authorChristian Albrecht <christian.albrecht@mayflower.de>2019-03-11 11:01:54 +0100
committerChristian Albrecht <christian.albrecht@mayflower.de>2019-03-11 12:22:49 +0100
commit46653f84c94ab9190a6841dbbfd874bb25d2a7f6 (patch)
treed5e74733d135c2a2abcaabd9ff32b3267f4fa3bb
parent73657b7fcfe8ad87af70a1b6186a355971da6c97 (diff)
Cleanup pki: proxy
-rw-r--r--nixos/modules/services/cluster/kubernetes/pki.nix17
-rw-r--r--nixos/modules/services/cluster/kubernetes/proxy.nix34
2 files changed, 26 insertions, 25 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 92eefae5bda..be0b50e9329 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -124,10 +124,6 @@ in
       top.caFile
       certmgrAPITokenPath
     ];
-    proxyPaths = mkIf top.proxy.enable [
-      cfg.certs.kubeProxyClient.cert
-      cfg.certs.kubeProxyClient.key
-    ];
     schedulerPaths = mkIf top.scheduler.enable [
       cfg.certs.schedulerClient.cert
       cfg.certs.schedulerClient.key
@@ -366,19 +362,6 @@ in
         127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
       '';
 
-      systemd.services.kube-proxy = mkIf top.proxy.enable {
-        environment = { inherit (top.pki.certs.kubeProxyClient) cert key; };
-        unitConfig.ConditionPathExists = proxyPaths;
-      };
-
-      systemd.paths.kube-proxy = mkIf top.proxy.enable {
-        wantedBy = [ "kube-proxy.service" ];
-        pathConfig = {
-          PathExists = proxyPaths;
-          PathChanged = proxyPaths;
-        };
-      };
-
       services.kubernetes = {
 
         apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; {
diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix
index 65d4f9ccbfc..8a90542fe63 100644
--- a/nixos/modules/services/cluster/kubernetes/proxy.nix
+++ b/nixos/modules/services/cluster/kubernetes/proxy.nix
@@ -45,18 +45,27 @@ in
   };
 
   ###### implementation
-  config = mkIf cfg.enable {
-    systemd.services.kube-proxy = {
+  config = let
+
+    proxyPaths = filter (a: a != null) [
+      cfg.kubeconfig.caFile
+      cfg.kubeconfig.certFile
+      cfg.kubeconfig.keyFile
+    ];
+
+  in mkIf cfg.enable {
+    systemd.services.kube-proxy = rec {
       description = "Kubernetes Proxy Service";
       wantedBy = [ "kube-node-online.target" ];
       after = [ "kubelet-online.service" ];
       before = [ "kube-node-online.target" ];
-      path = with pkgs; [ iptables conntrack_tools ];
+      environment.KUBECONFIG = top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig;
+      path = with pkgs; [ iptables conntrack_tools kubectl ];
       preStart = ''
-        ${top.lib.mkWaitCurl ( with config.systemd.services.kube-proxy; {
-          path = "/api/v1/nodes/${top.kubelet.hostname}";
-          cacert = top.caFile;
-        } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
+        until kubectl auth can-i get nodes/${top.kubelet.hostname} -q 2>/dev/null; do
+          echo kubectl auth can-i get nodes/${top.kubelet.hostname}: exit status $?
+          sleep 2
+        done
       '';
       serviceConfig = {
         Slice = "kubernetes.slice";
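Review bot: The `2>/dev/null` on the `kubectl auth can-i` line in the new preStart discards the only output that distinguishes an unreachable apiserver or an unusable kubeconfig from an RBAC denial; as far as I can tell both cases reach the loop body with the same non-zero status, so the echo that follows prints an indistinguishable `exit status` line for every cause. Keeping stderr, or at least quoting the node name, `until kubectl auth can-i get "nodes/${top.kubelet.hostname}" -q; do`, leaves a usable reason in the journal while the unit waits and protects the loop from a hostname with shell-special characters. The loop itself is unbounded and presumably relies on systemd's start timeout together with `Restart = "on-failure"` to bound the wait; a one-line comment stating that, e.g. `# unbounded on purpose: the unit's start timeout and Restart=on-failure bound it`, would save the next reader a check. The two later hunks in this file only switch the kubeconfig reference and move the path unit from pki.nix.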
@@ -66,7 +75,7 @@ in
             "--cluster-cidr=${top.clusterCidr}"} \
           ${optionalString (cfg.featureGates != [])
             "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
-          --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \
+          --kubeconfig=${environment.KUBECONFIG} \
           ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
           ${cfg.extraOpts}
         '';
@@ -74,6 +83,15 @@ in
         Restart = "on-failure";
         RestartSec = 5;
       };
+      unitConfig.ConditionPathExists = proxyPaths;
+    };
+
+    systemd.paths.kube-proxy = {
+      wantedBy = [ "kube-proxy.service" ];
+      pathConfig = {
+        PathExists = proxyPaths;
+        PathChanged = proxyPaths;
+      };
     };
 
     services.kubernetes.pki.certs = {
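Review bot: `PathChanged = proxyPaths` on the new path unit activates kube-proxy.service when a kubeconfig file changes, but a path unit only starts its target; if the service is already running, a rotated certificate or key is, as far as I can tell from systemd's path-unit semantics, not picked up until the next restart. This mirrors the unit the commit removes from pki.nix, so the behaviour does not change, but since the lists now live next to the service definition a comment such as `# path unit only starts the service once the files appear; it does not restart on rotation` would make the limitation explicit to whoever wires up certificate renewal.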