authorMarkus <markus2342@users.noreply.github.com>2019-03-15 13:21:43 +0000
committerMarkus <markus2342@users.noreply.github.com>2019-03-15 13:21:43 +0000
commit2e29412e9c33ebc2d78431dfc14ee2db722bcb30 (patch)
tree5844a8b3a1418bd2a1c103e8ee7a5d46d6f2c730 /nixos/modules/services/cluster/kubernetes/apiserver.nix
parent92ce24853dc64c25cb1a45c5b2b37da5b1342eab (diff)
nixos/kubernetes: Add proxy client certs to apiserver
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/apiserver.nix')
-rw-r--r--nixos/modules/services/cluster/kubernetes/apiserver.nix21
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix
index 455d0239604..de96edb51a9 100644
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -184,6 +184,18 @@ in
       type = bool;
     };
 
+    proxyClientCertFile = mkOption {
+      description = "Client certificate to use for connections to proxy.";
+      default = null;
+      type = nullOr path;
+    };
+
+    proxyClientKeyFile = mkOption {
+      description = "Key to use for connections to proxy.";
+      default = null;
+      type = nullOr path;
+    };
+
     runtimeConfig = mkOption {
       description = ''
         Api runtime configuration. See
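Review bot: The option descriptions on the added `proxyClientCertFile`/`proxyClientKeyFile` lines describe the direction backwards: kube-apiserver's `--proxy-client-cert-file` is the certificate the apiserver itself presents as a client when it proxies requests to aggregated API servers or calls out to webhooks, not a credential for "connections to proxy". I would write `description = "Client certificate the apiserver presents when proxying to aggregated API servers (front-proxy identity); must be signed by the CA given in the requestheader client CA.";` and the matching `description = "Private key for proxyClientCertFile.";`. Since both are `nullOr path`, it is also worth a sentence in the key's description warning that a literal Nix path expression is copied into the world-readable Nix store, so the value should be a string path to a file provisioned at runtime — the same caveat presumably applies to the neighbouring kubelet client key option, which is outside this hunk.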
@@ -316,6 +328,10 @@ in
                 "--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \
               ${optionalString (cfg.kubeletClientKeyFile != null)
                 "--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \
+              ${optionalString (cfg.proxyClientCertFile != null)
+                "--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \
+              ${optionalString (cfg.proxyClientKeyFile != null)
+                "--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \
               --insecure-bind-address=${cfg.insecureBindAddress} \
               --insecure-port=${toString cfg.insecurePort} \
               ${optionalString (cfg.runtimeConfig != "")
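Review bot: The two new `optionalString` lines emit `--proxy-client-cert-file` and `--proxy-client-key-file` independently, so a configuration that sets only one of the options evaluates cleanly and I expect kube-apiserver to fail only at startup when it tries to load the half-specified key pair. An evaluation-time assertion alongside the module's other checks would catch this, e.g. `{ assertion = (cfg.proxyClientCertFile == null) == (cfg.proxyClientKeyFile == null); message = "services.kubernetes.apiserver: proxyClientCertFile and proxyClientKeyFile must be set together"; }`. This hunk sits inside the apiserver's ExecStart command string, whose start and end are outside the hunk, so the assertion would go in the module's `config` section rather than here.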
@@ -389,6 +405,11 @@ in
                   ] ++ cfg.extraSANs;
           action = "systemctl restart kube-apiserver.service";
         };
+        apiserverProxyClient = mkCert {
+          name = "kube-apiserver-proxy-client";
+          CN = "front-proxy-client";
+          action = "systemctl restart kube-apiserver.service";
+        };
         apiserverKubeletClient = mkCert {
           name = "kube-apiserver-kubelet-client";
           CN = "system:kube-apiserver";
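Review bot: The new `apiserverProxyClient` entry mints a `front-proxy-client` certificate but nothing in this file connects it to the `proxyClientCertFile`/`proxyClientKeyFile` options or to the apiserver's requestheader flags; presumably that wiring lives in another file of the same commit, since the diffstat is limited to `apiserver.nix`. The security-relevant detail to document at this entry is which CA signs it: the apiserver (and aggregated API servers) trust `X-Remote-User`/`X-Remote-Group` headers from any client certificate chaining to `--requestheader-client-ca-file`, so if `mkCert` signs with the same CA that issues kubelet and user client certs, every holder of such a cert can impersonate arbitrary users to aggregated APIs unless `--requestheader-allowed-names` is restricted to this CN. I would add a comment above the entry along the lines of `# Front-proxy identity for the aggregation layer; the CA used here must match --requestheader-client-ca-file, and --requestheader-allowed-names should pin this CN if that CA is shared with other client certs.` The surrounding attribute set continues outside the hunk.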