author | Yurii Matsiuk <ymatsiuk@users.noreply.github.com> | 2021-01-13 20:10:04 +0100 |
committer | zowoq <59103226+zowoq@users.noreply.github.com> | 2021-03-07 12:50:39 +1000 |
commit | 7da62867be079bb5f6412fb12a76dbb68f9bad4b (patch) | |
tree | 5165d62928ea72c15ccaef05b1eddeb80c6e1814 /nixos/modules/services/cluster/kubernetes/apiserver.nix | |
parent | fc750b2000a1cfb31cc4cf2a409f16f243d2f9c0 (diff) | |
nixos/kubernetes: adapt module and test cases to fit kubernetes v1.20.X as well as coredns v1.7.X
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/apiserver.nix')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/apiserver.nix | 44 |
1 files changed, 37 insertions, 7 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix
index 95bdb4c0d14..616389dfaac 100644
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -238,14 +238,42 @@ in
 type = int;
 };
+ apiAudiences = mkOption {
+ description = ''
+ Kubernetes apiserver ServiceAccount issuer.
+ '';
+ default = "api,https://kubernetes.default.svc";
+ type = str;
+ };
+
+ serviceAccountIssuer = mkOption {
+ description = ''
+ Kubernetes apiserver ServiceAccount issuer.
+ '';
+ default = "https://kubernetes.default.svc";
+ type = str;
+ };
+
+ serviceAccountSigningKeyFile = mkOption {
+ description = ''
+ Path to the file that contains the current private key of the service
+ account token issuer. The issuer will sign issued ID tokens with this
+ private key.
+ '';
+ default = top.serviceAccountSigningKeyFile;
+ type = path;
+ };
+
 serviceAccountKeyFile = mkOption {
 description = ''
- Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
- used to verify ServiceAccount tokens. By default tls private key file
- is used.
+ File containing PEM-encoded x509 RSA or ECDSA private or public keys,
+ used to verify ServiceAccount tokens. The specified file can contain
+ multiple keys, and the flag can be specified multiple times with
+ different files. If unspecified, --tls-private-key-file is used.
+ Must be specified when --service-account-signing-key is provided
 '';
- default = null;
- type = nullOr path;
+ default = top.serviceAccountKeyFile;
+ type = path;
 };
 serviceClusterIpRange = mkOption {
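Review bot: The `apiAudiences` description is a verbatim copy of the `serviceAccountIssuer` one ("Kubernetes apiserver ServiceAccount issuer."), so the option that decides which audiences a bound ServiceAccount token is accepted for is effectively undocumented; it should read something like `Comma-separated identifiers of the API. The ServiceAccount token authenticator only accepts tokens bound to at least one of these audiences.` The rewritten `serviceAccountKeyFile` description also no longer matches its own option: it says the flag "can be specified multiple times with different files" and that `--tls-private-key-file` is used "if unspecified", but the option is a single `path` with a non-null default, so neither case can happen through this module — trim it to the single, always-passed file contract, and mention that the file may hold several public keys for rotation if that is the intended use. The defaults `top.serviceAccountSigningKeyFile` and `top.serviceAccountKeyFile` are declared outside this hunk, so whether the verification default really points at a public key rather than reusing a private one could not be checked here. The enclosing options attribute set starts and ends outside the hunk.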
@@ -357,8 +385,10 @@ in
 ${optionalString (cfg.runtimeConfig != "")
 "--runtime-config=${cfg.runtimeConfig}"} \
 --secure-port=${toString cfg.securePort} \
- ${optionalString (cfg.serviceAccountKeyFile!=null)
- "--service-account-key-file=${cfg.serviceAccountKeyFile}"} \
+ --api-audiences=${toString cfg.apiAudiences} \
+ --service-account-issuer=${toString cfg.serviceAccountIssuer} \
+ --service-account-signing-key-file=${cfg.serviceAccountSigningKeyFile} \
+ --service-account-key-file=${cfg.serviceAccountKeyFile} \
 --service-cluster-ip-range=${cfg.serviceClusterIpRange} \
 --storage-backend=${cfg.storageBackend} \
 ${optionalString (cfg.tlsCertFile != null) |
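Review bot: `toString` is redundant in `--api-audiences=${toString cfg.apiAudiences}` and `--service-account-issuer=${toString cfg.serviceAccountIssuer}`, since both options are declared `type = str` in this same commit; `toString cfg.securePort` is needed only because that option is an `int`. Writing them as `--api-audiences=${cfg.apiAudiences} \` and `--service-account-issuer=${cfg.serviceAccountIssuer} \` matches the neighbouring `--service-cluster-ip-range=${cfg.serviceClusterIpRange}` line and stops a reader wondering whether these hold non-string values. Removing the old `optionalString (cfg.serviceAccountKeyFile!=null)` guard means the signing and verification key flags are now passed unconditionally, which is what bound-token validation in v1.20 needs, but the null case the guard used to absorb is now handled only by the `path` types and the `top.*` defaults declared outside this hunk, so it is worth confirming those defaults can never resolve to null. The ExecStart string this belongs to starts and ends outside the hunk.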