author | Christian Albrecht <christian.albrecht@mayflower.de> | 2019-03-11 10:47:58 +0100 |
---|---|---|
committer | Christian Albrecht <christian.albrecht@mayflower.de> | 2019-03-11 12:22:31 +0100 |
commit | 8ab50cb239e4aaeb88c372171a79f1fd874dfe50 (patch) | |
tree | 9d1e3fdab8a5882e480644037cc1a958c8d1d7a8 /nixos/modules/services/cluster/kubernetes/apiserver.nix | |
parent | ee9dd4386a061594ad69ff5a3a683f899f9f8c93 (diff) | |
Cleanup pki: apiserver and etcd
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/apiserver.nix')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/apiserver.nix | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index 28784407459..677738b4ec5 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -272,7 +272,27 @@ in ###### implementation config = mkMerge [ - (mkIf cfg.enable { + (let + + apiserverPaths = filter (a: a != null) [ + cfg.clientCaFile + cfg.etcd.caFile + cfg.etcd.certFile + cfg.etcd.keyFile + cfg.kubeletClientCaFile + cfg.kubeletClientCertFile + cfg.kubeletClientKeyFile + cfg.serviceAccountKeyFile + cfg.tlsCertFile + cfg.tlsKeyFile + ]; + etcdPaths = filter (a: a != null) [ + config.services.etcd.trustedCaFile + config.services.etcd.certFile + config.services.etcd.keyFile + ]; + + in mkIf cfg.enable { systemd.services.kube-apiserver = { description = "Kubernetes APIServer Service"; wantedBy = [ "kube-control-plane-online.target" ]; @@ -342,6 +362,15 @@ in Restart = "on-failure"; RestartSec = 5; }; + unitConfig.ConditionPathExists = apiserverPaths; + }; + + systemd.paths.kube-apiserver = mkIf top.apiserver.enable { + wantedBy = [ "kube-apiserver.service" ]; + pathConfig = { + PathExists = apiserverPaths; + PathChanged = apiserverPaths; + }; }; services.etcd = { @@ -355,6 +384,18 @@ in initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"]; }; + systemd.services.etcd = { + unitConfig.ConditionPathExists = etcdPaths; + }; + + systemd.paths.etcd = { + wantedBy = [ "etcd.service" ]; + pathConfig = { + PathExists = etcdPaths; + PathChanged = etcdPaths; + }; + }; + services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled { apiserver-kubelet-api-admin-crb = { |
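Review bot: `filter (a: a != null)` in the first hunk can return an empty list, and nothing downstream handles that case: if every listed option is null, `apiserverPaths` or `etcdPaths` is `[]`, and the path units in the second and third hunks are generated without any `PathExists=` or `PathChanged=` line. As far as I know systemd refuses to load a path unit that has no path setting, so this would surface as a failed unit rather than a no-op. Guarding the path units, for example `systemd.paths.etcd = mkIf (etcdPaths != []) {`, would avoid it. A short comment above the two lists, such as `# PKI files that must exist before the unit starts; unset (null) options are skipped`, would also help, because the lists have to be kept in step with the module's file options by hand.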
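Review bot: `PathExists = apiserverPaths` and `unitConfig.ConditionPathExists = apiserverPaths` in the second hunk do not agree on semantics: the path unit activates kube-apiserver as soon as any one listed file exists, while the condition requires all of them. While only part of the key material is in place, the path unit will likely keep requesting a start that the condition skips, which shows up as repeated start attempts in the journal. `PathChanged` also only starts a stopped unit, so an already running apiserver keeps using the certificate and key it loaded until it is restarted; that deserves a comment such as `# triggers a start only; rotating these files still needs an explicit restart`. The etcd path unit in the third hunk has the same two properties. The inner `mkIf top.apiserver.enable` looks redundant inside `mkIf cfg.enable` if `cfg` is `top.apiserver`, but `cfg` is defined outside the hunk.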