authorChristian Albrecht <christian.albrecht@mayflower.de>2019-03-11 10:47:58 +0100
committerChristian Albrecht <christian.albrecht@mayflower.de>2019-03-11 12:22:31 +0100
commit8ab50cb239e4aaeb88c372171a79f1fd874dfe50 (patch)
tree9d1e3fdab8a5882e480644037cc1a958c8d1d7a8 /nixos/modules/services/cluster/kubernetes/apiserver.nix
parentee9dd4386a061594ad69ff5a3a683f899f9f8c93 (diff)
Cleanup pki: apiserver and etcd
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/apiserver.nix')
-rw-r--r--nixos/modules/services/cluster/kubernetes/apiserver.nix43
1 files changed, 42 insertions, 1 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix
index 28784407459..677738b4ec5 100644
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -272,7 +272,27 @@ in
   ###### implementation
   config = mkMerge [
 
-    (mkIf cfg.enable {
+    (let
+
+      apiserverPaths = filter (a: a != null) [
+        cfg.clientCaFile
+        cfg.etcd.caFile
+        cfg.etcd.certFile
+        cfg.etcd.keyFile
+        cfg.kubeletClientCaFile
+        cfg.kubeletClientCertFile
+        cfg.kubeletClientKeyFile
+        cfg.serviceAccountKeyFile
+        cfg.tlsCertFile
+        cfg.tlsKeyFile
+      ];
+      etcdPaths = filter (a: a != null) [
+        config.services.etcd.trustedCaFile
+        config.services.etcd.certFile
+        config.services.etcd.keyFile
+      ];
+
+    in mkIf cfg.enable {
         systemd.services.kube-apiserver = {
           description = "Kubernetes APIServer Service";
           wantedBy = [ "kube-control-plane-online.target" ];
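Review bot: The two lists added in the `let` have no comment saying what they gate, and `filter (a: a != null)` means an option left unset silently drops out of the check. I would add above `apiserverPaths` something like `# PKI files that must exist before kube-apiserver starts; unset (null) options are not checked`, and a matching line above `etcdPaths`. On this page the lists are only used for existence and change watches, so a present but empty, unreadable or wrongly-owned `tlsKeyFile`, `etcd.keyFile` or `serviceAccountKeyFile` still passes. Mode and ownership of the key files have to be enforced wherever they are created. The `config` block continues outside the hunk.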
@@ -342,6 +362,15 @@ in
             Restart = "on-failure";
             RestartSec = 5;
           };
+          unitConfig.ConditionPathExists = apiserverPaths;
+        };
+
+        systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
+          wantedBy = [ "kube-apiserver.service" ];
+          pathConfig = {
+            PathExists = apiserverPaths;
+            PathChanged = apiserverPaths;
+          };
         };
 
         services.etcd = {
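Review bot: `PathExists = apiserverPaths` and `unitConfig.ConditionPathExists = apiserverPaths` do not mean the same thing: the path unit activates the service as soon as any one listed path exists, while the condition requires all of them. With a partially provisioned PKI the path unit can therefore keep triggering a start that is skipped each time; the same applies to `systemd.paths.etcd` in the next hunk. `PathChanged` also only activates the unit, which does nothing while kube-apiserver is already running, so a rotated or replaced certificate or key is not picked up until something restarts the service. That deserves a comment such as `# starts the service once the PKI files appear; does not restart it on rotation`. The `mkIf top.apiserver.enable` on the path unit looks redundant inside `mkIf cfg.enable`, assuming `cfg` is `top.apiserver` (bound outside the hunk).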
@@ -355,6 +384,18 @@ in
           initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"];
         };
 
+        systemd.services.etcd = {
+          unitConfig.ConditionPathExists = etcdPaths;
+        };
+
+        systemd.paths.etcd = {
+          wantedBy = [ "etcd.service" ];
+          pathConfig = {
+            PathExists = etcdPaths;
+            PathChanged = etcdPaths;
+          };
+        };
+
         services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled {
 
           apiserver-kubelet-api-admin-crb = {
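Review bot: `systemd.services.etcd` and `systemd.paths.etcd` are defined whenever the apiserver is enabled, with no guard on `config.services.etcd.enable`, unlike the `mkIf` on the kube-apiserver path unit in the previous hunk. If etcd is not enabled on this host (for example with an external etcd; the `services.etcd` block is only partly visible here), this would presumably generate an etcd service unit carrying only the condition, plus a path unit pointing at it. Guarding both would avoid that: `systemd.services.etcd = mkIf config.services.etcd.enable {` and `systemd.paths.etcd = mkIf config.services.etcd.enable {`.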