authorChristian Albrecht <christian.albrecht@mayflower.de>2019-03-11 10:50:32 +0100
committerChristian Albrecht <christian.albrecht@mayflower.de>2019-03-11 12:22:36 +0100
commitce83dc2c52dae33330d868abd358166f9a4cb77a (patch)
treed4006503d1653255ec653a367430d48cf2775d87 /nixos/modules/services/cluster/kubernetes
parent8ab50cb239e4aaeb88c372171a79f1fd874dfe50 (diff)
Cleanup pki: controller-manager
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes')
-rw-r--r--nixos/modules/services/cluster/kubernetes/controller-manager.nix39
-rw-r--r--nixos/modules/services/cluster/kubernetes/pki.nix20
2 files changed, 30 insertions, 29 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix
index a39fd62c689..a28679dbb9a 100644
--- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix
+++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix
@@ -104,18 +104,30 @@ in
   };
 
   ###### implementation
-  config = mkIf cfg.enable {
-    systemd.services.kube-controller-manager = {
+  config = let
+
+    controllerManagerPaths = filter (a: a != null) [
+      cfg.kubeconfig.caFile
+      cfg.kubeconfig.certFile
+      cfg.kubeconfig.keyFile
+      cfg.rootCaFile
+      cfg.serviceAccountKeyFile
+      cfg.tlsCertFile
+      cfg.tlsKeyFile
+    ];
+
+  in mkIf cfg.enable {
+    systemd.services.kube-controller-manager = rec {
       description = "Kubernetes Controller Manager Service";
       wantedBy = [ "kube-control-plane-online.target" ];
       after = [ "kube-apiserver.service" ];
       before = [ "kube-control-plane-online.target" ];
+      environment.KUBECONFIG = top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig;
       preStart = ''
-        ${top.lib.mkWaitCurl ( with config.systemd.services.kube-controller-manager; {
-          sleep = 1;
-          path = "/api";
-          cacert = top.caFile;
-        } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
+        until kubectl auth can-i get /api -q 2>/dev/null; do
+          echo kubectl auth can-i get /api: exit status $?
+          sleep 2
+        done
       '';
       serviceConfig = {
         RestartSec = "30s";
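Review bot: The new `until kubectl auth can-i get /api -q ...` readiness loop in preStart cannot distinguish an apiserver that is not up yet from a request that is permanently rejected: as far as I can tell `can-i -q` exits non-zero in both cases, and `2>/dev/null` discards the only output that would tell them apart, so a wrong CA in the kubeconfig or missing RBAC for the controller-manager identity makes the unit spin until systemd's start timeout kills it, with a journal that shows only `exit status 1`. I would keep stderr, e.g. `until kubectl auth can-i get /api -q; do`, so a TLS or authorization failure is visible on the first attempt. The replaced mkWaitCurl call passed `cacert = top.caFile` explicitly, whereas the loop now trusts whatever CA the generated kubeconfig from `environment.KUBECONFIG` carries; a short comment on that line, `# kubectl in preStart authenticates and verifies the server via this kubeconfig (cfg.kubeconfig.caFile/certFile/keyFile)`, would make the dependency explicit. The enclosing `config` attribute set continues outside the hunk.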
@@ -128,7 +140,7 @@ in
             "--cluster-cidr=${cfg.clusterCidr}"} \
           ${optionalString (cfg.featureGates != [])
             "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
-          --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \
+          --kubeconfig=${environment.KUBECONFIG} \
           --leader-elect=${boolToString cfg.leaderElect} \
           ${optionalString (cfg.rootCaFile!=null)
             "--root-ca-file=${cfg.rootCaFile}"} \
@@ -149,7 +161,16 @@ in
         User = "kubernetes";
         Group = "kubernetes";
       };
-      path = top.path;
+      path = top.path ++ [ pkgs.kubectl ];
+      unitConfig.ConditionPathExists = controllerManagerPaths;
+    };
+
+    systemd.paths.kube-controller-manager = {
+      wantedBy = [ "kube-controller-manager.service" ];
+      pathConfig = {
+        PathExists = controllerManagerPaths;
+        PathChanged = controllerManagerPaths;
+      };
     };
 
     services.kubernetes.pki.certs = with top.lib; {
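Review bot: The pairing of `unitConfig.ConditionPathExists = controllerManagerPaths` with the new `systemd.paths.kube-controller-manager` unit is easy to misread without a comment, since ConditionPathExists makes systemd skip the service silently rather than fail it while any listed file is missing, and the path unit is what starts it once the files appear. I would add above `unitConfig.ConditionPathExists`: `# Skip the service while any cert/key/kubeconfig file is missing; the path unit below starts it once they exist.` PathChanged only activates the service, so a certificate or key rotated while kube-controller-manager is already running is not picked up; this behaviour carries over from the removed pki.nix block, but if it is intended it is worth stating in the same comment. The service definition begins in an earlier hunk.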
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 85e1fc9671c..3c7af73e0b9 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -136,13 +136,6 @@ in
       cfg.certs.schedulerClient.cert
       cfg.certs.schedulerClient.key
     ];
-    controllerManagerPaths = [
-      top.controllerManager.rootCaFile
-      top.controllerManager.tlsCertFile
-      top.controllerManager.tlsKeyFile
-      cfg.certs.controllerManagerClient.cert
-      cfg.certs.controllerManagerClient.key
-    ];
     kubeletPaths = [
       top.kubelet.clientCaFile
       top.kubelet.tlsCertFile
@@ -307,19 +300,6 @@ in
         };
       };
 
-      systemd.services.kube-controller-manager = mkIf top.controllerManager.enable {
-        environment = { inherit (cfg.certs.controllerManagerClient) cert key; };
-        unitConfig.ConditionPathExists = controllerManagerPaths;
-      };
-
-      systemd.paths.kube-controller-manager = mkIf top.controllerManager.enable {
-        wantedBy = [ "kube-controller-manager.service" ];
-        pathConfig = {
-          PathExists = controllerManagerPaths;
-          PathChanged = controllerManagerPaths;
-        };
-      };
-
       systemd.services.kube-scheduler = mkIf top.scheduler.enable {
         environment = { inherit (top.pki.certs.schedulerClient) cert key; };
         unitConfig.ConditionPathExists = schedulerPaths;