author | Markus <markus2342@users.noreply.github.com> | 2019-03-15 13:21:43 +0000 |
---|---|---|
committer | Markus <markus2342@users.noreply.github.com> | 2019-03-15 13:21:43 +0000 |
commit | 2e29412e9c33ebc2d78431dfc14ee2db722bcb30 (patch) | |
tree | 5844a8b3a1418bd2a1c103e8ee7a5d46d6f2c730 /nixos/modules/services/cluster | |
parent | 92ce24853dc64c25cb1a45c5b2b37da5b1342eab (diff) | |
nixos/kubernetes: Add proxy client certs to apiserver
Diffstat (limited to 'nixos/modules/services/cluster')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/apiserver.nix | 21 | ||||
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/pki.nix | 2 |
2 files changed, 23 insertions, 0 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix
index 455d0239604..de96edb51a9 100644
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -184,6 +184,18 @@ in
 type = bool;
 };
 
+ proxyClientCertFile = mkOption {
+ description = "Client certificate to use for connections to proxy.";
+ default = null;
+ type = nullOr path;
+ };
+
+ proxyClientKeyFile = mkOption {
+ description = "Key to use for connections to proxy.";
+ default = null;
+ type = nullOr path;
+ };
+
 runtimeConfig = mkOption {
 description = ''
 Api runtime configuration. See
@@ -316,6 +328,10 @@ in
 "--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \
 ${optionalString (cfg.kubeletClientKeyFile != null)
 "--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \
+ ${optionalString (cfg.proxyClientCertFile != null)
+ "--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \
+ ${optionalString (cfg.proxyClientKeyFile != null)
+ "--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \
 --insecure-bind-address=${cfg.insecureBindAddress} \
 --insecure-port=${toString cfg.insecurePort} \
 ${optionalString (cfg.runtimeConfig != "")
@@ -389,6 +405,11 @@ in
 ] ++ cfg.extraSANs;
 action = "systemctl restart kube-apiserver.service";
 };
+ apiserverProxyClient = mkCert {
+ name = "kube-apiserver-proxy-client";
+ CN = "front-proxy-client";
+ action = "systemctl restart kube-apiserver.service";
+ };
 apiserverKubeletClient = mkCert {
 name = "kube-apiserver-kubelet-client";
 CN = "system:kube-apiserver";
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 38deca23a99..0cd3f838279 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
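Review bot: The descriptions of the two new options in the first hunk invert the relationship: the kube-apiserver is itself the proxy here (the aggregation layer's front proxy) and presents this certificate to extension API servers, so "connections to proxy" will mislead a reader deciding where the peer CA must be trusted. Suggest `description = "Client certificate the kube-apiserver presents to extension API servers when it acts as the aggregation-layer front proxy.";` with matching wording for `proxyClientKeyFile`. Because the type is `nullOr path`, a Nix path literal supplied here is imported into the world-readable Nix store, which for the key file is a credential exposure; the option text should say to pass a string path to a file outside the store, as the `mkDefault cfg.certs.*` wiring in pki.nix does.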
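Review bot: The second hunk emits `--proxy-client-cert-file` and `--proxy-client-key-file` independently, so a configuration that sets only one of the pair evaluates cleanly and hands kube-apiserver an incomplete client identity; a module assertion such as `assertion = (cfg.proxyClientCertFile == null) == (cfg.proxyClientKeyFile == null);` with a message naming both options would surface that at evaluation time. These two flags are also only half of the aggregation-layer setup: the apiserver additionally needs `--requestheader-client-ca-file` together with `--requestheader-allowed-names` restricted to the proxy certificate's CN, so that the CA trusted for request-header authentication is published to extension API servers and bound to this one identity; nothing in this diff adds them, and whether they are set elsewhere in the module is not visible here. If that request-header CA ends up being the same cluster CA used for `--client-ca-file` and allowed-names is left empty, every client certificate from the cluster CA becomes an accepted front-proxy identity, so the allowed-names restriction is the security-relevant part of completing this change. The enclosing `ExecStart` string starts and ends outside the hunk.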
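Review bot: The `apiserverProxyClient` certificate added in the third hunk carries `CN = "front-proxy-client"` and, as far as this diff shows, is issued by the same `mkCert` path as the other apiserver client certificates, which presumably means the same cluster CA (mkCert's issuer is outside the hunk, so this is inferred). Kubernetes guidance keeps the front-proxy CA separate from the client CA because a front-proxy identity is trusted by extension API servers to assert other users' identities via request headers; if a shared CA is retained, that trust boundary has to be enforced by `--requestheader-allowed-names` naming only this CN. A comment at the definition would make the contract explicit for the next maintainer: `# Identity the apiserver presents to extension API servers as the aggregation front proxy; any consumer trusting this CA for request-header auth must restrict allowed names to this CN.` The enclosing `certs` attribute set continues outside the hunk.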
@@ -353,6 +353,8 @@ in
 kubeletClientCaFile = mkDefault caCert;
 kubeletClientCertFile = mkDefault cfg.certs.apiserverKubeletClient.cert;
 kubeletClientKeyFile = mkDefault cfg.certs.apiserverKubeletClient.key;
+ proxyClientCertFile = mkDefault cfg.certs.apiserverProxyClient.cert;
+ proxyClientKeyFile = mkDefault cfg.certs.apiserverProxyClient.key;
 });
 controllerManager = mkIf top.controllerManager.enable {
 serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.key; |