From 7323b77435f69362b0b4cc7edcb0915e9ab1ff48 Mon Sep 17 00:00:00 2001 From: Christian Albrecht Date: Wed, 6 Mar 2019 16:52:27 +0100 Subject: nixos/kubernetes: Address review: Separate preStart from certificates --- .../services/cluster/kubernetes/apiserver.nix | 5 +-- .../cluster/kubernetes/controller-manager.nix | 5 +-- .../services/cluster/kubernetes/flannel.nix | 7 ++++ nixos/modules/services/cluster/kubernetes/pki.nix | 46 +++++++++++----------- .../modules/services/cluster/kubernetes/proxy.nix | 5 +-- .../services/cluster/kubernetes/scheduler.nix | 5 +-- 6 files changed, 39 insertions(+), 34 deletions(-) (limited to 'nixos/modules/services') diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index e4650c12cff..72fb9535832 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix +++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -472,12 +472,11 @@ in after = [ "kube-scheduler.service" "kube-controller-manager.service" ]; before = [ "kube-control-plane-online.target" ]; preStart = '' - ${top.lib.mkWaitCurl (with top.pki.certs.flannelClient; { + ${top.lib.mkWaitCurl ( with config.systemd.services.kube-control-plane-online; { sleep = 3; path = "/healthz"; cacert = top.caFile; - inherit cert key; - })} + } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} ''; script = "echo Ok"; serviceConfig = { diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index cc43a243df1..a39fd62c689 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix 
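Review bot: The new guard `optionalAttrs (environment ? cert)` on the kube-control-plane-online preStart tests only for `cert` but then inherits both `cert` and `key`, so an environment that carries a certificate path without a key fails at evaluation instead of falling back; check both, `optionalAttrs (environment ? cert && environment ? key)`. When neither is present the wait loop now probes `/healthz` with no client identity, where the removed lines always sent `top.pki.certs.flannelClient`; if the unauthenticated probe is the intended non-PKI path, a short comment such as `# no client cert configured: /healthz is probed anonymously` would make that explicit. The enclosing `systemd.services.kube-control-plane-online` definition starts before the hunk.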
@@ -111,12 +111,11 @@ in after = [ "kube-apiserver.service" ]; before = [ "kube-control-plane-online.target" ]; preStart = '' - ${top.lib.mkWaitCurl (with top.pki.certs.controllerManagerClient; { + ${top.lib.mkWaitCurl ( with config.systemd.services.kube-controller-manager; { sleep = 1; path = "/api"; cacert = top.caFile; - inherit cert key; - })} + } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} ''; serviceConfig = { RestartSec = "30s"; diff --git a/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixos/modules/services/cluster/kubernetes/flannel.nix index fba70e3b920..f85ebdafa31 100644 --- a/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -80,6 +80,13 @@ in after = [ "kubelet.target" ]; before = [ "flannel.target" ]; path = [ pkgs.iptables ]; + preStart = '' + ${top.lib.mkWaitCurl ( with config.systemd.services.flannel; { + path = "/api/v1/nodes"; + cacert = top.caFile; + args = "-o - | grep podCIDR >/dev/null"; + } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} + ''; }; systemd.services.docker = { diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 98284fba12a..14af3840eee 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -344,6 +344,7 @@ in }; systemd.services.kube-controller-manager = mkIf top.controllerManager.enable { + environment = { inherit (cfg.certs.controllerManagerClient) cert key; }; unitConfig.ConditionPathExists = controllerManagerPaths; }; 
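Review bot: The preStart now reads `environment` through `with config.systemd.services.kube-controller-manager;` from inside the definition of that same unit, which only works because the module system merges `environment` and `preStart` lazily and independently; an unqualified `environment` also reads as a generic name rather than "this unit's environment block". A local binding makes the dependency visible and survives a future rename of the unit, e.g. `let env = config.systemd.services.kube-controller-manager.environment; in` followed by `optionalAttrs (env ? cert && env ? key) { inherit (env) cert key; }`. The same pattern is repeated in the apiserver, proxy, scheduler and flannel hunks, so whichever form is chosen should be applied to all of them. The enclosing service definition starts before the hunk.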
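Review bot: Moving the flannel wait loop from pki.nix into flannel.nix makes it run unconditionally, and when `environment` carries no `cert` the curl against `/api/v1/nodes` is sent without any client credential, which an API server with anonymous access disabled will reject; if `mkWaitCurl` retries until curl succeeds (its definition is not in this diff), a non-PKI cluster would then sit in preStart until the unit times out rather than starting flannel. Either keep the preStart gated on the credential being present, `preStart = mkIf (config.systemd.services.flannel.environment ? cert) '' … '';`, or document the expectation that `/api/v1/nodes` is readable without a client certificate on such clusters. The `args = "-o - | grep podCIDR >/dev/null"` pipeline also only tells the reader what it greps, not why; a one-line comment (`# wait until this node has been assigned a podCIDR`) would help. The enclosing `systemd.services.flannel` definition starts before the hunk.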
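Review bot: The pki.nix hunk injects `cert` and `key` as literal environment variables of the kube-controller-manager process, purely so that a sibling preStart can read them back out of `config`; the unit's environment is thereby used as a side channel between two modules, and the lowercase names `cert`/`key` are generic enough to collide with a user's own `environment` additions or with a tool that happens to honour them. The values are file paths rather than key material, so the exposure is limited, but they still show up in `systemctl show -p Environment` and are inherited by every child process. Namespaced names (`KUBE_CLIENT_CERT`, `KUBE_CLIENT_KEY`) or, better, a dedicated read-only option on the pki module that the preStart helpers consult would make the data flow explicit without touching the process environment.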
@@ -355,6 +356,25 @@ in }; }; + systemd.services.kube-scheduler = mkIf top.scheduler.enable { + environment = { inherit (top.pki.certs.schedulerClient) cert key; }; + unitConfig.ConditionPathExists = schedulerPaths; + }; + + systemd.paths.kube-scheduler = mkIf top.scheduler.enable { + wantedBy = [ "kube-scheduler.service" ]; + pathConfig = { + PathExists = schedulerPaths; + PathChanged = schedulerPaths; + }; + }; + + systemd.services.kube-control-plane-online.environment = let + client = with cfg.certs; if top.apiserver.enable then clusterAdmin else kubelet; + in { + inherit (client) cert key; + }; + environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig) clusterAdminKubeconfig; @@ -419,19 +439,12 @@ in }; }; - systemd.services.flannel = { - preStart = '' - ${top.lib.mkWaitCurl (with top.pki.certs.flannelClient; { - path = "/api/v1/nodes"; - cacert = top.caFile; - inherit cert key; - args = "-o - | grep podCIDR >/dev/null"; - })} - ''; + systemd.services.flannel = mkIf top.flannel.enable { + environment = { inherit (top.pki.certs.flannelClient) cert key; }; unitConfig.ConditionPathExists = flannelPaths; }; - systemd.paths.flannel = { + systemd.paths.flannel = mkIf top.flannel.enable { wantedBy = [ "flannel.service" ]; pathConfig = { PathExists = flannelPaths; @@ -440,6 +453,7 @@ in }; systemd.services.kube-proxy = mkIf top.proxy.enable { + environment = { inherit (top.pki.certs.kubeProxyClient) cert key; }; unitConfig.ConditionPathExists = proxyPaths; }; @@ -451,18 +465,6 @@ in }; }; - systemd.services.kube-scheduler = mkIf top.scheduler.enable { - unitConfig.ConditionPathExists = schedulerPaths; - }; - - systemd.paths.kube-scheduler = mkIf top.scheduler.enable { - wantedBy = [ "kube-scheduler.service" ]; - pathConfig = { - PathExists = schedulerPaths; - PathChanged = schedulerPaths; - }; - }; - services.kubernetes = { apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; { 
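Review bot: The `kube-control-plane-online.environment` block hands the cluster-admin client certificate and key to a unit whose only job is to curl `/healthz` until the API server answers, which is far more privilege than a liveness probe needs; a leak of that unit's environment or a bug in the probe script would expose a credential that can do anything on the cluster. If `/healthz` is reachable by a less privileged identity on the clusters this module targets, a dedicated narrowly scoped client cert (or reuse of an existing low-privilege one) should be bound here instead, and if it is not, a comment should say why cluster-admin is required: `# /healthz probe; clusterAdmin chosen because … — consider a dedicated cert`. Note also that this hunk reads `top.pki.certs.schedulerClient` while the neighbouring kube-controller-manager entry reads `cfg.certs.controllerManagerClient`; if the two aliases are the same attribute set, pick one for the whole file.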
diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index d13d23e997b..01d59e9ac88 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -53,11 +53,10 @@ in before = [ "node-online.target" ]; path = with pkgs; [ iptables conntrack_tools ]; preStart = '' - ${top.lib.mkWaitCurl (with top.pki.certs.kubeProxyClient; { + ${top.lib.mkWaitCurl ( with config.systemd.services.kube-proxy; { path = "/api/v1/nodes/${top.kubelet.hostname}"; cacert = top.caFile; - inherit cert key; - })} + } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} ''; serviceConfig = { Slice = "kubernetes.slice"; diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 4aea9e9b6bd..32a84563076 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -63,12 +63,11 @@ in after = [ "kube-apiserver.service" ]; before = [ "kube-control-plane-online.target" ]; preStart = '' - ${top.lib.mkWaitCurl (with top.pki.certs.schedulerClient; { + ${top.lib.mkWaitCurl ( with config.systemd.services.kube-scheduler; { sleep = 1; path = "/api"; cacert = top.caFile; - inherit cert key; - })} + } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} ''; serviceConfig = { Slice = "kubernetes.slice"; -- cgit 1.4.1
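Review bot: The scheduler hunk is the fifth copy of the same `with config.systemd.services.X; { … } // optionalAttrs (environment ? cert) { inherit (environment) cert key; }` block, and each copy checks only `cert` before inheriting `key` as well, so a fix or a future change to the credential lookup has to be made in five files. A small helper next to `mkWaitCurl`, e.g. `mkWaitCurlAs = service: attrs: mkWaitCurl (attrs // optionalAttrs (service.environment ? cert && service.environment ? key) { inherit (service.environment) cert key; });`, called here as `mkWaitCurlAs config.systemd.services.kube-scheduler { sleep = 1; path = "/api"; cacert = top.caFile; }`, would keep the credential handling in one place. The enclosing `systemd.services.kube-scheduler` definition starts before the hunk.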