From 46653f84c94ab9190a6841dbbfd874bb25d2a7f6 Mon Sep 17 00:00:00 2001
From: Christian Albrecht
Date: Mon, 11 Mar 2019 11:01:54 +0100
Subject: [PATCH] Cleanup pki: proxy

---
 .../services/cluster/kubernetes/pki.nix | 17 ----------
 .../services/cluster/kubernetes/proxy.nix | 34 ++++++++++++++-----
 2 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 92eefae5bda4..be0b50e93299 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -124,10 +124,6 @@ in
 top.caFile
 certmgrAPITokenPath
 ];
- proxyPaths = mkIf top.proxy.enable [
- cfg.certs.kubeProxyClient.cert
- cfg.certs.kubeProxyClient.key
- ];
 schedulerPaths = mkIf top.scheduler.enable [
 cfg.certs.schedulerClient.cert
 cfg.certs.schedulerClient.key
@@ -366,19 +362,6 @@ in
 127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
 '';
- systemd.services.kube-proxy = mkIf top.proxy.enable {
- environment = { inherit (top.pki.certs.kubeProxyClient) cert key; };
- unitConfig.ConditionPathExists = proxyPaths;
- };
- systemd.paths.kube-proxy = mkIf top.proxy.enable {
- wantedBy = [ "kube-proxy.service" ];
- pathConfig = {
- PathExists = proxyPaths;
- PathChanged = proxyPaths;
- };
- };
-
 services.kubernetes = {
 apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; {
diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix
index 65d4f9ccbfcb..8a90542fe633 100644
--- a/nixos/modules/services/cluster/kubernetes/proxy.nix
+++ b/nixos/modules/services/cluster/kubernetes/proxy.nix
@@ -45,18 +45,27 @@ in
 };
 ###### implementation
- config = mkIf cfg.enable {
- systemd.services.kube-proxy = {
+ config = let
+
+ proxyPaths = filter (a: a != null) [
+ cfg.kubeconfig.caFile
+ cfg.kubeconfig.certFile
+ cfg.kubeconfig.keyFile
+ ];
+
+ in mkIf cfg.enable {
+ systemd.services.kube-proxy = rec {
 description = "Kubernetes Proxy Service";
 wantedBy = [ "kube-node-online.target" ];
 after = [ "kubelet-online.service" ];
 before = [ "kube-node-online.target" ];
- path = with pkgs; [ iptables conntrack_tools ];
+ environment.KUBECONFIG = top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig;
+ path = with pkgs; [ iptables conntrack_tools kubectl ];
 preStart = ''
- ${top.lib.mkWaitCurl ( with config.systemd.services.kube-proxy; {
- path = "/api/v1/nodes/${top.kubelet.hostname}";
- cacert = top.caFile;
- } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
+ until kubectl auth can-i get nodes/${top.kubelet.hostname} -q 2>/dev/null; do
+ echo kubectl auth can-i get nodes/${top.kubelet.hostname}: exit status $?
+ sleep 2
+ done
 '';
 serviceConfig = {
 Slice = "kubernetes.slice";
@@ -66,7 +75,7 @@ in
 "--cluster-cidr=${top.clusterCidr}"} \
 ${optionalString (cfg.featureGates != [])
 "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
- --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \
+ --kubeconfig=${environment.KUBECONFIG} \
 ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
 ${cfg.extraOpts}
 '';
@@ -74,6 +83,15 @@ in
 Restart = "on-failure";
 RestartSec = 5;
 };
+ unitConfig.ConditionPathExists = proxyPaths;
+ };
+
+ systemd.paths.kube-proxy = {
+ wantedBy = [ "kube-proxy.service" ];
+ pathConfig = {
+ PathExists = proxyPaths;
+ PathChanged = proxyPaths;
+ };
 };
 services.kubernetes.pki.certs = {
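Review bot: The new preStart wait loop in `systemd.services.kube-proxy` discards kubectl's stderr (`2>/dev/null`) and has no upper bound, so the journal records only `exit status 1` whether the API server is unreachable (transient, worth waiting for) or the kube-proxy credentials are denied `get nodes` by RBAC (permanent), and the unit spins until systemd's start timeout kills it and `Restart = "on-failure"` re-runs it. Keeping kubectl's diagnostics in the log, e.g. `until kubectl auth can-i get nodes/${top.kubelet.hostname} -q; do`, makes the two cases distinguishable during incident triage without changing the wait semantics. The `$?` in the `echo` line reports the condition's status only because it is the first command of the loop body; a short comment saying so would protect it from a later reordering. The unit is now gated by `proxyPaths` derived from `cfg.kubeconfig.*` instead of the PKI module's `kubeProxyClient` cert/key, which presumably relies on pki.nix still populating those kubeconfig options, something this patch does not show. The `config = let … in mkIf cfg.enable {` set opened here continues past the hunk.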
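Review bot: `systemd.paths.kube-proxy` is defined unconditionally while `proxyPaths` filters out null entries, so a kubeconfig that sets none of `caFile`, `certFile` and `keyFile` (if the option set permits that; not visible here) produces a path unit whose `PathExists` and `PathChanged` are empty, which systemd refuses to load, and the service's `ConditionPathExists = []` then never gates startup at all. Guarding the path unit, `systemd.paths.kube-proxy = mkIf (proxyPaths != []) { … };`, avoids emitting a broken unit in that configuration. The definitions removed from pki.nix were gated on `mkIf top.proxy.enable`; here the same units sit under the surrounding `mkIf cfg.enable`, which is equivalent only if `cfg` is the proxy option set, as its use in this file suggests. The enclosing `config` set starts in the first hunk of this file and closes outside this one.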