nixos/kubernetes: Address review: Separate preStart from certificates
parent
52fe1d2e7a
commit
7323b77435
@ -472,12 +472,11 @@ in
|
|||
after = [ "kube-scheduler.service" "kube-controller-manager.service" ];
|
||||
before = [ "kube-control-plane-online.target" ];
|
||||
preStart = ''
|
||||
${top.lib.mkWaitCurl (with top.pki.certs.flannelClient; {
|
||||
${top.lib.mkWaitCurl ( with config.systemd.services.kube-control-plane-online; {
|
||||
sleep = 3;
|
||||
path = "/healthz";
|
||||
cacert = top.caFile;
|
||||
inherit cert key;
|
||||
})}
|
||||
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
|
||||
'';
|
||||
script = "echo Ok";
|
||||
serviceConfig = {
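Review bot: The `optionalAttrs (environment ? cert)` merge on the new mkWaitCurl line makes the client certificate optional, so whenever pki.nix has not populated this unit's `environment` the readiness probe runs with `cacert` only and becomes an anonymous request to the apiserver; with anonymous auth disabled (the hardened apiserver setting) the wait can never succeed and the unit never starts, and with it enabled the probe is gated on anonymous access rather than on the credential the unit will actually use. The same pattern appears in the controller-manager, flannel, kube-proxy and kube-scheduler hunks below. The guard also checks only `cert`, so an `environment` carrying `cert` without `key` fails at evaluation inside `inherit (environment) cert key`; `optionalAttrs (environment ? cert && environment ? key)` is the cheap fix. A one-line comment above the `${top.lib.mkWaitCurl` call would help the next reader: `# cert/key are injected into the unit environment by pki.nix; without them the probe is unauthenticated`. Since `with config.systemd.services.…` puts every attribute of the service set in scope and lexical bindings win over `with`, a module-level binding named `environment` would silently shadow the unit's — that does not appear to be the case here, but it is worth keeping in mind. The enclosing unit definition starts and ends outside the hunk.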
|
||||
|
|
|
@ -111,12 +111,11 @@ in
|
|||
after = [ "kube-apiserver.service" ];
|
||||
before = [ "kube-control-plane-online.target" ];
|
||||
preStart = ''
|
||||
${top.lib.mkWaitCurl (with top.pki.certs.controllerManagerClient; {
|
||||
${top.lib.mkWaitCurl ( with config.systemd.services.kube-controller-manager; {
|
||||
sleep = 1;
|
||||
path = "/api";
|
||||
cacert = top.caFile;
|
||||
inherit cert key;
|
||||
})}
|
||||
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
|
||||
'';
|
||||
serviceConfig = {
|
||||
RestartSec = "30s";
|
||||
|
|
|
@ -80,6 +80,13 @@ in
|
|||
after = [ "kubelet.target" ];
|
||||
before = [ "flannel.target" ];
|
||||
path = [ pkgs.iptables ];
|
||||
preStart = ''
|
||||
${top.lib.mkWaitCurl ( with config.systemd.services.flannel; {
|
||||
path = "/api/v1/nodes";
|
||||
cacert = top.caFile;
|
||||
args = "-o - | grep podCIDR >/dev/null";
|
||||
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.docker = {
|
||||
|
|
|
@ -344,6 +344,7 @@ in
|
|||
};
|
||||
|
||||
systemd.services.kube-controller-manager = mkIf top.controllerManager.enable {
|
||||
environment = { inherit (cfg.certs.controllerManagerClient) cert key; };
|
||||
unitConfig.ConditionPathExists = controllerManagerPaths;
|
||||
};
|
||||
|
||||
|
@ -355,6 +356,25 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.kube-scheduler = mkIf top.scheduler.enable {
|
||||
environment = { inherit (top.pki.certs.schedulerClient) cert key; };
|
||||
unitConfig.ConditionPathExists = schedulerPaths;
|
||||
};
|
||||
|
||||
systemd.paths.kube-scheduler = mkIf top.scheduler.enable {
|
||||
wantedBy = [ "kube-scheduler.service" ];
|
||||
pathConfig = {
|
||||
PathExists = schedulerPaths;
|
||||
PathChanged = schedulerPaths;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.kube-control-plane-online.environment = let
|
||||
client = with cfg.certs; if top.apiserver.enable then clusterAdmin else kubelet;
|
||||
in {
|
||||
inherit (client) cert key;
|
||||
};
|
||||
|
||||
environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig)
|
||||
clusterAdminKubeconfig;
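Review bot: The new `systemd.services.kube-control-plane-online.environment` block hands the `clusterAdmin` certificate to a unit whose only job, judging by the default.nix hunk, is a curl against `/healthz`; a health probe does not need cluster-admin privileges, and putting that credential's paths into a unit environment widens where it is referenced for no functional gain. If `/healthz` is reachable by any authenticated client, the `kubelet` client used in the else branch would presumably serve the apiserver case as well — confirm against the apiserver's authorization setup before changing it. At minimum the choice should be explained in place: `# TODO(review): probe only hits /healthz; a less privileged client than clusterAdmin should suffice`. The other pki.nix hunks only relocate cert/key into the matching unit environments and look fine.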
|
||||
|
||||
|
@ -419,19 +439,12 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.flannel = {
|
||||
preStart = ''
|
||||
${top.lib.mkWaitCurl (with top.pki.certs.flannelClient; {
|
||||
path = "/api/v1/nodes";
|
||||
cacert = top.caFile;
|
||||
inherit cert key;
|
||||
args = "-o - | grep podCIDR >/dev/null";
|
||||
})}
|
||||
'';
|
||||
systemd.services.flannel = mkIf top.flannel.enable {
|
||||
environment = { inherit (top.pki.certs.flannelClient) cert key; };
|
||||
unitConfig.ConditionPathExists = flannelPaths;
|
||||
};
|
||||
|
||||
systemd.paths.flannel = {
|
||||
systemd.paths.flannel = mkIf top.flannel.enable {
|
||||
wantedBy = [ "flannel.service" ];
|
||||
pathConfig = {
|
||||
PathExists = flannelPaths;
|
||||
|
@ -440,6 +453,7 @@ in
|
|||
};
|
||||
|
||||
systemd.services.kube-proxy = mkIf top.proxy.enable {
|
||||
environment = { inherit (top.pki.certs.kubeProxyClient) cert key; };
|
||||
unitConfig.ConditionPathExists = proxyPaths;
|
||||
};
|
||||
|
||||
|
@ -451,18 +465,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.kube-scheduler = mkIf top.scheduler.enable {
|
||||
unitConfig.ConditionPathExists = schedulerPaths;
|
||||
};
|
||||
|
||||
systemd.paths.kube-scheduler = mkIf top.scheduler.enable {
|
||||
wantedBy = [ "kube-scheduler.service" ];
|
||||
pathConfig = {
|
||||
PathExists = schedulerPaths;
|
||||
PathChanged = schedulerPaths;
|
||||
};
|
||||
};
|
||||
|
||||
services.kubernetes = {
|
||||
|
||||
apiserver = mkIf top.apiserver.enable (with cfg.certs.apiServer; {
|
||||
|
|
|
@ -53,11 +53,10 @@ in
|
|||
before = [ "node-online.target" ];
|
||||
path = with pkgs; [ iptables conntrack_tools ];
|
||||
preStart = ''
|
||||
${top.lib.mkWaitCurl (with top.pki.certs.kubeProxyClient; {
|
||||
${top.lib.mkWaitCurl ( with config.systemd.services.kube-proxy; {
|
||||
path = "/api/v1/nodes/${top.kubelet.hostname}";
|
||||
cacert = top.caFile;
|
||||
inherit cert key;
|
||||
})}
|
||||
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
|
||||
'';
|
||||
serviceConfig = {
|
||||
Slice = "kubernetes.slice";
|
||||
|
|
|
@ -63,12 +63,11 @@ in
|
|||
after = [ "kube-apiserver.service" ];
|
||||
before = [ "kube-control-plane-online.target" ];
|
||||
preStart = ''
|
||||
${top.lib.mkWaitCurl (with top.pki.certs.schedulerClient; {
|
||||
${top.lib.mkWaitCurl ( with config.systemd.services.kube-scheduler; {
|
||||
sleep = 1;
|
||||
path = "/api";
|
||||
cacert = top.caFile;
|
||||
inherit cert key;
|
||||
})}
|
||||
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })}
|
||||
'';
|
||||
serviceConfig = {
|
||||
Slice = "kubernetes.slice";
|
||||
|
|