diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index a39fd62c689a..a28679dbb9a9 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -104,18 +104,30 @@ in }; ###### implementation - config = mkIf cfg.enable { - systemd.services.kube-controller-manager = { + config = let + + controllerManagerPaths = filter (a: a != null) [ + cfg.kubeconfig.caFile + cfg.kubeconfig.certFile + cfg.kubeconfig.keyFile + cfg.rootCaFile + cfg.serviceAccountKeyFile + cfg.tlsCertFile + cfg.tlsKeyFile + ]; + + in mkIf cfg.enable { + systemd.services.kube-controller-manager = rec { description = "Kubernetes Controller Manager Service"; wantedBy = [ "kube-control-plane-online.target" ]; after = [ "kube-apiserver.service" ]; before = [ "kube-control-plane-online.target" ]; + environment.KUBECONFIG = top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig; preStart = '' - ${top.lib.mkWaitCurl ( with config.systemd.services.kube-controller-manager; { - sleep = 1; - path = "/api"; - cacert = top.caFile; - } // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} + until kubectl auth can-i get /api -q 2>/dev/null; do + echo kubectl auth can-i get /api: exit status $? + sleep 2 + done ''; serviceConfig = { RestartSec = "30s"; @@ -128,7 +140,7 @@ in "--cluster-cidr=${cfg.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ + --kubeconfig=${environment.KUBECONFIG} \ --leader-elect=${boolToString cfg.leaderElect} \ ${optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ 
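Review bot: The new preStart loop throws away the only diagnostic it has: `2>/dev/null` drops kubectl's stderr and the following `echo` reports just the exit status, so an unreachable API server, a broken kubeconfig and an RBAC denial all log identically as `exit status 1`, and since `kubectl auth can-i` exits 1 for a denial as well as for a connection failure, a permanent authorization problem makes the loop spin until systemd's start timeout (presumably the default) kills the unit and RestartSec schedules it again. Keeping stderr is enough to make the journal useful, e.g. `until kubectl auth can-i get /api -q; do` with `echo "kubectl auth can-i get /api: exit status $?" >&2`. A short comment above the loop stating that the wait is deliberately unbounded and relies on the unit's restart settings would also help the next reader, since `Restart` is not visible in this hunk.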
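Review bot: `--kubeconfig=${environment.KUBECONFIG}` only resolves because the service definition in the first hunk was turned into `rec { … }`; inside a NixOS module `environment` is also an option other modules may set, so the self-reference binds to this file's local definition rather than the merged value, and `rec` on a module's config set is brittle under later refactors. The commit already introduces a `let` above the service, so the value can be bound there instead: `kubeconfig = top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig;`, then `environment.KUBECONFIG = kubeconfig;` and `--kubeconfig=${kubeconfig} \`, and the `rec` can be dropped. The ExecStart string this hunk edits begins and ends outside the hunk.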
@@ -149,7 +161,16 @@ in User = "kubernetes"; Group = "kubernetes"; }; - path = top.path; + path = top.path ++ [ pkgs.kubectl ]; + unitConfig.ConditionPathExists = controllerManagerPaths; + }; + + systemd.paths.kube-controller-manager = { + wantedBy = [ "kube-controller-manager.service" ]; + pathConfig = { + PathExists = controllerManagerPaths; + PathChanged = controllerManagerPaths; + }; }; services.kubernetes.pki.certs = with top.lib; { diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 85e1fc9671c6..3c7af73e0b9a 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -136,13 +136,6 @@ in cfg.certs.schedulerClient.cert cfg.certs.schedulerClient.key ]; - controllerManagerPaths = [ - top.controllerManager.rootCaFile - top.controllerManager.tlsCertFile - top.controllerManager.tlsKeyFile - cfg.certs.controllerManagerClient.cert - cfg.certs.controllerManagerClient.key - ]; kubeletPaths = [ top.kubelet.clientCaFile top.kubelet.tlsCertFile @@ -307,19 +300,6 @@ in }; }; - systemd.services.kube-controller-manager = mkIf top.controllerManager.enable { - environment = { inherit (cfg.certs.controllerManagerClient) cert key; }; - unitConfig.ConditionPathExists = controllerManagerPaths; - }; - - systemd.paths.kube-controller-manager = mkIf top.controllerManager.enable { - wantedBy = [ "kube-controller-manager.service" ]; - pathConfig = { - PathExists = controllerManagerPaths; - PathChanged = controllerManagerPaths; - }; - }; - systemd.services.kube-scheduler = mkIf top.scheduler.enable { environment = { inherit (top.pki.certs.schedulerClient) cert key; }; unitConfig.ConditionPathExists = schedulerPaths;
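Review bot: `systemd.paths.kube-controller-manager` with `PathChanged = controllerManagerPaths` starts the service when a listed certificate or key changes, but a path unit only activates its target; a controller manager that is already running is not restarted, so a rotated key or certificate (as opposed to one that appears later) is not picked up until the next restart. The same definitions are deleted from pki.nix further down, so the behaviour is moved rather than new, but the list now also covers the user-supplied `cfg.kubeconfig.caFile`/`certFile`/`keyFile` and this is worth stating next to the path unit, e.g. `# PathChanged/PathExists only (re)activate an inactive service; a running controller manager does not reload rotated credentials.` `pkgs.kubectl` added to `path` is what the kubectl-based preStart in the first hunk relies on; whether `pkgs` is among this module's arguments is outside the diff.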