This repository was archived by the owner on Apr 12, 2021. It is now read-only.

Comparing changes

base repository: NixOS/nixpkgs-channels
base: 6ae33c9afeb4
head repository: NixOS/nixpkgs-channels
compare: 7f2f8f359fe0
Commits on Mar 3, 2019

  1. nixos/kubernetes: Add systemd path units

    to protect services from crashing and clobbering the logs when
    certificates are not in place yet and make sure services are activated
    when certificates are ready.
    
    To prevent errors similar to "kube-controller-manager.path: Failed to
    enter waiting state: Too many open files"
    fs.inotify.max_user_instances has to be increased.
    calbrecht committed Mar 3, 2019 (f9e2f76)
  2. nixos/kubernetes: Stabilize services startup across machines

    by adding targets and curl wait loops to services to ensure services
    are not started before the services they depend on are reachable.
    
    Extra targets cfssl-online.target and kube-apiserver-online.target
    synchronize starts across machines and node-online.target ensures
    docker is restarted and ready to deploy containers on after flannel
    has discussed the network cidr with apiserver.
    
    Since flannel needs to be started before addon-manager to configure
    the docker interface, it has to have its own rbac bootstrap service.
    
    The curl wait loops within the other services exist to ensure that when
    starting the service it is able to do its work immediately without
    clobbering the log about failing conditions.
    
    By ensuring kubernetes.target is only reached after starting the
    cluster it can be used in the tests as a wait condition.
    
    In kube-certmgr-bootstrap mkdir is needed for it to not fail to start.
    
    The following is the relevant part of systemctl list-dependencies
    
    default.target
    ● ├─certmgr.service
    ● ├─cfssl.service
    ● ├─docker.service
    ● ├─etcd.service
    ● ├─flannel.service
    ● ├─kubernetes.target
    ● │ ├─kube-addon-manager.service
    ● │ ├─kube-proxy.service
    ● │ ├─kube-apiserver-online.target
    ● │ │ ├─flannel-rbac-bootstrap.service
    ● │ │ ├─kube-apiserver-online.service
    ● │ │ ├─kube-apiserver.service
    ● │ │ ├─kube-controller-manager.service
    ● │ │ └─kube-scheduler.service
    ● │ └─node-online.target
    ● │   ├─node-online.service
    ● │   ├─flannel.target
    ● │   │ ├─flannel.service
    ● │   │ └─mk-docker-opts.service
    ● │   └─kubelet.target
    ● │     └─kubelet.service
    ● ├─network-online.target
    ● │ └─cfssl-online.target
    ● │   ├─certmgr.service
    ● │   ├─cfssl-online.service
    ● │   └─kube-certmgr-bootstrap.service
    calbrecht committed Mar 3, 2019 (62f0375)
  3. 51aeaaf
  4. cf8389c
  5. nixos/kubernetes: Seed docker images before kubelet service start

    to speed up startup time because it can be parallelized.
    calbrecht committed Mar 3, 2019 (fd28c0a)
  6. nixos/kubernetes: Put dashboard service account into bootstrapAddons

    to prevent errors in log about missing permissions when
    addon manager starts the dashboard.
    calbrecht committed Mar 3, 2019 (7df88bd)
  7. nixos/kubernetes: No need to restart services besides certmgr

    within the node join script, since certmgr is taking care of
    restarting services.
    calbrecht committed Mar 3, 2019 (74962bf)

Commits on Mar 6, 2019

  1. ff91d58
  2. 6e9037f
  3. 52fe1d2
  4. 7323b77
  5. 5684034
  6. e148cb0
  7. ff382c1

Commits on Mar 8, 2019

  1. nixos/kubernetes: Fix kube-control-plane-online must not be present

    outside kubernetes module.
    calbrecht committed Mar 8, 2019 (154356d)

Commits on Mar 11, 2019

  1. Cleanup pki: addon-manager

    calbrecht committed Mar 11, 2019 (ee9dd43)
  2. 8ab50cb
  3. ce83dc2
  4. Cleanup pki: flannel

    calbrecht committed Mar 11, 2019 (ea6985f)
  5. Cleanup pki: kubelet

    calbrecht committed Mar 11, 2019 (73657b7)
  6. Cleanup pki: proxy

    calbrecht committed Mar 11, 2019 (46653f8)
  7. Cleanup pki: scheduler

    calbrecht committed Mar 11, 2019 (50c5f48)
  8. 45e683f
  9. e3a80eb

Commits on Mar 15, 2019

  1. 2e29412

Commits on Mar 22, 2019

  1. 4158b5d
  2. 16a1601
  3. 1390b58

Commits on Mar 23, 2019

  1. bleachbit: drop unnecessary wrapPython input

    Per reviewer feedback, thanks!
    dtzWill committed Mar 23, 2019 (575df3a)

Commits on Mar 25, 2019

  1. bleachbit: use format="other", simplify.

    Patch by @worldbypeace, during PR review.  Thanks!
    dtzWill committed Mar 25, 2019 (34845f2)

Commits on Mar 26, 2019

  1. 455d1ca

Commits on Mar 31, 2019

  1. 3dbeaad

Commits on Apr 1, 2019

  1. 5be54d0

Commits on Apr 7, 2019

  1. nodePackages.joplin: init, cli note-taking app

    Companion to joplin-desktop!
    dtzWill committed Apr 7, 2019 (73bfe94)
  2. 1638aa6
  3. joplin: top-level \o/

    dtzWill committed Apr 7, 2019 (fd0570b)

Commits on Apr 13, 2019

  1. 9c08507

Commits on Apr 15, 2019

  1. numatop: init at 2.1

    dtzWill committed Apr 15, 2019 (0d600ae)
  2. numatop: improve description, as suggested during review (ty!)

    Co-Authored-By: dtzWill <github@wdtz.org>
    markuskowa and dtzWill committed Apr 15, 2019 (50fc2e7)
  3. numatop: platforms

    dtzWill committed Apr 15, 2019 (49ed37b)

Commits on Apr 16, 2019

  1. gitAndTools.pre-commit: 1.14.4 -> 1.15.1

    Semi-automatic update generated by
    https://github.com/ryantm/nixpkgs-update tools. This update was made
    based on information from
    https://repology.org/metapackage/pre-commit/versions
    r-ryantm committed Apr 16, 2019 (7b60fb4)
  2. python37Packages.wsproto: 0.13.0 -> 0.14.0

    Semi-automatic update generated by
    https://github.com/ryantm/nixpkgs-update tools. This update was made
    based on information from
    https://repology.org/metapackage/python3.7-wsproto/versions
    r-ryantm committed Apr 16, 2019 (2000ef6)
  3. 2013c91
  4. dd03b21
  5. 173e960
  6. 71c1b44
  7. ifuse: 1.1.3 -> 2018-10-08

    Switching to latest master, as there hasn't been a new release in a
    while, see libimobiledevice/ifuse#34
    infinisil committed Apr 16, 2019 (8d5252b)
  8. 768e9b1

Commits on Apr 17, 2019

  1. 1e6fec0
  2. f9d9c61
Showing with 4,773 additions and 2,607 deletions.
  1. +6 −3 lib/fixed-points.nix
  2. +79 −4 nixos/modules/services/cluster/kubernetes/addon-manager.nix
  3. +21 −15 nixos/modules/services/cluster/kubernetes/addons/dashboard.nix
  4. +66 −3 nixos/modules/services/cluster/kubernetes/apiserver.nix
  5. +34 −5 nixos/modules/services/cluster/kubernetes/controller-manager.nix
  6. +26 −0 nixos/modules/services/cluster/kubernetes/default.nix
  7. +59 −9 nixos/modules/services/cluster/kubernetes/flannel.nix
  8. +77 −9 nixos/modules/services/cluster/kubernetes/kubelet.nix
  9. +92 −73 nixos/modules/services/cluster/kubernetes/pki.nix
  10. +31 −6 nixos/modules/services/cluster/kubernetes/proxy.nix
  11. +30 −4 nixos/modules/services/cluster/kubernetes/scheduler.nix
  12. +4 −1 nixos/tests/kubernetes/base.nix
  13. +3 −0 nixos/tests/kubernetes/dns.nix
  14. +4 −0 nixos/tests/kubernetes/rbac.nix
  15. +5 −1 pkgs/applications/editors/vscode/default.nix
  16. +14 −14 pkgs/applications/misc/bleachbit/default.nix
  17. +139 −0 pkgs/applications/misc/stretchly/default.nix
  18. +6 −4 pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix
  19. +2 −2 pkgs/applications/networking/instant-messengers/signal-desktop/default.nix
  20. +0 −30 pkgs/applications/networking/irc/chatzilla/default.nix
  21. +2 −2 pkgs/applications/networking/protonmail-bridge/default.nix
  22. +6 −0 pkgs/applications/science/math/sage/sage-src.nix
  23. +2 −2 pkgs/applications/version-management/git-and-tools/pre-commit/default.nix
  24. +3 −1 pkgs/desktops/gnome-3/core/gnome-control-center/default.nix
  25. +8 −2 pkgs/desktops/gnome-3/core/grilo-plugins/default.nix
  26. +3 −3 pkgs/desktops/gnome-3/extensions/sound-output-device-chooser/default.nix
  27. +3 −3 pkgs/desktops/gnome-3/extensions/window-corner-preview/default.nix
  28. +5 −5 pkgs/development/compilers/openjdk/11.nix
  29. +10 −10 pkgs/development/compilers/openjdk/8.nix
  30. +2 −2 pkgs/development/compilers/scala/dotty-bare.nix
  31. +2 −5 pkgs/development/libraries/dleyna-renderer/default.nix
  32. +130 −0 pkgs/development/libraries/dleyna-renderer/gupnp-1.2.diff
  33. +0 −4 pkgs/development/libraries/glibc/common.nix
  34. +11 −6 pkgs/development/libraries/hivex/default.nix
  35. +4 −4 pkgs/development/libraries/libimobiledevice/default.nix
  36. +4 −4 pkgs/development/libraries/libplist/default.nix
  37. +4 −4 pkgs/development/libraries/libusbmuxd/default.nix
  38. +4 −4 pkgs/development/libraries/qtstyleplugin-kvantum-qt4/default.nix
  39. +2 −2 pkgs/development/libraries/qtstyleplugin-kvantum/default.nix
  40. +14 −0 pkgs/development/node-packages/default-v10.nix
  41. +1 −0 pkgs/development/node-packages/node-packages-v10.json
  42. +3,651 −2,233 pkgs/development/node-packages/node-packages-v10.nix
  43. +8 −8 pkgs/development/node-packages/node-packages-v6.nix
  44. +29 −11 pkgs/development/node-packages/node-packages-v8.nix
  45. +0 −6 pkgs/development/python-modules/azure-mgmt-network/default.nix
  46. +2 −2 pkgs/development/python-modules/python-language-server/default.nix
  47. +8 −3 pkgs/development/python-modules/wsproto/default.nix
  48. +2 −2 pkgs/development/python-modules/xdot/default.nix
  49. +2 −2 pkgs/development/ruby-modules/bundix/default.nix
  50. +4 −4 pkgs/development/tools/continuous-integration/gitlab-runner/default.nix
  51. +4 −5 pkgs/development/tools/go-langserver/default.nix
  52. +2 −2 pkgs/os-specific/linux/kernel/linux-4.14.nix
  53. +2 −2 pkgs/os-specific/linux/kernel/linux-4.19.nix
  54. +2 −2 pkgs/os-specific/linux/kernel/linux-4.9.nix
  55. +2 −2 pkgs/os-specific/linux/kernel/linux-5.0.nix
  56. +2 −2 pkgs/os-specific/linux/musl/default.nix
  57. +27 −0 pkgs/os-specific/linux/numatop/default.nix
  58. +36 −0 pkgs/os-specific/linux/zfs/build-fixes-unstable.patch
  59. +3 −6 pkgs/os-specific/linux/zfs/default.nix
  60. +3 −3 pkgs/servers/monitoring/grafana/default.nix
  61. +4 −4 pkgs/tools/filesystems/ifuse/default.nix
  62. +5 −5 pkgs/tools/misc/ideviceinstaller/default.nix
  63. +4 −4 pkgs/tools/misc/usbmuxd/default.nix
  64. +2 −2 pkgs/tools/misc/youtube-dl/default.nix
  65. +3 −18 pkgs/tools/package-management/nixops/default.nix
  66. +3 −8 pkgs/tools/package-management/nixops/generic.nix
  67. +31 −0 pkgs/tools/package-management/nixops/nixops-v1_6_1.nix
  68. +3 −20 pkgs/tools/package-management/nixops/unstable.nix
  69. +11 −5 pkgs/top-level/all-packages.nix
9 changes: 6 additions & 3 deletions lib/fixed-points.nix
@@ -30,9 +30,12 @@ rec {
# nix-repl> converge (x: x / 2) 16
# 0
converge = f: x:
if (f x) == x
then x
else converge f (f x);
let
x' = f x;
in
if x' == x
then x
else converge f x';

# Modify the contents of an explicitly recursive attribute set in a way that
# honors `self`-references. This is accomplished with a function
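Review bot: the new `let x' = f x; in` binding makes `converge` evaluate `f x` once per iteration instead of twice, which matters because Nix does not memoize function applications (only the thunk bound by `let` is shared); since the old and new bodies are otherwise equivalent, state that motivation in the comment above the definition so the next reader does not undo it as a no-op refactor. The documented example `converge (x: x / 2) 16` still terminates at 0, where `f 0 == 0`.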
83 changes: 79 additions & 4 deletions nixos/modules/services/cluster/kubernetes/addon-manager.nix
@@ -63,18 +63,49 @@ in
};

enable = mkEnableOption "Whether to enable Kubernetes addon manager.";

kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager";
bootstrapAddonsKubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager bootstrap";
};

###### implementation
config = mkIf cfg.enable {
config = let

addonManagerPaths = filter (a: a != null) [
cfg.kubeconfig.caFile
cfg.kubeconfig.certFile
cfg.kubeconfig.keyFile
];
bootstrapAddonsPaths = filter (a: a != null) [
cfg.bootstrapAddonsKubeconfig.caFile
cfg.bootstrapAddonsKubeconfig.certFile
cfg.bootstrapAddonsKubeconfig.keyFile
];

in mkIf cfg.enable {
environment.etc."kubernetes/addons".source = "${addons}/";

#TODO: Get rid of kube-addon-manager in the future for the following reasons
# - it is basically just a shell script wrapped around kubectl
# - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount
# - it is designed to be used with k8s system components only
# - it would be better with a more Nix-oriented way of managing addons
systemd.services.kube-addon-manager = {
description = "Kubernetes addon manager";
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
environment.ADDON_PATH = "/etc/kubernetes/addons/";
path = [ pkgs.gawk ];
after = [ "kube-node-online.target" ];
before = [ "kubernetes.target" ];
environment = {
ADDON_PATH = "/etc/kubernetes/addons/";
KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager" cfg.kubeconfig;
};
path = with pkgs; [ gawk kubectl ];
preStart = ''
until kubectl -n kube-system get serviceaccounts/default 2>/dev/null; do
echo kubectl -n kube-system get serviceaccounts/default: exit status $?
sleep 2
done
'';
serviceConfig = {
Slice = "kubernetes.slice";
ExecStart = "${top.package}/bin/kube-addons";
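Review bot: `unitConfig.ConditionPathExists = addonManagerPaths;` turns a missing certificate into a skipped start rather than a failed one, which is the intended log-quieting effect, but it also means `systemctl status kube-addon-manager` shows only that a condition failed and nothing in the journal says which file is absent; document in the `kubeconfig` option description that the service stays inactive until `kube-addon-manager.path` has seen every listed file, so operators know to look at the path unit rather than the service log. Minor and pre-existing in the context lines: `mkEnableOption "Whether to enable Kubernetes addon manager."` produces the description "Whether to enable Whether to enable ..." because `mkEnableOption` adds that prefix itself; the argument should be just `"Kubernetes addon manager"`.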
@@ -84,8 +115,52 @@ in
Restart = "on-failure";
RestartSec = 10;
};
unitConfig.ConditionPathExists = addonManagerPaths;
};

systemd.paths.kube-addon-manager = {
wantedBy = [ "kube-addon-manager.service" ];
pathConfig = {
PathExists = addonManagerPaths;
PathChanged = addonManagerPaths;
};
};

services.kubernetes.addonManager.kubeconfig.server = mkDefault top.apiserverAddress;

systemd.services.kube-addon-manager-bootstrap = mkIf (top.apiserver.enable && top.addonManager.bootstrapAddons != {}) {
wantedBy = [ "kube-control-plane-online.target" ];
after = [ "kube-apiserver.service" ];
before = [ "kube-control-plane-online.target" ];
path = [ pkgs.kubectl ];
environment = {
KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager-bootstrap" cfg.bootstrapAddonsKubeconfig;
};
preStart = with pkgs; let
files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v))
cfg.bootstrapAddons;
in ''
until kubectl auth can-i '*' '*' -q 2>/dev/null; do
echo kubectl auth can-i '*' '*': exit status $?
sleep 2
done
kubectl apply -f ${concatStringsSep " \\\n -f " files}
'';
script = "echo Ok";
unitConfig.ConditionPathExists = bootstrapAddonsPaths;
};

systemd.paths.kube-addon-manager-bootstrap = {
wantedBy = [ "kube-addon-manager-bootstrap.service" ];
pathConfig = {
PathExists = bootstrapAddonsPaths;
PathChanged = bootstrapAddonsPaths;
};
};

services.kubernetes.addonManager.bootstrapAddonsKubeconfig.server = mkDefault top.apiserverAddress;

services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled
(let
name = system:kube-addon-manager;
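Review bot: the bootstrap unit blocks on `kubectl auth can-i '*' '*' -q`, so it does not proceed until `bootstrapAddonsKubeconfig` carries cluster-admin-equivalent rights; keeping that identity separate from the `cfg.kubeconfig` used by the long-running addon manager is the right split, and the two option descriptions should say so ("privileged, used once at bootstrap" versus "runtime identity") rather than both reading "Kubernetes addon manager". Two smaller points: all the work happens in `preStart` while `script = "echo Ok"` runs with no `serviceConfig.Type`, so this is a `simple` service that exits immediately; `Type = "oneshot"` with `RemainAfterExit = true` would make the `kubectl apply` the actual start command and keep the unit visibly active for the `before = [ "kube-control-plane-online.target" ]` ordering. And the trailing context line `name = system:kube-addon-manager;` parses in Nix as a lambda (`system: kube-addon-manager`), not as a string; if it is meant to be the RBAC subject name it needs quotes, so check how `name` is used past the end of this hunk.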
36 changes: 21 additions & 15 deletions nixos/modules/services/cluster/kubernetes/addons/dashboard.nix
@@ -169,6 +169,23 @@ in {
};
};

kubernetes-dashboard-cm = {
apiVersion = "v1";
kind = "ConfigMap";
metadata = {
labels = {
k8s-app = "kubernetes-dashboard";
# Allows editing resource and makes sure it is created first.
"addonmanager.kubernetes.io/mode" = "EnsureExists";
};
name = "kubernetes-dashboard-settings";
namespace = "kube-system";
};
};
};

services.kubernetes.addonManager.bootstrapAddons = mkMerge [{

kubernetes-dashboard-sa = {
apiVersion = "v1";
kind = "ServiceAccount";
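Review bot: moving `kubernetes-dashboard-cm` into `addons` while `kubernetes-dashboard-sa` moves into `bootstrapAddons` is only half-explained by the `EnsureExists` comment carried over with the ConfigMap; add a comment at the top of the `bootstrapAddons` block saying the ServiceAccount is created through the privileged bootstrap kubeconfig, and name the permission error the addon manager otherwise logs when it starts the dashboard under its own `cfg.kubeconfig` (the commit message mentions "missing permissions" without saying which).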
@@ -210,20 +227,9 @@ in {
};
type = "Opaque";
};
kubernetes-dashboard-cm = {
apiVersion = "v1";
kind = "ConfigMap";
metadata = {
labels = {
k8s-app = "kubernetes-dashboard";
# Allows editing resource and makes sure it is created first.
"addonmanager.kubernetes.io/mode" = "EnsureExists";
};
name = "kubernetes-dashboard-settings";
namespace = "kube-system";
};
};
} // (optionalAttrs cfg.rbac.enable
}

(optionalAttrs cfg.rbac.enable
(let
subjects = [{
kind = "ServiceAccount";
@@ -323,6 +329,6 @@ in {
inherit subjects;
};
})
));
))];
};
}
69 changes: 66 additions & 3 deletions nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -184,6 +184,18 @@ in
type = bool;
};

proxyClientCertFile = mkOption {
description = "Client certificate to use for connections to proxy.";
default = null;
type = nullOr path;
};

proxyClientKeyFile = mkOption {
description = "Key to use for connections to proxy.";
default = null;
type = nullOr path;
};

runtimeConfig = mkOption {
description = ''
Api runtime configuration. See
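Review bot: the descriptions "Client certificate to use for connections to proxy." and "Key to use for connections to proxy." do not say which proxy; these feed `--proxy-client-cert-file`/`--proxy-client-key-file` in the next hunk, the credentials kube-apiserver presents when it forwards requests to aggregated extension API servers through the front proxy, and the certificate added later in this file is issued with `CN = "front-proxy-client"`. Suggest `description = "Client certificate the API server uses to authenticate to aggregated API servers (front proxy client).";` and the matching wording for the key, plus a sentence noting that extension servers only accept it through their requestheader CA configuration.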
@@ -272,11 +284,32 @@ in
###### implementation
config = mkMerge [

(mkIf cfg.enable {
(let

apiserverPaths = filter (a: a != null) [
cfg.clientCaFile
cfg.etcd.caFile
cfg.etcd.certFile
cfg.etcd.keyFile
cfg.kubeletClientCaFile
cfg.kubeletClientCertFile
cfg.kubeletClientKeyFile
cfg.serviceAccountKeyFile
cfg.tlsCertFile
cfg.tlsKeyFile
];
etcdPaths = filter (a: a != null) [
config.services.etcd.trustedCaFile
config.services.etcd.certFile
config.services.etcd.keyFile
];

in mkIf cfg.enable {
systemd.services.kube-apiserver = {
description = "Kubernetes APIServer Service";
wantedBy = [ "kubernetes.target" ];
after = [ "network.target" ];
wantedBy = [ "kube-control-plane-online.target" ];
after = [ "certmgr.service" ];
before = [ "kube-control-plane-online.target" ];
serviceConfig = {
Slice = "kubernetes.slice";
ExecStart = ''${top.package}/bin/kube-apiserver \
@@ -316,6 +349,10 @@ in
"--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \
${optionalString (cfg.kubeletClientKeyFile != null)
"--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \
${optionalString (cfg.proxyClientCertFile != null)
"--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \
${optionalString (cfg.proxyClientKeyFile != null)
"--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \
--insecure-bind-address=${cfg.insecureBindAddress} \
--insecure-port=${toString cfg.insecurePort} \
${optionalString (cfg.runtimeConfig != "")
@@ -341,6 +378,15 @@ in
Restart = "on-failure";
RestartSec = 5;
};
unitConfig.ConditionPathExists = apiserverPaths;
};

systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
wantedBy = [ "kube-apiserver.service" ];
pathConfig = {
PathExists = apiserverPaths;
PathChanged = apiserverPaths;
};
};

services.etcd = {
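Review bot: `systemd.paths.kube-apiserver = mkIf top.apiserver.enable { ... }` sits inside a block that is already under `mkIf cfg.enable`; if `cfg` is `top.apiserver` here, as elsewhere in this module, the inner `mkIf` is redundant and should go, for consistency with `systemd.paths.etcd` below. Also, `PathChanged = apiserverPaths;` fires whenever certmgr rewrites a certificate, but starting an already-running `kube-apiserver.service` is a no-op, so certificate rotation is actually handled by the `action = "systemctl restart kube-apiserver.service"` on the certs, not by this path unit; a one-line comment that the path unit only gates the initial start would prevent that confusion.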
@@ -354,6 +400,18 @@ in
initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"];
};

systemd.services.etcd = {
unitConfig.ConditionPathExists = etcdPaths;
};

systemd.paths.etcd = {
wantedBy = [ "etcd.service" ];
pathConfig = {
PathExists = etcdPaths;
PathChanged = etcdPaths;
};
};

services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled {

apiserver-kubelet-api-admin-crb = {
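Review bot: `etcdPaths` filters out nulls, so for an etcd configured without TLS (`trustedCaFile`, `certFile` and `keyFile` all null) it is `[]`, and `systemd.paths.etcd` is then emitted with no `PathExists`/`PathChanged` entries at all; systemd refuses to load a path unit that has no Path* setting ("Path unit lacks path setting"), so every daemon-reload logs an error for `etcd.path` while `etcd.service` itself still starts, since an empty `ConditionPathExists` imposes no condition. Wrap both the `unitConfig.ConditionPathExists` and the path unit in `mkIf (etcdPaths != [])`, and apply the same guard to the other `*Paths` lists in this series, whose kubeconfig files can likewise all be null.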
@@ -389,6 +447,11 @@ in
] ++ cfg.extraSANs;
action = "systemctl restart kube-apiserver.service";
};
apiserverProxyClient = mkCert {
name = "kube-apiserver-proxy-client";
CN = "front-proxy-client";
action = "systemctl restart kube-apiserver.service";
};
apiserverKubeletClient = mkCert {
name = "kube-apiserver-kubelet-client";
CN = "system:kube-apiserver";
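Review bot: `apiserverProxyClient` is issued through the same `mkCert` helper, and therefore presumably the same CA, as `apiserverKubeletClient` directly below it. The upstream aggregation-layer guidance is to use a dedicated front-proxy CA for this certificate: an extension API server configured with `--requestheader-client-ca-file` trusts any certificate chaining to that CA to assert `X-Remote-User`/`X-Remote-Group` headers, so if the front-proxy client shares a CA with ordinary cluster client certificates, every holder of such a certificate can impersonate arbitrary users towards aggregated APIs. At minimum document this limitation next to the new `proxyClientCertFile` option; better, give pki.nix a second CA for the front proxy.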
39 changes: 34 additions & 5 deletions nixos/modules/services/cluster/kubernetes/controller-manager.nix
@@ -104,11 +104,31 @@ in
};

###### implementation
config = mkIf cfg.enable {
systemd.services.kube-controller-manager = {
config = let

controllerManagerPaths = filter (a: a != null) [
cfg.kubeconfig.caFile
cfg.kubeconfig.certFile
cfg.kubeconfig.keyFile
cfg.rootCaFile
cfg.serviceAccountKeyFile
cfg.tlsCertFile
cfg.tlsKeyFile
];

in mkIf cfg.enable {
systemd.services.kube-controller-manager = rec {
description = "Kubernetes Controller Manager Service";
wantedBy = [ "kubernetes.target" ];
wantedBy = [ "kube-control-plane-online.target" ];
after = [ "kube-apiserver.service" ];
before = [ "kube-control-plane-online.target" ];
environment.KUBECONFIG = top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig;
preStart = ''
until kubectl auth can-i get /api -q 2>/dev/null; do
echo kubectl auth can-i get /api: exit status $?
sleep 2
done
'';
serviceConfig = {
RestartSec = "30s";
Restart = "on-failure";
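Review bot: the `until kubectl auth can-i get /api -q 2>/dev/null; do ... sleep 2; done` loop in `preStart` has no bound of its own, so it runs until systemd's default `TimeoutStartSec` (90 s) kills the unit, which then restarts after `RestartSec = "30s"` with a timeout failure in the journal, exactly the noise this series sets out to remove; set `serviceConfig.TimeoutStartSec` generously (the `kube-control-plane-online` unit in default.nix uses `TimeoutSec = "500"`) or cap the loop. Note also that `rec` on the unit attrset means `${environment.KUBECONFIG}` resolves only within this definition, so another module setting `systemd.services.kube-controller-manager.environment.KUBECONFIG` would not be reflected in the `--kubeconfig` flag.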
@@ -120,7 +140,7 @@ in
"--cluster-cidr=${cfg.clusterCidr}"} \
${optionalString (cfg.featureGates != [])
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
--kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \
--kubeconfig=${environment.KUBECONFIG} \
--leader-elect=${boolToString cfg.leaderElect} \
${optionalString (cfg.rootCaFile!=null)
"--root-ca-file=${cfg.rootCaFile}"} \
@@ -141,7 +161,16 @@ in
User = "kubernetes";
Group = "kubernetes";
};
path = top.path;
path = top.path ++ [ pkgs.kubectl ];
unitConfig.ConditionPathExists = controllerManagerPaths;
};

systemd.paths.kube-controller-manager = {
wantedBy = [ "kube-controller-manager.service" ];
pathConfig = {
PathExists = controllerManagerPaths;
PathChanged = controllerManagerPaths;
};
};

services.kubernetes.pki.certs = with top.lib; {
26 changes: 26 additions & 0 deletions nixos/modules/services/cluster/kubernetes/default.nix
@@ -263,6 +263,30 @@ in {
wantedBy = [ "multi-user.target" ];
};

systemd.targets.kube-control-plane-online = {
wantedBy = [ "kubernetes.target" ];
before = [ "kubernetes.target" ];
};

systemd.services.kube-control-plane-online = rec {
description = "Kubernetes control plane is online";
wantedBy = [ "kube-control-plane-online.target" ];
after = [ "kube-scheduler.service" "kube-controller-manager.service" ];
before = [ "kube-control-plane-online.target" ];
environment.KUBECONFIG = cfg.lib.mkKubeConfig "default" cfg.kubeconfig;
path = [ pkgs.kubectl ];
preStart = ''
until kubectl get --raw=/healthz 2>/dev/null; do
echo kubectl get --raw=/healthz: exit status $?
sleep 3
done
'';
script = "echo Ok";
serviceConfig = {
TimeoutSec = "500";
};
};

systemd.tmpfiles.rules = [
"d /opt/cni/bin 0755 root root -"
"d /run/kubernetes 0755 kubernetes kubernetes -"
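Review bot: `kube-control-plane-online` does its real work in `preStart` and has `script = "echo Ok"` with no `serviceConfig.Type`, so it runs as `simple`, is considered started as soon as `echo` is forked and goes inactive right after; `Type = "oneshot"` with `RemainAfterExit = true`, and the `/healthz` loop as the script itself, would give `kubernetes.target` and the tests a unit whose active state actually means "the control plane answered /healthz". `TimeoutSec = "500"` is the right kind of bound for the loop; the other wait loops in this series (controller-manager, addon-manager) lack an equivalent setting.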
@@ -286,6 +310,8 @@ in {
services.kubernetes.apiserverAddress = mkDefault ("https://${if cfg.apiserver.advertiseAddress != null
then cfg.apiserver.advertiseAddress
else "${cfg.masterAddress}:${toString cfg.apiserver.securePort}"}");

services.kubernetes.kubeconfig.server = mkDefault cfg.apiserverAddress;
})
];
}