Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/kubernetes: minor module fixes #56589

Merged
merged 1 commit into from
Mar 8, 2019
Merged

nixos/kubernetes: minor module fixes #56589

merged 1 commit into from
Mar 8, 2019

Conversation

johanot
Copy link
Contributor

@johanot johanot commented Mar 1, 2019

Motivation for this change

While testing the revamped kubernetes module on our existing staging cluster with easyCerts disabled, I discovered some minor flaws in the module:

  1. The name of the etcd instance must be mkDefault'ed, because otherwise we risk overriding existing etcd cluster names, and that could potentially lead to cluster re-initiation on existing setups.

  2. It's currently not possible to use the kubernetes.lib.mkKubeConfig function to generate a kubeconfig with a custom ca. It will always use the toplevel ca cert. This is fine for current easyCerts setup, where we don't have multiple CA's, but in existing setups this might cause problems. We

  3. Turns out adding TLS-server certs to the controller manager was never done as part of the revamp and therefore we never discovered that the --tls-key-file flag on kube-controller-manager was named incorrectly. Similar flag names differ across various k8s components, but in this case it must be --tls-private-key-file. We should add TLS-serving certs to the controller-manager in another PR.

cc @fpletz for review
please backport to 19.03 :)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@johanot johanot requested a review from infinisil as a code owner March 1, 2019 19:34
@GrahamcOfBorg GrahamcOfBorg added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild 10.rebuild-linux: 0 This PR does not cause any packages to rebuild labels Mar 1, 2019
@johanot
Copy link
Contributor Author

johanot commented Mar 5, 2019

re-ping @fpletz @calbrecht :-)

@calbrecht
Copy link
Member

He, the changes apply and it does not even rebuild the tests :) but i think they are sane nevertheless.
Confirming the flag has to be --tls-private-key-file from https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
👍

infinisil
infinisil requested changes Mar 8, 2019
View reviewed changes
nixos/modules/services/cluster/kubernetes/default.nix Outdated
@@ -10,7 +10,7 @@ let
kind = "Config";
clusters = [{
name = "local";
cluster.certificate-authority = cfg.caFile;
cluster.certificate-authority = if (hasAttr "caFile" conf) then conf.caFile else cfg.caFile;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as just conf.caFile or cfg.caFile

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@infinisil Right, thanks. Fixed now.

nixos/kubernetes: minor module fixes
80c4fd4 
- mkDefault etcd instance name
- make sure ca-cert in mkKubeConfig can be overriden
- fix controller-manager "tls-private-key-file" flag name
@johanot johanot force-pushed the kubernetes-module-stabilization branch from 01623c3 to 80c4fd4 Compare March 8, 2019 08:19
@infinisil infinisil merged commit 9fa52ae into NixOS:master Mar 8, 2019
@johanot
Copy link
Contributor Author

johanot commented Mar 8, 2019

Thanks @infinisil . Do you mind cherry-picking this to 19.03 please? Or should I create a new PR?

@infinisil
Copy link
Member

Cherry-picked to release-19.03 in 5831fe1 :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@infinisil infinisil infinisil approved these changes

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild 10.rebuild-linux: 0 This PR does not cause any packages to rebuild
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@johanot @calbrecht @infinisil @GrahamcOfBorg