From 8f5bce792f1ac86e2401b87f12a98a18bb1fc3b1 Mon Sep 17 00:00:00 2001 From: pennae Date: Sat, 8 Jan 2022 06:59:18 +0100 Subject: [PATCH 1/2] Revert "nixos/kubernetes: make lib option internal and readonly" This reverts commit 7e28421e1704c95c056f2b2e7fc27a7569182e0f. --- .../services/cluster/kubernetes/controller-manager.nix | 7 +++---- nixos/modules/services/cluster/kubernetes/default.nix | 2 -- nixos/modules/services/cluster/kubernetes/kubelet.nix | 7 +++---- nixos/modules/services/cluster/kubernetes/pki.nix | 9 ++++----- nixos/modules/services/cluster/kubernetes/proxy.nix | 7 +++---- nixos/modules/services/cluster/kubernetes/scheduler.nix | 7 +++---- 6 files changed, 16 insertions(+), 23 deletions(-) diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index 6d54659720cb0..ed25715fab7d7 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -6,7 +6,6 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.controllerManager; - klib = options.services.kubernetes.lib.default; in { imports = [ @@ -57,7 +56,7 @@ in type = int; }; - kubeconfig = klib.mkKubeConfigOptions "Kubernetes controller manager"; + kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager"; leaderElect = mkOption { description = "Whether to start leader election before executing main loop."; 
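Review bot: In the `@@ -57,7 +56,7 @@` hunk, `kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager";` reads `config.services.kubernetes.lib` while declaring an option, so this module's options can no longer be evaluated without evaluating its config, and nothing at the call site records that coupling; the second patch in this series appears to work around exactly that by marking every kubernetes module `buildDocsInSandbox = false`. A one-line comment on the new line, `# top.lib is a config value, so this option declaration forces config evaluation`, would make the dependency visible to the next maintainer. If the helpers are only meant to be shared between the modules in this directory, binding them in a `let` from a plain Nix file imported by each module, instead of threading them through an option, would remove the coupling entirely; that is a design suggestion and not something the hunk shows to be required. The surrounding `options` attrset starts and ends outside the hunk.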
@@ -130,7 +129,7 @@ in "--cluster-cidr=${cfg.clusterCidr}"} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${klib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ ${optionalString (cfg.rootCaFile!=null) "--root-ca-file=${cfg.rootCaFile}"} \ @@ -157,7 +156,7 @@ in path = top.path; }; - services.kubernetes.pki.certs = with klib; { + services.kubernetes.pki.certs = with top.lib; { controllerManager = mkCert { name = "kube-controller-manager"; CN = "kube-controller-manager"; diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 715c88ad88c7f..17625d97136c2 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -193,8 +193,6 @@ in { inherit mkKubeConfigOptions; }; type = types.attrs; - readOnly = true; - internal = true; }; secretsPath = mkOption { diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 2d58547ce4cee..3e8eac96f6bac 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -6,7 +6,6 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.kubelet; - klib = options.services.kubernetes.lib.default; cniConfig = if cfg.cni.config != [] && cfg.cni.configDir != null then @@ -28,7 +27,7 @@ let config.Cmd = ["/bin/pause"]; }; - kubeconfig = klib.mkKubeConfig "kubelet" cfg.kubeconfig; + kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig; manifestPath = "kubernetes/manifests"; 
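Review bot: With `readOnly = true;` and `internal = true;` dropped from `services.kubernetes.lib` in the default.nix hunk, the helper set that the other hunks on this line consume as `top.lib` (`mkKubeConfig` for the kubelet kubeconfig, `mkCert` for the controller-manager certificate) is the merged value of a `types.attrs` option that any imported module may define; `types.attrs` merges definitions with `//`, so a definition of `services.kubernetes.lib.mkKubeConfig` silently replaces the function that produces every component's kubeconfig, including the cluster-admin one built in pki.nix. This is the same trust domain as the rest of the NixOS configuration, so it is not a privilege boundary, but it is an undocumented override point on credential and certificate generation that the reverted commit had closed. If `readOnly` itself is not what breaks the sandboxed manual build, keeping `readOnly = true;` preserves the guarantee that `top.lib` is exactly the module's own helpers; otherwise the option needs a comment, `# overriding entries here replaces kubeconfig/certificate generation for every component`, stating that it is deliberately open.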
@@ -178,7 +177,7 @@ in type = str; }; - kubeconfig = klib.mkKubeConfigOptions "Kubelet"; + kubeconfig = top.lib.mkKubeConfigOptions "Kubelet"; manifests = mkOption { description = "List of manifests to bootstrap with kubelet (only pods can be created as manifest entry)"; @@ -359,7 +358,7 @@ in services.kubernetes.kubelet.hostname = with config.networking; mkDefault (hostName + optionalString (domain != null) ".${domain}"); - services.kubernetes.pki.certs = with klib; { + services.kubernetes.pki.certs = with top.lib; { kubelet = mkCert { name = "kubelet"; CN = top.kubelet.hostname; diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 00d572a509888..76ab03cd520ba 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -1,11 +1,10 @@ -{ config, options, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: with lib; let top = config.services.kubernetes; cfg = top.pki; - klib = options.services.kubernetes.lib; csrCA = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON { key = { @@ -30,7 +29,7 @@ let cfsslAPITokenLength = 32; clusterAdminKubeconfig = with cfg.certs.clusterAdmin; - klib.mkKubeConfig "cluster-admin" { + top.lib.mkKubeConfig "cluster-admin" { server = top.apiserverAddress; certFile = cert; keyFile = key; @@ -251,7 +250,7 @@ in # - it would be better with a more Nix-oriented way of managing addons systemd.services.kube-addon-manager = mkIf top.addonManager.enable (mkMerge [{ environment.KUBECONFIG = with cfg.certs.addonManager; - klib.mkKubeConfig "addon-manager" { + top.lib.mkKubeConfig "addon-manager" { server = top.apiserverAddress; certFile = cert; keyFile = key; @@ -344,7 +343,7 @@ in ''; services.flannel = with cfg.certs.flannelClient; { - kubeconfig = klib.mkKubeConfig "flannel" { + kubeconfig = top.lib.mkKubeConfig "flannel" { server = top.apiserverAddress; certFile = cert; keyFile = key; 
diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 986301f6bd951..5f3da034120b7 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -6,7 +6,6 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.proxy; - klib = options.services.kubernetes.lib.default; in { imports = [ @@ -44,7 +43,7 @@ in type = str; }; - kubeconfig = klib.mkKubeConfigOptions "Kubernetes proxy"; + kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy"; verbosity = mkOption { description = '' @@ -73,7 +72,7 @@ in ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ --hostname-override=${cfg.hostname} \ - --kubeconfig=${klib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ ${cfg.extraOpts} ''; @@ -89,7 +88,7 @@ in services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName; services.kubernetes.pki.certs = { - kubeProxyClient = klib.mkCert { + kubeProxyClient = top.lib.mkCert { name = "kube-proxy-client"; CN = "system:kube-proxy"; action = "systemctl restart kube-proxy.service"; diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 442e3fe3a69f4..87263ee72fa43 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -6,7 +6,6 @@ let top = config.services.kubernetes; otop = options.services.kubernetes; cfg = top.scheduler; - klib = options.services.kubernetes.lib.default; in { ###### interface 
@@ -33,7 +32,7 @@ in type = listOf str; }; - kubeconfig = klib.mkKubeConfigOptions "Kubernetes scheduler"; + kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes scheduler"; leaderElect = mkOption { description = "Whether to start leader election before executing main loop."; @@ -70,7 +69,7 @@ in --address=${cfg.address} \ ${optionalString (cfg.featureGates != []) "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \ - --kubeconfig=${klib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ + --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \ --leader-elect=${boolToString cfg.leaderElect} \ --port=${toString cfg.port} \ ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \ @@ -88,7 +87,7 @@ in }; services.kubernetes.pki.certs = { - schedulerClient = klib.mkCert { + schedulerClient = top.lib.mkCert { name = "kube-scheduler-client"; CN = "system:kube-scheduler"; action = "systemctl restart kube-scheduler.service"; From 7b91df17fe7d16af4d79ff08b86483d99409304f Mon Sep 17 00:00:00 2001 
From: pennae Date: Sat, 8 Jan 2022 07:10:25 +0100 Subject: [PATCH 2/2] nixos/kubernetes: move all k8s docs out of the sandbox otherwise the manual won't build. ideally they'll move back into the sandbox at some point, but we're obviously not qualified to put them there. --- nixos/modules/services/cluster/kubernetes/addon-manager.nix | 1 + nixos/modules/services/cluster/kubernetes/addons/dns.nix | 2 ++ nixos/modules/services/cluster/kubernetes/apiserver.nix | 1 + .../modules/services/cluster/kubernetes/controller-manager.nix | 2 ++ nixos/modules/services/cluster/kubernetes/default.nix | 2 ++ nixos/modules/services/cluster/kubernetes/flannel.nix | 2 ++ nixos/modules/services/cluster/kubernetes/kubelet.nix | 2 ++ nixos/modules/services/cluster/kubernetes/pki.nix | 2 ++ nixos/modules/services/cluster/kubernetes/proxy.nix | 2 ++ nixos/modules/services/cluster/kubernetes/scheduler.nix | 2 ++ 10 files changed, 18 insertions(+) diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index 9159d5915eb77..b677d900ff50a 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -167,4 +167,5 @@ in }; }; + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/addons/dns.nix b/nixos/modules/services/cluster/kubernetes/addons/dns.nix index 10f45db7883f4..7bd4991f43f7b 100644 --- a/nixos/modules/services/cluster/kubernetes/addons/dns.nix +++ b/nixos/modules/services/cluster/kubernetes/addons/dns.nix @@ -363,4 +363,6 @@ in { services.kubernetes.kubelet.clusterDns = mkDefault cfg.clusterIp; }; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/apiserver.nix b/nixos/modules/services/cluster/kubernetes/apiserver.nix index 5b97c571d7639..a192e93badc23 100644 --- a/nixos/modules/services/cluster/kubernetes/apiserver.nix 
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix @@ -496,4 +496,5 @@ in ]; + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index ed25715fab7d7..7c317e94deebf 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -171,4 +171,6 @@ in services.kubernetes.controllerManager.kubeconfig.server = mkDefault top.apiserverAddress; }; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index 17625d97136c2..ae10657202d9c 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -313,4 +313,6 @@ in { else "${cfg.masterAddress}:${toString cfg.apiserver.securePort}"}"); }) ]; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixos/modules/services/cluster/kubernetes/flannel.nix index fecea7a15f3db..cb81eaaf01609 100644 --- a/nixos/modules/services/cluster/kubernetes/flannel.nix +++ b/nixos/modules/services/cluster/kubernetes/flannel.nix @@ -95,4 +95,6 @@ in }; }; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix index 3e8eac96f6bac..253355c20cb2f 100644 --- a/nixos/modules/services/cluster/kubernetes/kubelet.nix +++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix @@ -395,4 +395,6 @@ in }) ]; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 76ab03cd520ba..88bde4e915576 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix 
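Review bot: `meta.buildDocsInSandbox = false;` is added to default.nix, and to nine more modules across this patch, without a comment saying what makes the sandboxed documentation build fail, so nobody can tell when it is safe to remove even though the commit message says moving back into the sandbox is the intent. A short comment on the line, `# option declarations read config.services.kubernetes.lib (top.lib), which the docs sandbox cannot evaluate`, would record the condition for re-enabling it, with the caveat that the cause is inferred here because the series states only that "the manual won't build". The addon-manager.nix and apiserver.nix hunks also add the line without the blank line the other eight hunks insert before it; one layout should be used throughout. If only some of these modules actually read config in their option declarations, it is worth noting which, since a blanket flag on addon-manager.nix, addons/dns.nix and flannel.nix may be broader than necessary.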
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -401,4 +401,6 @@ in }; }; }); + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix index 5f3da034120b7..0fd98d1c15761 100644 --- a/nixos/modules/services/cluster/kubernetes/proxy.nix +++ b/nixos/modules/services/cluster/kubernetes/proxy.nix @@ -97,4 +97,6 @@ in services.kubernetes.proxy.kubeconfig.server = mkDefault top.apiserverAddress; }; + + meta.buildDocsInSandbox = false; } diff --git a/nixos/modules/services/cluster/kubernetes/scheduler.nix b/nixos/modules/services/cluster/kubernetes/scheduler.nix index 87263ee72fa43..2a522f1db89ce 100644 --- a/nixos/modules/services/cluster/kubernetes/scheduler.nix +++ b/nixos/modules/services/cluster/kubernetes/scheduler.nix @@ -96,4 +96,6 @@ in services.kubernetes.scheduler.kubeconfig.server = mkDefault top.apiserverAddress; }; + + meta.buildDocsInSandbox = false; }