Commit 9c870ac7 authored by vincent.cui's avatar vincent.cui
Browse files

nixos/kubernetes: fix pki's mkSpec function 

The `authority.file.path` field of a cert spec is
[defined as follows]
(https://github.com/cloudflare/certmgr/tree/v3.0.3#pki-specs):

> if this is included, the CA certificate will be saved here.
It follows the same file specification format above. Use this
if you want to save your CA cert to disk.

So certmgr fails, because each certmgr spec (apiserver,
addonManager, ...) wants to manage the file at the `cert.caCert`
location. However, the `authority.file.path` field is not needed
for generating a certificate, as the certificate is generated by
the CA, which is reachable at `authority.remote` (e.g.
https://localhost:8888 with `easyCerts = true`). The
`authority.file.path` field just saves the certificate of the CA
to disk.
parent 37b3df5f

nixos/modules/services/cluster/kubernetes/pki.nix

+0 −1
Original line number Diff line number Diff line
@@ -220,7 +220,6 @@ in 
            inherit (cert) action;

            authority = {

              inherit remote;

              file.path = cert.caCert;

              root_ca = cert.caCert;

              profile = "default";

              auth_key_file = certmgrAPITokenPath;