Unverified Commit 9e23c379 authored by Felix Bühler's avatar Felix Bühler Committed by GitHub

Merge pull request #286032 from Stunkymonkey/k8s-pki-remove-chown

kubernetes: prefer 'install' over 'mkdir/chmod/chown'
parents 5dac2ab2 ffadbb67
+3 −5
@@ -174,9 +174,8 @@ in
      '')
      (optionalString cfg.genCfsslAPIToken ''
        if [ ! -f "${cfsslAPITokenPath}" ]; then
          head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ' >"${cfsslAPITokenPath}"
          install -u cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}"
        fi
        chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}"
      '')]);

    systemd.services.kube-certmgr-bootstrap = {
@@ -194,7 +193,7 @@ in
        if [ -f "${cfsslAPITokenPath}" ]; then
          ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}"
        else
          touch "${certmgrAPITokenPath}" && chmod 600 "${certmgrAPITokenPath}"
          install -m 600 /dev/null "${certmgrAPITokenPath}"
        fi
      ''
      (optionalString (cfg.pkiTrustOnBootstrap) ''
@@ -297,8 +296,7 @@ in
          exit 1
        fi

        echo $token > ${certmgrAPITokenPath}
        chmod 600 ${certmgrAPITokenPath}
        install -m 0600 <(echo $token) ${certmgrAPITokenPath}

        echo "Restarting certmgr..." >&1
        systemctl restart certmgr
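Review bot: In the first hunk the added line calls `install -u cfssl -m 400 …`, but coreutils `install` has no `-u` option; the owner flag is `-o`, so this invocation exits with an invalid-option error and the cfssl API token file is not created. The line should read `install -o cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}"`. The removed `chown cfssl … && chmod 400 …` also sat after `fi` and ran on every start, so an existing token whose owner or mode has drifted is no longer corrected; if that repair was intentional, it needs to stay. In the third hunk, `$token` and `${certmgrAPITokenPath}` are still unquoted on the new `install -m 0600` line. The enclosing script strings start and end outside the visible hunks.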