Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / bbc5a43d778ca1079c08c5a095fc0d8f7327a901^! / . / cluster / machines / modules / kube-common.nix
commitbbc5a43d778ca1079c08c5a095fc0d8f7327a901[log] [tgz]
authorSerge Bazanski <q3k@hackerspace.pl>Fri Mar 31 22:39:26 2023 +0000
committerq3k <q3k@hackerspace.pl>Fri Mar 31 22:53:59 2023 +0000
treea432b91bc29672b9334c3c45cf212e5f974c775b
parent3a6d67e0c4774f8f72d558caf81601c00025936b [diff] [blame]
cluster: move kubernetes services to temporary CA bundle

This is already deployed, and it allows Kubernetes components
(temporary) freedom to use the old or new CA cert.

Change-Id: I8ac7f773a333c30fa22902b8edc327c0c700a482
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1490
Reviewed-by: q3k <q3k@hackerspace.pl>

diff --git a/cluster/machines/modules/kube-common.nix b/cluster/machines/modules/kube-common.nix
index 6707efa..f4c6066 100644
--- a/cluster/machines/modules/kube-common.nix
+++ b/cluster/machines/modules/kube-common.nix

@@ -86,7 +86,9 @@
       # We do not use any nixpkgs predefined roles for k8s. Instead, we enable
       # k8s components manually.
       roles = [];
-      caFile = cfg.pki.kube.apiserver.ca;
+      # TODO(q3k): undo after CA migration done
+      #caFile = cfg.pki.kube.apiserver.ca;
+      caFile = ../../certs/ca-kube-new-and-old.crt;
       clusterCidr = "10.10.16.0/20";
       addons.dns.enable = false;
     };