Add requestheader-client-ca.

2025-12-14 13:44:56 -05:00
parent 51feef1582
commit f18b7d0da9
8 changed files with 68 additions and 2 deletions
--- a/nix/kubernetes/roles/kube_apiserver/default.nix
+++ b/nix/kubernetes/roles/kube_apiserver/default.nix
@@ -26,6 +26,12 @@ in
      description = "IP address this server should advertise.";
    };

+    kube_apiserver.external_ip = lib.mkOption {
+      example = "192.168.1.10";
+      type = lib.types.str;
+      description = "IP address to reach this cluster externally.";
+    };
+
    kube_apiserver.etcd_services = lib.mkOption {
      default = [ ];
      example = [ "https://192.168.1.10:2379" ];
@@ -59,7 +65,7 @@ in
            "--authorization-mode=Node,RBAC"
            "--bind-address=0.0.0.0"
            "--client-ca-file=/.persist/keys/kube/ca.pem"
-            "--requestheader-client-ca-file=/var/lib/kubernetes/requestheader-client-ca.pem"
+            "--requestheader-client-ca-file=/.persist/keys/kube/requestheader-client-ca.pem"
            ''--requestheader-allowed-names=""''
            "--requestheader-extra-headers-prefix=X-Remote-Extra-"
            "--requestheader-group-headers=X-Remote-Group"
@@ -79,7 +85,7 @@ in
            "--runtime-config='api/all=true'"
            "--service-account-key-file=/.persist/keys/kube/service-account.pem"
            "--service-account-signing-key-file=/.persist/keys/kube/service-account-key.pem"
-            "--service-account-issuer=https://{{ kubernetes_public_address }}:6443"
+            "--service-account-issuer=https://${config.me.kube_apiserver.external_ip}:6443"
            "--service-node-port-range=30000-32767"
            "--tls-cert-file=/.persist/keys/kube/kubernetes.pem"
            "--tls-private-key-file=/.persist/keys/kube/kubernetes-key.pem"