author | Felix Bühler <Stunkymonkey@users.noreply.github.com> | 2024-02-06 19:21:08 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-06 19:21:08 +0100 |
commit | 9e23c379c7468fcfbddd81267dd5438f9d234c0b (patch) | |
tree | a9504d42ff06f5176dea76d1de6729417cc16624 /nixos | |
parent | 5dac2ab2645883e266ce5fd56e56160df28015f2 (diff) | |
parent | ffadbb6788b40d9bf84074ecabbf05de8be1daf8 (diff) | |
Merge pull request #286032 from Stunkymonkey/k8s-pki-remove-chown
kubernetes: prefer 'install' over 'mkdir/chmod/chown'
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/cluster/kubernetes/pki.nix | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 35151ebd6bd7..4b7a86c44a0c 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -174,9 +174,8 @@ in
 '')
 (optionalString cfg.genCfsslAPIToken ''
 if [ ! -f "${cfsslAPITokenPath}" ]; then
- head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ' >"${cfsslAPITokenPath}"
+ install -u cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}"
 fi
- chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}"
 '')]);
 
 systemd.services.kube-certmgr-bootstrap = {
@@ -194,7 +193,7 @@ in
 if [ -f "${cfsslAPITokenPath}" ]; then
 ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}"
 else
- touch "${certmgrAPITokenPath}" && chmod 600 "${certmgrAPITokenPath}"
+ install -m 600 /dev/null "${certmgrAPITokenPath}"
 fi
 ''
 (optionalString (cfg.pkiTrustOnBootstrap) ''
@@ -297,8 +296,7 @@ in
 exit 1
 fi
 
- echo $token > ${certmgrAPITokenPath}
- chmod 600 ${certmgrAPITokenPath}
+ install -m 0600 <(echo $token) ${certmgrAPITokenPath}
 
 echo "Restarting certmgr..." >&1
 systemctl restart certmgr |
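Review bot: In the first hunk, `install -u cfssl` uses a flag that GNU coreutils `install` does not have; the owner option is `-o`, so as written the command should exit with a usage error and the cfssl API token would never be created. Replace `-u cfssl` with `-o cfssl` on the added line. The removed `chown cfssl … && chmod 400 …` also sat outside the `if` and ran on every start, so it used to repair the owner and mode of an already existing token; after this change an existing file with loose permissions is left as it is. The preStart list that contains these lines begins outside the hunk.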
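Review bot: In the second hunk, `install -m 600 /dev/null "${certmgrAPITokenPath}"` is not equivalent to the removed `touch … && chmod 600 …`: `touch` leaves the contents of an existing file alone, while `install` replaces the destination with an empty file. The third hunk shows a script writing the token to this same path, so if this bootstrap script runs again on such a host, the stored token would presumably be wiped. A guard such as `[ -e "${certmgrAPITokenPath}" ] || install -m 600 /dev/null "${certmgrAPITokenPath}"` keeps the old non-destructive behaviour. The script around the `if`/`else` starts and ends outside the hunk.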
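Review bot: In the third hunk, `install -m 0600 <(echo $token) ${certmgrAPITokenPath}` expands both the secret and the path unquoted, so the shell word-splits and glob-expands the token before it is written, and `echo` would treat a value such as `-n` as an option. Quoting and using printf stores the value unchanged: `install -m 0600 <(printf '%s\n' "$token") "${certmgrAPITokenPath}"`. The mode is spelled `0600` here but `600` and `400` in the other two hunks; a single spelling would read more consistently. The script that contains this line begins outside the hunk.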