Merge pull request #286032 from Stunkymonkey/k8s-pki-remove-chown

kubernetes: prefer 'install' over 'mkdir/chmod/chown'
author: Felix Bühler <Stunkymonkey@users.noreply.github.com> 2024-02-06 19:21:08 +0100
committer: GitHub <noreply@github.com> 2024-02-06 19:21:08 +0100
commit: 9e23c379c7468fcfbddd81267dd5438f9d234c0b (patch)
tree: a9504d42ff06f5176dea76d1de6729417cc16624 /nixos
parent: 5dac2ab2645883e266ce5fd56e56160df28015f2 (diff)
parent: ffadbb6788b40d9bf84074ecabbf05de8be1daf8 (diff)
download: nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar
nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.gz
nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.bz2
nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.lz
nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.xz
nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.zst
nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.zip
1 files changed, 3 insertions, 5 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 35151ebd6bd7..4b7a86c44a0c 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -174,9 +174,8 @@ in
       '')
       (optionalString cfg.genCfsslAPIToken ''
         if [ ! -f "${cfsslAPITokenPath}" ]; then
-          head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ' >"${cfsslAPITokenPath}"
+          install -u cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}"
         fi
-        chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}"
       '')]);
 
     systemd.services.kube-certmgr-bootstrap = {
@@ -194,7 +193,7 @@ in
         if [ -f "${cfsslAPITokenPath}" ]; then
           ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}"
         else
-          touch "${certmgrAPITokenPath}" && chmod 600 "${certmgrAPITokenPath}"
+          install -m 600 /dev/null "${certmgrAPITokenPath}"
         fi
       ''
       (optionalString (cfg.pkiTrustOnBootstrap) ''
@@ -297,8 +296,7 @@ in
           exit 1
         fi
 
-        echo $token > ${certmgrAPITokenPath}
-        chmod 600 ${certmgrAPITokenPath}
+        install -m 0600 <(echo $token) ${certmgrAPITokenPath}
 
         echo "Restarting certmgr..." >&1
         systemctl restart certmgr
author	Felix Bühler <Stunkymonkey@users.noreply.github.com>	2024-02-06 19:21:08 +0100
committer	GitHub <noreply@github.com>	2024-02-06 19:21:08 +0100
commit	9e23c379c7468fcfbddd81267dd5438f9d234c0b (patch)
tree	a9504d42ff06f5176dea76d1de6729417cc16624 /nixos
parent	5dac2ab2645883e266ce5fd56e56160df28015f2 (diff)
parent	ffadbb6788b40d9bf84074ecabbf05de8be1daf8 (diff)
download	nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.gz nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.bz2 nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.lz nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.xz nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.tar.zst nixlib-9e23c379c7468fcfbddd81267dd5438f9d234c0b.zip