From 034869347a52de20a9d9f1eef984780ce1e81b1e Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Wed, 4 Mar 2026 20:45:47 +0000
Subject: [PATCH] fix: require kubelet kubeconfig before starting service Inline kubelet bootstrap/kubeconfig flags in ExecStart and gate startup on /etc/kubernetes/*kubelet.conf in addition to config.yaml. This prevents kubelet entering standalone mode with webhook auth enabled when no client config is present.
---
 nixos/kubeadm/modules/k8s-common.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/kubeadm/modules/k8s-common.nix b/nixos/kubeadm/modules/k8s-common.nix
index 840b772..1c3125b 100644
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -380,7 +380,6 @@ in
 after = [ "containerd.service" "network-online.target" ];
 serviceConfig = {
 Environment = [
- "KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
 "KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
 "KUBELET_KUBEADM_ARGS="
 "KUBELET_EXTRA_ARGS="
@@ -389,12 +388,13 @@ in
 "-/var/lib/kubelet/kubeadm-flags.env"
 "-/etc/default/kubelet"
 ];
- ExecStart = "${pinnedK8s}/bin/kubelet \$KUBELET_KUBECONFIG_ARGS \$KUBELET_CONFIG_ARGS \$KUBELET_KUBEADM_ARGS \$KUBELET_EXTRA_ARGS";
+ ExecStart = "${pinnedK8s}/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf \$KUBELET_CONFIG_ARGS \$KUBELET_KUBEADM_ARGS \$KUBELET_EXTRA_ARGS";
 Restart = "on-failure";
 RestartSec = "10";
 };
 unitConfig = {
 ConditionPathExists = "/var/lib/kubelet/config.yaml";
+ ConditionPathExistsGlob = "/etc/kubernetes/*kubelet.conf";
 };
 };
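Review bot: The added `ConditionPathExistsGlob = "/etc/kubernetes/*kubelet.conf"` in unitConfig (second hunk) is satisfied by any file whose name ends in `kubelet.conf`, not only the two paths ExecStart now passes, and it tests presence only, so an empty or stale file still lets the kubelet start. Naming the two files as triggering conditions would keep the gate aligned with the inline flags: `ConditionPathExists = [ "/var/lib/kubelet/config.yaml" "|/etc/kubernetes/bootstrap-kubelet.conf" "|/etc/kubernetes/kubelet.conf" ];`. A failed condition skips the unit instead of failing it, so `Restart = "on-failure"` will not retry; a comment above unitConfig should state that whatever writes these files (presumably kubeadm init/join) has to start the unit afterwards. `$KUBELET_EXTRA_ARGS` is still expanded after the inline flags, so the environment files may still be able to supply a different `--kubeconfig`; worth confirming that is intended. The service definition begins outside the hunk, so other settings on the unit are not visible here.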