From fb21fbef4fc09c708a76b0edcff1ca17f81c03e3 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Mon, 2 Mar 2026 16:49:21 +0000
Subject: [PATCH] fix: disable kubelet webhook auth in kubeadm init config

- Use explicit kubeadm config file with KubeletConfiguration
- Disable webhook authentication which was causing 'no client provided' error
- Add ConditionPathExists to kubelet systemd unit
---
nixos/kubeadm/modules/k8s-common.nix | 47 +++++++++++++++++++++++-----
1 file changed, 39 insertions(+), 8 deletions(-)

diff --git a/nixos/kubeadm/modules/k8s-common.nix b/nixos/kubeadm/modules/k8s-common.nix
index 8658c4d..4c182d1 100644
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -158,13 +158,37 @@ in exit 1 fi + mkdir -p /tmp/kubeadm + cat > /tmp/kubeadm/init-config.yaml << 'KUBEADMCONFIG' + apiVersion: kubeadm.k8s.io/v1beta4 + kind: InitConfiguration + nodeRegistration: + criSocket: unix:///run/containerd/containerd.sock + --- + apiVersion: kubeadm.k8s.io/v1beta4 + kind: ClusterConfiguration + controlPlaneEndpoint: "KUBEADM_ENDPOINT" + networking: + podSubnet: "KUBEADM_POD_SUBNET" + serviceSubnet: "KUBEADM_SERVICE_SUBNET" + dnsDomain: "KUBEADM_DNS_DOMAIN" + --- + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + webhook: + enabled: false + KUBEADMCONFIG + + sed -i "s|KUBEADM_ENDPOINT|$vip:6443|g" /tmp/kubeadm/init-config.yaml + sed -i "s|KUBEADM_POD_SUBNET|$pod_subnet|g" /tmp/kubeadm/init-config.yaml + sed -i "s|KUBEADM_SERVICE_SUBNET|$service_subnet|g" /tmp/kubeadm/init-config.yaml + sed -i "s|KUBEADM_DNS_DOMAIN|$domain|g" /tmp/kubeadm/init-config.yaml + env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm init \ - --control-plane-endpoint "$vip:6443" \ + --config /tmp/kubeadm/init-config.yaml \ --upload-certs \ - --ignore-preflight-errors=NumCPU,HTTPProxyCIDR,Port-10250 \ - --pod-network-cidr "$pod_subnet" \ - --service-cidr "$service_subnet" \ - --service-dns-domain "$domain" || { + --ignore-preflight-errors=NumCPU,HTTPProxyCIDR,Port-10250 || { echo "==> kubeadm init failed, kubelet logs:" journalctl -xeu kubelet --no-pager -n 50 exit 1 
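Review bot: Setting `authentication.webhook.enabled: false` in the generated KubeletConfiguration removes bearer-token (TokenReview) authentication from the kubelet API, and because kubeadm publishes this document for joining nodes it is likely a cluster-wide posture change made to silence a startup error. The 'no client provided' message appears to come from a kubelet that started before it had a kubeconfig, which the `ConditionPathExists` added in the second hunk may already prevent, so it is worth checking whether webhook authentication can stay enabled. If it must stay off, state the remaining settings explicitly instead of relying on defaults, for example `anonymous: { enabled: false }` under `authentication:` and `authorization: { mode: Webhook }`, with a comment giving the reason. Separately, root writes the config to the predictable path `/tmp/kubeadm/init-config.yaml` and `mkdir -p` accepts a directory that another local user created first, so a `mktemp -d` directory (or one under `/run` with `umask 077`) that is removed after `kubeadm init` would be safer. The enclosing script starts and ends outside the hunk.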
@@ -255,15 +279,22 @@ in wants = [ "network-online.target" ]; after = [ "containerd.service" "network-online.target" ]; serviceConfig = { - Environment = "KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"; + Environment = [ + "KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml" + "KUBELET_KUBEADM_ARGS=" + "KUBELET_EXTRA_ARGS=" + ]; EnvironmentFile = [ "-/var/lib/kubelet/kubeadm-flags.env" "-/etc/default/kubelet" ]; - ExecStart = "${pinnedK8s}/bin/kubelet $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS"; - Restart = "always"; + ExecStart = "${pinnedK8s}/bin/kubelet \$KUBELET_CONFIG_ARGS \$KUBELET_KUBEADM_ARGS \$KUBELET_EXTRA_ARGS"; + Restart = "on-failure"; RestartSec = "10"; }; + unitConfig = { + ConditionPathExists = "/var/lib/kubelet/config.yaml"; + }; }; systemd.tmpfiles.rules = [
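Review bot: `Restart = "on-failure"` leaves the kubelet stopped after a clean exit or a SIGTERM, whereas the removed `Restart = "always"` brought it back, so a node can silently stop managing its pods until someone intervenes. The new `ConditionPathExists` already skips the unit, without counting as a failure, while `/var/lib/kubelet/config.yaml` is absent, so the pre-init restart loop is avoided without weakening the restart policy; I would keep `Restart = "always";`. A short comment above the `Environment` list would also help, saying that the empty `KUBELET_KUBEADM_ARGS=` and `KUBELET_EXTRA_ARGS=` entries are defaults that the `EnvironmentFile` entries override. The unit's attribute set opens above the hunk.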