fix: mask kubelet before rebuild, unmask in kubeadm helpers

- Mask kubelet service entirely before nixos-rebuild to prevent systemd from restarting it during switch - Unmask kubelet in th-kubeadm-init/join scripts before starting
2026-03-02 12:44:40 +00:00
parent 93e43a546f
commit d42e83358c
2 changed files with 6 additions and 2 deletions
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -141,6 +141,7 @@ in
        --leaderElection \
        > /etc/kubernetes/manifests/kube-vip.yaml
      systemctl unmask kubelet || true
      systemctl stop kubelet || true
      env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm reset -f || true
@@ -201,6 +202,7 @@ in
        --leaderElection \
        > /etc/kubernetes/manifests/kube-vip.yaml
      systemctl unmask kubelet || true
      systemctl stop kubelet || true
      eval "$1"
    '')
@@ -213,6 +215,7 @@ in
        exit 1
      fi
      systemctl unmask kubelet || true
      systemctl stop kubelet || true
      eval "$1"
    '')
--- a/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
+++ b/nixos/kubeadm/scripts/rebuild-and-bootstrap.sh
@@ -211,9 +211,10 @@ prepare_remote_space() {
 prepare_remote_kubelet() {
  local node_ip="$1"
  echo "==> Quiescing kubelet on $node_ip"
-  remote "$node_ip" "sudo systemctl disable --now kubelet >/dev/null 2>&1 || true"
+  remote "$node_ip" "sudo systemctl stop kubelet >/dev/null 2>&1 || true"
  remote "$node_ip" "sudo systemctl disable kubelet >/dev/null 2>&1 || true"
  remote "$node_ip" "sudo systemctl mask kubelet >/dev/null 2>&1 || true"
  remote "$node_ip" "sudo systemctl reset-failed kubelet >/dev/null 2>&1 || true"
  remote "$node_ip" "sudo rm -f /etc/systemd/system/multi-user.target.wants/kubelet.service || true"
 }
 populate_nodes