Commit 07b28940 authored by Manuel Cintron, committed by Kubernetes Prow Robot

Adding ability to maintain existing Encryption Secrets at Rest. (#4255)

* Adding ability to maintain existing Encryption Secrets at Rest.

If secrets_encryption.yaml is present it will not be overwritten with a new kube_encrypt_token.

This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is run on the same cluster and the Ansible host does not have access to the secrets.

* Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
parent 802ac377
......@@ -163,3 +163,5 @@ kube_override_hostname: >-
{%- else -%}
{{ inventory_hostname }}
{%- endif -%}
secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
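Review bot: the new `secrets_encryption_query` hard-codes `providers[0]`, so it returns nothing when the `{{kube_encryption_algorithm}}` provider is not the first entry of the `providers` list (for example when an `identity` provider has been placed first to read still-unencrypted secrets during a migration), and the `| first` applied to its result in the new task file then fails the play instead of falling back to generating a token. Consider selecting the provider by key with a JMESPath filter (`providers[?{{kube_encryption_algorithm}}]`, with the projection flattened) and documenting next to the variable that only `keys[0]`, the active write key, is ever reused. Minor style: the surrounding defaults write `{{ var }}` with spaces inside the braces.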
---
- name: Check if secret for encrypting data at rest already exist
stat:
path: "{{ kube_cert_dir }}/secrets_encryption.yaml"
register: secrets_encryption_file
- name: Slurp secrets_encryption file if it exists
slurp:
src: "{{ kube_cert_dir }}/secrets_encryption.yaml"
register: secret_file_encoded
when: secrets_encryption_file.stat.exists
- name: Base 64 Decode slurped secrets_encryption.yaml file
set_fact:
secret_file_decoded: "{{secret_file_encoded['content'] | b64decode | from_yaml}}"
when: secrets_encryption_file.stat.exists
- name: Extract secret value from secrets_encryption.yaml
set_fact:
kube_encrypt_token_extracted: "{{ secret_file_decoded | json_query(secrets_encryption_query) | first | b64decode}}"
when: secrets_encryption_file.stat.exists
- name: Set kube_encrypt_token across master nodes
set_fact:
kube_encrypt_token: "{{ kube_encrypt_token_extracted }}"
delegate_to: "{{ item }}"
delegate_facts: true
with_inventory_hostnames: kube-master
when: kube_encrypt_token_extracted is defined
- name: Write secrets for encrypting secret data at rest
template:
src: secrets_encryption.yaml.j2
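Review bot: the tasks `Base 64 Decode slurped secrets_encryption.yaml file`, `Extract secret value from secrets_encryption.yaml` and `Set kube_encrypt_token across master nodes` handle the cluster's secrets-at-rest encryption key in clear text and should carry `no_log: true`; as written the decoded `kube_encrypt_token` appears in `-v` output and in any callback or CI log of the run. Two further points: `Extract secret value` applies `| first` to the `json_query` result with no guard, so an existing file that does not match the query aborts the play rather than falling through to token generation (guard the task with a `length > 0` check or a `default([])` on the query result); and `Set kube_encrypt_token across master nodes` runs on every master with `delegate_facts: true`, so if masters hold differing `secrets_encryption.yaml` files the last host processed wins and the others' keys are silently replaced, which should at least be documented as the intended resolution. `json_query` also requires the `jmespath` Python package on the control host; check that it is listed in the requirements.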
......