Revert "Security fixes for etcd (#1778)" (#1786)

This reverts commit 4209f1cb.

Revert "Security fixes for etcd (#1778)" (#1786)
10dd0499 · Matthew Mosesohn · GitHub · 4209f1cb · 10dd0499 · 10dd0499
Commit 10dd0499 authored 7 years ago by Matthew Mosesohn Committed by GitHub 7 years ago
--- a/roles/etcd/handlers/main.yml
+++ b/roles/etcd/handlers/main.yml
@@ -21,8 +21,6 @@
 - name: wait for etcd up
  uri:
    url: "https://{% if is_etcd_master %}{{ etcd_address }}{% else %}127.0.0.1{% endif %}:2379/health"
-    client_cert: "{{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem"
-    client_key: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
    validate_certs: no
  register: result
  until: result.status is defined and result.status == 200

--- a/roles/etcd/tasks/configure.yml
+++ b/roles/etcd/tasks/configure.yml
@@ -5,11 +5,12 @@
  ignore_errors: true
  changed_when: false
  check_mode: no
+  when: is_etcd_master
  tags:
    - facts

 - name: Configure | Add member to the cluster if it is not there
-  when: etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
+  when: is_etcd_master and etcd_member_in_cluster.rc != 0 and etcd_cluster_is_healthy.rc == 0
  shell: "{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} member add {{ etcd_member_name }} {{ etcd_peer_url }}"

 - name: Install etcd launch script
@@ -26,13 +27,5 @@
    src: "etcd-{{ etcd_deployment_type }}.service.j2"
    dest: /etc/systemd/system/etcd.service
    backup: yes
+  when: is_etcd_master
  notify: restart etcd
-
- name: Confugure | Set etcd data dir permissions
-  file:
-    path: "{{ etcd_data_dir }}"
-    owner: etcd
-    group: etcd
-    mode: 0700
-    state: directory
-    recurse: yes
--- a/roles/etcd/templates/etcd.env.j2
+++ b/roles/etcd/templates/etcd.env.j2
 ETCD_DATA_DIR={{ etcd_data_dir }}
-ETCD_WAL_DIR={{ etcd_data_dir }}/member/wal
 ETCD_ADVERTISE_CLIENT_URLS={{ etcd_client_url }}
 ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_peer_url }}
 ETCD_INITIAL_CLUSTER_STATE={% if etcd_cluster_is_healthy.rc != 0 | bool %}new{% else %}existing{% endif %}
@@ -23,5 +22,3 @@ ETCD_PEER_TRUSTED_CA_FILE={{ etcd_cert_dir }}/ca.pem
 ETCD_PEER_CERT_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem
 ETCD_PEER_KEY_FILE={{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem
 ETCD_PEER_CLIENT_CERT_AUTH=true
-ETCD_CLIENT_CERT_AUTH=true
-
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -81,8 +81,6 @@
 - name: Calico | wait for etcd
  uri:
    url: https://localhost:2379/health
-    client_cert: "{{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem"
-    client_key: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
    validate_certs: no
  register: result
  until: result.status == 200 or result.status == 401