diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index b1086aa0d04753dbc7db9bdb129df56ee28fe605..d39d146fd8c1b78af56d4d6b5356a4bddfb03427 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -9,4 +9,7 @@ kubedns_image_tag: "{{ kubedns_version }}"
 kubednsmasq_image_repo: "gcr.io/google_containers/kube-dnsmasq-amd64"
 kubednsmasq_image_tag: "{{ kubednsmasq_version }}"
 exechealthz_image_repo: "gcr.io/google_containers/exechealthz-amd64"
-exechealthz_image_tag: "{{ exechealthz_version }}"
\ No newline at end of file
+exechealthz_image_tag: "{{ exechealthz_version }}"
+
+# SSL
+etcd_cert_dir: "/etc/ssl/etcd/ssl"
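Review bot: The `# SSL` comment above `etcd_cert_dir` does not say that this is a host directory consumed by a `hostPath` volume in the calico policy controller template, or that it must match wherever the etcd certificates are actually written. If another role already defines `etcd_cert_dir` (likely, but not visible in this diff), this second default can drift from it, and the pod would then mount an empty or wrong directory. I would replace the comment with `# Host directory holding the etcd TLS certs mounted into the calico policy controller; keep in sync with the etcd role`.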
diff --git a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
index 5e0586e16c7d0842b8504e51bb6166f1bd30b997..698710b95608f5ad4d576244de3bbaa02b35e9c5 100644
--- a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
@@ -44,12 +44,11 @@ spec:
             # This removes the need for KubeDNS to resolve the Service.
             - name: CONFIGURE_ETC_HOSTS
               value: "true"
-    volumeMounts:
-    - mountPath: {{ etcd_cert_dir }}
-      name: etcd-certs
-      readOnly: true
-  volumes:
-  - hostPath:
-      path: {{ etcd_cert_dir }}
-    name: etcd-certs
-
+          volumeMounts:
+          - mountPath: {{ etcd_cert_dir }}
+            name: etcd-certs
+            readOnly: true
+      volumes:
+      - hostPath:
+          path: {{ etcd_cert_dir }}
+        name: etcd-certs