From d5ce5874e8917fa5d343cff30bbd341a2e5d8371 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?= <ak@patientsky.com>
Date: Fri, 7 Dec 2018 08:11:53 +0100
Subject: [PATCH] Streamline path to certs dir (#3836)

* Streamline path to certs dir

* More fixes

* Set path to etcd certs in kubernetes defaults instead
---
 roles/kubernetes-apps/ansible/defaults/main.yml               | 4 ----
 roles/kubernetes/kubeadm/tasks/main.yml                       | 2 +-
 roles/kubernetes/master/defaults/main.yml                     | 4 ----
 roles/kubernetes/master/tasks/encrypt-at-rest.yml             | 2 +-
 .../master/templates/kubeadm-config.v1alpha1.yaml.j2          | 2 +-
 .../master/templates/kubeadm-config.v1alpha2.yaml.j2          | 2 +-
 .../master/templates/kubeadm-config.v1alpha3.yaml.j2          | 2 +-
 .../master/templates/kubeadm-config.v1beta1.yaml.j2           | 2 +-
 roles/kubernetes/node/defaults/main.yml                       | 2 --
 roles/kubernetes/preinstall/tasks/0050-create_directories.yml | 2 +-
 roles/kubespray-defaults/defaults/main.yaml                   | 3 +++
 roles/network_plugin/calico/defaults/main.yml                 | 1 -
 roles/network_plugin/calico/rr/defaults/main.yml              | 1 -
 roles/network_plugin/canal/defaults/main.yml                  | 1 -
 roles/network_plugin/cilium/defaults/main.yml                 | 1 -
 15 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index f5896903b..5e47740ca 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -48,7 +48,3 @@ dashboard_tls_cert_file: dashboard.crt
 
 # Override dashboard default settings
 dashboard_token_ttl: 900
-
-# SSL
-etcd_cert_dir: "/etc/ssl/etcd/ssl"
-canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index c2035859d..6c8743c7c 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -16,7 +16,7 @@
   register: kubelet_conf
 
 - name: Calculate kubeadm CA cert hash
-  shell: openssl x509 -pubkey -in {{ kube_config_dir }}/ssl/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  shell: openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
   register: kubeadm_ca_hash
   delegate_to: "{{ groups['kube-master'][0] }}"
   run_once: true
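Review bot: The pipeline on the new `shell:` line still masks failures: `2>/dev/null` hides errors from `openssl rsa -pubin`, and without `pipefail` the task's return code comes from the final `sed`, so a CA key that is not RSA (or a missing `{{ kube_cert_dir }}/ca.crt`) yields an empty or bogus `kubeadm_ca_hash` that only surfaces later when `kubeadm join` rejects the discovery hash. Use the key-type-agnostic `openssl pkey -pubin` and fail fast: `shell: set -o pipefail; openssl x509 -pubkey -in "{{ kube_cert_dir }}/ca.crt" | openssl pkey -pubin -outform der | openssl dgst -sha256 -hex | sed 's/^.* //'` with `args: {executable: /bin/bash}`. Quoting the templated path also keeps a `kube_cert_dir` containing spaces or shell metacharacters from being word-split. The task may continue past the end of the hunk.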
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index 2d8af345c..e8d495884 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -14,10 +14,6 @@ kube_apiserver_bind_address: 0.0.0.0
 # Inclusive at both ends of the range.
 kube_apiserver_node_port_range: "30000-32767"
 
-# ETCD cert dir for connecting apiserver to etcd
-etcd_config_dir: /etc/ssl/etcd
-etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-
 # ETCD backend for k8s data
 kube_apiserver_storage_backend: etcd3
 
diff --git a/roles/kubernetes/master/tasks/encrypt-at-rest.yml b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
index 2e569b08b..332e622c7 100644
--- a/roles/kubernetes/master/tasks/encrypt-at-rest.yml
+++ b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
@@ -2,7 +2,7 @@
 - name: Write secrets for encrypting secret data at rest
   template:
     src: secrets_encryption.yaml.j2
-    dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"
+    dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
     owner: root
     group: "{{ kube_cert_group }}"
     mode: 0640
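Review bot: `secrets_encryption.yaml` typically holds the raw encryption-at-rest key, not a certificate, and with the new `dest:` it now lives in `kube_cert_dir`, where the existing `group: "{{ kube_cert_group }}"` / `mode: 0640` make it readable by every member of the cert group rather than only the apiserver's user; unless something else in the role needs group access (not visible here), `mode: "0600"` (quoted, as Ansible recommends for octal modes) is the safer default. Independently, `template` prints the rendered key material in Ansible's diff/verbose output, so add `no_log: true` to the task. The task may continue past the end of the hunk.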
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
index f2ad127c7..71c504532 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -102,7 +102,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
   storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 3385d2892..fb43775d2 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -87,7 +87,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
   storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
index d6f77ff7f..58250724d 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -97,7 +97,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
   storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
index 366cbee23..01338230e 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
@@ -95,7 +95,7 @@ apiServer:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-    encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
     storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
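Review bot: The filename `secrets_encryption.yaml` is spelled out literally on the new `encryption-provider-config:` line and, per this diff, also in the three `v1alpha*` templates and in `encrypt-at-rest.yml`, so the path has to be edited in five places whenever it moves, as this commit itself shows. Introduce one default such as `kube_encryption_config_file: "{{ kube_cert_dir }}/secrets_encryption.yaml"` and reference it from the task's `dest:` and from each template, e.g. `encryption-provider-config: {{ kube_encryption_config_file }}`. If `kube_cert_dir` can be pointed outside what kubeadm already mounts into the apiserver static pod, the file would also need an `extraVolumes` entry — verify against the rest of this template, which starts before the hunk.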
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index b6b6f9ea6..ecd75e3cc 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -67,8 +67,6 @@ nginx_image_repo: nginx
 nginx_image_tag: 1.13
 nginx_config_dir: "/etc/nginx"
 
-etcd_config_dir: /etc/ssl/etcd
-
 kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volume-plugins
 
 # A port range to reserve for services with NodePort visibility.
diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
index c508af4c9..f27bda3fe 100644
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -19,7 +19,7 @@
   with_items:
     - "{{bin_dir}}"
     - "{{ kube_config_dir }}"
-    - "{{ kube_config_dir }}/ssl"
+    - "{{ kube_cert_dir }}"
     - "{{ kube_manifest_dir }}"
     - "{{ kube_script_dir }}"
 
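Review bot: The new `{{ kube_cert_dir }}` entry is created by the same loop as `bin_dir`, `kube_manifest_dir` and `kube_script_dir`, so it inherits whatever owner/mode that `file` task sets (the task header is above the hunk); a directory holding the cluster CA material (`ca.crt`, per the kubeadm hunk) and, after this commit, the secrets-at-rest key file should be created `0750` `root:{{ kube_cert_group }}` rather than with general-purpose permissions. Consider a dedicated task, `- file: {path: "{{ kube_cert_dir }}", state: directory, owner: root, group: "{{ kube_cert_group }}", mode: "0750"}`, or an item-level `mode` for this entry. This also assumes `kube_cert_dir` is already defined in `kubespray-defaults`; this diff adds only the `etcd_*` variables there.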
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 745e2a9f8..15797558f 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -449,3 +449,6 @@ pip_extra_args: |-
   {%- endif -%}
   {%- endif -%}
   {{ pip_extra_args_list|join(' ') }}
+
+etcd_config_dir: /etc/ssl/etcd
+etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
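Review bot: The two new keys are appended without a comment, while the per-role copies they replace (calico, calico/rr, canal, cilium, master, node, kubernetes-apps) are removed elsewhere in this diff, so nothing at the definition site records that these are now the single source of truth. Add `# Canonical etcd TLS locations, consumed by the master, kubeadm, network-plugin and kubernetes-apps roles; role-level copies were removed in #3836.` above `etcd_config_dir`. Because role defaults only apply to plays that include the role, every play using those consumers must still list `kubespray-defaults` (or otherwise define the variables) — worth a quick check of the playbooks, which are not in this diff.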
diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index 9883ad1fd..39bf10861 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -15,7 +15,6 @@ ipip_mode: Always  # change to "CrossSubnet" if you only want ipip encapsulation
 overwrite_hyperkube_cni: true
 
 calico_cert_dir: /etc/calico/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Global as_num (/calico/bgp/v1/global/as_num)
 global_as_num: "64512"
diff --git a/roles/network_plugin/calico/rr/defaults/main.yml b/roles/network_plugin/calico/rr/defaults/main.yml
index 0fde5eff8..bdc2d9f10 100644
--- a/roles/network_plugin/calico/rr/defaults/main.yml
+++ b/roles/network_plugin/calico/rr/defaults/main.yml
@@ -4,7 +4,6 @@
 global_as_num: "64512"
 
 calico_cert_dir: /etc/calico/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Limits for apps
 calico_rr_memory_limit: 1000M
diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index 38696b87a..0be0f14fc 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -13,7 +13,6 @@ canal_log_level: "info"
 
 # Etcd SSL dirs
 canal_cert_dir: /etc/canal/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Canal Network Policy directory
 canal_policy_dir: /etc/kubernetes/policy
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index f6a836f95..e97364644 100755
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -5,7 +5,6 @@ cilium_disable_ipv4: false
 
 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 
 # Cilium Network Policy directory
 cilium_policy_dir: /etc/kubernetes/policy
-- 
GitLab