From 7f915b333b7321c2b32cf66e25ebf0759aaf3497 Mon Sep 17 00:00:00 2001
From: k8s-infra-cherrypick-robot <90416843+k8s-infra-cherrypick-robot@users.noreply.github.com>
Date: Tue, 27 Jan 2026 06:59:51 -0800
Subject: [PATCH] etcd-certs: only change necessary permissions (#12913)

We currently **recursively** set the permissions of /etc/ssl/etcd/ssl (default path) to 700. But this removes group permission from the files under it, and certain composents (like calio with etcd datastore) rely on it ; thus, the upgrade of a cluster can fail because the calico-kube-controller can't access the certs, and thus the etcd. This works in other case because as far as I can tell, the apiserver which do access the etcd run as root (the owner of the files, not just the "group owner") We also for some reasons do this twice. Only create the etcd cert directory with the correct permissions once, not recursively.

Co-authored-by: Max Gautier
---
 roles/etcd/defaults/main.yml | 1 -
 roles/etcd/tasks/gen_certs_script.yml | 12 +-----------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index 2bba006da..d5f4ba703 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -18,7 +18,6 @@ etcd_backup_retention_count: -1
 force_etcd_cert_refresh: true
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-etcd_cert_dir_mode: "0700"
 etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate
diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml
index c0b032aae..1fc26ae2e 100644
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -5,8 +5,7 @@
     group: "{{ etcd_cert_group }}"
     state: directory
     owner: "{{ etcd_owner }}"
-    mode: "{{ etcd_cert_dir_mode }}"
-    recurse: true
+    mode: "0700"
 
 - name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
   file:
@@ -145,15 +144,6 @@
     - ('k8s_cluster' in group_names) and sync_certs | default(false) and
       inventory_hostname not in groups['etcd']
 
-- name: Gen_certs | check certificate permissions
-  file:
-    path: "{{ etcd_cert_dir }}"
-    group: "{{ etcd_cert_group }}"
-    state: directory
-    owner: "{{ etcd_owner }}"
-    mode: "{{ etcd_cert_dir_mode }}"
-    recurse: true
-
 # This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
 # TODO: fix certs generation to have the same file everywhere
 # OR work with kubeadm on node-specific config
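Review bot: The hard-coded `mode: "0700"` on the added line replaces the `etcd_cert_dir_mode` variable that this commit also deletes from roles/etcd/defaults/main.yml, so an inventory that overrode that variable will now be silently ignored; consider keeping the default (`etcd_cert_dir_mode: "0700"`) and writing `mode: "{{ etcd_cert_dir_mode }}"` here, or at least calling the removal out in the release notes. With `recurse: true` gone here and the duplicate "check certificate permissions" task removed in the second hunk, this role no longer enforces any mode on the key and certificate files themselves, so their permissions are whatever the generation script and the copy tasks produce; I cannot see those from this hunk, so it is worth confirming that private keys are not written group- or world-readable and that a previously over-permissive file is not left as-is. A short comment above the mode line would keep the intent from being undone by the next cleanup, e.g. `# Not recursive on purpose: the files below must keep their group bits (#12913)`. The task containing these lines starts before the hunk.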