Streamline path to certs dir (#3836)

* Streamline path to certs dir * More fixes * Set path to etcd certs in kubernetes defaults instead
2026-02-03 02:28:15 -03:30 · 2018-12-07 08:11:53 +01:00
parent 225f765b56
commit d5ce5874e8
15 changed files with 10 additions and 21 deletions
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -14,10 +14,6 @@ kube_apiserver_bind_address: 0.0.0.0
 # Inclusive at both ends of the range.
 kube_apiserver_node_port_range: "30000-32767"

-# ETCD cert dir for connecting apiserver to etcd
-etcd_config_dir: /etc/ssl/etcd
-etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-
 # ETCD backend for k8s data
 kube_apiserver_storage_backend: etcd3

--- a/roles/kubernetes/master/tasks/encrypt-at-rest.yml
+++ b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
@@ -2,7 +2,7 @@
 - name: Write secrets for encrypting secret data at rest
  template:
    src: secrets_encryption.yaml.j2
-    dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"
+    dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
    owner: root
    group: "{{ kube_cert_group }}"
    mode: 0640
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -102,7 +102,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
  storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -87,7 +87,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
  storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -97,7 +97,7 @@ apiServerExtraArgs:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+  experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
  storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
@@ -95,7 +95,7 @@ apiServer:
 {%   endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
-    encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
    storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}