kubespray

External-Mirrors/kubespray

Fork 0

mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-01 17:48:12 -03:30

Commit Graph

Author	SHA1	Message	Date
Max Gautier	37f7a86014	etcd-certs: only change necessary permissions (#12908 ) We currently recursively set the permissions of /etc/ssl/etcd/ssl (default path) to 700. But this removes group permission from the files under it, and certain composents (like calio with etcd datastore) rely on it ; thus, the upgrade of a cluster can fail because the calico-kube-controller can't access the certs, and thus the etcd. This works in other case because as far as I can tell, the apiserver which do access the etcd run as root (the owner of the files, not just the "group owner") We also for some reasons do this twice. Only create the etcd cert directory with the correct permissions once, not recursively.	2026-01-27 20:25:52 +05:30
Max Gautier	9d06ce1a8d	CI: enable unsafe_show_logs == true by default (#12702 ) * CI: enable unsafe_show_logs == true by default * Deduplicate defaults vars (unsafe_show_logs)	2025-11-19 23:10:00 -08:00
Max Gautier	9c2bdeec63	Decouple etcd defaults in a separate role This allows us to reuse the defaults in other places without putting everything in kubespray-defaults. In that, for kubernetes/control-plane.	2025-05-16 14:51:29 +02:00

Author

SHA1

Message

Date

Max Gautier

37f7a86014

etcd-certs: only change necessary permissions (#12908 )

We currently **recursively** set the permissions of /etc/ssl/etcd/ssl
(default path) to 700. But this removes group permission from the files
under it, and certain composents (like calio with etcd datastore) rely
on it ; thus, the upgrade of a cluster can fail because the
calico-kube-controller can't access the certs, and thus the etcd.

This works in other case because as far as I can tell, the apiserver
which do access the etcd run as root (the owner of the files, not just
the "group owner")

We also for some reasons do this twice.

Only create the etcd cert directory with the correct permissions once,
not recursively.

2026-01-27 20:25:52 +05:30

Max Gautier

9d06ce1a8d

CI: enable unsafe_show_logs == true by default (#12702 )

* CI: enable unsafe_show_logs == true by default

* Deduplicate defaults vars (unsafe_show_logs)

2025-11-19 23:10:00 -08:00

Max Gautier

9c2bdeec63

Decouple etcd defaults in a separate role

This allows us to reuse the defaults in other places without putting
everything in kubespray-defaults.

In that, for kubernetes/control-plane.

2025-05-16 14:51:29 +02:00

3 Commits