kubespray

External-Mirrors/kubespray

Fork 0

mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-02 10:08:13 -03:30

Commit Graph

Author	SHA1	Message	Date
k8s-infra-cherrypick-robot	4ff716dddd	etcd-certs: only change necessary permissions (#12914 ) We currently recursively set the permissions of /etc/ssl/etcd/ssl (default path) to 700. But this removes group permission from the files under it, and certain composents (like calio with etcd datastore) rely on it ; thus, the upgrade of a cluster can fail because the calico-kube-controller can't access the certs, and thus the etcd. This works in other case because as far as I can tell, the apiserver which do access the etcd run as root (the owner of the files, not just the "group owner") We also for some reasons do this twice. Only create the etcd cert directory with the correct permissions once, not recursively. Co-authored-by: Max Gautier <mg@max.gautier.name>	2026-01-27 20:29:51 +05:30
k8s-infra-cherrypick-robot	dbca6a7757	[release-2.29] CI: enable unsafe_show_logs == true by default (#12728 ) * CI: enable unsafe_show_logs == true by default * Deduplicate defaults vars (unsafe_show_logs) --------- Co-authored-by: Max Gautier <mg@max.gautier.name>	2025-11-19 23:32:02 -08:00
Max Gautier	9c2bdeec63	Decouple etcd defaults in a separate role This allows us to reuse the defaults in other places without putting everything in kubespray-defaults. In that, for kubernetes/control-plane.	2025-05-16 14:51:29 +02:00

Author

SHA1

Message

Date

k8s-infra-cherrypick-robot

4ff716dddd

etcd-certs: only change necessary permissions (#12914 )

We currently **recursively** set the permissions of /etc/ssl/etcd/ssl
(default path) to 700. But this removes group permission from the files
under it, and certain composents (like calio with etcd datastore) rely
on it ; thus, the upgrade of a cluster can fail because the
calico-kube-controller can't access the certs, and thus the etcd.

This works in other case because as far as I can tell, the apiserver
which do access the etcd run as root (the owner of the files, not just
the "group owner")

We also for some reasons do this twice.

Only create the etcd cert directory with the correct permissions once,
not recursively.

Co-authored-by: Max Gautier <mg@max.gautier.name>

2026-01-27 20:29:51 +05:30

k8s-infra-cherrypick-robot

dbca6a7757

[release-2.29] CI: enable unsafe_show_logs == true by default (#12728 )

* CI: enable unsafe_show_logs == true by default

* Deduplicate defaults vars (unsafe_show_logs)

---------

Co-authored-by: Max Gautier <mg@max.gautier.name>

2025-11-19 23:32:02 -08:00

Max Gautier

9c2bdeec63

Decouple etcd defaults in a separate role

This allows us to reuse the defaults in other places without putting
everything in kubespray-defaults.

In that, for kubernetes/control-plane.

2025-05-16 14:51:29 +02:00

3 Commits