C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
c12s-kubespray/roles/kubernetes/control-plane/tasks/encrypt-at-rest.yml

43 lines
1.4 KiB
YAML
Raw Normal View History

Added option for encrypting secrets to etcd v.2 (#2428) * Added option for encrypting secrets to etcd * Fix keylength to 32 * Forgot the default * Rename secrets.yaml to secrets_encryption.yaml * Fix static path for secrets file to use ansible variable * Rename secrets.yaml.j2 to secrets_encryption.yaml.j2 * Base64 encode the token * Fixed merge error * Changed path to credentials dir * Update path to secrets file which is now readable inside the apiserver container. Set better file permissions * Add encryption option to k8s-cluster.yml
2018-03-15 19:20:05 +00:00
---
Adding ability to maintain existing Encryption Secrets at Rest. (#4255) * Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 15:31:45 +00:00
- name: Check if secret for encrypting data at rest already exist
stat:
path: "{{ kube_cert_dir }}/secrets_encryption.yaml"
Only use stat get_checksum: yes when needed (#7270) By default Ansible stat module compute checksum, list extended attributes and find mime type To find all stat invocations that really use one of those: git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)' Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
2021-02-10 13:36:59 +00:00
get_attributes: no
get_checksum: no
get_mime: no
Adding ability to maintain existing Encryption Secrets at Rest. (#4255) * Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 15:31:45 +00:00
register: secrets_encryption_file
- name: Slurp secrets_encryption file if it exists
slurp:
src: "{{ kube_cert_dir }}/secrets_encryption.yaml"
register: secret_file_encoded
when: secrets_encryption_file.stat.exists
- name: Base 64 Decode slurped secrets_encryption.yaml file
set_fact:
ansible-lint: add spaces around variables [E206] (#4699)
2019-05-02 21:24:21 +00:00
secret_file_decoded: "{{ secret_file_encoded['content'] | b64decode | from_yaml }}"
Adding ability to maintain existing Encryption Secrets at Rest. (#4255) * Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 15:31:45 +00:00
when: secrets_encryption_file.stat.exists
- name: Extract secret value from secrets_encryption.yaml
set_fact:
ansible-lint: add spaces around variables [E206] (#4699)
2019-05-02 21:24:21 +00:00
kube_encrypt_token_extracted: "{{ secret_file_decoded | json_query(secrets_encryption_query) | first | b64decode }}"
Adding ability to maintain existing Encryption Secrets at Rest. (#4255) * Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 15:31:45 +00:00
when: secrets_encryption_file.stat.exists
- name: Set kube_encrypt_token across master nodes
set_fact:
kube_encrypt_token: "{{ kube_encrypt_token_extracted }}"
delegate_to: "{{ item }}"
delegate_facts: true
Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation
2021-03-24 00:26:05 +00:00
with_inventory_hostnames: kube_control_plane
Adding ability to maintain existing Encryption Secrets at Rest. (#4255) * Adding ability to maintain existing Encryption Secrets at Rest. If secrets_encryption.yaml is present it will not be overriten with a new kube_encrypt_token. This should allow for it to be set ahead of a playbook running or maintain it if cluster.yml is ran on the same cluster and the ansible host does not have access to the secrets. * Setting existing kube_encrypt_token across all master nodes in case it was missing in one or more nodes.
2019-02-19 15:31:45 +00:00
when: kube_encrypt_token_extracted is defined
Added option for encrypting secrets to etcd v.2 (#2428) * Added option for encrypting secrets to etcd * Fix keylength to 32 * Forgot the default * Rename secrets.yaml to secrets_encryption.yaml * Fix static path for secrets file to use ansible variable * Rename secrets.yaml.j2 to secrets_encryption.yaml.j2 * Base64 encode the token * Fixed merge error * Changed path to credentials dir * Update path to secrets file which is now readable inside the apiserver container. Set better file permissions * Add encryption option to k8s-cluster.yml
2018-03-15 19:20:05 +00:00
- name: Write secrets for encrypting secret data at rest
template:
src: secrets_encryption.yaml.j2
Streamline path to certs dir (#3836) * Streamline path to certs dir * More fixes * Set path to etcd certs in kubernetes defaults instead
2018-12-07 07:11:53 +00:00
dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
Added option for encrypting secrets to etcd v.2 (#2428) * Added option for encrypting secrets to etcd * Fix keylength to 32 * Forgot the default * Rename secrets.yaml to secrets_encryption.yaml * Fix static path for secrets file to use ansible variable * Rename secrets.yaml.j2 to secrets_encryption.yaml.j2 * Base64 encode the token * Fixed merge error * Changed path to credentials dir * Update path to secrets file which is now readable inside the apiserver container. Set better file permissions * Add encryption option to k8s-cluster.yml
2018-03-15 19:20:05 +00:00
owner: root
group: "{{ kube_cert_group }}"
mode: 0640
tags:
- kube-apiserver
Reference in a new issue Copy permalink