From a7a204ebca3811a0f1219738cb0d44604e0bd2e6 Mon Sep 17 00:00:00 2001 From: Maxime Guyot Date: Fri, 20 Mar 2020 12:14:36 +0100 Subject: [PATCH] Add kube_encryption_resources variable to configure which resources are encrypted at rest (#5797) --- roles/kubernetes/master/defaults/main/main.yml | 2 ++ roles/kubernetes/master/templates/secrets_encryption.yaml.j2 | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml index 408da58ea..cf20841e9 100644 --- a/roles/kubernetes/master/defaults/main/main.yml +++ b/roles/kubernetes/master/defaults/main/main.yml @@ -152,6 +152,8 @@ kube_encrypt_secret_data: false kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}" # Must be either: aescbc, secretbox or aesgcm kube_encryption_algorithm: "aescbc" +# Which kubernetes resources to encrypt +kube_encryption_resources: [secrets] # You may want to use ca.pem depending on your situation kube_front_proxy_ca: "front-proxy-ca.pem" diff --git a/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 b/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 index 84c6a4ea8..0fc4bb850 100644 --- a/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 +++ b/roles/kubernetes/master/templates/secrets_encryption.yaml.j2 @@ -1,8 +1,7 @@ kind: EncryptionConfig apiVersion: v1 resources: - - resources: - - secrets + - resources: {{ kube_encryption_resources }} providers: - {{ kube_encryption_algorithm }}: keys:
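Review bot: The comment on the new `kube_encryption_resources` default says nothing about the operational constraint that makes this variable dangerous to edit on a running cluster: per the upstream EncryptionConfig semantics, adding a resource only affects objects written after the apiserver restarts (existing ones stay plaintext until rewritten, e.g. `kubectl get <resource> -A -o json | kubectl replace -f -`), and removing a resource that already has encrypted objects leaves the apiserver unable to read them unless an `identity` provider still covers them. I would expand the comment to `# Which kubernetes resources to encrypt at rest (YAML list). Adding a resource only covers objects written afterwards; removing one that already has encrypted objects makes them unreadable.` so that the warning travels with the knob. It should also state that the value must stay a list, since the template interpolates it directly into the config. The rest of the defaults file is outside this hunk.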
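Review bot: `- resources: {{ kube_encryption_resources }}` relies on Jinja's Python repr of a list happening to be valid YAML flow syntax (`['secrets']`); that is fragile for a file the apiserver refuses to start without. On a Python 2 control host, values loaded from inventory can be unicode and render as `[u'secrets']`, which YAML reads as the resource name `u'secrets'`, and any non-list value renders as a bare scalar that fails apiserver validation, so the breakage only surfaces at apiserver restart. Serialising explicitly, `  - resources: {{ kube_encryption_resources | to_json }}`, keeps the rendered output independent of Python's repr and makes the list intent visible in the template. The `providers:` section that follows is unchanged and its keys block continues outside the hunk.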