Streamline path to certs dir (#3836)
* Streamline path to certs dir * More fixes * Set path to etcd certs in kubernetes defaults instead
This commit is contained in:
parent
225f765b56
commit
d5ce5874e8
15 changed files with 10 additions and 21 deletions
|
@ -48,7 +48,3 @@ dashboard_tls_cert_file: dashboard.crt
|
||||||
|
|
||||||
# Override dashboard default settings
|
# Override dashboard default settings
|
||||||
dashboard_token_ttl: 900
|
dashboard_token_ttl: 900
|
||||||
|
|
||||||
# SSL
|
|
||||||
etcd_cert_dir: "/etc/ssl/etcd/ssl"
|
|
||||||
canal_cert_dir: "/etc/canal/certs"
|
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
register: kubelet_conf
|
register: kubelet_conf
|
||||||
|
|
||||||
- name: Calculate kubeadm CA cert hash
|
- name: Calculate kubeadm CA cert hash
|
||||||
shell: openssl x509 -pubkey -in {{ kube_config_dir }}/ssl/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
|
shell: openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
|
||||||
register: kubeadm_ca_hash
|
register: kubeadm_ca_hash
|
||||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
|
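Review bot: The path change in `Calculate kubeadm CA cert hash` still leaves the command as a plain shell pipeline whose exit status is that of the final `sed`, so a missing or unreadable `{{ kube_cert_dir }}/ca.crt` (or a non-RSA CA key, which `openssl rsa -pubin` rejects with its stderr discarded) yields an empty `kubeadm_ca_hash.stdout` without failing the task. If this hash is what joining nodes pass as the CA pin, an empty value silently breaks or weakens the pinning instead of stopping the play. I would add `args: executable: /bin/bash`, start the command with `set -o pipefail;`, and add `failed_when: kubeadm_ca_hash.stdout | length != 64` since a SHA-256 hex digest is always 64 characters. The task's preceding lines and the consumer of the registered hash are outside the hunk, so the downstream use is inferred.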
@ -14,10 +14,6 @@ kube_apiserver_bind_address: 0.0.0.0
|
||||||
# Inclusive at both ends of the range.
|
# Inclusive at both ends of the range.
|
||||||
kube_apiserver_node_port_range: "30000-32767"
|
kube_apiserver_node_port_range: "30000-32767"
|
||||||
|
|
||||||
# ETCD cert dir for connecting apiserver to etcd
|
|
||||||
etcd_config_dir: /etc/ssl/etcd
|
|
||||||
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
|
||||||
|
|
||||||
# ETCD backend for k8s data
|
# ETCD backend for k8s data
|
||||||
kube_apiserver_storage_backend: etcd3
|
kube_apiserver_storage_backend: etcd3
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
- name: Write secrets for encrypting secret data at rest
|
- name: Write secrets for encrypting secret data at rest
|
||||||
template:
|
template:
|
||||||
src: secrets_encryption.yaml.j2
|
src: secrets_encryption.yaml.j2
|
||||||
dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"
|
dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ kube_cert_group }}"
|
group: "{{ kube_cert_group }}"
|
||||||
mode: 0640
|
mode: 0640
|
||||||
|
|
|
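Review bot: `secrets_encryption.yaml` carries the at-rest encryption key for Secrets, and the hunk only changes where it is written; nothing removes a copy left at the previous `{{ kube_config_dir }}/ssl/secrets_encryption.yaml` on clusters where `kube_cert_dir` resolves to a different directory, so the old key file would remain readable by `kube_cert_group`. If `kube_cert_dir` defaults to `{{ kube_config_dir }}/ssl` this is a no-op, but that default is not visible here. As a style point, the Ansible file mode is safer quoted as `mode: "0640"` so the octal literal is not retyped by the YAML parser.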
@ -102,7 +102,7 @@ apiServerExtraArgs:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kube_encrypt_secret_data %}
|
{% if kube_encrypt_secret_data %}
|
||||||
experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
|
experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
storage-backend: {{ kube_apiserver_storage_backend }}
|
storage-backend: {{ kube_apiserver_storage_backend }}
|
||||||
{% if kube_api_runtime_config is defined %}
|
{% if kube_api_runtime_config is defined %}
|
||||||
|
|
|
@ -87,7 +87,7 @@ apiServerExtraArgs:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kube_encrypt_secret_data %}
|
{% if kube_encrypt_secret_data %}
|
||||||
experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
|
experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
storage-backend: {{ kube_apiserver_storage_backend }}
|
storage-backend: {{ kube_apiserver_storage_backend }}
|
||||||
{% if kube_api_runtime_config is defined %}
|
{% if kube_api_runtime_config is defined %}
|
||||||
|
|
|
@ -97,7 +97,7 @@ apiServerExtraArgs:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kube_encrypt_secret_data %}
|
{% if kube_encrypt_secret_data %}
|
||||||
experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
|
experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
storage-backend: {{ kube_apiserver_storage_backend }}
|
storage-backend: {{ kube_apiserver_storage_backend }}
|
||||||
{% if kube_api_runtime_config is defined %}
|
{% if kube_api_runtime_config is defined %}
|
||||||
|
|
|
@ -95,7 +95,7 @@ apiServer:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if kube_encrypt_secret_data %}
|
{% if kube_encrypt_secret_data %}
|
||||||
encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
|
encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
|
||||||
{% endif %}
|
{% endif %}
|
||||||
storage-backend: {{ kube_apiserver_storage_backend }}
|
storage-backend: {{ kube_apiserver_storage_backend }}
|
||||||
{% if kube_api_runtime_config is defined %}
|
{% if kube_api_runtime_config is defined %}
|
||||||
|
|
|
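Review bot: `encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml` is read by the kube-apiserver static pod, so the file has to sit under a hostPath that kubeadm mounts into the container; the hunk moves the host path but the `apiServer.extraVolumes` block that would mount it is outside the hunk. If `kube_cert_dir` is not already mounted, or is a different directory than the previous `{{ kube_config_dir }}/ssl`, the apiserver will fail to start because the encryption config is missing inside the pod. I would add a comment above this line, e.g. `# must live inside a directory mounted via apiServer.extraVolumes`, and confirm the volume list covers `kube_cert_dir`. The same path appears in the other kubeadm config templates in this commit and must stay identical to the `dest` of the template task that writes the file.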
@ -67,8 +67,6 @@ nginx_image_repo: nginx
|
||||||
nginx_image_tag: 1.13
|
nginx_image_tag: 1.13
|
||||||
nginx_config_dir: "/etc/nginx"
|
nginx_config_dir: "/etc/nginx"
|
||||||
|
|
||||||
etcd_config_dir: /etc/ssl/etcd
|
|
||||||
|
|
||||||
kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volume-plugins
|
kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volume-plugins
|
||||||
|
|
||||||
# A port range to reserve for services with NodePort visibility.
|
# A port range to reserve for services with NodePort visibility.
|
||||||
|
|
|
@ -19,7 +19,7 @@
|
||||||
with_items:
|
with_items:
|
||||||
- "{{bin_dir}}"
|
- "{{bin_dir}}"
|
||||||
- "{{ kube_config_dir }}"
|
- "{{ kube_config_dir }}"
|
||||||
- "{{ kube_config_dir }}/ssl"
|
- "{{ kube_cert_dir }}"
|
||||||
- "{{ kube_manifest_dir }}"
|
- "{{ kube_manifest_dir }}"
|
||||||
- "{{ kube_script_dir }}"
|
- "{{ kube_script_dir }}"
|
||||||
|
|
||||||
|
|
|
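Review bot: `{{ kube_cert_dir }}` is now created by the same `with_items` loop as `bin_dir`, `kube_config_dir` and the manifest/script directories, so it inherits whatever owner and mode that task applies to all of them; the task header is outside the hunk, so the mode is not visible here. This directory holds the cluster's private keys and, after this commit, the secrets encryption key, so it should not share a permissive mode with a binaries directory. I would create it in its own `file` task with `owner: root`, `group: "{{ kube_cert_group }}"`, `mode: "0750"` rather than through the generic directory list.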
@ -449,3 +449,6 @@ pip_extra_args: |-
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
{{ pip_extra_args_list|join(' ') }}
|
{{ pip_extra_args_list|join(' ') }}
|
||||||
|
|
||||||
|
etcd_config_dir: /etc/ssl/etcd
|
||||||
|
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
||||||
|
|
|
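Review bot: The new `etcd_config_dir` and `etcd_cert_dir` are appended at the end of the file with no comment, while the comment that explained them (`# ETCD cert dir for connecting apiserver to etcd`) is deleted from the master defaults in this same commit. Since this is now the single definition every role uses to locate the etcd CA and client certs, I would carry the comment over, e.g. `# Location of the etcd CA/client certs used by apiserver and network plugins`. The calico, calico-rr, canal and cilium defaults lose their own `etcd_cert_dir` in this commit, so those roles now require this defaults file to be loaded; if any of them is ever run standalone the variable will be undefined, which I am inferring since role dependencies are not visible here. For consistency with its sibling, `etcd_config_dir: /etc/ssl/etcd` could be quoted as well.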
@ -15,7 +15,6 @@ ipip_mode: Always # change to "CrossSubnet" if you only want ipip encapsulation
|
||||||
overwrite_hyperkube_cni: true
|
overwrite_hyperkube_cni: true
|
||||||
|
|
||||||
calico_cert_dir: /etc/calico/certs
|
calico_cert_dir: /etc/calico/certs
|
||||||
etcd_cert_dir: /etc/ssl/etcd/ssl
|
|
||||||
|
|
||||||
# Global as_num (/calico/bgp/v1/global/as_num)
|
# Global as_num (/calico/bgp/v1/global/as_num)
|
||||||
global_as_num: "64512"
|
global_as_num: "64512"
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
global_as_num: "64512"
|
global_as_num: "64512"
|
||||||
|
|
||||||
calico_cert_dir: /etc/calico/certs
|
calico_cert_dir: /etc/calico/certs
|
||||||
etcd_cert_dir: /etc/ssl/etcd/ssl
|
|
||||||
|
|
||||||
# Limits for apps
|
# Limits for apps
|
||||||
calico_rr_memory_limit: 1000M
|
calico_rr_memory_limit: 1000M
|
||||||
|
|
|
@ -13,7 +13,6 @@ canal_log_level: "info"
|
||||||
|
|
||||||
# Etcd SSL dirs
|
# Etcd SSL dirs
|
||||||
canal_cert_dir: /etc/canal/certs
|
canal_cert_dir: /etc/canal/certs
|
||||||
etcd_cert_dir: /etc/ssl/etcd/ssl
|
|
||||||
|
|
||||||
# Canal Network Policy directory
|
# Canal Network Policy directory
|
||||||
canal_policy_dir: /etc/kubernetes/policy
|
canal_policy_dir: /etc/kubernetes/policy
|
||||||
|
|
|
@ -5,7 +5,6 @@ cilium_disable_ipv4: false
|
||||||
|
|
||||||
# Etcd SSL dirs
|
# Etcd SSL dirs
|
||||||
cilium_cert_dir: /etc/cilium/certs
|
cilium_cert_dir: /etc/cilium/certs
|
||||||
etcd_cert_dir: /etc/ssl/etcd/ssl
|
|
||||||
|
|
||||||
# Cilium Network Policy directory
|
# Cilium Network Policy directory
|
||||||
cilium_policy_dir: /etc/kubernetes/policy
|
cilium_policy_dir: /etc/kubernetes/policy
|
||||||
|
|