Streamline path to certs dir (#3836)

* Streamline path to certs dir

* More fixes

* Set path to etcd certs in kubernetes defaults instead
Andreas Krüger 2018-12-07 08:11:53 +01:00 committed by Kubernetes Prow Robot
parent 225f765b56
commit d5ce5874e8
15 changed files with 10 additions and 21 deletions


@ -48,7 +48,3 @@ dashboard_tls_cert_file: dashboard.crt
# Override dashboard default settings # Override dashboard default settings
dashboard_token_ttl: 900 dashboard_token_ttl: 900
# SSL
etcd_cert_dir: "/etc/ssl/etcd/ssl"
canal_cert_dir: "/etc/canal/certs"


@ -16,7 +16,7 @@
register: kubelet_conf register: kubelet_conf
- name: Calculate kubeadm CA cert hash - name: Calculate kubeadm CA cert hash
shell: openssl x509 -pubkey -in {{ kube_config_dir }}/ssl/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' shell: openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
register: kubeadm_ca_hash register: kubeadm_ca_hash
delegate_to: "{{ groups['kube-master'][0] }}" delegate_to: "{{ groups['kube-master'][0] }}"
run_once: true run_once: true
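Review bot: A missing or unreadable `{{ kube_cert_dir }}/ca.crt` does not fail the "Calculate kubeadm CA cert hash" task: the pipeline's exit status is that of the final `sed`, and `2>/dev/null` hides the error from `openssl rsa`, so `kubeadm_ca_hash` would silently hold the SHA-256 of empty input. This commit changes where the CA is read from, and the hash is presumably what joining nodes use to pin the CA, so a wrong path should stop the play here rather than surface later as a failed join. Start the command with `set -o pipefail &&` and run it under bash with `args:` / `executable: /bin/bash`. The `openssl rsa -pubin` step also assumes an RSA CA key; `openssl pkey -pubin -outform der` accepts other key types.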


@ -14,10 +14,6 @@ kube_apiserver_bind_address: 0.0.0.0
# Inclusive at both ends of the range. # Inclusive at both ends of the range.
kube_apiserver_node_port_range: "30000-32767" kube_apiserver_node_port_range: "30000-32767"
# ETCD cert dir for connecting apiserver to etcd
etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
# ETCD backend for k8s data # ETCD backend for k8s data
kube_apiserver_storage_backend: etcd3 kube_apiserver_storage_backend: etcd3


@ -2,7 +2,7 @@
- name: Write secrets for encrypting secret data at rest - name: Write secrets for encrypting secret data at rest
template: template:
src: secrets_encryption.yaml.j2 src: secrets_encryption.yaml.j2
dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml" dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
owner: root owner: root
group: "{{ kube_cert_group }}" group: "{{ kube_cert_group }}"
mode: 0640 mode: 0640
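Review bot: Hosts that already ran the old task keep `{{ kube_config_dir }}/ssl/secrets_encryption.yaml` whenever `kube_cert_dir` resolves to a different directory, and nothing in this hunk removes it. Per the task name, that file holds the secrets used to encrypt data at rest. The default of `kube_cert_dir` is not shown on this page, so this matters only if the two paths can differ; in that case a `file` task with `state: absent` on the old path, guarded by a `when` that compares the two paths, avoids leaving a stale copy behind. Separately, `mode: 0640` is safer written as the string `mode: "0640"`, so the value does not depend on the parser's octal handling. The task may continue past the end of the hunk.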


@ -102,7 +102,7 @@ apiServerExtraArgs:
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if kube_encrypt_secret_data %} {% if kube_encrypt_secret_data %}
experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %} {% endif %}
storage-backend: {{ kube_apiserver_storage_backend }} storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %} {% if kube_api_runtime_config is defined %}
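Review bot: The location of secrets_encryption.yaml is still composed separately everywhere it is used: this `experimental-encryption-provider-config` line, the same line in the three template hunks that follow, and the `dest` of the task that writes the file. If any of them drifts, the apiserver is handed a path with no file behind it whenever `kube_encrypt_secret_data` is set. Defining the full path once in the defaults, for example `kube_secrets_encryption_file: "{{ kube_cert_dir }}/secrets_encryption.yaml"` (the name is only a suggestion), and referencing it from the task and all four templates would keep them in step. The path must also lie inside a directory mounted into the kube-apiserver pod, which cannot be checked from these hunks.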


@ -87,7 +87,7 @@ apiServerExtraArgs:
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if kube_encrypt_secret_data %} {% if kube_encrypt_secret_data %}
experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %} {% endif %}
storage-backend: {{ kube_apiserver_storage_backend }} storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %} {% if kube_api_runtime_config is defined %}


@ -97,7 +97,7 @@ apiServerExtraArgs:
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if kube_encrypt_secret_data %} {% if kube_encrypt_secret_data %}
experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %} {% endif %}
storage-backend: {{ kube_apiserver_storage_backend }} storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %} {% if kube_api_runtime_config is defined %}


@ -95,7 +95,7 @@ apiServer:
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if kube_encrypt_secret_data %} {% if kube_encrypt_secret_data %}
encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %} {% endif %}
storage-backend: {{ kube_apiserver_storage_backend }} storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config is defined %} {% if kube_api_runtime_config is defined %}


@ -67,8 +67,6 @@ nginx_image_repo: nginx
nginx_image_tag: 1.13 nginx_image_tag: 1.13
nginx_config_dir: "/etc/nginx" nginx_config_dir: "/etc/nginx"
etcd_config_dir: /etc/ssl/etcd
kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volume-plugins kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volume-plugins
# A port range to reserve for services with NodePort visibility. # A port range to reserve for services with NodePort visibility.


@ -19,7 +19,7 @@
with_items: with_items:
- "{{bin_dir}}" - "{{bin_dir}}"
- "{{ kube_config_dir }}" - "{{ kube_config_dir }}"
- "{{ kube_config_dir }}/ssl" - "{{ kube_cert_dir }}"
- "{{ kube_manifest_dir }}" - "{{ kube_manifest_dir }}"
- "{{ kube_script_dir }}" - "{{ kube_script_dir }}"


@ -449,3 +449,6 @@ pip_extra_args: |-
{%- endif -%} {%- endif -%}
{%- endif -%} {%- endif -%}
{{ pip_extra_args_list|join(' ') }} {{ pip_extra_args_list|join(' ') }}
etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
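Review bot: The two variables added at the end of this hunk carry no comment, while the `# ETCD cert dir for connecting apiserver to etcd` comment on the old definition is deleted elsewhere in this commit. These defaults now stand in for the hard-coded `/etc/ssl/etcd/ssl` removed from what appear to be the calico, canal and cilium defaults. A line such as `# etcd TLS material: config dir and the cert/key dir derived from it; shared by the apiserver and the network plugin roles` would tell operators that overriding `etcd_config_dir` now moves the cert path for all of them. Quoting the first value as `etcd_config_dir: "/etc/ssl/etcd"` would also match the quoted line below it.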


@ -15,7 +15,6 @@ ipip_mode: Always # change to "CrossSubnet" if you only want ipip encapsulation
overwrite_hyperkube_cni: true overwrite_hyperkube_cni: true
calico_cert_dir: /etc/calico/certs calico_cert_dir: /etc/calico/certs
etcd_cert_dir: /etc/ssl/etcd/ssl
# Global as_num (/calico/bgp/v1/global/as_num) # Global as_num (/calico/bgp/v1/global/as_num)
global_as_num: "64512" global_as_num: "64512"


@ -4,7 +4,6 @@
global_as_num: "64512" global_as_num: "64512"
calico_cert_dir: /etc/calico/certs calico_cert_dir: /etc/calico/certs
etcd_cert_dir: /etc/ssl/etcd/ssl
# Limits for apps # Limits for apps
calico_rr_memory_limit: 1000M calico_rr_memory_limit: 1000M


@ -13,7 +13,6 @@ canal_log_level: "info"
# Etcd SSL dirs # Etcd SSL dirs
canal_cert_dir: /etc/canal/certs canal_cert_dir: /etc/canal/certs
etcd_cert_dir: /etc/ssl/etcd/ssl
# Canal Network Policy directory # Canal Network Policy directory
canal_policy_dir: /etc/kubernetes/policy canal_policy_dir: /etc/kubernetes/policy


@ -5,7 +5,6 @@ cilium_disable_ipv4: false
# Etcd SSL dirs # Etcd SSL dirs
cilium_cert_dir: /etc/cilium/certs cilium_cert_dir: /etc/cilium/certs
etcd_cert_dir: /etc/ssl/etcd/ssl
# Cilium Network Policy directory # Cilium Network Policy directory
cilium_policy_dir: /etc/kubernetes/policy cilium_policy_dir: /etc/kubernetes/policy