---
- name: Write secrets for encrypting secret data at rest
  template:
    src: secrets_encryption.yaml.j2
    dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"
    owner: root
    group: "{{ kube_cert_group }}"
    mode: 0640
  tags:
    - kube-apiserver