diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index f5896903b..5e47740ca 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -48,7 +48,3 @@ dashboard_tls_cert_file: dashboard.crt
 # Override dashboard default settings
 dashboard_token_ttl: 900
-
-# SSL
-etcd_cert_dir: "/etc/ssl/etcd/ssl"
-canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index c2035859d..6c8743c7c 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -16,7 +16,7 @@ register: kubelet_conf
 - name: Calculate kubeadm CA cert hash
- shell: openssl x509 -pubkey -in {{ kube_config_dir }}/ssl/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+ shell: openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
 register: kubeadm_ca_hash
 delegate_to: "{{ groups['kube-master'][0] }}"
 run_once: true
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index 2d8af345c..e8d495884 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -14,10 +14,6 @@ kube_apiserver_bind_address: 0.0.0.0
 # Inclusive at both ends of the range.
 kube_apiserver_node_port_range: "30000-32767"
-# ETCD cert dir for connecting apiserver to etcd
-etcd_config_dir: /etc/ssl/etcd
-etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-
 # ETCD backend for k8s data
 kube_apiserver_storage_backend: etcd3
diff --git a/roles/kubernetes/master/tasks/encrypt-at-rest.yml b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
index 2e569b08b..332e622c7 100644
--- a/roles/kubernetes/master/tasks/encrypt-at-rest.yml
+++ b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
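Review bot: The rewritten `shell:` pipeline on the `+` line still reports success when `openssl x509` cannot read `{{ kube_cert_dir }}/ca.crt` (or when the CA key is not RSA, which `openssl rsa -pubin` rejects): the intermediate errors are hidden by `2>/dev/null`, the task's rc is that of `sed`, and `openssl dgst` happily hashes the empty input, so `kubeadm_ca_hash` silently becomes the digest of an empty string, which is even 64 hex characters long and would pass a length check. Since this value presumably ends up as the CA pin for kubeadm join, I would fail fast instead: prefix the command with `set -o pipefail;` and add `args: executable: /bin/bash` to the task, or at minimum `failed_when: kubeadm_ca_hash.stdout == 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'`. The task body continues past the hunk after `run_once: true`, so a `failed_when`/`changed_when` may already exist outside my view.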
@@ -2,7 +2,7 @@
 - name: Write secrets for encrypting secret data at rest
 template:
 src: secrets_encryption.yaml.j2
- dest: "{{ kube_config_dir }}/ssl/secrets_encryption.yaml"
+ dest: "{{ kube_cert_dir }}/secrets_encryption.yaml"
 owner: root
 group: "{{ kube_cert_group }}"
 mode: 0640
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
index f2ad127c7..71c504532 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -102,7 +102,7 @@ apiServerExtraArgs:
 {% endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
- experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+ experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
 storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 3385d2892..fb43775d2 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -87,7 +87,7 @@ apiServerExtraArgs:
 {% endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
- experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+ experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
 storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
index d6f77ff7f..58250724d 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
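Review bot: The `+ dest:` line relocates the rendered encryption-provider config into `kube_cert_dir`, but the file keeps `group: "{{ kube_cert_group }}"` with `mode: 0640`, so every account in that group can read the at-rest encryption key this file presumably carries, even though the only consumer visible in this diff is the kube-apiserver via its `encryption-provider-config` argument. Unless a non-root reader of this file exists, I would tighten it to `group: root` and `mode: "0600"`, quoting the octal mode as Ansible convention recommends. The `template:` task is fully inside the hunk; whether `kube_cert_group` contains anything other than the apiserver's account is not visible here.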
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -97,7 +97,7 @@ apiServerExtraArgs:
 {% endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
- experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+ experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
 storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
index 366cbee23..01338230e 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
@@ -95,7 +95,7 @@ apiServer:
 {% endif %}
 {% endif %}
 {% if kube_encrypt_secret_data %}
- encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
+ encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
 storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index b6b6f9ea6..ecd75e3cc 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -67,8 +67,6 @@ nginx_image_repo: nginx
 nginx_image_tag: 1.13
 nginx_config_dir: "/etc/nginx"
-etcd_config_dir: /etc/ssl/etcd
-
 kubelet_flexvolumes_plugins_dir: /var/lib/kubelet/volume-plugins
 # A port range to reserve for services with NodePort visibility.
diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
index c508af4c9..f27bda3fe 100644
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
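Review bot: The `+ encryption-provider-config:` line in the v1beta1 hunk is the fourth copy of the literal `{{ kube_cert_dir }}/secrets_encryption.yaml` across the kubeadm-config templates in this diff, and `encrypt-at-rest.yml` assembles the same path a fifth time for its `dest:`; that duplication is exactly why this rename had to touch five files, and it lets the writer and the reader of the key file drift apart on the next move. I would define the path once in the master role defaults, `kube_encryption_config_path: "{{ kube_cert_dir }}/secrets_encryption.yaml"`, and reference that variable from both the task and the templates. The `apiServer:` extra-args mapping that contains this line begins and ends outside the hunk.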
@@ -19,7 +19,7 @@
 with_items:
 - "{{bin_dir}}"
 - "{{ kube_config_dir }}"
- - "{{ kube_config_dir }}/ssl"
+ - "{{ kube_cert_dir }}"
 - "{{ kube_manifest_dir }}"
 - "{{ kube_script_dir }}"
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 745e2a9f8..15797558f 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -449,3 +449,6 @@ pip_extra_args: |-
 {%- endif -%}
 {%- endif -%}
 {{ pip_extra_args_list|join(' ') }}
+
+etcd_config_dir: /etc/ssl/etcd
+etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index 9883ad1fd..39bf10861 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -15,7 +15,6 @@ ipip_mode: Always # change to "CrossSubnet" if you only want ipip encapsulation
 overwrite_hyperkube_cni: true
 calico_cert_dir: /etc/calico/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 # Global as_num (/calico/bgp/v1/global/as_num)
 global_as_num: "64512"
diff --git a/roles/network_plugin/calico/rr/defaults/main.yml b/roles/network_plugin/calico/rr/defaults/main.yml
index 0fde5eff8..bdc2d9f10 100644
--- a/roles/network_plugin/calico/rr/defaults/main.yml
+++ b/roles/network_plugin/calico/rr/defaults/main.yml
@@ -4,7 +4,6 @@ global_as_num: "64512"
 calico_cert_dir: /etc/calico/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 # Limits for apps
 calico_rr_memory_limit: 1000M
diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index 38696b87a..0be0f14fc 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -13,7 +13,6 @@ canal_log_level: "info"
 # Etcd SSL dirs
 canal_cert_dir: /etc/canal/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 # Canal Network Policy directory
 canal_policy_dir: /etc/kubernetes/policy
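Review bot: The two `+` lines that centralise `etcd_config_dir` and `etcd_cert_dir` at the end of `kubespray-defaults` carry no comment, while every per-role definition they replace did (`# ETCD cert dir for connecting apiserver to etcd` in the master role, `# Etcd SSL dirs` in canal and cilium), so the reader of the now-single definition no longer learns what these paths hold or who consumes them. I would add above them `# Etcd TLS material; consumed by the apiserver's etcd client settings and by the calico/canal/cilium plugins (previously defined per role)`. Writing `etcd_config_dir: "/etc/ssl/etcd"` would also match the quoting already used on the `etcd_cert_dir` line directly below it.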
diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index f6a836f95..e97364644 100755
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -5,7 +5,6 @@ cilium_disable_ipv4: false
 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs
-etcd_cert_dir: /etc/ssl/etcd/ssl
 # Cilium Network Policy directory
 cilium_policy_dir: /etc/kubernetes/policy