Added option for encrypting secrets to etcd v.2 (#2428)

* Added option for encrypting secrets to etcd * Fix keylength to 32 * Forgot the default * Rename secrets.yaml to secrets_encryption.yaml * Fix static path for secrets file to use ansible variable * Rename secrets.yaml.j2 to secrets_encryption.yaml.j2 * Base64 encode the token * Fixed merge error * Changed path to credentials dir * Update path to secrets file which is now readable inside the apiserver container. Set better file permissions * Add encryption option to k8s-cluster.yml
2026-03-09 11:47:47 +03:00 · 2018-03-15 20:20:05 +01:00
parent d843e3d562
commit 3d6fd49179
7 changed files with 39 additions and 1 deletions
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -52,6 +52,9 @@ apiServerExtraArgs:
 {%   if kube_oidc_groups_claim is defined %}
  oidc-groups-claim: {{ kube_oidc_groups_claim }}
 {%   endif %}
+{% endif %}
+{% if kube_encrypt_secret_data %}
+  experimental-encryption-provider-config: {{ kube_config_dir }}/ssl/secrets_encryption.yaml
 {% endif %}
  storage-backend: {{ kube_apiserver_storage_backend }}
 {% if kube_api_runtime_config is defined %}