etcd-certs: only change necessary permissions (#12914 )

We currently **recursively** set the permissions of /etc/ssl/etcd/ssl (default path) to 700. But this removes group permission from the files under it, and certain composents (like calio with etcd datastore) rely on it ; thus, the upgrade of a cluster can fail because the calico-kube-controller can't access the certs, and thus the etcd. This works in other case because as far as I can tell, the apiserver which do access the etcd run as root (the owner of the files, not just the "group owner") We also for some reasons do this twice. Only create the etcd cert directory with the correct permissions once, not recursively. Co-authored-by: Max Gautier <mg@max.gautier.name>
Docs: cilium_kube_proxy_replacement change boolean (#12911 )
2026-02-04 08:48:42 +03:00 · 2026-01-27 20:29:51 +05:30 · 2026-01-27 17:03:49 +05:30
3 changed files with 3 additions and 14 deletions
--- a/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-net-cilium.yml
@@ -56,8 +56,8 @@ cilium_l2announcements: false
 #
 # Only effective when monitor aggregation is set to "medium" or higher.
 # cilium_monitor_aggregation_flags: "all"
-# Kube Proxy Replacement mode (strict/partial)
-# cilium_kube_proxy_replacement: partial
+# Kube Proxy Replacement mode (true/false)
+# cilium_kube_proxy_replacement: false

 # If upgrading from Cilium < 1.5, you may want to override some of these options
 # to prevent service disruptions. See also:
--- a/roles/etcd/tasks/gen_certs_script.yml
+++ b/roles/etcd/tasks/gen_certs_script.yml
@@ -5,8 +5,7 @@
    group: "{{ etcd_cert_group }}"
    state: directory
    owner: "{{ etcd_owner }}"
-    mode: "{{ etcd_cert_dir_mode }}"
-    recurse: true
+    mode: "0700"

 - name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})"
  file:
@@ -145,15 +144,6 @@
    - ('k8s_cluster' in group_names) and
        sync_certs | default(false) and inventory_hostname not in groups['etcd']

- name: Gen_certs | check certificate permissions
-  file:
-    path: "{{ etcd_cert_dir }}"
-    group: "{{ etcd_cert_group }}"
-    state: directory
-    owner: "{{ etcd_owner }}"
-    mode: "{{ etcd_cert_dir_mode }}"
-    recurse: true
-
 # This is a hack around the fact kubeadm expect the same certs path on all kube_control_plane
 # TODO: fix certs generation to have the same file everywhere
 # OR work with kubeadm on node-specific config
--- a/roles/etcd_defaults/defaults/main.yml
+++ b/roles/etcd_defaults/defaults/main.yml
@@ -18,7 +18,6 @@ etcd_backup_retention_count: -1
 force_etcd_cert_refresh: true
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-etcd_cert_dir_mode: "0700"
 etcd_cert_group: root
 # Note: This does not set up DNS entries. It simply adds the following DNS
 # entries to the certificate