authorChristian Pointner <equinox@spreadspace.org>2020-02-08 04:24:09 +0100
committerChristian Pointner <equinox@spreadspace.org>2020-02-08 04:24:09 +0100
commitf18604123fbebce35263ad220f8c4b2c730f6002 (patch)
tree3a60febc2ad22f2f13bbb325b75fb2e801e399c2
parentnew k8s-emc playbook (diff)
kubernetes: added workaround for encryption config
-rw-r--r--dan/group_vars/k8s-emc.yml10
-rw-r--r--dan/k8s-emc.yml8
-rw-r--r--inventory/group_vars/k8s-emc/main.yml4
-rw-r--r--inventory/group_vars/k8s-test/main.yml5
-rw-r--r--roles/kubernetes/kubeadm/master/tasks/main.yml22
-rw-r--r--roles/kubernetes/kubeadm/master/templates/encryption-config.j22
-rw-r--r--roles/kubernetes/kubeadm/reset/tasks/main.yml1
-rw-r--r--spreadspace/k8s-test.yml8
8 files changed, 46 insertions, 14 deletions
diff --git a/dan/group_vars/k8s-emc.yml b/dan/group_vars/k8s-emc.yml
new file mode 100644
index 00000000..060be2eb
--- /dev/null
+++ b/dan/group_vars/k8s-emc.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;dan
+61333930636361366561623133393666393566646538316464613834386236373463623762336335
+6237333534653261376537366463633536636438616230610a663461346436326330303862313039
+36343136376230306438633239303263326263383436333533373731656236396466363433636565
+3962316137343233620a363461633638316561303631343331303764336465356435313662393538
+30653536653934343534373835356637626430306437643730303562656437306434623263346261
+33313836336561373063383661666334383961653164323066653262613131393266393264383235
+30353462326630656363653461326433363739353837316164363733333463396165313330663065
+30303831376161376233323335616431633738653735366139646439653563653331653130313537
+62303166383264636162636266653738333762396564633630653032623531653539
diff --git a/dan/k8s-emc.yml b/dan/k8s-emc.yml
index 518604b0..ddaf3739 100644
--- a/dan/k8s-emc.yml
+++ b/dan/k8s-emc.yml
@@ -13,5 +13,13 @@
masters:
- emc-master
+### hack hack hack...
+- name: cook kubernetes secrets
+ hosts: _kubernetes_masters_
+ gather_facts: no
+ tasks:
+ - set_fact:
+ kubernetes_secrets_cooked: "{{ kubernetes_secrets }}"
+
- import_playbook: ../common/kubernetes.yml
- import_playbook: ../common/kubernetes-cleanup.yml
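Review bot: The `cook kubernetes secrets` play copies the encryption keys into a host fact without `no_log`, so a verbose run (`-v` or higher) prints the `set_fact` result, keys included; add `no_log: true` to that task. The `### hack hack hack...` marker also leaves the next reader guessing why the copy exists — the reason is not visible in this commit, so replace the marker with a comment that at least records the mechanism, e.g. `# set_fact evaluates kubernetes_secrets (a vault reference) once on the masters; the role's encryption-config.j2 reads kubernetes_secrets_cooked, not kubernetes_secrets` and note the underlying problem it works around. `gather_facts: no` is a YAML 1.1 truthy value; write `gather_facts: false`. The identical play is added to spreadspace/k8s-test.yml in this commit and the same three points apply there.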
diff --git a/inventory/group_vars/k8s-emc/main.yml b/inventory/group_vars/k8s-emc/main.yml
index d9bf350e..367fcda9 100644
--- a/inventory/group_vars/k8s-emc/main.yml
+++ b/inventory/group_vars/k8s-emc/main.yml
@@ -19,6 +19,10 @@ kubernetes:
service_ip_range: 172.18.192.0/18
+kubernetes_secrets:
+ encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
+
+
kubeguard:
## node_index must be in the range between 1 and 190 -> 189 hosts possible
##
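Review bot: The new `kubernetes_secrets` mapping is followed by two blank lines before `kubeguard:`, while the parallel hunk in inventory/group_vars/k8s-test/main.yml puts no blank line between the mapping and `kubeguard:`; use one blank line between top-level keys in both files. A short comment above the key would also tell a reader where the value ends up, e.g. `# rendered into /etc/kubernetes/encryption/config by roles/kubernetes/kubeadm/master`. Because the vault reference is only resolved when the template renders, a group without `vault_kubernetes_encryption_config_keys` will presumably fail late, at the master role, rather than at inventory load.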
diff --git a/inventory/group_vars/k8s-test/main.yml b/inventory/group_vars/k8s-test/main.yml
index 60d381ec..e67039df 100644
--- a/inventory/group_vars/k8s-test/main.yml
+++ b/inventory/group_vars/k8s-test/main.yml
@@ -22,8 +22,9 @@ kubernetes:
pod_ip_range_size: 24
service_ip_range: 172.18.192.0/18
-# kubernetes_secrets:
-# encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
+
+kubernetes_secrets:
+ encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
kubeguard:
diff --git a/roles/kubernetes/kubeadm/master/tasks/main.yml b/roles/kubernetes/kubeadm/master/tasks/main.yml
index 9af041b2..bc238c0a 100644
--- a/roles/kubernetes/kubeadm/master/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/master/tasks/main.yml
@@ -1,15 +1,15 @@
---
-# - name: create direcotry for encryption config
-# file:
-# name: /etc/kubernetes/encryption
-# state: directory
-# mode: 0700
-
-# - name: install encryption config
-# template:
-# src: encryption-config.j2
-# dest: /etc/kubernetes/encryption/config
-# mode: 0600
+- name: create direcotry for encryption config
+ file:
+ name: /etc/kubernetes/encryption
+ state: directory
+ mode: 0700
+
+- name: install encryption config
+ template:
+ src: encryption-config.j2
+ dest: /etc/kubernetes/encryption/config
+ mode: 0600
- name: install primary master
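Review bot: `mode: 0700` and `mode: 0600` are unquoted leading-zero integers that YAML 1.1 reads as octal (448 and 384); Ansible accepts that form, but it is fragile and flagged by linters, so write `mode: "0700"` and `mode: "0600"`. The rendered file at `/etc/kubernetes/encryption/config` holds the secretbox keys, so a run in `--diff` mode or with `-v` would print them in the task output; add `no_log: true` to the template task. The template also depends on `kubernetes_secrets_cooked`, which nothing in this role defines — a playbook that omits the cooking play fails here with an undefined variable, so if the coupling is intended an `assert` with `that: kubernetes_secrets_cooked is defined` and a message naming the required play would make the failure explicit. `direcotry` in the first task name is a typo. The file's remaining tasks (`install primary master` onward) are outside the hunk.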
diff --git a/roles/kubernetes/kubeadm/master/templates/encryption-config.j2 b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
index 345c9bf9..b0e700b2 100644
--- a/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
+++ b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
@@ -6,7 +6,7 @@ resources:
providers:
- secretbox:
keys:
-{% for key in kubernetes_secrets.encryption_config_keys %}
+{% for key in kubernetes_secrets_cooked.encryption_config_keys %}
- name: key{{ loop.index }}
secret: {{ key }}
{% endfor %}
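Review bot: The loop now reads `kubernetes_secrets_cooked`, a fact that nothing in this role sets; it comes from the `cook kubernetes secrets` play this commit adds to the cluster playbooks, and a reader of the role alone cannot see that. A Jinja comment above the loop would record it, e.g. `{# kubernetes_secrets_cooked is a set_fact copy of kubernetes_secrets made by the cluster playbook before this role runs (see dan/k8s-emc.yml); the reason for the copy should be noted here #}`. Separately, the unchanged `secret: {{ key }}` line emits each key as a plain scalar; `secret: "{{ key }}"` keeps it a string whatever the key value looks like. The enclosing `resources:` list starts outside the hunk.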
diff --git a/roles/kubernetes/kubeadm/reset/tasks/main.yml b/roles/kubernetes/kubeadm/reset/tasks/main.yml
index f0e88e53..1e3539e1 100644
--- a/roles/kubernetes/kubeadm/reset/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/reset/tasks/main.yml
@@ -8,6 +8,7 @@
- /etc/kubernetes/kubeadm-init.log
- /etc/kubernetes/kubeadm-join.log
- /etc/kubernetes/pki
+ - /etc/kubernetes/encryption
file:
path: "{{ item }}"
state: absent
diff --git a/spreadspace/k8s-test.yml b/spreadspace/k8s-test.yml
index b94f8301..3cadbb92 100644
--- a/spreadspace/k8s-test.yml
+++ b/spreadspace/k8s-test.yml
@@ -13,5 +13,13 @@
masters:
- s2-k8s-test0
+### hack hack hack...
+- name: cook kubernetes secrets
+ hosts: _kubernetes_masters_
+ gather_facts: no
+ tasks:
+ - set_fact:
+ kubernetes_secrets_cooked: "{{ kubernetes_secrets }}"
+
- import_playbook: ../common/kubernetes.yml
- import_playbook: ../common/kubernetes-cleanup.yml