From f18604123fbebce35263ad220f8c4b2c730f6002 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 8 Feb 2020 04:24:09 +0100
Subject: kubernetes: added workaround for encryption config
---
 dan/group_vars/k8s-emc.yml | 10 ++++++++++
 dan/k8s-emc.yml | 8 ++++++++
 inventory/group_vars/k8s-emc/main.yml | 4 ++++
 inventory/group_vars/k8s-test/main.yml | 5 +++--
 roles/kubernetes/kubeadm/master/tasks/main.yml | 22 +++++++++++-----------
 .../kubeadm/master/templates/encryption-config.j2 | 2 +-
 roles/kubernetes/kubeadm/reset/tasks/main.yml | 1 +
 spreadspace/k8s-test.yml | 8 ++++++++
 8 files changed, 46 insertions(+), 14 deletions(-)
 create mode 100644 dan/group_vars/k8s-emc.yml
diff --git a/dan/group_vars/k8s-emc.yml b/dan/group_vars/k8s-emc.yml
new file mode 100644
index 00000000..060be2eb
--- /dev/null
+++ b/dan/group_vars/k8s-emc.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;dan
+61333930636361366561623133393666393566646538316464613834386236373463623762336335
+6237333534653261376537366463633536636438616230610a663461346436326330303862313039
+36343136376230306438633239303263326263383436333533373731656236396466363433636565
+3962316137343233620a363461633638316561303631343331303764336465356435313662393538
+30653536653934343534373835356637626430306437643730303562656437306434623263346261
+33313836336561373063383661666334383961653164323066653262613131393266393264383235
+30353462326630656363653461326433363739353837316164363733333463396165313330663065
+30303831376161376233323335616431633738653735366139646439653563653331653130313537
+62303166383264636162636266653738333762396564633630653032623531653539
diff --git a/dan/k8s-emc.yml b/dan/k8s-emc.yml
index 518604b0..ddaf3739 100644
--- a/dan/k8s-emc.yml
+++ b/dan/k8s-emc.yml
@@ -13,5 +13,13 @@ masters:
 - emc-master
+### hack hack hack...
+- name: cook kubernetes secrets
+ hosts: _kubernetes_masters_
+ gather_facts: no
+ tasks:
+ - set_fact:
+ kubernetes_secrets_cooked: "{{ kubernetes_secrets }}"
+
 - import_playbook: ../common/kubernetes.yml
 - import_playbook: ../common/kubernetes-cleanup.yml
diff --git a/inventory/group_vars/k8s-emc/main.yml b/inventory/group_vars/k8s-emc/main.yml
index d9bf350e..367fcda9 100644
--- a/inventory/group_vars/k8s-emc/main.yml
+++ b/inventory/group_vars/k8s-emc/main.yml
@@ -19,6 +19,10 @@ kubernetes:
 service_ip_range: 172.18.192.0/18
+kubernetes_secrets:
+ encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
+
+
 kubeguard:
 ## node_index must be in the range between 1 and 190 -> 189 hosts possible ##
diff --git a/inventory/group_vars/k8s-test/main.yml b/inventory/group_vars/k8s-test/main.yml
index 60d381ec..e67039df 100644
--- a/inventory/group_vars/k8s-test/main.yml
+++ b/inventory/group_vars/k8s-test/main.yml
@@ -22,8 +22,9 @@ kubernetes:
 pod_ip_range_size: 24
 service_ip_range: 172.18.192.0/18
-# kubernetes_secrets:
-# encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
+
+kubernetes_secrets:
+ encryption_config_keys: "{{ vault_kubernetes_encryption_config_keys }}"
 kubeguard:
diff --git a/roles/kubernetes/kubeadm/master/tasks/main.yml b/roles/kubernetes/kubeadm/master/tasks/main.yml
index 9af041b2..bc238c0a 100644
--- a/roles/kubernetes/kubeadm/master/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/master/tasks/main.yml
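Review bot: The `set_fact` task in the new "cook kubernetes secrets" play copies the decrypted vault keys into `kubernetes_secrets_cooked` without `no_log: true`, so under `-v` the task result prints the full `ansible_facts` payload, and the encryption keys end up in console output and any log or callback sink of the run; add `no_log: true` alongside `- set_fact:` so the task reads `- set_fact:` / `kubernetes_secrets_cooked: "{{ kubernetes_secrets }}"` / `no_log: true`. `gather_facts: no` should be `gather_facts: false`; `no` is a YAML 1.1 boolean alias that yamllint's truthy rule rejects. The comment `### hack hack hack...` does not say what is being worked around; presumably the lazily evaluated `kubernetes_secrets` from inventory cannot be resolved once the imported common playbook renders the template (confirm), and the comment should state that so the workaround can be retired when the cause is fixed.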
@@ -1,15 +1,15 @@
 ---
-# - name: create direcotry for encryption config
-# file:
-# name: /etc/kubernetes/encryption
-# state: directory
-# mode: 0700
-
-# - name: install encryption config
-# template:
-# src: encryption-config.j2
-# dest: /etc/kubernetes/encryption/config
-# mode: 0600
+- name: create direcotry for encryption config
+ file:
+ name: /etc/kubernetes/encryption
+ state: directory
+ mode: 0700
+
+- name: install encryption config
+ template:
+ src: encryption-config.j2
+ dest: /etc/kubernetes/encryption/config
+ mode: 0600
 - name: install primary master
diff --git a/roles/kubernetes/kubeadm/master/templates/encryption-config.j2 b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
index 345c9bf9..b0e700b2 100644
--- a/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
+++ b/roles/kubernetes/kubeadm/master/templates/encryption-config.j2
@@ -6,7 +6,7 @@ resources:
 providers:
 - secretbox:
 keys:
-{% for key in kubernetes_secrets.encryption_config_keys %}
+{% for key in kubernetes_secrets_cooked.encryption_config_keys %}
 - name: key{{ loop.index }}
 secret: {{ key }}
 {% endfor %}
diff --git a/roles/kubernetes/kubeadm/reset/tasks/main.yml b/roles/kubernetes/kubeadm/reset/tasks/main.yml
index f0e88e53..1e3539e1 100644
--- a/roles/kubernetes/kubeadm/reset/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/reset/tasks/main.yml
@@ -8,6 +8,7 @@
 - /etc/kubernetes/kubeadm-init.log
 - /etc/kubernetes/kubeadm-join.log
 - /etc/kubernetes/pki
+ - /etc/kubernetes/encryption
 file:
 path: "{{ item }}"
 state: absent
diff --git a/spreadspace/k8s-test.yml b/spreadspace/k8s-test.yml
index b94f8301..3cadbb92 100644
--- a/spreadspace/k8s-test.yml
+++ b/spreadspace/k8s-test.yml
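Review bot: The re-enabled `install encryption config` template task renders the secretbox keys to `/etc/kubernetes/encryption/config` but carries no `no_log: true`, so a run with `--diff` (or a changed file under `-v`) prints the rendered key material to the console and run logs; add `no_log: true` to that task next to `mode: 0600`. The task name `create direcotry for encryption config` has a typo and should read `create directory for encryption config`. Both modes are unquoted `0700`/`0600`; Ansible accepts the leading-zero form, but `mode: "0700"` / `mode: "0600"` sidesteps the YAML 1.1 octal-to-integer ambiguity and is what yamllint/ansible-lint expect. The hunk ends at `install primary master`, whose body is outside the hunk, so whether the config is actually wired into kube-apiserver (`--encryption-provider-config`) cannot be confirmed from here.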
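Review bot: Naming each key `key{{ loop.index }}` ties a key's identity to its position in `encryption_config_keys`, which breaks key rotation: kube-apiserver embeds the key name in every value it writes to etcd (`k8s:enc:secretbox:v1:<name>:`) and picks the decryption key by that name, so prepending a new key (the documented rotation step) renames the old key from key1 to key2 and data written under key1 is then decrypted with the wrong key. Carry a stable name with each key instead, e.g. `- name: {{ key.name }}` and `secret: {{ key.secret }}` with `encryption_config_keys` as a list of `{name, secret}` entries; this assumes the vaulted value is currently a plain list of raw keys, which the loop body suggests but the vault content does not show. The `resources:` header above line 6 is outside the hunk.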
@@ -13,5 +13,13 @@ masters:
 - s2-k8s-test0
+### hack hack hack...
+- name: cook kubernetes secrets
+ hosts: _kubernetes_masters_
+ gather_facts: no
+ tasks:
+ - set_fact:
+ kubernetes_secrets_cooked: "{{ kubernetes_secrets }}"
+
 - import_playbook: ../common/kubernetes.yml
 - import_playbook: ../common/kubernetes-cleanup.yml
-- cgit v1.2.3
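Review bot: This copy of the "cook kubernetes secrets" play also runs `set_fact` on the decrypted vault keys without `no_log: true`, so verbose runs print `kubernetes_secrets_cooked` in the task result; add `no_log: true` to the `set_fact` task. `gather_facts: no` should be written `gather_facts: false` (YAML 1.1 truthy alias). The play and its `### hack hack hack...` comment are duplicated verbatim from dan/k8s-emc.yml; move the play into one shared file that both top-level playbooks pull in via `import_playbook`, and replace the comment with a sentence naming the problem the eager `set_fact` works around so it can be removed once that is fixed.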