Browse Source

Add kube_encryption_resources variable to configure which resources are encrypted at rest (#5797)

pull/5803/head
Maxime Guyot 4 years ago
committed by GitHub
parent
commit
a7a204ebca
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions
  1. 2
      roles/kubernetes/master/defaults/main/main.yml
  2. 3
      roles/kubernetes/master/templates/secrets_encryption.yaml.j2

2
roles/kubernetes/master/defaults/main/main.yml

@ -152,6 +152,8 @@ kube_encrypt_secret_data: false
kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
# Must be either: aescbc, secretbox or aesgcm
kube_encryption_algorithm: "aescbc"
# Which kubernetes resources to encrypt
kube_encryption_resources: [secrets]
# You may want to use ca.pem depending on your situation
kube_front_proxy_ca: "front-proxy-ca.pem"

3
roles/kubernetes/master/templates/secrets_encryption.yaml.j2

@ -1,8 +1,7 @@
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
- resources: {{ kube_encryption_resources }}
providers:
- {{ kube_encryption_algorithm }}:
keys:

Loading…
Cancel
Save