Add kube_encryption_resources variable to configure which resources are encrypted at rest (#5797)

4 years ago · a7a204ebca
2 changed files with 3 additions and 2 deletions
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@ -152,6 +152,8 @@ kube_encrypt_secret_data: false
 kube_encrypt_token: "{{ lookup('password', credentials_dir + '/kube_encrypt_token.creds length=32 chars=ascii_letters,digits') }}"
 # Must be either: aescbc, secretbox or aesgcm
 kube_encryption_algorithm: "aescbc"
 # Which kubernetes resources to encrypt
 kube_encryption_resources: [secrets]
 # You may want to use ca.pem depending on your situation
 kube_front_proxy_ca: "front-proxy-ca.pem"
--- a/roles/kubernetes/master/templates/secrets_encryption.yaml.j2
+++ b/roles/kubernetes/master/templates/secrets_encryption.yaml.j2
@ -1,8 +1,7 @@
 kind: EncryptionConfig
 apiVersion: v1
 resources:
  - resources:
    - secrets
  - resources: {{ kube_encryption_resources }}
    providers:
    - {{ kube_encryption_algorithm }}:
        keys: