From dbe02d398aae71b527fab2bb671d5c43618bbd5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hannes=20K=C3=B6rber?= Date: Wed, 9 Dec 2020 09:48:49 +0100 Subject: [PATCH] etcd: Fix permissions of /etc/ssl/etcd/ssl (#6908) --- roles/etcd/defaults/main.yml | 1 + roles/etcd/tasks/gen_certs_script.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml index 9533f4e70..8da2df988 100644 --- a/roles/etcd/defaults/main.yml +++ b/roles/etcd/defaults/main.yml @@ -14,6 +14,7 @@ etcd_backup_retention_count: -1 etcd_config_dir: /etc/ssl/etcd etcd_cert_dir: "{{ etcd_config_dir }}/ssl" +etcd_cert_dir_mode: "0700" etcd_cert_group: root # Note: This does not set up DNS entries. It simply adds the following DNS # entries to the certificate diff --git a/roles/etcd/tasks/gen_certs_script.yml b/roles/etcd/tasks/gen_certs_script.yml index 0314ad9d9..36a8e2fc6 100644 --- a/roles/etcd/tasks/gen_certs_script.yml +++ b/roles/etcd/tasks/gen_certs_script.yml @@ -5,7 +5,7 @@ group: "{{ etcd_cert_group }}" state: directory owner: kube - mode: 0700 + mode: "{{ etcd_cert_dir_mode }}" recurse: yes - name: "Gen_certs | create etcd script dir (on {{ groups['etcd'][0] }})" @@ -157,5 +157,5 @@ group: "{{ etcd_cert_group }}" state: directory owner: kube - mode: 0640 + mode: "{{ etcd_cert_dir_mode }}" recurse: yes
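Review bot: The new `etcd_cert_dir_mode` default in roles/etcd/defaults/main.yml has no comment, and its name suggests it affects only the directory itself. Both tasks in gen_certs_script.yml that consume it set `recurse: yes`, so the value is also applied to whatever sits under `etcd_cert_dir`, which presumably includes the etcd private keys. I would add above it: `# Applied recursively to etcd_cert_dir and everything in it; keep group/other bits off unless etcd_cert_group needs read access.`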
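Review bot: With `recurse: yes`, a single numeric `mode` is applied to directories and files alike, so the `"0700"` default sets the owner execute bit on every file in the cert dir. An override such as `"0640"` would strip the search bit from the directories again, which is presumably the breakage this commit fixes. This applies to both `mode: "{{ etcd_cert_dir_mode }}"` lines, the one in the hunk at -5,7 and the one at -157,5. A symbolic default, `etcd_cert_dir_mode: "u=rwX,g=,o="`, lets one variable give directories the search bit without adding execute to plain files. Both tasks start above their hunks, so the module name and path are not visible here and should be confirmed as the file module.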
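Review bot: In the hunk at -157,5 the final mode of the tree changes from `0640` to the `"0700"` default, which removes group read while the task still sets `group: "{{ etcd_cert_group }}"`. That is the tighter setting, but a deployment that pointed `etcd_cert_group` at a non-root group to grant read access would lose it on the next run without warning. I would record that on the task, e.g. `# Was 0640: group members keep read access only if etcd_cert_dir_mode is overridden.`, and mention it in the upgrade notes. The task begins above the hunk, so whether anything else re-grants access later is not visible here.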