Added secrets encryption at rest option
parent
f684f6d907
commit
e93b438ee0
@ -80,6 +80,7 @@ consistency.
|
||||||
| `k3s_datastore_certfile` | Define the database TLS Cert file. | _NULL_ |
|
| `k3s_datastore_certfile` | Define the database TLS Cert file. | _NULL_ |
|
||||||
| `k3s_datastore_keyfile` | Define the database TLS Key file. | _NULL_ |
|
| `k3s_datastore_keyfile` | Define the database TLS Key file. | _NULL_ |
|
||||||
| `k3s_dqlite_datastore` | Use DQLite as the database backend for HA. (EXPERIMENTAL) | `false` |
|
| `k3s_dqlite_datastore` | Use DQLite as the database backend for HA. (EXPERIMENTAL) | `false` |
|
||||||
|
| `k3s_secrets_encryption` | Use secrets encryption at rest. (EXPERIMENTAL) | `false` |
|
||||||
|
|
||||||
#### Important note about `k3s_release_version`
|
#### Important note about `k3s_release_version`
|
||||||
|
|
||||||
|
|
|
@ -95,3 +95,6 @@ k3s_disable_network_policy: false
|
||||||
|
|
||||||
# Default local storage path for local provisioner storage class, if set to "false" we will use the default
|
# Default local storage path for local provisioner storage class, if set to "false" we will use the default
|
||||||
k3s_default_local_storage_path: false
|
k3s_default_local_storage_path: false
|
||||||
|
|
||||||
|
# Use secret encryption at rest (EXPERIMENTAL)
|
||||||
|
k3s_secrets_encryption: false
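Review bot: The comment above `k3s_secrets_encryption` should warn that this is not a safe toggle: turning it on for an already-running cluster only protects Secrets written after the server restarts (with Kubernetes encryption-at-rest, pre-existing objects stay in plaintext in the datastore until they are rewritten, e.g. `kubectl get secrets -A -o json | kubectl replace -f -`), and turning it back off while encrypted Secrets remain leaves the apiserver unable to read them. It is also a server-only setting, which the comment could say since the role's defaults apply to agents too. Suggested wording: `# Use secret encryption at rest (EXPERIMENTAL). Control nodes only; protects secrets written after enabling (rewrite existing ones), and do not disable while encrypted secrets remain in the datastore.` As far as I know the encryption key lives on the server node's filesystem, so this guards the datastore rather than a compromised control node — worth a hedge in the docs.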
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
vars:
|
vars:
|
||||||
molecule_is_test: true
|
molecule_is_test: true
|
||||||
k3s_dqlite_datastore: true
|
k3s_dqlite_datastore: true
|
||||||
|
k3s_secrets_encryption: true
|
||||||
k3s_use_experimental: true
|
k3s_use_experimental: true
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Set each node to be a control node
|
- name: Set each node to be a control node
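Review bot: Setting `k3s_secrets_encryption: true` in the scenario vars only exercises that the role accepts the variable and that k3s starts with the flag; nothing visible here asserts that Secrets are actually stored encrypted. If the scenario's verify step does not already do so, it would be worth adding a task that creates a throwaway Secret and checks that its value does not appear in cleartext in the datastore, or at minimum that the rendered unit contains `--secrets-encryption`. The play definition this `vars:` block belongs to starts outside the hunk.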
|
||||||
|
|
|
@ -8,3 +8,4 @@
|
||||||
fail_msg: "Experimental variables have been configured. If you want to use them ensure you set k3s_use_experimental"
|
fail_msg: "Experimental variables have been configured. If you want to use them ensure you set k3s_use_experimental"
|
||||||
when: (k3s_non_root is defined and k3s_non_root)
|
when: (k3s_non_root is defined and k3s_non_root)
|
||||||
or (k3s_dqlite_datastore is defined and k3s_dqlite_datastore)
|
or (k3s_dqlite_datastore is defined and k3s_dqlite_datastore)
|
||||||
|
or (k3s_secrets_encryption is defined and k3s_secrets_encryption)
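Review bot: The added clause truth-tests the raw variable, so a string value such as `-e k3s_secrets_encryption=false` on the command line (key=value extra-vars are always strings) is truthy and trips the experimental guard even though the operator meant "off"; `or (k3s_secrets_encryption | default(false) | bool)` is robust to that. This mirrors the existing `k3s_non_root` and `k3s_dqlite_datastore` clauses, so if one is changed all three should be, for consistency. The `when:` expression belongs to a task whose opening lines are outside the hunk.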
|
||||||
|
|
|
@ -213,3 +213,11 @@
|
||||||
success_msg: "Local storage path supported in {{ k3s_release_version }}"
|
success_msg: "Local storage path supported in {{ k3s_release_version }}"
|
||||||
fail_msg: "Local storage path are not supported in {{ k3s_release_version }}"
|
fail_msg: "Local storage path are not supported in {{ k3s_release_version }}"
|
||||||
when: k3s_default_local_storage_path is defined and k3s_default_local_storage_path
|
when: k3s_default_local_storage_path is defined and k3s_default_local_storage_path
|
||||||
|
|
||||||
|
- name: Check k3s_secrets_encryption against k3s version
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- (k3s_release_version | replace('v', '')) is version_compare('1.17.4', '>=')
|
||||||
|
success_msg: "Secrets encryption at rest supported in {{ k3s_release_version }}"
|
||||||
|
fail_msg: "Secrets encryption at rest is not supported in {{ k3s_release_version }}"
|
||||||
|
when: k3s_secrets_encryption is defined and k3s_secrets_encryption
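Review bot: The new assert uses `version_compare`, which has been a deprecated alias of the `version` test since Ansible 2.5; `- (k3s_release_version | replace('v', '')) is version('1.17.4', '>=')` is the current spelling, although it matches the sibling `k3s_default_local_storage_path` check just above so it is really a file-wide choice. Also note that `replace('v', '')` strips every `v`, which is fine for tags like `v1.17.4+k3s1` but, if the role ever accepts non-semver values for `k3s_release_version` (a channel name, for instance), the comparison would fail or error rather than skip — a short comment stating the expected tag format, `# Expects a release tag such as v1.17.4+k3s1`, would make that contract explicit.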
|
||||||
|
|
|
@ -77,6 +77,9 @@ ExecStart={{ k3s_install_dir }}/k3s
|
||||||
--token {{ k3s_control_token }}
|
--token {{ k3s_control_token }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if k3s_secrets_encryption is defined and k3s_secrets_encryption %}
|
||||||
|
--secrets-encryption
|
||||||
|
{% endif %}
|
||||||
{% else %}
|
{% else %}
|
||||||
agent
|
agent
|
||||||
--server https://{{ k3s_control_node_address }}:{{ k3s_https_port }}
|
--server https://{{ k3s_control_node_address }}:{{ k3s_https_port }}
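Review bot: Because `--secrets-encryption` is rendered conditionally, re-running the role with `k3s_secrets_encryption` flipped back to `false` restarts the server without an encryption provider while previously written Secrets are still stored encrypted; with Kubernetes encryption-at-rest the apiserver can then no longer decode them, so the flag is effectively one-way unless Secrets are rewritten first. A Jinja comment on the new block would capture this: `{# Server-only. Encrypts secrets written from now on; do not remove this flag while encrypted secrets remain in the datastore. #}`. Like the surrounding `{% if ... %}` guards, the condition truth-tests the raw variable, so a string `"false"` from `-e` would render the flag — `{% if k3s_secrets_encryption | default(false) | bool %}` avoids that. The `ExecStart` argument list this hunk sits in starts and ends outside the hunk.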
|
||||||
|
|