Etcd certs: use symlink in kubeadm config

Author: ant31

roles/kubernetes/control-plane/defaults/main/main.yml

@@ -23,10 +23,6 @@ kube_apiserver_etcd_compaction_interval: "5m0s"
 # in the request is actually present in etcd.
 kube_apiserver_service_account_lookup: true
 
-kube_etcd_cacert_file: ca.pem
-kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
-kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
-
 # Associated interfaces must be reachable by the rest of the cluster, and by
 # CLI/web clients.
 kube_controller_manager_bind_address: "::"

roles/kubernetes/preinstall/tasks/0200-etcd-link.yml

@@ -0,0 +1,14 @@
+- name: generate symlink to etcd certs
+  ansible.builtin.file:
+    src: "{{item.src}}"
+    dest: "{{item.dest}}"
+    state: link
+  loop:
+    - src: "{{etcd_cert_paths.client.ca}}"
+      dest: "{{ etcd_cert_dir }}/{{kube_etcd_cacert_file}}"
+    - src: "{{etcd_cert_paths.client.cert}}"
+      dest: "{{ etcd_cert_dir }}/{{kube_etcd_cert_file}}"
+    - src: "{{etcd_cert_paths.client.key}}"
+      dest: "{{ etcd_cert_dir }}/{{kube_etcd_key_file}}"
+  when:
+    - inventory_hostname  in groups['kube_control_plane']

roles/kubernetes/preinstall/tasks/main.yml

@@ -137,3 +137,10 @@
   when:
     - kube_network_plugin == 'calico'
     - not ignore_assert_errors
+
+- import_tasks: 0200-etcd-link.yml
+  tags:
+    - bootstrap-os
+    - etcd
+  when:
+    - etcd_deployment_type != "kubeadm"

roles/kubespray-defaults/defaults/main/main.yml

@@ -763,3 +763,15 @@ system_upgrade_reboot: on-upgrade  # never, always
 
 # Enables or disables the scheduler plugins.
 scheduler_plugins_enabled: false
+
+# Symlinks to etcd certs
+kube_etcd_cacert_file: "kube-client-ca.pem"
+kube_etcd_cert_file: "kube-client-cert.pem"
+kube_etcd_key_file: "kube-client-key.pem"
+
+# Harlink to etcd certs
+etcd_cert_paths:
+  client:
+    ca: "{{ etcd_cert_dir }}/ca.pem"
+    cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
+    key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"