Fix kubernetes-sigs#4237: update kube cert path (kubernetes-sigs#4354)

contrib/terraform/openstack/README.md

@@ -412,13 +412,13 @@ sudo route add -net [internal-subnet]/24 gw [router-ip]
 ```
 3. List Kubernetes certificates & keys:
 ```
-ssh [os-user]@[master-ip] sudo ls /etc/kubernetes/ssl/
+ssh [os-user]@[master-ip] sudo ls /etc/kubernetes/pki/
 ```
 4. Get `admin`'s certificates and keys:
 ```
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-kube-master-1-key.pem > admin-key.pem
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/admin-kube-master-1.pem > admin.pem
-ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/ssl/ca.pem > ca.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/pki/admin-kube-master-k8s-master-1-key.pem > admin-key.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/pki/admin-kube-master-k8s-master-1.pem > admin.pem
+ssh [os-user]@[master-ip] sudo cat /etc/kubernetes/pki/ca.pem > ca.pem
 ```
 5. Configure kubectl:
 ```ShellSession

contrib/vault/roles/vault/defaults/main.yml

@@ -114,7 +114,7 @@ vault_client_headers:
   Content-Type: "application/json"
 
 etcd_cert_dir: /etc/ssl/etcd/ssl
-kube_cert_dir: /etc/kubernetes/ssl
+kube_cert_dir: /etc/kubernetes/pki
 
 vault_pki_mounts:
   userpass:

contrib/vault/vault.md

@@ -76,8 +76,8 @@ generated elsewhere, you'll need to copy the certificate and key to the hosts in
   * ``/etc/ssl/etcd/ssl/ca.pem``
   * ``/etc/ssl/etcd/ssl/ca-key.pem``
 * kubernetes:
-  * ``/etc/kubernetes/ssl/ca.pem``
-  * ``/etc/kubernetes/ssl/ca-key.pem``
+  * ``/etc/kubernetes/pki/ca.pem``
+  * ``/etc/kubernetes/pki/ca-key.pem``
 
 Additional Notes:
 

inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml

@@ -8,7 +8,9 @@ kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
 
 # This is where all the cert scripts and certs will be located
-kube_cert_dir: "{{ kube_config_dir }}/ssl"
+# For old version of k8s next line should be used instead
+# kube_cert_dir: "{{ kube_config_dir }}/ssl"
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"

roles/kubernetes/client/defaults/main.yml

@@ -4,4 +4,5 @@ kubectl_localhost: false
 artifacts_dir: "{{ inventory_dir }}/artifacts"
 
 kube_config_dir: "/etc/kubernetes"
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 kube_apiserver_port: "6443"

roles/kubernetes/client/tasks/main.yml

@@ -49,7 +49,7 @@
     kubeconfig user
     --client-name kubernetes-admin
     --org system:masters
-    --cert-dir {{ kube_config_dir }}/ssl
+    --cert-dir {{ kube_cert_dir }}
     --apiserver-advertise-address {{ external_apiserver_address }}
     --apiserver-bind-port {{ external_apiserver_port }}
   run_once: yes

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -71,7 +71,7 @@
   tags: facts
 
 - name: kubeadm | Copy etcd cert dir under k8s cert dir
-  command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"
+  command: "cp -TR {{ etcd_cert_dir }} {{ kube_cert_dir }}/etcd"
   changed_when: false
 
 - name: Create audit-policy directory

roles/kubernetes/preinstall/defaults/main.yml

@@ -25,6 +25,7 @@ disable_ipv6_dns: false
 
 kube_cert_group: kube-cert
 kube_config_dir: /etc/kubernetes
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 
 # Container Linux by CoreOS cloud init config file to define /etc/resolv.conf content
 # for hostnet pods and infra needs

roles/kubespray-defaults/defaults/main.yaml

@@ -93,7 +93,7 @@ kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
 
 # This is where all the cert scripts and certs will be located
-kube_cert_dir: "{{ kube_config_dir }}/ssl"
+kube_cert_dir: "{{ kube_config_dir }}/pki"
 
 # This is where all of the bearer tokens will be stored
 kube_token_dir: "{{ kube_config_dir }}/tokens"