Kubelet csr approver (#9877)

* chore(helm-apps): fix README example README shows a non-working example according to the specs for this role. * Add support for kubelet-csr-approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * Add tests for kubelet-csr-approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * Add Documentation for Kubelet CSR Approver Co-Authored-By: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Co-authored-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
2025-12-14 13:54:37 +03:00 · 2023-05-11 00:49:09 +00:00
parent 9a72de54de
commit 07d45e6b62
13 changed files with 94 additions and 9 deletions
--- a/tests/files/packet_centos7-flannel-addons-ha.yml
+++ b/tests/files/packet_centos7-flannel-addons-ha.yml
@@ -25,6 +25,7 @@ metrics_server_kubelet_insecure_tls: true
 kube_token_auth: true
 enable_nodelocaldns: false
 kubelet_rotate_server_certificates: true
+kubelet_csr_approver_enabled: false

 kube_oidc_url: https://accounts.google.com/.well-known/openid-configuration
 kube_oidc_client_id: kubespray-example
--- a/tests/files/packet_debian11-kubelet-csr-approver.yml
+++ b/tests/files/packet_debian11-kubelet-csr-approver.yml
@@ -0,0 +1,11 @@
+---
+# Instance settings
+cloud_image: debian-11
+mode: default
+
+# Kubespray settings
+kubelet_rotate_server_certificates: true
+kubelet_csr_approver_enabled: true
+kubelet_csr_approver_values:
+  # Do not check DNS resolution in testing (not recommended in production)
+  bypassDnsResolution: true
--- a/tests/files/packet_ubuntu20-calico-aio-hardening.yml
+++ b/tests/files/packet_ubuntu20-calico-aio-hardening.yml
@@ -80,6 +80,7 @@ etcd_deployment_type: kubeadm
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
+kubelet_csr_approver_enabled: false
 kubelet_protect_kernel_defaults: true
 kubelet_event_record_qps: 1
 kubelet_rotate_certificates: true