epostnikof/kubespray
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-28 09:39:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add optional setting for ca data in auth webhook (#8777)

Browse Source 
* Add optional setting for ca data in auth webhook

* add webhook token auth variables to sample inventory
This commit is contained in:
David Louks
2022-05-05 16:52:43 -05:00
committed by GitHub
parent 94484873d1
commit 3e52a0db95
3 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
inventory/sample/group_vars/all/all.yml
View File

@@ -113,3 +113,10 @@ no_proxy_exclude_workers: false
# sysctl_file_path to add sysctl conf to # sysctl_file_path to add sysctl conf to
# sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf" # sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
kube_webhook_token_auth: false
kube_webhook_token_auth_url_skip_tls_verify: false
# kube_webhook_token_auth_url: https://...
## base64-encoded string of the webhook's CA certificate
# kube_webhook_token_auth_ca_data: "LS0t..."

8
roles/kubernetes/control-plane/defaults/main/main.yml
View File

@@ -111,13 +111,17 @@ kube_api_runtime_config: []
## Enable/Disable Kube API Server Authentication Methods ## Enable/Disable Kube API Server Authentication Methods
kube_token_auth: false kube_token_auth: false
kube_oidc_auth: false kube_oidc_auth: false
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
kube_webhook_token_auth: false kube_webhook_token_auth: false
kube_webhook_token_auth_url_skip_tls_verify: false kube_webhook_token_auth_url_skip_tls_verify: false
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
# kube_webhook_token_auth_url: https://... # kube_webhook_token_auth_url: https://...
kube_webhook_authorization: false ## base64-encoded string of the webhook's CA certificate
# kube_webhook_token_auth_ca_data: "LS0t..."
## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/ ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
# kube_webhook_authorization_url: https://... # kube_webhook_authorization_url: https://...
kube_webhook_authorization: false
kube_webhook_authorization_url_skip_tls_verify: false kube_webhook_authorization_url_skip_tls_verify: false

3
roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
View File

@@ -4,6 +4,9 @@ clusters:
cluster: cluster:
server: {{ kube_webhook_token_auth_url }} server: {{ kube_webhook_token_auth_url }}
insecure-skip-tls-verify: {{ kube_webhook_token_auth_url_skip_tls_verify }} insecure-skip-tls-verify: {{ kube_webhook_token_auth_url_skip_tls_verify }}
{% if kube_webhook_token_auth_ca_data is defined %}
certificate-authority-data: {{ kube_webhook_token_auth_ca_data }}
{% endif %}
# users refers to the API server's webhook configuration. # users refers to the API server's webhook configuration.
users: users: