From 941965ba3648b3d7c1032bccae9e778fa14a74cc Mon Sep 17 00:00:00 2001
From: David Louks <2402775+dlouks@users.noreply.github.com>
Date: Tue, 3 May 2022 10:01:22 -0500
Subject: [PATCH 1/2] Add optional setting for ca data in auth webhook
---
 roles/kubernetes/control-plane/defaults/main/main.yml | 1 +
 .../control-plane/templates/webhook-token-auth-config.yaml.j2 | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 227a53b094b..0cd80563a6f 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -118,6 +118,7 @@ kube_webhook_token_auth_url_skip_tls_verify: false
 kube_webhook_authorization: false
 ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
 # kube_webhook_authorization_url: https://...
+# kube_webhook_token_auth_ca_data:
 kube_webhook_authorization_url_skip_tls_verify: false
diff --git a/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2 b/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
index 4d0c1eccbc5..f152d11beb4 100644
--- a/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
@@ -4,6 +4,9 @@ clusters:
   cluster:
     server: {{ kube_webhook_token_auth_url }}
     insecure-skip-tls-verify: {{ kube_webhook_token_auth_url_skip_tls_verify }}
+{% if kube_webhook_token_auth_ca_data is defined %}
+    certificate-authority-data: {{ kube_webhook_token_auth_ca_data }}
+{% endif %}
 # users refers to the API server's webhook configuration.
 users:
From 27fff95335fa3ffc095d0c40131d39534373c05d Mon Sep 17 00:00:00 2001
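Review bot: In roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2 the new certificate-authority-data line is emitted next to an insecure-skip-tls-verify line that is still rendered unconditionally from kube_webhook_token_auth_url_skip_tls_verify, so an inventory that sets both a CA and skip-verify produces a cluster entry carrying both. client-go's kubeconfig validation appears to reject a cluster entry that combines insecure-skip-tls-verify with a certificate authority (inferred from clientcmd's validation; confirm against the API server version in use), which would turn that misconfiguration into an apiserver startup failure rather than a verified connection, so either gate the insecure-skip-tls-verify line on the CA variable being undefined or document the two as mutually exclusive. The rendered value should also be quoted so that a defined-but-empty variable does not collapse to null and any unexpected characters cannot change the scalar's type: `certificate-authority-data: "{{ kube_webhook_token_auth_ca_data }}"`. The enclosing clusters entry begins before the hunk.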
From: David Louks <2402775+dlouks@users.noreply.github.com>
Date: Wed, 4 May 2022 11:09:31 -0500
Subject: [PATCH 2/2] add webhook token auth variables to sample inventory
---
 inventory/sample/group_vars/all/all.yml | 7 +++++++
 roles/kubernetes/control-plane/defaults/main/main.yml | 9 ++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index d3c27ac35bd..ea69a5b2c1d 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -113,3 +113,10 @@ no_proxy_exclude_workers: false
 # sysctl_file_path to add sysctl conf to
 # sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
+
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+kube_webhook_token_auth: false
+kube_webhook_token_auth_url_skip_tls_verify: false
+# kube_webhook_token_auth_url: https://...
+## base64-encoded string of the webhook's CA certificate
+# kube_webhook_token_auth_ca_data: "LS0t..."
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 0cd80563a6f..51984933b79 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
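Review bot: In inventory/sample/group_vars/all/all.yml the comment on kube_webhook_token_auth_ca_data says only "base64-encoded string of the webhook's CA certificate", which leaves open whether the full PEM block (BEGIN/END lines included) is what gets encoded; the "LS0t..." placeholder suggests it is, since LS0t is the base64 prefix of "---". The comment also says nothing about kube_webhook_token_auth_url_skip_tls_verify two lines above, which is the setting an operator must keep at false once a CA is supplied, otherwise the CA buys no server authentication. I would expand it to `## base64 of the PEM-encoded CA certificate of the webhook server (same form as certificate-authority-data in a kubeconfig); when set, keep kube_webhook_token_auth_url_skip_tls_verify false`. The same comment is added to roles/kubernetes/control-plane/defaults/main/main.yml in the following hunk and should be updated there as well.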
@@ -111,14 +111,17 @@ kube_api_runtime_config: []
 ## Enable/Disable Kube API Server Authentication Methods
 kube_token_auth: false
 kube_oidc_auth: false
+
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 kube_webhook_token_auth: false
 kube_webhook_token_auth_url_skip_tls_verify: false
-## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 # kube_webhook_token_auth_url: https://...
-kube_webhook_authorization: false
+## base64-encoded string of the webhook's CA certificate
+# kube_webhook_token_auth_ca_data: "LS0t..."
+
 ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
 # kube_webhook_authorization_url: https://...
-# kube_webhook_token_auth_ca_data:
+kube_webhook_authorization: false
 kube_webhook_authorization_url_skip_tls_verify: false