From 3e52a0db95d5b9a2e398a6ccd7ada7c6b6d11690 Mon Sep 17 00:00:00 2001
From: David Louks <2402775+dlouks@users.noreply.github.com>
Date: Thu, 5 May 2022 16:52:43 -0500
Subject: [PATCH] Add optional setting for ca data in auth webhook (#8777)
* Add optional setting for ca data in auth webhook
* add webhook token auth variables to sample inventory
---
 inventory/sample/group_vars/all/all.yml | 7 +++++++
 roles/kubernetes/control-plane/defaults/main/main.yml | 8 ++++++--
 .../templates/webhook-token-auth-config.yaml.j2 | 3 +++
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index d3c27ac35..ea69a5b2c 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -113,3 +113,10 @@ no_proxy_exclude_workers: false
 # sysctl_file_path to add sysctl conf to
 # sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
+
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
kube_webhook_token_auth: false
kube_webhook_token_auth_url_skip_tls_verify: false
# kube_webhook_token_auth_url: https://...
## base64-encoded string of the webhook's CA certificate
# kube_webhook_token_auth_ca_data: "LS0t..."
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 227a53b09..51984933b 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
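Review bot: The new `## base64-encoded string of the webhook's CA certificate` comment leaves open what exactly is encoded and how the setting relates to `kube_webhook_token_auth_url_skip_tls_verify`, which sits two lines above it, so an operator could plausibly enable both. I would make the comment say that the value is the base64 encoding of the PEM CA bundle for the webhook's serving certificate (the same form as `certificate-authority-data` in a kubeconfig) and that it is the alternative to, not a companion of, skipping verification, e.g. `## base64-encoded PEM bundle of the CA for the webhook's serving certificate; set this instead of kube_webhook_token_auth_url_skip_tls_verify: true`. The same comment is duplicated in the next hunk, in roles/kubernetes/control-plane/defaults/main/main.yml, and should be updated there as well. Keeping the sample value quoted, as the `"LS0t..."` placeholder does, is worth preserving so an unusual base64 value is never retyped by the YAML loader.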
@@ -111,13 +111,17 @@ kube_api_runtime_config: []
 ## Enable/Disable Kube API Server Authentication Methods
 kube_token_auth: false
 kube_oidc_auth: false
+
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 kube_webhook_token_auth: false
 kube_webhook_token_auth_url_skip_tls_verify: false
-## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 # kube_webhook_token_auth_url: https://...
-kube_webhook_authorization: false
+## base64-encoded string of the webhook's CA certificate
+# kube_webhook_token_auth_ca_data: "LS0t..."
+
 ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
 # kube_webhook_authorization_url: https://...
+kube_webhook_authorization: false
 kube_webhook_authorization_url_skip_tls_verify: false
diff --git a/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2 b/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
index 4d0c1eccb..f152d11be 100644
--- a/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
@@ -4,6 +4,9 @@ clusters:
 cluster:
 server: {{ kube_webhook_token_auth_url }}
 insecure-skip-tls-verify: {{ kube_webhook_token_auth_url_skip_tls_verify }}
+{% if kube_webhook_token_auth_ca_data is defined %}
+ certificate-authority-data: {{ kube_webhook_token_auth_ca_data }}
+{% endif %}
 # users refers to the API server's webhook configuration.
 users:
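Review bot: `certificate-authority-data: {{ kube_webhook_token_auth_ca_data }}` in the template hunk renders the variable unquoted, so a value that is defined but empty (a placeholder left as `""` in an inventory, or a lookup that returned nothing) produces a bare `certificate-authority-data:` that parses as null, which the `is defined` guard does not catch; I would render it as `certificate-authority-data: "{{ kube_webhook_token_auth_ca_data }}"` and tighten the guard to `{% if kube_webhook_token_auth_ca_data is defined and kube_webhook_token_auth_ca_data %}`. The new key is also emitted next to `insecure-skip-tls-verify`, which is still rendered unconditionally from `kube_webhook_token_auth_url_skip_tls_verify`; if I remember client-go's kubeconfig validation correctly, a cluster entry that carries both CA data and the insecure flag is rejected when the apiserver loads the authentication webhook config, so that combination deserves a note in the defaults or an assertion in the role rather than being discovered at kube-apiserver start. The added line must carry the same indentation as `insecure-skip-tls-verify` to land under `cluster:`, which this collapsed view does not let me confirm.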