Add optional setting for ca data in auth webhook (#8777)

* Add optional setting for ca data in auth webhook * add webhook token auth variables to sample inventory

Add optional setting for ca data in auth webhook (#8777)
3e52a0db · David Louks · GitHub · 94484873 · 3e52a0db · 3e52a0db
Unverified Commit 3e52a0db authored 2 years ago by David Louks Committed by GitHub 2 years ago
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -113,3 +113,10 @@ no_proxy_exclude_workers: false
 # sysctl_file_path to add sysctl conf to
 # sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+kube_webhook_token_auth: false
+kube_webhook_token_auth_url_skip_tls_verify: false
+# kube_webhook_token_auth_url: https://...
+## base64-encoded string of the webhook's CA certificate
+# kube_webhook_token_auth_ca_data: "LS0t..."
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -111,13 +111,17 @@ kube_api_runtime_config: []
 ## Enable/Disable Kube API Server Authentication Methods
 kube_token_auth: false
 kube_oidc_auth: false
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 kube_webhook_token_auth: false
 kube_webhook_token_auth_url_skip_tls_verify: false
-## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 # kube_webhook_token_auth_url: https://...
-kube_webhook_authorization: false
+## base64-encoded string of the webhook's CA certificate
+# kube_webhook_token_auth_ca_data: "LS0t..."
 ## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
 # kube_webhook_authorization_url: https://...
+kube_webhook_authorization: false
 kube_webhook_authorization_url_skip_tls_verify: false

--- a/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/webhook-token-auth-config.yaml.j2
@@ -4,6 +4,9 @@ clusters:
  cluster:
    server: {{ kube_webhook_token_auth_url }}
    insecure-skip-tls-verify: {{ kube_webhook_token_auth_url_skip_tls_verify }}
+{% if kube_webhook_token_auth_ca_data is defined %}
+    certificate-authority-data: {{ kube_webhook_token_auth_ca_data }}
+{% endif %}
 # users refers to the API server's webhook configuration.
 users: