From 4a10dca7d42654cd2008fb04a50acfda4fe11856 Mon Sep 17 00:00:00 2001
From: Sergey Kolekonov <skolekonov@mirantis.com>
Date: Wed, 24 Apr 2019 20:40:01 +0400
Subject: [PATCH] Add an ability to provide oidc cert in base64 (#4618)

---
 roles/kubernetes/master/defaults/main/main.yml  |  5 ++++-
 roles/kubernetes/master/tasks/kubeadm-setup.yml | 11 +++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
index 3109038e8..b2578e102 100644
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@@ -119,11 +119,14 @@ kube_webhook_token_auth: false
 # kube_oidc_url: https:// ...
 # kube_oidc_client_id: kubernetes
 ## Optional settings for OIDC
-# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
 # kube_oidc_username_claim: sub
 # kube_oidc_username_prefix: oidc:
 # kube_oidc_groups_claim: groups
 # kube_oidc_groups_prefix: oidc:
+# Copy oidc CA file to the following path if needed
+# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
+# Optionally include a base64-encoded oidc CA cert
+# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
 
 ## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
 # kube_webhook_token_auth_url: https://...
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index d2ed583fa..24c91d1be 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -10,6 +10,17 @@
   import_tasks: kubeadm-migrate-certs.yml
   when: old_apiserver_cert.stat.exists
 
+- name: Install OIDC certificate
+  copy:
+    content: "{{ kube_oidc_ca_cert | b64decode }}"
+    dest: "{{ kube_oidc_ca_file }}"
+    owner: root
+    group: root
+    mode: "0644"
+  when:
+    - kube_oidc_auth
+    - kube_oidc_ca_cert is defined
+
 - name: kubeadm | Check serviceaccount key
   stat:
     path: "{{ kube_cert_dir }}/sa.key"
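Review bot: The `dest: "{{ kube_oidc_ca_file }}"` line has no guard for the case where `kube_oidc_ca_cert` is set but `kube_oidc_ca_file` is not; the first hunk leaves `kube_oidc_ca_file` as a commented-out example in defaults, so the task would fail with an undefined-variable error instead of a clear message. Either add `- kube_oidc_ca_file is defined` to the `when` list (with a preceding `assert` explaining that both must be set together), or give `kube_oidc_ca_file` a real default in main.yml and state in its comment that it is where the decoded `kube_oidc_ca_cert` is written. A short task comment such as `# Writes the base64-decoded OIDC CA bundle to kube_oidc_ca_file; kube_oidc_ca_file must be set alongside kube_oidc_ca_cert` would also help readers connect the two variables. Whether the generated kubeadm config later references this path is not visible in the hunk.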
-- 
GitLab