From d1f58fed4c9a93c010fb3209decf4d764b72c8af Mon Sep 17 00:00:00 2001
From: Dann Bohn <djb44@psu.edu>
Date: Fri, 14 Jul 2017 09:27:20 -0400
Subject: [PATCH] Template out known_users.csv, optionally add groups

---
 inventory/group_vars/k8s-cluster.yml                  | 3 +++
 roles/kubernetes/secrets/tasks/main.yml               | 6 ++----
 roles/kubernetes/secrets/templates/known_users.csv.j2 | 3 +++
 3 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 roles/kubernetes/secrets/templates/known_users.csv.j2

diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index 65a8661d0..16ae6490e 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -39,6 +39,7 @@ kube_cert_group: kube-cert
 kube_log_level: 2
 
 # Users to create for basic auth in Kubernetes API via HTTP
+# Optionally add groups for user
 kube_api_pwd: "changeme"
 kube_users:
   kube:
@@ -47,6 +48,8 @@ kube_users:
   root:
     pass: "{{kube_api_pwd}}"
     role: admin
+    # groups:
+    #   - system:masters
 
 
 
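Review bot: The commented example offers `system:masters` as the group to add without saying what it confers: on an RBAC-enabled cluster that group is bound to `cluster-admin` by the API server's bootstrap ClusterRoleBinding, which the server re-creates on startup, so a basic-auth user listed with it has unrestricted access regardless of any Role/RoleBinding written later and the grant cannot be durably revoked through RBAC. Given that this sits beside the shipped `kube_api_pwd: "changeme"` default, the example should carry that warning, e.g. `# groups: optional list of Kubernetes groups for this user` / `# NOTE: system:masters is bound to cluster-admin by the API server itself; reserve it for break-glass accounts`. A less privileged group would make a safer default hint than `system:masters`.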
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index fb4c38f38..5f55b775b 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -27,12 +27,10 @@
     group: "{{ kube_cert_group }}"
 
 - name: Populate users for basic auth in API
-  lineinfile:
+  template:
+    src: known_users.csv.j2
     dest: "{{ kube_users_dir }}/known_users.csv"
-    create: yes
-    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
     backup: yes
-  with_dict: "{{ kube_users }}"
   when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
   notify: set secret_changed
 
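Review bot: The new `template` task writes cleartext API passwords to `known_users.csv` without `owner`, `group` or `mode`, so the file takes the target's default umask (commonly 0644) and is readable by every local account on the master; the task just above it (its `group: "{{ kube_cert_group }}"` line is visible at the top of the hunk) already restricts its output, and this one should match. Add `group: "{{ kube_cert_group }}"` and `mode: "0640"` to the template arguments. Note also that `backup: yes` leaves timestamped copies of previous password files next to the live one, so rotated credentials persist on disk until something prunes them — worth a comment on the task, or a follow-up that removes old backups. The `when:` line wraps `groups['kube-master']` in Jinja braces inside a conditional, which Ansible warns about, but that line predates this change.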
diff --git a/roles/kubernetes/secrets/templates/known_users.csv.j2 b/roles/kubernetes/secrets/templates/known_users.csv.j2
new file mode 100644
index 000000000..3e792c52b
--- /dev/null
+++ b/roles/kubernetes/secrets/templates/known_users.csv.j2
@@ -0,0 +1,3 @@
+{% for user in kube_users %}
+{{kube_users[user].pass}},{{user}},{{kube_users[user].role}}{% if kube_users[user].groups is defined %},{% set groups_csv = kube_users[user].groups|join(',') -%}"{{groups_csv}}"{% endif %}
+{% endfor %}
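Review bot: The password and user-name columns on the second line are emitted unquoted, so a value containing a comma or a double quote shifts the remaining fields and silently changes which column the API server reads as user name, user id and group list — only the group column is quoted. Since the basic-auth file is consumed as CSV, either quote those fields too, e.g. `"{{ kube_users[user].pass | replace('"', '""') }}","{{ user }}",{{ kube_users[user].role }}` (assuming the server's CSV reader accepts `""`-escaped quoted fields, which standard readers do), or reject such values with an `assert` task before templating. A `groups` key set to an empty list still passes the `is defined` test and yields a trailing `,""`; `{% if kube_users[user].groups | default([]) | length > 0 %}` avoids writing an empty group. The third column carries `role`, which the basic-auth file format treats as the user id rather than an authorization role — that mapping predates this change but deserves a comment in the template so readers do not expect it to grant anything.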
-- 
GitLab