Add an ability to provide oidc cert in base64 (#4618)
parent
4d57ed314d
commit
4a10dca7d4
2 changed files with 15 additions and 1 deletions
|
@ -119,11 +119,14 @@ kube_webhook_token_auth: false
|
||||||
# kube_oidc_url: https:// ...
|
# kube_oidc_url: https:// ...
|
||||||
# kube_oidc_client_id: kubernetes
|
# kube_oidc_client_id: kubernetes
|
||||||
## Optional settings for OIDC
|
## Optional settings for OIDC
|
||||||
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
|
|
||||||
# kube_oidc_username_claim: sub
|
# kube_oidc_username_claim: sub
|
||||||
# kube_oidc_username_prefix: oidc:
|
# kube_oidc_username_prefix: oidc:
|
||||||
# kube_oidc_groups_claim: groups
|
# kube_oidc_groups_claim: groups
|
||||||
# kube_oidc_groups_prefix: oidc:
|
# kube_oidc_groups_prefix: oidc:
|
||||||
|
# Copy oidc CA file to the following path if needed
|
||||||
|
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
|
||||||
|
# Optionally include a base64-encoded oidc CA cert
|
||||||
|
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
|
||||||
|
|
||||||
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
|
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
|
||||||
# kube_webhook_token_auth_url: https://...
|
# kube_webhook_token_auth_url: https://...
|
||||||
|
|
|
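Review bot: The new comment block around `# kube_oidc_ca_cert` does not say that the value only takes effect together with `kube_oidc_ca_file`, which the copy task added in this commit uses as the destination, and the sample value `c3RhY2thYnVzZS5jb20...` is not base64 of a PEM certificate, so anyone pasting it gets an unusable CA file. Suggest rewording the two comment lines to `# Optionally include a base64-encoded PEM CA cert; it is written to kube_oidc_ca_file, which must also be set` and `# kube_oidc_ca_cert: "{{ lookup('file', 'oidc-ca.pem') | b64encode }}"` (or a clearly fake placeholder) so the relationship between the two variables is visible where users edit them.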
@ -10,6 +10,17 @@
|
||||||
import_tasks: kubeadm-migrate-certs.yml
|
import_tasks: kubeadm-migrate-certs.yml
|
||||||
when: old_apiserver_cert.stat.exists
|
when: old_apiserver_cert.stat.exists
|
||||||
|
|
||||||
|
- name: Install OIDC certificate
|
||||||
|
copy:
|
||||||
|
content: "{{ kube_oidc_ca_cert | b64decode }}"
|
||||||
|
dest: "{{ kube_oidc_ca_file }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0644"
|
||||||
|
when:
|
||||||
|
- kube_oidc_auth
|
||||||
|
- kube_oidc_ca_cert is defined
|
||||||
|
|
||||||
- name: kubeadm | Check serviceaccount key
|
- name: kubeadm | Check serviceaccount key
|
||||||
stat:
|
stat:
|
||||||
path: "{{ kube_cert_dir }}/sa.key"
|
path: "{{ kube_cert_dir }}/sa.key"
|
||||||
|
|
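Review bot: The new `Install OIDC certificate` task writes to `{{ kube_oidc_ca_file }}` but its `when` only checks `kube_oidc_ca_cert is defined`, so a user who sets the cert without also setting `kube_oidc_ca_file` (which is commented out in the sample vars) gets an undefined-variable failure instead of a clear message; add `- kube_oidc_ca_file is defined` to the condition or an explicit `assert` with a message. Nothing verifies that the decoded content is actually a PEM certificate, so a stray value (the sample value in the vars file decodes to plain text) is silently written to the CA path and only surfaces when the API server fails to start; an `assert` that `kube_oidc_ca_cert | b64decode` contains `-----BEGIN CERTIFICATE-----` before the copy would catch that early. The root ownership and `mode: "0644"` are appropriate for a public CA certificate and should stay as written. As a style point, the sibling tasks in this file are prefixed `kubeadm | `, so `- name: kubeadm | Install OIDC CA certificate` would match the file's convention.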