Add an ability to provide oidc cert in base64 (#4618)

This commit is contained in:
Sergey Kolekonov 2019-04-24 20:40:01 +04:00 committed by Kubernetes Prow Robot
parent 4d57ed314d
commit 4a10dca7d4
2 changed files with 15 additions and 1 deletions


@ -119,11 +119,14 @@ kube_webhook_token_auth: false
# kube_oidc_url: https:// ... # kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes # kube_oidc_client_id: kubernetes
## Optional settings for OIDC ## Optional settings for OIDC
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
# kube_oidc_username_claim: sub # kube_oidc_username_claim: sub
# kube_oidc_username_prefix: oidc: # kube_oidc_username_prefix: oidc:
# kube_oidc_groups_claim: groups # kube_oidc_groups_claim: groups
# kube_oidc_groups_prefix: oidc: # kube_oidc_groups_prefix: oidc:
# Copy oidc CA file to the following path if needed
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
# Optionally include a base64-encoded oidc CA cert
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication ## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
# kube_webhook_token_auth_url: https://... # kube_webhook_token_auth_url: https://...
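Review bot: The new comment block leaves `kube_oidc_ca_file` commented out, yet the task added in the kubeadm tasks file uses `{{ kube_oidc_ca_file }}` as `dest` and only gates on `kube_oidc_ca_cert is defined`, so a user who sets just the base64 value as the comment invites will hit an undefined-variable failure at the copy step. Either give `kube_oidc_ca_file` a real default here or make the comment state the dependency, e.g. `# Optionally include a base64-encoded oidc CA cert (PEM); requires kube_oidc_ca_file to be set as well`. The same point applies to the `when` list of the Install OIDC certificate task in the second file, which could add `- kube_oidc_ca_file is defined`. The example value `c3RhY2thYnVzZS5jb20...` reads as an arbitrary base64 string; noting that it must be the base64 of a PEM certificate would save a confusing apiserver startup failure.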


@ -10,6 +10,17 @@
import_tasks: kubeadm-migrate-certs.yml import_tasks: kubeadm-migrate-certs.yml
when: old_apiserver_cert.stat.exists when: old_apiserver_cert.stat.exists
- name: Install OIDC certificate
copy:
content: "{{ kube_oidc_ca_cert | b64decode }}"
dest: "{{ kube_oidc_ca_file }}"
owner: root
group: root
mode: "0644"
when:
- kube_oidc_auth
- kube_oidc_ca_cert is defined
- name: kubeadm | Check serviceaccount key - name: kubeadm | Check serviceaccount key
stat: stat:
path: "{{ kube_cert_dir }}/sa.key" path: "{{ kube_cert_dir }}/sa.key"
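Review bot: The copy task writes whatever `kube_oidc_ca_cert` decodes to straight into the apiserver's OIDC trust anchor without checking that the result is a certificate, so a truncated or mis-pasted value produces a file that only fails later when the apiserver reads it. The `copy` module's `validate` option can catch this at deploy time, e.g. `validate: "openssl x509 -noout -in %s"`, assuming openssl is present on the master as it is on most kubeadm hosts. A one-line comment above the task such as `# CA used by kube-apiserver to verify the OIDC issuer; kube_oidc_ca_file must point where the apiserver flag expects it` would also help, since the task name alone does not say what the file is for. The enclosing tasks file starts before this hunk and the task list continues after it.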