Address PR feedback.

* Consolidate variable definitions to `kargo-defaults`.
* Set `AlwaysAllow` as the default authorization mode.
* Ability to set multiple authorization modes.
* Various style fixes and typos

roles/kargo-defaults/defaults/main.yaml

@@ -114,3 +114,9 @@ vault_deployment_type: docker
 k8s_image_pull_policy: IfNotPresent
 efk_enabled: false
 enable_network_policy: false
+
+## List of authorization plugins that must be configured for
+## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported
+## at the moment.
+authorization_mode: ['AlwaysAllow']
+rbac_enabled: "{{ 'RBAC' in authorization_mode }}"

roles/kubernetes-apps/ansible/defaults/main.yml

@@ -41,10 +41,9 @@ netchecker_server_memory_requests: 64M
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
 
-# RBAC
-rbac_resources:
+# RBAC specific resources that will be ignored when RBAC is not enabled.
+apiserver_rbac_resources:
   - clusterrole,
   - clusterrolebinding,
   - sa
-
-rbac_enabled: "{{ authorization_mode == 'RBAC' }}"
+  - serviceaccount

roles/kubernetes-apps/ansible/tasks/main.yml

@@ -21,7 +21,7 @@
     - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
     - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
   register: manifests
-  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in rbac_resources or rbac_enabled)
+  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled)
   tags: dnsmasq
 
 - name: Kubernetes Apps | Start Resources

roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml

@@ -24,4 +24,4 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: cluster-proportional-autoscaler
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml

@@ -114,7 +114,6 @@ spec:
         - containerPort: 8080
           protocol: TCP
       dnsPolicy: Default  # Don't use cluster DNS.
-{% if authorization_mode is defined and authorization_mode == "RBAC" %}
-      serviceAccount: kube-dns
+{% if rbac_enabled %}
       serviceAccountName: kube-dns
-{% endif %}
+{% endif %}

roles/kubernetes-apps/helm/defaults/main.yml

@@ -2,5 +2,3 @@ helm_enabled: false
 
 # specify a dir and attach it to helm for HELM_HOME.
 helm_home_dir: "/root/.helm"
-
-rbac_enabled: "{{ authorization_mode == 'RBAC' }}"

roles/kubernetes/master/defaults/main.yml

@@ -66,4 +66,3 @@ controller_mgr_custom_flags: []
 
 scheduler_custom_flags: []
 
-authorization_mode: RBAC

roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@@ -82,7 +82,7 @@ spec:
     - --anonymous-auth={{ kube_api_anonymous_auth }}
 {% endif %}
 {% if authorization_mode %}
-    - --authorization-mode={{ authorization_mode }}
+    - --authorization-mode={{ authorization_mode|join(',') }}
 {% endif %}
 {% if apiserver_custom_flags is string %}
     - {{ apiserver_custom_flags }}
@@ -127,4 +127,4 @@ spec:
   - hostPath:
       path: /etc/ssl/certs/ca-bundle.crt
     name: rhel-ca-bundle
-{% endif %}
+{% endif %}

roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2

@@ -35,7 +35,7 @@ spec:
     - --node-monitor-period={{ kube_controller_node_monitor_period }}
     - --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
     - --v={{ kube_log_level }}
-{% if authorization_mode is defined and authorization_mode == "RBAC" %}
+{% if rbac_enabled %}
     - --use-service-account-credentials
 {% endif %}
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}

roles/kubernetes/secrets/tasks/check-certs.yml

@@ -10,8 +10,8 @@
 
 - name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed'  to false"
   set_fact:
-    sync_certs: true
-    gen_certs: true
+    sync_certs: false
+    gen_certs: false
     secret_changed: false
 
 - name: "Check certs | check if a cert already exists on node"