026da060f2
It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding or removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentication is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
---
|
|
- name: "Check_tokens | check if the tokens have already been generated on first master"
|
|
stat:
|
|
path: "{{ kube_token_dir }}/known_tokens.csv"
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
register: known_tokens_master
|
|
run_once: true
|
|
|
|
- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
|
|
set_fact:
|
|
sync_tokens: false
|
|
gen_tokens: false
|
|
|
|
- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
|
|
set_fact:
|
|
gen_tokens: true
|
|
when: not known_tokens_master.stat.exists and kube_token_auth|default(true)
|
|
run_once: true
|
|
|
|
- name: "Check tokens | check if a cert already exists"
|
|
stat:
|
|
path: "{{ kube_cert_dir }}/ca.pem"
|
|
register: known_tokens
|
|
|
|
- name: "Check_tokens | Set 'sync_tokens' to true"
|
|
set_fact:
|
|
sync_tokens: true
|
|
when: >-
|
|
{%- set tokens = {'sync': False} -%}
|
|
{%- for server in groups['kube-master'] | intersect(play_hosts)
|
|
if (not hostvars[server].known_tokens.stat.exists) or
|
|
(hostvars[server].known_tokens.stat.checksum != known_tokens_master.stat.checksum|default('')) -%}
|
|
{%- set _ = tokens.update({'sync': True}) -%}
|
|
{%- endfor -%}
|
|
{{ tokens.sync }}
|
|
run_once: true
|
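Review bot: The per-host stat at `path: "{{ kube_cert_dir }}/ca.pem"` is registered as `known_tokens`, and in the final `when` its checksum is compared against `known_tokens_master.stat.checksum`, which was taken from `known_tokens.csv` on the first master; the two files can never match, so `sync_tokens` is forced to true on every run where both exist. The stat path should presumably be `path: "{{ kube_token_dir }}/known_tokens.csv"` so the comparison is file-for-file; whether this line predates the commit is not visible on this page. Separately, only the `gen_tokens: true` task is gated on `kube_token_auth|default(true)`, while the final `sync_tokens: true` task is not, so with token auth disabled the token file can still be flagged for distribution to the other masters; changing the last line of that Jinja block to `{{ tokens.sync and kube_token_auth|default(true) }}` would keep the two flags consistent. The task named `Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true` now sets only `gen_tokens`, so its name should drop `'sync_tokens' and`.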