ea1f072c7e
It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentification is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
86 lines
2.5 KiB
YAML
86 lines
2.5 KiB
YAML
---
|
|
- include: check-certs.yml
|
|
tags: [k8s-secrets, facts]
|
|
|
|
- include: check-tokens.yml
|
|
tags: [k8s-secrets, facts]
|
|
|
|
- name: Make sure the certificate directory exits
|
|
file:
|
|
path: "{{ kube_cert_dir }}"
|
|
state: directory
|
|
mode: o-rwx
|
|
group: "{{ kube_cert_group }}"
|
|
|
|
- name: Make sure the tokens directory exits
|
|
file:
|
|
path: "{{ kube_token_dir }}"
|
|
state: directory
|
|
mode: o-rwx
|
|
group: "{{ kube_cert_group }}"
|
|
|
|
- name: Make sure the users directory exits
|
|
file:
|
|
path: "{{ kube_users_dir }}"
|
|
state: directory
|
|
mode: o-rwx
|
|
group: "{{ kube_cert_group }}"
|
|
|
|
- name: Populate users for basic auth in API
|
|
lineinfile:
|
|
dest: "{{ kube_users_dir }}/known_users.csv"
|
|
create: yes
|
|
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
|
|
backup: yes
|
|
with_dict: "{{ kube_users }}"
|
|
when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
|
|
notify: set secret_changed
|
|
|
|
#
|
|
# The following directory creates make sure that the directories
|
|
# exist on the first master for cases where the first master isn't
|
|
# being run.
|
|
#
|
|
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path: "{{ kube_config_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
|
|
when: gen_certs|default(false) or gen_tokens|default(false)
|
|
|
|
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path: "{{ kube_script_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
tags: [k8s-secrets, bootstrap-os]
|
|
when: gen_certs|default(false) or gen_tokens|default(false)
|
|
|
|
- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
|
|
file:
|
|
path: "{{ kube_token_dir }}"
|
|
state: directory
|
|
mode: o-rwx
|
|
group: "{{ kube_cert_group }}"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: gen_tokens|default(false)
|
|
|
|
- include: "gen_certs_{{ cert_management }}.yml"
|
|
tags: k8s-secrets
|
|
|
|
- include: sync_kube_master_certs.yml
|
|
when: cert_management == "vault" and inventory_hostname in groups['kube-master']
|
|
tags: k8s-secrets
|
|
|
|
- include: sync_kube_node_certs.yml
|
|
when: cert_management == "vault" and inventory_hostname in groups['k8s-cluster']
|
|
tags: k8s-secrets
|
|
|
|
- include: gen_tokens.yml
|
|
tags: k8s-secrets
|