From 3619026ee8343c13ce236b35cd2192521bed3550 Mon Sep 17 00:00:00 2001
From: Mike DAmato
Date: Wed, 22 May 2024 18:16:00 -0400
Subject: [PATCH] add ability to configure ACE in downstream / #104

---
 inventory/sample/group_vars/rke2_servers.yml | 8 ++++
 .../tasks/add-kube-api-authn-webhook.yaml | 45 +++++++++++++++++++
 sample_files/kube-api-authn-webhook.yaml | 18 ++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 roles/rke2_server/tasks/add-kube-api-authn-webhook.yaml
 create mode 100644 sample_files/kube-api-authn-webhook.yaml

diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml
index d451b625..9c80f93d 100644
--- a/inventory/sample/group_vars/rke2_servers.yml
+++ b/inventory/sample/group_vars/rke2_servers.yml
@@ -51,3 +51,11 @@ rke2_config: {}
 # Add a pod security admission config file by specifying the file path on the control host
 # Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored
 # pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
+
+# See https://ranchermanager.docs.rancher.com/v2.6/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/register-existing-clusters#authorized-cluster-endpoint-support-for-rke2-and-k3s-clusters
+# Authorized Cluster Endpoint Support for RKE2
+# Warning: You must also set:
+# # rke2_config:
+# # kube-apiserver-arg:
+# # - authentication-token-webhook-config-file=/var/lib/rancher/rke2/kube-api-authn-webhook.yaml
+# kube_api_authn_webhook_file_path: "{{ playbook_dir }}/sample_files/kube-api-authn-webhook.yaml"
\ No newline at end of file
diff --git a/roles/rke2_server/tasks/add-kube-api-authn-webhook.yaml b/roles/rke2_server/tasks/add-kube-api-authn-webhook.yaml
new file mode 100644
index 00000000..93c7ec35
--- /dev/null
+++ b/roles/rke2_server/tasks/add-kube-api-authn-webhook.yaml
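Review bot: The added instructions tell the reader to set `rke2_config:` with a `kube-apiserver-arg:` list, but this same file already declares `rke2_config: {}` (the hunk's context line), and a second top-level `rke2_config:` key would silently replace the first on most YAML parsers; the comment should direct the reader to edit the existing entry, e.g. `# Warning: You must also extend the rke2_config entry above with:`. The new last line also drops the trailing newline (`\ No newline at end of file`), which yamllint's new-line-at-end-of-file rule flags; end the file with a newline. The nested `kube-apiserver-arg:` example lines appear flattened in this view — if the committed text really has no indentation, restore it so the snippet can be copied as-is.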
@@ -0,0 +1,45 @@
+---
+- name: Create the /var/lib/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /var/lib/rancher/rke2
+    state: directory
+    recurse: yes
+
+- name: Add config file
+  vars:
+    file_contents: "{{ lookup('file', kube_api_authn_webhook_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
+    dest: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+    mode: '0640'
+    owner: root
+    group: root
+  when:
+    - kube_api_authn_webhook_file_path is defined
+    - kube_api_authn_webhook_file_path|length != 0
+  notify: Restart rke2-server
+
+- name: Remove config file
+  when:
+    - kube_api_authn_webhook_file_path is not defined or kube_api_authn_webhook_file_path|length == 0
+  block:
+    - name: Check that the config file exists
+      ansible.builtin.stat:
+        path: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+      register: stat_result
+
+    - name: "Check that the config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+        check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: Remove the config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false
diff --git a/sample_files/kube-api-authn-webhook.yaml b/sample_files/kube-api-authn-webhook.yaml
new file mode 100644
index 00000000..c176c085
--- /dev/null
+++ b/sample_files/kube-api-authn-webhook.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+  - name: Default
+    cluster:
+      insecure-skip-tls-verify: true
+      server: http://127.0.0.1:6440/v1/authenticate
+users:
+  - name: Default
+    user:
+      insecure-skip-tls-verify: true
+current-context: webhook
+contexts:
+  - name: webhook
+    context:
+      user: Default
+      cluster: Default
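Review bot: Nothing in this commit includes the new task file from the role's task list — the diffstat names only the three files shown, so unless an existing dynamic include already picks up files under roles/rke2_server/tasks/ (not visible here) these tasks never execute; an `- ansible.builtin.include_tasks: add-kube-api-authn-webhook.yaml` entry in the role's main task file (path assumed) is needed. In the first task, `recurse: yes` with no owner or mode given makes the file module walk the whole /var/lib/rancher/rke2 data directory on every run to apply nothing; `state: directory` alone creates the path, so drop `recurse`. The "Remove config file" block does not `notify: Restart rke2-server` the way the add task does, so a removal is not picked up until something else restarts the service. Style: `recurse: yes` and `check_mode: yes` should be `true` per ansible-lint's truthy rule.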
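Review bot: This sample kubeconfig carries no comment explaining why `insecure-skip-tls-verify: true` and a plain `http://127.0.0.1:6440` endpoint are acceptable, which invites a future reader to either "harden" it or widen it blindly; a header comment such as `# Rancher's published ACE webhook config: kube-apiserver forwards bearer tokens to a loopback-only listener, so TLS is not in play here — never point this at a non-loopback address without switching to https` would pin the intent. Note also that `insecure-skip-tls-verify` is a `clusters[].cluster` field in the kubeconfig schema; the copy under `users[].user` is, as far as I can tell, not a recognised user field and is ignored, so either drop it or document that it is carried over from the upstream sample on purpose.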