diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index 65a8661d0..16ae6490e 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -39,6 +39,7 @@ kube_cert_group: kube-cert
 kube_log_level: 2
 
 # Users to create for basic auth in Kubernetes API via HTTP
+# Optionally add groups for user
 kube_api_pwd: "changeme"
 kube_users:
   kube:
@@ -47,6 +48,8 @@ kube_users:
   root:
     pass: "{{kube_api_pwd}}"
     role: admin
+    # groups:
+    #   - system:masters
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index fb4c38f38..5f55b775b 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -27,12 +27,10 @@
     group: "{{ kube_cert_group }}"
 
 - name: Populate users for basic auth in API
-  lineinfile:
+  template:
+    src: known_users.csv.j2
     dest: "{{ kube_users_dir }}/known_users.csv"
-    create: yes
-    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
     backup: yes
-  with_dict: "{{ kube_users }}"
   when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
   notify: set secret_changed
diff --git a/roles/kubernetes/secrets/templates/known_users.csv.j2 b/roles/kubernetes/secrets/templates/known_users.csv.j2
new file mode 100644
index 000000000..3e792c52b
--- /dev/null
+++ b/roles/kubernetes/secrets/templates/known_users.csv.j2
@@ -0,0 +1,3 @@
+{% for user in kube_users %}
+{{kube_users[user].pass}},{{user}},{{kube_users[user].role}}{% if kube_users[user].groups is defined %},{% set groups_csv = kube_users[user].groups|join(',') -%}"{{groups_csv}}"{% endif %}
+{% endfor %}
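Review bot: The commented-out example `#   - system:masters` under the `root` user gives no warning that this group is treated by the Kubernetes API server as always-authorized, bypassing RBAC, so anyone who uncomments it hands full cluster-admin to a basic-auth account whose password still defaults to `"changeme"` a few lines above. I'd make the new comment say that, for example `# Optional: extra groups for the user (written as the 4th, quoted column of the basic-auth file). system:masters bypasses RBAC entirely; reserve it for break-glass accounts.` The bypass behaviour is Kubernetes semantics rather than anything visible in this file, so worth confirming against the API server version in use.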
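Review bot: The new `template:` task writes a file holding every basic-auth password in clear text but sets no `owner`, `group` or `mode`, so `known_users.csv` is created with the remote umask default (typically 0644, world-readable); the replaced `lineinfile` task had the same gap, and this rewrite is the natural place to close it. The task just above in the hunk already uses `group: "{{ kube_cert_group }}"`, so I'd add `group: "{{ kube_cert_group }}"` and `mode: "0640"` under `template:` (owner too, if the role has a fixed one). `backup: yes` also leaves timestamped copies of previous credential files next to the live one, each retaining old passwords — confirm that is wanted or prune them. Minor: `backup: yes` → `backup: true` to avoid YAML 1.1 truthy spelling.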
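Review bot: The fields on the second line of the template are emitted unescaped, so a password, user name or group containing `,` or `"` silently shifts the CSV columns, and the password is the first field and the one most likely to contain such characters. If this file is consumed as CSV (the quoted groups column suggests it is), every field should be double-quoted with embedded quotes doubled, e.g. `"{{ kube_users[user].pass | string | replace('"', '""') }}"`, and likewise for `user`, `role` and each element of `groups` before the `join`. I'd also add a one-line comment at the top naming the column layout, since `role` lands in the third column — which, if this feeds the API server's basic-auth file, is the uid, not a role — and that is not obvious from the variable name. Note the `{% for %}`/`{% endfor %}` lines only stay newline-free because the Ansible template module trims blocks by default; worth a comment if the template is ever rendered elsewhere.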