add ability to configure ACE in downstream / #104

inventory/sample/group_vars/rke2_servers.yml

@@ -51,3 +51,11 @@ rke2_config: {}
 # Add a pod security admission config file by specifying the file path on the control host
 # Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored
 # pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
+
+# See https://ranchermanager.docs.rancher.com/v2.6/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/register-existing-clusters#authorized-cluster-endpoint-support-for-rke2-and-k3s-clusters
+# Authorized Cluster Endpoint Support for RKE2
+# Warning: You must also set:
+# # rke2_config:
+# #    kube-apiserver-arg:
+# #      - authentication-token-webhook-config-file=/var/lib/rancher/rke2/kube-api-authn-webhook.yaml
+# kube_api_authn_webhook_file_path: "{{ playbook_dir }}/sample_files/kube-api-authn-webhook.yaml"

roles/rke2_server/tasks/add-kube-api-authn-webhook.yaml

@@ -0,0 +1,45 @@
+---
+- name: Create the /var/lib/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /var/lib/rancher/rke2
+    state: directory
+    recurse: yes
+
+- name: Add config file
+  vars:
+    file_contents: "{{ lookup('file', kube_api_authn_webhook_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
+    dest: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+    mode: '0640'
+    owner: root
+    group: root
+  when:
+    - kube_api_authn_webhook_file_path is defined
+    - kube_api_authn_webhook_file_path|length != 0
+  notify: Restart rke2-server
+
+- name: Remove config file
+  when:
+    - kube_api_authn_webhook_file_path is not defined or kube_api_authn_webhook_file_path|length == 0
+  block:
+    - name: Check that the config file exists
+      ansible.builtin.stat:
+        path: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+      register: stat_result
+
+    - name: "Check that the config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: Remove the config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/var/lib/rancher/rke2/kube-api-authn-webhook.yaml"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false

sample_files/kube-api-authn-webhook.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+  - name: Default
+    cluster:
+      insecure-skip-tls-verify: true
+      server: http://127.0.0.1:6440/v1/authenticate
+users:
+  - name: Default
+    user:
+      insecure-skip-tls-verify: true
+current-context: webhook
+contexts:
+  - name: webhook
+    context:
+      user: Default
+      cluster: Default