Configure API server with the CA bundle

kubernetes-sigs · Apr 7, 2022 · dbb2e2b · dbb2e2b
1 parent f195d58
commit dbb2e2b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml
@@ -370,6 +370,21 @@
     - inventory_hostname in groups['kube_control_plane']
     - typha_enabled and calico_datastore == "kdd"
 
+- name: Calico | get calico apiserver caBundle
+  command: "{{ bin_dir }}/kubectl get secret -n calico-apiserver calico-apiserver-certs -o jsonpath='{.data.apiserver\\.crt}'"
+  changed_when: false
+  register: calico_apiserver_cabundle
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - calico_apiserver_enabled and calico_datastore == "kdd"
+
+- name: Calico | set calico apiserver caBundle fact
+  set_fact:
+    calico_apiserver_cabundle: "{{ calico_apiserver_cabundle.stdout }}"
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - calico_apiserver_enabled and calico_datastore == "kdd"
+
 - name: Calico | Create calico manifests for apiserver
   template:
     src: "{{ item.file }}.j2"

diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -118,6 +118,7 @@ metadata:
 spec:
   group: projectcalico.org
   groupPriorityMinimum: 1500
+  caBundle: {{ calico_apiserver_cabundle }}
   service:
     name: calico-api
     namespace: calico-apiserver