fixup! r/k8s-controller: Deploy HAProxy

2025-07-22 15:59:27 -05:00 · 2025-07-22 15:59:27 -05:00 · d43bc9fc48
parent da525b5c27
commit d43bc9fc48
2 changed files with 10 additions and 6 deletions
--- a/group_vars/k8s-controller.yml
+++ b/group_vars/k8s-controller.yml
@ -21,3 +21,12 @@ vrrp_instance:
    track_process {
        kube-apiserver
    }
+
+kube_root_ca_pem: >-
+  {{ lookup(
+    "kubernetes.core.k8s",
+    kind="ConfigMap",
+    namespace="default",
+    resource_name="kube-root-ca.crt"
+    ).data["ca.crt"]
+  }}
--- a/roles/k8s-controller/tasks/main.yml
+++ b/roles/k8s-controller/tasks/main.yml
@ -1,16 +1,11 @@
-# SELinux prevents HAProxy (haproxy_t) from reading the Kubernetes root
-# CA certificate file (kubernetes_file_t).  Changing the policy to
-# allow it would be overly permissive, so we make a private copy of the
-# file for HAproxy to use.
 - name: ensure haproxy has a copy of kubernetes ca certificate
  copy:
-    src: /etc/kubernetes/pki/ca.crt
    dest: /etc/haproxy/kube-root-ca.crt
+    content: '{{ kube_root_ca_pem }}'
    owner: root
    group: root
    mode: u=rw,go=r
    setype: etc_t
-    remote_src: true
  tags:
  - haproxy
  - ca-cert