From 36015084c83b06539e81ac5b71178d5ca41dd803 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 23 Jul 2025 10:50:24 -0500
Subject: [PATCH] ansible: Allow host-provisioner to read root CA The Kubernetes root CA certificate is stored in a ConfigMap named `kube-root-ca.crt` in every namespace. The _host-provisioner_ needs to be able to read this ConfigMap in order to prepare control plane nodes, as it is used by HAProxy to check the health of the API servers running on each node.
---
 ansible/rbac.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ansible/rbac.yaml b/ansible/rbac.yaml
index 7cc3e46..63d5148 100644
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
@@ -54,6 +54,7 @@ rules:
 - get
 resourceNames:
 - cluster-info
+ - kube-root-ca.crt
 ---
 apiVersion: rbac.authorization.k8s.io/v1