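---
# Tasks to set up roles and role bindings for certificate access.
#
# Inputs (all expected to be defined by the caller):
#   role_name, rolebinding_name        - names of the Role/RoleBinding pair to manage
#   certificate_namespace              - namespace holding the certificate Secret
#   certificate_secret_name            - Secret name (defaults to certificate_name + '-tls')
#   router_service_account, router_namespace - the subject that is granted access
#   k8s_auth_params.kubeconfig, k8s_auth_params.validate_certs - API connection settings
#
# A RoleBinding's roleRef is immutable, so a binding whose roleRef no longer
# matches the intended Role has to be deleted before it can be re-created.
# The delete is only performed in that case; otherwise `state: present` updates
# the existing binding in place, which keeps the subject's access uninterrupted
# on reruns and keeps the tasks idempotent.

- name: Create read-only role for certificates
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: "{{ role_name }}"
        namespace: "{{ certificate_namespace }}"
      rules:
        # Scoped to the single certificate Secret. RBAC only honours
        # resourceNames for "list"/"watch" when the request carries a
        # metadata.name field selector; an unfiltered list/watch against this
        # Role alone is denied, which is why the broader "-list" Role below exists.
        - apiGroups: [""]
          resources: ["secrets"]
          resourceNames: ["{{ certificate_secret_name | default(certificate_name + '-tls') }}"]
          verbs: ["get", "watch", "list"]
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Role that allows listing all Secrets in the namespace (no resourceNames
# restriction). Note for reviewers: a "list" on Secrets returns the full
# objects, including their data, for every Secret in certificate_namespace,
# so this grants the subject read access to all Secrets in that namespace,
# not just the certificate. Keep certificate_namespace dedicated to this
# purpose, or have the consumer list with a metadata.name field selector so
# that this Role can be dropped.
- name: Create role for listing secrets
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: "{{ role_name }}-list"
        namespace: "{{ certificate_namespace }}"
      rules:
        - apiGroups: [""]
          resources: ["secrets"]
          verbs: ["list", "watch"]
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# k8s_info returns an empty `resources` list when the object does not exist,
# so a failure here is a genuine API/auth error and should stop the play
# rather than be ignored.
- name: Check if RoleBinding already exists
  kubernetes.core.k8s_info:
    api_version: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    name: "{{ rolebinding_name }}"
    namespace: "{{ certificate_namespace }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: existing_rolebinding

# Only delete when the existing binding points at a different roleRef;
# roleRef cannot be changed by an update, everything else can.
- name: Delete existing RoleBinding if its roleRef differs
  kubernetes.core.k8s:
    state: absent
    api_version: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    name: "{{ rolebinding_name }}"
    namespace: "{{ certificate_namespace }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when:
    - existing_rolebinding.resources | default([]) | length > 0
    - existing_rolebinding.resources[0].roleRef.kind != 'Role' or existing_rolebinding.resources[0].roleRef.name != role_name

# Create binding for the first role
- name: Create RoleBinding for service account
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: "{{ rolebinding_name }}"
        namespace: "{{ certificate_namespace }}"
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: "{{ role_name }}"
      subjects:
        - kind: ServiceAccount
          name: "{{ router_service_account }}"
          namespace: "{{ router_namespace }}"
        # Same principal as the ServiceAccount subject above, expressed as a
        # User name; harmless duplicate, kept for compatibility with the
        # existing bindings.
        - kind: User
          name: "system:serviceaccount:{{ router_namespace }}:{{ router_service_account }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Check if list RoleBinding already exists (see the note on the first check)
- name: Check if list RoleBinding already exists
  kubernetes.core.k8s_info:
    api_version: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    name: "{{ rolebinding_name }}-list"
    namespace: "{{ certificate_namespace }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: existing_list_rolebinding

# Delete the existing list RoleBinding only if its roleRef differs
- name: Delete existing list RoleBinding if its roleRef differs
  kubernetes.core.k8s:
    state: absent
    api_version: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    name: "{{ rolebinding_name }}-list"
    namespace: "{{ certificate_namespace }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when:
    - existing_list_rolebinding.resources | default([]) | length > 0
    - existing_list_rolebinding.resources[0].roleRef.kind != 'Role' or existing_list_rolebinding.resources[0].roleRef.name != role_name ~ '-list'

# Create binding for the list role
- name: Create RoleBinding for list role
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: "{{ rolebinding_name }}-list"
        namespace: "{{ certificate_namespace }}"
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: "{{ role_name }}-list"
      subjects:
        - kind: ServiceAccount
          name: "{{ router_service_account }}"
          namespace: "{{ router_namespace }}"
        # Same principal as the ServiceAccount subject above (see first binding).
        - kind: User
          name: "system:serviceaccount:{{ router_namespace }}:{{ router_service_account }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"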