reactive/kubernetes_master.py

@@ -287,6 +287,9 @@ def configure_cni(cni):
     cni.set_config(is_master=True, kubeconfig_path='')
 
 
+# Webhook configuration file
+webhook_config_path = '/root/cdk/webhook.kubeconfig'
+
 @when('leadership.is_leader')
 @when_not('authentication.setup')
 def setup_leader_authentication():
@@ -328,13 +331,11 @@ def setup_leader_authentication():
     leader_set(leader_data)
 
     # configure webhook authentication
-    webhook_config_path = '/root/cdk/webhook.kubeconfig'
     auth_mode = hookenv.config('authorization-mode')
     if 'Webhook' in re.split('[,\s]+', auth_mode):
         # Render the webhook configuration from the webhook.kubeconfig template
         webhook_context = {} # template parameters
         render('webhook.kubeconfig', webhook_config_path, webhook_context)
-        api_opts['authentication-token-webhook-config-file'] = webhook_config_path
     else:
         remove_if_exists(webhook_config_path)
                     
@@ -1315,6 +1316,11 @@ def configure_apiserver(etcd_connection_string):
     else:
         remove_if_exists(audit_webhook_config_path)
 
+    # Webhook config
+    auth_mode = hookenv.config('authorization-mode')
+    if 'Webhook' in re.split('[,\s]+', auth_mode):
+        api_opts['authorization-webhook-config-file'] = webhook_config_path
+
     configure_kubernetes_service('kube-apiserver', api_opts, 'api-extra-args')
     restart_apiserver()