kubespray/roles/kubernetes/secrets/tasks/main.yml

---
- import_tasks: check-certs.yml
  tags:
    - k8s-secrets
    - facts

- import_tasks: check-tokens.yml
  tags:
    - k8s-secrets
    - facts

- name: Make sure the certificate directory exits
  file:
    path: "{{ kube_cert_dir }}"
    state: directory
    mode: o-rwx
    group: "{{ kube_cert_group }}"

- name: Make sure the tokens directory exits
  file:
    path: "{{ kube_token_dir }}"
    state: directory
    mode: o-rwx
    group: "{{ kube_cert_group }}"

#
# The following directory creates make sure that the directories
# exist on the first master for cases where the first master isn't
# being run.
#
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})"
  file:
    path: "{{ kube_config_dir }}"
    state: directory
    owner: kube
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_certs|default(false) or gen_tokens|default(false)
  tags:
    - kubelet
    - k8s-secrets
    - kube-controller-manager
    - kube-apiserver
    - bootstrap-os
    - apps
    - network
    - master
    - node

- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
  file:
    path: "{{ kube_script_dir }}"
    state: directory
    owner: kube
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_certs|default(false) or gen_tokens|default(false)
  tags:
    - k8s-secrets
    - bootstrap-os

- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
  file:
    path: "{{ kube_token_dir }}"
    state: directory
    mode: o-rwx
    group: "{{ kube_cert_group }}"
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_tokens|default(false)

- include_tasks: "gen_certs_{{ cert_management }}.yml"
  tags:
    - k8s-secrets

- import_tasks: upd_ca_trust.yml
  tags:
    - k8s-secrets

- name: "Gen_certs | Get certificate serials on kube masters"
  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
  register: "master_certificate_serials"
  changed_when: false
  with_items:
    - "admin-{{ inventory_hostname }}.pem"
    - "apiserver.pem"
    - "kube-controller-manager.pem"
    - "kube-scheduler.pem"
  when: inventory_hostname in groups['kube-master']

- name: "Gen_certs | set kube master certificate serial facts"
  set_fact:
    etcd_admin_cert_serial: "{{ master_certificate_serials.results[0].stdout|default() }}"
    apiserver_cert_serial: "{{ master_certificate_serials.results[1].stdout|default() }}"
    controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
    scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
  when: inventory_hostname in groups['kube-master']

- name: "Gen_certs | Get certificate serials on kube nodes"
  shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
  register: "node_certificate_serials"
  changed_when: false
  with_items:
    - "node-{{ inventory_hostname }}.pem"
    - "kube-proxy-{{ inventory_hostname }}.pem"
  when: inventory_hostname in groups['k8s-cluster']

- name: "Gen_certs | set kube node certificate serial facts"
  set_fact:
    kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
    kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
  when: inventory_hostname in groups['k8s-cluster']

- import_tasks: gen_tokens.yml
  tags:
    - k8s-secrets