kubespray/roles/kubernetes/secrets/tasks/main.yml

---
- include: check-certs.yml
  tags: [k8s-secrets, facts]
- include: check-tokens.yml
  tags: [k8s-secrets, facts]

- name: Make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: Make sure the tokens directory exits
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: Make sure the users directory exits
  file:
    path={{ kube_users_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: Populate users for basic auth in API
  lineinfile:
    dest: "{{ kube_users_dir }}/known_users.csv"
    create: yes
    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
    backup: yes
  with_dict: "{{ kube_users }}"
  when: inventory_hostname in "{{ groups['kube-master'] }}"
  notify: set secret_changed

#
# The following directory creates make sure that the directories
# exist on the first master for cases where the first master isn't
# being run.
#
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})"
  file:
    path: "{{ kube_config_dir }}"
    state: directory
    owner: kube
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node]
  when: gen_certs|default(false) or gen_tokens|default(false)

- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
  file:
    path: "{{ kube_script_dir }}"
    state: directory
    owner: kube
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  tags: [k8s-secrets, bootstrap-os]
  when: gen_certs|default(false) or gen_tokens|default(false)

- name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})"
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_tokens|default(false)

- include: gen_certs_script.yml
  when: cert_management == "script"
  tags: k8s-secrets

- include: sync_kube_master_certs.yml
  when: cert_management == "vault" and inventory_hostname in groups['kube-master']
  tags: k8s-secrets
- include: sync_kube_node_certs.yml
  when: cert_management == "vault" and inventory_hostname in groups['k8s-cluster']
  tags: k8s-secrets
- include: gen_certs_vault.yml
  when: cert_management == "vault"
  tags: k8s-secrets

- include: gen_tokens.yml
  tags: k8s-secrets