  1. ---
  2. - include_tasks: sync_etcd_master_certs.yml
  3. when: inventory_hostname in groups.etcd
  4. tags:
  5. - etcd-secrets
  6. - include_tasks: sync_etcd_node_certs.yml
  7. when: inventory_hostname in etcd_node_cert_hosts
  8. tags:
  9. - etcd-secrets
  10. # Issue master certs to Etcd nodes
  11. - include_tasks: ../../vault/tasks/shared/issue_cert.yml
  12. vars:
  13. issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
  14. issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
  15. issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
  16. issue_cert_file_group: "{{ etcd_cert_group }}"
  17. issue_cert_file_owner: kube
  18. issue_cert_hosts: "{{ groups.etcd }}"
  19. issue_cert_ip_sans: >-
  20. [
  21. {%- for host in groups.etcd -%}
  22. "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
  23. {%- if hostvars[host]['ip'] is defined -%}
  24. "{{ hostvars[host]['ip'] }}",
  25. {%- endif -%}
  26. {%- endfor -%}
  27. {%- for cert_alt_ip in etcd_cert_alt_ips -%}
  28. "{{ cert_alt_ip }}",
  29. {%- endfor -%}
  30. "127.0.0.1","::1"
  31. ]
  32. issue_cert_path: "{{ item }}"
  33. issue_cert_role: etcd
  34. issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  35. issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
  36. with_items: "{{ etcd_master_certs_needed|d([]) }}"
  37. when: inventory_hostname in groups.etcd
  38. notify: set etcd_secret_changed
  39. # Issue node certs to everyone else
  40. - include_tasks: ../../vault/tasks/shared/issue_cert.yml
  41. vars:
  42. issue_cert_common_name: "etcd:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
  43. issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
  44. issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}"
  45. issue_cert_file_group: "{{ etcd_cert_group }}"
  46. issue_cert_file_owner: kube
  47. issue_cert_hosts: "{{ etcd_node_cert_hosts }}"
  48. issue_cert_ip_sans: >-
  49. [
  50. {%- for host in etcd_node_cert_hosts -%}
  51. "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
  52. {%- if hostvars[host]['ip'] is defined -%}
  53. "{{ hostvars[host]['ip'] }}",
  54. {%- endif -%}
  55. {%- endfor -%}
  56. "127.0.0.1","::1"
  57. ]
  58. issue_cert_path: "{{ item }}"
  59. issue_cert_role: etcd
  60. issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  61. issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
  62. with_items: "{{ etcd_node_certs_needed|d([]) }}"
  63. when: inventory_hostname in etcd_node_cert_hosts
  64. notify: set etcd_secret_changed
  65. - name: gen_certs_vault | ensure file permissions
  66. shell: >-
  67. find {{etcd_cert_dir }} -type d -exec chmod 0755 {} \; &&
  68. find {{etcd_cert_dir }} -type f -exec chmod 0640 {} \;
  69. changed_when: false