

  1. ---
  2. - name: certs | write openssl config
  3. template:
  4. src: "openssl.conf.j2"
  5. dest: "{{ kube_config_dir }}/openssl.conf"
  6. run_once: yes
  7. delegate_to: "{{groups['kube-master'][0]}}"
  8. when: gen_certs|default(false)
  9. - name: certs | copy certs generation script
  10. copy:
  11. src: "make-ssl.sh"
  12. dest: "{{ kube_script_dir }}/make-ssl.sh"
  13. mode: 0700
  14. run_once: yes
  15. delegate_to: "{{groups['kube-master'][0]}}"
  16. when: gen_certs|default(false)
  17. - name: certs | run cert generation script
  18. command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
  19. run_once: yes
  20. delegate_to: "{{groups['kube-master'][0]}}"
  21. when: gen_certs|default(false)
  22. notify: set secret_changed
  23. - set_fact:
  24. master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem']
  25. node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
  26. - name: certs | Get the certs from first master
  27. slurp:
  28. src: "{{ kube_cert_dir }}/{{ item }}"
  29. delegate_to: "{{groups['kube-master'][0]}}"
  30. register: slurp_certs
  31. with_items: '{{ master_certs + node_certs }}'
  32. when: sync_certs|default(false)
  33. run_once: true
  34. notify: set secret_changed
  35. - name: certs | Copy certs on masters
  36. copy:
  37. content: "{{ item.content|b64decode }}"
  38. dest: "{{ item.source }}"
  39. with_items: '{{slurp_certs.results}}'
  40. when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
  41. inventory_hostname != groups['kube-master'][0]
  42. - name: certs | Copy certs on nodes
  43. copy:
  44. content: "{{ item.content|b64decode }}"
  45. dest: "{{ item.source }}"
  46. with_items: '{{slurp_certs.results}}'
  47. when: item.item in node_certs and
  48. inventory_hostname in groups['kube-node'] and sync_certs|default(false) and
  49. inventory_hostname != groups['kube-master'][0]
  50. - name: certs | check certificate permissions
  51. file:
  52. path={{ kube_cert_dir }}
  53. group={{ kube_cert_group }}
  54. owner=kube
  55. recurse=yes
  56. - shell: ls {{ kube_cert_dir}}/*key.pem
  57. register: keyfiles
  58. changed_when: false
  59. - name: certs | set permissions on keys
  60. file:
  61. path: "{{ item }}"
  62. mode: 0600
  63. with_items: "{{ keyfiles.stdout_lines }}"