You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
---
- name: "Gen_helm_tiller_certs | Create helm config directory (on {{groups['kube-master'][0]}})"
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
file:
path: "{{ helm_config_dir }}"
state: directory
owner: kube
- name: "Gen_helm_tiller_certs | Create helm script directory (on {{groups['kube-master'][0]}})"
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
file:
path: "{{ helm_script_dir }}"
state: directory
owner: kube
- name: Gen_helm_tiller_certs | Copy certs generation script
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
template:
src: "helm-make-ssl.sh.j2"
dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
mode: 0700
- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{groups['kube-master'][0]}})"
find:
paths: "{{ helm_home_dir }}"
patterns: "*.pem"
get_checksum: true
delegate_to: "{{groups['kube-master'][0]}}"
register: helmcert_master
run_once: true
- name: Gen_helm_tiller_certs | run cert generation script
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}"
- set_fact:
helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem']
- name: "Check_helm_client_certs | check if a cert already exists on master node"
find:
paths: "{{ helm_home_dir }}"
patterns: "*.pem"
get_checksum: true
register: helmcert_node
when: inventory_hostname != groups['kube-master'][0]
- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters"
set_fact:
sync_helm_certs: true
when: inventory_hostname != groups['kube-master'][0] and
(not item in helmcert_node.files | map(attribute='path') | map("basename") | list or
helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
with_items:
- "{{ helm_client_certs }}"
- name: Gen_helm_tiller_certs | Gather helm client certs
shell: "tar cfz - -C {{ helm_home_dir }} -T /dev/stdin <<< {{ helm_client_certs|join(' ') }} | base64 --wrap=0"
args:
executable: /bin/bash
no_log: true
register: helm_client_cert_data
check_mode: no
delegate_to: "{{groups['kube-master'][0]}}"
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters
tempfile:
state: file
path: /tmp
prefix: helmcertsXXXXX
suffix: tar.gz
register: helm_cert_tempfile
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Write helm client certs to tempfile
copy:
content: "{{helm_client_cert_data.stdout}}"
dest: "{{helm_cert_tempfile.path}}"
owner: root
mode: "0600"
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Unpack helm certs on masters
shell: "base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}"
no_log: true
changed_when: false
check_mode: no
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Cleanup tempfile on masters
file:
path: "{{helm_cert_tempfile.path}}"
state: absent
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_certs | check certificate permissions
file:
path: "{{ helm_home_dir }}"
group: "{{ helm_cert_group }}"
state: directory
owner: "{{ helm_cert_owner }}"
mode: "u=rwX,g-rwx,o-rwx"
recurse: yes
|
