  1. ---
  2. - name: Gen_certs | create etcd cert dir
  3. file:
  4. path: "{{ etcd_cert_dir }}"
  5. group: "{{ etcd_cert_group }}"
  6. state: directory
  7. owner: kube
  8. mode: 0700
  9. recurse: yes
  10. - name: "Gen_certs | create etcd script dir (on {{groups['etcd'][0]}})"
  11. file:
  12. path: "{{ etcd_script_dir }}"
  13. state: directory
  14. owner: root
  15. mode: 0700
  16. run_once: yes
  17. when: inventory_hostname == groups['etcd'][0]
  18. delegate_to: "{{groups['etcd'][0]}}"
  19. - name: "Gen_certs | create etcd cert dir (on {{groups['etcd'][0]}})"
  20. file:
  21. path: "{{ etcd_cert_dir }}"
  22. group: "{{ etcd_cert_group }}"
  23. state: directory
  24. owner: kube
  25. recurse: yes
  26. mode: 0700
  27. run_once: yes
  28. when: inventory_hostname == groups['etcd'][0]
  29. delegate_to: "{{groups['etcd'][0]}}"
  30. - name: Gen_certs | write openssl config
  31. template:
  32. src: "openssl.conf.j2"
  33. dest: "{{ etcd_config_dir }}/openssl.conf"
  34. run_once: yes
  35. delegate_to: "{{groups['etcd'][0]}}"
  36. when:
  37. - gen_certs|default(false)
  38. - inventory_hostname == groups['etcd'][0]
  39. - name: Gen_certs | copy certs generation script
  40. template:
  41. src: "make-ssl-etcd.sh.j2"
  42. dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
  43. mode: 0700
  44. run_once: yes
  45. delegate_to: "{{groups['etcd'][0]}}"
  46. when:
  47. - gen_certs|default(false)
  48. - inventory_hostname == groups['etcd'][0]
  49. - name: Gen_certs | run cert generation script
  50. command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
  51. environment:
  52. - MASTERS: "{% for m in groups['etcd'] %}
  53. {% if gen_node_certs[m] %}
  54. {{ m }}
  55. {% endif %}
  56. {% endfor %}"
  57. - HOSTS: "{% for h in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
  58. {% if gen_node_certs[h] %}
  59. {{ h }}
  60. {% endif %}
  61. {% endfor %}"
  62. run_once: yes
  63. delegate_to: "{{groups['etcd'][0]}}"
  64. when:
  65. - gen_certs|default(false)
  66. - inventory_hostname == groups['etcd'][0]
  67. notify: set etcd_secret_changed
  68. - name: Gen_certs | Gather etcd master certs
  69. slurp:
  70. src: "{{ item }}"
  71. register: etcd_master_certs
  72. with_items:
  73. - "{{ etcd_cert_dir }}/ca.pem"
  74. - "{{ etcd_cert_dir }}/ca-key.pem"
  75. - "[{% for node in groups['etcd'] %}
  76. '{{ etcd_cert_dir }}/admin-{{ node }}.pem',
  77. '{{ etcd_cert_dir }}/admin-{{ node }}-key.pem',
  78. '{{ etcd_cert_dir }}/member-{{ node }}.pem',
  79. '{{ etcd_cert_dir }}/member-{{ node }}-key.pem',
  80. {% endfor %}]"
  81. - "[{% for node in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
  82. '{{ etcd_cert_dir }}/node-{{ node }}.pem',
  83. '{{ etcd_cert_dir }}/node-{{ node }}-key.pem',
  84. {% endfor %}]"
  85. delegate_to: "{{groups['etcd'][0]}}"
  86. when:
  87. - inventory_hostname in groups['etcd']
  88. - sync_certs|default(false)
  89. - inventory_hostname != groups['etcd'][0]
  90. notify: set etcd_secret_changed
  91. - name: Gen_certs | Write etcd master certs
  92. copy:
  93. dest: "{{ item.item }}"
  94. content: "{{ item.content | b64decode }}"
  95. group: "{{ etcd_cert_group }}"
  96. owner: kube
  97. mode: 0640
  98. with_items: "{{ etcd_master_certs.results }}"
  99. when:
  100. - inventory_hostname in groups['etcd']
  101. - sync_certs|default(false)
  102. - inventory_hostname != groups['etcd'][0]
  103. - set_fact:
  104. my_etcd_node_certs: ['ca.pem',
  105. 'node-{{ inventory_hostname }}.pem',
  106. 'node-{{ inventory_hostname }}-key.pem']
  107. tags:
  108. - facts
  109. - name: "Check_certs | Set 'sync_certs' to true on nodes"
  110. set_fact:
  111. sync_certs: true
  112. when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
  113. inventory_hostname in groups['k8s-cluster']) and
  114. inventory_hostname not in groups['etcd']
  115. with_items:
  116. - "{{ my_etcd_node_certs }}"
  117. - name: Gen_certs | Gather node certs
  118. shell: "tar cfz - -C {{ etcd_cert_dir }} -T /dev/stdin <<< {{ my_etcd_node_certs|join(' ') }} | base64 --wrap=0"
  119. args:
  120. executable: /bin/bash
  121. warn: false
  122. no_log: true
  123. register: etcd_node_certs
  124. check_mode: no
  125. delegate_to: "{{groups['etcd'][0]}}"
  126. when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
  127. inventory_hostname in groups['k8s-cluster']) and
  128. sync_certs|default(false) and inventory_hostname not in groups['etcd']
  129. - name: Gen_certs | Copy certs on nodes
  130. shell: "base64 -d <<< '{{etcd_node_certs.stdout|quote}}' | tar xz -C {{ etcd_cert_dir }}"
  131. args:
  132. executable: /bin/bash
  133. no_log: true
  134. changed_when: false
  135. check_mode: no
  136. when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
  137. inventory_hostname in groups['k8s-cluster']) and
  138. sync_certs|default(false) and inventory_hostname not in groups['etcd']
  139. notify: set etcd_secret_changed
  140. - name: Gen_certs | check certificate permissions
  141. file:
  142. path: "{{ etcd_cert_dir }}"
  143. group: "{{ etcd_cert_group }}"
  144. state: directory
  145. owner: kube
  146. mode: 0640
  147. recurse: yes