kubespray/roles/kubernetes/secrets/tasks/main.yml

---
- include: check-certs.yml
  tags: [k8s-secrets, facts]
- include: check-tokens.yml
  tags: [k8s-secrets, facts]

- name: Make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: Make sure the tokens directory exits
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: Make sure the users directory exits
  file:
    path={{ kube_users_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: Populate users for basic auth in API
  lineinfile:
    dest: "{{ kube_users_dir }}/known_users.csv"
    create: yes
    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
    backup: yes
  with_dict: "{{ kube_users }}"
  when: inventory_hostname in "{{ groups['kube-master'] }}"
  notify: set secret_changed

- include: gen_certs.yml
  tags: k8s-secrets
- include: gen_tokens.yml
  tags: k8s-secrets