

  1. ---
  2. - include_tasks: sync_etcd_master_certs.yml
  3. when: inventory_hostname in groups.etcd
  4. tags:
  5. - etcd-secrets
  6. - include_tasks: sync_etcd_node_certs.yml
  7. when: inventory_hostname in etcd_node_cert_hosts
  8. tags:
  9. - etcd-secrets
  10. # Issue master certs to Etcd nodes
  11. - include_tasks: ../../vault/tasks/shared/issue_cert.yml
  12. vars:
  13. issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
  14. issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
  15. issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
  16. issue_cert_file_group: "{{ etcd_cert_group }}"
  17. issue_cert_file_owner: kube
  18. issue_cert_hosts: "{{ groups.etcd }}"
  19. issue_cert_ip_sans: >-
  20. [
  21. {%- for host in groups.etcd -%}
  22. "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
  23. {%- if hostvars[host]['ip'] is defined -%}
  24. "{{ hostvars[host]['ip'] }}",
  25. {%- endif -%}
  26. {%- endfor -%}
  27. "127.0.0.1","::1"
  28. ]
  29. issue_cert_path: "{{ item }}"
  30. issue_cert_role: etcd
  31. issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  32. issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
  33. with_items: "{{ etcd_master_certs_needed|d([]) }}"
  34. when: inventory_hostname in groups.etcd
  35. notify: set etcd_secret_changed
  36. # Issue node certs to everyone else
  37. - include_tasks: ../../vault/tasks/shared/issue_cert.yml
  38. vars:
  39. issue_cert_common_name: "etcd:node:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
  40. issue_cert_alt_names: "{{ etcd_node_cert_hosts }}"
  41. issue_cert_copy_ca: "{{ item == etcd_node_certs_needed|first }}"
  42. issue_cert_file_group: "{{ etcd_cert_group }}"
  43. issue_cert_file_owner: kube
  44. issue_cert_hosts: "{{ etcd_node_cert_hosts }}"
  45. issue_cert_ip_sans: >-
  46. [
  47. {%- for host in etcd_node_cert_hosts -%}
  48. "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
  49. {%- if hostvars[host]['ip'] is defined -%}
  50. "{{ hostvars[host]['ip'] }}",
  51. {%- endif -%}
  52. {%- endfor -%}
  53. "127.0.0.1","::1"
  54. ]
  55. issue_cert_path: "{{ item }}"
  56. issue_cert_role: etcd
  57. issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
  58. issue_cert_mount_path: "{{ etcd_vault_mount_path }}"
  59. with_items: "{{ etcd_node_certs_needed|d([]) }}"
  60. when: inventory_hostname in etcd_node_cert_hosts
  61. notify: set etcd_secret_changed