c12s-kubespray/roles/kubernetes/secrets/tasks/main.yml

110 lines
3 KiB
YAML
Raw Permalink Normal View History

---
- import_tasks: check-certs.yml
tags:
- k8s-secrets
- k8s-gen-certs
- facts
- name: Make sure the certificate directory exits
file:
path: "{{ kube_cert_dir }}"
state: directory
mode: o-rwx
group: "{{ kube_cert_group }}"
#
# The following directory creates make sure that the directories
# exist on the first master for cases where the first master isn't
# being run.
#
- name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})"
file:
path: "{{ kube_config_dir }}"
state: directory
owner: kube
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false)
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- apps
- network
- master
- node
- name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})"
file:
path: "{{ kube_script_dir }}"
state: directory
owner: kube
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false)
tags:
- k8s-secrets
- include_tasks: "gen_certs_script.yml"
when:
- cert_management |d('script') == 'script'
tags:
- k8s-secrets
- k8s-gen-certs
- import_tasks: upd_ca_trust.yml
tags:
- k8s-secrets
- k8s-gen-certs
- name: "Gen_certs | Get certificate serials on kube masters"
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
register: "master_certificate_serials"
changed_when: false
with_items:
- "admin-{{ inventory_hostname }}.pem"
- "apiserver.pem"
- "kube-controller-manager.pem"
- "kube-scheduler.pem"
when: inventory_hostname in groups['kube-master']
tags:
- master
- kubelet
- node
- name: "Gen_certs | set kube master certificate serial facts"
set_fact:
etcd_admin_cert_serial: "{{ master_certificate_serials.results[0].stdout|default() }}"
apiserver_cert_serial: "{{ master_certificate_serials.results[1].stdout|default() }}"
controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
when: inventory_hostname in groups['kube-master']
tags:
- master
- kubelet
- node
- name: "Gen_certs | Get certificate serials on kube nodes"
shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
register: "node_certificate_serials"
changed_when: false
with_items:
- "node-{{ inventory_hostname }}.pem"
- "kube-proxy-{{ inventory_hostname }}.pem"
when:
- inventory_hostname in groups['k8s-cluster']
tags:
- node
- kube-proxy
- name: "Gen_certs | set kube node certificate serial facts"
set_fact:
kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
when: inventory_hostname in groups['k8s-cluster']
tags:
- kubelet
- node
- kube-proxy