c12s-kubespray/roles/kubernetes/node/tasks/secrets.yml

---
- name: Secrets | certs | make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: Secrets | tokens | make sure the tokens directory exits
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- include: gen_certs.yml
  when: inventory_hostname == groups['kube-master'][0]

- include: gen_calico_tokens.yml

# Sync certs between nodes
- name: Secrets | create user
  user:
    name: '{{ansible_user_id}}'
    generate_ssh_key: yes
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: yes

- name: Secrets | 'get ssh keypair'
  slurp: path=~/.ssh/id_rsa.pub
  register: public_key
  delegate_to: "{{ groups['kube-master'][0] }}"

- name: Secrets | 'setup keypair on nodes'
  authorized_key:
    user: '{{ansible_user_id}}'
    key: "{{public_key.content|b64decode }}"

- name: Secrets | synchronize certificates for nodes
  synchronize:
    src: "{{ item }}"
    dest: "{{ kube_cert_dir }}"
    recursive: yes
    delete: yes
    rsync_opts: [ '--one-file-system']
    set_remote_user: false
  with_items:
    - "{{ kube_cert_dir}}/ca.pem"
    - "{{ kube_cert_dir}}/node.pem"
    - "{{ kube_cert_dir}}/node-key.pem"
  delegate_to: "{{ groups['kube-master'][0] }}"
  when: inventory_hostname not in "{{ groups['kube-master'] }}"
Initial commit 2015-10-03 20:19:50 +00:00			`---`
Rename tasks 2016-01-19 13:08:57 +00:00			`- name: Secrets \| certs \| make sure the certificate directory exits`
Initial commit 2015-10-03 20:19:50 +00:00			`file:`
			`path={{ kube_cert_dir }}`
			`state=directory`
			`mode=o-rwx`
			`group={{ kube_cert_group }}`

Rename tasks 2016-01-19 13:08:57 +00:00			`- name: Secrets \| tokens \| make sure the tokens directory exits`
Initial commit 2015-10-03 20:19:50 +00:00			`file:`
			`path={{ kube_token_dir }}`
			`state=directory`
			`mode=o-rwx`
			`group={{ kube_cert_group }}`

			`- include: gen_certs.yml`
			`when: inventory_hostname == groups['kube-master'][0]`

run apiserver as a service reorder master handlers typo for sysvinit 2016-01-22 13:25:33 +00:00			`- include: gen_calico_tokens.yml`
calico talks to apiserver with https 2015-12-18 21:22:52 +00:00
Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-11 10:32:13 +00:00			`# Sync certs between nodes`
Rename tasks 2016-01-19 13:08:57 +00:00			`- name: Secrets \| create user`
			`user:`
Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-11 10:32:13 +00:00			`name: '{{ansible_user_id}}'`
			`generate_ssh_key: yes`
			`delegate_to: "{{ groups['kube-master'][0] }}"`
			`run_once: yes`
Initial commit 2015-10-03 20:19:50 +00:00
Rename tasks 2016-01-19 13:08:57 +00:00			`- name: Secrets \| 'get ssh keypair'`
Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-11 10:32:13 +00:00			`slurp: path=~/.ssh/id_rsa.pub`
			`register: public_key`
			`delegate_to: "{{ groups['kube-master'][0] }}"`
Initial commit 2015-10-03 20:19:50 +00:00
Rename tasks 2016-01-19 13:08:57 +00:00			`- name: Secrets \| 'setup keypair on nodes'`
Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-11 10:32:13 +00:00			`authorized_key:`
			`user: '{{ansible_user_id}}'`
			`key: "{{public_key.content\|b64decode }}"`
Fix docker 2015-11-20 13:04:13 +00:00
Rename tasks 2016-01-19 13:08:57 +00:00			`- name: Secrets \| synchronize certificates for nodes`
Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-11 10:32:13 +00:00			`synchronize:`
			`src: "{{ item }}"`
			`dest: "{{ kube_cert_dir }}"`
			`recursive: yes`
			`delete: yes`
			`rsync_opts: [ '--one-file-system']`
enforce user root when sudo is used 2016-01-05 14:33:23 +00:00			`set_remote_user: false`
Master and nodes will run the 'node' role, kube-proxy is run under a container, new script for ssl certs 2015-12-11 10:32:13 +00:00			`with_items:`
			`- "{{ kube_cert_dir}}/ca.pem"`
			`- "{{ kube_cert_dir}}/node.pem"`
			`- "{{ kube_cert_dir}}/node-key.pem"`
			`delegate_to: "{{ groups['kube-master'][0] }}"`
don't sync certs on masters, already done in another task 2015-12-21 13:24:57 +00:00			`when: inventory_hostname not in "{{ groups['kube-master'] }}"`