c12s-kubespray/roles/etcd/tasks/upd_ca_trust.yml

---
- name: Gen_certs | target ca-certificate store file
  set_fact:
    ca_cert_path: |-
      {% if ansible_os_family == "Debian" -%}
      /usr/local/share/ca-certificates/etcd-ca.crt
      {%- elif ansible_os_family == "RedHat" -%}
      /etc/pki/ca-trust/source/anchors/etcd-ca.crt
      {%- elif ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] -%}
      /etc/ssl/certs/etcd-ca.pem
      {%- elif ansible_os_family == "Suse" -%}
      /etc/pki/trust/anchors/etcd-ca.pem
      {%- elif ansible_os_family == "ClearLinux" -%}
      /usr/share/ca-certs/etcd-ca.pem
      {%- endif %}
  tags:
    - facts

- name: Gen_certs | add CA to trusted CA dir
  copy:
    src: "{{ etcd_cert_dir }}/ca.pem"
    dest: "{{ ca_cert_path }}"
    remote_src: true
  register: etcd_ca_cert

- name: Gen_certs | update ca-certificates (Debian/Ubuntu/SUSE/Container Linux by CoreOS)  # noqa 503
  command: update-ca-certificates
  when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "Suse"]

- name: Gen_certs | update ca-certificates (RedHat)  # noqa 503
  command: update-ca-trust extract
  when: etcd_ca_cert.changed and ansible_os_family == "RedHat"

- name: Gen_certs | update ca-certificates (ClearLinux)  # noqa 503
  command: clrtrust add "{{ ca_cert_path }}"
  when: etcd_ca_cert.changed and ansible_os_family == "ClearLinux"
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`---`
			`- name: Gen_certs \| target ca-certificate store file`
			`set_fact:`
			`ca_cert_path: \|-`
			`{% if ansible_os_family == "Debian" -%}`
			`/usr/local/share/ca-certificates/etcd-ca.crt`
			`{%- elif ansible_os_family == "RedHat" -%}`
			`/etc/pki/ca-trust/source/anchors/etcd-ca.crt`
added "Flatcar", "Flatcar Container Linux by Kinvolk" for all coreOS role (#5607) 2020-02-18 08:15:29 +00:00			`{%- elif ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] -%}`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`/etc/ssl/certs/etcd-ca.pem`
Revert "Revert "Add openSUSE support" (#2697)" (#2699) This reverts commit 51f4e6585a2000bd226c42ffde813639e4154ac6. 2018-04-26 09:52:06 +00:00			`{%- elif ansible_os_family == "Suse" -%}`
			`/etc/pki/trust/anchors/etcd-ca.pem`
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com> 2018-12-18 09:39:25 +00:00			`{%- elif ansible_os_family == "ClearLinux" -%}`
			`/usr/share/ca-certs/etcd-ca.pem`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`{%- endif %}`
Normalize tags in all places to prepare for tag fixing in future (#1739) 2017-10-05 07:43:04 +00:00			`tags:`
			`- facts`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00
			`- name: Gen_certs \| add CA to trusted CA dir`
			`copy:`
			`src: "{{ etcd_cert_dir }}/ca.pem"`
			`dest: "{{ ca_cert_path }}"`
			`remote_src: true`
			`register: etcd_ca_cert`

Add noqa and disable .ansible-lint global exclusions (#6410) 2020-07-27 13:24:17 +00:00			`- name: Gen_certs \| update ca-certificates (Debian/Ubuntu/SUSE/Container Linux by CoreOS) # noqa 503`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`command: update-ca-certificates`
added "Flatcar", "Flatcar Container Linux by Kinvolk" for all coreOS role (#5607) 2020-02-18 08:15:29 +00:00			`when: etcd_ca_cert.changed and ansible_os_family in ["Debian", "CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "Suse"]`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00
Add noqa and disable .ansible-lint global exclusions (#6410) 2020-07-27 13:24:17 +00:00			`- name: Gen_certs \| update ca-certificates (RedHat) # noqa 503`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00			`command: update-ca-trust extract`
			`when: etcd_ca_cert.changed and ansible_os_family == "RedHat"`
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com> 2018-12-18 09:39:25 +00:00
Add noqa and disable .ansible-lint global exclusions (#6410) 2020-07-27 13:24:17 +00:00			`- name: Gen_certs \| update ca-certificates (ClearLinux) # noqa 503`
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com> 2018-12-18 09:39:25 +00:00			`command: clrtrust add "{{ ca_cert_path }}"`
			`when: etcd_ca_cert.changed and ansible_os_family == "ClearLinux"`