Use node cert for etcd tasks instead of delegating to first etcd (#2386)

For etcdctl commands, use admin cert instead of node because this file
doesn't exist on etcd only hosts.

roles/network_plugin/calico/rr/tasks/main.yml

@@ -50,8 +50,8 @@
   command: |-
     {{ bin_dir }}/etcdctl \
     --peers={{ etcd_access_addresses }} \
-    --cert-file {{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem \
+    --cert-file {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem \
-    --key-file {{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem \
+    --key-file {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
     set /calico/bgp/v1/rr_v4/{{ rr_ip }} \
     '{
        "ip": "{{ rr_ip }}",

roles/network_plugin/calico/tasks/main.yml

@@ -83,26 +83,24 @@
   uri:
     url: https://localhost:2379/health
     validate_certs: no
-    client_cert: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem"
+    client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-    client_key: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem"
+    client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
   register: result
   until: result.status == 200 or result.status == 401
   retries: 10
   delay: 5
-  delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
 
 - name: Calico | Check if calico network pool has already been configured
   command: |-
     curl \
       --cacert {{ etcd_cert_dir }}/ca.pem \
-      --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
+      --cert {{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem \
-      --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
+      --key {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
       https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
   register: calico_conf
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
   changed_when: false
 
@@ -125,13 +123,12 @@
   command: |-
     curl \
       --cacert {{ etcd_cert_dir }}/ca.pem \
-      --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
+      --cert {{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem \
-      --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
+      --key {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
       https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
   register: calico_pools_raw
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
 
 - set_fact:

roles/network_plugin/canal/tasks/main.yml

@@ -35,8 +35,8 @@
   changed_when: false
   run_once: true
   environment:
-    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem"
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem"
-    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
 
 - name: Canal | Create canal node manifests
   template: