--- - include: check-certs.yml tags: [k8s-secrets, facts] - include: check-tokens.yml tags: [k8s-secrets, facts] - name: Make sure the certificate directory exits file: path: "{{ kube_cert_dir }}" state: directory mode: o-rwx group: "{{ kube_cert_group }}" - name: Make sure the tokens directory exits file: path: "{{ kube_token_dir }}" state: directory mode: o-rwx group: "{{ kube_cert_group }}" - name: Make sure the users directory exits file: path: "{{ kube_users_dir }}" state: directory mode: o-rwx group: "{{ kube_cert_group }}" - name: Populate users for basic auth in API lineinfile: dest: "{{ kube_users_dir }}/known_users.csv" create: yes line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}' backup: yes with_dict: "{{ kube_users }}" when: inventory_hostname in "{{ groups['kube-master'] }}" notify: set secret_changed # # The following directory creates make sure that the directories # exist on the first master for cases where the first master isn't # being run. # - name: "Gen_certs | Create kubernetes config directory (on {{groups['kube-master'][0]}})" file: path: "{{ kube_config_dir }}" state: directory owner: kube run_once: yes delegate_to: "{{groups['kube-master'][0]}}" tags: [kubelet, k8s-secrets, kube-controller-manager, kube-apiserver, bootstrap-os, apps, network, master, node] when: gen_certs|default(false) or gen_tokens|default(false) - name: "Gen_certs | Create kubernetes script directory (on {{groups['kube-master'][0]}})" file: path: "{{ kube_script_dir }}" state: directory owner: kube run_once: yes delegate_to: "{{groups['kube-master'][0]}}" tags: [k8s-secrets, bootstrap-os] when: gen_certs|default(false) or gen_tokens|default(false) - name: "Get_tokens | Make sure the tokens directory exits (on {{groups['kube-master'][0]}})" file: path: "{{ kube_token_dir }}" state: directory mode: o-rwx group: "{{ kube_cert_group }}" run_once: yes delegate_to: "{{groups['kube-master'][0]}}" when: gen_tokens|default(false) - include: "gen_certs_{{ cert_management }}.yml" tags: k8s-secrets - include: sync_kube_master_certs.yml when: cert_management == "vault" and inventory_hostname in groups['kube-master'] tags: k8s-secrets - include: sync_kube_node_certs.yml when: cert_management == "vault" and inventory_hostname in groups['k8s-cluster'] tags: k8s-secrets - include: gen_tokens.yml tags: k8s-secrets