---
#- name: Get create ca cert script from Kubernetes
#  get_url:
#    url=https://raw.githubusercontent.com/GoogleCloudPlatform/kubernetes/master/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
#    dest={{ kube_script_dir }}/make-ca-cert.sh mode=0500
#    force=yes

- name: certs | install cert generation script
  copy:
    src=make-ca-cert.sh
    dest={{ kube_script_dir }}
    mode=0500
  changed_when: false

# FIXME This only generates a cert for one master...
- name: certs | run cert generation script
  command:
    "{{ kube_script_dir }}/make-ca-cert.sh {{ inventory_hostname }}"
  args:
    creates: "{{ kube_cert_dir }}/server.crt"
  environment:
    MASTER_IP: "{{ hostvars[inventory_hostname]['ip'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address']) }}"
    MASTER_NAME: "{{ inventory_hostname }}"
    DNS_DOMAIN: "{{ dns_domain }}"
    SERVICE_CLUSTER_IP_RANGE: "{{ kube_service_addresses }}"
    CERT_DIR: "{{ kube_cert_dir }}"
    CERT_GROUP: "{{ kube_cert_group }}"

- name: certs | check certificate permissions
  file:
    path={{ item }}
    group={{ kube_cert_group }}
    owner=kube
    mode=0440
  with_items:
    - "{{ kube_cert_dir }}/ca.crt"
    - "{{ kube_cert_dir }}/server.crt"
    - "{{ kube_cert_dir }}/server.key"
    - "{{ kube_cert_dir }}/kubecfg.crt"
    - "{{ kube_cert_dir }}/kubecfg.key"
    - "{{ kube_cert_dir }}/kubelet.crt"
    - "{{ kube_cert_dir }}/kubelet.key"