---
- name: certs | create system kube-cert groups
  group: name={{ kube_cert_group }} state=present system=yes

- name: create system kube user
  user:
    name=kube
    comment="Kubernetes user"
    shell=/sbin/nologin
    state=present
    system=yes
    groups={{ kube_cert_group }}

- name: certs | make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: tokens | make sure the tokens directory exits
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- include: gen_certs.yml
  run_once: true
  when: inventory_hostname == groups['kube-master'][0]

- name: Read back the CA certificate
  slurp:
    src: "{{ kube_cert_dir }}/ca.crt"
  register: ca_cert
  run_once: true
  delegate_to: "{{ groups['kube-master'][0] }}"

- name: certs | register the CA certificate as a fact for later use
  set_fact:
    kube_ca_cert: "{{ ca_cert.content|b64decode }}"

- name: certs | write CA certificate everywhere
  copy: content="{{ kube_ca_cert }}" dest="{{ kube_cert_dir }}/ca.crt"
  notify:
    - restart daemons

- include: gen_tokens.yml
  run_once: true
  when: inventory_hostname == groups['kube-master'][0]