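---
# Node-side secret distribution for a Kubernetes cluster:
#   1. create the cert and token directories with no "other" access,
#   2. generate certs/tokens once on the first master (gen_certs.yml / gen_tokens.yml),
#   3. for the calico network plugin, mint a per-node "system:calico-<host>" token
#      on the master and write it to /etc/network-environment on the node,
#   4. give the master's ansible user an SSH key trusted by every node and rsync
#      ca.pem / node.pem / node-key.pem from the master to each node.
#
# Every task that handles a token is marked no_log so the secret does not end
# up in Ansible's stdout, callback output or registered-variable dumps.

- name: certs | make sure the certificate directory exists
  file:
    path: "{{ kube_cert_dir }}"
    state: directory
    mode: "o-rwx"
    group: "{{ kube_cert_group }}"

- name: tokens | make sure the tokens directory exists
  file:
    path: "{{ kube_token_dir }}"
    state: directory
    mode: "o-rwx"
    group: "{{ kube_cert_group }}"

# Certificates and tokens are generated exactly once, on the first master only.
- include: gen_certs.yml
  run_once: true
  when: inventory_hostname == groups['kube-master'][0]

- include: gen_tokens.yml
  run_once: true
  when: inventory_hostname == groups['kube-master'][0]

# One token per cluster member, named "system:calico-<inventory_hostname>".
# Runs on the master (delegate_to) so all token files live in one place.
# kube-gen-token.sh's stdout may include the token itself, so the registered
# result is kept out of the logs; changed_when still inspects it.
- name: tokens | generate tokens for calico
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - ["system:calico"]
    - "{{ groups['k8s-cluster'] }}"
  register: gentoken
  changed_when: "'Added' in gentoken.stdout"
  no_log: true
  when: kube_network_plugin == "calico"
  delegate_to: "{{ groups['kube-master'][0] }}"

# Read this node's token back from the master; calico_token.content is base64.
- name: tokens | get the calico token values
  slurp:
    src: "{{ kube_token_dir }}/system:calico-{{ inventory_hostname }}.token"
  register: calico_token
  no_log: true
  when: kube_network_plugin == "calico"
  delegate_to: "{{ groups['kube-master'][0] }}"

# NOTE(review): no mode is set on /etc/network-environment, so the file keeps
# whatever permissions it already has (typically world-readable). Confirm which
# uid reads it before tightening it to 0600.
- name: tokens | Add KUBE_AUTH_TOKEN for calico
  lineinfile:
    regexp: "^KUBE_AUTH_TOKEN=.*$"
    line: "KUBE_AUTH_TOKEN={{ calico_token.content|b64decode }}"
    dest: "/etc/network-environment"
  no_log: true
  when: kube_network_plugin == "calico"

# Sync certs between nodes
#
# synchronize below rsyncs from the master, so the master's ansible user needs
# SSH access to every node. NOTE(review): this installs a standing, unrestricted
# trust relationship (no key_options / from= restriction) — a compromised master
# can log in to every node as this user even after the cert sync is done.
- name: ssh | generate an ssh keypair for the ansible user on the first master
  user:
    name: "{{ ansible_user_id }}"
    generate_ssh_key: true
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true

- name: ssh | get ssh keypair
  slurp:
    path: "~/.ssh/id_rsa.pub"
  register: public_key
  delegate_to: "{{ groups['kube-master'][0] }}"

- name: ssh | setup keypair on nodes
  authorized_key:
    user: "{{ ansible_user_id }}"
    key: "{{ public_key.content|b64decode }}"

# Push the CA cert and the node cert/key from the master to this node.
# NOTE(review): the same node.pem / node-key.pem is copied to every host, so all
# nodes share one identity; a key leaked from any node is valid for all of them.
# `delete` only affects directory syncs and is a no-op for these single files.
- name: certs | synchronize certificates for nodes
  synchronize:
    src: "{{ item }}"
    dest: "{{ kube_cert_dir }}"
    recursive: true
    delete: true
    rsync_opts: ["--one-file-system"]
  with_items:
    - "{{ kube_cert_dir }}/ca.pem"
    - "{{ kube_cert_dir }}/node.pem"
    - "{{ kube_cert_dir }}/node-key.pem"
  delegate_to: "{{ groups['kube-master'][0] }}"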