---

- name: "cluster/gen_kube_node_certs | Ensure kube_cert_dir exists"
  file:
    path: "{{ kube_cert_dir }}" 
    state: directory

- name: "cluster/gen_kube_node_certs | Add the kubernetes role"
  uri:
    url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}/v1/pki/roles/kubernetes"
    headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    method: POST
    body_format: json
    body: "{{ vault_default_role_permissions }}"
    status_code: 204
  when: inventory_hostname == groups["k8s-cluster"]|first

- include: ../gen_cert.yml
  vars:
    gen_cert_alt_names: "{{ groups['k8s-cluster'] | join(',') }},localhost"
    gen_cert_copy_ca: "{{ true if item == vault_kube_node_certs_needed|first else false }}"
    gen_cert_hosts: "{{ groups['k8s-cluster'] }}"
    gen_cert_ip_sans: >-
        {%- for host in groups["k8s-cluster"] -%}
        {{ hostvars[host]["ansible_default_ipv4"]["address"] }}
        {%- if not loop.last -%},{%- endif -%}
        {%- endfor -%}
        ,127.0.0.1,::1
    gen_cert_path: "{{ item }}"
    gen_cert_vault_headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
    gen_cert_vault_role: kubernetes
    gen_cert_vault_url: "https://{{ hostvars[groups.vault|first]['vault_leader'] }}:{{ vault_port }}"
  with_items: "{{ vault_kube_node_certs_needed|default([]) }}"