c12s-kubespray/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml
2020-02-12 07:50:51 -08:00

108 lines
3.9 KiB
YAML

---
- name: "Gen_helm_tiller_certs | Create helm config directory (on {{ groups['kube-master'][0] }})"
run_once: yes
delegate_to: "{{ groups['kube-master'][0] }}"
file:
path: "{{ helm_config_dir }}"
state: directory
owner: kube
- name: "Gen_helm_tiller_certs | Create helm script directory (on {{ groups['kube-master'][0] }})"
run_once: yes
delegate_to: "{{ groups['kube-master'][0] }}"
file:
path: "{{ helm_script_dir }}"
state: directory
owner: kube
- name: Gen_helm_tiller_certs | Copy certs generation script
run_once: yes
delegate_to: "{{ groups['kube-master'][0] }}"
template:
src: "helm-make-ssl.sh.j2"
dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
mode: 0700
- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{ groups['kube-master'][0] }})"
find:
paths: "{{ helm_home_dir }}"
patterns: "*.pem"
get_checksum: true
delegate_to: "{{ groups['kube-master'][0] }}"
register: helmcert_master
run_once: true
- name: Gen_helm_tiller_certs | run cert generation script
run_once: yes
delegate_to: "{{ groups['kube-master'][0] }}"
command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}"
- name: Check_helm_client_certs | Set helm_client_certs
set_fact:
helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem']
- name: "Check_helm_client_certs | check if a cert already exists on master node"
find:
paths: "{{ helm_home_dir }}"
patterns: "*.pem"
get_checksum: true
register: helmcert_node
when: inventory_hostname != groups['kube-master'][0]
- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters"
set_fact:
sync_helm_certs: (not item in helmcert_node.files | map(attribute='path') | map("basename") | list or helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
when:
- inventory_hostname != groups['kube-master'][0]
with_items:
- "{{ helm_client_certs }}"
- name: Gen_helm_tiller_certs | Gather helm client certs
# noqa 303 - tar is called intentionally here, but maybe this should be done with the slurp module
shell: "tar cfz - -C {{ helm_home_dir }} {{ helm_client_certs|join(' ') }} | base64 --wrap=0"
args:
executable: /bin/bash
no_log: true
register: helm_client_cert_data
check_mode: no
delegate_to: "{{ groups['kube-master'][0] }}"
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters
tempfile:
state: file
path: /tmp
prefix: helmcertsXXXXX
suffix: tar.gz
register: helm_cert_tempfile
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Write helm client certs to tempfile
copy:
content: "{{ helm_client_cert_data.stdout }}"
dest: "{{ helm_cert_tempfile.path }}"
owner: root
mode: "0600"
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Unpack helm certs on masters
shell: "base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}"
no_log: true
changed_when: false
check_mode: no
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_helm_tiller_certs | Cleanup tempfile on masters
file:
path: "{{ helm_cert_tempfile.path }}"
state: absent
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
- name: Gen_certs | check certificate permissions
file:
path: "{{ helm_home_dir }}"
group: "{{ helm_cert_group }}"
state: directory
owner: "{{ helm_cert_owner }}"
mode: "u=rwX,g-rwx,o-rwx"
recurse: yes