c12s-kubespray/roles/etcd/tasks/check_certs.yml

---
- name: "Check_certs | check if all certs have already been generated on first master"
  stat:
    path: "{{ etcd_cert_dir }}/{{ item }}"
    get_md5: no
  delegate_to: "{{groups['etcd'][0]}}"
  register: etcdcert_master
  run_once: true
  with_items: >-
       ['ca.pem',
       {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
       {% for host in all_etcd_hosts %}
       'node-{{ host }}-key.pem'
       {% if not loop.last %}{{','}}{% endif %}
       {% endfor %}]       

- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs' and 'etcd_secret_changed' to false"
  set_fact:
    sync_certs: false
    gen_certs: false
    etcd_secret_changed: false

- name: "Check_certs | Set 'gen_certs' to true"
  set_fact:
    gen_certs: true
  when: "not {{item.stat.exists}}"
  run_once: true
  with_items: "{{etcdcert_master.results}}"

- name: "Check certs | check if a cert already exists"
  stat:
    path: "{{ etcd_cert_dir }}/{{ item }}"
  register: etcdcert
  with_items:
    - ca.pem
    - node-{{ inventory_hostname }}-key.pem

- name: "Check_certs | Set 'sync_certs' to true"
  set_fact:
    sync_certs: true
  when: >-
      {%- set certs = {'sync': False} -%}
      {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
      {% for host in all_etcd_hosts %}
        {% if host == inventory_hostname %}
          {% if (not etcdcert.results[0].stat.exists|default(False)) or
              (not etcdcert.results[1].stat.exists|default(False)) or
              (etcdcert.results[1].stat.checksum|default('') != etcdcert_master.results[loop.index].stat.checksum|default('')) -%}
            {%- set _ = certs.update({'sync': True}) -%}
          {% endif %}
        {% endif %}
      {%- endfor -%}
      {{ certs.sync }}