2ab2f3a0a3
* Ability to specify ssl certificate duration and ssl key size - etcd/secrets * Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
107 lines
3.8 KiB
YAML
107 lines
3.8 KiB
YAML
---
|
|
- name: "Gen_helm_tiller_certs | Create helm config directory (on {{groups['kube-master'][0]}})"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
file:
|
|
path: "{{ helm_config_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
|
|
- name: "Gen_helm_tiller_certs | Create helm script directory (on {{groups['kube-master'][0]}})"
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
file:
|
|
path: "{{ helm_script_dir }}"
|
|
state: directory
|
|
owner: kube
|
|
|
|
- name: Gen_helm_tiller_certs | Copy certs generation script
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
template:
|
|
src: "helm-make-ssl.sh.j2"
|
|
dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
|
|
mode: 0700
|
|
|
|
- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{groups['kube-master'][0]}})"
|
|
find:
|
|
paths: "{{ helm_home_dir }}"
|
|
patterns: "*.pem"
|
|
get_checksum: true
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
register: helmcert_master
|
|
run_once: true
|
|
|
|
- name: Gen_helm_tiller_certs | run cert generation script
|
|
run_once: yes
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}"
|
|
|
|
- set_fact:
|
|
helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem']
|
|
|
|
- name: "Check_helm_client_certs | check if a cert already exists on master node"
|
|
find:
|
|
paths: "{{ helm_home_dir }}"
|
|
patterns: "*.pem"
|
|
get_checksum: true
|
|
register: helmcert_node
|
|
when: inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters"
|
|
set_fact:
|
|
sync_helm_certs: true
|
|
when: inventory_hostname != groups['kube-master'][0] and
|
|
(not item in helmcert_node.files | map(attribute='path') | map("basename") | list or
|
|
helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
|
|
with_items:
|
|
- "{{ helm_client_certs }}"
|
|
|
|
- name: Gen_helm_tiller_certs | Gather helm client certs
|
|
shell: "tar cfz - -C {{ helm_home_dir }} -T /dev/stdin <<< {{ helm_client_certs|join(' ') }} | base64 --wrap=0"
|
|
args:
|
|
executable: /bin/bash
|
|
no_log: true
|
|
register: helm_client_cert_data
|
|
check_mode: no
|
|
delegate_to: "{{groups['kube-master'][0]}}"
|
|
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters
|
|
tempfile:
|
|
state: file
|
|
path: /tmp
|
|
prefix: helmcertsXXXXX
|
|
suffix: tar.gz
|
|
register: helm_cert_tempfile
|
|
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_helm_tiller_certs | Write helm client certs to tempfile
|
|
copy:
|
|
content: "{{helm_client_cert_data.stdout}}"
|
|
dest: "{{helm_cert_tempfile.path}}"
|
|
owner: root
|
|
mode: "0600"
|
|
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_helm_tiller_certs | Unpack helm certs on masters
|
|
shell: "base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}"
|
|
no_log: true
|
|
changed_when: false
|
|
check_mode: no
|
|
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_helm_tiller_certs | Cleanup tempfile on masters
|
|
file:
|
|
path: "{{helm_cert_tempfile.path}}"
|
|
state: absent
|
|
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
|
|
|
- name: Gen_certs | check certificate permissions
|
|
file:
|
|
path: "{{ helm_home_dir }}"
|
|
group: "{{ helm_cert_group }}"
|
|
state: directory
|
|
owner: "{{ helm_cert_owner }}"
|
|
mode: "u=rwX,g-rwx,o-rwx"
|
|
recurse: yes
|