kubespray/roles/kubernetes/common/tasks/secrets.yml

---
- name: certs | create system kube-cert groups
  group: name={{ kube_cert_group }} state=present system=yes

- name: create system kube user
  user:
    name=kube
    comment="Kubernetes user"
    shell=/sbin/nologin
    state=present
    system=yes
    groups={{ kube_cert_group }}

- name: certs | make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- name: tokens | make sure the tokens directory exits
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}

- include: gen_certs.yml
  run_once: true
  when: inventory_hostname == groups['kube-master'][0]

- name: Read back the CA certificate
  slurp:
    src: "{{ kube_cert_dir }}/ca.crt"
  register: ca_cert
  run_once: true
  delegate_to: "{{ groups['kube-master'][0] }}"

- name: certs | register the CA certificate as a fact for later use
  set_fact:
    kube_ca_cert: "{{ ca_cert.content|b64decode }}"

- name: certs | write CA certificate everywhere
  copy: content="{{ kube_ca_cert }}" dest="{{ kube_cert_dir }}/ca.crt"
  notify:
    - restart daemons

- include: gen_tokens.yml
  run_once: true
  when: inventory_hostname == groups['kube-master'][0]
Initial commit 2015-10-04 04:19:50 +08:00			`---`
			`- name: certs \| create system kube-cert groups`
			`group: name={{ kube_cert_group }} state=present system=yes`

			`- name: create system kube user`
			`user:`
			`name=kube`
			`comment="Kubernetes user"`
			`shell=/sbin/nologin`
			`state=present`
			`system=yes`
			`groups={{ kube_cert_group }}`

			`- name: certs \| make sure the certificate directory exits`
			`file:`
			`path={{ kube_cert_dir }}`
			`state=directory`
			`mode=o-rwx`
			`group={{ kube_cert_group }}`

			`- name: tokens \| make sure the tokens directory exits`
			`file:`
			`path={{ kube_token_dir }}`
			`state=directory`
			`mode=o-rwx`
			`group={{ kube_cert_group }}`

			`- include: gen_certs.yml`
			`run_once: true`
			`when: inventory_hostname == groups['kube-master'][0]`

			`- name: Read back the CA certificate`
			`slurp:`
			`src: "{{ kube_cert_dir }}/ca.crt"`
			`register: ca_cert`
			`run_once: true`
			`delegate_to: "{{ groups['kube-master'][0] }}"`

			`- name: certs \| register the CA certificate as a fact for later use`
			`set_fact:`
			`kube_ca_cert: "{{ ca_cert.content\|b64decode }}"`

			`- name: certs \| write CA certificate everywhere`
			`copy: content="{{ kube_ca_cert }}" dest="{{ kube_cert_dir }}/ca.crt"`
			`notify:`
			`- restart daemons`

			`- include: gen_tokens.yml`
			`run_once: true`
			`when: inventory_hostname == groups['kube-master'][0]`