--- - name: "Check_certs | Register certs that have already been generated on first etcd node" find: paths: "{{ etcd_cert_dir }}" patterns: "ca.pem,node*.pem,member*.pem,admin*.pem" get_checksum: true delegate_to: "{{ groups['etcd'][0] }}" register: etcdcert_master run_once: true - name: "Check_certs | Set default value for 'sync_certs', 'gen_certs' and 'etcd_secret_changed' to false" set_fact: sync_certs: false gen_certs: false etcd_secret_changed: false - name: "Check certs | Register ca and etcd admin/member certs on etcd hosts" stat: path: "{{ etcd_cert_dir }}/{{ item }}" get_attributes: false get_checksum: true get_mime: false register: etcd_member_certs when: inventory_hostname in groups['etcd'] with_items: - ca.pem - member-{{ inventory_hostname }}.pem - member-{{ inventory_hostname }}-key.pem - admin-{{ inventory_hostname }}.pem - admin-{{ inventory_hostname }}-key.pem - name: "Check certs | Register ca and etcd node certs on kubernetes hosts" stat: path: "{{ etcd_cert_dir }}/{{ item }}" register: etcd_node_certs when: inventory_hostname in groups['k8s_cluster'] with_items: - ca.pem - node-{{ inventory_hostname }}.pem - node-{{ inventory_hostname }}-key.pem - name: "Check_certs | Set 'gen_certs' to true if expected certificates are not on the first etcd node(1/2)" set_fact: gen_certs: true when: force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list run_once: true with_items: "{{ expected_files }}" vars: expected_files: >- ['{{ etcd_cert_dir }}/ca.pem', {% set etcd_members = groups['etcd'] %} {% for host in etcd_members %} '{{ etcd_cert_dir }}/admin-{{ host }}.pem', '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem', '{{ etcd_cert_dir }}/member-{{ host }}.pem', '{{ etcd_cert_dir }}/member-{{ host }}-key.pem', {% endfor %} {% set k8s_nodes = groups['kube_control_plane'] %} {% for host in k8s_nodes %} '{{ etcd_cert_dir }}/node-{{ host }}.pem', '{{ etcd_cert_dir }}/node-{{ host }}-key.pem' {% if not loop.last %}{{ ',' }}{% endif %} {% endfor %}] - name: "Check_certs | Set 'gen_certs' to true if expected certificates are not on the first etcd node(2/2)" set_fact: gen_certs: true run_once: true with_items: "{{ expected_files }}" vars: expected_files: >- ['{{ etcd_cert_dir }}/ca.pem', {% set etcd_members = groups['etcd'] %} {% for host in etcd_members %} '{{ etcd_cert_dir }}/admin-{{ host }}.pem', '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem', '{{ etcd_cert_dir }}/member-{{ host }}.pem', '{{ etcd_cert_dir }}/member-{{ host }}-key.pem', {% endfor %} {% set k8s_nodes = groups['k8s_cluster'] | unique | sort %} {% for host in k8s_nodes %} '{{ etcd_cert_dir }}/node-{{ host }}.pem', '{{ etcd_cert_dir }}/node-{{ host }}-key.pem' {% if not loop.last %}{{ ',' }}{% endif %} {% endfor %}] when: - kube_network_plugin in ["calico", "flannel", "cilium"] or cilium_deploy_additionally | default(false) | bool - kube_network_plugin != "calico" or calico_datastore == "etcd" - force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list - name: "Check_certs | Set 'gen_*_certs' groups to track which nodes needs to have certs generated on first etcd node" vars: existing_certs: etcdcert_master.files | map(attribute='path') ansible.builtin.group_by: key: "gen_{{ item.node_type }}_certs_{{ force_etcd_cert_refresh or item.certs is not subset(existing_certs) }}" loop: "{{ cert_files | dict2items(key_name='node_type', value_name='certs') }}" - name: "Check_certs | Set 'etcd_member_requires_sync' to true if ca or member/admin cert and key don't exist on etcd member or checksum doesn't match" set_fact: etcd_member_requires_sync: true when: - inventory_hostname in groups['etcd'] - (not etcd_member_certs.results[0].stat.exists | default(false)) or (not etcd_member_certs.results[1].stat.exists | default(false)) or (not etcd_member_certs.results[2].stat.exists | default(false)) or (not etcd_member_certs.results[3].stat.exists | default(false)) or (not etcd_member_certs.results[4].stat.exists | default(false)) or (etcd_member_certs.results[0].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_member_certs.results[0].stat.path) | map(attribute="checksum") | first | default('')) or (etcd_member_certs.results[1].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_member_certs.results[1].stat.path) | map(attribute="checksum") | first | default('')) or (etcd_member_certs.results[2].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_member_certs.results[2].stat.path) | map(attribute="checksum") | first | default('')) or (etcd_member_certs.results[3].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_member_certs.results[3].stat.path) | map(attribute="checksum") | first | default('')) or (etcd_member_certs.results[4].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_member_certs.results[4].stat.path) | map(attribute="checksum") | first | default('')) - name: "Check_certs | Set 'kubernetes_host_requires_sync' to true if ca or node cert and key don't exist on kubernetes host or checksum doesn't match" set_fact: kubernetes_host_requires_sync: true when: - inventory_hostname in groups['k8s_cluster'] and inventory_hostname not in groups['etcd'] - (not etcd_node_certs.results[0].stat.exists | default(false)) or (not etcd_node_certs.results[1].stat.exists | default(false)) or (not etcd_node_certs.results[2].stat.exists | default(false)) or (etcd_node_certs.results[0].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_node_certs.results[0].stat.path) | map(attribute="checksum") | first | default('')) or (etcd_node_certs.results[1].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_node_certs.results[1].stat.path) | map(attribute="checksum") | first | default('')) or (etcd_node_certs.results[2].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcd_node_certs.results[2].stat.path) | map(attribute="checksum") | first | default('')) - name: "Check_certs | Set 'sync_certs' to true" set_fact: sync_certs: true when: - etcd_member_requires_sync | default(false) or kubernetes_host_requires_sync | default(false) or 'gen_master_certs_True' in group_names or 'gen_node_certs_True' in group_names