--- - name: Parse certificate key if not set set_fact: kubeadm_certificate_key: "{{ hostvars[groups['kube_control_plane'][0]]['kubeadm_certificate_key'] }}" when: kubeadm_certificate_key is undefined - name: Create kubeadm cert controlplane config template: src: "kubeadm-client.conf.{{ kubeadmConfig_api_version }}.j2" dest: "{{ kube_config_dir }}/kubeadm-cert-controlplane.conf" mode: 0640 vars: kubeadm_cert_controlplane: true - name: Pull control plane certs down shell: >- {{ bin_dir }}/kubeadm join phase control-plane-prepare download-certs --config {{ kube_config_dir }}/kubeadm-cert-controlplane.conf && {{ bin_dir }}/kubeadm join phase control-plane-prepare certs --config {{ kube_config_dir }}/kubeadm-cert-controlplane.conf args: creates: "{{ kube_cert_dir }}/apiserver-etcd-client.key" - name: Delete unneeded certificates file: path: "{{ item }}" state: absent with_items: - "{{ kube_cert_dir }}/apiserver.crt" - "{{ kube_cert_dir }}/apiserver.key" - "{{ kube_cert_dir }}/ca.key" - "{{ kube_cert_dir }}/etcd/ca.key" - "{{ kube_cert_dir }}/etcd/healthcheck-client.crt" - "{{ kube_cert_dir }}/etcd/healthcheck-client.key" - "{{ kube_cert_dir }}/etcd/peer.crt" - "{{ kube_cert_dir }}/etcd/peer.key" - "{{ kube_cert_dir }}/etcd/server.crt" - "{{ kube_cert_dir }}/etcd/server.key" - "{{ kube_cert_dir }}/front-proxy-ca.crt" - "{{ kube_cert_dir }}/front-proxy-ca.key" - "{{ kube_cert_dir }}/front-proxy-client.crt" - "{{ kube_cert_dir }}/front-proxy-client.key" - "{{ kube_cert_dir }}/sa.key" - "{{ kube_cert_dir }}/sa.pub" - name: Calculate etcd cert serial command: "openssl x509 -in {{ kube_cert_dir }}/apiserver-etcd-client.crt -noout -serial" register: "etcd_client_cert_serial_result" changed_when: false when: - inventory_hostname in groups['k8s_cluster'] | union(groups['calico_rr'] | default([])) | unique | sort tags: - network - name: Set etcd_client_cert_serial set_fact: etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout.split('=')[1] }}" tags: - network