kubespray/roles/network_plugin/calico/tasks/calico_apiserver_certs.yml

61 lines
1.7 KiB
YAML

---
- name: Calico | Check if calico apiserver exists
command: "{{ kubectl }} -n calico-apiserver get secret calico-apiserver-certs"
register: calico_apiserver_secret
changed_when: false
failed_when: false
- name: Calico | Create ns manifests
template:
src: "calico-apiserver-ns.yml.j2"
dest: "{{ kube_config_dir }}/calico-apiserver-ns.yml"
mode: "0644"
- name: Calico | Apply ns manifests
kube:
kubectl: "{{ bin_dir }}/kubectl"
filename: "{{ kube_config_dir }}/calico-apiserver-ns.yml"
state: "latest"
- name: Calico | Ensure calico certs dir
file:
path: /etc/calico/certs
state: directory
mode: "0755"
when: calico_apiserver_secret.rc != 0
- name: Calico | Copy ssl script for apiserver certs
template:
src: make-ssl-calico.sh.j2
dest: "{{ bin_dir }}/make-ssl-apiserver.sh"
mode: "0755"
when: calico_apiserver_secret.rc != 0
- name: Calico | Copy ssl config for apiserver certs
copy:
src: openssl.conf
dest: /etc/calico/certs/openssl.conf
mode: "0644"
when: calico_apiserver_secret.rc != 0
- name: Calico | Generate apiserver certs
command: >-
{{ bin_dir }}/make-ssl-apiserver.sh
-f /etc/calico/certs/openssl.conf
-c {{ kube_cert_dir }}
-d /etc/calico/certs
-s apiserver
when: calico_apiserver_secret.rc != 0
- name: Calico | Create calico apiserver generic secrets
command: >-
{{ kubectl }} -n calico-apiserver
create secret generic {{ item.name }}
--from-file={{ item.cert }}
--from-file={{ item.key }}
with_items:
- name: calico-apiserver-certs
cert: /etc/calico/certs/apiserver.crt
key: /etc/calico/certs/apiserver.key
when: calico_apiserver_secret.rc != 0