Move kubectl config into a specific playbook and fix certs path

k8s.yml

@@ -31,11 +31,6 @@
       tags: role-cfssl
     - role: kubernetes-ca
       tags: role-kubernetes-ca
-- hosts: k8s_kubectl
-  become: yes
-  roles:
-    - role: kubectl
-      tags: role-kubectl
 - hosts: k8s_etcd
   roles:
     - role: etcd

playbooks/group_vars

@@ -0,0 +1 @@
+../group_vars

playbooks/host_vars

@@ -0,0 +1 @@
+../host_vars

playbooks/kubectl-config.yml

@@ -0,0 +1,8 @@
+---
+- hosts: all
+  tasks: [ ]
+- hosts: k8s_kubectl
+  become: yes
+  roles:
+    - role: kubectl
+      tags: role-kubectl

playbooks/roles

@@ -0,0 +1 @@
+../roles

roles/kubectl/tasks/kubectl-cluster-config.yml

@@ -1,7 +1,7 @@
 - name: kubectl config set-cluster
   shell: |
     kubectl config set-cluster {{k8s_config_cluster_name}} \
-      --certificate-authority={{k8s_ca_conf_directory}}/ca-k8s-apiserver.pem \
+      --certificate-authority={{k8s_ca_conf_directory}}/ca.pem \
       --embed-certs=true \
       --server=https://{{hostvars[groups.k8s_master|first]['ansible_' + k8s_interface].ipv4.address}}:6443
   register: set_cluster
@@ -12,8 +12,8 @@
 - name: kubectl config set-credentials admin
   shell: |
     kubectl config set-credentials admin \
-      --client-certificate={{k8s_ca_conf_directory}}/cert-admin.pem \
-      --client-key={{k8s_ca_conf_directory}}/cert-admin-key.pem
+      --client-certificate={{k8s_ca_conf_directory}}/admin.pem \
+      --client-key={{k8s_ca_conf_directory}}/admin-key.pem
   register: set_credentials
 
 - debug:

roles/kubectl/tasks/kubectl-config.yml

@@ -1,11 +1,11 @@
-- name: Generate a kubeconfig file for the {{service.name}} service (set-cluster)
-  shell: "kubectl config set-cluster {{k8s_config_cluster_name}} --certificate-authority={{k8s_ca_conf_directory}}/ca-k8s-apiserver.pem --embed-certs=true --server=https://{{apiServer}}:{{k8s_apiserver_secure_port}} --kubeconfig={{k8s_config_directory}}/{{service.name}}.kubeconfig"
+- name: Generate a kubeconfig file for the {{service}} service (set-cluster)
+  shell: "kubectl config set-cluster {{k8s_config_cluster_name}} --certificate-authority={{k8s_ca_conf_directory}}/ca.pem --embed-certs=true --server=https://{{apiServer}}:{{k8s_apiserver_secure_port}} --kubeconfig={{k8s_config_directory}}/{{service}}.kubeconfig"
 
-- name: Generate a kubeconfig file for the {{service.name}} service (set-credentials)
-  shell: "kubectl config set-credentials system:{{service.name}} --client-certificate={{k8s_ca_conf_directory}}/cert-{{service.client_cert}}.pem --client-key={{k8s_ca_conf_directory}}/cert-{{service.client_cert}}-key.pem --embed-certs=true --kubeconfig={{k8s_config_directory}}/{{service.name}}.kubeconfig"
+- name: Generate a kubeconfig file for the {{service}} service (set-credentials)
+  shell: "kubectl config set-credentials system:{{service}} --client-certificate={{k8s_ca_conf_directory}}/{{service}}.pem --client-key={{k8s_ca_conf_directory}}/{{service}}-key.pem --embed-certs=true --kubeconfig={{k8s_config_directory}}/{{service}}.kubeconfig"
 
-- name: Generate a kubeconfig file for the {{service.name}} service (set-context)
-  shell: "kubectl config set-context default --cluster={{k8s_config_cluster_name}} --user=system:{{service.name}} --kubeconfig={{k8s_config_directory}}/{{service.name}}.kubeconfig"
+- name: Generate a kubeconfig file for the {{service}} service (set-context)
+  shell: "kubectl config set-context default --cluster={{k8s_config_cluster_name}} --user=system:{{service}} --kubeconfig={{k8s_config_directory}}/{{service}}.kubeconfig"
 
 - name: Set use-context
-  shell: "kubectl config use-context default --kubeconfig={{k8s_config_directory}}/{{service.name}}.kubeconfig"
+  shell: "kubectl config use-context default --kubeconfig={{k8s_config_directory}}/{{service}}.kubeconfig"

roles/kubectl/tasks/main.yml

@@ -26,14 +26,14 @@
     - kubectl
 
 - name: Generate a kubeconfig file for each worker node (set-cluster)
-  shell: "kubectl config set-cluster {{k8s_config_cluster_name}} --certificate-authority={{k8s_ca_conf_directory}}/ca-k8s-apiserver.pem --embed-certs=true --server=https://{{hostvars[groups['k8s_master'][0]]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}}:{{k8s_apiserver_secure_port}} --kubeconfig={{k8s_config_directory}}/{{item}}.kubeconfig"
+  shell: "kubectl config set-cluster {{k8s_config_cluster_name}} --certificate-authority={{k8s_ca_conf_directory}}/ca.pem --embed-certs=true --server=https://{{hostvars[groups['k8s_master'][0]]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}}:{{k8s_apiserver_secure_port}} --kubeconfig={{k8s_config_directory}}/{{item}}.kubeconfig"
   with_inventory_hostnames:
     - k8s_worker
   tags:
     - k8s-auth-config-kubelet
 
 - name: Generate a kubeconfig file for each worker node (set-credentials)
-  shell: "kubectl config set-credentials system:node:{{hostvars[item]['ansible_hostname']}} --client-certificate={{k8s_ca_conf_directory}}/cert-{{item}}.pem --client-key={{k8s_ca_conf_directory}}/cert-{{item}}-key.pem --embed-certs=true --kubeconfig={{k8s_config_directory}}/{{item}}.kubeconfig"
+  shell: "kubectl config set-credentials system:node:{{hostvars[item]['ansible_hostname']}} --client-certificate={{k8s_ca_conf_directory}}/{{item}}.pem --client-key={{k8s_ca_conf_directory}}/{{item}}-key.pem --embed-certs=true --kubeconfig={{k8s_config_directory}}/{{item}}.kubeconfig"
   with_inventory_hostnames:
     - k8s_worker
   tags:
@@ -65,17 +65,15 @@
 
 - include_tasks: kubectl-config.yml
   loop:
-    - name: kube-proxy
-      client_cert: k8s-proxy
-    - name: kube-controller-manager
-      client_cert: k8s-controller-manager
-    - name: kube-scheduler
-      client_cert: k8s-scheduler
-    - name: admin
-      client_cert: admin
+    - kube-proxy
+    - kube-controller-manager
+    - kube-scheduler
+    - admin
   loop_control:
     loop_var: service
 
+- include_tasks: kubectl-cluster-config.yml
+
 - name: Create encryption config file
   template:
     src: "templates/encryption-config.yaml.j2"