Fix creation and sync of etcd certs

Admin certs only go to etcd nodes
Only generate cert-data for nodes that need sync

roles/etcd/files/make-ssl-etcd.sh

@@ -71,30 +71,24 @@ fi
 # ETCD member
 if [ -n "$MASTERS" ]; then
     for host in $MASTERS; do
+        # Member key
         openssl genrsa -out member-${host}-key.pem 2048 > /dev/null 2>&1
         openssl req -new -key member-${host}-key.pem -out member-${host}.csr -subj "/CN=etcd-member-${host}" -config ${CONFIG} > /dev/null 2>&1
         openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days 365 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
+
+        # Admin key
+        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
+        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=etcd-admin-${host}" > /dev/null 2>&1
+        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 365 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
     done
-else
-    openssl genrsa -out member-key.pem 2048 > /dev/null 2>&1
-    openssl req -new -key member-key.pem -out member.csr -subj "/CN=etcd-member" -config ${CONFIG} > /dev/null 2>&1
-    openssl x509 -req -in member.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member.pem -days 365 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
 fi
 
-# Node and admin keys
+# Node keys
 if [ -n "$HOSTS" ]; then
     for host in $HOSTS; do
-        for i in node admin; do
-            openssl genrsa -out ${i}-${host}-key.pem 2048 > /dev/null 2>&1
-            openssl req -new -key ${i}-${host}-key.pem -out ${i}-${host}.csr -subj "/CN=kube-${i}-${host}" > /dev/null 2>&1
-            openssl x509 -req -in ${i}-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${i}-${host}.pem -days 365 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
-        done
-     done
-else
-    for i in node admin; do
-        openssl genrsa -out ${i}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key ${i}-key.pem -out ${i}.csr -subj "/CN=kube-${i}" > /dev/null 2>&1
-        openssl x509 -req -in ${i}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${i}.pem -days 365 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
+        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
+        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=etcd-node-${host}" > /dev/null 2>&1
+        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
     done
 fi
 

roles/etcd/tasks/check_certs.yml

@@ -28,7 +28,7 @@
 
 - name: "Check certs | check if a cert already exists"
   stat:
-    path: "{{ etcd_cert_dir }}/node-{{inventory_hostname}}-key.pem"
+    path: "{{ etcd_cert_dir }}/{{ item }}"
   register: etcdcert
   with_items:
     - ca.pem

roles/etcd/tasks/gen_certs.yml

@@ -40,8 +40,7 @@
                     {{ m }}
                   {% endif %}
                 {% endfor %}"
-    - HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
-              {% for h in all_kube_hosts %}
+    - HOSTS: "{% for h in groups['k8s-cluster'] %}
                 {% if hostvars[h].sync_certs|default(false) %}
                     {{ h }}
                 {% endif %}
@@ -66,8 +65,7 @@
                      'member-{{ inventory_hostname }}-key.pem'
                      ]
     all_node_certs: "['ca.pem',
-                    {% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
-                    {% for node in all_kube_hosts %}
+                    {% for node in groups['k8s-cluster'] %}
                     'node-{{ node }}.pem',
                     'node-{{ node }}-key.pem',
                     {% endfor %}]"
@@ -78,14 +76,16 @@
   shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
   register: etcd_master_cert_data
   delegate_to: "{{groups['etcd'][0]}}"
-  when: sync_certs|default(false)
+  when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
+        inventory_hostname != groups['etcd'][0]
   notify: set etcd_secret_changed
 
 - name: Gen_certs | Gather etcd node certs
   shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_node_certs|join(' ') }} | base64 --wrap=0"
   register: etcd_node_cert_data
   delegate_to: "{{groups['etcd'][0]}}"
-  when: sync_certs|default(false)
+  when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
+        inventory_hostname not in groups['etcd']
   notify: set etcd_secret_changed
 
 - name: Gen_certs | Copy certs on masters
@@ -97,7 +97,8 @@
 - name: Gen_certs | Copy certs on nodes
   shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
   changed_when: false
-  when: sync_certs|default(false) and inventory_hostname not in groups['etcd']
+  when: sync_certs|default(false) and
+        inventory_hostname not in groups['etcd']
 
 - name: Gen_certs | check certificate permissions
   file: