Update

roles/secrets/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+# tasks file for secrets
+
+# Role for creating k8s cluster encryption key and config
+
+# Documentation: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
+
+# Generate a 32 byte random key and base64 encode it
+- name: Generate a 32 byte random key and base64 encode it
+  shell: head -c 32 /dev/urandom | base64
+  register: secret
+  when: inventory_hostname == groups['masters'][0] 
+  tags:
+    - encryption_config
+
+# Takes the secret generated above and place it into a .j2 template
+# to create the encryption config
+- name: Place encryption config template onto master
+  template:
+    src: encryption-config.yaml.j2
+    dest: /etc/pki/encryption-config.yaml
+  when: inventory_hostname == groups['masters'][0]
+  tags:
+    - encryption_config
+
+# Resgister the encryption config file for fetching
+- name: Register encryption config for fetching from master01
+  find:
+    paths: /etc/pki
+    recurse: no
+    patterns: "encryption-config.yaml"
+  register: files_to_copy
+  tags:
+    - encryption_config
+  when: inventory_hostname == groups['masters'][0]
+
+##########################################
+##     WARNING: ADD THIS ROLES /FILES   ##
+##     DIRECTORY TO YOUR .GITIGNORE     ##
+##            OR EVERYONE WILL          ##
+#      HAVE YOUR encryption-config      ##
+##########################################
+
+# Bring encryption config to the ansible controller
+- name: Fetch Encryption Config
+  fetch:
+    src: "{{ item.path }}"
+    dest: roles/secrets/files/
+    flat: yes
+  with_items: "{{ files_to_copy.files }}"
+  tags:
+    - encryption_config
+  when: inventory_hostname == groups['masters'][0]
+
+# This task is reserved for when you have 2 or more control nodes
+#- name: Distribute encryption config to other control nodes ( masters )
+#  copy:
+#    src: "encryption-config.yaml"
+#    dest: "/etc/pki"
+#  when: inventory_hostname == groups['management'][0]
+#  tags:
+#    - encryption_config