Kubernetes-Home-Lab/roles/secrets/tasks/main.yml

---
# tasks file for secrets

# Role for creating k8s cluster encryption key and config

# Documentation: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/

# Generate a 32 byte random key and base64 encode it
- name: Generate a 32 byte random key and base64 encode it
  shell: head -c 32 /dev/urandom | base64
  register: secret
  when: inventory_hostname == groups['masters'][0] 
  tags:
    - encryption_config

# Takes the secret generated above and place it into a .j2 template
# to create the encryption config
- name: Place encryption config template onto master
  template:
    src: encryption-config.yaml.j2
    dest: /etc/pki/encryption-config.yaml
  when: inventory_hostname == groups['masters'][0]
  tags:
    - encryption_config

# Resgister the encryption config file for fetching
- name: Register encryption config for fetching from master01
  find:
    paths: /etc/pki
    recurse: no
    patterns: "encryption-config.yaml"
  register: files_to_copy
  tags:
    - encryption_config
  when: inventory_hostname == groups['masters'][0]

##########################################
##     WARNING: ADD THIS ROLES /FILES   ##
##     DIRECTORY TO YOUR .GITIGNORE     ##
##            OR EVERYONE WILL          ##
#      HAVE YOUR encryption-config      ##
##########################################

# Bring encryption config to the ansible controller
- name: Fetch Encryption Config
  fetch:
    src: "{{ item.path }}"
    dest: roles/secrets/files/
    flat: yes
  with_items: "{{ files_to_copy.files }}"
  tags:
    - encryption_config
  when: inventory_hostname == groups['masters'][0]

# This task is reserved for when you have 2 or more control nodes
#- name: Distribute encryption config to other control nodes ( masters )
#  copy:
#    src: "encryption-config.yaml"
#    dest: "/etc/pki"
#  when: inventory_hostname == groups['management'][0]
#  tags:
#    - encryption_config