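---
# Generates the key material for a manually assembled Kubernetes cluster on the
# control host: the cluster CA, the admin / component / worker node
# certificates, the matching kubeconfig files and the secrets encryption config.
# Everything is written under /var/tmp/kubernetes (kube_dir).
#
# Assumes `kubectl` is already on PATH (it is not installed here), that the CSR
# JSON files live under files/ and the Jinja templates under templates/.
- name: Playbook to automate a manual k8s installation
  hosts: localhost
  become: true
  vars:
    # Worker nodes; each gets its own node certificate and kubeconfig.
    worker_name:
      - debian-k8s-node1
      - debian-k8s-node2
    # Presumably read by templates/worker-csr_json.j2 while looping over
    # worker_name (where `item` is defined) -- verify against the template.
    server_name: "{{ item }}"
    # Front-end address the worker and kube-proxy kubeconfigs point at.
    haproxy_addr: "192.168.11.58"
    etcd_host1_ip: "192.168.11.167"
    etcd_host2_ip: "192.168.11.94"
    # Added to the API server certificate's SAN list together with the hosts
    # above; presumably the first IP of the service CIDR -- confirm.
    kube_service_ip: "10.32.0.1"
    kube_cluster: "kubernetes"
    # Working directory for all generated key material.
    kube_dir: /var/tmp/kubernetes
    # Non-root user that takes ownership of the generated files at the end.
    files_owner: jonny
  tasks:
    - name: Download and install the cfssl utility
      # TODO(review): pin each download with `checksum: sha256:<hash>` so a
      # changed or tampered binary fails the task instead of being installed.
      get_url:
        url: "https://pkg.cfssl.org/R1.2/{{ item }}_linux-amd64"
        dest: "/usr/local/bin/{{ item }}"
        mode: "0755"
      with_items:
        - cfssl
        - cfssljson

    - name: Put the seed key material files in place
      file:
        path: "{{ kube_dir }}"
        state: directory
        mode: "0700"  # private keys are written here; owner-only access

    - name: Copy the CSR and CA config files
      copy:
        src: "files/{{ item }}"
        dest: "{{ kube_dir }}/"
        mode: preserve
      with_items:
        - ca-csr.json
        - admin-csr.json
        - ca-config.json
        - kube-controller-manager-csr.json
        - kube-proxy-csr.json
        - kube-scheduler-csr.json
        - kubernetes-csr.json
        - service-account-csr.json

    - name: Render one CSR per worker node
      template:
        src: templates/worker-csr_json.j2
        dest: "{{ kube_dir }}/{{ item }}-csr.json"
        mode: preserve
      with_items: "{{ worker_name }}"

    # `creates:` on the cfssl tasks keeps a re-run from silently minting a new
    # CA or new certificates that no longer match what is already deployed.
    - name: Create the CA
      shell: >-
        /usr/local/bin/cfssl gencert -initca ca-csr.json
        | /usr/local/bin/cfssljson -bare ca
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/ca.pem"

    - name: Create the admin KMOs
      shell: >-
        /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
        -config=ca-config.json -profile=kubernetes admin-csr.json
        | /usr/local/bin/cfssljson -bare admin
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/admin.pem"

    - name: Create the worker node certificates
      shell: >-
        /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
        -config=ca-config.json -hostname={{ item }} -profile=kubernetes
        {{ item }}-csr.json | /usr/local/bin/cfssljson -bare {{ item }}
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/{{ item }}.pem"
      with_items: "{{ worker_name }}"

    - name: Create the kube-controller-manager KMOs
      shell: >-
        /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
        -config=ca-config.json -profile=kubernetes
        kube-controller-manager-csr.json
        | /usr/local/bin/cfssljson -bare kube-controller-manager
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/kube-controller-manager.pem"

    - name: Create the kube-proxy KMOs
      shell: >-
        /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
        -config=ca-config.json -profile=kubernetes kube-proxy-csr.json
        | /usr/local/bin/cfssljson -bare kube-proxy
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/kube-proxy.pem"

    - name: Create the kube-scheduler KMOs
      shell: >-
        /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
        -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json
        | /usr/local/bin/cfssljson -bare kube-scheduler
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/kube-scheduler.pem"

    - name: Create the kubernetes cluster KMOs
      # SANs cover the service IP, both etcd hosts, the haproxy front end,
      # loopback and the in-cluster DNS name of the API server.
      shell: >-
        /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
        -config=ca-config.json
        -hostname={{ kube_service_ip }},{{ etcd_host1_ip }},{{ etcd_host2_ip }},{{ haproxy_addr }},127.0.0.1,kubernetes.default
        -profile=kubernetes kubernetes-csr.json
        | /usr/local/bin/cfssljson -bare kubernetes
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/kubernetes.pem"

    - name: Create the kubernetes service account KMOs
      shell: >-
        /usr/local/bin/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
        -config=ca-config.json -profile=kubernetes service-account-csr.json
        | /usr/local/bin/cfssljson -bare service-account
      args:
        chdir: "{{ kube_dir }}"
        creates: "{{ kube_dir }}/service-account.pem"

    # The kubeconfig scripts run under `set -e` so a failing kubectl step fails
    # the task instead of being masked by the later use-context call.
    - name: Create the worker node kubeconfig files
      shell: |
        set -e
        kubectl config set-cluster {{ kube_cluster }} \
          --certificate-authority=ca.pem --embed-certs=true \
          --server=https://{{ haproxy_addr }}:6443 \
          --kubeconfig={{ item }}.kubeconfig
        kubectl config set-credentials system:node:{{ item }} \
          --client-certificate={{ item }}.pem --client-key={{ item }}-key.pem \
          --embed-certs=true --kubeconfig={{ item }}.kubeconfig
        kubectl config set-context default \
          --cluster={{ kube_cluster }} --user=system:node:{{ item }} \
          --kubeconfig={{ item }}.kubeconfig
        kubectl config use-context default --kubeconfig={{ item }}.kubeconfig
      args:
        chdir: "{{ kube_dir }}"
      with_items: "{{ worker_name }}"

    - name: Create the kube-proxy kubeconfig file
      shell: |
        set -e
        kubectl config set-cluster {{ kube_cluster }} \
          --certificate-authority=ca.pem --embed-certs=true \
          --server=https://{{ haproxy_addr }}:6443 \
          --kubeconfig=kube-proxy.kubeconfig
        kubectl config set-credentials system:kube-proxy \
          --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem \
          --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
        kubectl config set-context default \
          --cluster={{ kube_cluster }} --user=system:kube-proxy \
          --kubeconfig=kube-proxy.kubeconfig
        kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
      args:
        chdir: "{{ kube_dir }}"

    # Control-plane components talk to the local API server, hence 127.0.0.1.
    - name: Create the controller-manager kubeconfig file
      shell: |
        set -e
        kubectl config set-cluster {{ kube_cluster }} \
          --certificate-authority=ca.pem --embed-certs=true \
          --server=https://127.0.0.1:6443 \
          --kubeconfig=kube-controller-manager.kubeconfig
        kubectl config set-credentials system:kube-controller-manager \
          --client-certificate=kube-controller-manager.pem \
          --client-key=kube-controller-manager-key.pem \
          --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
        kubectl config set-context default \
          --cluster={{ kube_cluster }} --user=system:kube-controller-manager \
          --kubeconfig=kube-controller-manager.kubeconfig
        kubectl config use-context default \
          --kubeconfig=kube-controller-manager.kubeconfig
      args:
        chdir: "{{ kube_dir }}"

    - name: Create the kube-scheduler kubeconfig file
      shell: |
        set -e
        kubectl config set-cluster {{ kube_cluster }} \
          --certificate-authority=ca.pem --embed-certs=true \
          --server=https://127.0.0.1:6443 \
          --kubeconfig=kube-scheduler.kubeconfig
        kubectl config set-credentials system:kube-scheduler \
          --client-certificate=kube-scheduler.pem \
          --client-key=kube-scheduler-key.pem \
          --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig
        kubectl config set-context default \
          --cluster={{ kube_cluster }} --user=system:kube-scheduler \
          --kubeconfig=kube-scheduler.kubeconfig
        kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
      args:
        chdir: "{{ kube_dir }}"

    - name: Create admin kubeconfig file
      shell: |
        set -e
        kubectl config set-cluster {{ kube_cluster }} \
          --certificate-authority=ca.pem --embed-certs=true \
          --server=https://127.0.0.1:6443 \
          --kubeconfig=admin.kubeconfig
        kubectl config set-credentials admin \
          --client-certificate=admin.pem --client-key=admin-key.pem \
          --embed-certs=true --kubeconfig=admin.kubeconfig
        kubectl config set-context default \
          --cluster={{ kube_cluster }} --user=admin \
          --kubeconfig=admin.kubeconfig
        kubectl config use-context default --kubeconfig=admin.kubeconfig
      args:
        chdir: "{{ kube_dir }}"

    - name: Create data encryption key
      # Secret material: no_log keeps the key out of the Ansible output and
      # logs. Every run mints a fresh key and re-renders the encryption
      # config, so secrets already encrypted under an older key would become
      # unreadable -- do not re-run this step against a populated cluster.
      shell: head -c 32 /dev/urandom | base64
      register: enc_key
      no_log: true

    - name: Generate the encryption file
      template:
        src: templates/encryption-config.j2
        dest: "{{ kube_dir }}/encryption-config.yaml"
        mode: "0600"  # embeds the data encryption key

    - name: Set the owner of files to be ansible
      file:
        path: "{{ kube_dir }}"
        owner: "{{ files_owner }}"
        recurse: true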