--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create directory
+ file:
+ name: "{{ config.path | dirname }}"
+ state: directory
+ mode: 0755
+ owner: "{{ config.owner | default('root') }}"
+ group: "{{ config.group | default('root') }}"
+
+- name: create kubeconfig
+ command: "/usr/bin/kubectl config {{ cmd }} --kubeconfig={{ config.path }}"
+ with_items:
+ - "set-cluster kubernetes --certificate-authority=/etc/openssl/ca.pem --embed-certs=true --server=https://{{ config.apiserver }}:{{ config.apiserver_port }}"
+ - "set-context default --cluster=kubernetes --user={{ config.user }}"
+ - "use-context default"
+ loop_control:
+ loop_var: cmd
+
+- name: set user auth with token
+ command: "/usr/bin/kubectl config set-credentials {{ config.user }} --token={{ config.token }} --kubeconfig={{ config.path }}"
+ when: config.token is defined and config.token
+
+- name: set user auth with certs
+ command: "/usr/bin/kubectl config set-credentials {{ config.user }} --client-certificate={{ config.cert }} --client-key={{ config.key }} --embed-certs=true --kubeconfig={{ config.path }}"
+ when: not (config.token is defined and config.token)
+
+- name: changing permissions of kubeconfig
+ file:
+ path: "{{ config.path }}"
+ mode: "{{ config.restricted | default(true) | ternary('0640', '0644') }}"
+ owner: "{{ config.owner | default('root') }}"
+ group: "{{ config.group | default('root') }}"
+
+- name: allowing users to access kubeconfig
+ acl:
+ name: "{{ config.path }}"
+ entity: "{{ user }}"
+ etype: user
+ permissions: "r"
+ state: present
+ with_items: "{{ config.add_users | default([]) }}"
+ loop_control:
+ loop_var: user
+
+- name: adding read permission to kubeconfig dir
+ acl:
+ name: "{{ config.path | dirname }}"
+ entity: "{{ user }}"
+ etype: user
+ permissions: "rx"
+ state: present
+ with_items: "{{ config.add_users | default([]) }}"
+ loop_control:
+ loop_var: user