Use slurp to get the ca.crt

contrib/ansible/roles/kubernetes/tasks/place_secrets.yml

@@ -1,20 +0,0 @@
----
-- name: place ssh public key so apiserver can push certs
-  authorized_key: user=root key="{{ item }}" state=present
-  with_file:
-    - '/tmp/id_rsa.pub'
-  changed_when: false
-
-- name: Copy certificates directly from the apiserver to nodes
-  synchronize: src={{ kube_cert_dir }}/{{ item }} dest={{ kube_cert_dir }}/{{ item }}
-  delegate_to: "{{ groups['masters'][0] }}"
-  with_items:
-    - "ca.crt"
-  notify:
-    - restart daemons
-
-- name: remove ssh public key so apiserver can not push stuff
-  authorized_key: user=root key="{{ item }}" state=absent
-  with_file:
-    - '/tmp/id_rsa.pub'
-  changed_when: false

contrib/ansible/roles/kubernetes/tasks/secrets.yml

@@ -28,35 +28,17 @@
 - include: gen_certs.yml
   when: inventory_hostname == groups['masters'][0]
 
+- name: Read back the CA certificate
+  slurp:
+    src: "{{ kube_cert_dir }}/ca.crt"
+  register: ca_cert
+  run_once: true
+  delegate_to: "{{ groups['masters'][0] }}"
+
+- name: Place CA certificate everywhere
+  copy: content="{{ ca_cert.content|b64decode }}" dest="{{ kube_cert_dir }}/ca.crt"
+  notify:
+    - restart daemons
+
 - include: gen_tokens.yml
   when: inventory_hostname == groups['masters'][0]
-
-- name: Install rsync to push secrets around
-  action: "{{ ansible_pkg_mgr }}"
-  args:
-    name: rsync
-    state: latest
-  when: not is_atomic
-
-- name: Generating RSA key for master node to push to others
-  user: name=root generate_ssh_key=yes
-  run_once: true
-  delegate_to: "{{ groups['masters'][0] }}"
-
-- name: Downloading pub key
-  fetch:
-    src=/root/.ssh/id_rsa.pub
-    dest=/tmp/id_rsa.pub
-    flat=yes
-    fail_on_missing=true
-  run_once: true
-  delegate_to: "{{ groups['masters'][0] }}"
-  changed_when: false
-
-- include: place_secrets.yml
-
-- name: Delete the downloaded pub key
-  local_action: file path=/tmp/id_rsa.pub state=absent
-  sudo: false
-  run_once: true
-  changed_when: false