okd/roles/etcd_certificates/tasks/client.yml

---
- name: Ensure generated_certs directory present
  file:
    path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    state: directory
    mode: 0700
  with_items: "{{ etcd_needing_client_certs | default([]) }}"

- name: Create the client csr
  command: >
    openssl req -new -keyout {{ item.etcd_cert_prefix }}client.key
    -config {{ etcd_openssl_conf }}
    -out {{ item.etcd_cert_prefix }}client.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ item.etcd_hostname }}
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
                 ~ item.etcd_cert_prefix ~ 'client.csr' }}"
  environment:
    SAN: "IP:{{ item.etcd_ip }}"
  with_items: "{{ etcd_needing_client_certs | default([]) }}"

- name: Sign and create the client crt
  command: >
    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
    -out {{ item.etcd_cert_prefix }}client.crt
    -in {{ item.etcd_cert_prefix }}client.csr
    -batch
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
                 ~ item.etcd_cert_prefix ~ 'client.crt' }}"
  environment:
    SAN: "IP:{{ item.etcd_ip }}"
  with_items: "{{ etcd_needing_client_certs | default([]) }}"

- file:
    src: "{{ etcd_ca_cert }}"
    dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
    state: hard
  with_items: "{{ etcd_needing_client_certs | default([]) }}"