kubespray/roles/etcd/tasks/gen_nodes_certs_script.yml

---
- name: Gen_certs | Set cert names per node
  set_fact:
    my_etcd_node_certs: [ 'ca.pem',
                          'node-{{ inventory_hostname }}.pem',
                          'node-{{ inventory_hostname }}-key.pem']
  tags:
    - facts

- name: "Check_certs | Set 'sync_certs' to true on nodes"
  set_fact:
    sync_certs: true
  with_items:
    - "{{ my_etcd_node_certs }}"

- name: Gen_certs | Gather node certs
  vars:
    ansible_ssh_retries: 10
  shell: "set -o pipefail && tar cfz - -C {{ etcd_cert_dir }} {{ my_etcd_node_certs | join(' ') }} | base64 --wrap=0"
  args:
    executable: /bin/bash
  no_log: "{{ not (unsafe_show_logs | bool) }}"
  register: etcd_node_certs
  check_mode: no
  delegate_to: "{{ groups['etcd'][0] }}"
  changed_when: false

- name: Gen_certs | Copy certs on nodes
  shell: "set -o pipefail && base64 -d <<< '{{ etcd_node_certs.stdout | quote }}' | tar xz -C {{ etcd_cert_dir }}"
  args:
    executable: /bin/bash
  no_log: "{{ not (unsafe_show_logs | bool) }}"
  changed_when: false