Etcd cluster setup makeover

The current way to set up the etcd cluster is messy and buggy.

- It checks whether the cluster is healthy before the cluster is even created.
- The unit files are started on handlers, not in the task, so you mess with "flush handlers".
- The join_member.yml is not used.
- etcd events cluster is not configured for kubeadm
- remove duplicate runs between running the role on etcd nodes and k8s nodes
woopstar
2018-04-01 18:58:08 +02:00
committed by Andreas Kruger
parent 92fc2df214
commit 86e3506ae6
15 changed files with 135 additions and 172 deletions


@@ -15,6 +15,7 @@
owner: root
mode: 0700
run_once: yes
when: inventory_hostname == groups['etcd'][0]
delegate_to: "{{groups['etcd'][0]}}"
- name: "Gen_certs | create etcd cert dir (on {{groups['etcd'][0]}})"
@@ -26,6 +27,7 @@
recurse: yes
mode: 0700
run_once: yes
when: inventory_hostname == groups['etcd'][0]
delegate_to: "{{groups['etcd'][0]}}"
- name: Gen_certs | write openssl config
@@ -34,7 +36,9 @@
dest: "{{ etcd_config_dir }}/openssl.conf"
run_once: yes
delegate_to: "{{groups['etcd'][0]}}"
when: gen_certs|default(false)
when:
- gen_certs|default(false)
- inventory_hostname == groups['etcd'][0]
- name: Gen_certs | copy certs generation script
copy:
@@ -43,8 +47,9 @@
mode: 0700
run_once: yes
delegate_to: "{{groups['etcd'][0]}}"
when: gen_certs|default(false)
when:
- gen_certs|default(false)
- inventory_hostname == groups['etcd'][0]
- name: Gen_certs | run cert generation script
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
@@ -61,7 +66,9 @@
{% endfor %}"
run_once: yes
delegate_to: "{{groups['etcd'][0]}}"
when: gen_certs|default(false)
when:
- gen_certs|default(false)
- inventory_hostname == groups['etcd'][0]
notify: set etcd_secret_changed
- set_fact:
@@ -160,5 +167,5 @@
group: "{{ etcd_cert_group }}"
state: directory
owner: kube
mode: "u=rwX,g-rwx,o-rwx"
mode: "640"
recurse: yes
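Review bot: In the last hunk, assuming the second `mode:` line is the new side, `mode: "640"` is applied together with `state: directory` and `recurse: yes`, so the directory itself and anything below it lose the search (x) bit and owner `kube` can no longer traverse into it. The same value also gives the group read access to every file in the tree, which presumably includes the etcd private keys, where the previous symbolic mode gave the group nothing. A numeric mode cannot tell directories from files under `recurse`, while the capital `X` form can, so I would keep `mode: "u=rwX,g-rwx,o-rwx"`, or use `mode: "u=rwX,g=rX,o-rwx"` if members of `etcd_cert_group` are meant to read the certificates. The task's name and `path:` are outside the hunk, so confirm which directory this applies to.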