Create CA and Client Certificates on a protected CA Server, and transfer to them to your nodes, using Ansible
This is based on https://kapuablog.wordpress.com/2019/11/26/ansible-reading-a-remote-yaml-file/
It has been used in $my_service to generate client certificates on a protected Certificate Authority (CA) server (accessible only to my Ansible Tower/AWX server) and is then distributed to the client nodes.