Per master tokens for the scheduler and controller-manager

2025-07-31 15:25:57 +00:00 · 2015-06-25 19:18:29 -04:00 · 2015-06-25 19:18:29 -04:00 · 9f4bfd144f
commit 9f4bfd144f
parent c6f2841839
5 changed files with 20 additions and 26 deletions
--- a/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
@ -6,12 +6,12 @@
    mode=u+x

 - name: Generate tokens for master components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_items:
-    - "system:controller_manager"
-    - "system:scheduler"
+  with_nested:
+    - [ "system:controller_manager", "system:scheduler" ]
+    - "{{ groups['masters'] }}"
  register: gentoken
  changed_when: "'Added' in gentoken.stdout"
  notify:
--- a/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml
@ -13,16 +13,6 @@
  notify:
    - restart daemons

- name: Copy master tokens to the masters
-  synchronize: src={{ kube_token_dir }}/{{ item }} dest={{ kube_token_dir }}/{{ item }}
-  delegate_to: "{{ groups['masters'][0] }}"
-  with_items:
-    - "system:controller_manager.token"
-    - "system:scheduler.token"
-  notify:
-    - restart daemons
-  when: inventory_hostname in groups['masters']
-
 - name: remove ssh public key so apiserver can not push stuff
  authorized_key: user=root key="{{ item }}" state=absent
  with_file:
--- a/contrib/ansible/roles/master/tasks/main.yml
+++ b/contrib/ansible/roles/master/tasks/main.yml
@ -21,16 +21,25 @@
 - name: Enable apiserver
  service: name=kube-apiserver enabled=yes state=started

+- name: Get the node token values
+  slurp:
+    src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
+  with_items:
+    - "system:controller_manager"
+    - "system:scheduler"
+  register: tokens
+  delegate_to: "{{ groups['masters'][0] }}"
+
+- name: Set token facts
+  set_fact:
+    controller_manager_token: "{{ tokens.results[0].content|b64decode }}"
+    scheduler_token: "{{ tokens.results[1].content|b64decode }}"
+
 - name: write the config file for the controller-manager
  template: src=controller-manager.j2 dest={{ kube_config_dir }}/controller-manager
  notify:
    - restart controller-manager

- name: Get the controller-manager token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:controller_manager.token"
-  register: controller_manager_token
-
 - name: write the kubecfg (auth) file for controller-manager
  template: src=controller-manager.kubeconfig.j2 dest={{ kube_config_dir }}/controller-manager.kubeconfig
  notify:
@ -44,11 +53,6 @@
  notify:
    - restart scheduler

- name: Get the scheduler token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:scheduler.token"
-  register: scheduler_token
-
 - name: write the kubecfg (auth) file for scheduler
  template: src=scheduler.kubeconfig.j2 dest={{ kube_config_dir }}/scheduler.kubeconfig
  notify:
--- a/contrib/ansible/roles/master/templates/controller-manager.kubeconfig.j2
+++ b/contrib/ansible/roles/master/templates/controller-manager.kubeconfig.j2
@ -15,4 +15,4 @@ contexts:
 users:
 - name: controller-manager
  user:
-    token: {{ controller_manager_token.content|b64decode }}
+    token: {{ controller_manager_token }}
--- a/contrib/ansible/roles/master/templates/scheduler.kubeconfig.j2
+++ b/contrib/ansible/roles/master/templates/scheduler.kubeconfig.j2
@ -15,4 +15,4 @@ contexts:
 users:
 - name: scheduler
  user:
-    token: {{ scheduler_token.content|b64decode }}
+    token: {{ scheduler_token }}