Per master tokens for the scheduler and controller-manager

contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml

@@ -6,12 +6,12 @@
     mode=u+x
 
 - name: Generate tokens for master components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
   environment:
     TOKEN_DIR: "{{ kube_token_dir }}"
-  with_items:
+  with_nested:
-    - "system:controller_manager"
+    - [ "system:controller_manager", "system:scheduler" ]
-    - "system:scheduler"
+    - "{{ groups['masters'] }}"
   register: gentoken
   changed_when: "'Added' in gentoken.stdout"
   notify:

contrib/ansible/roles/kubernetes/tasks/place_secrets.yml

@@ -13,16 +13,6 @@
   notify:
     - restart daemons
 
-- name: Copy master tokens to the masters
-  synchronize: src={{ kube_token_dir }}/{{ item }} dest={{ kube_token_dir }}/{{ item }}
-  delegate_to: "{{ groups['masters'][0] }}"
-  with_items:
-    - "system:controller_manager.token"
-    - "system:scheduler.token"
-  notify:
-    - restart daemons
-  when: inventory_hostname in groups['masters']
-
 - name: remove ssh public key so apiserver can not push stuff
   authorized_key: user=root key="{{ item }}" state=absent
   with_file:

contrib/ansible/roles/master/tasks/main.yml

@@ -21,16 +21,25 @@
 - name: Enable apiserver
   service: name=kube-apiserver enabled=yes state=started
 
+- name: Get the node token values
+  slurp:
+    src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
+  with_items:
+    - "system:controller_manager"
+    - "system:scheduler"
+  register: tokens
+  delegate_to: "{{ groups['masters'][0] }}"
+
+- name: Set token facts
+  set_fact:
+    controller_manager_token: "{{ tokens.results[0].content|b64decode }}"
+    scheduler_token: "{{ tokens.results[1].content|b64decode }}"
+
 - name: write the config file for the controller-manager
   template: src=controller-manager.j2 dest={{ kube_config_dir }}/controller-manager
   notify:
     - restart controller-manager
 
-- name: Get the controller-manager token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:controller_manager.token"
-  register: controller_manager_token
-
 - name: write the kubecfg (auth) file for controller-manager
   template: src=controller-manager.kubeconfig.j2 dest={{ kube_config_dir }}/controller-manager.kubeconfig
   notify:
@@ -44,11 +53,6 @@
   notify:
     - restart scheduler
 
-- name: Get the scheduler token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:scheduler.token"
-  register: scheduler_token
-
 - name: write the kubecfg (auth) file for scheduler
   template: src=scheduler.kubeconfig.j2 dest={{ kube_config_dir }}/scheduler.kubeconfig
   notify:

contrib/ansible/roles/master/templates/controller-manager.kubeconfig.j2

@@ -15,4 +15,4 @@ contexts:
 users:
 - name: controller-manager
   user:
-    token: {{ controller_manager_token.content|b64decode }}
+    token: {{ controller_manager_token }}

contrib/ansible/roles/master/templates/scheduler.kubeconfig.j2

@@ -15,4 +15,4 @@ contexts:
 users:
 - name: scheduler
   user:
-    token: {{ scheduler_token.content|b64decode }}
+    token: {{ scheduler_token }}