Place a different token for every node/daemon combination

We can now revoke one token at a time!
Eric Paris 2015-06-25 18:35:41 -04:00
parent bb179b6a4c
commit c6f2841839
5 changed files with 20 additions and 26 deletions


@ -18,12 +18,12 @@
- restart daemons
- name: Generate tokens for node components
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item }}"
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
environment:
TOKEN_DIR: "{{ kube_token_dir }}"
with_items:
- "system:kubelet"
- "system:proxy"
with_nested:
- [ 'system:kubelet', 'system:proxy' ]
- "{{ groups['nodes'] }}"
register: gentoken
changed_when: "'Added' in gentoken.stdout"
notify:
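Review bot: The new token name `{{ item[0] }}-{{ item[1] }}` fixes a naming convention (`<daemon>-<inventory_hostname>`) that the node-side slurp task in another file depends on, yet nothing in this task records it; a comment above `- name: Generate tokens for node components` such as `# one token per (daemon, node) pair, file name <daemon>-<node>.token; revoke a node by removing its two entries` would keep the generating and consuming roles in sync. The second loop dimension comes from inventory hostnames; `command` does not go through a shell, so the only practical hazard is a hostname containing whitespace, which the module's argument splitting would turn into two arguments — writing the argument as `'{{ item[0] }}-{{ item[1] }}'` inside the command string guards that. The task's `notify:` list continues past the end of the hunk.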


@ -23,16 +23,6 @@
- restart daemons
when: inventory_hostname in groups['masters']
- name: Copy node tokens to the nodes
synchronize: src={{ kube_token_dir }}/{{ item }} dest={{ kube_token_dir }}/{{ item }}
delegate_to: "{{ groups['masters'][0] }}"
with_items:
- "system:kubelet.token"
- "system:proxy.token"
notify:
- restart daemons
when: inventory_hostname in groups['nodes']
- name: remove ssh public key so apiserver can not push stuff
authorized_key: user=root key="{{ item }}" state=absent
with_file:


@ -14,16 +14,25 @@
- include: centos.yml
when: not is_atomic and ansible_distribution == "CentOS"
- name: Get the node token values
slurp:
src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
with_items:
- "system:kubelet"
- "system:proxy"
register: tokens
delegate_to: "{{ groups['masters'][0] }}"
- name: Set token facts
set_fact:
kubelet_token: "{{ tokens.results[0].content|b64decode }}"
proxy_token: "{{ tokens.results[1].content|b64decode }}"
- name: write the config files for kubelet
template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet
notify:
- restart kubelet
- name: Get the kubelet token value
slurp:
src: "{{ kube_token_dir }}/system:kubelet.token"
register: kubelet_token
- name: write the kubecfg (auth) file for kubelet
template: src=kubelet.kubeconfig.j2 dest={{ kube_config_dir }}/kubelet.kubeconfig
notify:
@ -37,11 +46,6 @@
notify:
- restart proxy
- name: Get the proxy token value
slurp:
src: "{{ kube_token_dir }}/system:proxy.token"
register: proxy_token
- name: write the kubecfg (auth) file for kube-proxy
template: src=proxy.kubeconfig.j2 dest={{ kube_config_dir }}/proxy.kubeconfig
notify:
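Review bot: The `Get the node token values` slurp and the `Set token facts` task both carry decoded bearer tokens in their results, and Ansible prints registered results and set facts in verbose runs, so both tasks should set `no_log: true` to keep the token bytes out of console output and logs. The `tokens.results[0]` / `tokens.results[1]` lookups in `set_fact` silently depend on the `with_items` order two tasks above; a comment on those lines, e.g. `# results index follows the with_items order above: 0 = system:kubelet, 1 = system:proxy`, would make that coupling visible to whoever next edits the list. The second hunk in this section only removes the old per-daemon slurp and needs nothing further; the task list is cut at `notify:` at both hunk ends.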


@ -15,4 +15,4 @@ contexts:
users:
- name: kubelet
user:
token: {{ kubelet_token.content|b64decode }}
token: {{ kubelet_token }}
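Review bot: `token: {{ kubelet_token }}` is rendered as a plain YAML scalar, so a token whose value happens to start with a YAML indicator, contain `: ` or ` #`, or consist only of digits would be mis-parsed or retyped when the kubeconfig is loaded; writing it as `token: "{{ kubelet_token }}"` makes the rendered value a string regardless of what kube-gen-token.sh produced. The same applies to `token: {{ proxy_token }}` in the proxy user template in the last section of this commit. Whether the generator can emit such characters is not visible here, so this is a defensive quoting change rather than a known failure.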


@ -15,4 +15,4 @@ clusters:
users:
- name: proxy
user:
token: {{ proxy_token.content|b64decode }}
token: {{ proxy_token }}