diff --git a/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml b/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
index fc13e74db66..2920b46ef8c 100644
--- a/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
@@ -18,12 +18,12 @@ - restart daemons - name: Generate tokens for node components - command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item }}" + command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}" environment: TOKEN_DIR: "{{ kube_token_dir }}" - with_items: - "system:kubelet" - "system:proxy" + with_nested: + - [ 'system:kubelet', 'system:proxy' ] + - "{{ groups['nodes'] }}" register: gentoken changed_when: "'Added' in gentoken.stdout" notify:
diff --git a/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml b/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml
index e832b968b00..61a53c3d8d5 100644
--- a/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml
@@ -23,16 +23,6 @@ - restart daemons when: inventory_hostname in groups['masters'] -- name: Copy node tokens to the nodes - synchronize: src={{ kube_token_dir }}/{{ item }} dest={{ kube_token_dir }}/{{ item }} - delegate_to: "{{ groups['masters'][0] }}" - with_items: - "system:kubelet.token" - "system:proxy.token" - notify: - - restart daemons - when: inventory_hostname in groups['nodes'] - - name: remove ssh public key so apiserver can not push stuff authorized_key: user=root key="{{ item }}" state=absent with_file:
diff --git a/contrib/ansible/roles/node/tasks/main.yml b/contrib/ansible/roles/node/tasks/main.yml
index f23bf1787fd..1d74a2821cf 100644
--- a/contrib/ansible/roles/node/tasks/main.yml
+++ b/contrib/ansible/roles/node/tasks/main.yml
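Review bot: Nothing in the gen_tokens.yml change retires the shared `system:kubelet` and `system:proxy` tokens that earlier runs of this task generated: the loop now creates one `<user>-<hostname>` token per entry in `groups['nodes']`, but the old token files, and whatever record kube-gen-token.sh made of them for the apiserver, are left in place. The script is not part of the diff, so this is inferred from the `'Added' in gentoken.stdout` check; if it holds, any holder of a copy of the old shared token can keep using it after the upgrade, which weakens the per-node isolation this change is after. I would add a cleanup task for the two old names, or at least a comment above the task such as `# Per-node tokens: <user>-<hostname>. The old shared system:kubelet / system:proxy tokens are not revoked by this task.` The task's `notify:` list continues outside the hunk.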
@@ -14,16 +14,25 @@ - include: centos.yml when: not is_atomic and ansible_distribution == "CentOS" +- name: Get the node token values + slurp: + src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token" + with_items: + - "system:kubelet" + - "system:proxy" + register: tokens + delegate_to: "{{ groups['masters'][0] }}" + +- name: Set token facts + set_fact: + kubelet_token: "{{ tokens.results[0].content|b64decode }}" + proxy_token: "{{ tokens.results[1].content|b64decode }}" + - name: write the config files for kubelet template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet notify: - restart kubelet -- name: Get the kubelet token value - slurp: - src: "{{ kube_token_dir }}/system:kubelet.token" - register: kubelet_token - - name: write the kubecfg (auth) file for kubelet template: src=kubelet.kubeconfig.j2 dest={{ kube_config_dir }}/kubelet.kubeconfig notify:
@@ -37,11 +46,6 @@ notify: - restart proxy -- name: Get the proxy token value - slurp: - src: "{{ kube_token_dir }}/system:proxy.token" - register: proxy_token - - name: write the kubecfg (auth) file for kube-proxy template: src=proxy.kubeconfig.j2 dest={{ kube_config_dir }}/proxy.kubeconfig notify:
diff --git a/contrib/ansible/roles/node/templates/kubelet.kubeconfig.j2 b/contrib/ansible/roles/node/templates/kubelet.kubeconfig.j2
index 1c15a436542..b9c22fa63f5 100644
--- a/contrib/ansible/roles/node/templates/kubelet.kubeconfig.j2
+++ b/contrib/ansible/roles/node/templates/kubelet.kubeconfig.j2
@@ -15,4 +15,4 @@ contexts: users: - name: kubelet user: - token: {{ kubelet_token.content|b64decode }} + token: {{ kubelet_token }}
diff --git a/contrib/ansible/roles/node/templates/proxy.kubeconfig.j2 b/contrib/ansible/roles/node/templates/proxy.kubeconfig.j2
index 35018bea3f0..f5d109816a5 100644
--- a/contrib/ansible/roles/node/templates/proxy.kubeconfig.j2
+++ b/contrib/ansible/roles/node/templates/proxy.kubeconfig.j2
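Review bot: The two tasks added in the first hunk of roles/node/tasks/main.yml, `Get the node token values` and `Set token facts`, carry decoded bearer tokens in their results without `no_log`, so the slurped `content` and the values of `kubelet_token` and `proxy_token` can end up in verbose output and in any log or callback that records task results. Add `no_log: true` to both tasks. `Set token facts` also reads `tokens.results[0]` and `tokens.results[1]`, which ties each fact to the order of the `with_items` list in the task before it; a comment such as `# results[] follows the with_items order: kubelet first, then proxy` would keep a later reorder from silently swapping the two tokens.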
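Review bot: The `token:` line in kubelet.kubeconfig.j2 now renders this node's own bearer token, and the task that writes the file, visible as context in roles/node/tasks/main.yml (`template: src=kubelet.kubeconfig.j2 dest={{ kube_config_dir }}/kubelet.kubeconfig`), sets no `mode=` or `owner=`, so the file's permissions are left to the umask or to whatever an existing file already has. Restricting it, for example `mode=0600` with the owner set to the account the kubelet runs as, keeps other local users on the node from reading the credential. The same applies to the `token:` line in proxy.kubeconfig.j2 and its template task. The value is also emitted unquoted; the token format is not visible here, but if the slurped file ends in a newline, `token: "{{ kubelet_token | trim }}"` would render a clean quoted scalar.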
@@ -15,4 +15,4 @@ clusters: users: - name: proxy user: - token: {{ proxy_token.content|b64decode }} + token: {{ proxy_token }}