Place a different token for every node/daemon combination

We can now revoke one token at a time!

contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml

@@ -18,12 +18,12 @@
     - restart daemons
 
 - name: Generate tokens for node components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
   environment:
     TOKEN_DIR: "{{ kube_token_dir }}"
-  with_items:
+  with_nested:
-    - "system:kubelet"
+    - [ 'system:kubelet', 'system:proxy' ]
-    - "system:proxy"
+    - "{{ groups['nodes'] }}"
   register: gentoken
   changed_when: "'Added' in gentoken.stdout"
   notify:

contrib/ansible/roles/kubernetes/tasks/place_secrets.yml

@@ -23,16 +23,6 @@
     - restart daemons
   when: inventory_hostname in groups['masters']
 
-- name: Copy node tokens to the nodes
-  synchronize: src={{ kube_token_dir }}/{{ item }} dest={{ kube_token_dir }}/{{ item }}
-  delegate_to: "{{ groups['masters'][0] }}"
-  with_items:
-    - "system:kubelet.token"
-    - "system:proxy.token"
-  notify:
-    - restart daemons
-  when: inventory_hostname in groups['nodes']
-
 - name: remove ssh public key so apiserver can not push stuff
   authorized_key: user=root key="{{ item }}" state=absent
   with_file:

contrib/ansible/roles/node/tasks/main.yml

@@ -14,16 +14,25 @@
 - include: centos.yml
   when: not is_atomic and ansible_distribution == "CentOS"
 
+- name: Get the node token values
+  slurp:
+    src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
+  with_items:
+    - "system:kubelet"
+    - "system:proxy"
+  register: tokens
+  delegate_to: "{{ groups['masters'][0] }}"
+
+- name: Set token facts
+  set_fact:
+    kubelet_token: "{{ tokens.results[0].content|b64decode }}"
+    proxy_token: "{{ tokens.results[1].content|b64decode }}"
+
 - name: write the config files for kubelet
   template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet
   notify:
     - restart kubelet
 
-- name: Get the kubelet token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:kubelet.token"
-  register: kubelet_token
-
 - name: write the kubecfg (auth) file for kubelet
   template: src=kubelet.kubeconfig.j2 dest={{ kube_config_dir }}/kubelet.kubeconfig
   notify:
@@ -37,11 +46,6 @@
   notify:
     - restart proxy
 
-- name: Get the proxy token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:proxy.token"
-  register: proxy_token
-
 - name: write the kubecfg (auth) file for kube-proxy
   template: src=proxy.kubeconfig.j2 dest={{ kube_config_dir }}/proxy.kubeconfig
   notify:

contrib/ansible/roles/node/templates/kubelet.kubeconfig.j2

@@ -15,4 +15,4 @@ contexts:
 users:
 - name: kubelet
   user:
-    token: {{ kubelet_token.content|b64decode }}
+    token: {{ kubelet_token }}

contrib/ansible/roles/node/templates/proxy.kubeconfig.j2

@@ -15,4 +15,4 @@ clusters:
 users:
 - name: proxy
   user:
-    token: {{ proxy_token.content|b64decode }}
+    token: {{ proxy_token }}