From baf0a331c91691cb2197178b774eca681e059a4c Mon Sep 17 00:00:00 2001
From: Max Gautier <mg@max.gautier.name>
Date: Mon, 23 Sep 2024 16:38:21 +0200
Subject: [PATCH] Don't generate static tokens for nodes and control planes

Node-to-api-server authentication relies by default on certificates and bootstrap
tokens, so there should be no need to generate static tokens for every node,
even when static token auth is enabled.
---
 docs/ansible/ansible.md                       |  2 -
 docs/operations/upgrades.md                   |  2 +-
 roles/kubernetes/control-plane/meta/main.yml  |  4 --
 .../tasks/0050-create_directories.yml         |  2 -
 .../kubernetes/tokens/files/kube-gen-token.sh | 34 ----------
 .../kubernetes/tokens/tasks/check-tokens.yml  | 41 ------------
 roles/kubernetes/tokens/tasks/gen_tokens.yml  | 63 -------------------
 roles/kubernetes/tokens/tasks/main.yml        | 21 -------
 8 files changed, 1 insertion(+), 168 deletions(-)
 delete mode 100644 roles/kubernetes/tokens/files/kube-gen-token.sh
 delete mode 100644 roles/kubernetes/tokens/tasks/check-tokens.yml
 delete mode 100644 roles/kubernetes/tokens/tasks/gen_tokens.yml
 delete mode 100644 roles/kubernetes/tokens/tasks/main.yml

diff --git a/docs/ansible/ansible.md b/docs/ansible/ansible.md
index 5e79d966d..3297e1080 100644
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -174,8 +174,6 @@ The following tags are defined in playbooks:
 | init                           | Windows kubernetes init nodes                         |
 | iptables                       | Flush and clear iptable when resetting                |
 | k8s-pre-upgrade                | Upgrading K8s cluster                                 |
-| k8s-secrets                    | Configuring K8s certs/keys                            |
-| k8s-gen-tokens                 | Configuring K8s tokens                                |
 | kata-containers                | Configuring kata-containers runtime                   |
 | krew                           | Install and manage krew                               |
 | kubeadm                        | Roles linked to kubeadm tasks                         |
diff --git a/docs/operations/upgrades.md b/docs/operations/upgrades.md
index 6c915c765..ff768ebdc 100644
--- a/docs/operations/upgrades.md
+++ b/docs/operations/upgrades.md
@@ -392,7 +392,7 @@ ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd --limi
 Upgrade kubelet:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
 ```
 
 Upgrade Kubernetes master components:
diff --git a/roles/kubernetes/control-plane/meta/main.yml b/roles/kubernetes/control-plane/meta/main.yml
index 7b2cfe365..9e5d86e0f 100644
--- a/roles/kubernetes/control-plane/meta/main.yml
+++ b/roles/kubernetes/control-plane/meta/main.yml
@@ -1,10 +1,6 @@
 ---
 dependencies:
   - role: kubernetes/kubeadm_common
-  - role: kubernetes/tokens
-    when: kube_token_auth
-    tags:
-      - k8s-secrets
   - role: adduser
     user: "{{ addusers.etcd }}"
     when:
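Review bot: With the `kubernetes/tokens` dependency dropped from this list, nothing left in the patch creates `{{ kube_token_dir }}/known_tokens.csv`, yet the commit message says static token auth (`kube_token_auth`) can still be enabled. If that variable still points the apiserver at a token file in that directory (not visible here), the file must now be provided by the operator, and a first run with `kube_token_auth` set and no such file would presumably fail at apiserver startup rather than at playbook time. A short comment where `kube_token_auth` is documented or defaulted, e.g. `# Static token auth no longer generates known_tokens.csv; supply the file yourself when enabling this.`, would make the new contract explicit. The `dependencies` list continues past the end of the hunk.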
diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
index 7c4072c95..7f1cdb5d3 100644
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -9,7 +9,6 @@
   become: true
   tags:
     - kubelet
-    - k8s-secrets
     - kube-controller-manager
     - kube-apiserver
     - bootstrap-os
@@ -34,7 +33,6 @@
   become: true
   tags:
     - kubelet
-    - k8s-secrets
     - kube-controller-manager
     - kube-apiserver
     - bootstrap-os
diff --git a/roles/kubernetes/tokens/files/kube-gen-token.sh b/roles/kubernetes/tokens/files/kube-gen-token.sh
deleted file mode 100644
index 121b52263..000000000
--- a/roles/kubernetes/tokens/files/kube-gen-token.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-
-# Copyright 2015 The Kubernetes Authors All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-token_dir=${TOKEN_DIR:-/var/srv/kubernetes}
-token_file="${token_dir}/known_tokens.csv"
-
-create_accounts=($@)
-
-if [ ! -e "${token_file}" ]; then
-  touch "${token_file}"
-fi
-
-for account in "${create_accounts[@]}"; do
-  if grep ",${account}," "${token_file}" ; then
-    continue
-  fi
-  token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
-  echo "${token},${account},${account}" >> "${token_file}"
-  echo "${token}" > "${token_dir}/${account}.token"
-  echo "Added ${account}"
-done
diff --git a/roles/kubernetes/tokens/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml
deleted file mode 100644
index baa0c9f03..000000000
--- a/roles/kubernetes/tokens/tasks/check-tokens.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-- name: "Check_tokens | check if the tokens have already been generated on first control plane node"
-  stat:
-    path: "{{ kube_token_dir }}/known_tokens.csv"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  register: known_tokens_control_plane
-  run_once: true
-
-- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
-  set_fact:
-    sync_tokens: false
-    gen_tokens: false
-
-- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
-  set_fact:
-    gen_tokens: true
-  when: not known_tokens_control_plane.stat.exists and kube_token_auth | default(true)
-  run_once: true
-
-- name: "Check tokens | check if a cert already exists"
-  stat:
-    path: "{{ kube_token_dir }}/known_tokens.csv"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  register: known_tokens
-
-- name: "Check_tokens | Set 'sync_tokens' to true"
-  set_fact:
-    sync_tokens: >-
-      {%- set tokens = {'sync': False} -%}
-      {%- for server in groups['kube_control_plane'] | intersect(ansible_play_batch)
-        if (not hostvars[server].known_tokens.stat.exists) or
-        (hostvars[server].known_tokens.stat.checksum | default('') != known_tokens_control_plane.stat.checksum | default('')) -%}
-        {%- set _ = tokens.update({'sync': True}) -%}
-      {%- endfor -%}
-      {{ tokens.sync }}
-  run_once: true
diff --git a/roles/kubernetes/tokens/tasks/gen_tokens.yml b/roles/kubernetes/tokens/tasks/gen_tokens.yml
deleted file mode 100644
index 67b45f9ae..000000000
--- a/roles/kubernetes/tokens/tasks/gen_tokens.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-- name: Gen_tokens | copy tokens generation script
-  copy:
-    src: "kube-gen-token.sh"
-    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
-    mode: "0700"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
-- name: Gen_tokens | generate tokens for control plane components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ "system:kubectl" ]
-    - "{{ groups['kube_control_plane'] }}"
-  register: gentoken_control_plane
-  changed_when: "'Added' in gentoken_control_plane.stdout"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
-- name: Gen_tokens | generate tokens for node components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ 'system:kubelet' ]
-    - "{{ groups['kube_node'] }}"
-  register: gentoken_node
-  changed_when: "'Added' in gentoken_node.stdout"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
-- name: Gen_tokens | Get list of tokens from first control plane node
-  command: "find {{ kube_token_dir }} -maxdepth 1 -type f"
-  register: tokens_list
-  check_mode: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  when: sync_tokens | default(false)
-
-- name: Gen_tokens | Gather tokens
-  shell: "set -o pipefail && tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
-  args:
-    executable: /bin/bash
-  register: tokens_data
-  check_mode: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  when: sync_tokens | default(false)
-
-- name: Gen_tokens | Copy tokens on control plane nodes
-  shell: "set -o pipefail && echo '{{ tokens_data.stdout | quote }}' | base64 -d | tar xz -C /"
-  args:
-    executable: /bin/bash
-  when:
-    - ('kube_control_plane' in group_names)
-    - sync_tokens | default(false)
-    - inventory_hostname != groups['kube_control_plane'][0]
-    - tokens_data.stdout
diff --git a/roles/kubernetes/tokens/tasks/main.yml b/roles/kubernetes/tokens/tasks/main.yml
deleted file mode 100644
index cab5a06bd..000000000
--- a/roles/kubernetes/tokens/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-
-- name: Check tokens
-  import_tasks: check-tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
-    - facts
-
-- name: Make sure the tokens directory exits
-  file:
-    path: "{{ kube_token_dir }}"
-    state: directory
-    mode: "0644"
-    group: "{{ kube_cert_group }}"
-
-- name: Generate tokens
-  import_tasks: gen_tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
-- 
GitLab