Don't generate static tokens for nodes and control planes

Nodes to api-server relies by default certificates, and bootstrap tokens, and there should be no need to generate tokens for every nodes, even when enabling static token auth.

Don't generate static tokens for nodes and control planes
baf0a331 · Max Gautier · 03a055c3 · baf0a331 · baf0a331 · baf0a331
Unverified Commit baf0a331 authored 11 months ago by Max Gautier
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -174,8 +174,6 @@ The following tags are defined in playbooks:
 | init                           | Windows kubernetes init nodes                         |
 | iptables                       | Flush and clear iptable when resetting                |
 | k8s-pre-upgrade                | Upgrading K8s cluster                                 |
-| k8s-secrets                    | Configuring K8s certs/keys                            |
-| k8s-gen-tokens                 | Configuring K8s tokens                                |
 | kata-containers                | Configuring kata-containers runtime                   |
 | krew                           | Install and manage krew                               |
 | kubeadm                        | Roles linked to kubeadm tasks                         |

--- a/docs/operations/upgrades.md
+++ b/docs/operations/upgrades.md
@@ -392,7 +392,7 @@ ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd --limi
 Upgrade kubelet:

 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
 ```

 Upgrade Kubernetes master components:

--- a/roles/kubernetes/control-plane/meta/main.yml
+++ b/roles/kubernetes/control-plane/meta/main.yml
 ---
 dependencies:
  - role: kubernetes/kubeadm_common
-  - role: kubernetes/tokens
-    when: kube_token_auth
-    tags:
-      - k8s-secrets
  - role: adduser
    user: "{{ addusers.etcd }}"
    when:

--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -9,7 +9,6 @@
  become: true
  tags:
    - kubelet
-    - k8s-secrets
    - kube-controller-manager
    - kube-apiserver
    - bootstrap-os
@@ -34,7 +33,6 @@
  become: true
  tags:
    - kubelet
-    - k8s-secrets
    - kube-controller-manager
    - kube-apiserver
    - bootstrap-os

--- a/roles/kubernetes/tokens/files/kube-gen-token.sh
+++ b/roles/kubernetes/tokens/files/kube-gen-token.sh
-#!/bin/bash
-
-# Copyright 2015 The Kubernetes Authors All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-token_dir=${TOKEN_DIR:-/var/srv/kubernetes}
-token_file="${token_dir}/known_tokens.csv"
-
-create_accounts=($@)
-
-if [ ! -e "${token_file}" ]; then
-  touch "${token_file}"
-fi
-
-for account in "${create_accounts[@]}"; do
-  if grep ",${account}," "${token_file}" ; then
-    continue
-  fi
-  token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
-  echo "${token},${account},${account}" >> "${token_file}"
-  echo "${token}" > "${token_dir}/${account}.token"
-  echo "Added ${account}"
-done
--- a/roles/kubernetes/tokens/tasks/check-tokens.yml
+++ b/roles/kubernetes/tokens/tasks/check-tokens.yml
---
- name: "Check_tokens | check if the tokens have already been generated on first control plane node"
-  stat:
-    path: "{{ kube_token_dir }}/known_tokens.csv"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  register: known_tokens_control_plane
-  run_once: true
-
- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
-  set_fact:
-    sync_tokens: false
-    gen_tokens: false
-
- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
-  set_fact:
-    gen_tokens: true
-  when: not known_tokens_control_plane.stat.exists and kube_token_auth | default(true)
-  run_once: true
-
- name: "Check tokens | check if a cert already exists"
-  stat:
-    path: "{{ kube_token_dir }}/known_tokens.csv"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  register: known_tokens
-
- name: "Check_tokens | Set 'sync_tokens' to true"
-  set_fact:
-    sync_tokens: >-
-      {%- set tokens = {'sync': False} -%}
-      {%- for server in groups['kube_control_plane'] | intersect(ansible_play_batch)
-        if (not hostvars[server].known_tokens.stat.exists) or
-        (hostvars[server].known_tokens.stat.checksum | default('') != known_tokens_control_plane.stat.checksum | default('')) -%}
-        {%- set _ = tokens.update({'sync': True}) -%}
-      {%- endfor -%}
-      {{ tokens.sync }}
-  run_once: true
--- a/roles/kubernetes/tokens/tasks/gen_tokens.yml
+++ b/roles/kubernetes/tokens/tasks/gen_tokens.yml
---
- name: Gen_tokens | copy tokens generation script
-  copy:
-    src: "kube-gen-token.sh"
-    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
-    mode: "0700"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
- name: Gen_tokens | generate tokens for control plane components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ "system:kubectl" ]
-    - "{{ groups['kube_control_plane'] }}"
-  register: gentoken_control_plane
-  changed_when: "'Added' in gentoken_control_plane.stdout"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
- name: Gen_tokens | generate tokens for node components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ 'system:kubelet' ]
-    - "{{ groups['kube_node'] }}"
-  register: gentoken_node
-  changed_when: "'Added' in gentoken_node.stdout"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
- name: Gen_tokens | Get list of tokens from first control plane node
-  command: "find {{ kube_token_dir }} -maxdepth 1 -type f"
-  register: tokens_list
-  check_mode: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  when: sync_tokens | default(false)
-
- name: Gen_tokens | Gather tokens
-  shell: "set -o pipefail && tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
-  args:
-    executable: /bin/bash
-  register: tokens_data
-  check_mode: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  when: sync_tokens | default(false)
-
- name: Gen_tokens | Copy tokens on control plane nodes
-  shell: "set -o pipefail && echo '{{ tokens_data.stdout | quote }}' | base64 -d | tar xz -C /"
-  args:
-    executable: /bin/bash
-  when:
-    - ('kube_control_plane' in group_names)
-    - sync_tokens | default(false)
-    - inventory_hostname != groups['kube_control_plane'][0]
-    - tokens_data.stdout
--- a/roles/kubernetes/tokens/tasks/main.yml
+++ b/roles/kubernetes/tokens/tasks/main.yml
---
-
- name: Check tokens
-  import_tasks: check-tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
-    - facts
-
- name: Make sure the tokens directory exits
-  file:
-    path: "{{ kube_token_dir }}"
-    state: directory
-    mode: "0644"
-    group: "{{ kube_cert_group }}"
-
- name: Generate tokens
-  import_tasks: gen_tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens