diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
index 37568d69410f69944f90f56f9a1b7cc464e55ad6..295ebcb0c61503f41302bf750ca27e59eee74c91 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -4,7 +4,8 @@
     src: "openssl.conf.j2"
     dest: "{{ kube_config_dir }}/openssl.conf"
   run_once: yes
-  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_certs|default(false)
 
 - name: certs | copy certs generation script
   copy:
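Review bot: The new `when: gen_certs|default(false)` on the openssl.conf template task is combined with `run_once`, and Ansible evaluates a run_once task's condition only against the first host of the play batch, so the task is skipped for every host if that one does not carry `gen_certs`. Where `gen_certs` is set is not visible here; if it is a per-host fact, reading it from the delegate is safer: `when: hostvars[groups['kube-master'][0]]['gen_certs']|default(false)`. The same applies to the other `run_once` tasks changed in this commit: the make-ssl.sh copy and run, the kube-gen-token.sh copy and both token generation tasks (`gen_tokens`), and the slurp task (`sync_tokens`). If the fact is deliberately set on all hosts, a comment such as `# gen_certs is set identically on every host; run_once only checks the first one` would document that dependency.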
@@ -12,12 +13,14 @@
     dest: "{{ kube_script_dir }}/make-ssl.sh"
     mode: 0700
   run_once: yes
-  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_certs|default(false)
 
 - name: certs | run cert generation script
   command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
   run_once: yes
-  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_certs|default(false)
   notify: set secret_changed
 
 - set_fact:
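Review bot: With `delegate_to` on the `certs | run cert generation script` task, `kube_script_dir`, `kube_config_dir` and `kube_cert_dir` in the command line are resolved from the variables of whichever host the play picked for `run_once`, not from the first master where the command executes. That is harmless only if these paths are the same for every host in the inventory, which the hunk does not show. Since this step presumably writes the cluster's key material, a comment above the task stating the assumption would help, for example `# paths are rendered from the calling host's vars; they must match the first master's`. The `set_fact` task that follows continues outside the hunk.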
diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/secrets/tasks/gen_tokens.yml
index 987326500168b3cf3c6b0b93a6ba274c540e7c3a..b432132475ec447fbe06bacb579356cead460379 100644
--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/secrets/tasks/gen_tokens.yml
@@ -5,7 +5,8 @@
     dest: "{{ kube_script_dir }}/kube-gen-token.sh"
     mode: 0700
   run_once: yes
-  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_tokens|default(false)
 
 - name: tokens | generate tokens for master components
   command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
@@ -18,7 +19,8 @@
   changed_when: "'Added' in gentoken_master.stdout"
   notify: set secret_changed
   run_once: yes
-  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_tokens|default(false)
 
 - name: tokens | generate tokens for node components
   command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
@@ -31,22 +33,24 @@
   changed_when: "'Added' in gentoken_node.stdout"
   notify: set secret_changed
   run_once: yes
-  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_tokens|default(false)
 
 - name: tokens | Get list of tokens from first master
   shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
   register: tokens_list
   changed_when: false
-  when: inventory_hostname == groups['kube-master'][0] and sync_tokens|default(false)
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: sync_tokens|default(false)
 
 - name: tokens | Get the tokens from first master
   slurp:
     src: "{{ item }}"
-  delegate_to: "{{groups['kube-master'][0]}}"
   register: slurp_tokens
   with_items: '{{tokens_list.stdout_lines}}'
-  when: sync_tokens|default(false)
   run_once: true
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: sync_tokens|default(false)
   notify: set secret_changed
 
 - name: tokens | Copy tokens on masters
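Review bot: The `tokens | Get the tokens from first master` task registers the slurped contents of the files under `kube_token_dir` in `slurp_tokens` without `no_log`, so the base64-encoded tokens can end up in verbose output and callback logs; adding `no_log: true` to this task would keep them out. The task that consumes `slurp_tokens` (`tokens | Copy tokens on masters`) begins at the end of the hunk and continues outside it, so it presumably needs the same setting. Separately, `tokens | Get list of tokens from first master` is now delegated but has no `run_once`, so the `find` appears to run on the first master once per host in the play; `run_once: true` would match the slurp task that reads `tokens_list`.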