From dae9f6d3c2c00feed13d20ca539b908548a83b03 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Mon, 2 Oct 2017 13:14:50 +0100
Subject: [PATCH] Test if tokens are expired from host instead of inside
 container (#1727)

* Test if tokens are expired from host instead of inside container

* Update main.yml
---
 .../rotate_tokens/tasks/main.yml              | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
index 5bab7120a..842358177 100644
--- a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
+++ b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
@@ -1,17 +1,28 @@
 ---
+- name: Rotate Tokens | Get default token name
+  shell: "{{ bin_dir }}/kubectl get secrets -o custom-columns=name:{.metadata.name} --no-headers | grep -m1 default-token"
+  register: default_token
+
+- name: Rotate Tokens | Get default token data
+  command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson"
+  register: default_token_data
+  run_once: true
+
 - name: Rotate Tokens | Test if default certificate is expired
-  shell: >-
-    kubectl run -i test-rotate-tokens
-    --image={{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
-    --restart=Never --rm
-    kubectl get nodes
+  uri:
+    url: https://{{ kube_apiserver_ip }}/api/v1/nodes
+    method: GET
+    return_content: no
+    validate_certs: no
+    headers:
+      Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
   register: check_secret
-  failed_when: false
   run_once: true
+  failed_when: false
 
 - name: Rotate Tokens | Determine if certificate is expired
   set_fact:
-    needs_rotation: '{{ "You must be logged in" in check_secret.stderr }}'
+    needs_rotation: '{{ check_secret.status not in [200, 403] }}'
 
 # FIXME(mattymo): Exclude built in secrets that were automatically rotated,
 # instead of filtering manually
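Review bot: The decoded service-account token in the `Authorization` header and the full secret JSON registered as `default_token_data` are plain task arguments and results, so they are printed in verbose (`-v`) runs and handed to callback plugins; both the `Get default token data` task and the `uri` task should carry `no_log: true`. With `validate_certs: no` the bearer token is also sent to whatever answers at `kube_apiserver_ip` without the server's identity being checked, so if the cluster CA cannot be trusted from the host, a one-line comment above `validate_certs` explaining why verification is off would help the next reader. Because `failed_when: false` swallows connection errors, a request that never reaches the API server yields a status outside `[200, 403]` (the `uri` module reports -1 on connection failure, if I recall) and `needs_rotation` becomes true on a transient outage; the replaced "You must be logged in" check corresponds to a 401, so `needs_rotation: '{{ check_secret.status == 401 }}'` would be the tighter expiry signal. Lastly, `return_content: no` and `validate_certs: no` should be written as `false` to match Ansible's canonical booleans.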
-- 
GitLab