Don't generate static tokens for nodes and control planes

Nodes to api-server relies by default certificates, and bootstrap tokens, and there should be no need to generate tokens for every nodes, even when enabling static token auth.
2025-12-13 21:34:40 +03:00 · 2024-09-23 16:38:21 +02:00
parent 03a055c383
commit baf0a331c9
8 changed files with 1 additions and 168 deletions
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -174,8 +174,6 @@ The following tags are defined in playbooks:
 | init                           | Windows kubernetes init nodes                         |
 | iptables                       | Flush and clear iptable when resetting                |
 | k8s-pre-upgrade                | Upgrading K8s cluster                                 |
 | k8s-secrets                    | Configuring K8s certs/keys                            |
 | k8s-gen-tokens                 | Configuring K8s tokens                                |
 | kata-containers                | Configuring kata-containers runtime                   |
 | krew                           | Install and manage krew                               |
 | kubeadm                        | Roles linked to kubeadm tasks                         |
--- a/docs/operations/upgrades.md
+++ b/docs/operations/upgrades.md
@@ -392,7 +392,7 @@ ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd --limi
 Upgrade kubelet:
 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
 ```
 Upgrade Kubernetes master components:
--- a/roles/kubernetes/control-plane/meta/main.yml
+++ b/roles/kubernetes/control-plane/meta/main.yml
@@ -1,10 +1,6 @@
 ---
 dependencies:
  - role: kubernetes/kubeadm_common
  - role: kubernetes/tokens
    when: kube_token_auth
    tags:
      - k8s-secrets
  - role: adduser
    user: "{{ addusers.etcd }}"
    when:
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -9,7 +9,6 @@
  become: true
  tags:
    - kubelet
    - k8s-secrets
    - kube-controller-manager
    - kube-apiserver
    - bootstrap-os
@@ -34,7 +33,6 @@
  become: true
  tags:
    - kubelet
    - k8s-secrets
    - kube-controller-manager
    - kube-apiserver
    - bootstrap-os
--- a/roles/kubernetes/tokens/files/kube-gen-token.sh
+++ b/roles/kubernetes/tokens/files/kube-gen-token.sh
@@ -1,34 +0,0 @@
 #!/bin/bash
 # Copyright 2015 The Kubernetes Authors All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 token_dir=${TOKEN_DIR:-/var/srv/kubernetes}
 token_file="${token_dir}/known_tokens.csv"
 create_accounts=($@)
 if [ ! -e "${token_file}" ]; then
  touch "${token_file}"
 fi
 for account in "${create_accounts[@]}"; do
  if grep ",${account}," "${token_file}" ; then
    continue
  fi
  token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
  echo "${token},${account},${account}" >> "${token_file}"
  echo "${token}" > "${token_dir}/${account}.token"
  echo "Added ${account}"
 done
--- a/roles/kubernetes/tokens/tasks/check-tokens.yml
+++ b/roles/kubernetes/tokens/tasks/check-tokens.yml
@@ -1,41 +0,0 @@
 ---
 - name: "Check_tokens | check if the tokens have already been generated on first control plane node"
  stat:
    path: "{{ kube_token_dir }}/known_tokens.csv"
    get_attributes: false
    get_checksum: true
    get_mime: false
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  register: known_tokens_control_plane
  run_once: true
 - name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
  set_fact:
    sync_tokens: false
    gen_tokens: false
 - name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
  set_fact:
    gen_tokens: true
  when: not known_tokens_control_plane.stat.exists and kube_token_auth | default(true)
  run_once: true
 - name: "Check tokens | check if a cert already exists"
  stat:
    path: "{{ kube_token_dir }}/known_tokens.csv"
    get_attributes: false
    get_checksum: true
    get_mime: false
  register: known_tokens
 - name: "Check_tokens | Set 'sync_tokens' to true"
  set_fact:
    sync_tokens: >-
      {%- set tokens = {'sync': False} -%}
      {%- for server in groups['kube_control_plane'] | intersect(ansible_play_batch)
        if (not hostvars[server].known_tokens.stat.exists) or
        (hostvars[server].known_tokens.stat.checksum | default('') != known_tokens_control_plane.stat.checksum | default('')) -%}
        {%- set _ = tokens.update({'sync': True}) -%}
      {%- endfor -%}
      {{ tokens.sync }}
  run_once: true
--- a/roles/kubernetes/tokens/tasks/gen_tokens.yml
+++ b/roles/kubernetes/tokens/tasks/gen_tokens.yml
@@ -1,63 +0,0 @@
 ---
 - name: Gen_tokens | copy tokens generation script
  copy:
    src: "kube-gen-token.sh"
    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
    mode: "0700"
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when: gen_tokens | default(false)
 - name: Gen_tokens | generate tokens for control plane components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ "system:kubectl" ]
    - "{{ groups['kube_control_plane'] }}"
  register: gentoken_control_plane
  changed_when: "'Added' in gentoken_control_plane.stdout"
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when: gen_tokens | default(false)
 - name: Gen_tokens | generate tokens for node components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ 'system:kubelet' ]
    - "{{ groups['kube_node'] }}"
  register: gentoken_node
  changed_when: "'Added' in gentoken_node.stdout"
  run_once: true
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when: gen_tokens | default(false)
 - name: Gen_tokens | Get list of tokens from first control plane node
  command: "find {{ kube_token_dir }} -maxdepth 1 -type f"
  register: tokens_list
  check_mode: false
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  when: sync_tokens | default(false)
 - name: Gen_tokens | Gather tokens
  shell: "set -o pipefail && tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
  args:
    executable: /bin/bash
  register: tokens_data
  check_mode: false
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  when: sync_tokens | default(false)
 - name: Gen_tokens | Copy tokens on control plane nodes
  shell: "set -o pipefail && echo '{{ tokens_data.stdout | quote }}' | base64 -d | tar xz -C /"
  args:
    executable: /bin/bash
  when:
    - ('kube_control_plane' in group_names)
    - sync_tokens | default(false)
    - inventory_hostname != groups['kube_control_plane'][0]
    - tokens_data.stdout
--- a/roles/kubernetes/tokens/tasks/main.yml
+++ b/roles/kubernetes/tokens/tasks/main.yml
@@ -1,21 +0,0 @@
 ---
 - name: Check tokens
  import_tasks: check-tokens.yml
  tags:
    - k8s-secrets
    - k8s-gen-tokens
    - facts
 - name: Make sure the tokens directory exits
  file:
    path: "{{ kube_token_dir }}"
    state: directory
    mode: "0644"
    group: "{{ kube_cert_group }}"
 - name: Generate tokens
  import_tasks: gen_tokens.yml
  tags:
    - k8s-secrets
    - k8s-gen-tokens