2017-09-15 06:35:36 +00:00
|
|
|
---
|
|
|
|
|
- name: Rotate Tokens | Get list of pods and their current secrets
|
|
|
|
|
command: >-
|
|
|
|
|
{{ bin_dir }}/kubectl get pods --all-namespaces
|
|
|
|
|
-o 'jsonpath={range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.volumes[*].name}{"\n"}{end}'
|
|
|
|
|
register: pods_secrets
|
|
|
|
|
run_once: true
|
|
|
|
|
|
|
|
|
|
- name: Rotate Tokens | Get default tokens to expire
|
|
|
|
|
shell: >-
|
|
|
|
|
{{ bin_dir }}/kubectl get secrets --all-namespaces
|
|
|
|
|
-o 'jsonpath={range .items[*]}{"\n"}{.metadata.namespace}{" "}{.metadata.name}{end}'
|
|
|
|
|
| grep default-token
|
|
|
|
|
register: tokens_to_delete
|
|
|
|
|
run_once: true
|
|
|
|
|
|
|
|
|
|
- name: Rotate Tokens | Delete expired tokens
|
|
|
|
|
command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
|
|
|
|
|
with_items: "{{ tokens_to_delete.stdout_lines }}"
|
|
|
|
|
run_once: true
|
|
|
|
|
|
2017-09-21 19:44:38 +00:00
|
|
|
- name: Rotate Tokens | Delete pods
|
2017-09-15 06:35:36 +00:00
|
|
|
command: "{{ bin_dir }}/kubectl delete pod -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
|
|
|
|
|
with_items: "{{ pods_secrets.stdout_lines }}"
|
|
|
|
|
register: delete_pods
|
|
|
|
|
when: item.split(" ")[0] + " " + item.split(" ")[2] in tokens_to_delete.stdout
|
|
|
|
|
failed_when: delete_pods.rc != 0 and "not found" not in delete_pods.stderr
|
|
|
|
|
run_once: true
|
