From b472c2df980c7a676b4ba2a88d8feabfe10f4f78 Mon Sep 17 00:00:00 2001
From: mlushpenko
Date: Tue, 6 Feb 2018 00:14:50 +0100
Subject: [PATCH 1/3] Fix safe upgrade
Even though there it kubeadm_token_ttl=0 which means that kubeadm token never expires, it is not present in `kubeadm token list` after cluster is provisioned (at least after it is running for some time) and there is issue regarding this https://github.com/kubernetes/kubeadm/issues/335, so we need to create a new temporary token during the cluster upgrade.
---
 roles/kubernetes/kubeadm/tasks/main.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index 0616dad5b..4da21b77d 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -22,6 +22,16 @@
 delegate_to: "{{ groups['kube-master'][0] }}"
 run_once: true
+- name: Create kubeadm token for joining nodes with 24h expiration (default)
+ command: "{{ bin_dir }}/kubeadm token create"
+ run_once: true
+ register: temp_token
+ delegate_to: "{{ groups['kube-master'][0] }}"
+- name: Override predefined kubeadm_token that expires after 24h
+ set_fact:
+ kubeadm_token: "{{ temp_token.stdout }}"
+
 - name: Create kubeadm client config
 template:
 src: kubeadm-client.conf.j2
From 4e61fb9cd3277f8b2c1277f49e39573fac1b087b Mon Sep 17 00:00:00 2001
From: mlushpenko
Date: Tue, 6 Feb 2018 15:43:05 +0100
Subject: [PATCH 2/3] Refactored kubeadm join process and fixed uncrodonng for master nodes
---
 roles/kubernetes/kubeadm/tasks/main.yml | 6 ++----
 roles/kubernetes/master/defaults/main.yml | 3 ---
 roles/kubernetes/master/templates/kubeadm-config.yaml.j2 | 2 --
 roles/kubespray-defaults/defaults/main.yaml | 1 -
 roles/upgrade/post-upgrade/tasks/main.yml | 2 +-
 5 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index 4da21b77d..2b6e739db 100644
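Review bot: The `Create kubeadm token` task registers the output of `kubeadm token create` as `temp_token` without `no_log: true`, so the bootstrap token is printed in verbose or failed-task output and kept in the registered result. Add `no_log: true` to that task and to the `Override predefined kubeadm_token` set_fact task, since `kubeadm_token: "{{ temp_token.stdout }}"` carries the same value. The task also has no `when:` or `creates:` guard, so every run of the play mints another token that stays valid for the default 24h named in the task title; passing an explicit `--ttl` sized to the upgrade window would bound how long a stray token remains usable for joining a node.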
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -28,16 +28,14 @@
 register: temp_token
 delegate_to: "{{ groups['kube-master'][0] }}"
-- name: Override predefined kubeadm_token that expires after 24h
- set_fact:
- kubeadm_token: "{{ temp_token.stdout }}"
-
 - name: Create kubeadm client config
 template:
 src: kubeadm-client.conf.j2
 dest: "{{ kube_config_dir }}/kubeadm-client.conf"
 backup: yes
 when: not is_kube_master
+ vars:
+ kubeadm_token: "{{ temp_token.stdout }}"
 register: kubeadm_client_conf
 - name: Join to cluster if needed
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index 69e74cf83..6b22bfd05 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -82,9 +82,6 @@ controller_mgr_custom_flags: []
 scheduler_custom_flags: []
-# kubeadm settings
-## Value of 0 means it never expires
-kubeadm_token_ttl: 0
 ## Extra args for k8s components passing by kubeadm
 kube_kubeadm_controller_extra_args: {}
 kube_kubeadm_scheduler_extra_args: {}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index eafe6f851..1f243e544 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -29,8 +29,6 @@ authorizationModes:
 {% for mode in authorization_modes %}
 - {{ mode }}
 {% endfor %}
-token: {{ kubeadm_token }}
-tokenTTL: "{{ kubeadm_token_ttl }}"
 selfHosted: false
 apiServerExtraArgs:
 bind-address: {{ kube_apiserver_bind_address }}
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index f1d3a92b1..3be3e9d66 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
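Review bot: The new `vars:` block hands the freshly minted `temp_token.stdout` to the `Create kubeadm client config` template, but the task still renders that token into `{{ kube_config_dir }}/kubeadm-client.conf` with no `mode:`, so the join credential's permissions depend on the remote umask, and `backup: yes` leaves a timestamped copy of the previous file (with its token) on every re-render. Set `mode: "0600"` next to `dest:`, and consider `no_log: true` on this task so the rendered token is not echoed when the play runs with `--diff`. The `Join to cluster if needed` task that consumes this config lies outside the hunk.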
@@ -147,7 +147,6 @@ helm_deployment_type: host
 # Enable kubeadm deployment (experimental)
 kubeadm_enabled: false
-kubeadm_token: "abcdef.0123456789abcdef"
 # Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
 kubeconfig_localhost: false
diff --git a/roles/upgrade/post-upgrade/tasks/main.yml b/roles/upgrade/post-upgrade/tasks/main.yml
index ec6fdcf90..cef98bb0b 100644
--- a/roles/upgrade/post-upgrade/tasks/main.yml
+++ b/roles/upgrade/post-upgrade/tasks/main.yml
@@ -2,4 +2,4 @@
 - name: Uncordon node
 command: "{{ bin_dir }}/kubectl uncordon {{ inventory_hostname }}"
 delegate_to: "{{ groups['kube-master'][0] }}"
- when: (needs_cordoning|default(false)) and ( {%- if inventory_hostname in groups['kube-node'] -%} true {%- else -%} false {%- endif -%} )
+ when: needs_cordoning|default(false)
From a37c642127311d97acceb2a1fe7ab7e31b68afcb Mon Sep 17 00:00:00 2001
From: mlushpenko
Date: Thu, 8 Feb 2018 20:25:04 +0100
Subject: [PATCH 3/3] Remove obsolete token variables
Tokens are generated automatically during init process and on-demand for nodes joining process
---
 inventory/sample/group_vars/all.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
index 29b14903d..2c460e28f 100644
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -96,10 +96,6 @@ bin_dir: /usr/local/bin
 ## Uncomment to enable experimental kubeadm deployment mode
 #kubeadm_enabled: false
-#kubeadm_token_first: "{{ lookup('password', inventory_dir + '/credentials/kubeadm_token_first length=6 chars=ascii_lowercase,digits') }}"
-#kubeadm_token_second: "{{ lookup('password', inventory_dir + '/credentials/kubeadm_token_second length=16 chars=ascii_lowercase,digits') }}"
-#kubeadm_token: "{{ kubeadm_token_first }}.{{ kubeadm_token_second }}"
-#
 ## Set these proxy values in order to update package manager and docker daemon to use proxies
 #http_proxy: ""
 #https_proxy: ""
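Review bot: `when: needs_cordoning|default(false)` on the `Uncordon node` task evaluates the raw value of `needs_cordoning`, so if that variable ever arrives as the string `"false"` (from inventory or `-e`) the uncordon still runs; `when: needs_cordoning | default(false) | bool` makes the intent explicit. Dropping the `kube-node` group check means the first master, which is also the `delegate_to` target, now uncordons itself, which is what the commit subject intends; a short comment above the task such as `# masters are cordoned during upgrade too, so uncordon every host that was cordoned` would keep a later reader from re-adding the group filter.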