c12s-kubespray/roles/kubernetes/secrets/tasks/check-tokens.yml

---
- name: "Check_tokens | check if the tokens have already been generated on first master"
  stat:
    path: "{{ kube_token_dir }}/known_tokens.csv"
  delegate_to: "{{groups['kube-master'][0]}}"
  register: known_tokens_master
  run_once: true

- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
  set_fact:
    sync_tokens: false
    gen_tokens: false

- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
  set_fact:
    gen_tokens: true
  when: not known_tokens_master.stat.exists and kube_token_auth|default(true)
  run_once: true

- name: "Check tokens | check if a cert already exists"
  stat:
    path: "{{ kube_cert_dir }}/ca.pem"
  register: known_tokens

- name: "Check_tokens | Set 'sync_tokens' to true"
  set_fact:
    sync_tokens: true
  when: >-
      {%- set tokens = {'sync': False} -%}
      {%- for server in groups['kube-master'] | intersect(play_hosts)
         if (not hostvars[server].known_tokens.stat.exists) or
         (hostvars[server].known_tokens.stat.checksum != known_tokens_master.stat.checksum|default('')) -%}
         {%- set _ = tokens.update({'sync': True}) -%}
      {%- endfor -%}
      {{ tokens.sync }}      
  run_once: true