c12s-kubespray/roles/kubernetes/secrets/tasks/gen_tokens.yml

---
- name: Gen_tokens | copy tokens generation script
  copy:
    src: "kube-gen-token.sh"
    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
    mode: 0700
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_tokens|default(false)

- name: Gen_tokens | generate tokens for master components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ "system:kubectl" ]
    - "{{ groups['kube-master'] }}"
  register: gentoken_master
  changed_when: "'Added' in gentoken_master.stdout"
  notify: set secret_changed
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_tokens|default(false)

- name: Gen_tokens | generate tokens for node components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ 'system:kubelet' ]
    - "{{ groups['kube-node'] }}"
  register: gentoken_node
  changed_when: "'Added' in gentoken_node.stdout"
  notify: set secret_changed
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_tokens|default(false)

- name: Gen_tokens | Get list of tokens from first master
  shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
  register: tokens_list
  changed_when: false
  delegate_to: "{{groups['kube-master'][0]}}"
  when: sync_tokens|default(false)

- name: Gen_tokens | Gather tokens
  shell: "tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
  register: tokens_data
  delegate_to: "{{groups['kube-master'][0]}}"
  run_once: true
  when: sync_tokens|default(false)

- name: Gen_tokens | Copy tokens on masters
  shell: "echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
  changed_when: false
  when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and
        inventory_hostname != groups['kube-master'][0]