c12s-kubespray/roles/kubernetes/secrets/tasks/check-tokens.yml
Vincent Schwarzer ea1f072c7e Granular authentication Control
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00

36 lines
1.2 KiB
YAML

---
- name: "Check_tokens | check if the tokens have already been generated on first master"
stat:
path: "{{ kube_token_dir }}/known_tokens.csv"
delegate_to: "{{groups['kube-master'][0]}}"
register: known_tokens_master
run_once: true
- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
set_fact:
sync_tokens: false
gen_tokens: false
- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
set_fact:
gen_tokens: true
when: not known_tokens_master.stat.exists and kube_token_auth|default(true)
run_once: true
- name: "Check tokens | check if a cert already exists"
stat:
path: "{{ kube_cert_dir }}/ca.pem"
register: known_tokens
- name: "Check_tokens | Set 'sync_tokens' to true"
set_fact:
sync_tokens: true
when: >-
{%- set tokens = {'sync': False} -%}
{%- for server in groups['kube-master'] | intersect(play_hosts)
if (not hostvars[server].known_tokens.stat.exists) or
(hostvars[server].known_tokens.stat.checksum != known_tokens_master.stat.checksum|default('')) -%}
{%- set _ = tokens.update({'sync': True}) -%}
{%- endfor -%}
{{ tokens.sync }}
run_once: true