Remove generation of static tokens for cluster members #11567

Merged
2 changes: 0 additions & 2 deletions docs/ansible/ansible.md
Expand Up @@ -174,8 +174,6 @@ The following tags are defined in playbooks:
| init | Windows kubernetes init nodes |
| iptables | Flush and clear iptable when resetting |
| k8s-pre-upgrade | Upgrading K8s cluster |
| k8s-secrets | Configuring K8s certs/keys |
| k8s-gen-tokens | Configuring K8s tokens |
| kata-containers | Configuring kata-containers runtime |
| krew | Install and manage krew |
| kubeadm | Roles linked to kubeadm tasks |
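Review bot: Dropping the `k8s-secrets` and `k8s-gen-tokens` rows from the tag table deserves a matching upgrade note, because existing wrapper scripts that pass `--tags=k8s-secrets` will no longer match the tasks this PR untags. A short release-note entry naming both removed tags would let operators clean up their invocations.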
2 changes: 1 addition & 1 deletion docs/operations/upgrades.md
Expand Up @@ -392,7 +392,7 @@ ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd --limi
Upgrade kubelet:

```ShellSession
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
```

Upgrade Kubernetes master components:
4 changes: 0 additions & 4 deletions roles/kubernetes/control-plane/meta/main.yml
@@ -1,10 +1,6 @@
---
dependencies:
- role: kubernetes/kubeadm_common
- role: kubernetes/tokens
when: kube_token_auth
tags:
- k8s-secrets
- role: adduser
user: "{{ addusers.etcd }}"
when:
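Review bot: With the `kubernetes/tokens` dependency removed here and the role's files deleted, nothing in this PR writes `known_tokens.csv` any more, yet the kubeadm config template still emits `token-auth-file: {{ kube_token_dir }}/known_tokens.csv` whenever `kube_token_auth` is true. Either document that operators who enable `kube_token_auth` must now provision that file themselves, or add a pre-flight check that fails early when the flag is set and the file is absent, so the gap does not surface only when the API server reads its flags.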
Expand Up @@ -148,7 +148,7 @@ apiServer:
profiling: "{{ kube_profiling }}"
request-timeout: "{{ kube_apiserver_request_timeout }}"
enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
{% if kube_token_auth | default(true) %}
{% if kube_token_auth %}
token-auth-file: {{ kube_token_dir }}/known_tokens.csv
{% endif %}
{% if kube_apiserver_service_account_lookup %}
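Review bot: Replacing `kube_token_auth | default(true)` with a bare `kube_token_auth` in the `token-auth-file` condition makes the template depend on the variable being defined elsewhere, and no defaults file is touched in this diff. Please confirm a role default exists and that it is `false`, so that static bearer-token authentication is opt-in rather than what an unset inventory gets. The same check applies to the other `default()` filters dropped further down in this template, including `kube_webhook_token_auth | default(false)`.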
Expand Down Expand Up @@ -230,14 +230,14 @@ apiServer:
{% if kube_apiserver_tracing %}
tracing-config-file: {{ kube_config_dir }}/tracing/apiserver-tracing.yaml
{% endif %}
{% if kubernetes_audit or kube_token_auth | default(true) or kube_webhook_token_auth | default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] ) or apiserver_extra_volumes or ssl_ca_dirs | length %}
{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] ) or apiserver_extra_volumes or ssl_ca_dirs | length %}
extraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %}
- name: cloud-config
hostPath: {{ kube_config_dir }}/cloud_config
mountPath: {{ kube_config_dir }}/cloud_config
{% endif %}
{% if kube_token_auth | default(true) %}
{% if kube_token_auth %}
- name: token-auth-config
hostPath: {{ kube_token_dir }}
mountPath: {{ kube_token_dir }}
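Review bot: The `token-auth-config` volume at the end of this hunk still mounts `{{ kube_token_dir }}` when `kube_token_auth` is set, but the PR adds no task that cleans that directory up on clusters deployed before this change. Tokens written by the deleted role stay on disk, and stay accepted wherever `token-auth-file` remains configured, so consider a cleanup task or an upgrade note telling operators to remove or rotate `known_tokens.csv`.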
2 changes: 0 additions & 2 deletions roles/kubernetes/preinstall/tasks/0050-create_directories.yml
Expand Up @@ -9,7 +9,6 @@
become: true
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
Expand All @@ -34,7 +33,6 @@
become: true
tags:
- kubelet
- k8s-secrets
- kube-controller-manager
- kube-apiserver
- bootstrap-os
34 changes: 0 additions & 34 deletions roles/kubernetes/tokens/files/kube-gen-token.sh

This file was deleted.

41 changes: 0 additions & 41 deletions roles/kubernetes/tokens/tasks/check-tokens.yml

This file was deleted.

63 changes: 0 additions & 63 deletions roles/kubernetes/tokens/tasks/gen_tokens.yml

This file was deleted.

21 changes: 0 additions & 21 deletions roles/kubernetes/tokens/tasks/main.yml

This file was deleted.