generate secrets on first master

roles/coreos-bootstrap/tasks/main.yml

@@ -37,7 +37,7 @@
 - name: Install required python modules
   pip:
     name: "{{ item }}"
-  with_items: pip_python_modules
+  with_items: "{{pip_python_modules}}"
 
 - name: Check configured hostname
   shell: hostname

roles/kubernetes/secrets/tasks/check-tokens.yml

@@ -0,0 +1,36 @@
+---
+- name: "Check tokens | check if the tokens have already been generated on first master"
+  stat:
+    path: "{{ kube_token_dir }}/known_tokens.csv"
+  delegate_to: "{{groups['kube-master'][0]}}"
+  register: known_tokens_master
+  run_once: true
+
+- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
+  set_fact:
+    sync_tokens: false
+    gen_tokens: false
+
+- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
+  set_fact:
+    gen_tokens: true
+  when: not known_tokens_master.stat.exists
+  run_once: true
+
+- name: "Check tokens | check if a cert already exists"
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  register: known_tokens
+
+- name: "Check_tokens | Set 'sync_tokens' to true"
+  set_fact:
+    sync_tokens: true
+  when: >-
+      {%- set tokens = {'sync': False} -%}
+      {%- for server in groups['kube-master']
+         if (not hostvars[server].known_tokens.stat.exists) or
+         (hostvars[server].known_tokens.stat.checksum != known_tokens_master.stat.checksum|default('')) -%}
+         {%- set _ = tokens.update({'sync': True}) -%}
+      {%- endfor -%}
+      {{ tokens.sync }}
+  run_once: true

roles/kubernetes/secrets/tasks/gen_certs.yml

@@ -1,31 +1,29 @@
 ---
 - name: certs | write openssl config
-  become: False
-  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+  template:
+    src: "openssl.conf.j2"
+    dest: "{{ kube_config_dir }}/openssl.conf"
   run_once: yes
-  when: gen_certs|default(false)
+  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
+
+- name: certs | copy certs generation script
+  copy:
+    src: "make-ssl.sh"
+    dest: "{{ kube_script_dir }}/make-ssl.sh"
+    mode: 0700
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
 
 - name: certs | run cert generation script
-  become: False
-  local_action: shell
-    {{ role_path }}/scripts/make-ssl.sh
-    -f {{ role_path }}/files/openssl.conf
-    -d {{ role_path }}/files/certs/
+  command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
   run_once: yes
-  when: gen_certs|default(false)
+  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
   notify: set secret_changed
 
 - set_fact:
     master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem']
     node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
 
-- name: certs | Copy certs on first master
-  copy:
-    src: "certs/{{ item }}"
-    dest: "{{ kube_cert_dir }}"
-  with_items: '{{ master_certs + node_certs }}'
-  when: inventory_hostname == "{{ groups['kube-master'][0] }}" and gen_certs|default(false)
-
 - name: certs | Get the certs from first master
   slurp:
     src: "{{ kube_cert_dir }}/{{ item }}"

roles/kubernetes/secrets/tasks/gen_tokens.yml

@@ -1,30 +1,58 @@
 ---
+- name: tokens | copy tokens generation script
+  copy:
+    src: "kube-gen-token.sh"
+    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
+    mode: 0700
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
+
 - name: tokens | generate tokens for master components
-  become: False
-  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
   environment:
-    TOKEN_DIR: "{{ role_path }}/files/tokens"
+    TOKEN_DIR: "{{ kube_token_dir }}"
   with_nested:
     - [ "system:kubectl" ]
     - "{{ groups['kube-master'] }}"
   register: gentoken_master
   changed_when: "'Added' in gentoken_master.stdout"
   notify: set secret_changed
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
 
 - name: tokens | generate tokens for node components
-  become: False
-  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
   environment:
-    TOKEN_DIR: "{{ role_path }}/files/tokens"
+    TOKEN_DIR: "{{ kube_token_dir }}"
   with_nested:
     - [ 'system:kubelet' ]
     - "{{ groups['kube-node'] }}"
   register: gentoken_node
   changed_when: "'Added' in gentoken_node.stdout"
   notify: set secret_changed
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
+
+- name: tokens | Get list of tokens from first master
+  shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
+  register: tokens_list
+  changed_when: false
+  when: inventory_hostname == groups['kube-master'][0] and sync_tokens|default(false)
+
+- name: tokens | Get the tokens from first master
+  slurp:
+    src: "{{ item }}"
+  delegate_to: "{{groups['kube-master'][0]}}"
+  register: slurp_tokens
+  with_items: '{{tokens_list.stdout_lines}}'
+  when: sync_tokens|default(false)
+  run_once: true
+  notify: set secret_changed
 
-- name: tokens | Copy tokens on master
+- name: tokens | Copy tokens on masters
   copy:
-    src: "tokens"
-    dest: "/etc/kubernetes"
-  when: inventory_hostname in "{{ groups['kube-master'] }}"
+    content: "{{ item.content|b64decode }}"
+    dest: "{{ item.source }}"
+  with_items: '{{slurp_tokens.results}}'
+  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]

roles/kubernetes/secrets/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 - include: check-certs.yml
+- include: check-tokens.yml
 
 - name: Make sure the certificate directory exits
   file: