wip: r/k8s-worker: Use K8s API to create join token

roles/k8s-worker/tasks/main.yml

@@ -6,25 +6,118 @@
   tags:
   - kubeadm-join
 
-- name: generate bootstrap token
+- name: add node to cluster
-  delegate_to: '{{ groups["k8s-controller"][0] }}'
+  #when:
-  command:
+  #  not stat_kublet_config.stat.exists
-    kubeadm token create
+  tags:
-    --kubeconfig /etc/kubernetes/admin.conf
+  - kubeadm-join
-    --ttl 1h
+  block:
-    --print-join-command
+  - name: generate bootstrap token
-  when:
+    set_fact:
-    not stat_kublet_config.stat.exists
+      bootstrap_token_id: >-
-  changed_when: true
+        {{ lookup("password", "/dev/null length=6 chars=ascii_lowercase,digits") }}
-  register: kubeadm_token_create
+      bootstrap_token_secret: >-
+        {{ lookup("password", "/dev/null length=16 chars=ascii_lowercase,digits") }}
+      cacheable: false
     tags:
     - bootstrap-token
-  - kubeadm-join
+
-- name: join the kubernetes cluster
+  - name: create bootstrap token secret
+    delegate_to: localhost
+    become: false
+    kubernetes.core.k8s:
+      definition:
+        apiVersion: v1
+        kind: Secret
+        type: bootstrap.kubernetes.io/token
+        metadata:
+          name: bootstrap-token-{{ bootstrap_token_id }}
+          namespace: kube-system
+        stringData:
+          description: Bootstrap token for {{ inventory_hostname }}
+          token-id: '{{ bootstrap_token_id }}'
+          token-secret: '{{ bootstrap_token_secret }}'
+          expiration: >-
+            {{ now().utcfromtimestamp(
+                 now().timestamp() + 300
+               ).strftime("%Y-%m-%dT%H:%M:%SZ")
+            }}
+          usage-bootstrap-authentication: 'true'
+          usage-bootstrap-signing: 'true'
+          auth-extra-groups: 'system:bootstrappers:kubeadm:default-node-token'
+    tags:
+    - bootstrap-token
+
+  - name: get cluster info
+    delegate_to: localhost
+    become: false
+    kubernetes.core.k8s:
+      namespace: kube-public
+      api_version: v1
+      kind: ConfigMap
+      name: cluster-info
+    register: cluster_info
+    tags:
+    - cluster-info
+
+  - name: generate kubeconfig for kubeadm join
+    vars:
+      kubeconfig: '{{ cluster_info.result.data.kubeconfig | from_yaml }}'
+      config:
+        apiVersion: v1
+        kind: Config
+        clusters:
+        - name: kubernetes
+          cluster: '{{ kubeconfig.clusters[0].cluster }}'
+        contexts:
+        - name: kubeadm
+          context:
+            cluster: kubernetes
+            user: kubeadm
+        users:
+        - name: kubeadm
+          token: '{{ bootstrap_token_id }}.{{ bootstrap_token_secret }}'
+    copy:
+      dest: /tmp/kubeconfig
+      owner: root
+      group: root
+      mode: u=rw,go=
+      content: '{{ config | to_nice_yaml(indent=2) }}'
+    tags:
+    - kubeconfig
+
+  - name: generate join configuration file
+    vars:
+      config:
+        apiVersion: kubeadm.k8s.io/v1beta3
+        kind: JoinConfiguration
+        nodeRegistration:
+          kubeletExtraArgs:
+            config: /var/lib/kubelet/config.yaml
+        discovery:
+          file:
+            kubeConfigPath: /tmp/kubeconfig
+    copy:
+      dest: /tmp/joinconfiguration
+      owner: root
+      group: root
+      mode: u=rw,go=
+      content: '{{ config | to_nice_yaml(indent=2) }}'
+
+  - name: join the kubernetes cluster
     command: >-
-    {{ kubeadm_token_create.stdout }}
+      kubeadm join --config=/tmp/joinconfiguration
-  when:
-    not stat_kublet_config.stat.exists
     changed_when: true
     tags:
-  - kubeadm-join
+    - run-kubeadm-join
+
+- name: ensure temporary join configuration files are removed
+  file:
+    path: '{{ item }}'
+    state: absent
+  loop:
+  - /tmp/kubeconfig
+  - /tmp/joinconfiguration
+  tags:
+  - kubeadm-join-cleanup
+  - cleanup