Remove rotate_tokens logic

kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods Signed-off-by: Etienne Champetier <e.champetier@ateme.com> (cherry picked from commit 8800b5c01d)
2026-02-03 18:48:17 -03:30 · 2021-03-03 17:16:23 -05:00
parent 591a51aa75
commit 9ecbf75cb4
7 changed files with 0 additions and 109 deletions
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -121,21 +121,3 @@
  until: result.status == 200
  retries: 60
  delay: 1
-
- name: Master | set secret_changed
-  command: /bin/true
-  notify:
-    - Master | set secret_changed to true
-    - Master | Copy new kubeconfig for root user
-
- name: Master | set secret_changed to true
-  set_fact:
-    secret_changed: true
-
- name: Master | Copy new kubeconfig for root user
-  copy:
-    src: "{{ kube_config_dir }}/admin.conf"
-    dest: "{{ ansible_env.HOME | default('/root') }}/.kube/config"
-    remote_src: yes
-    mode: "0600"
-    backup: yes
--- a/roles/kubernetes/master/tasks/kubeadm-secondary.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary.yml
@@ -66,7 +66,3 @@
  when:
    - inventory_hostname != groups['kube-master']|first
    - kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
-
- name: Set secret_changed to false to avoid extra token rotation
-  set_fact:
-    secret_changed: false
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -10,15 +10,6 @@
    - kube_oidc_auth
    - kube_oidc_ca_cert is defined

- name: kubeadm | Check serviceaccount key
-  stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-    get_attributes: no
-    get_checksum: yes
-    get_mime: no
-  register: sa_key_before
-  run_once: true
-
 - name: kubeadm | Check if kubeadm has already run
  stat:
    path: "/var/lib/kubelet/config.yaml"
@@ -180,20 +171,6 @@
    - upgrade_cluster_setup
    - kubeadm_already_run.stat.exists

- name: kubeadm | Check serviceaccount key again
-  stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-    get_attributes: no
-    get_checksum: yes
-    get_mime: no
-  register: sa_key_after
-  run_once: true
-
- name: kubeadm | Set secret_changed if service account key was updated
-  command: /bin/true
-  notify: Master | set secret_changed
-  when: sa_key_before.stat.checksum|default("") != sa_key_after.stat.checksum
-
 # FIXME(mattymo): from docs: If you don't want to taint your control-plane node, set this field to an empty slice, i.e. `taints: {}` in the YAML file.
 - name: kubeadm | Remove taint for master with node role
  command: "{{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf taint node {{ inventory_hostname }} node-role.kubernetes.io/master:NoSchedule-"