More idempotency fixes

Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks

roles/kubernetes/secrets/tasks/gen_certs_script.yml

@@ -106,6 +106,8 @@
 - name: Gen_certs | Prepare tempfile for unpacking certs
   shell: mktemp /tmp/certsXXXXX.tar.gz
   register: cert_tempfile
+  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]
 
 - name: Gen_certs | Write master certs to tempfile
   copy:
@@ -149,13 +151,9 @@
     path: "{{ kube_cert_dir }}"
     group: "{{ kube_cert_group }}"
     owner: kube
+    mode: "u=rwX,g-rwx,o-rwx"
     recurse: yes
 
-- name: Gen_certs | set permissions on keys
-  shell: chmod 0600 {{ kube_cert_dir}}/*key.pem
-  when: inventory_hostname in groups['kube-master']
-  changed_when: false
-
 - name: Gen_certs | target ca-certificates path
   set_fact:
     ca_cert_path: |-