From 67419e8d0a4ee68b50a782af026cf1641e7990f8 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Wed, 15 Nov 2017 18:50:23 +0000
Subject: [PATCH] Run rotate_tokens role only once (#1970)

---
 cluster.yml | 7 ++++++-
 roles/kubernetes-apps/rotate_tokens/tasks/main.yml | 5 -----
 upgrade-cluster.yml | 7 ++++++-
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/cluster.yml b/cluster.yml
index 05c913828..0e014371e 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -82,11 +82,16 @@
     - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
     - { role: network_plugin, tags: network }
 
-- hosts: kube-master
+- hosts: kube-master[0]
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
   roles:
     - { role: kubespray-defaults}
     - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
+
+- hosts: kube-master
+  any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
+  roles:
+    - { role: kubespray-defaults}
     - { role: kubernetes-apps/network_plugin, tags: network }
     - { role: kubernetes-apps/policy_controller, tags: policy-controller }
 
diff --git a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
index 23b63ee8a..d475cc8bf 100644
--- a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
+++ b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
@@ -8,7 +8,6 @@
   command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson"
   register: default_token_data
   changed_when: false
-  run_once: true
 
 - name: Rotate Tokens | Test if default certificate is expired
   uri:
@@ -19,7 +18,6 @@
     headers:
       Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
   register: check_secret
-  run_once: true
   failed_when: false
 
 - name: Rotate Tokens | Determine if certificate is expired
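Review bot: The `when: "secret_changed|default(false)"` gate on the rotate_tokens role is now evaluated only against kube-master[0], since that is the play's sole host; if `secret_changed` is a per-host fact set by an earlier role (not visible here — confirm against the certs/master roles), a secret regenerated on a different master no longer triggers rotation. Either gate on any master, e.g. `when: "groups['kube-master'] | map('extract', hostvars, 'secret_changed') | map('default', false) | select | list | length > 0"`, or state the assumption above the play: `# rotate_tokens runs on a single master on purpose: it deletes cluster-wide secrets and kube-system pods and must not be repeated per host.` Note that `kube-master[0]` is inventory order, so reordering the inventory silently moves where the rotation runs.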
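Review bot: `register: default_token_data` captures the whole secret JSON, including the base64 service-account token, and registered results are printed at `-v` and by several callback plugins, so this task should carry `no_log: true` next to `changed_when: false`. With `run_once` gone the role now relies entirely on the calling play to limit it to one host, which nothing in this file records; a header comment at the top of the file (above this hunk) should state that contract, e.g. `# Apply this role to exactly one host (cluster.yml uses kube-master[0]); running it on every master repeats the cluster-wide secret and pod deletions.` The task's `name:` line is above the hunk.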
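Review bot: The `Authorization: "Bearer …"` header interpolates the decoded service-account token, and the `uri` module echoes its arguments, headers included, in verbose output and on failure, so this task also needs `no_log: true`. `failed_when: false` silences connection and TLS errors as well as the 401 an expired token would produce; the next task that inspects `check_secret` (outside this hunk) should key on `check_secret.status` and not treat any non-success as "expired", otherwise a transient API outage would start a rotation that deletes every kube-system pod. The `url:`/`validate_certs:` lines of this `uri` call are above the hunk, so confirm it verifies the cluster CA rather than disabling validation.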
@@ -35,16 +33,13 @@
     | grep kubernetes.io/service-account-token
     | egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
   register: tokens_to_delete
-  run_once: true
   when: needs_rotation
 
 - name: Rotate Tokens | Delete expired tokens
   command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
   with_items: "{{ tokens_to_delete.stdout_lines }}"
-  run_once: true
   when: needs_rotation
 
 - name: Rotate Tokens | Delete pods in system namespace
   command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
-  run_once: true
   when: needs_rotation
diff --git a/upgrade-cluster.yml b/upgrade-cluster.yml
index 652ae9a08..3044a629d 100644
--- a/upgrade-cluster.yml
+++ b/upgrade-cluster.yml
@@ -85,11 +85,16 @@
     - { role: kubernetes/kubeadm, tags: kubeadm, when: "kubeadm_enabled" }
     - { role: kubespray-defaults}
 
-- hosts: kube-master
+- hosts: kube-master[0]
   any_errors_fatal: true
   roles:
     - { role: kubespray-defaults}
     - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
+
+- hosts: kube-master
+  any_errors_fatal: true
+  roles:
+    - { role: kubespray-defaults}
     - { role: kubernetes-apps/network_plugin, tags: network }
     - { role: kubernetes-apps/policy_controller, tags: policy-controller }
     - { role: kubernetes/client, tags: client }
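Review bot: The `egrep` alternation is matched against the whole line, so it also hits the namespace and type columns, and since the delete task below treats field `[0]` as namespace and `[1]` as name, every service-account token in a namespace whose name merely contains `weave`, `dashboard`, `efk`, `tiller` and so on is deleted as well. Restrict the match to the name field, e.g. replace the egrep line with `| awk '$2 ~ /default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller/'` (keeping substring matching, since names such as kubernetes-dashboard-token-… are not prefixed). The first line of this shell command is above the hunk, so confirm its output really is `namespace name type` per line as the split indices assume. Separately, `kubectl delete pods -n {{ system_namespace }} --all` takes down the whole system namespace at once; if only pods using the rotated tokens need a restart, a label or service-account selector would shrink the blast radius.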
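Review bot: The newly duplicated play hard-codes `any_errors_fatal: true`, whereas the matching plays in cluster.yml use `any_errors_fatal: "{{ any_errors_fatal | default(true) }}"`; the literal was already in this file, but copying it into a second play widens the drift between the two playbooks. Use the overridable form in both plays here, or add a comment above the first one such as `# upgrade path: any_errors_fatal is intentionally not overridable` so the difference reads as deliberate. The `secret_changed` gate carries the same single-host caveat as in cluster.yml.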