From 3f2eae6e3d167c231805b88f9ec624c2f8d5b88c Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 14 May 2023 04:10:08 +0200
Subject: kubernetes/kubeadm: nuke all bootstrap tokens on cluster-cleanup
---
 common/kubernetes-cluster-cleanup.yml | 10 +++
 inventory/group_vars/k8s-chtest/vars.yml | 75 +++++++++++-----------
 .../control-plane/templates/kubeadm-init.config.j2 | 4 --
 3 files changed, 46 insertions(+), 43 deletions(-)
diff --git a/common/kubernetes-cluster-cleanup.yml b/common/kubernetes-cluster-cleanup.yml
index 69a9fc7e..5c2fac45 100644
--- a/common/kubernetes-cluster-cleanup.yml
+++ b/common/kubernetes-cluster-cleanup.yml
@@ -19,6 +19,16 @@
 kubernetes_node_name: "{{ item[0] }}"
 changed_when: False
+ - name: get list of bootstrap-tokens
+ command: "kubeadm token list --show-managed-fields -o jsonpath='{.token};'"
+ changed_when: False
+ check_mode: no
+ register: kubeadm_token_list_json
+
+ - name: delete all bootstrap tokens
+ loop: "{{ kubeadm_token_list_json.stdout | split(';') | reject('==', '') }}"
+ command: "kubeadm token delete {{ item }}"
+
 - name: prune superflous nodes from cluster
 hosts: _kubernetes_nodes_
 roles:
diff --git a/inventory/group_vars/k8s-chtest/vars.yml b/inventory/group_vars/k8s-chtest/vars.yml
index 2aa63de7..8ffa66b8 100644
--- a/inventory/group_vars/k8s-chtest/vars.yml
+++ b/inventory/group_vars/k8s-chtest/vars.yml
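Review bot: If the play these two tasks belong to targets more than one control-plane host (its `hosts:` line is outside this hunk), every host registers the same token list and each `kubeadm token delete {{ item }}` after the first host's fails with a not-found error and aborts the play; `run_once: true` on both tasks, or delegating them to a single control-plane node, avoids that. The loop expression deserves a comment for the next reader, e.g. `# jsonpath prints "tok1;tok2;" - split on ';' and drop the trailing empty element`, since the `reject('==', '')` is otherwise easy to mistake for dead code. Separately, the third file in this patch drops the `ttl: "1s"` override, so the token that `kubeadm init` creates on its own presumably keeps kubeadm's default 24h lifetime and is now revoked only when this cleanup play runs; unless something outside this patch deletes it right after init, that join window is worth closing at init time rather than relying on cleanup.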
@@ -6,54 +6,51 @@ kubernetes_cri_tools_pkg_version: 1.26.0-00 kubernetes_container_runtime: containerd containerd_pkg_provider: docker-com + ### Kube-Router # -#kubernetes_network_plugin: kube-router -#kubernetes_network_plugin_version: 1.5.1 -#kubernetes_network_plugin_replaces_kube_proxy: yes -#kubernetes_enable_nodelocal_dnscache: yes - +kubernetes_network_plugin: kube-router +kubernetes_network_plugin_version: 1.5.1 +kubernetes_network_plugin_replaces_kube_proxy: yes +kubernetes_enable_nodelocal_dnscache: yes ### kubeguard # -kubernetes_network_plugin: kubeguard -kubernetes_network_plugin_replaces_kube_proxy: no -kubernetes_enable_nodelocal_dnscache: yes -kubeguard: - ## node_index must be in the range between 1 and 190 -> 189 hosts possible - ## - ## hardcoded hostnames are not nice but if we do this via host_vars - ## the info is spread over multiple files and this makes it more diffcult - ## to find mistakes, so it is nicer to keep it in one place... - node_index: - ch-calypso: 125 - ch-thetys: 126 - ch-k8s-ctrl: 127 -kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ansible.utils.ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}" - +#kubernetes_network_plugin: kubeguard +#kubernetes_network_plugin_replaces_kube_proxy: no +#kubernetes_enable_nodelocal_dnscache: yes +#kubeguard: +# ## node_index must be in the range between 1 and 190 -> 189 hosts possible +# ## +# ## hardcoded hostnames are not nice but if we do this via host_vars +# ## the info is spread over multiple files and this makes it more diffcult +# ## to find mistakes, so it is nicer to keep it in one place... 
+# node_index: +# ch-calypso: 125 +# ch-thetys: 126 +# ch-k8s-ctrl: 127 +#kubernetes_overlay_node_ip: "{{ kubernetes.pod_ip_range | ansible.utils.ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}" ### Cilium # -# kubernetes_network_plugin: cilium -# kubernetes_network_plugin_version: 1.13.2 -# kubernetes_network_plugin_replaces_kube_proxy: yes -# kubernetes_enable_nodelocal_dnscache: no -# kubernetes_cilium_config: -# ipam: kubernetes -# tunnel: disabled -# ipv4-native-routing-cidr: 192.168.28.0/24 -# auto-direct-node-routes: yes -# base_sysctl_config_user: -# net.ipv4.conf.all.rp_filter: 0 -# net.ipv4.conf.default.rp_filter: 0 - - -#### None +#kubernetes_network_plugin: cilium +#kubernetes_network_plugin_version: 1.13.2 +#kubernetes_network_plugin_replaces_kube_proxy: yes +#kubernetes_enable_nodelocal_dnscache: no +#kubernetes_cilium_config: +# ipam: kubernetes +# tunnel: disabled +# ipv4-native-routing-cidr: 192.168.28.0/24 +# auto-direct-node-routes: yes +#base_sysctl_config_user: +# net.ipv4.conf.all.rp_filter: 0 +# net.ipv4.conf.default.rp_filter: 0 + +### None # -# kubernetes_network_plugin: none -# kubernetes_network_plugin_replaces_kube_proxy: yes -# kubernetes_enable_nodelocal_dnscache: no - +#kubernetes_network_plugin: none +#kubernetes_network_plugin_replaces_kube_proxy: yes +#kubernetes_enable_nodelocal_dnscache: no kubernetes: diff --git a/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2 b/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2 index b58c4d02..9aba276c 100644 --- a/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2 +++ b/roles/kubernetes/kubeadm/control-plane/templates/kubeadm-init.config.j2 
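Review bot: The kubeguard-to-kube-router switch for the k8s-chtest inventory is unrelated to the bootstrap-token cleanup named in the subject, and since it also removes the `kubeguard.node_index` map and `kubernetes_overlay_node_ip` from the active configuration it would be easier to bisect and revert as its own commit. The newly active `kubernetes_network_plugin_replaces_kube_proxy: yes` and `kubernetes_enable_nodelocal_dnscache: yes` use YAML 1.1 truthy spellings that yamllint's `truthy` rule rejects; `kubernetes_network_plugin_replaces_kube_proxy: true` and `kubernetes_enable_nodelocal_dnscache: true` read unambiguously. The `kubernetes:` mapping at the end of the hunk continues outside it.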
@@ -2,10 +2,6 @@
 {# #}
 apiVersion: kubeadm.k8s.io/v1beta3
 kind: InitConfiguration
-{# it's easier to extract the bootstap token from separate `kubeadm token create` call #}
-{# so make sure the token created by init expires fast #}
-bootstrapTokens:
-- ttl: "1s"
 localAPIEndpoint:
 bindPort: 6442
 {% if kubernetes_overlay_node_ip is defined %}
-- cgit v1.2.3