kubespray/roles/kubernetes/tokens/tasks/gen_tokens.yml

---
- name: Gen_tokens | copy tokens generation script
  copy:
    src: "kube-gen-token.sh"
    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
    mode: 0700
  run_once: yes
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when: gen_tokens|default(false)

- name: Gen_tokens | generate tokens for master components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ "system:kubectl" ]
    - "{{ groups['kube_control_plane'] }}"
  register: gentoken_master
  changed_when: "'Added' in gentoken_master.stdout"
  run_once: yes
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when: gen_tokens|default(false)

- name: Gen_tokens | generate tokens for node components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ 'system:kubelet' ]
    - "{{ groups['kube_node'] }}"
  register: gentoken_node
  changed_when: "'Added' in gentoken_node.stdout"
  run_once: yes
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  when: gen_tokens|default(false)

- name: Gen_tokens | Get list of tokens from first master
  command: "find {{ kube_token_dir }} -maxdepth 1 -type f"
  register: tokens_list
  check_mode: no
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  when: sync_tokens|default(false)

- name: Gen_tokens | Gather tokens
  shell: "set -o pipefail && tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
  args:
    executable: /bin/bash
  register: tokens_data
  check_mode: no
  delegate_to: "{{ groups['kube_control_plane'][0] }}"
  run_once: true
  when: sync_tokens|default(false)

- name: Gen_tokens | Copy tokens on masters
  shell: "set -o pipefail && echo '{{ tokens_data.stdout|quote }}' | base64 -d | tar xz -C /"
  args:
    executable: /bin/bash
  when:
    - inventory_hostname in groups['kube_control_plane']
    - sync_tokens|default(false)
    - inventory_hostname != groups['kube_control_plane'][0]
    - tokens_data.stdout