From c10b84f0f473616c80e10dfd569239c1edb65743 Mon Sep 17 00:00:00 2001
From: anon-software <8951449+anon-software@users.noreply.github.com>
Date: Mon, 11 Nov 2024 13:07:31 -0800
Subject: [PATCH] enable autogenerating token (#375)

* Generate token

If a token is not explicitly provided, let the first server generate a
random one. Such a token is saved on the first server and the playbook
can retrieve it from there and store it a a fact. All other servers and
agents can use that token later to join the cluster. It will be saved
into their environment file as usual.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

* Document that token is (mostly) optional now

The token is still required when using Vagrant.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 Vagrantfile                       |  1 +
 inventory-sample.yml              |  1 +
 roles/k3s_agent/defaults/main.yml |  1 +
 roles/k3s_agent/tasks/main.yml    |  4 ++++
 roles/k3s_server/tasks/main.yml   | 26 ++++++++++++++++++++++++--
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index c26c6270e..4f4c7c058 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -28,6 +28,7 @@ def provision(vm, role, node_num)
     ansible.extra_vars = {
       k3s_version: "v1.28.14+k3s1",
       api_endpoint: "#{NETWORK_PREFIX}.100",
+      # Required for vagrant ansible provisioner
       token: "myvagrant",
       # Required to use the private network configured above
       extra_server_args: "--node-external-ip #{node_ip} --flannel-iface eth1", 
diff --git a/inventory-sample.yml b/inventory-sample.yml
index 8c09d3fb4..e237881fd 100644
--- a/inventory-sample.yml
+++ b/inventory-sample.yml
@@ -19,6 +19,7 @@ k3s_cluster:
     # - openssl rand -base64 64
     # - pwgen -s 64 1
     # You can use ansible-vault to encrypt this value / keep it secret.
+    # Or you can omit it if not using Vagrant and let the first server automatically generate one.
     token: "changeme!"
     api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
     extra_server_args: ""
diff --git a/roles/k3s_agent/defaults/main.yml b/roles/k3s_agent/defaults/main.yml
index cf5acb9f4..c190cc64d 100644
--- a/roles/k3s_agent/defaults/main.yml
+++ b/roles/k3s_agent/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+server_group: server  # noqa var-naming[no-role-prefix]
 k3s_server_location: "/var/lib/rancher/k3s"  # noqa var-naming[no-role-prefix]
 systemd_dir: "/etc/systemd/system"  # noqa var-naming[no-role-prefix]
 api_port: 6443  # noqa var-naming[no-role-prefix]
diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index 39df326ac..c7f9b9609 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,6 +35,10 @@
         INSTALL_K3S_EXEC: "agent"
       changed_when: true
 
+- name: Get the token from the first server
+  ansible.builtin.set_fact:
+    token: "{{ hostvars[groups[server_group][0]].token }}"
+
 - name: Delete any existing token from the environment if different from the new one
   ansible.builtin.lineinfile:
     state: absent
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index 833119037..4c434b6ed 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -90,14 +90,16 @@
       ansible.builtin.lineinfile:
         state: absent
         path: "{{ systemd_dir }}/k3s.service.env"
-        regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)"
+        regexp: "^K3S_TOKEN=\\s*(?!{{ token | default('') }}\\s*$)"
 
-    # Add the token to the environment.
+    # Add the token to the environment if it has been provided.
+    # Otherwise, let the first server create one on the first run.
     - name: Add token as an environment variable
       no_log: true # avoid logging the server token
       ansible.builtin.lineinfile:
         path: "{{ systemd_dir }}/k3s.service.env"
         line: "K3S_TOKEN={{ token }}"
+      when: token is defined
 
     - name: Restart K3s service
       when:
@@ -182,11 +184,31 @@
           changed_when:
             - mv_result.rc == 0
 
+    - name: Get the token if randomly generated
+      when: token is not defined
+      block:
+        - name: Wait for token
+          ansible.builtin.wait_for:
+            path: /var/lib/rancher/k3s/server/token
+
+        - name: Read node-token from master
+          ansible.builtin.slurp:
+            src: /var/lib/rancher/k3s/server/token
+          register: node_token
+
+        - name: Store Master node-token
+          ansible.builtin.set_fact:
+            token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"
+
 - name: Start other server if any and verify status
   when:
     - (groups[server_group] | length) > 1
     - inventory_hostname != groups[server_group][0]
   block:
+    - name: Get the token from the first server
+      ansible.builtin.set_fact:
+        token: "{{ hostvars[groups[server_group][0]].token }}"
+
     - name: Delete any existing token from the environment if different from the new one
       ansible.builtin.lineinfile:
         state: absent