From 040d37878b51ca9289417c4a9796698425fabf89 Mon Sep 17 00:00:00 2001 From: anon-software <8951449+anon-software@users.noreply.github.com> Date: Mon, 7 Oct 2024 09:44:28 -0700 Subject: [PATCH] Prevent multiple tokens in k3s.service.env (#364) * Prevent multiple tokens in k3s.service.env If site.yml playbook is executed multiple times with different tokens, they will all accumulate in k3s.service.env. They won't do any harm because the last one wins, however it is a matter of good housekeeping to delete the old before inserting a new one. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> * Selectively remove existing token from the environment file If the existing token in the environment file is the same as the token used for the playbook run, leave it in the file to avoid false changed status from the task. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> --------- Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> --- roles/k3s_agent/tasks/main.yml | 6 ++++++ roles/k3s_server/tasks/main.yml | 12 ++++++++++++ 2 files changed, 18 insertions(+) diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml index 2dafa3c..565ef25 100644 --- a/roles/k3s_agent/tasks/main.yml +++ b/roles/k3s_agent/tasks/main.yml @@ -35,6 +35,12 @@ INSTALL_K3S_EXEC: "agent" changed_when: true +- name: Delete any existing token from the environment if different from the new one + ansible.builtin.lineinfile: + state: absent + path: "{{ systemd_dir }}/k3s-agent.service.env" + regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)" + - name: Add the token for joining the cluster to the environment no_log: true # avoid logging the server token ansible.builtin.lineinfile: diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml index a61eb0b..12131f2 100644 --- a/roles/k3s_server/tasks/main.yml +++ b/roles/k3s_server/tasks/main.yml 
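Review bot: The delete task added in roles/k3s_agent/tasks/main.yml has no `no_log: true`, although its `regexp` embeds `{{ token }}` and the line it removes holds the previous token. The add task directly below it is marked `no_log: true # avoid logging the server token`, so the two tasks now treat the same secret differently. Without the setting, the rendered regexp can appear in the module arguments printed at higher verbosity, and the removed line likely shows up in `--diff` output. Add `no_log: true # regexp and removed line contain the token` to this task and to the two identical tasks added in roles/k3s_server/tasks/main.yml.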
@@ -86,6 +86,12 @@ line: "{{ item }}" with_items: "{{ extra_service_envs }}" + - name: Delete any existing token from the environment if different from the new one + ansible.builtin.lineinfile: + state: absent + path: "{{ systemd_dir }}/k3s.service.env" + regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)" + # Add the token to the environment. - name: Add token as an environment variable no_log: true # avoid logging the server token @@ -181,6 +187,12 @@ - (groups[server_group] | length) > 1 - inventory_hostname != groups[server_group][0] block: + - name: Delete any existing token from the environment if different from the new one + ansible.builtin.lineinfile: + state: absent + path: "{{ systemd_dir }}/k3s.service.env" + regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)" + - name: Add the token for joining the cluster to the environment no_log: true # avoid logging the server token ansible.builtin.lineinfile:
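Review bot: `{{ token }}` is interpolated into the `regexp` unescaped in both delete tasks added to this file, and in the matching task in roles/k3s_agent/tasks/main.yml, so any regex metacharacter in the token changes what the negative lookahead compares against. A token containing `+`, `$` or an unbalanced `(` can stop the pattern from recognising the current token, or from compiling at all. In the first case the line is deleted and re-added on every run, which brings back the false changed status the second commit set out to avoid. Escaping the value keeps the comparison literal: `regexp: "^K3S_TOKEN=\\s*(?!{{ token | regex_escape }}\\s*$)"`.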