From f624a42ef0a32520f32b0520a3dd029fe0e0e2c1 Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Wed, 25 Sep 2024 20:54:42 -0700
Subject: [PATCH 1/2] Prevent multiple tokens in k3s.service.env

If site.yml playbook is executed multiple times with different tokens, they will all accumulate in k3s.service.env. They won't do any harm because the last one wins, however it is a matter of good housekeeping to delete the old before inserting a new one.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_agent/tasks/main.yml | 6 ++++++
 roles/k3s_server/tasks/main.yml | 12 ++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index 2dafa3ce..b65b84e6 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,6 +35,12 @@
 INSTALL_K3S_EXEC: "agent"
 changed_when: true
+- name: Delete any existing token from the environment
+ ansible.builtin.lineinfile:
+ state: absent
+ path: "{{ systemd_dir }}/k3s-agent.service.env"
+ search_string: "K3S_TOKEN="
+
 - name: Add the token for joining the cluster to the environment
 no_log: true # avoid logging the server token
 ansible.builtin.lineinfile:
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index a61eb0b6..a4f8c4cb 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -86,6 +86,12 @@
 line: "{{ item }}"
 with_items: "{{ extra_service_envs }}"
+ - name: Delete any existing token from the environment
+ ansible.builtin.lineinfile:
+ state: absent
+ path: "{{ systemd_dir }}/k3s.service.env"
+ search_string: "K3S_TOKEN="
+
 # Add the token to the environment.
 - name: Add token as an environment variable
 no_log: true # avoid logging the server token
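Review bot: The new "Delete any existing token from the environment" task in the k3s_agent hunk has no `no_log: true`, although the add task directly after it sets that flag to keep the server token out of the logs. `lineinfile` reports a before/after diff of the file, so a run with `--diff` would print the env file contents, including the old `K3S_TOKEN=` line being removed. Add `no_log: true  # the removed line holds the previous token` to this task. The same applies to the k3s_server hunk at -86 and to the one at -181 that follows; the task lists start and end outside these hunks.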
@@ -181,6 +187,12 @@
 - (groups[server_group] | length) > 1
 - inventory_hostname != groups[server_group][0]
 block:
+ - name: Delete any existing token from the environment
+ ansible.builtin.lineinfile:
+ state: absent
+ path: "{{ systemd_dir }}/k3s.service.env"
+ search_string: "K3S_TOKEN="
+
 - name: Add the token for joining the cluster to the environment
 no_log: true # avoid logging the server token
 ansible.builtin.lineinfile:

From 65d4fc8cb6cd719925d3dddca2ed1ae9ddcef02f Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Fri, 27 Sep 2024 13:37:16 -0700
Subject: [PATCH 2/2] Selectively remove existing token from the environment file

If the existing token in the environment file is the same as the token used for the playbook run, leave it in the file to avoid false changed status from the task.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_agent/tasks/main.yml | 4 ++--
 roles/k3s_server/tasks/main.yml | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index b65b84e6..565ef258 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,11 +35,11 @@
 INSTALL_K3S_EXEC: "agent"
 changed_when: true
-- name: Delete any existing token from the environment
+- name: Delete any existing token from the environment if different from the new one
 ansible.builtin.lineinfile:
 state: absent
 path: "{{ systemd_dir }}/k3s-agent.service.env"
- search_string: "K3S_TOKEN="
+ regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)"
 - name: Add the token for joining the cluster to the environment
 no_log: true # avoid logging the server token
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index a4f8c4cb..12131f2a 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
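Review bot: The rewritten `regexp` in the k3s_agent hunk of patch 2/2 renders `{{ token }}` into the arguments of a task that is not `no_log`, so the join token can appear in high-verbosity output and in the module invocation record on the managed host, which the neighbouring add task explicitly avoids. The token is also placed in the pattern unescaped: a token containing regex metacharacters such as `+`, `.` or `(` would either not match its own line (the task then reports a change on every run) or make the pattern invalid. Suggested lines: `no_log: true  # regexp contains the token` and `regexp: "^K3S_TOKEN=\\s*(?!{{ token | regex_escape }}\\s*$)"`. Both k3s_server hunks of this patch (at -86 and -187) carry the same line.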
@@ -86,11 +86,11 @@
 line: "{{ item }}"
 with_items: "{{ extra_service_envs }}"
- - name: Delete any existing token from the environment
+ - name: Delete any existing token from the environment if different from the new one
 ansible.builtin.lineinfile:
 state: absent
 path: "{{ systemd_dir }}/k3s.service.env"
- search_string: "K3S_TOKEN="
+ regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)"
 # Add the token to the environment.
 - name: Add token as an environment variable
@@ -187,11 +187,11 @@
 - (groups[server_group] | length) > 1
 - inventory_hostname != groups[server_group][0]
 block:
- - name: Delete any existing token from the environment
+ - name: Delete any existing token from the environment if different from the new one
 ansible.builtin.lineinfile:
 state: absent
 path: "{{ systemd_dir }}/k3s.service.env"
- search_string: "K3S_TOKEN="
+ regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)"
 - name: Add the token for joining the cluster to the environment
 no_log: true # avoid logging the server token
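Review bot: The delete-then-add pair in these k3s_server hunks could be a single task, which would keep the token out of a regular expression altogether. With `state: present`, `lineinfile` replaces the last line matching `search_string` with `line` and reports no change when that line is already identical, so adding `search_string: "K3S_TOKEN="` to the existing `no_log` add task would cover both the replacement and the idempotence goal. The add task's arguments are outside the hunks, so this assumes it writes `K3S_TOKEN={{ token }}` as its `line`; confirm before changing. The trade-off is that only the last stale line is replaced if several have already accumulated from earlier runs.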