From ef56ec479cbb640a2595d85e08cfc6213aba8200 Mon Sep 17 00:00:00 2001
From: Michal Opala
Date: Tue, 28 Apr 2020 02:30:54 +0200
Subject: [PATCH] reversing unneeded delegate_to privilege elevation (fix)

---
 .../kubernetes_master/tasks/copy-kubeconfig.yml | 2 ++
 .../kubernetes_master/tasks/copy-kubernetes-pki.yml | 12 +++++++++---
 .../tasks/generate-cluster-credentials.yml | 3 +++
 .../playbooks/roles/preflight_facts/tasks/assert.yml | 4 +++-
 .../playbooks/roles/preflight_facts/tasks/store.yml | 1 +
 5 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubeconfig.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubeconfig.yml
index 4a03da63b7..c6197b9fbf 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubeconfig.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubeconfig.yml
@@ -1,6 +1,7 @@
 ---
 - name: Check if the secrets file exists
 delegate_to: localhost
+ become: false
 stat:
 path: "{{ vault_location }}/kubernetes-secrets.yml"
 get_attributes: false
@@ -13,6 +14,7 @@
 block:
 - name: Include vars of Kubernetes secrets
 delegate_to: localhost
+ become: false
 include_vars:
 file: "{{ vault_location }}/kubernetes-secrets.yml"
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubernetes-pki.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubernetes-pki.yml
index 57b3b2f142..c358bb9b45 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubernetes-pki.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/copy-kubernetes-pki.yml
@@ -1,5 +1,6 @@
 ---
-- set_fact:
+- name: Prepare PKI relative paths
+ set_fact:
 kubernetes_pki_folders:
 - pki/
 - pki/etcd/
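Review bot: Nothing on the new `become: false` line says why escalation is dropped for this controller-side task, and the same bare keyword is added without explanation in all five files of the commit; a one-line comment on this first occurrence would keep a later maintainer from re-adding `become` here, e.g. `# runs on the controller as the invoking user; no privilege escalation is needed to reach the vault`. One consequence to check before merging: if any environment already ran the version that escalated on localhost, files under `{{ vault_location }}` (and the `preflight_facts.yml` written by store.yml) may be owned by root there, and the now-unprivileged stat/copy/template tasks would fail on re-run; a sentence in the commit message or a stat-based precheck would cover that. The second hunk's enclosing block starts outside the hunk.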
@@ -16,6 +17,7 @@
 - name: Check if the PKI file exists
 delegate_to: localhost
+ become: false
 stat:
 path: "{{ vault_location }}/kubernetes-pki.yml"
 get_attributes: false
@@ -26,7 +28,8 @@
 - name: Copy PKI from master node to Ephiphany's vault
 when: not stat_kubernetes_pki.stat.exists
 block:
- - delegate_to: "{{ kubernetes_common.automation_designated_master }}"
+ - name: Slurp PKI files
+ delegate_to: "{{ kubernetes_common.automation_designated_master }}"
 slurp:
 src: "/etc/kubernetes/{{ item }}"
 loop: >-
@@ -34,7 +37,9 @@
 register: slurp_kubernetes_pki_files
 no_log: true
- - delegate_to: localhost
+ - name: Copy PKI files
+ delegate_to: localhost
+ become: false
 vars:
 # Decoding slurp's contents
 kubernetes_pki_files_slurped_content: >-
@@ -75,6 +80,7 @@
 - name: Load PKI variables
 delegate_to: localhost
+ become: false
 environment:
 ANSIBLE_VAULT_PASSWORD_FILE: "{{ vault_tmp_file_location }}"
 include_vars:
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-cluster-credentials.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-cluster-credentials.yml
index c69d5b4cba..5fa600f757 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-cluster-credentials.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_master/tasks/generate-cluster-credentials.yml
@@ -21,6 +21,7 @@
 - name: Encrypt tokens
 delegate_to: localhost
+ become: false
 environment:
 ANSIBLE_VAULT_PASSWORD_FILE: "{{ vault_tmp_file_location }}"
 shell: |
@@ -58,6 +59,7 @@
 - name: Encrypt CA data
 delegate_to: localhost
+ become: false
 environment:
 ANSIBLE_VAULT_PASSWORD_FILE: "{{ vault_tmp_file_location }}"
 shell: |
@@ -75,6 +77,7 @@
 - name: Create credentials file
 delegate_to: localhost
+ become: false
 template:
 src: kubernetes-secrets.yml.j2
 dest: "{{ vault_location }}/kubernetes-secrets.yml"
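Review bot: The block name `Copy PKI from master node to Ephiphany's vault` (a context line just above the newly named `Slurp PKI files` task) looks like a typo for `Epiphany's`; since this commit is already adding names in the file, `- name: Copy PKI from master node to Epiphany's vault` could ride along. Keeping escalation on the remote slurp of `/etc/kubernetes/{{ item }}` while dropping it only on the localhost side is the right split, so no change is suggested there. The `loop: >-` scalar continues outside the hunk.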
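Review bot: The new `Copy PKI files` task works on the decoded slurp output (its `vars:` section is commented as decoding the contents registered in `slurp_kubernetes_pki_files`, which the preceding task protects with `no_log: true`), but no `no_log` is visible on it; unless one is set further down, add `no_log: true` next to `become: false` so the private-key material cannot reach the play output or callback logs through a failed decode or a verbose run. The same check applies to the `Encrypt tokens` and `Encrypt CA data` shell tasks in generate-cluster-credentials.yml, whose `shell: |` bodies lie outside their hunks. This task's body also continues outside the hunk.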
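Review bot: `environment: ANSIBLE_VAULT_PASSWORD_FILE` on the `Load PKI variables` task presumably has no effect, because `environment` is applied to module execution on the delegated host while `include_vars` is resolved on the controller and decrypts vaulted files with the vault secrets configured for the play; worth confirming with a run where no play-level vault password is configured. If it is ineffective, this task already depends on play-level vault configuration, exactly as the `Include vars of Kubernetes secrets` task in copy-kubeconfig.yml (which appears to have no `environment`) does, and either the `environment:` lines should be dropped or the dependency stated with `# vault password comes from the play's vault configuration, not from this environment`. This is pre-existing rather than introduced by the commit, and the `include_vars` arguments are outside the hunk.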
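Review bot: With `become: false`, `{{ vault_location }}/kubernetes-secrets.yml` is now created by the invoking user under that user's default umask, and no `mode:` is visible on the `Create credentials file` template task; unless one is set below the hunk, add `mode: "0600"` so the credentials file is not group- or world-readable. The same consideration applies to the `copy:` in store.yml's `Store preflight facts` if the facts hold anything sensitive, and to any parent directory the unprivileged user now has to write into. The remaining `template:` arguments are outside the hunk.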
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/assert.yml b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/assert.yml
index 8f6125ac01..b3bea11861 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/assert.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/assert.yml
@@ -1,5 +1,7 @@
 ---
-- delegate_to: localhost
+- name: Applying HA-related assertions for Kubernetes
+ delegate_to: localhost
+ become: false
 run_once: true
 block:
 - assert:
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml
index 2f625ba0fa..2209555fe2 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/preflight_facts/tasks/store.yml
@@ -3,6 +3,7 @@
 - name: Store preflight facts
 delegate_to: localhost
+ become: false
 run_once: true
 copy:
 dest: "{{ vault_location }}/../preflight_facts.yml"
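Review bot: The added task name `Applying HA-related assertions for Kubernetes` uses a gerund where every other task name in this commit (`Store preflight facts`, `Check if the PKI file exists`, `Slurp PKI files`) is imperative; `- name: Apply HA-related assertions for Kubernetes` keeps the naming consistent. Putting `become: false` on the block rather than on each inner `assert` is the right granularity here. The block body continues outside the hunk.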