From 3ff5f40bdb6955f05ee1e9e3e977cb4e16a30678 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Wed, 27 Sep 2017 14:49:20 +0100
Subject: [PATCH] fix graceful upgrade (#1704)

Fix system namespace creation

Only rotate tokens when necessary
---
 .../rotate_tokens/tasks/main.yml | 17 +++++++++++++++++
 .../master/tasks/static-pod-setup.yml | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
index 0e257a65a..5bab7120a 100644
--- a/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
+++ b/roles/kubernetes-apps/rotate_tokens/tasks/main.yml
@@ -1,4 +1,18 @@
 ---
+- name: Rotate Tokens | Test if default certificate is expired
+  shell: >-
+    kubectl run -i test-rotate-tokens
+    --image={{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
+    --restart=Never --rm
+    kubectl get nodes
+  register: check_secret
+  failed_when: false
+  run_once: true
+
+- name: Rotate Tokens | Determine if certificate is expired
+  set_fact:
+    needs_rotation: '{{ "You must be logged in" in check_secret.stderr }}'
+
 # FIXME(mattymo): Exclude built in secrets that were automatically rotated,
 # instead of filtering manually
 - name: Rotate Tokens | Get all serviceaccount tokens to expire
@@ -9,12 +23,15 @@
     | egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
   register: tokens_to_delete
   run_once: true
+  when: needs_rotation
 
 - name: Rotate Tokens | Delete expired tokens
   command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
   with_items: "{{ tokens_to_delete.stdout_lines }}"
   run_once: true
+  when: needs_rotation
 
 - name: Rotate Tokens | Delete pods in system namespace
   command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
   run_once: true
+  when: needs_rotation
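Review bot: The probe task's `failed_when: false` combined with the stderr string match in the following `set_fact` turns every non-auth failure (image pull error, apiserver unreachable, kubectl timeout) into `needs_rotation: false`, so a cluster whose tokens really are expired can silently skip rotation whenever the probe fails for an unrelated reason. Consider failing the play when the command fails without the expected message, e.g. `failed_when: check_secret.rc != 0 and "You must be logged in" not in check_secret.stderr`. The `shell` block also invokes bare `kubectl` while the other tasks in this file use `{{ bin_dir }}/kubectl`; using the same prefix ensures the probe exercises the same binary and kubeconfig as the rotation steps. A short comment above the `set_fact` noting that the decision keys on kubectl's human-readable error text, which may change between versions, would help the next maintainer.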
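Review bot: In the "Delete expired tokens" task, `with_items: "{{ tokens_to_delete.stdout_lines }}"` is likely expanded before the new `when: needs_rotation` guard is evaluated, and when the preceding "Get all serviceaccount tokens" task is skipped its registered result carries no `stdout_lines`, so the loop expansion would error rather than skip. Guard the loop with a default, `with_items: "{{ tokens_to_delete.stdout_lines | default([]) }}"`, so the skip path is clean. The "Delete pods in system namespace" task is now gated solely on the probe's fact; a comment there stating that it relies on `needs_rotation` from the probe and why a full pod restart in `{{ system_namespace }}` is needed after token deletion would document the blast radius of that step.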
diff --git a/roles/kubernetes/master/tasks/static-pod-setup.yml b/roles/kubernetes/master/tasks/static-pod-setup.yml
index d20557e95..1a431e9dc 100644
--- a/roles/kubernetes/master/tasks/static-pod-setup.yml
+++ b/roles/kubernetes/master/tasks/static-pod-setup.yml
@@ -30,7 +30,7 @@
   register: create_system_ns
   until: create_system_ns.rc == 0
   changed_when: False
-  when: kubesystem.rc != 0 and inventory_hostname == groups['kube-master'][0]
+  when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
   tags: apps
 
 - name: Write kube-scheduler kubeconfig
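Review bot: The swapped operands in the `when` condition read as a cosmetic change, but presumably the order matters because `kubesystem` is only registered on `groups['kube-master'][0]`, so `and` must short-circuit on the hostname test before `kubesystem.rc` is dereferenced on the other masters; nothing in the hunk states that intent. Add a comment above the condition such as `# Hostname check must come first: kubesystem is only registered on the first master`, confirming against the task that registers `kubesystem`, which is outside this hunk. The enclosing "create system namespace" task starts before the hunk.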