From 6327f50ca3ff1d8fcf9d568b2a46d0fb98471ad9 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Thu, 14 Sep 2017 08:14:25 +0100
Subject: [PATCH] Enable upgrade to kubeadm
---
.../tasks/kubeadm-cleanup-old-certs.yml | 4 ++
.../master/tasks/kubeadm-migrate-certs.yml | 12 ++++++
.../kubernetes/master/tasks/kubeadm-setup.yml | 38 +++++++++++++++++--
3 files changed, 50 insertions(+), 4 deletions(-)
create mode 100644 roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
create mode 100644 roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
diff --git a/roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml b/roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
new file mode 100644
index 000000000..5ec19046d
--- /dev/null
+++ b/roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
@@ -0,0 +1,4 @@
+---
+- name: kubeadm | Purge old certs
+ file:
+ command: "rm -f {{kube_cert_dir }}/*.pem"
diff --git a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
new file mode 100644
index 000000000..3120126ae
--- /dev/null
+++ b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
@@ -0,0 +1,12 @@
+---
+- name: Copy old certs to the kubeadm expected path
+ copy:
+ src: "{{ kube_cert_dir }}/{{ item.src }}"
+ dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+ remote_src: yes
+ with_items:
+ - {src: apiserver.pem, dest: apiserver.crt}
+ - {src: apiserver.pem, dest: apiserver.key}
+ - {src: ca.pem, dest: ca.crt}
+ - {src: ca-key.pem, dest: ca.key}
+ register: kubeadm_copy_old_certs
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 03254e481..6ca909339 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
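Review bot: `file:` has no `command` parameter, so the single task in kubeadm-cleanup-old-certs.yml fails with an unsupported-parameter error instead of purging anything, and even rewritten as a `command:` task the `*.pem` glob would not expand, because only the `shell` module goes through a shell. Since the intent is to remove the pre-kubeadm certificates and keys, a module-native form is safer than `rm -f` and stays idempotent: locate the files with `find`, then remove each with `file ... state: absent`, as below. Note that `*.pem` also matches `ca-key.pem` and the other private keys, so this must only run once the kubeadm-format copies are known to exist. `{{kube_cert_dir }}` should also be `{{ kube_cert_dir }}`, as it is written in the other two files.

```yaml
- name: kubeadm | Find old certs
  find:
    paths: "{{ kube_cert_dir }}"
    patterns: "*.pem"
  register: old_pem_files

- name: kubeadm | Purge old certs
  file:
    path: "{{ item.path }}"
    state: absent
  with_items: "{{ old_pem_files.files }}"
```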
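Review bot: The second `with_items` entry copies `apiserver.pem` to `apiserver.key`, the same source as the `apiserver.crt` entry, so either `apiserver.key` ends up holding a certificate and kubeadm cannot bring up the apiserver, or, if that `.pem` bundles the key with the certificate, the private key is duplicated into a `.crt` file that is commonly readable by every local user. By analogy with the `ca-key.pem` entry the key presumably lives in `apiserver-key.pem`; confirm against the cert-generation role and change the entry to `- {src: apiserver-key.pem, dest: apiserver.key}`. The `copy` task also sets no `mode`, so the new `ca.key` and `apiserver.key` get the remote default for new files (usually 0644 under a common umask); add `mode: "0600"` to the task, or restrict it to the `.key` destinations if kubeadm needs the `.crt` files readable by others. `remote_src: yes` would be clearer as `remote_src: true`, matching `run_once: true` in kubeadm-setup.yml.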
@@ -1,4 +1,34 @@
 ---
+- name: kubeadm | Check if old apiserver cert exists on host
+ stat:
+ path: "{{ kube_cert_dir }}/apiserver.pem"
+ register: old_apiserver_cert
+ delegate_to: "{{groups['kube-master']|first}}"
+ run_once: true
+
+- name: kubeadm | Check if kubeadm has already run
+ stat:
+ path: "{{ kube_config_dir }}/admin.conf"
+ register: admin_conf
+
+- name: kubeadm | Migrate certificates to prepare for kubeadm
+ include: kubeadm-migrate-certs.yml
+ when:
+ - inventory_hostname == groups['kube-master']|first
+ - old_apiserver_cert.stat.exists
+
+- name: kubeadm | Delete old static pods
+ file:
+ path: "{{ kube_config_dir }}/manifests/{{item}}.manifest"
+ state: absent
+ with_items: ["kube-apiserver", "kube-controller-manager", "kube-scheduler"]
+ when: old_apiserver_cert.stat.exists
+
+- name: kubeadm | Forcefully delete old static pods
+ shell: "docker ps -f name=k8s-{{item}}* -q | xargs --no-run-if-empty docker rm -f"
+ with_items: ["kube-apiserver", "kube-controller-manager", "kube-scheduler"]
+ when: old_apiserver_cert.stat.exists
+
 - name: kubeadm | aggregate all SANs
 set_fact:
 apiserver_sans: >-
@@ -29,10 +59,6 @@
 dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
 register: kubeadm_config
-- name: Check if kubeadm has already run
- stat:
- path: "{{ kube_config_dir }}/admin.conf"
- register: admin_conf
 - name: kubeadm | Initialize first master
@@ -80,3 +106,7 @@
 #Retry is because upload config sometimes fails
 retries: 3
 when: inventory_hostname != groups['kube-master']|first and (kubeadm_config.changed or not admin_conf.stat.exists or copy_kubeadm_certs.changed)
+
+- name: kubeadm | cleanup old certs if necessary
+ include: kubeadm_cleanup_old_certs.yml
+ when: old_apiserver_cert.stat.exists
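Review bot: `old_apiserver_cert` is registered from a `stat` that runs once, delegated to the first master, yet the `when: old_apiserver_cert.stat.exists` on "Delete old static pods" and "Forcefully delete old static pods" applies on every master, so a secondary master whose `apiserver.pem` state differs from the first master's is handled according to the first master's file rather than its own; if that is intended, a comment above the `stat` such as `# run_once: the first master's state decides the upgrade path for all masters` would save the next reader the question. In the `shell` line the `*` in `name=k8s-{{item}}*` is unquoted, so the shell may glob-expand it against the working directory before docker sees it; quoting the filter, `shell: "docker ps -f 'name=k8s-{{ item }}' -q | xargs --no-run-if-empty docker rm -f"`, avoids that, and as far as I recall docker's `name` filter already matches on part of the name, so the `*` adds nothing. The `{{groups['kube-master']|first}}` and `{{item}}` expressions are spaced differently from `{{ kube_cert_dir }}` a few lines above; one form throughout reads better.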
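Review bot: The include names `kubeadm_cleanup_old_certs.yml`, but the file this commit creates (per the diffstat and `create mode` lines) is `roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml`, so every upgraded master fails here with a missing-include error; change it to `include: kubeadm-cleanup-old-certs.yml`, matching `include: kubeadm-migrate-certs.yml` at the top of the file. Because `old_apiserver_cert` is evaluated once on the first master, this purge also runs on the other masters, which never ran the migrate include; presumably they obtain kubeadm-format certificates through the `copy_kubeadm_certs` step referenced in the preceding `when:`, but that is worth confirming before a step that deletes private keys ships. A cheap guard is to make the purge depend on the kubeadm-format files being present, for example a `stat` of `{{ kube_cert_dir }}/apiserver.key` added to the condition, so a failed migration cannot delete the only copy of the keys. The task whose `retries: 3` and `when:` form this hunk's context starts above the hunk.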