diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
index 00df73cd3..073f8b6f5 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
@@ -10,22 +10,6 @@
   tags:
     - facts
 
-- name: Create kubeadm ControlPlane config
-  template:
-    src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
-    dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
-    backup: yes
-  when:
-    - inventory_hostname != groups['kube-master']|first
-    - not kubeadm_already_run.stat.exists
-
-- name: Wait for k8s apiserver
-  wait_for:
-    host: "{{ kubeadm_discovery_address.split(':')[0] }}"
-    port: "{{ kubeadm_discovery_address.split(':')[1] }}"
-    timeout: 180
-
-
 - name: Upload certificates so they are fresh and not expired
   command: >-
     {{ bin_dir }}/kubeadm init phase
@@ -48,6 +32,23 @@
     kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
   when: kubeadm_certificate_key is undefined
 
+
+- name: Create kubeadm ControlPlane config
+  template:
+    src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
+    dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
+    backup: yes
+  when:
+    - inventory_hostname != groups['kube-master']|first
+    - not kubeadm_already_run.stat.exists
+
+- name: Wait for k8s apiserver
+  wait_for:
+    host: "{{ kubeadm_discovery_address.split(':')[0] }}"
+    port: "{{ kubeadm_discovery_address.split(':')[1] }}"
+    timeout: 180
+
+
 - name: check already run
   debug:
     msg: "{{ kubeadm_already_run.stat.exists }}"