---
- import_tasks: pre-upgrade.yml
  tags:
    - k8s-pre-upgrade

- import_tasks: users-file.yml
  when: kube_basic_auth|default(true)

- import_tasks: encrypt-at-rest.yml
  when: kube_encrypt_secret_data

- name: Compare host kubectl with hyperkube container
  command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/cmp /hyperkube /systembindir/kubectl"
  register: kubectl_task_compare_result
  until: kubectl_task_compare_result.rc in [0,1,2]
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
  failed_when: "kubectl_task_compare_result.rc not in [0,1,2]"
  tags:
    - hyperkube
    - kubectl
    - upgrade

- name: Copy kubectl from hyperkube container
  command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -f /hyperkube /systembindir/kubectl"
  when: kubectl_task_compare_result.rc != 0
  register: kubectl_task_result
  until: kubectl_task_result.rc == 0
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false
  tags:
    - hyperkube
    - kubectl
    - upgrade

- name: Install kubectl bash completion
  shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
  when: kubectl_task_compare_result.rc != 0 and ansible_os_family in ["Debian","RedHat"]
  tags:
    - kubectl

- name: Set kubectl bash completion file
  file:
    path: /etc/bash_completion.d/kubectl.sh
    owner: root
    group: root
    mode: 0755
  when: ansible_os_family in ["Debian","RedHat"]
  tags:
    - kubectl
    - upgrade

- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
  set_fact:
    kube_apiserver_admission_control: "{{ kube_apiserver_admission_control | default([]) | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
    kube_apiserver_enable_admission_plugins: "{{ kube_apiserver_enable_admission_plugins | difference(['SecurityContextDeny']) | union(['PodSecurityPolicy']) | unique }}"
  when: podsecuritypolicy_enabled

- name: Include kubeadm setup if enabled
  import_tasks: kubeadm-setup.yml
  when: kubeadm_enabled|bool|default(false)

- name: Include static pod setup if not using kubeadm
  import_tasks: static-pod-setup.yml
  when: not kubeadm_enabled|bool|default(false)