---
- name: Refresh certificates so they are fresh and not expired
  command: >-
    {{ bin_dir }}/kubeadm init phase
    --config {{ kube_config_dir }}/kubeadm-config.yaml
    upload-certs
    --upload-certs
  register: kubeadm_upload_cert
  delegate_to: "{{ groups['kube-master'][0] }}"
  when: kubeadm_etcd_refresh_cert_key
  run_once: yes

- name: Parse certificate key if not set
  set_fact:
    kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
  when: kubeadm_certificate_key is undefined

- name: Pull control plane certs down
  shell: >-
    {{ bin_dir }}/kubeadm join phase
    control-plane-prepare download-certs
    --certificate-key {{ kubeadm_certificate_key }}
    --control-plane
    --token {{ kubeadm_token }}
    --discovery-token-unsafe-skip-ca-verification
    {{ kubeadm_discovery_address }}
    &&
    {{ bin_dir }}/kubeadm join phase
    control-plane-prepare certs
    --control-plane
    --token {{ kubeadm_token }}
    --discovery-token-unsafe-skip-ca-verification
    {{ kubeadm_discovery_address }}
  args:
    creates: "{{ kube_cert_dir }}/apiserver-etcd-client.key"

- name: Delete unneeded certificates
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - "{{ kube_cert_dir }}/apiserver.crt"
    - "{{ kube_cert_dir }}/apiserver.key"
    - "{{ kube_cert_dir }}/ca.key"
    - "{{ kube_cert_dir }}/etcd/ca.key"
    - "{{ kube_cert_dir }}/etcd/healthcheck-client.crt"
    - "{{ kube_cert_dir }}/etcd/healthcheck-client.key"
    - "{{ kube_cert_dir }}/etcd/peer.crt"
    - "{{ kube_cert_dir }}/etcd/peer.key"
    - "{{ kube_cert_dir }}/etcd/server.crt"
    - "{{ kube_cert_dir }}/etcd/server.key"
    - "{{ kube_cert_dir }}/front-proxy-ca.crt"
    - "{{ kube_cert_dir }}/front-proxy-ca.key"
    - "{{ kube_cert_dir }}/front-proxy-client.crt"
    - "{{ kube_cert_dir }}/front-proxy-client.key"
    - "{{ kube_cert_dir }}/sa.key"
    - "{{ kube_cert_dir }}/sa.pub"

- name: Calculate etcd cert serial
  command: "openssl x509 -in {{ kube_cert_dir }}/apiserver-etcd-client.crt -noout -serial"
  register: "etcd_client_cert_serial_result"
  changed_when: false
  when:
    - inventory_hostname in groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique|sort
  tags:
    - network

- name: Set etcd_client_cert_serial
  set_fact:
    etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout.split('=')[1] }}"
  tags:
    - network