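---
# Task list for this role, in order: pre-upgrade steps, the optional
# users-file and encrypt-at-rest tasks, kubectl installation from the
# downloaded hyperkube binary, kubectl bash completion, admission-plugin
# adjustment for PodSecurityPolicy, then either kubeadm setup or static-pod
# setup.

- import_tasks: pre-upgrade.yml
  tags:
    - k8s-pre-upgrade

# NOTE(review): default(true) makes this default-on; the import is skipped
# only when kube_basic_auth is explicitly set to a false value.
# users-file.yml is not visible here; presumably it provisions static
# basic-auth credentials for the API server. Confirm that enabling it by
# default is intended.
- import_tasks: users-file.yml
  when: kube_basic_auth|default(true)

# Imported only when kube_encrypt_secret_data is truthy.
# NOTE(review): when it is falsy, encrypt-at-rest.yml is skipped entirely;
# check the role defaults so that secret encryption is a deliberate choice.
- import_tasks: encrypt-at-rest.yml
  when: kube_encrypt_secret_data

# rsync flags: -p preserves permissions, -i itemizes changes, -u skips the
# copy when the destination is newer. changed_when: false means this task
# never reports "changed".
# NOTE(review): no integrity check of the hyperkube binary is visible in this
# file; presumably the download step verifies it. Confirm before trusting
# the contents of local_release_dir.
- name: install | Copy kubectl binary from download dir
  command: rsync -piu "{{ local_release_dir }}/hyperkube" "{{ bin_dir }}/kubectl"
  changed_when: false
  tags:
    - hyperkube
    - kubectl
    - upgrade

# state: file does not create the path; the task fails if the binary was not
# copied by the previous task.
- name: install | Set kubectl binary permissions
  file:
    path: "{{ bin_dir }}/kubectl"
    mode: "0755"
    state: file
  tags:
    - hyperkube
    - kubectl
    - upgrade

# shell (not command) is required for the output redirection. The file is
# regenerated on every run, so this task reports "changed" each time.
- name: Install kubectl bash completion
  shell: "{{ bin_dir }}/kubectl completion bash >/etc/bash_completion.d/kubectl.sh"
  when: ansible_os_family in ["Debian","RedHat"]
  tags:
    - kubectl

# The mode is quoted so that it reaches the file module as a string instead
# of going through YAML numeric typing; this matches the kubectl permissions
# task above.
- name: Set kubectl bash completion file
  file:
    path: /etc/bash_completion.d/kubectl.sh
    owner: root
    group: root
    mode: "0755"
  when: ansible_os_family in ["Debian","RedHat"]
  tags:
    - kubectl
    - upgrade

# Removes SecurityContextDeny from both plugin lists and adds
# PodSecurityPolicy to them. Both expressions start from default([]), so an
# undefined list yields ['PodSecurityPolicy'] instead of a templating error.
- name: Disable SecurityContextDeny admission-controller and enable PodSecurityPolicy
  set_fact:
    kube_apiserver_admission_control: >-
      {{ kube_apiserver_admission_control | default([])
      | difference(['SecurityContextDeny'])
      | union(['PodSecurityPolicy']) | unique }}
    kube_apiserver_enable_admission_plugins: >-
      {{ kube_apiserver_enable_admission_plugins | default([])
      | difference(['SecurityContextDeny'])
      | union(['PodSecurityPolicy']) | unique }}
  when: podsecuritypolicy_enabled

# default(false) is applied before bool so that an undefined kubeadm_enabled
# falls back to false. With the filters the other way round, bool receives
# the undefined value first and the default never takes effect.
- name: Include kubeadm setup if enabled
  import_tasks: kubeadm-setup.yml
  when: kubeadm_enabled|default(false)|bool

# Exact complement of the condition above: exactly one of the two setup
# paths is imported.
- name: Include static pod setup if not using kubeadm
  import_tasks: static-pod-setup.yml
  when: not kubeadm_enabled|default(false)|bool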