From f4f9ee8e12ed5297d3f1c7946a01effbe73b83ed Mon Sep 17 00:00:00 2001
From: Bogdan Peste
Date: Wed, 15 Jul 2020 16:32:40 +0300
Subject: [PATCH 1/2] Added option to force apiserver and respective client certificate to be regenerated without necessarily needing to bump the K8S cluster version
---
 inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml | 2 ++
 roles/kubernetes/master/defaults/main/main.yml | 3 +++
 roles/kubernetes/master/tasks/kubeadm-setup.yml | 4 ++--
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index 767802885ff..1bb57e2591c 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -312,3 +312,5 @@ persistent_volumes_enabled: false
 ## Amount of time to retain events. (default 1h0m0s)
 event_ttl_duration: "1h0m0s"
+## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
+force_certificate_regeneration: false
diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
index bf9d1aade80..e18534669cd 100644
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@@ -197,3 +197,6 @@ secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm
 ## Amount of time to retain events. (default 1h0m0s)
 event_ttl_duration: "1h0m0s"
+## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
+force_certificate_regeneration: false
+
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 920286eab35..5f09e3deae2 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
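Review bot: The comment added with `force_certificate_regeneration` in k8s-cluster.yml (and repeated in roles/kubernetes/master/defaults/main/main.yml) promises regeneration of "kubernetes control plane certificates", but the only places this patch uses the flag are the two `when:` blocks of the `regenerate apiserver cert` tasks in kubeadm-setup.yml, so as far as the series shows it rotates the kube-apiserver certificate only; an operator expecting CA, etcd or other component certificates to be reissued would be misled. The comment should also make clear that this is a one-run switch rather than a steady state, since while it stays `true` the apiserver certificate is regenerated on every converge regardless of the SANs check result. Suggested wording for both files: `## Force regeneration of the kube-apiserver certificate on the next run (same path as a SANs change) without bumping the cluster version; set back to false afterwards`.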
@@ -122,7 +122,7 @@
 when:
 - inventory_hostname == groups['kube-master']|first
 - kubeadm_already_run.stat.exists
- - apiserver_sans_check.changed
+ - apiserver_sans_check.changed or force_certificate_regeneration
 - name: kubeadm | regenerate apiserver cert 2/2
 command: >-
@@ -132,7 +132,7 @@
 when:
 - inventory_hostname == groups['kube-master']|first
 - kubeadm_already_run.stat.exists
- - apiserver_sans_check.changed
+ - apiserver_sans_check.changed or force_certificate_regeneration
 - name: kubeadm | Initialize first master
 command: >-
From 1ba2a8ac4ec2010a4156c98883efbfd24b7fb58e Mon Sep 17 00:00:00 2001
From: Bogdan Peste
Date: Wed, 15 Jul 2020 17:20:01 +0300
Subject: [PATCH 2/2] Removed extra blank line
---
 roles/kubernetes/master/defaults/main/main.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
index e18534669cd..c8d823f5c67 100644
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@@ -199,4 +199,3 @@ secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm
 event_ttl_duration: "1h0m0s"
 ## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
 force_certificate_regeneration: false
-
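Review bot: `apiserver_sans_check.changed or force_certificate_regeneration` (the changed line in both the -122 and -132 hunks) evaluates the variable with Jinja truthiness, so a value that arrives as a string — `-e force_certificate_regeneration=false` on the command line, or `"false"` from an INI/JSON inventory — is non-empty and therefore true, and the apiserver certificate would be regenerated on a run that was meant to leave it alone. Cast it explicitly in both conditions: `- apiserver_sans_check.changed or (force_certificate_regeneration | bool)`. The tasks these `when:` blocks belong to start above each hunk, so the commands being gated are not visible here; from the context lines they are the two `regenerate apiserver cert` steps, and if the first of them removes the existing certificate files (as its name suggests, but the hunk does not show), an accidental true value means a cert-less window on every run, not just on a SANs change.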