From 04dcca623c0a3516b258c4180af5a9f706173dd0 Mon Sep 17 00:00:00 2001
From: Bogdan Peste <20840804+pestebogdan@users.noreply.github.com>
Date: Mon, 12 Oct 2020 16:02:48 +0300
Subject: [PATCH] =?UTF-8?q?Added=20option=20to=20force=20apiserver=20and?= =?UTF-8?q?=20respective=20client=20certificate=20to=20=E2=80=A6=20(#6403)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Added option to force apiserver and respective client certificate to be regenerated without necessarily needing to bump the K8S cluster version
* Removed extra blank line
---
 inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml | 2 ++
 roles/kubernetes/master/defaults/main/main.yml | 2 ++
 roles/kubernetes/master/tasks/kubeadm-setup.yml | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index 7d73f79acd1..2b5e10c8eb2 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -313,3 +313,5 @@ persistent_volumes_enabled: false
 ## Amount of time to retain events. (default 1h0m0s)
 event_ttl_duration: "1h0m0s"
+## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
+force_certificate_regeneration: false
diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml
index 1fff8054072..b5171288952 100644
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@@ -231,3 +231,5 @@ secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm
 ## Amount of time to retain events. (default 1h0m0s)
 event_ttl_duration: "1h0m0s"
+## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
+force_certificate_regeneration: false
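Review bot: The comment added above `force_certificate_regeneration` in the sample inventory promises more than this patch wires up. It says "kubernetes control plane certificates", while the only conditions that read the flag in this patch are the two `kubeadm | regenerate apiserver cert` steps in kubeadm-setup.yml. It also does not say that the flag is not one-shot, so an inventory that keeps it at `true` will presumably re-issue the apiserver certificate on every run against an already initialised first master. I would reword it to `## Force regeneration of the kube-apiserver certificate on the next run (otherwise only done when its SANs change); set back to false afterwards`. The same comment is duplicated in roles/kubernetes/master/defaults/main/main.yml and should change with it.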
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml index 45668cedd8f..647f05d16a0 100644 --- a/roles/kubernetes/master/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml @@ -127,7 +127,7 @@ when: - inventory_hostname == groups['kube-master']|first - kubeadm_already_run.stat.exists - - apiserver_sans_check.changed + - apiserver_sans_check.changed or force_certificate_regeneration - name: kubeadm | regenerate apiserver cert 2/2 command: >- @@ -137,7 +137,7 @@ when: - inventory_hostname == groups['kube-master']|first - kubeadm_already_run.stat.exists - - apiserver_sans_check.changed + - apiserver_sans_check.changed or force_certificate_regeneration - name: kubeadm | Initialize first master command: >-
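Review bot: `force_certificate_regeneration` is used in the `when:` expression without a `| bool` cast, in the hunk at line 127 and again in the one at line 137. When the value arrives as a string, for example from `-e force_certificate_regeneration=false` on the command line, Jinja2 treats the non-empty string as true inside the `or`, so the apiserver certificate would be regenerated although the operator asked for the opposite. Writing the condition as `- apiserver_sans_check.changed or (force_certificate_regeneration | bool)` in both places avoids that. Both tasks start above their hunks, so the commands they run are not visible here.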