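---
# Installs kubectl from the upstream kubernetes-client archive, generates a
# kubeconfig per worker node, includes the kubeconfig tasks for the other
# components and renders the encryption config file.

# The checksum pins the archive contents, so a tampered or truncated download
# fails here rather than being unpacked and installed with root ownership.
# NOTE(review): kubectl_checksum is assumed to carry the algorithm prefix that
# get_url expects ("<algorithm>:<digest>") - confirm in the role variables.
- name: Download kubernetes-client archive
  get_url:
    url: "https://dl.k8s.io/v{{ kubectl_version }}/kubernetes-client-{{ kubectl_os }}-{{ kubectl_arch }}.tar.gz"
    checksum: "{{ kubectl_checksum }}"
    dest: "{{ kubectl_tmp_directory }}"
  tags:
    - kubectl

# NOTE(review): unlike the copy task below, this task does not set remote_src,
# so unarchive reads src from the controller. That matches the download
# location only when the play runs against the controller itself - confirm.
- name: Unarchive kubernetes-client
  unarchive:
    src: "{{ kubectl_tmp_directory }}/kubernetes-client-{{ kubectl_os }}-{{ kubectl_arch }}.tar.gz"
    dest: "{{ kubectl_tmp_directory }}"
  tags:
    - kubectl

# mode is quoted so it reaches Ansible as the string "0755" instead of relying
# on YAML 1.1 octal parsing. The kubectl tag was missing on this task, so a run
# limited to that tag downloaded and unpacked the archive without installing
# the binary.
- name: Copy kubectl binary to destination directory
  copy:
    src: "{{ kubectl_tmp_directory }}/kubernetes/client/bin/{{ item }}"
    dest: "{{ kubectl_bin_directory }}/{{ item }}"
    mode: "0755"
    owner: root
    group: root
    remote_src: true
  with_items:
    - kubectl
  tags:
    - kubectl

# The kubectl invocations below use the command module instead of shell: none
# of them needs shell features, and without a shell the inventory-derived
# values (host names, paths, cluster name) are never interpreted as shell
# syntax.

# NOTE(review): the interface name is read from the worker (item) but applied
# to the facts of the first k8s_master host, while the apiServer fact further
# down reads the interface name from the master itself. Both agree only when
# the hosts share the same peervpn_conf_interface - confirm.
- name: Generate a kubeconfig file for each worker node (set-cluster)
  command: >-
    kubectl config set-cluster {{ k8s_config_cluster_name }}
    --certificate-authority={{ k8s_ca_conf_directory }}/ca.pem
    --embed-certs=true
    --server=https://{{ hostvars[groups['k8s_master'][0]]['ansible_' + hostvars[item]['peervpn_conf_interface']].ipv4.address }}:{{ k8s_apiserver_secure_port }}
    --kubeconfig={{ k8s_config_directory }}/{{ item }}.kubeconfig
  with_inventory_hostnames:
    - k8s_worker
  tags:
    - k8s-auth-config-kubelet

# --embed-certs=true together with --client-key copies the node's private key
# into the kubeconfig, so every <host>.kubeconfig is a credential file.
# NOTE(review): no task here sets ownership or mode on these files or on
# k8s_config_directory - confirm both are restricted to the intended user.
- name: Generate a kubeconfig file for each worker node (set-credentials)
  command: >-
    kubectl config set-credentials system:node:{{ hostvars[item]['ansible_hostname'] }}
    --client-certificate={{ k8s_ca_conf_directory }}/{{ item }}.pem
    --client-key={{ k8s_ca_conf_directory }}/{{ item }}-key.pem
    --embed-certs=true
    --kubeconfig={{ k8s_config_directory }}/{{ item }}.kubeconfig
  with_inventory_hostnames:
    - k8s_worker
  tags:
    - k8s-auth-config-kubelet

- name: Generate a kubeconfig file for each worker node (set-context)
  command: >-
    kubectl config set-context default
    --cluster={{ k8s_config_cluster_name }}
    --user=system:node:{{ hostvars[item]['ansible_hostname'] }}
    --kubeconfig={{ k8s_config_directory }}/{{ item }}.kubeconfig
  with_inventory_hostnames:
    - k8s_worker
  tags:
    - k8s-auth-config-kubelet

- name: Set use-context
  command: >-
    kubectl config use-context default
    --kubeconfig={{ k8s_config_directory }}/{{ item }}.kubeconfig
  with_inventory_hostnames:
    - k8s_worker
  tags:
    - k8s-auth-config-kubelet

# The literal block leaves a trailing newline on the rendered address; the
# next task strips it.
- name: Get IP address of first host in k8s_master group and use as API server
  set_fact:
    apiServer: |
      {% set item = groups["k8s_master"][0] %}
      {{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}

# Double quotes are required here so YAML turns \n into a real newline before
# Jinja sees the replace() argument.
- name: Remove newline from API server IP address
  set_fact:
    apiServer: "{{ apiServer | replace('\n', '') }}"

# Runs kubectl-config.yml (not shown here) once per component, exposing the
# current name as the loop variable "service".
- include_tasks: kubectl-config.yml
  loop:
    - kube-proxy
    - kube-controller-manager
    - kube-scheduler
    - admin
  loop_control:
    loop_var: service

- include_tasks: kubectl-cluster-config.yml

# mode is quoted for the same reason as on the kubectl binary above.
# NOTE(review): owner and group are not set, so the file belongs to whichever
# user this task runs as. The template presumably holds encryption key
# material; if so, confirm that user is the intended reader and consider
# no_log so diff output does not print the rendered content.
- name: Create encryption config file
  template:
    src: "templates/encryption-config.yaml.j2"
    dest: "{{ k8s_encryption_config_directory }}/encryption-config.yaml"
    mode: "0600"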