Fix upgrade for canal and apiserver cert

Fixes #1573

roles/kubernetes-apps/network_plugin/canal/tasks/main.yml

@@ -8,18 +8,6 @@
     resource: "configmap"
     namespace: "{{system_namespace}}"
 
-# FIXME: remove if kubernetes/features#124 is implemented
-- name: Purge old flannel and canal-node
-  run_once: true
-  kube:
-    name: "canal-node"
-    kubectl: "{{ bin_dir }}/kubectl"
-    filename: "{{ kube_config_dir }}/canal-node.yaml"
-    resource: "ds"
-    namespace: "{{system_namespace}}"
-    state: absent
-  when: inventory_hostname == groups['kube-master'][0] and canal_node_manifest.changed
-
 - name: Start flannel and calico-node
   run_once: true
   kube:

roles/kubernetes/secrets/files/make-ssl.sh

@@ -82,10 +82,13 @@ gen_key_and_cert() {
 
 # Admins
 if [ -n "$MASTERS" ]; then
-    # If any host requires new certs, just regenerate all master certs
     # kube-apiserver
-    gen_key_and_cert "apiserver" "/CN=kube-apiserver"
+    # Generate only if we don't have existing ca and apiserver certs
-    cat ca.pem >> apiserver.pem
+    if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
+      gen_key_and_cert "apiserver" "/CN=kube-apiserver"
+      cat ca.pem >> apiserver.pem
+    fi
+    # If any host requires new certs, just regenerate scheduler and controller-manager master certs
     # kube-scheduler
     gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
     # kube-controller-manager

roles/network_plugin/canal/templates/canal-node.yml.j2

@@ -3,6 +3,7 @@ kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
   name: canal-node
+  namespace: {{ system_namespace }}
   labels:
     k8s-app: canal-node
 spec:
@@ -180,3 +181,7 @@ spec:
             - name: "canal-certs"
               mountPath: "{{ canal_cert_dir }}"
               readOnly: true
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate