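---
# Playbook: add new control-plane nodes to an existing kubeadm cluster.
#
# Flow: provision the new nodes (Step 1), refresh WireGuard peers on the
# existing fleet (Step 2), fetch join credentials from the first existing
# control plane (Step 3), then join the new nodes one at a time (Step 4).

# Step 1: Install base packages on new CP nodes
- hosts: new_control_planes
  become: true
  roles:
    - common
    - wireguard
    - containerd
    - kubernetes

# Step 2: Update WireGuard on existing nodes to know about new peers
# NOTE(review): only k8s_workers is refreshed here; the existing control
# planes (k8s_control_plane) are not. Confirm they learn the new peers
# elsewhere (e.g. in the kubeadm_cp_discovery role) or add them to hosts.
- hosts: k8s_workers
  become: true
  roles:
    - wireguard

# Step 3: Get join credentials from existing CP
# The role is expected to set kubeadm_cp_join_cmd on this host; Step 4 reads
# it through hostvars.
- hosts: k8s_control_plane[0]
  become: true
  roles:
    - kubeadm_cp_discovery

# Step 4: Join new nodes as control planes
- hosts: new_control_planes
  become: true
  serial: 1  # Join one at a time for safety (each join changes etcd membership)
  tasks:
    - name: Join as control plane
      # The join command carries the bootstrap token, CA hash and certificate
      # key; keep them out of task output, logs and callback plugins.
      no_log: true
      # NOTE(review): --control-plane-endpoint is a `kubeadm init` flag; verify
      # that the join command accepts it, or that the endpoint is already part
      # of kubeadm_cp_join_cmd, before relying on this task.
      command: >-
        {{ hostvars[groups['k8s_control_plane'][0]].kubeadm_cp_join_cmd }}
        --control-plane-endpoint cp.k8s.betelgeusebytes.io:6443
        --apiserver-advertise-address {{ wg_address }}
      args:
        creates: /etc/kubernetes/kubelet.conf  # idempotence: skip once joined

    # Native modules instead of `mkdir -p` + `cp -f`: idempotent, report
    # changes correctly, and pin permissions so the admin credential is not
    # left readable via the process umask.
    - name: Ensure root kubeconfig directory exists
      file:
        path: /root/.kube
        state: directory
        mode: "0700"

    - name: Setup kubeconfig
      copy:
        src: /etc/kubernetes/admin.conf
        dest: /root/.kube/config
        remote_src: true
        mode: "0600"

    # Both kubeconfigs are rewritten from the advertise IP kubeadm inserts to
    # the stable DNS endpoint so a single control plane going away does not
    # strand this node.
    - name: Update kubelet server to DNS endpoint
      replace:
        path: /etc/kubernetes/kubelet.conf
        regexp: 'server: https://[0-9.]+:6443'
        replace: 'server: https://cp.k8s.betelgeusebytes.io:6443'
      register: kubelet_conf_endpoint

    - name: Update admin.conf server to DNS endpoint
      replace:
        path: /etc/kubernetes/admin.conf
        regexp: 'server: https://[0-9.]+:6443'
        replace: 'server: https://cp.k8s.betelgeusebytes.io:6443'

    # Only bounce the kubelet when its config actually changed; an
    # unconditional restart on every run is avoidable churn on a control plane.
    - name: Restart kubelet
      service:
        name: kubelet
        state: restarted
      when: kubelet_conf_endpoint is changed

    # Runs on the first existing control plane, which has a working
    # kubeconfig. Assumes the node object name equals inventory_hostname;
    # confirm if hostnames differ from inventory names.
    - name: Taint node as control-plane only
      command: kubectl taint nodes {{ inventory_hostname }} node-role.kubernetes.io/control-plane:NoSchedule --overwrite
      delegate_to: "{{ groups['k8s_control_plane'][0] }}"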