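# Builds the `kubeadm join ... --control-plane` command for additional
# control-plane nodes and stores it in the `kubeadm_cp_join_cmd` fact.
#
# Three of the values handled here are credentials:
#   * cert_key   - decrypts the control-plane certificates that
#                  `upload-certs` stores in the cluster
#   * join_token - bootstrap token accepted by the API server for joins
#   * kubeadm_cp_join_cmd - contains both of the above
# Every task that registers or templates them sets `no_log: true` so they
# do not end up in Ansible output, callback plugins or log files.

- name: Upload certs and get certificate key
  # Without pipefail the task's exit status is that of `tail`, so a failed
  # `kubeadm` call would be registered as a (bogus) certificate key.
  shell: |
    set -o pipefail
    kubeadm init phase upload-certs --upload-certs | tail -n 1
  args:
    executable: /bin/bash  # `set -o pipefail` is not available in plain sh
  register: cert_key
  no_log: true
  # The certificate key is a hex-encoded 32-byte key; anything else on the
  # last line means the output format was not what this task expects.
  failed_when: >-
    cert_key.rc != 0 or
    cert_key.stdout is not match('^[0-9a-f]{64}$')

- name: Compute CA cert hash
  # SHA-256 over the DER-encoded public key of the cluster CA; joining nodes
  # pin the CA with it via --discovery-token-ca-cert-hash.
  # NOTE: `openssl rsa` only parses RSA public keys and its stderr is
  # discarded, so pipefail is what makes a failure in that stage visible
  # instead of hashing empty input.
  shell: |
    set -o pipefail
    openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
      | openssl rsa -pubin -outform der 2>/dev/null \
      | openssl dgst -sha256 -hex \
      | awk '{print $2}'
  args:
    executable: /bin/bash
  register: ca_hash
  changed_when: false  # read-only computation
  failed_when: >-
    ca_hash.rc != 0 or
    ca_hash.stdout is not match('^[0-9a-f]{64}$')

- name: Create short-lived token
  # No pipes or redirects are involved, so `command` is used instead of
  # `shell`. The 30 minute TTL bounds how long a leaked token stays usable.
  command: kubeadm token create --ttl 30m
  register: join_token
  no_log: true
  failed_when: >-
    join_token.rc != 0 or
    join_token.stdout is not match('^[a-z0-9]{6}[.][a-z0-9]{16}$')

- name: Determine control-plane endpoint
  # Uses the host's `control_plane_endpoint` variable when it is defined,
  # otherwise falls back to this host's `ansible_host` on port 6443.
  set_fact:
    cp_endpoint: "{{ hostvars[inventory_hostname].control_plane_endpoint | default(ansible_host ~ ':6443') }}"

- name: Assemble control-plane join command
  # The resulting fact embeds the bootstrap token and the certificate key.
  # Tasks that later execute or template it should set `no_log: true` as
  # well, otherwise the secrets are printed where the command is used.
  set_fact:
    kubeadm_cp_join_cmd: >-
      kubeadm join {{ cp_endpoint }}
      --token {{ join_token.stdout }}
      --discovery-token-ca-cert-hash sha256:{{ ca_hash.stdout }}
      --control-plane
      --certificate-key {{ cert_key.stdout }}
  no_log: true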