fix graceful upgrade (#1704)

Fix system namespace creation
Only rotate tokens when necessary

roles/kubernetes-apps/rotate_tokens/tasks/main.yml

 ---
+- name: Rotate Tokens | Test if default certificate is expired
+  shell: >-
+    kubectl run -i test-rotate-tokens
+    --image={{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
+    --restart=Never --rm
+    kubectl get nodes
+  register: check_secret
+  failed_when: false
+  run_once: true
+
+- name: Rotate Tokens | Determine if certificate is expired
+  set_fact:
+    needs_rotation: '{{ "You must be logged in" in check_secret.stderr }}'
+
 # FIXME(mattymo): Exclude built in secrets that were automatically rotated,
 # instead of filtering manually
 - name: Rotate Tokens | Get all serviceaccount tokens to expire
@@ -9,12 +23,15 @@
     | egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
   register: tokens_to_delete
   run_once: true
+  when: needs_rotation
 
 - name: Rotate Tokens | Delete expired tokens
   command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
   with_items: "{{ tokens_to_delete.stdout_lines }}"
   run_once: true
+  when: needs_rotation
 
 - name: Rotate Tokens | Delete pods in system namespace
   command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
   run_once: true
+  when: needs_rotation

roles/kubernetes/master/tasks/static-pod-setup.yml

@@ -30,7 +30,7 @@
   register: create_system_ns
   until: create_system_ns.rc == 0
   changed_when: False
-  when: kubesystem.rc != 0 and inventory_hostname == groups['kube-master'][0]
+  when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
   tags: apps
 
 - name: Write kube-scheduler kubeconfig