From 93f6690f261e72c7321ce806dfdb20977e882c8b Mon Sep 17 00:00:00 2001
From: Erik Wilson
Date: Fri, 21 Jun 2019 10:45:31 -0700
Subject: [PATCH] Graceful upgrade token to server CA

---
 pkg/daemons/control/server.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index fa9299d71a..027173d78d 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -524,8 +524,25 @@ func genClientCerts(config *config.Control, runtime *config.ControlRuntime) erro
 return nil
 }
 
+func createServerSigningCertKey(config *config.Control, runtime *config.ControlRuntime) (bool, error) {
+ TokenCA := path.Join(config.DataDir, "tls", "token-ca.crt")
+ TokenCAKey := path.Join(config.DataDir, "tls", "token-ca.key")
+
+ if exists(TokenCA, TokenCAKey) && !exists(runtime.ServerCA) && !exists(runtime.ServerCAKey) {
+ logrus.Infof("Upgrading token-ca files to server-ca")
+ if err := os.Link(TokenCA, runtime.ServerCA); err != nil {
+ return false, err
+ }
+ if err := os.Link(TokenCAKey, runtime.ServerCAKey); err != nil {
+ return false, err
+ }
+ return true, nil
+ }
+ return createSigningCertKey("k3s-server", runtime.ServerCA, runtime.ServerCAKey)
+}
+
 func genServerCerts(config *config.Control, runtime *config.ControlRuntime) error {
- regen, err := createSigningCertKey("k3s-server", runtime.ServerCA, runtime.ServerCAKey)
+ regen, err := createServerSigningCertKey(config, runtime)
 if err != nil {
 return err
 }
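Review bot: The upgrade in `createServerSigningCertKey` is not atomic: if the second `os.Link` (the key) fails after the first succeeded, `runtime.ServerCA` is left in place without its key, and on the next start the guard `!exists(runtime.ServerCA) && !exists(runtime.ServerCAKey)` is false, so the upgrade is never retried and control falls through to `createSigningCertKey` with a half-populated pair. How that function treats a certificate without a key is not visible in this hunk, but if it generates a fresh CA, nodes that trusted the token CA would stop validating the server. Undo the first link in the second error branch, e.g. `_ = os.Remove(runtime.ServerCA)` before `return false, err`. A comment on the function should also state that the hard links leave the CA private key reachable under `token-ca.key` as well, so removing or rotating one path does not retire the key material. The locals `TokenCA`/`TokenCAKey` would conventionally be `tokenCA`/`tokenCAKey`.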