From a676c106d3cfa44147beeafbef731f608b03b028 Mon Sep 17 00:00:00 2001
From: "R. P. Taylor" <1686627+rptaylor@users.noreply.github.com>
Date: Mon, 27 Mar 2023 06:36:30 -0700
Subject: [PATCH] change bash for loop for SAN check (#9060)

fix merge conflict
---
 .../control-plane/tasks/kubeadm-setup.yml     | 31 ++++++++++---------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index 3bfd8e27d..097fb0f44 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -108,22 +108,23 @@
     - item in kube_apiserver_admission_plugins_needs_configuration
   loop: "{{ kube_apiserver_enable_admission_plugins }}"
 
-- name: kubeadm | Check if apiserver.crt contains all needed SANs
-  shell: |
-    set -o pipefail
-    for IP in {{ apiserver_ips | join(' ') }}; do
-      openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW'
-    done
-    for HOST in {{ apiserver_hosts | join(' ') }}; do
-      openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW'
-    done
+- name: kubeadm | Check apiserver.crt SANs
+  block:
+    - name: kubeadm | Check apiserver.crt SAN IPs
+      command:
+        cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkip {{ item }}"
+      loop: "{{ apiserver_ips }}"
+      register: apiserver_sans_ip_check
+      changed_when: apiserver_sans_ip_check.stdout is not search('does match certificate')
+    - name: kubeadm | Check apiserver.crt SAN hosts
+      command:
+        cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkhost {{ item }}"
+      loop: "{{ apiserver_hosts }}"
+      register: apiserver_sans_host_check
+      changed_when: apiserver_sans_host_check.stdout is not search('does match certificate')
   vars:
     apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
     apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
-  args:
-    executable: /bin/bash
-  register: apiserver_sans_check
-  changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
   when:
     - kubeadm_already_run.stat.exists
     - not kube_external_ca_mode
@@ -137,7 +138,7 @@
     - apiserver.key
   when:
     - kubeadm_already_run.stat.exists
-    - apiserver_sans_check.changed
+    - apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
     - not kube_external_ca_mode
 
 - name: kubeadm | regenerate apiserver cert 2/2
@@ -147,7 +148,7 @@
     --config={{ kube_config_dir }}/kubeadm-config.yaml
   when:
     - kubeadm_already_run.stat.exists
-    - apiserver_sans_check.changed
+    - apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
     - not kube_external_ca_mode
 
 - name: kubeadm | Create directory to store kubeadm patches
-- 
GitLab