Skip to content
Snippets Groups Projects
Unverified Commit a676c106 authored by R. P. Taylor's avatar R. P. Taylor Committed by GitHub
Browse files

change bash for loop for SAN check (#9060) 

fix merge conflict
parent acbf44a1
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+ 16
15
View file @ a676c106
...@@ -108,22 +108,23 @@ ...@@ -108,22 +108,23 @@
- item in kube_apiserver_admission_plugins_needs_configuration - item in kube_apiserver_admission_plugins_needs_configuration
loop: "{{ kube_apiserver_enable_admission_plugins }}" loop: "{{ kube_apiserver_enable_admission_plugins }}"
- name: kubeadm | Check if apiserver.crt contains all needed SANs - name: kubeadm | Check apiserver.crt SANs
shell: | block:
set -o pipefail - name: kubeadm | Check apiserver.crt SAN IPs
for IP in {{ apiserver_ips | join(' ') }}; do command:
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW' cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkip {{ item }}"
done loop: "{{ apiserver_ips }}"
for HOST in {{ apiserver_hosts | join(' ') }}; do register: apiserver_sans_ip_check
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW' changed_when: apiserver_sans_ip_check.stdout is not search('does match certificate')
done - name: kubeadm | Check apiserver.crt SAN hosts
command:
cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkhost {{ item }}"
loop: "{{ apiserver_hosts }}"
register: apiserver_sans_host_check
changed_when: apiserver_sans_host_check.stdout is not search('does match certificate')
vars: vars:
apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}" apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}" apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
args:
executable: /bin/bash
register: apiserver_sans_check
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
when: when:
- kubeadm_already_run.stat.exists - kubeadm_already_run.stat.exists
- not kube_external_ca_mode - not kube_external_ca_mode
...@@ -137,7 +138,7 @@ ...@@ -137,7 +138,7 @@
- apiserver.key - apiserver.key
when: when:
- kubeadm_already_run.stat.exists - kubeadm_already_run.stat.exists
- apiserver_sans_check.changed - apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
- not kube_external_ca_mode - not kube_external_ca_mode
- name: kubeadm | regenerate apiserver cert 2/2 - name: kubeadm | regenerate apiserver cert 2/2
...@@ -147,7 +148,7 @@ ...@@ -147,7 +148,7 @@
--config={{ kube_config_dir }}/kubeadm-config.yaml --config={{ kube_config_dir }}/kubeadm-config.yaml
when: when:
- kubeadm_already_run.stat.exists - kubeadm_already_run.stat.exists
- apiserver_sans_check.changed - apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
- not kube_external_ca_mode - not kube_external_ca_mode
- name: kubeadm | Create directory to store kubeadm patches - name: kubeadm | Create directory to store kubeadm patches
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment