Commit dae9f6d3 authored by Matthew Mosesohn's avatar Matthew Mosesohn Committed by GitHub

Test if tokens are expired from host instead of inside container (#1727)

* Test if tokens are expired from host instead of inside container

* Update main.yml
--- ---
- name: Rotate Tokens | Get default token name
shell: "{{ bin_dir }}/kubectl get secrets -o custom-columns=name:{.metadata.name} --no-headers | grep -m1 default-token"
register: default_token
- name: Rotate Tokens | Get default token data
command: "{{ bin_dir }}/kubectl get secrets {{ default_token.stdout }} -ojson"
register: default_token_data
run_once: true
- name: Rotate Tokens | Test if default certificate is expired - name: Rotate Tokens | Test if default certificate is expired
shell: >- uri:
kubectl run -i test-rotate-tokens url: https://{{ kube_apiserver_ip }}/api/v1/nodes
--image={{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} method: GET
--restart=Never --rm return_content: no
kubectl get nodes validate_certs: no
headers:
Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
register: check_secret register: check_secret
failed_when: false
run_once: true run_once: true
failed_when: false
- name: Rotate Tokens | Determine if certificate is expired - name: Rotate Tokens | Determine if certificate is expired
set_fact: set_fact:
needs_rotation: '{{ "You must be logged in" in check_secret.stderr }}' needs_rotation: '{{ check_secret.status not in [200, 403] }}'
# FIXME(mattymo): Exclude built in secrets that were automatically rotated, # FIXME(mattymo): Exclude built in secrets that were automatically rotated,
# instead of filtering manually # instead of filtering manually
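Review bot: The new `uri` task presents the default service-account bearer token to `https://{{ kube_apiserver_ip }}/api/v1/nodes` with `validate_certs: no`, so the token is handed to whatever answers on that address without the apiserver certificate being checked; prefer `validate_certs: true` (pointing the module at the cluster CA bundle if the host does not already trust it). The `Authorization` header is part of the task arguments and of the registered `check_secret` result, so it will be printed in verbose Ansible output unless the task also carries `no_log: true`. As a point of style, `return_content: no` and `validate_certs: no` rely on YAML 1.1 truthy words; write `false`. Finally, `needs_rotation: '{{ check_secret.status not in [200, 403] }}'` is also true when the request never reached the server (with `failed_when: false` the module reports a negative status on connection errors), so a transient connectivity problem would presumably trigger a rotation — consider keying on an explicit authentication failure such as `check_secret.status == 401` instead.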