From 6f9f450cce4ea1d46d5c4165dcd91223bb314ec6 Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Mon, 12 Apr 2021 12:17:38 -0400
Subject: [PATCH] Regenerate apiserver.crt on all control-plane nodes (#7463)

We were regenerating only the cert of the first node
While at it speed up the check step

Signed-off-by: Etienne Champetier
(cherry picked from commit e444b3c1401fb69182283ec87616bceda287e21e)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-setup.yml
---
 .../kubernetes/master/tasks/kubeadm-setup.yml | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 0486cb50c..5ed944e45 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -81,12 +81,22 @@
     mode: 0640
 - name: kubeadm | Check if apiserver.crt contains all needed SANs
-  command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
-  with_items: "{{ apiserver_sans }}"
+  shell: |
+    set -o pipefail
+    for IP in {{ apiserver_ips | join(' ') }}; do
+      openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW'
+    done
+    for HOST in {{ apiserver_hosts | join(' ') }}; do
+      openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW'
+    done
+  vars:
+    apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
+    apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
+  args:
+    executable: /bin/bash
   register: apiserver_sans_check
-  changed_when: "'does match certificate' not in apiserver_sans_check.stdout"
+  changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_already_run.stat.exists
 - name: kubeadm | regenerate apiserver cert 1/2
@@ -97,7 +107,6 @@
     - apiserver.crt
     - apiserver.key
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_already_run.stat.exists
     - apiserver_sans_check.changed
@@ -107,7 +116,6 @@
     init phase certs apiserver --config={{ kube_config_dir }}/kubeadm-config.yaml
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_already_run.stat.exists
     - apiserver_sans_check.changed
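Review bot: In the new `shell:` block the SAN values are expanded into bash unquoted twice, first in the `for IP in {{ apiserver_ips | join(' ') }}` and `for HOST in ...` word lists and again as bare `$IP` / `$HOST` on the openssl lines, so any entry of `apiserver_sans` containing whitespace or shell metacharacters (presumably these come from inventory variables, not from the node being checked) is word-split or interpreted by the shell rather than passed to `-checkip` / `-checkhost` as one argument. Quoting both sides keeps each SAN intact, `for IP in {{ apiserver_ips | map('quote') | join(' ') }}; do` and `-checkip "$IP"`, with the same change for the HOST loop. Printing the failing name, `echo "NEED-RENEW $IP"`, would also let the registered stdout show which SAN triggered the regeneration, since `changed_when` only looks for the marker. The check task starts and ends inside this hunk; the `regenerate apiserver cert 1/2` task that begins on its last line continues outside it.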