change bash for loop for SAN check
fix merge conflict
This commit is contained in:
parent
9ca5632582
commit
a6455a93dc
1 changed files with 16 additions and 15 deletions
|
@ -107,22 +107,23 @@
|
||||||
- item in kube_apiserver_admission_plugins_needs_configuration
|
- item in kube_apiserver_admission_plugins_needs_configuration
|
||||||
loop: "{{ kube_apiserver_enable_admission_plugins[0].split(',') }}"
|
loop: "{{ kube_apiserver_enable_admission_plugins[0].split(',') }}"
|
||||||
|
|
||||||
- name: kubeadm | Check if apiserver.crt contains all needed SANs
|
- name: kubeadm | Check apiserver.crt SANs
|
||||||
shell: |
|
block:
|
||||||
set -o pipefail
|
- name: kubeadm | Check apiserver.crt SAN IPs
|
||||||
for IP in {{ apiserver_ips | join(' ') }}; do
|
command:
|
||||||
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW'
|
cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkip {{ item }}"
|
||||||
done
|
loop: "{{ apiserver_ips }}"
|
||||||
for HOST in {{ apiserver_hosts | join(' ') }}; do
|
register: apiserver_sans_ip_check
|
||||||
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW'
|
changed_when: apiserver_sans_ip_check.stdout is not search('does match certificate')
|
||||||
done
|
- name: kubeadm | Check apiserver.crt SAN hosts
|
||||||
|
command:
|
||||||
|
cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkhost {{ item }}"
|
||||||
|
loop: "{{ apiserver_hosts }}"
|
||||||
|
register: apiserver_sans_host_check
|
||||||
|
changed_when: apiserver_sans_host_check.stdout is not search('does match certificate')
|
||||||
vars:
|
vars:
|
||||||
apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
|
apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
|
||||||
apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
|
apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
register: apiserver_sans_check
|
|
||||||
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
|
|
||||||
when:
|
when:
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
- not kube_external_ca_mode
|
- not kube_external_ca_mode
|
||||||
|
@ -136,7 +137,7 @@
|
||||||
- apiserver.key
|
- apiserver.key
|
||||||
when:
|
when:
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
- apiserver_sans_check.changed
|
- apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
|
||||||
- not kube_external_ca_mode
|
- not kube_external_ca_mode
|
||||||
|
|
||||||
- name: kubeadm | regenerate apiserver cert 2/2
|
- name: kubeadm | regenerate apiserver cert 2/2
|
||||||
|
@ -146,7 +147,7 @@
|
||||||
--config={{ kube_config_dir }}/kubeadm-config.yaml
|
--config={{ kube_config_dir }}/kubeadm-config.yaml
|
||||||
when:
|
when:
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
- apiserver_sans_check.changed
|
- apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
|
||||||
- not kube_external_ca_mode
|
- not kube_external_ca_mode
|
||||||
|
|
||||||
- name: kubeadm | Initialize first master
|
- name: kubeadm | Initialize first master
|
||||||
|
|
Loading…
Reference in a new issue