C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

change bash for loop for SAN check

Browse source 
fix merge conflict
This commit is contained in:
Ryan Taylor 2022-07-05 15:54:58 -07:00
parent 9ca5632582
commit a6455a93dc
1 changed files with 16 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
View file

@ -107,22 +107,23 @@
- item in kube_apiserver_admission_plugins_needs_configuration - item in kube_apiserver_admission_plugins_needs_configuration
loop: "{{ kube_apiserver_enable_admission_plugins[0].split(',') }}" loop: "{{ kube_apiserver_enable_admission_plugins[0].split(',') }}"
- name: kubeadm | Check if apiserver.crt contains all needed SANs - name: kubeadm | Check apiserver.crt SANs
shell: | block:
set -o pipefail - name: kubeadm | Check apiserver.crt SAN IPs
for IP in {{ apiserver_ips | join(' ') }}; do command:
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW' cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkip {{ item }}"
done loop: "{{ apiserver_ips }}"
for HOST in {{ apiserver_hosts | join(' ') }}; do register: apiserver_sans_ip_check
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW' changed_when: apiserver_sans_ip_check.stdout is not search('does match certificate')
done - name: kubeadm | Check apiserver.crt SAN hosts
command:
cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkhost {{ item }}"
loop: "{{ apiserver_hosts }}"
register: apiserver_sans_host_check
changed_when: apiserver_sans_host_check.stdout is not search('does match certificate')
vars: vars:
apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}" apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}" apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
args:
executable: /bin/bash
register: apiserver_sans_check
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
when: when:
- kubeadm_already_run.stat.exists - kubeadm_already_run.stat.exists
- not kube_external_ca_mode - not kube_external_ca_mode
@ -136,7 +137,7 @@
- apiserver.key - apiserver.key
when: when:
- kubeadm_already_run.stat.exists - kubeadm_already_run.stat.exists
- apiserver_sans_check.changed - apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
- not kube_external_ca_mode - not kube_external_ca_mode
- name: kubeadm | regenerate apiserver cert 2/2 - name: kubeadm | regenerate apiserver cert 2/2
@ -146,7 +147,7 @@
--config={{ kube_config_dir }}/kubeadm-config.yaml --config={{ kube_config_dir }}/kubeadm-config.yaml
when: when:
- kubeadm_already_run.stat.exists - kubeadm_already_run.stat.exists
- apiserver_sans_check.changed - apiserver_sans_ip_check.changed or apiserver_sans_host_check.changed
- not kube_external_ca_mode - not kube_external_ca_mode
- name: kubeadm | Initialize first master - name: kubeadm | Initialize first master