Regenerate apiserver.crt on all control-plane nodes (#7463)
We were regenerating only the cert of the first node While at it speed up the check step Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
This commit is contained in:
parent
d56ac216f4
commit
e444b3c140
1 changed files with 14 additions and 6 deletions
|
@ -81,12 +81,22 @@
|
||||||
mode: 0640
|
mode: 0640
|
||||||
|
|
||||||
- name: kubeadm | Check if apiserver.crt contains all needed SANs
|
- name: kubeadm | Check if apiserver.crt contains all needed SANs
|
||||||
command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
|
shell: |
|
||||||
with_items: "{{ apiserver_sans }}"
|
set -o pipefail
|
||||||
|
for IP in {{ apiserver_ips | join(' ') }}; do
|
||||||
|
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW'
|
||||||
|
done
|
||||||
|
for HOST in {{ apiserver_hosts | join(' ') }}; do
|
||||||
|
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW'
|
||||||
|
done
|
||||||
|
vars:
|
||||||
|
apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
|
||||||
|
apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
|
||||||
|
args:
|
||||||
|
executable: /bin/bash
|
||||||
register: apiserver_sans_check
|
register: apiserver_sans_check
|
||||||
changed_when: "'does match certificate' not in apiserver_sans_check.stdout"
|
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
|
||||||
when:
|
when:
|
||||||
- inventory_hostname == groups['kube_control_plane']|first
|
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
|
|
||||||
- name: kubeadm | regenerate apiserver cert 1/2
|
- name: kubeadm | regenerate apiserver cert 1/2
|
||||||
|
@ -97,7 +107,6 @@
|
||||||
- apiserver.crt
|
- apiserver.crt
|
||||||
- apiserver.key
|
- apiserver.key
|
||||||
when:
|
when:
|
||||||
- inventory_hostname == groups['kube_control_plane']|first
|
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
- apiserver_sans_check.changed
|
- apiserver_sans_check.changed
|
||||||
|
|
||||||
|
@ -107,7 +116,6 @@
|
||||||
init phase certs apiserver
|
init phase certs apiserver
|
||||||
--config={{ kube_config_dir }}/kubeadm-config.yaml
|
--config={{ kube_config_dir }}/kubeadm-config.yaml
|
||||||
when:
|
when:
|
||||||
- inventory_hostname == groups['kube_control_plane']|first
|
|
||||||
- kubeadm_already_run.stat.exists
|
- kubeadm_already_run.stat.exists
|
||||||
- apiserver_sans_check.changed
|
- apiserver_sans_check.changed
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue