Regenerate apiserver.crt on all control-plane nodes (kubernetes-sigs#…

…7463) We were regenerating only the cert of the first node While at it speed up the check step Signed-off-by: Etienne Champetier <e.champetier@ateme.com> (cherry picked from commit e444b3c) Conflicts: roles/kubernetes/master/tasks/kubeadm-setup.yml
champtar · Apr 12, 2021 · 0959c26 · 0959c26
1 parent b5d4fbf
commit 0959c26
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -81,12 +81,22 @@
     mode: 0640
 
 - name: kubeadm | Check if apiserver.crt contains all needed SANs
-  command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
-  with_items: "{{ apiserver_sans }}"
+  shell: |
+    set -o pipefail
+    for IP in {{ apiserver_ips | join(' ') }}; do
+      openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW'
+    done
+    for HOST in {{ apiserver_hosts | join(' ') }}; do
+      openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW'
+    done
+  vars:
+    apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
+    apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
+  args:
+    executable: /bin/bash
   register: apiserver_sans_check
-  changed_when: "'does match certificate' not in apiserver_sans_check.stdout"
+  changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_already_run.stat.exists
 
 - name: kubeadm | regenerate apiserver cert 1/2
@@ -97,7 +107,6 @@
     - apiserver.crt
     - apiserver.key
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_already_run.stat.exists
     - apiserver_sans_check.changed
 
@@ -107,7 +116,6 @@
     init phase certs apiserver
     --config={{ kube_config_dir }}/kubeadm-config.yaml
   when:
-    - inventory_hostname == groups['kube-master']|first
     - kubeadm_already_run.stat.exists
     - apiserver_sans_check.changed