From d54cfba6c2eda8e10085ff0125745b09bb309350 Mon Sep 17 00:00:00 2001
From: "M. Hamzah Khan"
Date: Mon, 9 Sep 2024 10:04:27 +0100
Subject: [PATCH] Fix SAN check on newer versions versions of openssl (#11277)
---
 roles/kubernetes/control-plane/tasks/kubeadm-setup.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index 18bf2ec0f7d..c13b6e833d3 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -145,12 +145,14 @@
 loop: "{{ apiserver_ips }}"
 register: apiserver_sans_ip_check
 changed_when: apiserver_sans_ip_check.stdout is not search('does match certificate')
+ failed_when: apiserver_sans_ip_check.rc != 0 and apiserver_sans_ip_check.stdout is not search('does NOT match certificate')
 - name: Kubeadm | Check apiserver.crt SAN hosts
 command:
 cmd: "openssl x509 -noout -in {{ kube_cert_dir }}/apiserver.crt -checkhost {{ item }}"
 loop: "{{ apiserver_hosts }}"
 register: apiserver_sans_host_check
 changed_when: apiserver_sans_host_check.stdout is not search('does match certificate')
+ failed_when: apiserver_sans_host_check.rc != 0 and apiserver_sans_host_check.stdout is not search('does NOT match certificate')
 - name: Kubeadm | regenerate apiserver cert 1/2
 file:
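Review bot: Both added `failed_when` lines (the SAN IPs and SAN hosts tasks) still leave the outcome resting on substring matches against OpenSSL's human-readable stdout, and a result with rc 0 whose output contains neither phrase is reported as changed rather than as an error. Since this commit exists because OpenSSL's behaviour differs between versions, it would be safer to fail on anything unrecognised, e.g. `failed_when: apiserver_sans_ip_check.stdout is not search('does match certificate') and apiserver_sans_ip_check.stdout is not search('does NOT match certificate')` (and the same for `apiserver_sans_host_check`), so that unparseable output cannot be mistaken for a SAN mismatch and, presumably, drive regeneration of the apiserver certificate. A short comment above each line, such as `# newer OpenSSL exits non-zero on a SAN mismatch; a mismatch is an expected result here, not a task failure`, would explain why rc is not trusted on its own. The first task starts above the hunk and the regenerate task is cut off below it, so how the registered results are consumed is inferred from the task names only.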