Regenerate apiserver.crt on all control-plane nodes (kubernetes-sigs#7463)

We were regenerating only the cert of the first node
While at it, speed up the check step

Signed-off-by: Etienne Champetier <[email protected]>
champtar authored Apr 12, 2021
1 parent d56ac21 commit e444b3c
Showing 1 changed file with 14 additions and 6 deletions.
20 changes: 14 additions & 6 deletions roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
Expand Up @@ -81,12 +81,22 @@
mode: 0640

- name: kubeadm | Check if apiserver.crt contains all needed SANs
command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
with_items: "{{ apiserver_sans }}"
shell: |
set -o pipefail
for IP in {{ apiserver_ips | join(' ') }}; do
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkip $IP | grep -q 'does match certificate' || echo 'NEED-RENEW'
done
for HOST in {{ apiserver_hosts | join(' ') }}; do
openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -checkhost $HOST | grep -q 'does match certificate' || echo 'NEED-RENEW'
done
vars:
apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
args:
executable: /bin/bash
register: apiserver_sans_check
changed_when: "'does match certificate' not in apiserver_sans_check.stdout"
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
when:
- inventory_hostname == groups['kube_control_plane']|first
- kubeadm_already_run.stat.exists

- name: kubeadm | regenerate apiserver cert 1/2
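Review bot: the two `for` loops splice `{{ apiserver_ips | join(' ') }}` and `{{ apiserver_hosts | join(' ') }}` straight into bash and then expand `$IP` and `$HOST` unquoted, so a SAN containing whitespace or a shell metacharacter would be word-split or interpreted instead of being checked; quoting the expansions (`-checkip "$IP"`, `-checkhost "$HOST"`) and passing both lists through `map('quote')` before `join` keeps the check literal. A second caveat on the `vars` block: `apiserver_ips` holds what `ipaddr` returns, which is the address in canonical form, so an IPv6 SAN written non-canonically (uppercase hex, uncompressed zero groups) would survive the `difference` call, end up in `apiserver_hosts`, be tested with `-checkhost`, and report `NEED-RENEW` on every run; deriving both lists from the same `ipaddr` pass, or documenting that `apiserver_sans` entries must already be canonical, avoids that.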
Expand All @@ -97,7 +107,6 @@
- apiserver.crt
- apiserver.key
when:
- inventory_hostname == groups['kube_control_plane']|first
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed
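Review bot: with the `inventory_hostname == groups['kube_control_plane']|first` line gone, this step now acts on apiserver.crt and apiserver.key on every control-plane node whose own `apiserver_sans_check` reported `NEED-RENEW`, which is only correct because the same guard was dropped from the check task in the first hunk (its header grows from 12 to 22 lines with the `inventory_hostname` line among those removed). That coupling is invisible from this task alone; a one-line comment on the task, or a sentence in the commit message, stating that the check and both regenerate steps must share the same host scope would stop a future edit from reintroducing a `first` guard on one of them and silently skipping regeneration on the remaining control-plane nodes.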

Expand All @@ -107,7 +116,6 @@
init phase certs apiserver
--config={{ kube_config_dir }}/kubeadm-config.yaml
when:
- inventory_hostname == groups['kube_control_plane']|first
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed
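Review bot: nothing in this task, or after it in the visible lines, verifies that the regenerated certificate actually carries every entry of `apiserver_sans`; `kubeadm init phase certs apiserver` takes its SANs from `{{ kube_config_dir }}/kubeadm-config.yaml`, so if that file's certSANs and `apiserver_sans` drift apart on a node, the check task reports `NEED-RENEW` and both regenerate steps run on every play without ever converging. Re-running the openssl check after this step with `failed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"` (or an `assert`) would turn that silent loop into a visible failure on the node concerned.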


0 comments on commit e444b3c
