
Optimize CA cert hash calculation with community.crypto
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
ErikJiang committed Dec 1, 2024
1 parent 70b75d3 commit 33503a7
Showing 4 changed files with 16 additions and 10 deletions.
1 change: 1 addition & 0 deletions galaxy.yml
Expand Up @@ -14,6 +14,7 @@ documentation: https://kubespray.io
license_file: LICENSE
dependencies:
ansible.utils: '>=2.5.0'
community.crypto: '>=2.22.3'
community.general: '>=7.0.0'
ansible.netcommon: '>=5.3.0'
ansible.posix: '>=1.5.4'
2 changes: 2 additions & 0 deletions requirements.txt
Expand Up @@ -5,3 +5,5 @@ jmespath==1.0.1
jsonschema==4.23.0
# Needed for ansible.utils.ipaddr
netaddr==1.3.0
# Needed for community.crypto module
cryptography==44.0.0
19 changes: 11 additions & 8 deletions roles/kubernetes/kubeadm/tasks/main.yml
Expand Up @@ -29,19 +29,22 @@
delegate_to: "{{ groups['kube_control_plane'][0] }}"
run_once: true

- name: Calculate kubeadm CA cert hash
shell: |
set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
args:
executable: /bin/bash
register: kubeadm_ca_hash
- name: Fetch CA certificate from control plane node
slurp:
src: "{{ kube_cert_dir }}/ca.crt"
register: ca_cert_content
when:
- kubeadm_ca_stat.stat is defined
- kubeadm_ca_stat.stat.exists
delegate_to: "{{ groups['kube_control_plane'][0] }}"
run_once: true

- name: Calculate kubeadm CA cert hash
set_fact:
kubeadm_ca_hash: "{{ (ca_cert_content.content | b64decode | community.crypto.x509_certificate_info).public_key_fingerprints.sha256 }}"
when: ca_cert_content.content | length > 0
delegate_to: localhost
run_once: true
changed_when: false

- name: Create kubeadm token for joining nodes with 24h expiration (default)
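Review bot: The guard `when: ca_cert_content.content | length > 0` on the new "Calculate kubeadm CA cert hash" set_fact task at the end of the hunk does not handle the case where the preceding slurp task was skipped (its `when` requires `kubeadm_ca_stat.stat.exists`): the registered result of a skipped task carries no `content` key, as far as I can tell, so evaluating this condition raises an undefined-variable error rather than skipping. The guard also changes failure semantics compared with the removed shell pipeline, which ran under `set -o pipefail` and failed the play on an empty or unreadable `ca.crt`; the new task instead skips silently, leaves `kubeadm_ca_hash` undefined, and the client template in this commit then falls back to `unsafeSkipCAVerification: true`. Suggest `when: ca_cert_content.content is defined`, so a skipped fetch still skips cleanly while an empty or malformed certificate surfaces as a filter error instead of a silent downgrade of join-time CA verification. `changed_when: false` on a set_fact task is redundant and can be dropped.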
4 changes: 2 additions & 2 deletions roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2
Expand Up @@ -13,9 +13,9 @@ discovery:
apiServerEndpoint: {{ kubeadm_discovery_address }}
{% endif %}
token: {{ kubeadm_token }}
{% if kubeadm_ca_hash.stdout is defined %}
{% if kubeadm_ca_hash is defined %}
caCertHashes:
- sha256:{{ kubeadm_ca_hash.stdout }}
- sha256:{{ kubeadm_ca_hash.replace(':', '') }}
{% else %}
unsafeSkipCAVerification: true
{% endif %}
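Review bot: The reason for `kubeadm_ca_hash.replace(':', '')` in the new `caCertHashes` line is not evident from the template alone; a one-line Jinja comment above it, `{# community.crypto returns a colon-separated fingerprint; kubeadm expects bare hex after "sha256:" #}`, would save the next reader a lookup. Stylistically, the template's other expressions use filter pipelines, so `{{ kubeadm_ca_hash | replace(':', '') }}` reads more consistently than the method call. Note that the widened condition `kubeadm_ca_hash is defined` now routes every path on which the set_fact task in roles/kubernetes/kubeadm/tasks/main.yml is skipped to the `unsafeSkipCAVerification: true` branch, so the skip conditions on that task deserve scrutiny.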
