--- - hosts: kube_control_plane[0] vars: test_image_repo: registry.k8s.io/e2e-test-images/agnhost test_image_tag: "2.40" tasks: - name: Force binaries directory for Flatcar Container Linux by Kinvolk set_fact: bin_dir: "/opt/bin" when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] - name: Force binaries directory for other hosts set_fact: bin_dir: "/usr/local/bin" when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] - name: Check kubelet serving certificates approved with kubelet_csr_approver block: - name: Get certificate signing requests command: "{{ bin_dir }}/kubectl get csr" register: get_csr changed_when: false - debug: # noqa unnamed-task msg: "{{ get_csr.stdout.split('\n') }}" - name: Check there are csrs assert: that: get_csr.stdout_lines | length > 0 fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found - name: Get Denied/Pending certificate signing requests shell: "{{ bin_dir }}/kubectl get csr | grep -e Denied -e Pending || true" register: get_csr_denied_pending changed_when: false - name: Check there are Denied/Pending csrs assert: that: get_csr_denied_pending.stdout_lines | length == 0 fail_msg: kubelet_csr_approver is enabled but CSRs are not approved when: - kubelet_rotate_server_certificates | default(false) - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)) - name: Approve kubelet serving certificates block: - name: Get certificate signing requests command: "{{ bin_dir }}/kubectl get csr -o name" register: get_csr changed_when: false - name: Check there are csrs assert: that: get_csr.stdout_lines | length > 0 fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found - name: Approve certificates command: "{{ bin_dir }}/kubectl certificate approve {{ get_csr.stdout_lines | join(' ') }}" register: certificate_approve when: get_csr.stdout_lines | length > 0 changed_when: certificate_approve.stdout - debug: # noqa unnamed-task msg: "{{ certificate_approve.stdout.split('\n') }}" when: - kubelet_rotate_server_certificates | default(false) - not (kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))) - name: Create test namespace command: "{{ bin_dir }}/kubectl create namespace test" changed_when: false - name: Wait for API token of test namespace shell: "set -o pipefail && {{ bin_dir }}/kubectl describe serviceaccounts default --namespace test | grep Tokens | awk '{print $2}'" args: executable: /bin/bash changed_when: false register: default_token until: default_token.stdout | length > 0 retries: 5 delay: 5 - name: Run 2 agnhost pods in test ns shell: cmd: | cat <