Unverified Commit f2aed3ba authored by Guillaume A's avatar Guillaume A Committed by GitHub

Automatically inject tls-san when api_endpoint differs from hostname (#434)



* Auto-add --tls-san={{ api_endpoint }} when it differs from ansible_hostname
* Ensures first server generates certificate with all required SANs
* Add .ansible/ and PR_DESCRIPTION.md to gitignore

Signed-off-by: default avatarGuillaume Andre <mail@guillaumea.fr>
parent cb640b85
+3 −1
@@ -4,3 +4,5 @@ venv
.vagrant
inventory.yml
playbook/debug.yml
.ansible/
PR_DESCRIPTION.md
 No newline at end of file
+22 −0
@@ -41,6 +41,28 @@
        }) }}
      changed_when: true

- name: Compute final agent arguments
  ansible.builtin.set_fact:
    _api_endpoint_in_agent_config: >-
      {% if agent_config_yaml is defined and api_endpoint is defined and agent_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
      true
      {% else %}
      false
      {% endif %}
    _api_endpoint_in_agent_args: >-
      {% if api_endpoint is defined and extra_agent_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
      true
      {% else %}
      false
      {% endif %}

- name: Add TLS SAN to agent arguments if needed
  ansible.builtin.set_fact:
    opt_tls_san: >-
      {% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_agent_config | bool == false and _api_endpoint_in_agent_args | bool == false %}
      --tls-san={{ api_endpoint }}
      {% endif %}

- name: Setup optional config file
  when: agent_config_yaml is defined
  block:
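Review bot: `--tls-san` is documented as a `k3s server` listener flag, so the value built in `opt_tls_san` on lines 50-53 is likely to be rejected by `k3s agent` once the unit file passes it through, and the agent service would then fail to start; the agent only needs the SAN to be present in the server's certificate, which the server-side task already handles, so this task probably should be dropped or gated on the agent actually accepting the flag (confirm against the k3s version the role targets). Separately, the `regex_search` checks on lines 36 and 42 (and their server counterparts on lines 75 and 81) match the endpoint as a bare substring, so with `api_endpoint: 10.0.0.1` an existing `tls-san: 10.0.0.10` or `--tls-san=10.0.0.10` counts as a hit and the SAN is silently not injected; terminating the pattern, e.g. `'--tls-san[=\s]+' + api_endpoint | regex_escape() + '\b'` and `'tls-san:.*\b' + api_endpoint | regex_escape() + '\b'`, closes that gap. Note also that `.` in the config pattern does not cross line breaks, so a block-style `tls-san:` list in `agent_config_yaml` is never detected and the SAN is added a second time, which is harmless but worth a comment. The `Setup optional config file` block that starts on line 55 continues outside the hunk.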
+1 −1
@@ -26,4 +26,4 @@ RestartSec=5s
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ opt_tls_san }} {{ extra_agent_args }}
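Review bot: `{{ opt_tls_san }}` on the new ExecStart line is only defined when the `Add TLS SAN to agent arguments if needed` set_fact task has run in the same play; if the template task can be reached on its own (tags, a re-template play, or a host where that task was skipped) rendering fails on an undefined variable. A default keeps the unit renderable in that case: `{{ opt_tls_san | default('') }}`; the same applies to `{{ final_server_args }}` in the server unit on line 105, where `{{ final_server_args | default(extra_server_args) }}` preserves the previous behaviour. Whether such a partial run is possible depends on how the role is invoked, which is not visible here.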
+23 −0
@@ -46,6 +46,29 @@
    regexp: '\.\s+<\(k3s completion bash\)'
    line: ". <(k3s completion bash)  # Added by k3s-ansible"

- name: Compute final server arguments
  ansible.builtin.set_fact:
    _api_endpoint_in_config: >-
      {% if server_config_yaml is defined and api_endpoint is defined and server_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
      true
      {% else %}
      false
      {% endif %}
    _api_endpoint_in_args: >-
      {% if api_endpoint is defined and extra_server_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
      true
      {% else %}
      false
      {% endif %}

- name: Add TLS SAN to server arguments if needed
  ansible.builtin.set_fact:
    final_server_args: >-
      {{ extra_server_args }}
      {% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_config | bool == false and _api_endpoint_in_args | bool == false %}
      --tls-san={{ api_endpoint }}
      {% endif %}

- name: Setup optional config file
  when: server_config_yaml is defined
  block:
+1 −1
@@ -25,4 +25,4 @@ Restart=always
RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }} 
ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ final_server_args }}