Only use stat get_checksum: yes when needed (#7270)

By default Ansible stat module compute checksum, list extended attributes and find mime type To find all stat invocations that really use one of those: git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)' Signed-off-by: Etienne Champetier <e.champetier@ateme.com> (cherry picked from commit de1d9df787) Conflicts: roles/etcd/tasks/check_certs.yml
2026-03-19 01:47:33 -02:30 · 2021-02-10 08:36:59 -05:00
parent 5563ed8084
commit f26cc9f75b
29 changed files with 142 additions and 2 deletions
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -13,11 +13,17 @@
 - name: Check if kubelet.conf exists
  stat:
    path: "{{ kube_config_dir }}/kubelet.conf"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: kubelet_conf

 - name: Check if kubeadm CA cert is accessible
  stat:
    path: "{{ kube_cert_dir }}/ca.crt"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: kubeadm_ca_stat
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true
--- a/roles/kubernetes/master/tasks/encrypt-at-rest.yml
+++ b/roles/kubernetes/master/tasks/encrypt-at-rest.yml
@@ -2,6 +2,9 @@
 - name: Check if secret for encrypting data at rest already exist
  stat:
    path: "{{ kube_cert_dir }}/secrets_encryption.yaml"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: secrets_encryption_file

 - name: Slurp secrets_encryption file if it exists
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -2,6 +2,9 @@
 - name: kubeadm | Check if old apiserver cert exists on host
  stat:
    path: "{{ kube_cert_dir }}/apiserver.pem"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: old_apiserver_cert
  delegate_to: "{{ groups['kube-master'] | first }}"
  run_once: true
@@ -24,12 +27,18 @@
 - name: kubeadm | Check serviceaccount key
  stat:
    path: "{{ kube_cert_dir }}/sa.key"
+    get_attributes: no
+    get_checksum: yes
+    get_mime: no
  register: sa_key_before
  run_once: true

 - name: kubeadm | Check if kubeadm has already run
  stat:
    path: "/var/lib/kubelet/config.yaml"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: kubeadm_already_run

 - name: kubeadm | Delete old admin.conf
@@ -211,6 +220,9 @@
 - name: kubeadm | Check serviceaccount key again
  stat:
    path: "{{ kube_cert_dir }}/sa.key"
+    get_attributes: no
+    get_checksum: yes
+    get_mime: no
  register: sa_key_after
  run_once: true

--- a/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/haproxy.yml
@@ -22,6 +22,9 @@
 - name: haproxy | Get checksum from config
  stat:
    path: "{{ haproxy_config_dir }}/haproxy.cfg"
+    get_attributes: no
+    get_checksum: yes
+    get_mime: no
  register: haproxy_stat

 - name: haproxy | Write static pod
--- a/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
+++ b/roles/kubernetes/node/tasks/loadbalancer/nginx-proxy.yml
@@ -22,6 +22,9 @@
 - name: nginx-proxy | Get checksum from config
  stat:
    path: "{{ nginx_config_dir }}/nginx.conf"
+    get_attributes: no
+    get_checksum: yes
+    get_mime: no
  register: nginx_stat

 - name: nginx-proxy | Write static pod
--- a/roles/kubernetes/preinstall/handlers/main.yml
+++ b/roles/kubernetes/preinstall/handlers/main.yml
@@ -50,13 +50,21 @@

 # FIXME(mattymo): Also restart for kubeadm mode
 - name: Preinstall | kube-apiserver configured
-  stat: path="{{ kube_manifest_dir }}/kube-apiserver.manifest"
+  stat:
+    path: "{{ kube_manifest_dir }}/kube-apiserver.manifest"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: kube_apiserver_set
  when: inventory_hostname in groups['kube-master'] and dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'

 # FIXME(mattymo): Also restart for kubeadm mode
 - name: Preinstall | kube-controller configured
-  stat: path="{{ kube_manifest_dir }}/kube-controller-manager.manifest"
+  stat:
+    path: "{{ kube_manifest_dir }}/kube-controller-manager.manifest"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: kube_controller_set
  when: inventory_hostname in groups['kube-master'] and dns_mode != 'none' and resolvconf_mode == 'host_resolvconf'

--- a/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
+++ b/roles/kubernetes/preinstall/tasks/0040-set_facts.yml
@@ -9,6 +9,9 @@
 - name: check if booted with ostree
  stat:
    path: /run/ostree-booted
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: ostree

 - name: set is_fedora_coreos
@@ -59,6 +62,9 @@
 - name: check if kubelet is configured
  stat:
    path: "{{ kube_config_dir }}/kubelet.env"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: kubelet_configured
  changed_when: false

@@ -84,6 +90,9 @@
 - name: check if /etc/dhclient.conf exists
  stat:
    path: /etc/dhclient.conf
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: dhclient_stat

 - name: target dhclient conf file for /etc/dhclient.conf
@@ -94,6 +103,9 @@
 - name: check if /etc/dhcp/dhclient.conf exists
  stat:
    path: /etc/dhcp/dhclient.conf
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: dhcp_dhclient_stat

 - name: target dhclient conf file for /etc/dhcp/dhclient.conf
@@ -170,6 +182,9 @@
 - name: check /usr readonly
  stat:
    path: "/usr"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: usr

 - name: set alternate flexvolume path
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -46,6 +46,9 @@
 - name: Check if kubernetes kubeadm compat cert dir exists
  stat:
    path: "{{ kube_cert_compat_dir }}"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: kube_cert_compat_dir_check
  when:
    - inventory_hostname in groups['k8s-cluster']
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -3,6 +3,9 @@
 - name: Confirm selinux deployed
  stat:
    path: /etc/selinux/config
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  when:
    - ansible_os_family == "RedHat"
    - "'Amazon' not in ansible_distribution"
@@ -36,6 +39,9 @@
 - name: Stat sysctl file configuration
  stat:
    path: "{{ sysctl_file_path }}"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: sysctl_file_stat
  tags:
    - bootstrap-os
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -92,6 +92,9 @@
 - name: Check if we are running inside a Azure VM
  stat:
    path: /var/lib/waagent/
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
  register: azure_check
  when:
    - not dns_late
--- a/roles/kubernetes/tokens/tasks/check-tokens.yml
+++ b/roles/kubernetes/tokens/tasks/check-tokens.yml
@@ -2,6 +2,9 @@
 - name: "Check_tokens | check if the tokens have already been generated on first master"
  stat:
    path: "{{ kube_token_dir }}/known_tokens.csv"
+    get_attributes: no
+    get_checksum: yes
+    get_mime: no
  delegate_to: "{{ groups['kube-master'][0] }}"
  register: known_tokens_master
  run_once: true
@@ -20,6 +23,9 @@
 - name: "Check tokens | check if a cert already exists"
  stat:
    path: "{{ kube_token_dir }}/known_tokens.csv"
+    get_attributes: no
+    get_checksum: yes
+    get_mime: no
  register: known_tokens

 - name: "Check_tokens | Set 'sync_tokens' to true"