一定时间间隔内多次重试是脚本书写中的常见场景，一般就是循环+sleep，这篇文章以kubernetes的证书签名请求自动批准为例介绍一下这种常见的写法。

手动证书签名请求批准

• 使用kubectl get csr获取当前的证书签名请求

[root@host132 ansible]# kubectl get csr
NAME        AGE   REQUESTOR                     CONDITION
csr-4mnvj   12m   kubelet-bootstrap             Approved,Issued
csr-b9mmc   12m   kubelet-bootstrap             Pending
csr-z2hrz   12m   system:node:192.168.163.133   Pending
[root@host132 ansible]# 

• 对pending中的请求进行approve动作

[root@host132 ansible]# kubectl certificate approve csr-b9mmc
certificatesigningrequest.certificates.k8s.io/csr-b9mmc approved
[root@host132 ansible]# kubectl get csr
NAME        AGE   REQUESTOR                     CONDITION
csr-4mnvj   14m   kubelet-bootstrap             Approved,Issued
csr-b9mmc   14m   kubelet-bootstrap             Approved,Issued
csr-mz4bb   4s    system:node:192.168.163.132   Pending
csr-z2hrz   14m   system:node:192.168.163.133   Pending
[root@host132 ansible]# 

retry + sleep

- name: wait for kubelet csr requestor
  shell: "kubectl get csr | grep kubelet-bootstrap |grep Pending"
  register: csr_status
  until: '"Pending" in csr_status.stdout'
  retries: "{{ var_retry_max }}"
  delay: "{{ var_delay_cnt }}"
  tags:
    - "csr-approve"

- name: auto approve kubelet csr requestor
  shell: "csr_name=`kubectl get csr | grep kubelet-bootstrap |grep Pending|grep -v grep |head -n1 |awk '{print $1}'` \
          && kubectl certificate approve ${csr_name}"
  register: approve_status
  until: '"approved" in approve_status.stdout'
  retries: "{{ var_retry_max }}"
  delay: "{{ var_delay_cnt }}"
  tags:
    - "csr-approve"

总结

可以看到上述的写法基本上已经没有新的知识点，就像前面提到的drop-if-exist的写法那样都是在Ansible的脚本中常见的写法。