Optimize CA cert hash calculation with community.crypto (#11758)

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>

roles/kubernetes/kubeadm/tasks/main.yml

@@ -29,20 +29,15 @@
   delegate_to: "{{ groups['kube_control_plane'][0] }}"
   run_once: true
 
-- name: Calculate kubeadm CA cert hash
-  shell: |
-    set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
-    openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
-    openssl dgst -sha256 -hex | sed 's/^.* //'
-  args:
-    executable: /bin/bash
-  register: kubeadm_ca_hash
+- name: Fetch CA certificate from control plane node
+  slurp:
+    src: "{{ kube_cert_dir }}/ca.crt"
+  register: ca_cert_content
   when:
     - kubeadm_ca_stat.stat is defined
     - kubeadm_ca_stat.stat.exists
   delegate_to: "{{ groups['kube_control_plane'][0] }}"
   run_once: true
-  changed_when: false
 
 - name: Create kubeadm token for joining nodes with 24h expiration (default)
   command: "{{ bin_dir }}/kubeadm token create"

roles/kubernetes/kubeadm/templates/kubeadm-client.conf.j2

@@ -13,9 +13,9 @@ discovery:
     apiServerEndpoint: {{ kubeadm_discovery_address }}
 {% endif %}
     token: {{ kubeadm_token }}
-{% if kubeadm_ca_hash.stdout is defined %}
+{% if ca_cert_content is defined %}
     caCertHashes:
-    - sha256:{{ kubeadm_ca_hash.stdout }}
+    - sha256:{{ (ca_cert_content.content | b64decode | community.crypto.x509_certificate_info).public_key_fingerprints.sha256.replace(':', '') }}
 {% else %}
     unsafeSkipCAVerification: true
 {% endif %}