I have an Ansible playbook that amongst other generates a Let’s Encrypt certificate by cert-manager on my cluster server.

But I have to wait until the certificate is ready, before I can continue to the next task in my playbook.

That gave me the following Ansible task:

- name: Get TLS certificate secret and wait until ready
  command:
    cmd: 'kubectl get certificate tls-rancher-ingress -n cattle-system -ojson'
  register: certificate_result
  changed_when: (certificate_result.stdout | json_query('status.conditions[0].status') == '"True"')
  retries: 10
  delay: 30

In the code above the certificate is named tls-rancher-ingress and I am getting general information about the certificate by calling the kubectl. The output is presented as JSON.

Output (slightly anonymised) from the kubectl command is on this form:

{
        "apiVersion": "cert-manager.io/v1",
        "kind": "Certificate",
        "metadata": {
            "creationTimestamp": "2024-05-27T23:19:38Z",
            "generation": 2,
            "name": "tls-rancher-ingress",
            "namespace": "cattle-system",
            "resourceVersion": "2331753",
            "uid": "30b816cd-f548-4bf7-90d2-47a0406cdbb1"
        },
        "spec": {
            "commonName": "rancher.example.com",
            "dnsNames": [
                "rancher.example.com"
            ],
            "issuerRef": {
                "kind": "ClusterIssuer",
                "name": "letsencrypt-prod"
            },
            "secretName": "tls-rancher-ingress"
        },
        "status": {
            "conditions": [
                {
                    "lastTransitionTime": "2024-05-28T00:38:38Z",
                    "message": "Certificate is up to date and has not expired",
                    "observedGeneration": 2,
                    "reason": "Ready",
                    "status": "True",
                    "type": "Ready"
                }
            ],
            "notAfter": "2024-08-25T23:38:35Z",
            "notBefore": "2024-05-27T23:38:36Z",
            "renewalTime": "2024-07-26T23:38:35Z",
            "revision": 2
        }
    }

But I am not interested in the whole JSON object, but rather only when the path status.conditions[0].status is equal to "True".

I thought I could just use the pipe filter to send certificate_result.stdout over to json_query("status.conditions[0].status") and then get a response back that is either "True" or "False".

Hover using a task to debug the change_when line reveals json_query returns an empty string?

I used the following task for my debug:

- name: Debug changed_when
  debug:
    msg: "DEBUG: {{ certificate_result.stdout | community.general.json_query('status.conditions[0].status') }}"

It doesn’t matter if I encapsulate the string using single quotes or double quotes.

Is there anyone that can explain what is going on?

Is it because stdout is not being treated as an JSON object and if so: What is the right way to send it to json_query?

And for reference:

json_query is part of the community.general collection, that has been installed where I run my Ansible playbook.