From aee3ff5a1c9162c2747aebd05c46e34657bb5e6d Mon Sep 17 00:00:00 2001 
From: Adam Leiner Date: Fri, 7 Jun 2024 16:33:36 -0400 Subject: [PATCH 01/28] initial commit --- inventory/sample/hosts.yml | 3 + roles/cluster_manifest/tasks/main.yml | 13 --- roles/{rke2_common => rke2}/defaults/main.yml | 2 + roles/{rke2_common => rke2}/handlers/main.yml | 15 ++++ .../tasks/add-audit-policy-config.yml | 0 .../tasks/add-manifest-addons.yml | 0 .../add-pod-security-admission-config.yml | 0 .../tasks/add-registry-config.yml | 0 .../tasks/calculate_rke2_version.yml | 0 .../tasks/cis-hardening.yml | 40 +++++---- roles/{rke2_common => rke2}/tasks/config.yml | 0 roles/rke2/tasks/configure_rke2.yml | 27 ++++++ roles/rke2/tasks/first_server.yml | 22 +++++ .../tasks/images_tarball_install.yml | 5 ++ .../tasks/iptables_rules.yml | 0 roles/rke2/tasks/main.yml | 90 +++++++++++++++++++ .../tasks/network_manager_fix.yaml | 1 + .../main.yml => rke2/tasks/other_nodes.yml} | 18 ++-- roles/rke2/tasks/pre_reqs.yml | 21 +++++ .../tasks/previous_install.yml | 37 +++++--- .../tasks/rpm_install.yml | 34 ++++--- .../tasks/tarball_install.yml | 2 +- .../{rke2_server => rke2}/tasks/utilities.yml | 0 .../tasks/wait_for_rke2.yml} | 34 ++----- roles/{rke2_common => rke2}/vars/main.yml | 1 + roles/rke2_agent/defaults/main.yml | 2 - roles/rke2_agent/vars/main.yml | 2 - roles/rke2_common/tasks/main.yml | 80 ----------------- roles/rke2_server/defaults/main.yml | 2 - roles/rke2_server/tasks/main.yml | 22 ----- roles/rke2_server/tasks/other_servers.yml | 71 --------------- roles/rke2_server/vars/main.yml | 1 - site.yml | 23 +---- 33 files changed, 275 insertions(+), 293 deletions(-) delete mode 100644 roles/cluster_manifest/tasks/main.yml rename roles/{rke2_common => rke2}/defaults/main.yml (87%) rename roles/{rke2_common => rke2}/handlers/main.yml (55%) rename roles/{rke2_common => rke2}/tasks/add-audit-policy-config.yml (100%) rename roles/{rke2_common => rke2}/tasks/add-manifest-addons.yml (100%) rename roles/{rke2_server => rke2}/tasks/add-pod-security-admission-config.yml 
(100%) rename roles/{rke2_common => rke2}/tasks/add-registry-config.yml (100%) rename roles/{rke2_common => rke2}/tasks/calculate_rke2_version.yml (100%) rename roles/{rke2_common => rke2}/tasks/cis-hardening.yml (64%) rename roles/{rke2_common => rke2}/tasks/config.yml (100%) create mode 100644 roles/rke2/tasks/configure_rke2.yml create mode 100644 roles/rke2/tasks/first_server.yml rename roles/{rke2_common => rke2}/tasks/images_tarball_install.yml (95%) rename roles/{rke2_common => rke2}/tasks/iptables_rules.yml (100%) create mode 100644 roles/rke2/tasks/main.yml rename roles/{rke2_common => rke2}/tasks/network_manager_fix.yaml (97%) rename roles/{rke2_agent/tasks/main.yml => rke2/tasks/other_nodes.yml} (78%) create mode 100644 roles/rke2/tasks/pre_reqs.yml rename roles/{rke2_common => rke2}/tasks/previous_install.yml (51%) rename roles/{rke2_common => rke2}/tasks/rpm_install.yml (61%) rename roles/{rke2_common => rke2}/tasks/tarball_install.yml (98%) rename roles/{rke2_server => rke2}/tasks/utilities.yml (100%) rename roles/{rke2_server/tasks/first_server.yml => rke2/tasks/wait_for_rke2.yml} (61%) rename roles/{rke2_common => rke2}/vars/main.yml (80%) delete mode 100644 roles/rke2_agent/defaults/main.yml delete mode 100644 roles/rke2_agent/vars/main.yml delete mode 100644 roles/rke2_common/tasks/main.yml delete mode 100644 roles/rke2_server/defaults/main.yml delete mode 100644 roles/rke2_server/tasks/main.yml delete mode 100644 roles/rke2_server/tasks/other_servers.yml delete mode 100644 roles/rke2_server/vars/main.yml diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml index 56811651..517838fd 100644 --- a/inventory/sample/hosts.yml +++ b/inventory/sample/hosts.yml 
@@ -8,6 +8,9 @@ all: # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst + # Or specify a tarball that's been prestaged on the ansible control host + # rke2_binary_tarball: {{ inventory_dir }}/tarball/rke2.linux-amd64.tar.gz + rke2_cluster: children: rke2_servers: diff --git a/roles/cluster_manifest/tasks/main.yml b/roles/cluster_manifest/tasks/main.yml deleted file mode 100644 index 4af88cc0..00000000 --- a/roles/cluster_manifest/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: Add cluster manifest addons files - ansible.builtin.copy: - src: "{{ cluster_manifest_config_file_path }}" - dest: "/var/lib/rancher/rke2/server/manifests/" - mode: '0640' - owner: root - group: root - when: - - inventory_hostname in groups['rke2_servers'][0] - - cluster_manifest_config_file_path is defined - - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2_common/defaults/main.yml b/roles/rke2/defaults/main.yml similarity index 87% rename from roles/rke2_common/defaults/main.yml rename to roles/rke2/defaults/main.yml index 9c7caf2c..3d481611 100644 --- a/roles/rke2_common/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,5 +1,7 @@ --- +kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" tarball_dir: "/usr/local" +rke2_local_tarball_path: "" rke2_tarball_url: "" rke2_images_urls: [] rke2_channel: stable diff --git a/roles/rke2_common/handlers/main.yml b/roles/rke2/handlers/main.yml similarity index 55% rename from roles/rke2_common/handlers/main.yml rename to roles/rke2/handlers/main.yml index 4f823682..37c2c4a1 100644 --- a/roles/rke2_common/handlers/main.yml +++ b/roles/rke2/handlers/main.yml 
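Review bot: The new sample comment documents a variable named `rke2_binary_tarball`, but the role reads `rke2_local_tarball_path` (added to roles/rke2/defaults/main.yml in this same commit and used as `src` in the tarball_install.yml hunk), so a user who uncomments the example gets no effect. The example value is also an unquoted `{{ inventory_dir }}/...`, which YAML parses as a flow mapping the moment it is uncommented. Suggest `# rke2_local_tarball_path: "{{ inventory_dir }}/tarball/rke2.linux-amd64.tar.gz"`.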
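Review bot: `rke2_local_tarball_path: ""` is added to the defaults without any comment, and its meaning is only discoverable by reading main.yml (non-empty selects the tarball install method) and tarball_install.yml (it is the controller-side `copy` source). A line above it such as `# Path on the Ansible control host to a prestaged rke2.linux-amd64.tar.gz; empty means no local tarball is used` would save readers that trip. `kubernetes_api_server_host` moved here from two deleted role defaults; a comment noting it is resolved from the first server in `rke2_servers` would be useful as well.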
@@ -4,13 +4,28 @@ ansible.builtin.service: state: restarted name: systemd-sysctl + when: + - reboot is not defined - name: Restart rke2-server ansible.builtin.service: state: restarted name: rke2-server + throttle: 1 + when: + - reboot is not defined - name: Restart rke2-agent ansible.builtin.service: state: restarted name: rke2-agent + throttle: 1 + when: + - reboot is not defined + +- name: Reboot the machine + ansible.builtin.reboot: + reboot_timeout: 300 + throttle: 1 + when: + - reboot diff --git a/roles/rke2_common/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml similarity index 100% rename from roles/rke2_common/tasks/add-audit-policy-config.yml rename to roles/rke2/tasks/add-audit-policy-config.yml diff --git a/roles/rke2_common/tasks/add-manifest-addons.yml b/roles/rke2/tasks/add-manifest-addons.yml similarity index 100% rename from roles/rke2_common/tasks/add-manifest-addons.yml rename to roles/rke2/tasks/add-manifest-addons.yml diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml similarity index 100% rename from roles/rke2_server/tasks/add-pod-security-admission-config.yml rename to roles/rke2/tasks/add-pod-security-admission-config.yml diff --git a/roles/rke2_common/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml similarity index 100% rename from roles/rke2_common/tasks/add-registry-config.yml rename to roles/rke2/tasks/add-registry-config.yml diff --git a/roles/rke2_common/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml similarity index 100% rename from roles/rke2_common/tasks/calculate_rke2_version.yml rename to roles/rke2/tasks/calculate_rke2_version.yml 
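Review bot: The new `Reboot the machine` handler's `when: - reboot` raises an undefined-variable error whenever the handler is notified on a host where the `reboot` fact was never set, and that is the common case: the cis-hardening.yml hunk notifies `Reboot the machine` whenever the sysctl file changes but only sets `reboot: true` when `rke2_running` is true, so every fresh node with a sysctl change fails at handler time. The three restart handlers use `reboot is not defined` and are safe; the reboot handler should use a default, `when: reboot | default(false) | bool`. Since `reboot` is a persistent host fact, once it is set every later restart handler on that host is skipped for the rest of the play; a comment stating that in this file would help the next reader.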
diff --git a/roles/rke2_common/tasks/cis-hardening.yml b/roles/rke2/tasks/cis-hardening.yml similarity index 64% rename from roles/rke2_common/tasks/cis-hardening.yml rename to roles/rke2/tasks/cis-hardening.yml index 67a12bb6..102a84a9 100644 --- a/roles/rke2_common/tasks/cis-hardening.yml +++ b/roles/rke2/tasks/cis-hardening.yml @@ -25,9 +25,11 @@ mode: 0600 register: sysctl_operation_yum when: - - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url is not defined or rke2_tarball_url == "" + - install_method == "rpm" + notify: + - Restart systemd-sysctl + - Restart {{ service_name }} + - Reboot the machine - name: Copy systemctl file for kernel hardening for non-yum installs ansible.builtin.copy: 
@@ -36,25 +38,33 @@ remote_src: yes mode: 0600 register: sysctl_operation_tarball - when: >- - (ansible_facts['os_family'] != 'RedHat' and - ansible_facts['os_family'] != 'Rocky') or - rke2_binary_tarball_check.stat.exists or - (rke2_tarball_url is defined and rke2_tarball_url != "") + when: + - install_method == "tarball" + notify: + - Restart systemd-sysctl + - Restart {{ service_name }} + - Reboot the machine - - name: Restart systemd-sysctl - ansible.builtin.service: - state: restarted - name: systemd-sysctl - when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed + # - name: Restart systemd-sysctl + # ansible.builtin.service: + # state: restarted + # name: systemd-sysctl + # when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed # Per CIS hardening guide, if Kubernetes is already running, making changes to sysctl can result in unexpected # side-effects. Rebooting node if RKE2 is already running to prevent potential issues whereas before we were # always rebooting, even if the node was brand new and RKE2 not running yet. - name: Reboot the machine (Wait for 5 min) - ansible.builtin.reboot: - reboot_timeout: 300 + ansible.builtin.set_fact: + reboot: true when: - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - rke2_running is defined - rke2_running + # ansible.builtin.reboot: + # reboot_timeout: 300 + # throttle: 1 + # when: + # - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) + # - rke2_running is defined + # - rke2_running diff --git a/roles/rke2_common/tasks/config.yml b/roles/rke2/tasks/config.yml similarity index 100% rename from roles/rke2_common/tasks/config.yml rename to roles/rke2/tasks/config.yml diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml new file mode 100644 index 00000000..0a0afa38 --- /dev/null +++ b/roles/rke2/tasks/configure_rke2.yml 
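Review bot: The hunk leaves two blocks of commented-out tasks in place (the old inline `Restart systemd-sysctl` task and the old `ansible.builtin.reboot` body); they are dead text that will drift from the handlers that now replace them and should be deleted, git keeps the history. The replacement `set_fact: reboot: true` is the only thing that arms the `Reboot the machine` handler, while the new `notify` lists above fire whenever the sysctl file changes, so the coupling deserves a comment on the set_fact task, e.g. `# Read by handlers/main.yml: when true the service-restart handlers are skipped and the node is rebooted instead`. The same dead-code pattern appears in the rpm_install.yml hunk.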
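Review bot: `inventory_hostname in groups['rke2_servers'][0]` on the `Configure first server manifests` task is a substring test, not a membership test: `groups['rke2_servers'][0]` is a single hostname string, so a host named `node1` matches a first server named `node10` and also receives the first-server manifests. Use equality, `- inventory_hostname == groups['rke2_servers'][0]`. The same expression is used twice in the new roles/rke2/tasks/main.yml (`RKE2 on first node` and `Add cluster manifest addons files`). Separately, the `registry_config_file_path` and `audit_policy_config_file_path` conditions lack the `is defined` guard the manifest task has; if those are not role defaults (not visible here) the include errors instead of skipping.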
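Review bot: The node-token read by `slurp` is the cluster join secret, and both the registered `node_token` and the derived `rke2_config_token` fact are printed in full by verbose runs and in task failure output; add `no_log: true` to `Read node-token from master` and `Store Master node-token`. The block name says "if none provided" and carries a leftover `### <- what's the intent here?` note, but there is no condition, so any user-supplied `rke2_config_token` is overwritten on the first server; if the name reflects the intent, gate the block with `when: rke2_config_token is not defined or rke2_config_token | length == 0` and drop the inline question from the task name.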
diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2/tasks/images_tarball_install.yml similarity index 95% rename from roles/rke2_common/tasks/images_tarball_install.yml rename to roles/rke2/tasks/images_tarball_install.yml index 191c97fe..49ee3e09 100644 --- a/roles/rke2_common/tasks/images_tarball_install.yml +++ b/roles/rke2/tasks/images_tarball_install.yml @@ -1,4 +1,5 @@ --- + - name: "Check for images tar.gz in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" # noqa name[template] yaml[line-length] ansible.builtin.stat: path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" @@ -20,6 +21,10 @@ path: /var/lib/rancher/rke2/agent/images state: directory mode: '0644' + when: + - got_images_gz + - got_images_zst + - rke2_images_urls != [] - name: Download images tar files url ansible.builtin.get_url: diff --git a/roles/rke2_common/tasks/iptables_rules.yml b/roles/rke2/tasks/iptables_rules.yml similarity index 100% rename from roles/rke2_common/tasks/iptables_rules.yml rename to roles/rke2/tasks/iptables_rules.yml diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml new file mode 100644 index 00000000..8fcdce6e --- /dev/null +++ b/roles/rke2/tasks/main.yml 
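Review bot: The new `when` on the images directory task ANDs `got_images_gz`, `got_images_zst` and `rke2_images_urls != []`, so the directory is created only when all three sources are present at once, and the later copy/download tasks then target a missing directory in the usual single-source case. If any one source should suffice, the list form is the wrong operator here: `when: got_images_gz or got_images_zst or rke2_images_urls != []`. What `got_images_gz` and `got_images_zst` hold is outside the hunk; if they are registered stat results rather than booleans they are always truthy and the condition silently collapses to the URL check.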
@@ -0,0 +1,90 @@
+---
+
+- name: Populate service facts
+ ansible.builtin.service_facts: {}
+
+- name: Gather the package facts
+ ansible.builtin.package_facts:
+ manager: auto
+
+- name: Satisfy OS Pre-Reqs
+ ansible.builtin.include_tasks: pre_reqs.yml
+
+- name: Set for install method of tarball
+ ansible.builtin.set_fact:
+ install_method: tarball
+ when: |-
+ ((ansible_facts['os_family'] != 'RedHat' and
+ ansible_facts['os_family'] != 'Rocky') or
+ (rke2_tarball_url is defined and rke2_tarball_url != "") or
+ (rke2_local_tarball_path is defined and rke2_local_tarball_path != ""))
+
+- name: Set for install method of rpm
+ ansible.builtin.set_fact:
+ install_method: rpm
+ when:
+ - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
+ - rke2_local_tarball_path == ""
+ - rke2_tarball_url == ""
+
+- name: Set as server
+ ansible.builtin.set_fact:
+ service_name: rke2-server
+ when:
+ - inventory_hostname in groups['rke2_servers']
+
+- name: Set as agent
+ ansible.builtin.set_fact:
+ service_name: rke2-agent
+ when:
+ - inventory_hostname in groups.get('rke2_agents', [])
+
+- name: Has rke2 been installed already
+ ansible.builtin.include_tasks: previous_install.yml
+
+- name: Check for images bundle
+ ansible.builtin.include_tasks: images_tarball_install.yml
+
+- name: Determine rke2_version to install
+ ansible.builtin.include_tasks: calculate_rke2_version.yml
+
+- name: Tarball Install
+ ansible.builtin.include_tasks: tarball_install.yml
+ when:
+ - install_method == "tarball"
+
+- name: RPM Install
+ when:
+ - install_method == "rpm"
+ ansible.builtin.include_tasks: rpm_install.yml
+
+- name: Set rke2 configuration files
+ ansible.builtin.include_tasks: configure_rke2.yml
+
+- name: RKE2 on first node
+ ansible.builtin.include_tasks: first_server.yml
+ when:
+ - inventory_hostname in groups['rke2_servers'][0]
+
+- name: RKE2 on all other nodes
+ ansible.builtin.include_tasks: other_nodes.yml
+ when:
+ - inventory_hostname in groups['rke2_servers'][1:]
or + inventory_hostname in groups.get('rke2_agents', []) + +- name: Configure kubectl,crictl,ctr + ansible.builtin.include_tasks: utilities.yml + when: + - inventory_hostname in groups['rke2_servers'] + +- name: Add cluster manifest addons files + ansible.builtin.copy: + src: "{{ cluster_manifest_config_file_path }}" + dest: "/var/lib/rancher/rke2/server/manifests/" + mode: '0640' + owner: root + group: root + when: + - inventory_hostname in groups['rke2_servers'][0] + - cluster_manifest_config_file_path is defined + - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2_common/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml similarity index 97% rename from roles/rke2_common/tasks/network_manager_fix.yaml rename to roles/rke2/tasks/network_manager_fix.yaml index b891b61a..cd65e3c3 100644 --- a/roles/rke2_common/tasks/network_manager_fix.yaml +++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -3,6 +3,7 @@ # This fixes known issue with NetworkManager # https://docs.rke2.io/known_issues/#networkmanager +# blockinfile or own entire file? - name: Add NetworkManager fix to rke2-canal.conf ansible.builtin.blockinfile: path: /etc/NetworkManager/conf.d/rke2-canal.conf diff --git a/roles/rke2_agent/tasks/main.yml b/roles/rke2/tasks/other_nodes.yml similarity index 78% rename from roles/rke2_agent/tasks/main.yml rename to roles/rke2/tasks/other_nodes.yml index 4d9cfdeb..9f0862c5 100644 --- a/roles/rke2_agent/tasks/main.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -1,11 +1,7 @@ --- -- name: RKE2 agent and server tasks - vars: - rke2_common_caller_role_name: agent - ansible.builtin.include_role: - name: rke2_common - tasks_from: main +- name: Generate config.yml on other nodes + ansible.builtin.include_tasks: config.yml - name: Does config file already have server token? # noqa command-instead-of-shell ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' 
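Review bot: Nothing in the new main.yml verifies that one of the two mutually exclusive `install_method` set_facts and one of the two `service_name` set_facts actually fired, and site.yml now runs the role on `hosts: all`, so an inventory host outside `rke2_servers`/`rke2_agents` proceeds until it hits `Restart {{ service_name }}` or `{{ service_name }}-{{ rke2_version_rpm }}` and fails with an opaque undefined-variable error. An explicit assert after the `Set as agent` task fails early with a readable message. The substring problem with `inventory_hostname in groups['rke2_servers'][0]` in the two first-node tasks of this file is noted on the configure_rke2.yml hunk.
```yaml
# … unchanged: service/package facts, pre_reqs include, install_method and service_name set_fact tasks …
- name: Verify this host resolved to an install method and a cluster role
  ansible.builtin.assert:
    that:
      - install_method is defined
      - service_name is defined
    fail_msg: "{{ inventory_hostname }} is not in rke2_servers or rke2_agents, or has no supported install method"

# … unchanged: previous_install include and the rest of main.yml …
```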
@@ -21,6 +17,7 @@ insertbefore: BOF when: - '"token:" not in server_token_check.stdout' + notify: Restart {{ service_name }} - name: Does config file already have server url? # noqa command-instead-of-shell ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' @@ -36,10 +33,7 @@ insertbefore: BOF when: - '"server:" not in server_url_check.stdout' + notify: Restart {{ service_name }} -- name: Start rke2-agent - ansible.builtin.systemd: - name: rke2-agent.service - state: started - enabled: yes - daemon_reload: yes +- name: Wait for rke2 + ansible.builtin.include_tasks: wait_for_rke2.yml diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml new file mode 100644 index 00000000..fc2c737a --- /dev/null +++ b/roles/rke2/tasks/pre_reqs.yml @@ -0,0 +1,21 @@ +--- + +# Disable Firewalld +# We recommend disabling firewalld. For Kubernetes 1.19+, firewalld must be turned off. +- name: Disable FIREWALLD + ansible.builtin.systemd: + name: firewalld + state: stopped + enabled: no + when: + - ansible_facts.services["firewalld.service"] is defined + - ansible_facts.services["firewalld.service"].status != "not-found" + +- name: Include task file network_manager_fix.yaml + ansible.builtin.include_tasks: network_manager_fix.yaml + +- name: Add server iptables rules + ansible.builtin.include_tasks: iptables_rules.yml + when: + - ansible_facts.services["iptables.service"] is defined + - add_iptables_rules | bool diff --git a/roles/rke2_common/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml similarity index 51% rename from roles/rke2_common/tasks/previous_install.yml rename to roles/rke2/tasks/previous_install.yml index ea1b9c3a..03e59253 100644 --- a/roles/rke2_common/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml 
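Review bot: `Disable FIREWALLD` in the new pre_reqs.yml stops and disables the host firewall on every host the role runs on, unconditionally, and with the play now on `hosts: all` that includes any inventory host outside the cluster groups; the comment above it only says it is recommended. Gate it on the cluster groups or behind a role variable (a constructed example: `rke2_disable_firewalld: true` in defaults), and extend the comment to state that the node then relies on `add_iptables_rules` or an external firewall for exposure control. Also `enabled: no` is a YAML 1.1 boolean spelling; write `enabled: false` (yamllint truthy).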
@@ -3,35 +3,40 @@ - name: Set fact if rke2-server was previously installed ansible.builtin.set_fact: installed: true - when: > - ansible_facts.services["rke2-server.service"] is defined - and not ansible_facts.services["rke2-server.service"].status == 'disabled' + when: + - ansible_facts.services["rke2-server.service"] is defined + - not ansible_facts.services["rke2-server.service"].status == 'disabled' + - inventory_hostname in groups['rke2_servers'] - name: Set fact if rke2-server is running ansible.builtin.set_fact: rke2_running: true - when: > - ansible_facts.services["rke2-server.service"] is defined - and ansible_facts.services["rke2-server.service"].state == 'running' + when: + - ansible_facts.services["rke2-server.service"] is defined + - ansible_facts.services["rke2-server.service"].state == 'running' + - inventory_hostname in groups['rke2_servers'] - name: Set fact if rke2-agent was previously installed ansible.builtin.set_fact: installed: true - when: > - ansible_facts.services["rke2-agent.service"] is defined - and not ansible_facts.services["rke2-agent.service"].status == 'disabled' + when: + - ansible_facts.services["rke2-agent.service"] is defined + - not ansible_facts.services["rke2-agent.service"].status == 'disabled' + - inventory_hostname in groups.get('rke2_agents', []) - name: Set fact if rke2-agent is running ansible.builtin.set_fact: rke2_running: true - when: > - ansible_facts.services["rke2-agent.service"] is defined - and ansible_facts.services["rke2-agent.service"].state == 'running' + when: + - ansible_facts.services["rke2-agent.service"] is defined + - ansible_facts.services["rke2-agent.service"].state == 'running' + - inventory_hostname in groups.get('rke2_agents', []) - name: Check for the rke2 binary ansible.builtin.stat: path: /usr/local/bin/rke2 register: rke2_binary + when: install_method == "tarball" - name: Get current RKE2 version if already installed ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | awk '$1 ~ 
/rke2/ { print $3 }' @@ -39,7 +44,9 @@ changed_when: false args: executable: /usr/bin/bash - when: rke2_binary.stat.exists + when: + - install_method == "tarball" + - rke2_binary.stat.exists failed_when: > (installed_rke2_version_tmp.rc != 141) and (installed_rke2_version_tmp.rc != 0) @@ -47,4 +54,6 @@ - name: Determine if current version differs what what is being installed ansible.builtin.set_fact: installed_rke2_version: "{{ installed_rke2_version_tmp.stdout }}" - when: rke2_binary.stat.exists + when: + - install_method == "tarball" + - rke2_binary.stat.exists diff --git a/roles/rke2_common/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml similarity index 61% rename from roles/rke2_common/tasks/rpm_install.yml rename to roles/rke2/tasks/rpm_install.yml index 15b2f696..74231452 100644 --- a/roles/rke2_common/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml 
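Review bot: Gating `Check for the rke2 binary` and the two version tasks on `install_method == "tarball"` means `installed_rke2_version` is never set on rpm installs, so whatever compares it downstream (calculate_rke2_version.yml is outside this view) now sees it undefined on RedHat/Rocky rpm hosts, and the upgrade path for those hosts is untested by this role. If that is intentional, say so in a comment at the top of the file; otherwise derive the rpm version from `ansible_facts.packages`, which main.yml already gathers via `package_facts`, e.g. `installed_rke2_version: "{{ ansible_facts.packages[service_name][0].version }}"` under `when: install_method == "rpm" and service_name in ansible_facts.packages`. The first hunk here starts on the previous line.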
@@ -30,20 +30,26 @@ ansible_facts['distribution_major_version'] == "8" or ansible_facts['distribution_major_version'] == "9" -- name: YUM-Based | Install rke2-server +- name: YUM-Based Install ansible.builtin.yum: - name: "rke2-server-{{ rke2_version_rpm }}" + name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest - when: - - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' - - not rke2_binary_tarball_check.stat.exists - - inventory_hostname in groups['rke2_servers'] + notify: Restart {{ service_name }} -- name: YUM-Based | Install rke2-agent - ansible.builtin.yum: - name: "rke2-agent-{{ rke2_version_rpm }}" - state: latest # noqa package-latest - when: - - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' - - not rke2_binary_tarball_check.stat.exists - - inventory_hostname in groups.get('rke2_agents', []) +# - name: YUM-Based | Install rke2-server +# ansible.builtin.yum: +# name: "rke2-server-{{ rke2_version_rpm }}" +# state: latest # noqa package-latest +# when: +# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' +# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE +# - inventory_hostname in groups['rke2_servers'] + +# - name: YUM-Based | Install rke2-agent +# ansible.builtin.yum: +# name: "rke2-agent-{{ rke2_version_rpm }}" +# state: latest # noqa package-latest +# when: +# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' +# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE +# - inventory_hostname in groups.get('rke2_agents', []) diff --git a/roles/rke2_common/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml similarity index 98% rename from roles/rke2_common/tasks/tarball_install.yml rename to roles/rke2/tasks/tarball_install.yml index ca0d3f5f..27f61efa 100644 --- a/roles/rke2_common/tasks/tarball_install.yml 
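Review bot: Two commented-out copies of the old server/agent install tasks, annotated with `#<- THIS SHOULD NEVER BE TRUE`, remain below the live task; remove them rather than shipping dead text with a dev note, the history is in git. The live `YUM-Based Install` task keeps `state: latest` and now adds `notify: Restart {{ service_name }}`, so any re-run that resolves a newer `rke2_version_rpm` upgrades the package and restarts the node service as a side effect; a one-line comment above the task should say so, e.g. `# state: latest re-installs on version change and triggers a service restart via the handler`.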
+++ b/roles/rke2/tasks/tarball_install.yml @@ -20,7 +20,7 @@ - name: Send provided tarball if available ansible.builtin.copy: - src: "{{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz" + src: "{{ rke2_local_tarball_path }}" dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" mode: '0644' when: diff --git a/roles/rke2_server/tasks/utilities.yml b/roles/rke2/tasks/utilities.yml similarity index 100% rename from roles/rke2_server/tasks/utilities.yml rename to roles/rke2/tasks/utilities.yml diff --git a/roles/rke2_server/tasks/first_server.yml b/roles/rke2/tasks/wait_for_rke2.yml similarity index 61% rename from roles/rke2_server/tasks/first_server.yml rename to roles/rke2/tasks/wait_for_rke2.yml index 0b71ea88..35b98c6c 100644 --- a/roles/rke2_server/tasks/first_server.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -1,22 +1,17 @@ --- -- name: Add manifest files - ansible.builtin.include_role: - name: rke2_common - tasks_from: add-manifest-addons.yml - when: - - manifest_config_file_path is defined - - manifest_config_file_path | length > 0 +- name: Start {{ service_name }} + ansible.builtin.meta: flush_handlers -- name: Start rke2-server +- name: Enable {{ service_name }} ansible.builtin.systemd: - name: rke2-server + name: "{{ service_name }}" state: started enabled: yes - name: Wait for k8s apiserver ansible.builtin.wait_for: - host: localhost + host: "{{ kubernetes_api_server_host }}" port: "6443" state: present timeout: 300 @@ -35,6 +30,8 @@ kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ '\\1') }}" + when: + - inventory_hostname in groups['rke2_servers'] - name: Wait for node to show Ready status ansible.builtin.command: >- 
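Review bot: `src` now comes from `rke2_local_tarball_path`, but the task's `when:` list continues outside the hunk and presumably still keys on the stat of the old `{{ playbook_dir }}/tarball_install/...` location; it should become `when: rke2_local_tarball_path | length > 0` so the empty default skips the copy instead of failing on `src: ""`. A relative value resolves against the role's `files/` directory, so the defaults comment for this variable should state that an absolute control-host path is expected.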
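Review bot: `Enable {{ service_name }}` replaces the deleted other_servers.yml `Start rke2-server` task but drops its `throttle: 1`, so with the play on `hosts: all` and `serial` commented out in site.yml every additional server starts `rke2-server` at the same time and joins etcd concurrently; only the restart handler kept the throttle. Add `throttle: 1` to the systemd task (or restore `serial` in site.yml). The `flush_handlers` task is named `Start {{ service_name }}`, which is misleading since it starts nothing by itself; name it `Flush pending handlers before starting {{ service_name }}`.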
@@ -46,18 +43,5 @@ retries: 20 delay: 10 changed_when: false - -- name: Add generated Token if none provided - block: - - name: Wait for node-token - ansible.builtin.wait_for: - path: /var/lib/rancher/rke2/server/node-token - - - name: Read node-token from master - ansible.builtin.slurp: - src: /var/lib/rancher/rke2/server/node-token - register: node_token - - - name: Store Master node-token - ansible.builtin.set_fact: - rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" + when: + - inventory_hostname in groups['rke2_servers'] diff --git a/roles/rke2_common/vars/main.yml b/roles/rke2/vars/main.yml similarity index 80% rename from roles/rke2_common/vars/main.yml rename to roles/rke2/vars/main.yml index da8e48d7..106b1970 100644 --- a/roles/rke2_common/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -1,4 +1,5 @@ --- +tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 # Possible RKE2 Channels channels: - stable diff --git a/roles/rke2_agent/defaults/main.yml b/roles/rke2_agent/defaults/main.yml deleted file mode 100644 index ae927959..00000000 --- a/roles/rke2_agent/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" diff --git a/roles/rke2_agent/vars/main.yml b/roles/rke2_agent/vars/main.yml deleted file mode 100644 index 53b1ae20..00000000 --- a/roles/rke2_agent/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml deleted file mode 100644 index 8b8bad68..00000000 --- a/roles/rke2_common/tasks/main.yml +++ /dev/null 
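Review bot: Adding `when: inventory_hostname in groups['rke2_servers']` to `Wait for node to show Ready status` means agents no longer wait to become Ready, so the play reports success even if an agent never registers with the cluster. The deleted roles/rke2_agent main.yml only started the service and the deleted other_servers.yml waited on servers only, so this matches the prior agent behaviour, but the new shared file makes the asymmetry invisible; add a comment above the task such as `# Agents are not checked for Ready here: presumably /etc/rancher/rke2/rke2.yaml only exists on servers — confirm`.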
@@ -1,80 +0,0 @@
----
-
-- name: Populate service facts
- ansible.builtin.service_facts: {}
-
-- name: Gather the package facts
- ansible.builtin.package_facts:
- manager: auto
-
-- name: Has rke2 been installed already
- ansible.builtin.include_tasks: previous_install.yml
-
-- name: Include images_tarball_install.yml
- ansible.builtin.include_tasks: images_tarball_install.yml
-
-- name: "Check for binary tarball in tarball_install/rke2.linux-amd64.tar.gz"
- ansible.builtin.stat:
- path: "{{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz"
- register: rke2_binary_tarball_check
- delegate_to: 127.0.0.1
- become: false
-
-- name: Include calculate_rke2_version.yml
- ansible.builtin.include_tasks: calculate_rke2_version.yml
- when:
- - not rke2_binary_tarball_check.stat.exists
- - rke2_tarball_url is not defined or rke2_tarball_url == ""
-
-- name: SLES/Ubuntu/Tarball Installation
- ansible.builtin.include_tasks: tarball_install.yml
- when:
- - |-
- ((ansible_facts['os_family'] != 'RedHat' and
- ansible_facts['os_family'] != 'Rocky') or
- rke2_binary_tarball_check.stat.exists or
- (rke2_tarball_url is defined and rke2_tarball_url != ""))
-
-- name: RHEL/CentOS Installation
- when:
- - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
- - not rke2_binary_tarball_check.stat.exists
- - rke2_tarball_url == ""
- ansible.builtin.include_tasks: rpm_install.yml
-
-# Disable Firewalld
-# We recommend disabling firewalld. For Kubernetes 1.19+, firewalld must be turned off.
-- name: Disable FIREWALLD
- ansible.builtin.systemd:
- name: firewalld
- state: stopped
- enabled: no
- when:
- - ansible_facts.services["firewalld.service"] is defined
- - ansible_facts.services["firewalld.service"].status != "not-found"
-
-- name: Include task file network_manager_fix.yaml
- ansible.builtin.include_tasks: network_manager_fix.yaml
-
-- name: Include task file config.yml
- ansible.builtin.include_tasks: config.yml
-
-- name: Add server iptables rules
- ansible.builtin.include_tasks: iptables_rules.yml
- when:
- - ansible_facts.services["iptables.service"] is defined
- - add_iptables_rules | bool
-
-- name: Include task file add-audit-policy-config.yml
- ansible.builtin.include_tasks: add-audit-policy-config.yml
- when:
- - audit_policy_config_file_path | length > 0
-
-- name: Include task file add-registry-config.yml
- ansible.builtin.include_tasks: add-registry-config.yml
- when: registry_config_file_path | length > 0
-
-- name: Run CIS-Hardening Tasks
- ansible.builtin.include_role:
- name: rke2_common
- tasks_from: cis-hardening
diff --git a/roles/rke2_server/defaults/main.yml b/roles/rke2_server/defaults/main.yml
deleted file mode 100644
index ae927959..00000000
--- a/roles/rke2_server/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}"
diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml
deleted file mode 100644
index ef402d14..00000000
--- a/roles/rke2_server/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-
-- name: RKE2 agent and server tasks
- vars:
- rke2_common_caller_role_name: server
- ansible.builtin.include_role:
- name: rke2_common
- tasks_from: main
-
-- name: Include task file add-pod-security-admission-config.yml
- ansible.builtin.include_tasks: add-pod-security-admission-config.yml
-
-- name: Setup initial server
- ansible.builtin.include_tasks: first_server.yml
- when: inventory_hostname in groups['rke2_servers'][0]
-
-- name: Setup other servers
- ansible.builtin.include_tasks: other_servers.yml
- when: inventory_hostname in groups['rke2_servers'][1:]
-
-- name: Configure Utilities
- ansible.builtin.include_tasks: utilities.yml
diff --git a/roles/rke2_server/tasks/other_servers.yml b/roles/rke2_server/tasks/other_servers.yml
deleted file mode 100644
index c075b058..00000000
--- a/roles/rke2_server/tasks/other_servers.yml
+++ /dev/null
@@ -1,71 +0,0 @@ ---- - -- name: Does config file already have server token? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' - register: server_token_check - failed_when: server_token_check.rc >= 2 - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}" - state: present - insertbefore: BOF - when: - - '"token:" not in server_token_check.stdout' - -- name: Does config file already have server url? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' - register: server_url_check - failed_when: server_url_check.rc >= 2 - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "server: https://{{ kubernetes_api_server_host }}:9345" - state: present - insertbefore: BOF - when: - - '"server:" not in server_url_check.stdout' - -- name: Start rke2-server - throttle: 1 - ansible.builtin.systemd: - name: rke2-server - state: started - enabled: yes - -- name: Wait for k8s apiserver reachability - ansible.builtin.wait_for: - host: "{{ kubernetes_api_server_host }}" - port: "6443" - state: present - timeout: 300 - -- name: Wait for kubelet process to be present on host - ansible.builtin.command: >- - ps -C kubelet -F -ww --no-headers - register: kubelet_check - until: kubelet_check.rc == 0 - retries: 20 - delay: 10 - changed_when: false - -- name: Extract the hostname-override parameter from the kubelet process - ansible.builtin.set_fact: - kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \ - regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ - '\\1') }}" - -- name: Wait for node to show Ready status - 
ansible.builtin.command: >- - /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml - --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }} - -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' - register: status_result - until: status_result.stdout.find("True") != -1 - retries: 20 - delay: 10 - changed_when: false diff --git a/roles/rke2_server/vars/main.yml b/roles/rke2_server/vars/main.yml deleted file mode 100644 index ed97d539..00000000 --- a/roles/rke2_server/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/site.yml b/site.yml index 0d555ce9..71c6d684 100644 --- a/site.yml +++ b/site.yml @@ -1,24 +1,9 @@ --- -- name: Server play - hosts: rke2_servers +- name: RKE2 play + hosts: all any_errors_fatal: true become: true roles: - - role: rke2_server - serial: 5 - -- name: Agent play - hosts: rke2_agents - any_errors_fatal: true - become: true - roles: - - role: rke2_agent - serial: 10 - -- name: Cluster manifest play - hosts: rke2_servers - any_errors_fatal: true - become: true - roles: - - role: cluster_manifest + - role: rke2 + # serial: 5 From d105fb5b087a966bcfac04c096cf8826444a5962 Mon Sep 17 00:00:00 2001 
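Review bot: `hosts: all` widens the play to every inventory host, whereas the three plays it replaces were scoped to `rke2_servers` and `rke2_agents`; any host that is in the inventory but in neither group would now have the rke2 role applied to it. An explicit pattern, `hosts: rke2_servers:rke2_agents`, keeps the previous blast radius. The commented `# serial: 5` left under `roles:` should either be removed or restored as a play keyword, since the old plays rolled through servers in batches and the merged play now converges every node at once.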
From: Adam Leiner Date: Mon, 17 Jun 2024 15:30:26 -0400 Subject: [PATCH 02/28] validating --- roles/rke2/defaults/main.yml | 2 + roles/rke2/handlers/main.yml | 13 +++-- roles/rke2/tasks/add-audit-policy-config.yml | 41 ++++++++++++--- .../add-pod-security-admission-config.yml | 10 +--- roles/rke2/tasks/add-registry-config.yml | 51 ++++++++++++------- roles/rke2/tasks/calculate_rke2_version.yml | 8 +-- roles/rke2/tasks/cis-hardening.yml | 19 ++----- roles/rke2/tasks/config.yml | 18 ------- roles/rke2/tasks/configure_rke2.yml | 9 ++-- roles/rke2/tasks/first_server.yml | 2 +- roles/rke2/tasks/images_bundle.yml | 28 ++++++++++ roles/rke2/tasks/images_tarball_install.yml | 50 ------------------ roles/rke2/tasks/main.yml | 24 ++++----- roles/rke2/tasks/network_manager_fix.yaml | 14 ++--- roles/rke2/tasks/other_nodes.yml | 4 +- roles/rke2/tasks/pre_reqs.yml | 1 + roles/rke2/tasks/rpm_install.yml | 23 ++------- roles/rke2/vars/main.yml | 17 +------ 18 files changed, 149 insertions(+), 185 deletions(-) create mode 100644 roles/rke2/tasks/images_bundle.yml delete mode 100644 roles/rke2/tasks/images_tarball_install.yml diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 3d481611..4d4bd72b 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -4,11 +4,13 @@ tarball_dir: "/usr/local" rke2_local_tarball_path: "" rke2_tarball_url: "" rke2_images_urls: [] +rke2_images_local_tarball_path: [] rke2_channel: stable audit_policy_config_file_path: "" registry_config_file_path: "" pod_security_admission_config_file_path: "" add_iptables_rules: false +cluster_manifest_config_file_path: "" rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index 37c2c4a1..c4211f6b 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml 
@@ -5,7 +5,7 @@ state: restarted name: systemd-sysctl when: - - reboot is not defined + - not reboot - name: Restart rke2-server ansible.builtin.service: @@ -13,7 +13,7 @@ name: rke2-server throttle: 1 when: - - reboot is not defined + - not reboot - name: Restart rke2-agent ansible.builtin.service: @@ -21,7 +21,7 @@ name: rke2-agent throttle: 1 when: - - reboot is not defined + - not reboot - name: Reboot the machine ansible.builtin.reboot: @@ -29,3 +29,10 @@ throttle: 1 when: - reboot + +- name: Reload NetworkManager + ansible.builtin.systemd: + name: NetworkManager + state: reloaded + when: + - not reboot diff --git a/roles/rke2/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml index 66bb82ae..ac452639 100644 --- a/roles/rke2/tasks/add-audit-policy-config.yml +++ b/roles/rke2/tasks/add-audit-policy-config.yml 
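Review bot: The new `Reload NetworkManager` handler has no guard that NetworkManager is present, while the task it replaces in network_manager_fix.yaml (the deletion at the end of that file's last hunk) only reloaded when `ansible_facts.services["NetworkManager.service"]` was defined and its status was `running`. On a host where that unit is missing or stopped, the handler would fail the play after the triggering task had already succeeded. Carrying the old condition over, `when: - not reboot - ansible_facts.services["NetworkManager.service"] is defined - ansible_facts.services["NetworkManager.service"].status == "running"`, preserves the previous behavior. The `not reboot` conditions now also require `reboot` to always be defined, which this patch provides through `reboot: false` in vars/main.yml.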
@@ -1,14 +1,39 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - recurse: yes - - name: Add audit policy configuration file - ansible.builtin.copy: - src: "{{ audit_policy_config_file_path }}" + vars: + file_contents: "{{ lookup('file', audit_policy_config_file_path) }}" + ansible.builtin.template: + src: ansible_header.j2 dest: "/etc/rancher/rke2/audit-policy.yaml" mode: '0640' owner: root group: root + when: + - audit_policy_config_file_path|length != 0 + notify: "Restart {{ service_name }}" + +- name: Remove audit policy configuration file + when: + - audit_policy_config_file_path|length == 0 + block: + - name: Check that the audit policy config file exists + ansible.builtin.stat: + path: "/etc/rancher/rke2/audit-policy.yaml" + register: stat_result + + - name: "Check that the audit policy config file has ansible managed comments" + ansible.builtin.lineinfile: + name: "/etc/rancher/rke2/audit-policy.yaml" + line: '## This is an Ansible managed file, contents will be overwritten ##' + state: present + check_mode: yes + register: ansible_managed_check + when: stat_result.stat.exists | bool is true + + - name: Remove the audit policy config file if exists and has ansible managed comments + ansible.builtin.file: + path: "/etc/rancher/rke2/audit-policy.yaml" + state: absent + when: + - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml index 4b7a1937..b7f537a2 100644 --- a/roles/rke2/tasks/add-pod-security-admission-config.yml +++ b/roles/rke2/tasks/add-pod-security-admission-config.yml 
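Review bot: In the removal block, the `Remove the audit policy config file ...` task is gated only on `ansible_managed_check.changed | bool is false`; when the stat reports no file, the lineinfile check is skipped and the registered result still carries `changed: false`, so the `state: absent` task runs anyway (a no-op, but it reads as if it could delete an unchecked file). Adding `stat_result.stat.exists | bool` to that task's `when:` makes the intent explicit; the same pattern is repeated in add-pod-security-admission-config.yml and add-registry-config.yml in the next two hunks. A comment on the lineinfile task, `# The marker line below is the only thing protecting a hand-written file from deletion; ansible_header.j2 must emit it verbatim`, would document the coupling between this check and the template. `check_mode: yes` should be `check_mode: true` to match the lowercase booleans used elsewhere in the role.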
@@ -1,10 +1,4 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - recurse: yes - - name: Add pod security admission config file vars: file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}" @@ -15,9 +9,8 @@ owner: root group: root when: - - pod_security_admission_config_file_path is defined - pod_security_admission_config_file_path|length != 0 - notify: Restart rke2-server + notify: "Restart {{ service_name }}" - name: Remove pod security admission config file when: @@ -43,3 +36,4 @@ state: absent when: - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml index 664afe84..367ab9bf 100644 --- a/roles/rke2/tasks/add-registry-config.yml +++ b/roles/rke2/tasks/add-registry-config.yml 
@@ -1,26 +1,39 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - recurse: yes - - name: Add registry configuration file - ansible.builtin.copy: - src: "{{ registry_config_file_path }}" + vars: + file_contents: "{{ lookup('file', registry_config_file_path) }}" + ansible.builtin.template: + src: ansible_header.j2 dest: "/etc/rancher/rke2/registries.yaml" mode: '0640' owner: root group: root - when: rke2_common_caller_role_name == "server" - notify: Restart rke2-server + when: + - registry_config_file_path|length != 0 + notify: "Restart {{ service_name }}" -- name: Add registry configuration file - ansible.builtin.copy: - src: "{{ registry_config_file_path }}" - dest: "/etc/rancher/rke2/registries.yaml" - mode: '0640' - owner: root - group: root - when: rke2_common_caller_role_name == "agent" - notify: Restart rke2-agent +- name: Remove registry configuration file + when: + - registry_config_file_path|length == 0 + block: + - name: Check that the registry config file exists + ansible.builtin.stat: + path: "/etc/rancher/rke2/registries.yaml" + register: stat_result + + - name: "Check that the registry config file has ansible managed comments" + ansible.builtin.lineinfile: + name: "/etc/rancher/rke2/registries.yaml" + line: '## This is an Ansible managed file, contents will be overwritten ##' + state: present + check_mode: yes + register: ansible_managed_check + when: stat_result.stat.exists | bool is true + + - name: Remove the registry config file if exists and has ansible managed comments + ansible.builtin.file: + path: "/etc/rancher/rke2/registries.yaml" + state: absent + when: + - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index e18ae9c5..e64e5b70 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml 
+++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -3,10 +3,10 @@ - name: "Calculate rke2 full version" when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) block: - - name: Stop if the provided is not valid - ansible.builtin.fail: - msg: "Provided channel is not valid" - when: rke2_channel not in channels + # - name: Stop if the provided is not valid + # ansible.builtin.fail: + # msg: "Provided channel is not valid" + # when: rke2_channel not in channels - name: Get full version name url ansible.builtin.uri: diff --git a/roles/rke2/tasks/cis-hardening.yml b/roles/rke2/tasks/cis-hardening.yml index 102a84a9..754d423c 100644 --- a/roles/rke2/tasks/cis-hardening.yml +++ b/roles/rke2/tasks/cis-hardening.yml @@ -1,9 +1,9 @@ --- + - name: CIS MODE become: yes when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$') block: - - name: Create etcd group ansible.builtin.group: name: etcd @@ -28,7 +28,7 @@ - install_method == "rpm" notify: - Restart systemd-sysctl - - Restart {{ service_name }} + - "Restart {{ service_name }}" - Reboot the machine - name: Copy systemctl file for kernel hardening for non-yum installs @@ -42,15 +42,9 @@ - install_method == "tarball" notify: - Restart systemd-sysctl - - Restart {{ service_name }} + - "Restart {{ service_name }}" - Reboot the machine - # - name: Restart systemd-sysctl - # ansible.builtin.service: - # state: restarted - # name: systemd-sysctl - # when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed - # Per CIS hardening guide, if Kubernetes is already running, making changes to sysctl can result in unexpected # side-effects. Rebooting node if RKE2 is already running to prevent potential issues whereas before we were # always rebooting, even if the node was brand new and RKE2 not running yet. 
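Review bot: Commenting out the `Stop if the provided is not valid` task removes the only validation of `rke2_channel` before it is used by the `Get full version name url` request that follows, and the matching `channels` list is deleted from vars/main.yml in the same patch, so a mistyped or unsupported channel now surfaces as an opaque HTTP failure rather than a clear message. If the goal was to stop maintaining the hard-coded list, a shape check keeps the guard without it: `when: rke2_channel is not regex('^(stable|latest|v[0-9]+\\.[0-9]+)$')`. Commented-out tasks should be deleted rather than kept; the cis-hardening.yml hunk further down already does that for its dead reboot block.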
@@ -61,10 +55,3 @@ - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - rke2_running is defined - rke2_running - # ansible.builtin.reboot: - # reboot_timeout: 300 - # throttle: 1 - # when: - # - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - # - rke2_running is defined - # - rke2_running diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index b755f8c5..cf277334 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml @@ -256,21 +256,3 @@ path: /tmp/ansible-config.txt state: absent changed_when: false - -- name: Restart rke2-server if package installed and config changed or RKE2 version changed - ansible.builtin.service: - state: restarted - name: rke2-server - when: - - ansible_facts.services["rke2-server.service"] is defined - - "ansible_facts.services['rke2-server.service'].state == 'running'" - - (tmp_sha1 != previous_rke2_config.stat.checksum or (rke2_version_changed | default(false))) - -- name: Restart rke2-agent if package installed and config changed or RKE2 version changed - ansible.builtin.service: - state: restarted - name: rke2-agent - when: - - ansible_facts.services["rke2-agent.service"] is defined - - "ansible_facts.services['rke2-agent.service'].state == 'running'" - - (tmp_sha1 != previous_rke2_config.stat.checksum or (rke2_version_changed | default(false))) diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 0a0afa38..06774a94 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml 
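Review bot: The two removed restart tasks in config.yml were the only visible place where a checksum change (`tmp_sha1` vs `previous_rke2_config.stat.checksum`) or `rke2_version_changed` restarted a running rke2-server/rke2-agent, and nothing in this hunk replaces them with a `notify`; the task that writes config.yaml sits above the hunk and is not visible here. Unless that task now carries `notify: "Restart {{ service_name }}"`, a config change on an already-running node is written but never applied until a manual restart or reboot. Please confirm the notify exists on the config-writing task, or add it there.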
@@ -1,23 +1,26 @@ --- +- name: Create the /etc/rancher/rke2 config dir + ansible.builtin.file: + path: /etc/rancher/rke2 + state: directory + recurse: yes + - name: Run CIS-Hardening Tasks ansible.builtin.include_tasks: cis-hardening.yml - name: Configure registries.yaml ansible.builtin.include_tasks: add-registry-config.yml - when: registry_config_file_path | length > 0 - name: Configure audit policy ansible.builtin.include_tasks: add-audit-policy-config.yml when: - inventory_hostname in groups['rke2_servers'] - - audit_policy_config_file_path | length > 0 - name: Configure psa policy ansible.builtin.include_tasks: add-pod-security-admission-config.yml when: - inventory_hostname in groups['rke2_servers'] - - pod_security_admission_config_file_path | length > 0 - name: Configure first server manifests ansible.builtin.include_tasks: add-manifest-addons.yml diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 6ca9429b..2ea88adb 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -6,7 +6,7 @@ - name: Wait for rke2 ansible.builtin.include_tasks: wait_for_rke2.yml -- name: Add generated Token if none provided ### <- what's the intent here? +- name: Add generated Token if none provided block: - name: Wait for node-token ansible.builtin.wait_for: diff --git a/roles/rke2/tasks/images_bundle.yml b/roles/rke2/tasks/images_bundle.yml new file mode 100644 index 00000000..9b069f25 --- /dev/null +++ b/roles/rke2/tasks/images_bundle.yml 
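Review bot: The new `Create the /etc/rancher/rke2 config dir` task sets neither `owner` nor `mode`, and `recurse: yes` on a `state: directory` task does nothing useful without them; this directory holds config.yaml, which other_nodes.yml seeds with the cluster join `token:`, and the generated registries.yaml/audit-policy.yaml are written with `0640`. Setting the directory explicitly, `mode: '0750'` with `owner: root` and `group: root`, and dropping `recurse` keeps the token unreadable by unprivileged local users regardless of the host umask. `yes` should be `true` in any case, for consistency with the lowercase booleans used elsewhere in the role.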
@@ -0,0 +1,28 @@ +--- + +- name: Create images directory + ansible.builtin.file: + path: /var/lib/rancher/rke2/agent/images + state: directory + mode: '0644' + +- name: Download images tar files url + ansible.builtin.get_url: + url: "{{ item }}" + dest: "/var/lib/rancher/rke2/agent/images" + mode: "0644" + when: + - rke2_images_urls != [] + with_items: "{{ rke2_images_urls }}" + notify: "Restart {{ service_name }}" + +- name: Copy local tarball images + ansible.builtin.copy: + src: "{{ item }}" + dest: /var/lib/rancher/rke2/agent/images/ + mode: '0644' + with_items: + - "{{ rke2_images_local_tarball_path }}" + when: + - rke2_images_local_tarball_path != [] + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/images_tarball_install.yml b/roles/rke2/tasks/images_tarball_install.yml deleted file mode 100644 index 49ee3e09..00000000 --- a/roles/rke2/tasks/images_tarball_install.yml +++ /dev/null 
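Review bot: `Create images directory` uses `mode: '0644'` on a directory, which has no execute bit; root still traverses it, but `mode: '0755'` is almost certainly what was meant (the deleted images_tarball_install.yml carried the same value, so this is inherited rather than new). The `get_url` task fetches bundles from user-supplied `rke2_images_urls` with no `checksum:` argument, so a tampered or truncated tarball is placed where the agent picks images up without any integrity check; get_url accepts `checksum: "sha256:<DIGEST_OR_URL>"`, so a parallel `rke2_images_checksums` variable, or a comment stating why transport security is considered sufficient, would close that gap. The `!= []` guards on both tasks are redundant with the loops, since `with_items` over an empty list runs nothing.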
@@ -1,50 +0,0 @@ ---- - -- name: "Check for images tar.gz in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" # noqa name[template] yaml[line-length] - ansible.builtin.stat: - path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" - get_checksum: false - register: got_images_gz - delegate_to: 127.0.0.1 - become: false - -- name: "Check for images tar.zst in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" # noqa name[template] yaml[line-length] - ansible.builtin.stat: - path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" - get_checksum: false - register: got_images_zst - delegate_to: 127.0.0.1 - become: false - -- name: Create images directory - ansible.builtin.file: - path: /var/lib/rancher/rke2/agent/images - state: directory - mode: '0644' - when: - - got_images_gz - - got_images_zst - - rke2_images_urls != [] - -- name: Download images tar files url - ansible.builtin.get_url: - url: "{{ item }}" - dest: "/var/lib/rancher/rke2/agent/images" - mode: "0644" - when: - - rke2_images_urls != [] - with_items: "{{ rke2_images_urls }}" - -- name: Add images tar.gz to needed directory if provided - ansible.builtin.copy: - src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" - dest: /var/lib/rancher/rke2/agent/images/ - mode: '0644' - when: got_images_gz.stat.exists - -- name: Add images tar.zst to needed directory if provided - ansible.builtin.copy: - src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" - dest: /var/lib/rancher/rke2/agent/images/ - mode: '0644' - when: got_images_zst.stat.exists diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index 8fcdce6e..de76df23 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml 
@@ -7,17 +7,13 @@ ansible.builtin.package_facts: manager: auto -- name: Satisfy OS Pre-Reqs - ansible.builtin.include_tasks: pre_reqs.yml - - name: Set for install method of tarball ansible.builtin.set_fact: install_method: tarball when: |- - ((ansible_facts['os_family'] != 'RedHat' and - ansible_facts['os_family'] != 'Rocky') or - (rke2_tarball_url is defined and rke2_tarball_url != "") or - (rke2_local_tarball_path is defined and rke2_local_tarball_path != "")) + ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or + rke2_tarball_url != "" or + rke2_local_tarball_path != "") - name: Set for install method of rpm ansible.builtin.set_fact: @@ -39,14 +35,17 @@ when: - inventory_hostname in groups.get('rke2_agents', []) +- name: Satisfy OS Pre-Reqs + ansible.builtin.include_tasks: pre_reqs.yml + - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml - name: Check for images bundle - ansible.builtin.include_tasks: images_tarball_install.yml - -- name: Determine rke2_version to install - ansible.builtin.include_tasks: calculate_rke2_version.yml + ansible.builtin.include_tasks: images_bundle.yml + when: + - rke2_images_urls != [] or + rke2_images_local_tarball_path != [] - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml @@ -54,9 +53,9 @@ - install_method == "tarball" - name: RPM Install + ansible.builtin.include_tasks: rpm_install.yml when: - install_method == "rpm" - ansible.builtin.include_tasks: rpm_install.yml - name: Set rke2 configuration files ansible.builtin.include_tasks: configure_rke2.yml @@ -86,5 +85,4 @@ group: root when: - inventory_hostname in groups['rke2_servers'][0] - - cluster_manifest_config_file_path is defined - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml index cd65e3c3..8b1fea1e 100644 --- a/roles/rke2/tasks/network_manager_fix.yaml 
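Review bot: `Determine rke2_version to install` is removed from main.yml here and re-added only at the top of rpm_install.yml (see that file's hunk below), so on the tarball path calculate_rke2_version.yml is no longer included at all. If tarball_install.yml or previous_install.yml read `rke2_version` (neither file is visible in this chunk), it would now be undefined for non-RPM hosts; please confirm the tarball path derives the version itself, or include the calculation before the `Tarball Install` task as well. The new `when:` on `Check for images bundle` is one list item folded across two lines; `when: rke2_images_urls != [] or rke2_images_local_tarball_path != []` on a single line avoids relying on plain-scalar folding.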
+++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -26,6 +26,7 @@ owner: root group: root when: rke2_canal_file.stat.exists + notify: "Restart {{ service_name }}" - name: Disable service nm-cloud-setup ansible.builtin.systemd: @@ -33,6 +34,9 @@ enabled: no state: stopped when: ansible_facts.services["nm-cloud-setup.service"] is defined + notify: + - Reload NetworkManager + - "Restart {{ service_name }}" - name: Disable nm-cloud-setup.timer unit ansible.builtin.systemd: @@ -40,10 +44,8 @@ state: stopped enabled: no when: ansible_facts.services["nm-cloud-setup.service"] is defined + notify: + - Reload NetworkManager + - "Restart {{ service_name }}" + -- name: Reload NetworkManager - ansible.builtin.systemd: - name: NetworkManager - state: reloaded - when: (ansible_facts.services["NetworkManager.service"] is defined) and - (ansible_facts.services["NetworkManager.service"].status == "running") diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 9f0862c5..a4fe2fe4 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -17,7 +17,7 @@ insertbefore: BOF when: - '"token:" not in server_token_check.stdout' - notify: Restart {{ service_name }} + notify: "Restart {{ service_name }}" - name: Does config file already have server url? # noqa command-instead-of-shell ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' @@ -33,7 +33,7 @@ insertbefore: BOF when: - '"server:" not in server_url_check.stdout' - notify: Restart {{ service_name }} + notify: "Restart {{ service_name }}" - name: Wait for rke2 ansible.builtin.include_tasks: wait_for_rke2.yml diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index fc2c737a..fdf366bf 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml 
@@ -10,6 +10,7 @@ when: - ansible_facts.services["firewalld.service"] is defined - ansible_facts.services["firewalld.service"].status != "not-found" + notify: "Restart {{ service_name }}" - name: Include task file network_manager_fix.yaml ansible.builtin.include_tasks: network_manager_fix.yaml diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 74231452..d0c8f9d7 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -1,5 +1,8 @@ --- +- name: Determine rke2_version to install + ansible.builtin.include_tasks: calculate_rke2_version.yml + # Add RKE2 Common repo - name: Add the rke2-common repo RHEL/CentOS/Rocky ansible.builtin.yum_repository: @@ -34,22 +37,4 @@ ansible.builtin.yum: name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest - notify: Restart {{ service_name }} - -# - name: YUM-Based | Install rke2-server -# ansible.builtin.yum: -# name: "rke2-server-{{ rke2_version_rpm }}" -# state: latest # noqa package-latest -# when: -# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' -# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE -# - inventory_hostname in groups['rke2_servers'] - -# - name: YUM-Based | Install rke2-agent -# ansible.builtin.yum: -# name: "rke2-agent-{{ rke2_version_rpm }}" -# state: latest # noqa package-latest -# when: -# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' -# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE -# - inventory_hostname in groups.get('rke2_agents', []) + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index 106b1970..6224d1e3 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml 
@@ -1,19 +1,6 @@ --- + tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 -# Possible RKE2 Channels -channels: - - stable - - latest - - v1.18 - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 installed: false rke2_version_changed: false +reboot: false \ No newline at end of file From a3850d48bc9b2d5b9b09fa510befae022095c36f Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Mon, 17 Jun 2024 17:32:34 -0400 Subject: [PATCH 03/28] fixing linting --- .ansible-lint-ignore | 6 +++++- .github/workflows/rocky8.yml | 4 ++-- .github/workflows/ubuntu20.yml | 4 ++-- README.md | 2 +- inventory/sample/group_vars/rke2_agents.yml | 2 +- inventory/sample/group_vars/rke2_servers.yml | 6 +++--- inventory/sample/hosts.yml | 4 ++-- roles/rke2/defaults/main.yml | 13 +++++++------ roles/rke2/tasks/add-audit-policy-config.yml | 6 +++--- roles/rke2/tasks/add-manifest-addons.yml | 2 +- .../tasks/add-pod-security-admission-config.yml | 6 +++--- roles/rke2/tasks/add-registry-config.yml | 6 +++--- roles/rke2/tasks/cis-hardening.yml | 2 +- roles/rke2/tasks/configure_rke2.yml | 5 +++-- roles/rke2/tasks/main.yml | 12 ++++-------- roles/rke2/tasks/network_manager_fix.yaml | 6 ++---- roles/rke2/tasks/other_nodes.yml | 2 +- roles/rke2/tasks/pre_reqs.yml | 2 +- roles/rke2/tasks/previous_install.yml | 4 ++-- roles/rke2/tasks/rpm_install.yml | 2 +- roles/rke2/tasks/tarball_install.yml | 1 - roles/rke2/tasks/wait_for_rke2.yml | 8 +++----- roles/rke2/vars/main.yml | 5 ++--- site.yml | 1 - 24 files changed, 53 insertions(+), 58 deletions(-) diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore index dc3fc6ac..cb343553 100644 --- a/.ansible-lint-ignore +++ b/.ansible-lint-ignore 
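Review bot: `reboot: false` is added to roles/rke2/vars/main.yml, which has higher precedence than inventory, group_vars and play vars, so a user cannot enable the reboot behavior from their inventory; only `set_fact`, `include_vars` or `-e` can override it. If the handlers' `not reboot` guards are meant to honor a user choice, the default belongs in defaults/main.yml; if `reboot` is only ever set internally (for example by a `set_fact` in cis-hardening.yml, which is not visible here), a comment such as `# Internal flag, set via set_fact by cis-hardening.yml; not a user setting` would stop the next reader from trying to set it in group_vars. The file also loses its trailing newline (`\ No newline at end of file`), which yamllint will flag.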
@@ -1,4 +1,8 @@ # This file contains ignores rule violations for ansible-lint roles/testing/tasks/troubleshooting.yml ignore-errors -inventory/sample/hosts.yml yaml[line-length] \ No newline at end of file +inventory/sample/hosts.yml yaml[line-length] +inventory/sample/hosts.yml yaml[comments-indentation] +roles/rke2/tasks/add-audit-policy-config.yml no-handler +roles/rke2/tasks/add-pod-security-admission-config.yml no-handler +roles/rke2/tasks/add-registry-config.yml no-handler diff --git a/.github/workflows/rocky8.yml b/.github/workflows/rocky8.yml index b4d9973e..f21a42c7 100644 --- a/.github/workflows/rocky8.yml +++ b/.github/workflows/rocky8.yml @@ -119,7 +119,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml echo "" >> ansible.cfg echo "" >> ansible.cfg echo "remote_user=centos" >> ansible.cfg 
@@ -172,7 +172,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml cp hosts.yml inventory/rocky8/hosts.yml env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/ubuntu20.yml b/.github/workflows/ubuntu20.yml index b3dbeeb5..f87e40e0 100644 --- a/.github/workflows/ubuntu20.yml +++ b/.github/workflows/ubuntu20.yml 
@@ -117,7 +117,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml echo "" >> ansible.cfg echo "" >> ansible.cfg echo "remote_user=ubuntu" >> ansible.cfg 
@@ -170,7 +170,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml cp hosts.yml inventory/ubuntu20/hosts.yml env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} diff --git a/README.md b/README.md index a6dc3363..d1789905 100644 --- a/README.md +++ b/README.md @@ -109,7 +109,7 @@ Kubeconfig To get access to your **Kubernetes** cluster just ```bash -ssh ec2-user@kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes" +ssh ec2-user@rke2_kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes" ``` Available configurations diff --git a/inventory/sample/group_vars/rke2_agents.yml b/inventory/sample/group_vars/rke2_agents.yml index e9d13353..dd8c405d 100644 --- a/inventory/sample/group_vars/rke2_agents.yml +++ b/inventory/sample/group_vars/rke2_agents.yml 
@@ -7,4 +7,4 @@ rke2_config: {} # See https://docs.rke2.io/install/containerd_registry_configuration/ # Add a registry configuration file by specifying the file path on the control host -# registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" +# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml index d451b625..40d7117e 100644 --- a/inventory/sample/group_vars/rke2_servers.yml +++ b/inventory/sample/group_vars/rke2_servers.yml @@ -36,11 +36,11 @@ rke2_config: {} # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ # Add a policy configuration file by specifying the file path on the control host -# audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" +# rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" # See https://docs.rke2.io/install/containerd_registry_configuration/ # Add a registry configuration file by specifying the file path on the control host -# registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" +# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts # Add manifest files by specifying the directory path on the control host @@ -50,4 +50,4 @@ rke2_config: {} # Available in RKE2 1.25+ # Add a pod security admission config file by specifying the file path on the control host # Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored -# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml" +# rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml" 
diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml index 517838fd..343a7fab 100644 --- a/inventory/sample/hosts.yml +++ b/inventory/sample/hosts.yml @@ -49,10 +49,10 @@ rke2_cluster: # write-kubeconfig-mode: "0640" # # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ # # Add a policy configuration file by specifying the file path on the control host - # audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" + # rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" # # See https://docs.rke2.io/install/containerd_registry_configuration/ # # Add a registry configuration file by specifying the file path on the control host - # registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" + # rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" # # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts # # Add manifest files by specifying the directory path on the control host # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/" diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 4d4bd72b..75a020dd 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml 
@@ -1,16 +1,17 @@ --- -kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" +rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" tarball_dir: "/usr/local" rke2_local_tarball_path: "" rke2_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] rke2_channel: stable -audit_policy_config_file_path: "" -registry_config_file_path: "" -pod_security_admission_config_file_path: "" -add_iptables_rules: false -cluster_manifest_config_file_path: "" +rke2_audit_policy_config_file_path: "" +rke2_registry_config_file_path: "" +rke2_pod_security_admission_config_file_path: "" +rke2_add_iptables_rules: false +rke2_initial_manifest_config_file_path: "" +rke2_cluster_manifest_config_file_path: "" rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" diff --git a/roles/rke2/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml index ac452639..10b66c4a 100644 --- a/roles/rke2/tasks/add-audit-policy-config.yml +++ b/roles/rke2/tasks/add-audit-policy-config.yml @@ -1,7 +1,7 @@ --- - name: Add audit policy configuration file vars: - file_contents: "{{ lookup('file', audit_policy_config_file_path) }}" + file_contents: "{{ lookup('file', rke2_audit_policy_config_file_path) }}" ansible.builtin.template: src: ansible_header.j2 dest: "/etc/rancher/rke2/audit-policy.yaml" @@ -9,12 +9,12 @@ owner: root group: root when: - - audit_policy_config_file_path|length != 0 + - rke2_audit_policy_config_file_path|length != 0 notify: "Restart {{ service_name }}" - name: Remove audit policy configuration file when: - - audit_policy_config_file_path|length == 0 + - rke2_audit_policy_config_file_path|length == 0 block: - name: Check that the audit policy config file exists ansible.builtin.stat: diff --git a/roles/rke2/tasks/add-manifest-addons.yml b/roles/rke2/tasks/add-manifest-addons.yml index a7524f1b..0b55cc88 100644 
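Review bot: The renamed keys in this defaults hunk (`rke2_audit_policy_config_file_path`, `rke2_registry_config_file_path`, `rke2_pod_security_admission_config_file_path`, `rke2_add_iptables_rules`) replace the old names with no guard, so an existing inventory that still sets `audit_policy_config_file_path` or `registry_config_file_path` silently falls back to the empty default, and the add-*-config tasks in this same commit then take their "Remove ... configuration file" branch instead of applying the file. A small task at the top of the role would make that loud, for example `ansible.builtin.assert: { that: audit_policy_config_file_path is not defined, fail_msg: "audit_policy_config_file_path was renamed to rke2_audit_policy_config_file_path" }` (one such assertion per legacy name), or at minimum a README note listing the renames. The same concern applies to the PATCH 04 hunk of this file that renames `tarball_dir`, `rke2_local_tarball_path` and `rke2_tarball_url`.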
--- a/roles/rke2/tasks/add-manifest-addons.yml +++ b/roles/rke2/tasks/add-manifest-addons.yml @@ -2,7 +2,7 @@ - name: Add manifest addons files ansible.builtin.copy: - src: "{{ manifest_config_file_path }}" + src: "{{ src }}" dest: "/var/lib/rancher/rke2/server/manifests/" mode: '0640' owner: root diff --git a/roles/rke2/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml index b7f537a2..3237502a 100644 --- a/roles/rke2/tasks/add-pod-security-admission-config.yml +++ b/roles/rke2/tasks/add-pod-security-admission-config.yml @@ -1,7 +1,7 @@ --- - name: Add pod security admission config file vars: - file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}" + file_contents: "{{ lookup('file', rke2_pod_security_admission_config_file_path) }}" ansible.builtin.template: src: ansible_header.j2 dest: "/etc/rancher/rke2/pod-security-admission-config.yaml" @@ -9,12 +9,12 @@ owner: root group: root when: - - pod_security_admission_config_file_path|length != 0 + - rke2_pod_security_admission_config_file_path|length != 0 notify: "Restart {{ service_name }}" - name: Remove pod security admission config file when: - - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0 + - rke2_pod_security_admission_config_file_path|length == 0 block: - name: Check that the PSA config file exists ansible.builtin.stat: diff --git a/roles/rke2/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml index 367ab9bf..205e2253 100644 --- a/roles/rke2/tasks/add-registry-config.yml +++ b/roles/rke2/tasks/add-registry-config.yml @@ -1,7 +1,7 @@ --- - name: Add registry configuration file vars: - file_contents: "{{ lookup('file', registry_config_file_path) }}" + file_contents: "{{ lookup('file', rke2_registry_config_file_path) }}" ansible.builtin.template: src: ansible_header.j2 dest: "/etc/rancher/rke2/registries.yaml" 
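Review bot: `src` as the name of the variable that callers inject into add-manifest-addons.yml is generic enough to collide with a play or host variable of the same name and is hard to grep for; a role-prefixed name such as `rke2_manifest_src` would match the naming this commit introduces everywhere else. Since the file is now a shared include, it would also be safer for the copy task itself to carry `when: src | length > 0` so that a caller passing the empty default cannot reach `ansible.builtin.copy` with no source. The task's `when:` and notify, if any, are outside the hunk.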
@@ -9,12 +9,12 @@ owner: root group: root when: - - registry_config_file_path|length != 0 + - rke2_registry_config_file_path|length != 0 notify: "Restart {{ service_name }}" - name: Remove registry configuration file when: - - registry_config_file_path|length == 0 + - rke2_registry_config_file_path|length == 0 block: - name: Check that the registry config file exists ansible.builtin.stat: diff --git a/roles/rke2/tasks/cis-hardening.yml b/roles/rke2/tasks/cis-hardening.yml index 754d423c..ec779eaf 100644 --- a/roles/rke2/tasks/cis-hardening.yml +++ b/roles/rke2/tasks/cis-hardening.yml @@ -50,7 +50,7 @@ # always rebooting, even if the node was brand new and RKE2 not running yet. - name: Reboot the machine (Wait for 5 min) ansible.builtin.set_fact: - reboot: true + rke2_reboot: true when: - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - rke2_running is defined diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 06774a94..ab437335 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -24,7 +24,8 @@ - name: Configure first server manifests ansible.builtin.include_tasks: add-manifest-addons.yml + vars: + src: "{{ rke2_initial_manifest_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'][0] - - manifest_config_file_path is defined - - manifest_config_file_path | length > 0 + - rke2_initial_manifest_config_file_path | length > 0 diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index de76df23..a84d9efd 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml 
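Review bot: The configure_rke2.yml hunk switches the first-server manifests to `rke2_initial_manifest_config_file_path`, but the sample inventory touched by this same commit (inventory/sample/hosts.yml) still advertises `manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"`, which the role no longer reads; a user following the sample gets no manifests deployed and no error. Update the commented sample line to the new name, and say in that comment that the value is applied on the first server only, which is what the `inventory_hostname in groups['rke2_servers'][0]` condition here enforces.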
@@ -76,13 +76,9 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Add cluster manifest addons files - ansible.builtin.copy: - src: "{{ cluster_manifest_config_file_path }}" - dest: "/var/lib/rancher/rke2/server/manifests/" - mode: '0640' - owner: root - group: root +- name: Configure cluster manifests + ansible.builtin.include_tasks: add-manifest-addons.yml + vars: + src: "{{ rke2_cluster_manifest_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'][0] - - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml index 8b1fea1e..95037c33 100644 --- a/roles/rke2/tasks/network_manager_fix.yaml +++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -34,7 +34,7 @@ enabled: no state: stopped when: ansible_facts.services["nm-cloud-setup.service"] is defined - notify: + notify: - Reload NetworkManager - "Restart {{ service_name }}" @@ -44,8 +44,6 @@ state: stopped enabled: no when: ansible_facts.services["nm-cloud-setup.service"] is defined - notify: + notify: - Reload NetworkManager - "Restart {{ service_name }}" - - diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index a4fe2fe4..7f7a0234 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -28,7 +28,7 @@ - name: Add server url to config file ansible.builtin.lineinfile: dest: /etc/rancher/rke2/config.yaml - line: "server: https://{{ kubernetes_api_server_host }}:9345" + line: "server: https://{{ rke2_kubernetes_api_server_host }}:9345" state: present insertbefore: BOF when: diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index fdf366bf..ad60ab98 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml 
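Review bot: The `when:` of the new "Configure cluster manifests" task in the main.yml hunk drops the `| length > 0` guard that the removed copy task had, so with the default `rke2_cluster_manifest_config_file_path: ""` the include runs on the first server with `src: ""` and the `ansible.builtin.copy` in add-manifest-addons.yml has nothing valid to copy from. Keep the guard: `- rke2_cluster_manifest_config_file_path | length > 0`. The sibling include in configure_rke2.yml keeps exactly this check for the initial manifests, so the two call sites should agree.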
@@ -19,4 +19,4 @@ ansible.builtin.include_tasks: iptables_rules.yml when: - ansible_facts.services["iptables.service"] is defined - - add_iptables_rules | bool + - rek2_add_iptables_rules | bool diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index 03e59253..e8f4c744 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -2,7 +2,7 @@ - name: Set fact if rke2-server was previously installed ansible.builtin.set_fact: - installed: true + rke2_installed: true when: - ansible_facts.services["rke2-server.service"] is defined - not ansible_facts.services["rke2-server.service"].status == 'disabled' @@ -18,7 +18,7 @@ - name: Set fact if rke2-agent was previously installed ansible.builtin.set_fact: - installed: true + rke2_installed: true when: - ansible_facts.services["rke2-agent.service"] is defined - not ansible_facts.services["rke2-agent.service"].status == 'disabled' diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index d0c8f9d7..f4aa2bb8 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -34,7 +34,7 @@ ansible_facts['distribution_major_version'] == "9" - name: YUM-Based Install - ansible.builtin.yum: + ansible.builtin.dnf: name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 27f61efa..27e6719a 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -36,7 +36,6 @@ - not rke2_binary_tarball_check.stat.exists - rke2_tarball_url != "" - - name: Determine if current version differs what what is being installed ansible.builtin.set_fact: rke2_version_changed: true diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml index 35b98c6c..b1a3e96e 100644 --- a/roles/rke2/tasks/wait_for_rke2.yml 
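Review bot: `rek2_add_iptables_rules` in the pre_reqs.yml hunk is a typo for `rke2_add_iptables_rules`, the name this commit defines in roles/rke2/defaults/main.yml, so on a host where `iptables.service` exists the task errors on an undefined variable instead of evaluating the flag; hosts without that service short-circuit on the first condition and never expose the problem, which is why a test run can pass. Change the line to `- rke2_add_iptables_rules | bool`.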
+++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -11,7 +11,7 @@ - name: Wait for k8s apiserver ansible.builtin.wait_for: - host: "{{ kubernetes_api_server_host }}" + host: "{{ rke2_kubernetes_api_server_host }}" port: "6443" state: present timeout: 300 @@ -27,16 +27,14 @@ - name: Extract the hostname-override parameter from the kubelet process ansible.builtin.set_fact: - kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \ - regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ - '\\1') }}" + kubelet_hostname: "{{ kubelet_check.stdout | regex_search('\\s--hostname-override=([^\\s]+)', '\\1') }}" when: - inventory_hostname in groups['rke2_servers'] - name: Wait for node to show Ready status ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml - --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }} + --server https://127.0.0.1:6443 get no {{ kubelet_hostname }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' register: status_result until: status_result.stdout.find("True") != -1 diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index 6224d1e3..0f544b40 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -1,6 +1,5 @@ --- -tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 -installed: false +rke2_installed: false rke2_version_changed: false -reboot: false \ No newline at end of file +rke2_reboot: false diff --git a/site.yml b/site.yml index 71c6d684..7fd240e6 100644 --- a/site.yml +++ b/site.yml @@ -6,4 +6,3 @@ become: true roles: - role: rke2 - # serial: 5 From 61422e44988dd02f7441629672849b81868e03ed Mon Sep 17 00:00:00 2001 
From: Adam Leiner Date: Mon, 17 Jun 2024 20:49:49 -0400 Subject: [PATCH 04/28] initial pass at tarball --- inventory/sample/hosts.yml | 2 +- roles/rke2/defaults/main.yml | 7 +- roles/rke2/handlers/main.yml | 22 +++---- roles/rke2/tasks/main.yml | 13 ++-- roles/rke2/tasks/previous_install.yml | 8 +-- roles/rke2/tasks/rpm_install.yml | 3 - roles/rke2/tasks/tarball_install.yml | 95 ++++++++++++++------------- roles/rke2/tasks/wait_for_rke2.yml | 2 +- 8 files changed, 80 insertions(+), 72 deletions(-) diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml index 343a7fab..8beb932f 100644 --- a/inventory/sample/hosts.yml +++ b/inventory/sample/hosts.yml @@ -3,7 +3,7 @@ all: vars: install_rke2_version: v1.27.10+rke2r1 # # In air-gapped envs, it might be convenient to download the tar files from custom URLs - # rke2_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz + # rke2_install_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz # rke2_image_tar_urls: # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 75a020dd..a44e12dc 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,8 +1,8 @@ --- rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" -tarball_dir: "/usr/local" -rke2_local_tarball_path: "" -rke2_tarball_url: "" +rke2_tarball_install_dir: "/usr/local" +rke2_local_install_tarball_path: "" +rke2_install_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] rke2_channel: stable 
@@ -12,6 +12,7 @@ rke2_pod_security_admission_config_file_path: "" rke2_add_iptables_rules: false rke2_initial_manifest_config_file_path: "" rke2_cluster_manifest_config_file_path: "" +rke2_force_tarball_install: false rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index c4211f6b..728c71be 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -5,7 +5,7 @@ state: restarted name: systemd-sysctl when: - - not reboot + - not rke2_reboot - name: Restart rke2-server ansible.builtin.service: @@ -13,7 +13,7 @@ name: rke2-server throttle: 1 when: - - not reboot + - not rke2_reboot - name: Restart rke2-agent ansible.builtin.service: @@ -21,18 +21,18 @@ name: rke2-agent throttle: 1 when: - - not reboot - -- name: Reboot the machine - ansible.builtin.reboot: - reboot_timeout: 300 - throttle: 1 - when: - - reboot + - not rke2_reboot - name: Reload NetworkManager ansible.builtin.systemd: name: NetworkManager state: reloaded when: - - not reboot + - not rke2_reboot + +- name: Reboot the machine + ansible.builtin.reboot: + reboot_timeout: 300 + throttle: 1 + when: + - rke2_reboot diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index a84d9efd..c5a49e04 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml 
@@ -12,16 +12,18 @@ install_method: tarball when: |- ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or - rke2_tarball_url != "" or - rke2_local_tarball_path != "") + rke2_install_tarball_url != "" or + rke2_local_install_tarball_path != "" or + rke2_force_tarball_install|bool) - name: Set for install method of rpm ansible.builtin.set_fact: install_method: rpm when: - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - rke2_local_tarball_path == "" - - rke2_tarball_url == "" + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" + - not rke2_force_tarball_install|bool - name: Set as server ansible.builtin.set_fact: @@ -47,6 +49,9 @@ - rke2_images_urls != [] or rke2_images_local_tarball_path != [] +- name: Determine rke2_version to install + ansible.builtin.include_tasks: calculate_rke2_version.yml + - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml when: diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index e8f4c744..dbad69a8 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -40,7 +40,7 @@ - name: Get current RKE2 version if already installed ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }' - register: installed_rke2_version_tmp + register: rke2_installed_version_tmp changed_when: false args: executable: /usr/bin/bash 
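Review bot: The "Get current RKE2 version if already installed" task in the previous_install.yml hunk still shells out to the hard-coded `/usr/local/bin/rke2`, while this patch introduces `rke2_tarball_install_dir` and the tarball tasks move the install to `/opt/rke2` when `/usr/local` is a mountpoint; on such a node the installed version is never read and the later comparison against `rke2_full_version` runs on a missing value. Use `{{ rke2_tarball_install_dir }}/bin/rke2 -v` here and in the stat that populates `rke2_binary` (that task is outside the hunk), bearing in mind that the mountpoint override presumably runs later than this file, so it may need to move ahead of it. A one-line comment above the `failed_when` that tolerates rc 141 (next hunk), saying it covers awk closing the pipe early, would also help the next reader.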
@@ -48,12 +48,12 @@ - install_method == "tarball" - rke2_binary.stat.exists failed_when: > - (installed_rke2_version_tmp.rc != 141) and - (installed_rke2_version_tmp.rc != 0) + (rke2_installed_version_tmp.rc != 141) and + (rke2_installed_version_tmp.rc != 0) - name: Determine if current version differs what what is being installed ansible.builtin.set_fact: - installed_rke2_version: "{{ installed_rke2_version_tmp.stdout }}" + rke2_installed_version: "{{ rke2_installed_version_tmp.stdout }}" when: - install_method == "tarball" - rke2_binary.stat.exists diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index f4aa2bb8..9b79a414 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -1,8 +1,5 @@ --- -- name: Determine rke2_version to install - ansible.builtin.include_tasks: calculate_rke2_version.yml - # Add RKE2 Common repo - name: Add the rke2-common repo RHEL/CentOS/Rocky ansible.builtin.yum_repository: diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 27e6719a..a2ef7c55 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml 
@@ -14,47 +14,49 @@ - name: TARBALL | Make temp dir ansible.builtin.tempfile: state: directory - suffix: rke2-install.XXXXXXXXXX + suffix: .rke2-install.XXXXXXXXXX path: "{{ tarball_tmp_dir | default(omit) }}" register: temp_dir - name: Send provided tarball if available ansible.builtin.copy: - src: "{{ rke2_local_tarball_path }}" - dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + src: "{{ inventory_dir}}/{{ rke2_local_install_tarball_path }}" + dest: "{{ temp_dir.path }}/" mode: '0644' when: - - rke2_binary_tarball_check.stat.exists - - rke2_tarball_url == "" + - rke2_local_install_tarball_path != "" - name: Download Tar from provided URL ansible.builtin.get_url: - url: "{{ rke2_tarball_url }}" - dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + url: "{{ rke2_install_tarball_url }}" + dest: "{{ temp_dir.path }}/" mode: "0644" when: - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url != "" + - rke2_install_tarball_url != "" -- name: Determine if current version differs what what is being installed +- name: Determine if current version differs from what is being installed ansible.builtin.set_fact: rke2_version_changed: true when: - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url == "" - - not installed or installed_rke2_version != rke2_full_version + # - rke2_local_install_tarball_path == "" + # - rke2_install_tarball_url == "" + - not rke2_installed or rke2_installed_version != rke2_full_version + +- name: Set architecture specific variables + set_fact: + arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - name: TARBALL | Download the tarball ansible.builtin.get_url: - url: https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-amd64.tar.gz - dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + url: "https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-{{ arch }}.tar.gz" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" 
when: - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url == "" + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" - rke2_version_changed -- name: TARBALL | Install tar package +- name: TARBALL | Install tar binary ansible.builtin.package: name: tar state: present 
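Review bot: The provided tarball is copied or downloaded into `{{ temp_dir.path }}/` under whatever basename it arrives with, but the unarchive tasks later in this file open `{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz`, so any local file or URL whose name differs fails at unarchive with no hint why. Pin the destination on both the copy and the get_url task, `dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz"`, which requires moving the "Set architecture specific variables" task above them. The copy now prefixes `inventory_dir`, a behaviour change from the old `rke2_local_tarball_path` that the sample inventory does not mention; document that the path is relative to the inventory directory. None of the `get_url` downloads verify the artifact: `ansible.builtin.get_url` accepts a `checksum:` argument (`sha256:<expected-digest>` or a URL to a checksum file), and pinning the release checksum is what makes the later execution of the extracted binary safe against a tampered or truncated download.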
@@ -62,53 +64,54 @@ - name: Get version of provided tarball when: - - (rke2_binary_tarball_check.stat.exists or rke2_tarball_url != "") + - (rke2_local_install_tarball_path != "" or rke2_install_tarball_url != "") block: - name: Unarchive tarball into temp location ansible.builtin.unarchive: - src: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + src: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" dest: "{{ temp_dir.path }}" remote_src: true + changed_when: false - name: Get tarball RKE2 version from temp location ansible.builtin.shell: set -o pipefail && {{ temp_dir.path }}/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }' - register: tarball_rke2_version_tmp + register: rke2_tarball_version_tmp changed_when: false args: executable: /usr/bin/bash - name: Set tarball RKE2 version var ansible.builtin.set_fact: - tarball_rke2_version: "{{ tarball_rke2_version_tmp.stdout }}" + rke2_tarball_version: "{{ rke2_tarball_version_tmp.stdout }}" - - name: Determine if current version differs what what is being installed + - name: Determine if current version differs from what is being installed ansible.builtin.set_fact: rke2_version_changed: true when: - - not installed or installed_rke2_version != tarball_rke2_version + - not rke2_installed or rke2_installed_version != rke2_tarball_version - name: TARBALL | Check Target Mountpoint - ansible.builtin.command: mountpoint -q {{ tarball_dir }} - register: tarball_dir_stat + ansible.builtin.command: mountpoint -q {{ rke2_tarball_install_dir }} + register: rke2_tarball_install_dir_stat failed_when: false changed_when: false -- name: TARBALL | tarball_dir is a mountpoint setting dir to /opt/rke2 +- name: TARBALL | rke2_tarball_install_dir is a mountpoint setting dir to /opt/rke2 ansible.builtin.set_fact: - tarball_dir: "/opt/rke2" - when: tarball_dir_stat.rc == 0 + rke2_tarball_install_dir: "/opt/rke2" + when: rke2_tarball_install_dir_stat.rc == 0 - name: TARBALL | Using /opt/rke2 ansible.builtin.debug: msg: "Using /opt/rke2 for 
install directory" - when: tarball_dir_stat.rc == 0 + when: rke2_tarball_install_dir_stat.rc == 0 -- name: TARBALL | Create {{ tarball_dir }} +- name: TARBALL | Create {{ rke2_tarball_install_dir }} ansible.builtin.file: - path: "{{ tarball_dir }}" + path: "{{ rke2_tarball_install_dir }}" state: directory recurse: true - when: tarball_dir is defined + when: rke2_tarball_install_dir is defined - name: Final extraction/installation of RKE2 Tar when: @@ -117,31 +120,33 @@ - name: Unarchive rke2 tar ansible.builtin.unarchive: - src: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" - dest: "{{ tarball_dir }}" + src: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" + dest: "{{ rke2_tarball_install_dir }}" remote_src: true - name: TARBALL | Updating rke2-server.service ansible.builtin.replace: - path: "{{ tarball_dir }}/lib/systemd/system/rke2-server.service" + path: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-server.service" regexp: '/usr/local' - replace: '{{ tarball_dir }}' + replace: '{{ rke2_tarball_install_dir }}' + notify: Restart rke2-server - name: TARBALL | Updating rke2-agent.service ansible.builtin.replace: - path: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.service" + path: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-agent.service" regexp: '/usr/local' - replace: '{{ tarball_dir }}' + replace: '{{ rke2_tarball_install_dir }}' + notify: Restart rke2-agent - name: TARBALL | Updating rke2-uninstall.sh ansible.builtin.replace: - path: "{{ tarball_dir }}/bin/rke2-uninstall.sh" + path: "{{ rke2_tarball_install_dir }}/bin/rke2-uninstall.sh" regexp: '/usr/local' - replace: '{{ tarball_dir }}' + replace: '{{ rke2_tarball_install_dir }}' - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.service" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-server.service" dest: /etc/systemd/system/rke2-server.service mode: '0644' owner: root 
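Review bot: `when: rke2_tarball_install_dir is defined` on the "TARBALL | Create" task is always true now that the variable has a default in roles/rke2/defaults/main.yml, so the guard is dead and should be dropped. The same task keeps `recurse: true` with `state: directory` and no owner or mode, which on the default `/usr/local` appears to walk the whole tree for no effect; plain `state: directory` already creates missing parents. "Get tarball RKE2 version from temp location" executes the freshly downloaded `{{ temp_dir.path }}/bin/rke2` before anything has verified the archive, so a `checksum:` on the `get_url` download is the natural mitigation rather than a check here.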
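Review bot: The two `replace` tasks that rewrite `rke2-server.service` and `rke2-agent.service` under the install dir now notify `Restart rke2-server` and `Restart rke2-agent` unconditionally; both unit files appear to be copied to /etc/systemd/system on every node with no per-role condition visible in the hunk, so when the install dir is `/opt/rke2` (the only case in which the replace changes anything) an agent node would also trigger the rke2-server handler. Unless the enclosing "Final extraction/installation of RKE2 Tar" block (its `when:` starts outside the hunk) is already role-specific, notify the unit the node actually runs, `notify: "Restart {{ service_name }}"`, as the other tasks in this role do. Restarting after editing unit files also needs a daemon reload first; if the handlers do not do one, `daemon_reload: true` on an `ansible.builtin.systemd` handler is the place for it.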
@@ -152,7 +157,7 @@ - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.env" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-server.env" dest: /etc/systemd/system/rke2-server.env mode: '0644' owner: root @@ -163,7 +168,7 @@ - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.service" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-agent.service" dest: /etc/systemd/system/rke2-agent.service mode: '0644' owner: root @@ -174,7 +179,7 @@ - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.env" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-agent.env" dest: /etc/systemd/system/rke2-agent.env mode: '0644' owner: root diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml index b1a3e96e..a669fabe 100644 --- a/roles/rke2/tasks/wait_for_rke2.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -34,7 +34,7 @@ - name: Wait for node to show Ready status ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml - --server https://127.0.0.1:6443 get no {{ kubelet_hostname }} + --server https://127.0.0.1:6443 get no {{ kubelet_hostname[0] }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' register: status_result until: status_result.stdout.find("True") != -1 From 57f7344c4acf1552cba6b5fde4b412578152cb85 Mon Sep 17 00:00:00 2001 
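Review bot: `kubelet_hostname[0]` in the wait_for_rke2.yml hunk correctly indexes the list that `regex_search` returns with a capture group, but when the kubelet command line carries no `--hostname-override` the filter yields an empty value and `[0]` fails with an index error instead of a readable message. RKE2 normally passes the flag, so this is about failure clarity: an `ansible.builtin.assert` with `that: kubelet_hostname | default([], true) | length > 0` and a `fail_msg` naming the kubelet process check, placed right after "Extract the hostname-override parameter", would pinpoint the cause. The enclosing task list continues outside the hunk.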
From: Adam Leiner Date: Tue, 18 Jun 2024 10:02:02 -0400 Subject: [PATCH 05/28] cleanup --- roles/rke2/tasks/calculate_rke2_version.yml | 15 +++++++-------- roles/rke2/tasks/main.yml | 3 +++ roles/rke2/tasks/previous_install.yml | 4 ++-- roles/rke2/tasks/tarball_install.yml | 8 ++++---- roles/rke2/tasks/wait_for_rke2.yml | 4 ++-- 5 files changed, 18 insertions(+), 16 deletions(-) diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index e64e5b70..d7f0c883 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -1,21 +1,20 @@ --- -- name: "Calculate rke2 full version" - when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) +- name: "Determine latest version from internet" + when: + - ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" block: - # - name: Stop if the provided is not valid - # ansible.builtin.fail: - # msg: "Provided channel is not valid" - # when: rke2_channel not in channels - - name: Get full version name url + - name: Get versions from update.rke2.io ansible.builtin.uri: url: https://update.rke2.io/v1-release/channels/{{ rke2_channel }} follow_redirects: safe remote_src: true register: rke2_version_url - - name: Set full version name + - name: Save version ansible.builtin.shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' register: rke2_full_version changed_when: false diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index c5a49e04..ea7f1092 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml 
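Review bot: "Save version" in the calculate_rke2_version.yml hunk still derives the version by shelling out with `echo {{ rke2_version_url.url }} | sed -e 's|.*/||'`, interpolating a value that comes back from the update server's redirect straight into a shell command line. The same result is available with no shell at all, `ansible.builtin.set_fact: rke2_full_version: "{{ rke2_version_url.url | basename }}"`, which removes both the injection surface and the `pipefail` wrapper. That would turn `rke2_full_version` from a registered command result into a plain string; the hunk ends at `changed_when: false`, so if a later task in this file already normalises `.stdout` into the final variable, fold it into the same change.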
@@ -51,6 +51,9 @@ - name: Determine rke2_version to install ansible.builtin.include_tasks: calculate_rke2_version.yml + when: + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index dbad69a8..44edcbcc 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -38,7 +38,7 @@ register: rke2_binary when: install_method == "tarball" -- name: Get current RKE2 version if already installed +- name: Get current rke2 version if already installed ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }' register: rke2_installed_version_tmp changed_when: false @@ -51,7 +51,7 @@ (rke2_installed_version_tmp.rc != 141) and (rke2_installed_version_tmp.rc != 0) -- name: Determine if current version differs what what is being installed +- name: Set fact for current rke2 version ansible.builtin.set_fact: rke2_installed_version: "{{ rke2_installed_version_tmp.stdout }}" when: diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index a2ef7c55..a0da6302 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -20,7 +20,7 @@ - name: Send provided tarball if available ansible.builtin.copy: - src: "{{ inventory_dir}}/{{ rke2_local_install_tarball_path }}" + src: "{{ inventory_dir }}/{{ rke2_local_install_tarball_path }}" dest: "{{ temp_dir.path }}/" mode: '0644' when: 
@@ -38,12 +38,12 @@ ansible.builtin.set_fact: rke2_version_changed: true when: - # - rke2_local_install_tarball_path == "" - # - rke2_install_tarball_url == "" + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" - not rke2_installed or rke2_installed_version != rke2_full_version - name: Set architecture specific variables - set_fact: + ansible.builtin.set_fact: arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - name: TARBALL | Download the tarball diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml index a669fabe..04ec0d94 100644 --- a/roles/rke2/tasks/wait_for_rke2.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -1,9 +1,9 @@ --- -- name: Start {{ service_name }} +- name: Start rke2 ansible.builtin.meta: flush_handlers -- name: Enable {{ service_name }} +- name: Enable service ansible.builtin.systemd: name: "{{ service_name }}" state: started From 00943bc9b990839d6aca3a6378ce431d39424560 Mon Sep 17 00:00:00 2001 
From: Adam Leiner Date: Fri, 21 Jun 2024 16:05:05 -0400 Subject: [PATCH 06/28] adding logic to determine join token and which node is up --- roles/rke2/defaults/main.yml | 4 +- roles/rke2/handlers/main.yml | 7 ++ roles/rke2/tasks/add-audit-policy-config.yml | 39 ----------- .../add-pod-security-admission-config.yml | 39 ----------- roles/rke2/tasks/add-registry-config.yml | 39 ----------- .../rke2/tasks/add_ansible_managed_config.yml | 37 ++++++++++ ...est-addons.yml => add_manifest_addons.yml} | 0 .../{cis-hardening.yml => cis_hardening.yml} | 0 roles/rke2/tasks/cluster_state.yml | 67 +++++++++++++++++++ roles/rke2/tasks/configure_rke2.yml | 31 ++++++--- roles/rke2/tasks/first_server.yml | 6 +- roles/rke2/tasks/main.yml | 13 +++- roles/rke2/tasks/pre_reqs.yml | 21 +++++- roles/rke2/tasks/previous_install.yml | 2 + roles/rke2/tasks/rpm_install.yml | 4 ++ .../rke2/templates/ansible_managed_yaml.j2 | 2 +- 16 files changed, 178 insertions(+), 133 deletions(-) delete mode 100644 roles/rke2/tasks/add-audit-policy-config.yml delete mode 100644 roles/rke2/tasks/add-pod-security-admission-config.yml delete mode 100644 roles/rke2/tasks/add-registry-config.yml create mode 100644 roles/rke2/tasks/add_ansible_managed_config.yml rename roles/rke2/tasks/{add-manifest-addons.yml => add_manifest_addons.yml} (100%) rename roles/rke2/tasks/{cis-hardening.yml => cis_hardening.yml} (100%) create mode 100644 roles/rke2/tasks/cluster_state.yml rename ansible_header.j2 => roles/rke2/templates/ansible_managed_yaml.j2 (77%) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index a44e12dc..d853ec3b 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml 
@@ -1,11 +1,11 @@ --- -rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" +rke2_kubernetes_api_server_host: "" rke2_tarball_install_dir: "/usr/local" rke2_local_install_tarball_path: "" rke2_install_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] -rke2_channel: stable +rke2_channel: "stable" rke2_audit_policy_config_file_path: "" rke2_registry_config_file_path: "" rke2_pod_security_admission_config_file_path: "" diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index 728c71be..0c0a6258 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -7,6 +7,13 @@ when: - not rke2_reboot +- name: Restart fapolicyd + ansible.builtin.service: + state: restarted + name: fapolicyd + when: + - not rke2_reboot + - name: Restart rke2-server ansible.builtin.service: state: restarted diff --git a/roles/rke2/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml deleted file mode 100644 index 10b66c4a..00000000 --- a/roles/rke2/tasks/add-audit-policy-config.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -- name: Add audit policy configuration file - vars: - file_contents: "{{ lookup('file', rke2_audit_policy_config_file_path) }}" - ansible.builtin.template: - src: ansible_header.j2 - dest: "/etc/rancher/rke2/audit-policy.yaml" - mode: '0640' - owner: root - group: root - when: - - rke2_audit_policy_config_file_path|length != 0 - notify: "Restart {{ service_name }}" - -- name: Remove audit policy configuration file - when: - - rke2_audit_policy_config_file_path|length == 0 - block: - - name: Check that the audit policy config file exists - ansible.builtin.stat: - path: "/etc/rancher/rke2/audit-policy.yaml" - register: stat_result - - - name: "Check that the audit policy config file has ansible managed comments" - ansible.builtin.lineinfile: - name: "/etc/rancher/rke2/audit-policy.yaml" - line: '## This is an Ansible managed file, contents will be overwritten ##' - state: present - check_mode: yes - register: ansible_managed_check - when: stat_result.stat.exists | bool is true - - - name: Remove the audit policy config file if exists and has ansible managed comments - ansible.builtin.file: - path: "/etc/rancher/rke2/audit-policy.yaml" - state: absent - when: - - ansible_managed_check.changed | bool is false - notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml deleted file mode 100644 index 3237502a..00000000 --- a/roles/rke2/tasks/add-pod-security-admission-config.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -- name: Add pod security admission config file - vars: - file_contents: "{{ lookup('file', rke2_pod_security_admission_config_file_path) }}" - ansible.builtin.template: - src: ansible_header.j2 - dest: "/etc/rancher/rke2/pod-security-admission-config.yaml" - mode: '0640' - owner: root - group: root - when: - - rke2_pod_security_admission_config_file_path|length != 0 - notify: "Restart {{ service_name }}" - -- name: Remove pod security admission config file - when: - - rke2_pod_security_admission_config_file_path|length == 0 - block: - - name: Check that the PSA config file exists - ansible.builtin.stat: - path: "/etc/rancher/rke2/pod-security-admission-config.yaml" - register: stat_result - - - name: "Check that the PSA config file has ansible managed comments" - ansible.builtin.lineinfile: - name: "/etc/rancher/rke2/pod-security-admission-config.yaml" - line: '## This is an Ansible managed file, contents will be overwritten ##' - state: present - check_mode: yes - register: ansible_managed_check - when: stat_result.stat.exists | bool is true - - - name: Remove the PSA config file if exists and has ansible managed comments - ansible.builtin.file: - path: "/etc/rancher/rke2/pod-security-admission-config.yaml" - state: absent - when: - - ansible_managed_check.changed | bool is false - notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml deleted file mode 100644 index 205e2253..00000000 --- a/roles/rke2/tasks/add-registry-config.yml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -- name: Add registry configuration file - vars: - file_contents: "{{ lookup('file', rke2_registry_config_file_path) }}" - ansible.builtin.template: - src: ansible_header.j2 - dest: "/etc/rancher/rke2/registries.yaml" - mode: '0640' - owner: root - group: root - when: - - rke2_registry_config_file_path|length != 0 - notify: "Restart {{ service_name }}" - -- name: Remove registry configuration file - when: - - rke2_registry_config_file_path|length == 0 - block: - - name: Check that the registry config file exists - ansible.builtin.stat: - path: "/etc/rancher/rke2/registries.yaml" - register: stat_result - - - name: "Check that the registry config file has ansible managed comments" - ansible.builtin.lineinfile: - name: "/etc/rancher/rke2/registries.yaml" - line: '## This is an Ansible managed file, contents will be overwritten ##' - state: present - check_mode: yes - register: ansible_managed_check - when: stat_result.stat.exists | bool is true - - - name: Remove the registry config file if exists and has ansible managed comments - ansible.builtin.file: - path: "/etc/rancher/rke2/registries.yaml" - state: absent - when: - - ansible_managed_check.changed | bool is false - notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml new file mode 100644 index 00000000..2da4adc3 --- /dev/null +++ b/roles/rke2/tasks/add_ansible_managed_config.yml 
@@ -0,0 +1,37 @@ +--- +- name: "Add {{ file_description }} file" + ansible.builtin.template: + src: ansible_managed_yaml.j2 + dest: "{{ file_destination }}" + mode: '0640' + owner: root + group: root + when: + - file_path | default("") | length != 0 + notify: "Restart {{ service_name }}" + +- name: "Remove {{ file_description }} file" + when: + - file_path | default("") | length == 0 + block: + - name: "Check that the {{ file_description }} file exists" + ansible.builtin.stat: + path: "{{ file_destination }}" + register: stat_result + + - name: "Check that the {{ file_description }} config file has ansible managed comments" + ansible.builtin.lineinfile: + name: "{{ file_destination }}" + line: '## This is an Ansible managed file, contents will be overwritten ##' + state: present + check_mode: yes + register: ansible_managed_check + when: stat_result.stat.exists | bool is true + + - name: "Remove the {{ file_description }} file if exists and has ansible managed comments" + ansible.builtin.file: + path: "{{ file_destination }}" + state: absent + when: + - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-manifest-addons.yml b/roles/rke2/tasks/add_manifest_addons.yml similarity index 100% rename from roles/rke2/tasks/add-manifest-addons.yml rename to roles/rke2/tasks/add_manifest_addons.yml diff --git a/roles/rke2/tasks/cis-hardening.yml b/roles/rke2/tasks/cis_hardening.yml similarity index 100% rename from roles/rke2/tasks/cis-hardening.yml rename to roles/rke2/tasks/cis_hardening.yml diff --git a/roles/rke2/tasks/cluster_state.yml b/roles/rke2/tasks/cluster_state.yml new file mode 100644 index 00000000..4f860e3b --- /dev/null +++ b/roles/rke2/tasks/cluster_state.yml 
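Review bot: In the `Remove` block the `lineinfile` marker check is skipped when the file does not exist, and a skipped task still registers a result with `changed: false`, so `ansible_managed_check.changed | bool is false` evaluates true and the `state: absent` task runs against a path already known to be missing. It is a no-op today, but this check is the only guard against deleting an operator-written `registries.yaml` or `audit-policy.yaml`, so make the intent explicit: `when: - stat_result.stat.exists - not ansible_managed_check.changed`. `check_mode: yes` should be `check_mode: true` to match the boolean style used elsewhere in the role. A comment above the `Remove` block stating that only files carrying the `## This is an Ansible managed file` marker are ever deleted would make the ownership heuristic visible to the next maintainer.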
@@ -0,0 +1,67 @@ +--- + +- name: Check for existing cluster + block: + - name: Check for node-token (existing cluster) + ansible.builtin.stat: + path: /var/lib/rancher/rke2/server/node-token + register: node_token_tmp + + - name: Read node-token (existing cluster) + ansible.builtin.slurp: + src: /var/lib/rancher/rke2/server/node-token + register: rke2_config_token_tmp + when: + - node_token_tmp.stat.exists + + - name: Set node-token fact (existing cluster) + ansible.builtin.set_fact: + rke2_config_token: "{{ rke2_config_token_tmp.content | b64decode | regex_replace('\n', '') }}" + when: + - rke2_config_token_tmp.stat.exists + + - name: Set node-token fact on all hosts (existing cluster) + ansible.builtin.set_fact: + rke2_config_token: "{{ hostvars[item]['rke2_config_token'] }}" + delegate_to: localhost + run_once: true + loop: "{{ groups['all'] }}" + when: "hostvars[item]['rke2_config_token'] is defined" + vars: + rke2_config_token: "{{ rke2_config_token | default('') }}" + + - name: Debug found token + ansible.builtin.debug: + msg: "rke2_config_token: {{ rke2_config_token }}" + when: rke2_config_token != "" + + - name: Read host with token (existing cluster) + ansible.builtin.set_fact: + existing_join_host: "{{ ansible_hostname }}" + when: + - node_token_tmp.stat.exists + + - name: Set join server fact on all hosts (existing cluster) + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[item]['existing_join_host'] }}" + delegate_to: localhost + run_once: true + loop: "{{ groups['all'] }}" + when: + - "hostvars[item]['existing_join_host'] is defined" + - hostvars[item]['rke2_kubernetes_api_server_host'] == "" + vars: + rke2_kubernetes_api_server_host: "{{ existing_join_host | default('') }}" + when: + - rke2_running is defined + - rke2_running + +- name: No existing cluster found and api server not set + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" + when: + - 
rke2_kubernetes_api_server_host == "" + +- name: Debug found join_server + ansible.builtin.debug: + msg: "Join Server: {{ rke2_kubernetes_api_server_host }}" diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index ab437335..3b6cf634 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml 
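Review bot: `Debug found token` prints the cluster join token (`rke2_config_token`) to stdout, and the `slurp`/`set_fact` tasks that read `/var/lib/rancher/rke2/server/node-token` carry no `no_log`, so the secret that lets any machine join this cluster as a server lands in console output, CI logs and any callback plugin. Drop the debug task or reduce it to a presence message such as `msg: "Existing cluster join token found"`, and add `no_log: true` to `Read node-token (existing cluster)`, `Set node-token fact (existing cluster)` and `Set node-token fact on all hosts (existing cluster)`. The `when: rke2_running` at the end of the block applies to the whole `Check for existing cluster` block, which is easy to miss when reading top-down; a short comment above the block saying so would help.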
@@ -7,23 +7,38 @@ recurse: yes - name: Run CIS-Hardening Tasks - ansible.builtin.include_tasks: cis-hardening.yml + ansible.builtin.include_tasks: cis_hardening.yml -- name: Configure registries.yaml - ansible.builtin.include_tasks: add-registry-config.yml +- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}" + ansible.builtin.include_tasks: add_ansible_managed_config.yml + vars: + file_contents: "{{ lookup('file', rke2_registry_config_file_path) }}" + file_destination: "/etc/rancher/rke2/registries.yaml" + file_description: "registry configuration" + file_path: "{{ rke2_registry_config_file_path }}" -- name: Configure audit policy - ansible.builtin.include_tasks: add-audit-policy-config.yml +- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}" + ansible.builtin.include_tasks: add_ansible_managed_config.yml + vars: + file_contents: "{{ lookup('file', rke2_audit_policy_config_file_path) }}" + file_destination: "/etc/rancher/rke2/audit-policy.yaml" + file_description: "audit policy configuration" + file_path: "{{ rke2_audit_policy_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'] -- name: Configure psa policy - ansible.builtin.include_tasks: add-pod-security-admission-config.yml +- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}" + ansible.builtin.include_tasks: add_ansible_managed_config.yml + vars: + file_contents: "{{ lookup('file', rke2_pod_security_admission_config_file_path) }}" + file_destination: "/etc/rancher/rke2/pod-security-admission-config.yaml" + file_description: "pod security admission config" + file_path: "{{ rke2_pod_security_admission_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'] - name: Configure first server manifests - ansible.builtin.include_tasks: add-manifest-addons.yml + ansible.builtin.include_tasks: add_manifest_addons.yml vars: src: "{{ rke2_initial_manifest_config_file_path }}" when: 
diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 2ea88adb..4904fcba 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -6,17 +6,17 @@ - name: Wait for rke2 ansible.builtin.include_tasks: wait_for_rke2.yml -- name: Add generated Token if none provided +- name: Determine generated token block: - name: Wait for node-token ansible.builtin.wait_for: path: /var/lib/rancher/rke2/server/node-token - - name: Read node-token from master + - name: Read node-token from first server ansible.builtin.slurp: src: /var/lib/rancher/rke2/server/node-token register: node_token - - name: Store Master node-token + - name: Store join node-token ansible.builtin.set_fact: rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index ea7f1092..ce04e3bb 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -43,6 +43,9 @@ - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml +- name: Determine cluster state + ansible.builtin.include_tasks: cluster_state.yml + - name: Check for images bundle ansible.builtin.include_tasks: images_bundle.yml when: @@ -71,6 +74,7 @@ - name: RKE2 on first node ansible.builtin.include_tasks: first_server.yml when: + - "rke2_config_token is not defined" - inventory_hostname in groups['rke2_servers'][0] - name: RKE2 on all other nodes @@ -78,6 +82,13 @@ when: - inventory_hostname in groups['rke2_servers'][1:] or inventory_hostname in groups.get('rke2_agents', []) + when: + - "rke2_config_token is not defined" + +- name: Confirm configuration on cluster + when: + - "existing_join_host is defined" + ansible.builtin.include_tasks: other_nodes.yml - name: Configure kubectl,crictl,ctr ansible.builtin.include_tasks: utilities.yml 
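Review bot: `Read node-token from first server` slurps `/var/lib/rancher/rke2/server/node-token` and `Store join node-token` copies the decoded value into `rke2_config_token`, and neither task has `no_log`, so with `-v` or a logging callback both the base64 blob and the plaintext join token are written to the run output. Add `no_log: true` to both tasks; the `wait_for` task can stay verbose. The `Determine generated token` block begins in this hunk but its remaining tasks and any closing condition are outside it.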
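Review bot: The new `"rke2_config_token is not defined"` guard on `RKE2 on first node` skips first-server bootstrap whenever the token variable exists, but the task name removed in the same patch (`Add generated Token if none provided`) suggests an operator may pre-seed `rke2_config_token` as a pre-shared token; in that case no server is ever started and the remaining nodes try to join a cluster that does not exist. If the intent is only to skip bootstrap when `cluster_state.yml` discovered a token on a running node, condition on the discovery result instead, e.g. `- existing_join_host is not defined`, and state in `defaults/main.yml` whether `rke2_config_token` is user-settable. I cannot see where `rke2_config_token` is declared, so this is inferred from the names in this hunk.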
@@ -85,7 +96,7 @@ - inventory_hostname in groups['rke2_servers'] - name: Configure cluster manifests - ansible.builtin.include_tasks: add-manifest-addons.yml + ansible.builtin.include_tasks: add_manifest_addons.yml vars: src: "{{ rke2_cluster_manifest_config_file_path }}" when: diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index ad60ab98..2a82ad9d 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -19,4 +19,23 @@ ansible.builtin.include_tasks: iptables_rules.yml when: - ansible_facts.services["iptables.service"] is defined - - rek2_add_iptables_rules | bool + - rke2_add_iptables_rules | bool + +- name: Add fapolicyd rules + ansible.builtin.copy: + content: "{{ fapolicyd_rules }}" + dest: /etc/fapolicyd/rules.d/80-rke2.rules + mode: '0644' + owner: root + group: fapolicyd + when: + - ansible_facts.services["fapolicyd.service"] is defined + - ansible_facts.services["fapolicyd.service"].state == "running" + vars: + fapolicyd_rules: | + allow perm=any all : dir=/var/lib/rancher/ + allow perm=any all : dir=/opt/cni/ + allow perm=any all : dir=/run/k3s/ + allow perm=any all : dir=/var/lib/kubelet/ + notify: Restart fapolicyd + diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index 44edcbcc..3e264a15 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -7,6 +7,7 @@ - ansible_facts.services["rke2-server.service"] is defined - not ansible_facts.services["rke2-server.service"].status == 'disabled' - inventory_hostname in groups['rke2_servers'] + - install_method == "tarball" - name: Set fact if rke2-server is running ansible.builtin.set_fact: 
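Review bot: The fapolicyd rules grant `perm=any` to `all` subjects for everything under `/var/lib/rancher/`, `/opt/cni/`, `/run/k3s/` and `/var/lib/kubelet/`, which exempts every container rootfs and kubelet volume on the host from application allow-listing; that is the usual way to run RKE2 under fapolicyd, but it is a deliberate widening of the trust boundary and deserves a comment above the task, e.g. `# fapolicyd exemptions RKE2 needs; these trees are outside allow-list enforcement`. The `state == "running"` condition also means a host where fapolicyd is installed but not yet started receives no rules, and a later `systemctl enable --now fapolicyd` (typical of STIG hardening plays) will then block containerd; writing the rules whenever `fapolicyd.service` is defined is safer. Ownership `root:fapolicyd` with `0644` matches what `/etc/fapolicyd/rules.d` expects.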
@@ -23,6 +24,7 @@ - ansible_facts.services["rke2-agent.service"] is defined - not ansible_facts.services["rke2-agent.service"].status == 'disabled' - inventory_hostname in groups.get('rke2_agents', []) + - install_method == "tarball" - name: Set fact if rke2-agent is running ansible.builtin.set_fact: diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 9b79a414..5edf20af 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -34,4 +34,8 @@ ansible.builtin.dnf: name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest + register: result + retries: 10 + until: result is succeeded + delay: 30 notify: "Restart {{ service_name }}" diff --git a/ansible_header.j2 b/roles/rke2/templates/ansible_managed_yaml.j2 similarity index 77% rename from ansible_header.j2 rename to roles/rke2/templates/ansible_managed_yaml.j2 index 0377d97b..3691a008 100644 --- a/ansible_header.j2 +++ b/roles/rke2/templates/ansible_managed_yaml.j2 @@ -1,3 +1,3 @@ ## This is an Ansible managed file, contents will be overwritten ## -{{ file_contents }} +{{ file_contents }} \ No newline at end of file From cadd44bea448a3269a3ea1f12ebab379dde624d4 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 21 Jun 2024 16:24:26 -0400 Subject: [PATCH 07/28] fixing some linting --- roles/rke2/tasks/cluster_state.yml | 11 +++++------ roles/rke2/tasks/main.yml | 2 -- roles/rke2/tasks/pre_reqs.yml | 1 - 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/roles/rke2/tasks/cluster_state.yml b/roles/rke2/tasks/cluster_state.yml index 4f860e3b..130fe3d2 100644 --- a/roles/rke2/tasks/cluster_state.yml +++ b/roles/rke2/tasks/cluster_state.yml @@ -1,6 +1,9 @@ --- - name: Check for existing cluster + when: + - rke2_running is defined + - rke2_running block: - name: Check for node-token (existing cluster) ansible.builtin.stat: 
@@ -18,7 +21,8 @@ ansible.builtin.set_fact: rke2_config_token: "{{ rke2_config_token_tmp.content | b64decode | regex_replace('\n', '') }}" when: - - rke2_config_token_tmp.stat.exists + - "rke2_config_token_tmp.content is defined" + - rke2_config_token_tmp.content | length != 0 - name: Set node-token fact on all hosts (existing cluster) ansible.builtin.set_fact: @@ -27,8 +31,6 @@ run_once: true loop: "{{ groups['all'] }}" when: "hostvars[item]['rke2_config_token'] is defined" - vars: - rke2_config_token: "{{ rke2_config_token | default('') }}" - name: Debug found token ansible.builtin.debug: @@ -52,9 +54,6 @@ - hostvars[item]['rke2_kubernetes_api_server_host'] == "" vars: rke2_kubernetes_api_server_host: "{{ existing_join_host | default('') }}" - when: - - rke2_running is defined - - rke2_running - name: No existing cluster found and api server not set ansible.builtin.set_fact: diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index ce04e3bb..407dfb54 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -82,8 +82,6 @@ when: - inventory_hostname in groups['rke2_servers'][1:] or inventory_hostname in groups.get('rke2_agents', []) - when: - - "rke2_config_token is not defined" - name: Confirm configuration on cluster when: diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index 2a82ad9d..93fd03eb 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -38,4 +38,3 @@ allow perm=any all : dir=/run/k3s/ allow perm=any all : dir=/var/lib/kubelet/ notify: Restart fapolicyd - From 0c36930eca4f2e6bddeaaf357850fd400cf22be0 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Mon, 24 Jun 2024 16:25:31 -0400 Subject: [PATCH 08/28] fixing some linting --- roles/rke2/tasks/add_ansible_managed_config.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml index 2da4adc3..09e8e2fc 100644 --- a/roles/rke2/tasks/add_ansible_managed_config.yml +++ b/roles/rke2/tasks/add_ansible_managed_config.yml @@ -1,5 +1,5 @@ --- -- name: "Add {{ file_description }} file" +- name: "Add {{ file_description }} file" # noqa name[template] ansible.builtin.template: src: ansible_managed_yaml.j2 dest: "{{ file_destination }}" @@ -10,16 +10,16 @@ - file_path | default("") | length != 0 notify: "Restart {{ service_name }}" -- name: "Remove {{ file_description }} file" +- name: "Remove {{ file_description }} file" # noqa name[template] when: - file_path | default("") | length == 0 block: - - name: "Check that the {{ file_description }} file exists" + - name: "Check that the {{ file_description }} file exists" # noqa name[template] ansible.builtin.stat: path: "{{ file_destination }}" register: stat_result - - name: "Check that the {{ file_description }} config file has ansible managed comments" + - name: "Check that the {{ file_description }} config file has ansible managed comments" # noqa name[template] ansible.builtin.lineinfile: name: "{{ file_destination }}" line: '## This is an Ansible managed file, contents will be overwritten ##' @@ -28,7 +28,7 @@ register: ansible_managed_check when: stat_result.stat.exists | bool is true - - name: "Remove the {{ file_description }} file if exists and has ansible managed comments" + - name: "Remove the {{ file_description }} file if exists and has ansible managed comments" # noqa name[template] ansible.builtin.file: path: "{{ file_destination }}" state: absent From aa42bf518e204b0714bdffaa7fa2772b92d5504f Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 12 Jul 2024 10:03:37 -0400 Subject: [PATCH 09/28] allowing rpm downgrade and forcing handlers on failure --- ansible.cfg | 1 + roles/rke2/tasks/rpm_install.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/ansible.cfg b/ansible.cfg index 43a4415d..a351711f 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -12,3 +12,4 @@ host_key_checking = False deprecation_warnings = False callback_whitelist = profile_roles, timer display_skipped_hosts = no +force_handlers = True diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 5edf20af..cb5e747d 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -33,7 +33,8 @@ - name: YUM-Based Install ansible.builtin.dnf: name: "{{ service_name }}-{{ rke2_version_rpm }}" - state: latest # noqa package-latest + state: installed + allow_downgrade: true register: result retries: 10 until: result is succeeded From ca258907722821677ac5ef0b3103aed9510241cb Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Tue, 23 Jul 2024 09:19:18 -0400 Subject: [PATCH 10/28] rpm install logic change --- roles/rke2/defaults/main.yml | 5 +- roles/rke2/tasks/calculate_rke2_version.yml | 118 +++++++++++++------- roles/rke2/tasks/rpm_install.yml | 12 +- 3 files changed, 79 insertions(+), 56 deletions(-) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index d853ec3b..b6371180 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -13,10 +13,11 @@ rke2_add_iptables_rules: false rke2_initial_manifest_config_file_path: "" rke2_cluster_manifest_config_file_path: "" rke2_force_tarball_install: false +rke2_install_version: "" rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" - baseurl: "https://rpm.rancher.io/rke2/stable/common/centos/$releasever/noarch" + baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/common/centos/$releasever/noarch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes 
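Review bot: `force_handlers = True` makes the `Restart rke2-server` / `Restart rke2-agent` handlers fire even after a later task in the play fails, so a host whose `config.yaml` or `registries.yaml` write failed part-way can be restarted into a broken state; the subject line says this is intentional, so record the reason next to the setting, e.g. `; restart rke2 even when the play fails so a half-applied upgrade is not left running on the old binary`. The same hunk shows `host_key_checking = False` as existing context: that disables SSH host-key verification for every run of this playbook, on the same path that distributes the cluster join token, so consider removing it and populating known_hosts instead.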
@@ -24,7 +25,7 @@ rke2_common_yum_repo: rke2_versioned_yum_repo: name: "rancher-rke2-v{{ rke2_version_majmin }}" # noqa jinja[spacing] description: "Rancher RKE2 Version" - baseurl: "https://rpm.rancher.io/rke2/stable/{{ rke2_version_majmin }}/centos/$releasever/$basearch" + baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/{{ rke2_version_majmin }}/centos/$releasever/$basearch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index d7f0c883..6670ee65 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -2,7 +2,8 @@ - name: "Determine latest version from internet" when: - - ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) + - rke2_install_version | length == 0 + - rke2_versioned_yum_repo.baseurl | search ("rpm.rancher.io") - rke2_local_install_tarball_path == "" - rke2_install_tarball_url == "" block: 
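Review bot: `rke2_versioned_yum_repo.baseurl | search ("rpm.rancher.io")` uses `search` as a filter, but in Ansible `search` is a Jinja test, and since ansible-core 2.9 tests can no longer be invoked with `|`, so this condition will most likely fail with "no filter named 'search'" on current versions; write it as `- rke2_versioned_yum_repo.baseurl is search("rpm.rancher.io")` or simply `- "'rpm.rancher.io' in rke2_versioned_yum_repo.baseurl"`. This hunk also replaces `install_rke2_version` with `rke2_install_version`; the defaults hunk above introduces the new name, but inventories still using the old variable will silently fall through to the internet lookup, so the rename belongs in the commit message or a deprecation note.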
@@ -23,49 +24,80 @@ - name: Set rke2_full_version fact ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or - (install_rke2_version | length == 0)) else install_rke2_version }}" - -- name: Set dot version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 - register: rke2_version_dot_tmp - changed_when: false - args: - executable: /usr/bin/bash - -- name: Set rke2_version_dot fact - ansible.builtin.set_fact: - rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}" + rke2_full_version: "{{ rke2_full_version.stdout if (rke2_install_version | length == 0) else rke2_install_version }}" -- name: Set Maj.Min version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" - register: rke2_version_majmin_tmp - changed_when: false - args: - executable: /usr/bin/bash +- name: "Set install version for RPM" + when: + - install_method == "rpm" + block: -- name: Set rke2_version_majmin fact - ansible.builtin.set_fact: - rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" + - name: Set dot version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 + register: rke2_version_dot_tmp + changed_when: false + args: + executable: /usr/bin/bash -- name: Set RPM version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" - register: rke2_version_rpm_tmp - changed_when: false - args: - executable: /usr/bin/bash + - name: Set rke2_version_dot fact + ansible.builtin.set_fact: + rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}" -- name: Set rke2_version_rpm fact - ansible.builtin.set_fact: - rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" - -- name: Describe versions - ansible.builtin.debug: - msg: - - "Full version, with revision indication: {{ 
rke2_full_version }}" - - "Version without revision indication: {{ rke2_version_dot }}" - - "Major and Minor Only: {{ rke2_version_majmin }}" - - "RPM Version (tilde): {{ rke2_version_rpm }}" + - name: Set Maj.Min version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" + register: rke2_version_majmin_tmp + changed_when: false + args: + executable: /usr/bin/bash + + - name: Set rke2_version_majmin fact + ansible.builtin.set_fact: + rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" + + - name: Set RPM version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + register: rke2_version_rpm_tmp + changed_when: false + args: + executable: /usr/bin/bash + + - name: Set rke2_version_rpm fact + ansible.builtin.set_fact: + rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" + + # - name: Describe versions + # ansible.builtin.debug: + # msg: + # - "Full version, with revision indication: {{ rke2_full_version }}" + # - "Version without revision indication: {{ rke2_version_dot }}" + # - "Major and Minor Only: {{ rke2_version_majmin }}" + # - "RPM Version (tilde): {{ rke2_version_rpm }}" + +- name: "Set install version for RPM" + when: + - install_method == "rpm" + block: + + - name: Set RPM version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_install_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + register: rke2_version_rpm_tmp + changed_when: false + args: + executable: /usr/bin/bash + when: + - rke2_install_version | length > 0 + + - name: Set rke2_version_rpm fact + ansible.builtin.set_fact: + rke2_version_rpm_no_dash: "{{ rke2_version_rpm_tmp.stdout }}" + when: + - rke2_version_rpm_tmp is defined + + - name: Prepend 'dash' to version string + ansible.builtin.set_fact: + rke2_version_rpm: "{{ '-' + rke2_version_rpm_no_dash }}" + when: + - rke2_version_rpm_no_dash 
is defined diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index cb5e747d..82f3a268 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -9,11 +9,6 @@ gpgcheck: "{{ rke2_common_yum_repo.gpgcheck }}" gpgkey: "{{ rke2_common_yum_repo.gpgkey }}" enabled: "{{ rke2_common_yum_repo.enabled }}" - when: - - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == "Rocky" - - ansible_facts['distribution_major_version'] == "7" or - ansible_facts['distribution_major_version'] == "8" or - ansible_facts['distribution_major_version'] == "9" # Add RKE2 versioned repo - name: Add the rke2 versioned repo CentOS/RHEL/Rocky @@ -24,15 +19,10 @@ gpgcheck: "{{ rke2_versioned_yum_repo.gpgcheck }}" gpgkey: "{{ rke2_versioned_yum_repo.gpgkey }}" enabled: "{{ rke2_versioned_yum_repo.enabled }}" - when: - - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == "Rocky" - - ansible_facts['distribution_major_version'] == "7" or - ansible_facts['distribution_major_version'] == "8" or - ansible_facts['distribution_major_version'] == "9" - name: YUM-Based Install ansible.builtin.dnf: - name: "{{ service_name }}-{{ rke2_version_rpm }}" + name: "{{ service_name }}{{ rke2_version_rpm }}" state: installed allow_downgrade: true register: result From 163cf74f4627cfe709f78320232b8a6f4b6642f1 Mon Sep 17 00:00:00 2001 
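Review bot: The second `Set install version for RPM` block re-registers `rke2_version_rpm_tmp` even when its shell task is skipped (the channel-derived path, `rke2_install_version` empty), and a skipped task registers a result with no `stdout`; the following `set_fact` is guarded only by `rke2_version_rpm_tmp is defined`, so `rke2_version_rpm_no_dash: "{{ rke2_version_rpm_tmp.stdout }}"` will raise an undefined-attribute error on every unpinned run. Even if that task were skipped too, `rke2_version_rpm` would keep the dash-less value from the first block and `rpm_install.yml` would build a package name like `rke2-server1.30.1~rke2r1`. The four bash pipelines over an operator-supplied version string are also unnecessary: `rke2_version_dot: "{{ rke2_full_version | split('+') | first }}"`, `rke2_version_majmin: "{{ rke2_full_version | regex_replace('^v', '') | regex_replace('^(\\d+\\.\\d+).*$', '\\1') }}"` and `rke2_version_rpm: "-{{ rke2_full_version | regex_replace('^v', '') | regex_replace('[+-]', '~') }}"` give the same results in one `set_fact` with no shell, and the second block can be dropped entirely.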
From: Mike DAmato Date: Tue, 23 Jul 2024 14:29:04 -0400 Subject: [PATCH 11/28] large number of changes 01 --- .gitignore | 8 +- roles/rke2/defaults/main.yml | 12 +- roles/rke2/handlers/main.yml | 4 +- roles/rke2/tasks/add_manifest_addons.yml | 32 ++- roles/rke2/tasks/check_node_ready.yml | 80 ++++++ roles/rke2/tasks/cis_hardening.yml | 5 +- roles/rke2/tasks/config.yml | 265 +----------------- roles/rke2/tasks/configure_rke2.yml | 8 +- roles/rke2/tasks/first_server.yml | 30 +- roles/rke2/tasks/main.yml | 74 +++-- roles/rke2/tasks/other_nodes.yml | 42 +-- roles/rke2/tasks/pre_reqs.yml | 2 +- roles/rke2/tasks/save_generated_token.yml | 44 +++ roles/rke2/tasks/tarball_install.yml | 56 ++-- .../manifest-example.yaml | 0 .../tarball_install}/README.md | 0 16 files changed, 286 insertions(+), 376 deletions(-) create mode 100644 roles/rke2/tasks/check_node_ready.yml create mode 100644 roles/rke2/tasks/save_generated_token.yml rename sample_files/{manifest => manifests}/manifest-example.yaml (100%) rename {tarball_install => sample_files/tarball_install}/README.md (100%) diff --git a/.gitignore b/.gitignore index 782a0c73..0e9ac3cb 100644 --- a/.gitignore +++ b/.gitignore @@ -5,9 +5,5 @@ venv/ test_inventory* -rke2-images.linux-amd64.tar.gz -rke2.linux-amd64.tar.gz - - -tarball_install/* -!tarball_install/README.md \ No newline at end of file +sample_files/tarball_install/* +!sample_files/tarball_install/README.md \ No newline at end of file diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index b6371180..15700aea 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,7 +1,7 @@ --- rke2_kubernetes_api_server_host: "" rke2_tarball_install_dir: "/usr/local" -rke2_local_install_tarball_path: "" +rke2_install_local_tarball_path: "" rke2_install_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] 
@@ -10,8 +10,8 @@ rke2_audit_policy_config_file_path: "" rke2_registry_config_file_path: "" rke2_pod_security_admission_config_file_path: "" rke2_add_iptables_rules: false -rke2_initial_manifest_config_file_path: "" -rke2_cluster_manifest_config_file_path: "" +rke2_manifest_config_directory: "" +rke2_manifest_config_post_run_directory: "" rke2_force_tarball_install: false rke2_install_version: "" rke2_common_yum_repo: @@ -29,5 +29,9 @@ rke2_versioned_yum_repo: gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes - +kubelet_node_name: + - "nodeNameNotFound" rke2_config: {} +metrics_running: false +node_ready: "false" +api_server_running: false \ No newline at end of file diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index 0c0a6258..bfd8f5e6 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -17,16 +17,16 @@ - name: Restart rke2-server ansible.builtin.service: state: restarted + enabled: true name: rke2-server - throttle: 1 when: - not rke2_reboot - name: Restart rke2-agent ansible.builtin.service: state: restarted + enabled: true name: rke2-agent - throttle: 1 when: - not rke2_reboot diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index 0b55cc88..909693c7 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml 
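Review bot: `node_ready: "false"` is a quoted string while the sibling `metrics_running: false` and `api_server_running: false` are booleans, and main.yml in this commit filters servers with `selectattr('node_ready', 'equalto', true)`, which only matches a real boolean; check_node_ready.yml likewise assigns the string `node_ready: "true"`. This appears to work only because set_fact coerces bool-like strings when jinja2_native is off; under jinja2_native the comparison would yield an empty ready_servers list and re-run the first-server bootstrap on every run. Write the fact as a boolean here and in check_node_ready.yml: `node_ready: false` / `node_ready: true`.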
@@ -1,9 +1,35 @@ --- -- name: Add manifest addons files +- name: look up manifest files on localhost + find: + paths: "{{ source_directory }}" + register: local_files_find_return + delegate_to: localhost + +- name: create array of managed files + ansible.builtin.set_fact: + managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}" + +- name: Add manifest addons files from localhost ansible.builtin.copy: - src: "{{ src }}" - dest: "/var/lib/rancher/rke2/server/manifests/" + src: "{{ source_directory | regex_replace('\\/$', '') }}/" + dest: "{{ destination_directory }}" mode: '0640' owner: root group: root + +- name: look up manifest files on remote + find: + paths: "{{ destination_directory }}" + register: remote_files_find_return + +- name: create array of remote files + ansible.builtin.set_fact: + current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}" + +- name: remove remote files not in managed files list + ansible.builtin.file: + path: "{{ destination_directory }}/{{ item }}" + state: absent + with_items: "{{current_files}}" + when: item not in managed_files diff --git a/roles/rke2/tasks/check_node_ready.yml b/roles/rke2/tasks/check_node_ready.yml new file mode 100644 index 00000000..a69e5831 --- /dev/null +++ b/roles/rke2/tasks/check_node_ready.yml 
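Review bot: `look up manifest files on localhost` and `look up manifest files on remote` use `find` with its defaults (top-level regular files only), while the `copy` of `{{ source_directory }}/` recurses, so anything in a subdirectory of the source is copied but never appears in managed_files or current_files and is never reconciled; either add `recurse: true` to both finds or document that only flat directories are supported. As far as I recall from the RKE2/K3s auto-deploy documentation, removing a file from the manifests directory does not remove the resources it created, so `remove remote files not in managed files list` should carry a comment such as `# removes the manifest file only; resources already applied by rke2 are not deleted` to avoid a false expectation. The two `find:` calls are the only non-FQCN modules in the file; `ansible.builtin.find:` keeps it consistent with the rest.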
@@ -0,0 +1,80 @@ +- name: Wait for k8s apiserver + ansible.builtin.wait_for: + host: localhost + port: "6443" + state: present + timeout: "{{ check_node_ready_timeout }}" + changed_when: false + register: api_serve_status + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: set fact + ansible.builtin.set_fact: + api_server_running: true + when: + - api_serve_status.state is not undefined + - api_serve_status.state == "present" + +- name: set fact + ansible.builtin.set_fact: + api_server_running: "{{api_server_running}}" + +- name: Get node_metrics + ansible.builtin.uri: + url: https://localhost:10250/metrics + return_content: true + ca_path: /var/lib/rancher/rke2/server/tls/server-ca.crt + client_cert: /var/lib/rancher/rke2/server/tls/client-admin.crt + client_key: /var/lib/rancher/rke2/server/tls/client-admin.key + register: node_metrics + retries: "{{ check_node_ready_retries }}" + delay: "{{ check_node_ready_delay }}" + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: Check that node_metrics collection was successful + ansible.builtin.set_fact: + metrics_running: true + when: + - 200 | string in node_metrics.status | string + +- name: set fact for metrics_running + ansible.builtin.set_fact: + metrics_running: "{{metrics_running}}" + +- name: Extract the kubelet_node_name from node metrics + ansible.builtin.set_fact: + kubelet_node_name: "{{ node_metrics.content | \ + regex_search('kubelet_node_name{node=\"(.*)\"}',\ + '\\1') }}" + when: + - 200 | string in node_metrics.status | string + +- name: Wait for node to show Ready status + ansible.builtin.command: >- + /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml + --server https://127.0.0.1:6443 get no {{ kubelet_node_name[0] }} + -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' + register: status_result + until: status_result.stdout.find("True") != -1 + retries: "{{ check_node_ready_retries }}" + delay: "{{ check_node_ready_delay }}" + changed_when: 
false + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: set fact + ansible.builtin.set_fact: + node_ready: "true" + when: + - status_result.rc is not undefined + - status_result.rc | string == "0" + +- name: set fact + ansible.builtin.set_fact: + node_ready: "{{node_ready}}" + +- name: node status + debug: + msg: | + "node_ready: {{node_ready}}" + "metrics_running: {{metrics_running}}" + "api_server_running: {{api_server_running}}" \ No newline at end of file diff --git a/roles/rke2/tasks/cis_hardening.yml b/roles/rke2/tasks/cis_hardening.yml index ec779eaf..53acff52 100644 --- a/roles/rke2/tasks/cis_hardening.yml +++ b/roles/rke2/tasks/cis_hardening.yml @@ -2,7 +2,10 @@ - name: CIS MODE become: yes - when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$') + when: + - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) block: - name: Create etcd group ansible.builtin.group: diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index cf277334..602652c7 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml 
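Review bot: `Get node_metrics` sets `retries` and `delay` but no `until`, so depending on the ansible-core version the retries are either ignored or loop only until the module itself stops failing, which is not the same as waiting for a 200; make the intent explicit with `until: node_metrics.status == 200`, after which the `200 | string in node_metrics.status | string` tests below can become `node_metrics.status == 200`. The three `set fact` tasks that assign a variable to itself (`api_server_running: "{{api_server_running}}"` and friends) read as no-ops; if they exist to coerce the role-default strings to booleans, a comment saying so is needed, otherwise drop them. `kubelet_node_name` comes out of `regex_search(..., '\\1')` as a list and is indexed as `kubelet_node_name[0]` in the kubectl command, which deserves a one-line comment, and all three repeated `set fact` task names should say what they set.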
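Review bot: The new `when:` tests `profile` on `cluster_rke2_config`, `group_rke2_config` and `host_rke2_config` separately with `or`, so a host that overrides an inherited CIS profile with a non-CIS value is still hardened, and the check diverges from the merged `rke2_config` that config.yml in this commit now builds with `combine(..., list_merge='prepend_rp')`. If cis_hardening.yml runs after config.yml, the merged view is the right source: `when: rke2_config.profile | default("") | regex_search('^cis(-\\d+\\.\\d+)?$')`; if it runs before, a comment explaining why the three sources are checked independently is needed. The `.` in the version part of the pattern is unescaped and matches any character; `\\.` is probably what is meant.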
@@ -1,258 +1,19 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - mode: "0750" -- name: Does the /etc/rancher/rke2/config.yaml file exist? - ansible.builtin.stat: - path: /etc/rancher/rke2/config.yaml - register: previous_rke2_config - -- name: Read previous_rke2_config - ansible.builtin.slurp: - src: /etc/rancher/rke2/config.yaml - register: full_orig_rke2_config - when: previous_rke2_config.stat.exists - -- name: Decode contents of slurp - ansible.builtin.set_fact: - orig_rke2_config: "{{ full_orig_rke2_config['content'] | b64decode }}" - when: previous_rke2_config.stat.exists - -- name: Create the /etc/rancher/rke2/config.yaml file - ansible.builtin.file: - path: /etc/rancher/rke2/config.yaml - state: touch - mode: "0640" - owner: root - group: root - when: not previous_rke2_config.stat.exists - -# https://github.com/ansible-collections/ansible.utils/issues/135 -- name: Ensure Ansible renders any templated variables in rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ rke2_config | default({}) }}" - -# --node-label value (agent/node) Registering and starting kubelet with set of labels -- name: Get rke2_config node-labels - ansible.builtin.set_fact: - rke2_config_node_labels: "{{ rke2_config['node-label'] | default([]) }}" - -- name: Get host var node-labels - ansible.builtin.set_fact: - host_var_node_labels: "{{ node_labels | default([]) }}" - -- name: Combine rke2_config node labels and hostvar node labels - ansible.builtin.set_fact: - all_node_labels: "{{ rke2_config_node_labels + host_var_node_labels }}" - changed_when: false - -- name: Add node labels to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-label"] - value: "{{ all_node_labels }}" - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" 
- changed_when: false - -# --node-taint value (agent/node) Registering kubelet with set of taints -- name: Get rke2_config node-taints - ansible.builtin.set_fact: - rke2_config_node_taints: "{{ rke2_config['node-taint'] | default([]) }}" - -- name: Get host var node-taints - ansible.builtin.set_fact: - host_var_node_taints: "{{ node_taints | default([]) }}" - -- name: Combine rke2_config node taints and hostvar node taints - ansible.builtin.set_fact: - all_node_taints: "{{ rke2_config_node_taints + host_var_node_taints }}" - changed_when: false - -- name: Add node labels to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-taint"] - value: "{{ all_node_taints }}" - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - changed_when: false - -# --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node -- name: Add node-ip to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-ip"] - value: "{{ node_ip }}" - when: (node_ip is defined) and (node_ip|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (node_ip is defined) and (node_ip|length > 0) - changed_when: false - -# --node-name value (agent/node) Node name [$RKE2_NODE_NAME] -- name: Add node-name to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-name"] - value: "{{ node_name }}" - when: (node_name is defined) and (node_name|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: 
(node_name is defined) and (node_name|length > 0) - changed_when: false - -# --bind-address value (listener) rke2 bind address (default: 0.0.0.0) -- name: Add bind-address to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["bind-address"] - value: "{{ bind_address }}" - when: (bind_address is defined) and (bind_address|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler +# combine host and group vars to form primary rke2_config +- name: combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (bind_address is defined) and (bind_address|length > 0) - changed_when: false - -# --advertise-address value (listener) IPv4 address that apiserver uses -# to advertise to members of the cluster (default: node-external-ip/node-ip) -- name: Add advertise-address to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["advertise-address"] - value: "{{ advertise_address }}" - when: (advertise_address is defined) and (advertise_address|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (advertise_address is defined) and (advertise_address|length > 0) - changed_when: false - -# --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node -- name: Add node-external-ip to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-external-ip"] - value: "{{ node_external_ip }}" - when: (node_external_ip is defined) and (node_external_ip|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ 
updated_rke2_config.rke2_config }}" - when: (node_external_ip is defined) and (node_external_ip|length > 0) - changed_when: false - -# --cloud-provider-name value (agent/node) Cloud provider name -- name: Add cloud-provider-name to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["cloud-provider-name"] - value: "{{ cloud_provider_name }}" - when: (cloud_provider_name is defined) and (cloud_provider_name|length > 0) - register: updated_rke2_config + temp_group_rke2_config: "{{cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler +# combine host and group vars to form primary rke2_config +- name: combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (cloud_provider_name is defined) and (cloud_provider_name|length > 0) + rke2_config: "{{temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Remove tmp config file - ansible.builtin.file: - path: /tmp/ansible-config.txt - state: absent - changed_when: false - -- name: Create tmp config.yaml - ansible.builtin.copy: - content: "{{ rke2_config | to_nice_yaml(indent=0) }}" - dest: /tmp/ansible-config.txt - mode: "0600" - owner: root - group: root - changed_when: false - -- name: Get original token - ansible.builtin.set_fact: - original_token: "{{ orig_rke2_config | regex_search('token: (.+)') }}" - when: previous_rke2_config.stat.exists - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /tmp/ansible-config.txt - line: "{{ original_token }}" - state: present - insertbefore: BOF - when: previous_rke2_config.stat.exists and original_token | length > 0 - changed_when: false - -- name: Get original server - ansible.builtin.set_fact: - original_server: "{{ 
orig_rke2_config | regex_search('server: https://(.*):9345') }}" - when: previous_rke2_config.stat.exists - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /tmp/ansible-config.txt - line: "{{ original_server }}" - state: present - insertbefore: BOF - when: previous_rke2_config.stat.exists and original_server | length > 0 - changed_when: false - -- name: Stat tmp config - ansible.builtin.stat: - path: /tmp/ansible-config.txt - register: tmp_config - changed_when: false - -- name: Get cksum of tmp config - ansible.builtin.set_fact: - tmp_sha1: "{{ tmp_config.stat.checksum }}" - changed_when: false - -- name: Drop in final /etc/rancher/rke2/config.yaml - ansible.builtin.copy: - src: /tmp/ansible-config.txt - remote_src: yes - dest: /etc/rancher/rke2/config.yaml - mode: "0640" - owner: root - group: root - backup: yes - when: not previous_rke2_config.stat.exists or (tmp_sha1 != previous_rke2_config.stat.checksum) - -- name: Remove tmp config file - ansible.builtin.file: - path: /tmp/ansible-config.txt - state: absent - changed_when: false +# write final config +- name: Create config.yaml + ansible.builtin.blockinfile: + path: /etc/rancher/rke2/config.yaml + block: "{{ rke2_config | to_nice_yaml(indent=0) }}" + create: true + notify: Restart {{service_name}} diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 3b6cf634..a9993651 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -37,10 +37,4 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Configure first server manifests - ansible.builtin.include_tasks: add_manifest_addons.yml - vars: - src: "{{ rke2_initial_manifest_config_file_path }}" - when: - - inventory_hostname in groups['rke2_servers'][0] - - rke2_initial_manifest_config_file_path | length > 0 + diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 4904fcba..080d18e5 100644 
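Review bot: `Create config.yaml` uses `blockinfile` with `create: true` but no `mode`, `owner` or `group`, so on a fresh host the file is created with the umask default (typically 0644); the removed code created it as root:root 0640, and once save_generated_token.yml has run the rendered block contains the cluster join `token`, so the secret becomes world-readable. Add `mode: "0600"`, `owner: root` and `group: root` to the task (and `backup: true` if the previous behaviour of keeping a copy is still wanted). The file also loses the task that created `/etc/rancher/rke2`; if that moved elsewhere, a comment here stating that the directory is assumed to exist would help. The two tasks named `combine host and group config vars` share a name while the first merges cluster and group config; rename the first to `combine cluster and group config vars`.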
--- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -1,22 +1,18 @@ --- -- name: Generate config.yml on first server - ansible.builtin.include_tasks: config.yml - -- name: Wait for rke2 - ansible.builtin.include_tasks: wait_for_rke2.yml -- name: Determine generated token - block: - - name: Wait for node-token - ansible.builtin.wait_for: - path: /var/lib/rancher/rke2/server/node-token +- name: Include task file config.yml + ansible.builtin.include_tasks: config.yml - - name: Read node-token from first server - ansible.builtin.slurp: - src: /var/lib/rancher/rke2/server/node-token - register: node_token +- name: flush_handlers + ansible.builtin.meta: flush_handlers - - name: Store join node-token - ansible.builtin.set_fact: - rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" +- block: + - name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 300 + check_node_ready_retries: 30 + check_node_ready_delay: 10 + check_node_ready_ignore_errors: false + any_errors_fatal: true \ No newline at end of file diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index 407dfb54..72b3fd1e 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -13,7 +13,7 @@ when: |- ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or rke2_install_tarball_url != "" or - rke2_local_install_tarball_path != "" or + rke2_install_local_tarball_path != "" or rke2_force_tarball_install|bool) - name: Set for install method of rpm @@ -21,7 +21,7 @@ install_method: rpm when: - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" - not rke2_force_tarball_install|bool 
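Review bot: The new `- block:` has no `name:`, unlike every other task in the role, and ansible-lint's name[missing] rule will flag it; add one, e.g. `- name: Wait for the first server to become Ready` above `block:`. `any_errors_fatal: true` on a block that already runs only on `groups['rke2_servers'][0]` is reasonable, but a one-line comment on why the whole play should stop here (`# no other node can join without a healthy first server`) records the intent. The file also loses its trailing newline.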
@@ -43,8 +43,7 @@ - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml -- name: Determine cluster state - ansible.builtin.include_tasks: cluster_state.yml + - name: Check for images bundle ansible.builtin.include_tasks: images_bundle.yml @@ -55,9 +54,29 @@ - name: Determine rke2_version to install ansible.builtin.include_tasks: calculate_rke2_version.yml when: - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" +- name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 2 + check_node_ready_retries: 2 + check_node_ready_delay: 2 + check_node_ready_ignore_errors: true + when: + - inventory_hostname in groups['rke2_servers'] + +- name: Create a list of ready servers + set_fact: + ready_servers: "{{ groups.rke2_servers| + map('extract', hostvars)| + selectattr('node_ready', 'equalto', true)| + map(attribute='inventory_hostname')| + list }}" + delegate_to: localhost + run_once: true + - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml when: 
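Review bot: `Create a list of ready servers` uses bare `set_fact:` where the rest of main.yml uses `ansible.builtin.set_fact:`; keep the FQCN. `delegate_to: localhost` does not change where a set_fact lands (that is `delegate_facts`), and with `run_once: true` the fact is, as I understand it, applied to every host in the play, so the delegate line can go or needs a comment explaining what it is for. A short comment on the fact itself would also help: `# servers that already answered the readiness probe; empty means bootstrap a new cluster`.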
@@ -71,21 +90,41 @@ - name: Set rke2 configuration files ansible.builtin.include_tasks: configure_rke2.yml -- name: RKE2 on first node - ansible.builtin.include_tasks: first_server.yml + + +- name: Include task file add_manifest_addons.yml + ansible.builtin.include_tasks: add_manifest_addons.yml + vars: + source_directory: "{{ rke2_manifest_config_directory }}" + destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_0 when: - - "rke2_config_token is not defined" + - rke2_manifest_config_directory is defined + - rke2_manifest_config_directory | length > 0 - inventory_hostname in groups['rke2_servers'][0] -- name: RKE2 on all other nodes - ansible.builtin.include_tasks: other_nodes.yml +# is the ready_servers array is empty, we assume it's a new cluster and use the first server in groups['rke2_servers'] +- name: Start the first rke2 node + ansible.builtin.include_tasks: first_server.yml + when: + - inventory_hostname in groups['rke2_servers'][0] + - ready_servers | length == 0 + +- name: save_generated_token.yml + ansible.builtin.include_tasks: save_generated_token.yml + vars: + token_source_node: "{{groups['rke2_servers'][0]}}" when: - - inventory_hostname in groups['rke2_servers'][1:] or - inventory_hostname in groups.get('rke2_agents', []) + - ready_servers | length == 0 -- name: Confirm configuration on cluster +# is the ready_servers array is > 0, we assume it's an established cluster and treat all nodes equally (no need for initial server procedure) +- name: save_generated_token.yml + ansible.builtin.include_tasks: save_generated_token.yml + vars: + token_source_node: "{{ready_servers[0]}}" when: - - "existing_join_host is defined" + - ready_servers | length > 0 + +- name: Start all other rke2 nodes ansible.builtin.include_tasks: other_nodes.yml - name: Configure kubectl,crictl,ctr 
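Review bot: `Start all other rke2 nodes` now includes other_nodes.yml with no `when:`, whereas the removed task restricted it to `groups['rke2_servers'][1:]` and the agents; combined with save_generated_token.yml running on every host when `ready_servers` is empty, the first server also receives a `server:` entry pointing at itself and has its config.yaml rewritten by other_nodes.yml right after bootstrapping. If that is intended (every node treated equally once a token exists), a comment should say so; otherwise restore `when: inventory_hostname != groups['rke2_servers'][0]` or the original condition. The two new comments read `is the ready_servers array is empty` / `is > 0`; `if` is meant. Both `save_generated_token.yml` tasks carry a filename as their name; `Read join token from the bootstrap server` and `Read join token from an existing ready server` would describe them.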
@@ -93,9 +132,12 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Configure cluster manifests +- name: Include task file add_manifest_addons.yml ansible.builtin.include_tasks: add_manifest_addons.yml vars: - src: "{{ rke2_cluster_manifest_config_file_path }}" + source_directory: "{{rke2_manifest_config_post_run_directory}}" + destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_1 when: + - rke2_manifest_config_post_run_directory is defined + - rke2_manifest_config_post_run_directory | length > 0 - inventory_hostname in groups['rke2_servers'][0] diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 7f7a0234..80825e32 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml 
@@ -1,39 +1,13 @@ --- -- name: Generate config.yml on other nodes - ansible.builtin.include_tasks: config.yml - -- name: Does config file already have server token? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' - register: server_token_check - failed_when: server_token_check.rc >= 2 - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}" - state: present - insertbefore: BOF +- name: Include task file add-manifest-addons.yml + ansible.builtin.include_tasks: add-manifest-addons.yml when: - - '"token:" not in server_token_check.stdout' - notify: "Restart {{ service_name }}" + - manifest_config_file_path is defined + - manifest_config_file_path | length > 0 -- name: Does config file already have server url? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' - register: server_url_check - failed_when: server_url_check.rc >= 2 - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "server: https://{{ rke2_kubernetes_api_server_host }}:9345" - state: present - insertbefore: BOF - when: - - '"server:" not in server_url_check.stdout' - notify: "Restart {{ service_name }}" +- name: Generate config.yml on other nodes + ansible.builtin.include_tasks: config.yml -- name: Wait for rke2 - ansible.builtin.include_tasks: wait_for_rke2.yml +- name: flush_handlers + ansible.builtin.meta: flush_handlers diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index 93fd03eb..e6aa81b6 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml 
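Review bot: The new include references `add-manifest-addons.yml`, but the task file in this commit is `roles/rke2/tasks/add_manifest_addons.yml` (underscores), and the guard variable `manifest_config_file_path` appears nowhere else in the patch, while add_manifest_addons.yml now expects `source_directory` and `destination_directory`; as written the task is skipped unless someone defines that variable, at which point the include fails on a missing file. Since main.yml already drives add_manifest_addons.yml for the first server, this task looks like a leftover and should be removed, or corrected to the new filename and variables. If it is kept, a comment on which node set it is meant for is needed.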
@@ -18,7 +18,7 @@ - name: Add server iptables rules ansible.builtin.include_tasks: iptables_rules.yml when: - - ansible_facts.services["iptables.service"] is defined + # - ansible_facts.services["iptables.service"] is defined - rke2_add_iptables_rules | bool - name: Add fapolicyd rules diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml new file mode 100644 index 00000000..c2742ea5 --- /dev/null +++ b/roles/rke2/tasks/save_generated_token.yml 
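Review bot: Commenting out `# - ansible_facts.services["iptables.service"] is defined` inside the `when:` list leaves dead code in the condition and means iptables_rules.yml now runs whenever `rke2_add_iptables_rules` is true, including on hosts without iptables, where the rules tasks presumably fail or do nothing. Either delete the line and record the decision (`# iptables presence is not checked here; iptables_rules.yml is expected to handle its absence`, if that is the case) or re-enable the check with a comment on why it was disabled. The task header sits above the hunk.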
@@ -0,0 +1,44 @@ + + +- name: Wait for node-token + ansible.builtin.wait_for: + path: /var/lib/rancher/rke2/server/node-token + delegate_to: "{{token_source_node}}" + +- name: Read node-token from master + ansible.builtin.slurp: + src: /var/lib/rancher/rke2/server/node-token + register: node_token + delegate_to: "{{token_source_node}}" + +- name: Store Master node-token + ansible.builtin.set_fact: + rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" + delegate_to: "{{token_source_node}}" + +- name: Set temp fact to store token config line + ansible.builtin.set_fact: + temp_token: + token: "{{ rke2_config_token }}" + +- name: Update host_rke2_config fact to contain server line + ansible.builtin.set_fact: + host_rke2_config: "{{temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + +- name: Set temp fact to store server config line with custom join server URL + ansible.builtin.set_fact: + temp_host_rke2_config: + server: "https://{{ rke2_kubernetes_api_server_host }}:9345" + when: + - rke2_kubernetes_api_server_host != "" + +- name: Set temp fact to store server config line with server URL + ansible.builtin.set_fact: + temp_host_rke2_config: + server: "https://{{ token_source_node }}:9345" + when: + - rke2_kubernetes_api_server_host == "" + +- name: Update host_rke2_config fact to contain server line + ansible.builtin.set_fact: + host_rke2_config: "{{temp_host_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index a0da6302..0aa960a2 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml 
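Review bot: The join token is read by `Read node-token from master` and carried through `rke2_config_token`, `temp_token` and `host_rke2_config` with no `no_log: true`, so any run at `-v` (or a failing task) prints the cluster join secret to the controller's output and logs; add `no_log: true` to the slurp and to each set_fact that holds the token. `delegate_to: "{{token_source_node}}"` on `Store Master node-token` has no effect for a set_fact (facts land on inventory_hostname unless `delegate_facts` is set) and can be removed. Two set_fact tasks share the name `Update host_rke2_config fact to contain server line` while the first actually adds the token; rename it `Update host_rke2_config fact to contain token line`. The file also opens with two blank lines and lacks the `---` document start used by the other task files.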
@@ -1,16 +1,4 @@ --- -# Based off of https://get.rke2.io 's do_install_tar functon - -# do_install_tar() { -# setup_tmp -# get_release_version -# info "using ${INSTALL_RKE2_VERSION:-commit $INSTALL_RKE2_COMMIT} as release" -# download_checksums -# download_tarball -# verify_tarball -# unpack_tarball -# } - - name: TARBALL | Make temp dir ansible.builtin.tempfile: state: directory 
@@ -18,45 +6,47 @@ path: "{{ tarball_tmp_dir | default(omit) }}" register: temp_dir -- name: Send provided tarball if available +- name: Set architecture specific variables + ansible.builtin.set_fact: + arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" + +- name: Determine if current version differs from what is being installed + ansible.builtin.set_fact: + rke2_version_changed: true + when: + - rke2_install_local_tarball_path == "" + - rke2_install_tarball_url == "" + - not rke2_installed or rke2_installed_version != rke2_full_version + + + +- name: Send provided tarball from local control machine if available ansible.builtin.copy: - src: "{{ inventory_dir }}/{{ rke2_local_install_tarball_path }}" - dest: "{{ temp_dir.path }}/" + src: "{{ rke2_install_local_tarball_path }}" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: '0644' when: - - rke2_local_install_tarball_path != "" + - rke2_install_local_tarball_path != "" - name: Download Tar from provided URL ansible.builtin.get_url: url: "{{ rke2_install_tarball_url }}" - dest: "{{ temp_dir.path }}/" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" when: - rke2_install_tarball_url != "" -- name: Determine if current version differs from what is being installed - ansible.builtin.set_fact: - rke2_version_changed: true - when: - - rke2_local_install_tarball_path == "" - - rke2_install_tarball_url == "" - - not rke2_installed or rke2_installed_version != rke2_full_version - -- name: Set architecture specific variables - ansible.builtin.set_fact: - arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - -- name: TARBALL | Download the tarball +- name: Download the tar from github releases ansible.builtin.get_url: url: "https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-{{ arch }}.tar.gz" dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" when: - - rke2_local_install_tarball_path == "" + - 
rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" - rke2_version_changed -- name: TARBALL | Install tar binary +- name: Ensure Tar utility installed on system ansible.builtin.package: name: tar state: present @@ -64,7 +54,7 @@ - name: Get version of provided tarball when: - - (rke2_local_install_tarball_path != "" or rke2_install_tarball_url != "") + - (rke2_install_local_tarball_path != "" or rke2_install_tarball_url != "") block: - name: Unarchive tarball into temp location ansible.builtin.unarchive: diff --git a/sample_files/manifest/manifest-example.yaml b/sample_files/manifests/manifest-example.yaml similarity index 100% rename from sample_files/manifest/manifest-example.yaml rename to sample_files/manifests/manifest-example.yaml diff --git a/tarball_install/README.md b/sample_files/tarball_install/README.md similarity index 100% rename from tarball_install/README.md rename to sample_files/tarball_install/README.md From aac6e1ba67725218251b23c3d4fc9431b93cf0a7 Mon Sep 17 00:00:00 2001 From: Mike DAmato Date: Tue, 23 Jul 2024 14:53:23 -0400 Subject: [PATCH 12/28] large number of changes 02 --- roles/rke2/tasks/calculate_rke2_version.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 6670ee65..5eaf09aa 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -4,7 +4,7 @@ when: - rke2_install_version | length == 0 - rke2_versioned_yum_repo.baseurl | search ("rpm.rancher.io") - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" block: From 892f75f4df33c67b7d67ada0b9c37a59e9dace32 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Thu, 25 Jul 2024 09:19:08 -0400 Subject: [PATCH 13/28] readding throttles --- roles/rke2/handlers/main.yml | 2 ++ 1 file changed, 2 insertions(+) 
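Review bot: `Download the tar from github releases` fetches `rke2.linux-{{ arch }}.tar.gz` with no integrity check, and the header comment deleted in the previous hunk shows the upstream install script runs `download_checksums` / `verify_tarball` before unpacking; `Download Tar from provided URL` has the same gap. `ansible.builtin.get_url` can verify on its own with `checksum:` pointing at the release's checksum file, e.g. `checksum: "sha256:https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/sha256sum-{{ arch }}.txt"` (confirm the asset name against a release), and a new variable such as `rke2_install_tarball_checksum` could serve the custom-URL path. The run of three blank lines after `rke2_version_changed` will also be flagged by yamllint's empty-lines rule.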
diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index bfd8f5e6..ac0f71cb 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -19,6 +19,7 @@ state: restarted enabled: true name: rke2-server + throttle: 1 when: - not rke2_reboot @@ -27,6 +28,7 @@ state: restarted enabled: true name: rke2-agent + throttle: 1 when: - not rke2_reboot From 2c04fa439bfecf7c44cdd7074fcfbb14becc4747 Mon Sep 17 00:00:00 2001 From: Daemonslayer2048 Date: Thu, 25 Jul 2024 09:48:50 -0500 Subject: [PATCH 14/28] Add first molecule scenario --- .gitignore | 1 + roles/rke2/molecule/README.md | 30 ++ roles/rke2/molecule/default/converge.yml | 11 + roles/rke2/molecule/default/create.yml | 333 +++++++++++++++++++ roles/rke2/molecule/default/destroy.yml | 143 ++++++++ roles/rke2/molecule/default/molecule.yml | 61 ++++ roles/rke2/molecule/default/requirements.yml | 5 + roles/rke2/molecule/requirements.txt | 28 ++ 8 files changed, 612 insertions(+) create mode 100644 roles/rke2/molecule/README.md create mode 100644 roles/rke2/molecule/default/converge.yml create mode 100644 roles/rke2/molecule/default/create.yml create mode 100644 roles/rke2/molecule/default/destroy.yml create mode 100644 roles/rke2/molecule/default/molecule.yml create mode 100644 roles/rke2/molecule/default/requirements.yml create mode 100644 roles/rke2/molecule/requirements.txt diff --git a/.gitignore b/.gitignore index 0e9ac3cb..66226d30 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ .cache/ venv/ +.venv/ test_inventory* diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md new file mode 100644 index 00000000..f4c7f605 --- /dev/null +++ b/roles/rke2/molecule/README.md 
@@ -0,0 +1,30 @@ +# Molecule Scenarios +The molecule test scenarios are based on the cookie cutter ec2 instance and require the molecule plugin here: [molecule-plugin](https://github.com/ansible-community/molecule-plugins), the pip3 `requirements.txt` can be found in this directory while the ansible specfic requirements will be installed automatically when running molecule as a part of the `requirements` stage. +As this is an ec2 based scenario an AWS account is needed, you will need to define the following variables either as environment variables or in your aws cli config file (`~/.aws/config`) + +``` +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +``` + +or +``` +[default] +aws_access_key_id= +aws_secret_access_key= +``` + +It is worth noting that the EC2 driver does not provide a way to login to EC2 instances, this needs to be done manually, your ssh key can be found in `~/.cache/molecule/rke2/default/id_rsa` and the default user is `ansible`, you will be able to login like so: +`ssh ansible@000.000.000.000 -i ~/.cache/molecule/rke2/default/id_rsa` note that the keys location is dependant on the scenario name. + +# Available Scenarios +## default +The default scenario is the simplest possible scenario, with a single Ubuntu 20.04 master node and a single Ubuntu 20.04 worker node. + +# To Do + - Add tests + - Ensure node labels are applied + - Ensure setting CIS profile works as expected + - Add scenrios for all supported platforms + - Rocky + - SLES \ No newline at end of file diff --git a/roles/rke2/molecule/default/converge.yml b/roles/rke2/molecule/default/converge.yml new file mode 100644 index 00000000..1966131f --- /dev/null +++ b/roles/rke2/molecule/default/converge.yml 
@@ -0,0 +1,11 @@ +--- +- name: Converge + hosts: all + gather_facts: true + pre_tasks: + - name: Set api_server_host + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" + roles: + - role: rke2 + become: true \ No newline at end of file diff --git a/roles/rke2/molecule/default/create.yml b/roles/rke2/molecule/default/create.yml new file mode 100644 index 00000000..c128de68 --- /dev/null +++ b/roles/rke2/molecule/default/create.yml 
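Review bot: `rke2_kubernetes_api_server_host` is set from `ansible_host` of the first server, and in this scenario that is the instance's public address (create.yml records `public_ip_address` whenever `assign_public_ip` is true), so the agent joins the supervisor over the internet-facing path rather than the VPC-internal one, which is also what forces the 9345/6443 security-group rules to be world-open. Since the play gathers facts for all hosts before `pre_tasks`, the private address is available and would keep node-to-node traffic inside the VPC: `rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_default_ipv4.address }}"` — confirm on the chosen image that the default interface is the VPC-attached one. A one-line comment above the task stating which address is intended (`# join via the first server's VPC-private address, not the public IP`) would stop the two from being confused later.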
@@ -0,0 +1,333 @@ +--- +- name: Create + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_assign_public_ip: true + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_boot_wait_seconds: 120 + default_instance_type: t2.medium + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" + default_public_key_path: "{{ default_private_key_path }}.pub" + default_ssh_user: ansible + default_ssh_port: 22 + default_user_data: '' + + default_security_group_name: "molecule-{{ run_config.run_id }}" + default_security_group_description: Ephemeral security group for Molecule instances + default_security_group_rules: + - proto: tcp + from_port: "{{ default_ssh_port }}" + to_port: "{{ default_ssh_port }}" + cidr_ip: "0.0.0.0/0" + - proto: icmp + from_port: 8 + to_port: -1 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 9345 + to_port: 9345 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 6443 + to_port: 6443 + cidr_ip: "0.0.0.0/0" + default_security_group_rules_egress: + - proto: -1 + from_port: 0 + to_port: 0 + cidr_ip: "0.0.0.0/0" + + platform_defaults: + assign_public_ip: "{{ default_assign_public_ip }}" + aws_profile: "{{ default_aws_profile }}" + boot_wait_seconds: "{{ default_boot_wait_seconds }}" + instance_type: "{{ default_instance_type }}" + key_inject_method: "{{ 
default_key_inject_method }}" + key_name: "{{ default_key_name }}" + private_key_path: "{{ default_private_key_path }}" + public_key_path: "{{ default_public_key_path }}" + security_group_name: "{{ default_security_group_name }}" + security_group_description: "{{ default_security_group_description }}" + security_group_rules: "{{ default_security_group_rules }}" + security_group_rules_egress: "{{ default_security_group_rules_egress }}" + ssh_user: "{{ default_ssh_user }}" + ssh_port: "{{ default_ssh_port }}" + cloud_config: {} + image: "" + image_name: "" + image_owner: [self] + name: "" + region: "" + security_groups: [] + tags: {} + volumes: [] + vpc_id: "" + vpc_subnet_id: "" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.assign_public_ip is boolean + - platform.aws_profile is string + - platform.boot_wait_seconds is integer and platform.boot_wait_seconds >= 0 + - platform.cloud_config is mapping + - platform.image is string + - platform.image_name is string + - platform.image_owner is sequence or (platform.image_owner is string and platform.image_owner | length > 0) + - platform.instance_type is string and platform.instance_type | length > 0 + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.private_key_path is string and platform.private_key_path | length > 0 + - platform.public_key_path is string and platform.public_key_path | length > 0 + - platform.region is string + - platform.security_group_name is string and platform.security_group_name | length > 0 + - 
platform.security_group_description is string and platform.security_group_description | length > 0 + - platform.security_group_rules is sequence + - platform.security_group_rules_egress is sequence + - platform.security_groups is sequence + - platform.ssh_user is string and platform.ssh_user | length > 0 + - platform.ssh_port is integer and platform.ssh_port in range(1, 65536) + - platform.tags is mapping + - platform.volumes is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Write run config to file + ansible.builtin.copy: + dest: "{{ run_config_path }}" + content: "{{ run_config | to_yaml }}" + mode: "0600" + + - name: Generate local key pairs + community.crypto.openssh_keypair: + path: "{{ item.private_key_path }}" + type: rsa + size: 2048 + regenerate: never + backend: cryptography + private_key_format: pkcs1 + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: local_keypairs + + - name: Look up EC2 AMI(s) by owner and name (if image not set) + amazon.aws.ec2_ami_info: + owners: "{{ item.image_owner }}" + filters: "{{ item.image_filters | default({}) | combine(image_name_map) }}" + vars: + image_name_map: "{% if item.image_name is defined and item.image_name | length > 0 %}{{ {'name': item.image_name} }}{% else %}{}{% endif %}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.image + register: ami_info + + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: + - platform.image or (ami_info.results[index].images | length > 0) + - 
platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Create ephemeral EC2 keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + key_material: "{{ local_keypair.public_key }}" + vars: + local_keypair: "{{ local_keypairs.results[index] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" + register: ec2_keys + + - name: Create ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + profile: "{{ item.aws_profile | default(omit) }}" + iam_instance_profile: "{{ item.iam_instance_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + description: "{{ item.security_group_description }}" + rules: "{{ item.security_group_rules }}" + rules_egress: "{{ item.security_group_rules_egress }}" + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Create ephemeral EC2 instance(s) + amazon.aws.ec2_instance: + name: "{{ item.name }}" + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + filters: "{{ platform_filters }}" + instance_type: "{{ item.instance_type }}" + image_id: "{{ platform_image_id }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + security_groups: "{{ platform_security_groups }}" + network: + assign_public_ip: "{{ item.assign_public_ip }}" + volumes: "{{ item.volumes }}" + key_name: "{{ (item.key_inject_method == 'ec2') | ternary(item.key_name, omit) }}" + tags: "{{ platform_tags }}" + user_data: "{{ 
platform_user_data }}" + state: "running" + wait: true + vars: + platform_security_groups: "{{ item.security_groups or [item.security_group_name] }}" + platform_generated_image_id: "{{ (ami_info.results[index].images | sort(attribute='creation_date', reverse=True))[0].image_id }}" + platform_image_id: "{{ item.image or platform_generated_image_id }}" + + platform_generated_cloud_config: + users: + - name: "{{ item.ssh_user }}" + ssh_authorized_keys: + - "{{ local_keypairs.results[index].public_key }}" + sudo: "ALL=(ALL) NOPASSWD:ALL" + platform_cloud_config: >- + {{ (item.key_inject_method == 'cloud-init') + | ternary((item.cloud_config | combine(platform_generated_cloud_config)), item.cloud_config) }} + platform_user_data: |- + #cloud-config + {{ platform_cloud_config | to_yaml }} + + platform_generated_tags: + instance: "{{ item.name }}" + molecule-run-id: "{{ run_config.run_id }}" + platform_tags: "{{ (item.tags or {}) | combine(platform_generated_tags) }}" + platform_filter_keys: "{{ platform_generated_tags.keys() | map('regex_replace', '^(.+)$', 'tag:\\1') }}" + platform_filters: "{{ dict(platform_filter_keys | zip(platform_generated_tags.values())) }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Instance boot block + when: ec2_instances_async is changed + block: + - name: Wait for instance creation to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Collect instance configs + ansible.builtin.set_fact: + instance_config: + instance: "{{ item.name }}" + address: "{{ item.assign_public_ip | ternary(instance.public_ip_address, instance.private_ip_address) }}" + user: "{{ item.ssh_user }}" + port: "{{ item.ssh_port }}" + 
identity_file: "{{ item.private_key_path }}" + instance_ids: + - "{{ instance.instance_id }}" + vars: + instance: "{{ ec2_instances.results[index].instances[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: instance_configs + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: >- + {{ instance_configs.results + | map(attribute='ansible_facts.instance_config') + | list + | to_json + | from_json + | to_yaml }} + mode: "0600" + + - name: Start SSH pollers + ansible.builtin.wait_for: + host: "{{ item.address }}" + port: "{{ item.port }}" + search_regex: SSH + delay: 10 + timeout: 320 + loop: "{{ instance_configs.results | map(attribute='ansible_facts.instance_config') | list }}" + loop_control: + label: "{{ item.instance }}" + register: ssh_wait_async + async: 300 + poll: 0 + + - name: Wait for SSH + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ssh_wait_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ssh_wait + until: ssh_wait is finished + retries: 300 + delay: 1 + + - name: Wait for boot process to finish + ansible.builtin.pause: + seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file diff --git a/roles/rke2/molecule/default/destroy.yml b/roles/rke2/molecule/default/destroy.yml new file mode 100644 index 00000000..54ca53bd --- /dev/null +++ b/roles/rke2/molecule/default/destroy.yml 
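Review bot: `default_security_group_rules` opens 22, 9345 and 6443 to `0.0.0.0/0` on instances that receive a public IP, so every test run exposes the RKE2 supervisor and the Kubernetes API to the whole internet for the lifetime of the instances (and beyond it, if destroy fails). Inbound 9345/6443 only needs to be reachable from the other node and the runner: restricting those two rules to the subnet's `cidr_block` (available from `subnet_info`) and SSH to an operator-supplied range, e.g. `cidr_ip: "{{ lookup('env', 'MOLECULE_SSH_CIDR') | default('0.0.0.0/0', true) }}"` with the default called out in the README, keeps the exposure to the ephemeral key and the test VPC — note the subnet restriction only works if converge points agents at the servers' private address. Two smaller points in the same hunk: the `ec2_ami_info` and `ec2_vpc_subnet_info` tasks omit `profile`/`region` while destroy.yml passes both, so a platform whose `region` differs from the CLI default will fail or resolve the wrong subnet; and `iam_instance_profile` is passed to `ec2_security_group`, which as far as I know does not accept that option (it belongs on `ec2_instance`), so setting it on a platform errors instead of reaching the instance.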
@@ -0,0 +1,143 @@ +--- +- name: Destroy + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_security_group_name: "molecule-{{ run_config.run_id }}" + + platform_defaults: + aws_profile: "{{ default_aws_profile }}" + key_inject_method: "{{ default_key_inject_method }}" + key_name: "{{ default_key_name }}" + region: "" + security_group_name: "{{ default_security_group_name }}" + security_groups: [] + vpc_id: "" + vpc_subnet_id: "" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + + # Stored instance config + instance_config: "{{ (lookup('file', molecule_instance_config, errors='ignore') or '{}') | from_yaml }}" + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.aws_profile is string + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.region is string + - platform.security_group_name is string and platform.security_group_name 
| length > 0 + - platform.security_groups is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Destroy resources + when: instance_config | length != 0 + block: + - name: Destroy ephemeral EC2 instances + amazon.aws.ec2_instance: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + instance_ids: "{{ instance_config | map(attribute='instance_ids') | flatten }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + state: absent + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Wait for instance destruction to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: "{{ {} | to_yaml }}" + + - name: Destroy ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + profile: "{{ item.aws_profile | 
default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + state: absent + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Destroy ephemeral keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + state: absent + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" \ No newline at end of file diff --git a/roles/rke2/molecule/default/molecule.yml b/roles/rke2/molecule/default/molecule.yml new file mode 100644 index 00000000..f6834eaa --- /dev/null +++ b/roles/rke2/molecule/default/molecule.yml 
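Review bot: The `Destroy resources` block is gated on `instance_config | length != 0`, but create.yml writes the instance config only after the security group and EC2 key pair already exist, so a create that fails between those steps (bad AMI, capacity, boot timeout) leaves a `molecule-<run_id>` group with world-open 22/9345/6443 rules and an orphaned key in the account, and a subsequent `molecule destroy` skips both. The group and key names derive from `run_config.run_id`, which is persisted in `run-config.yml` independently of the instance config, so `Destroy ephemeral security groups` and `Destroy ephemeral keys` can run outside the block with their own `when:` conditions while only the instance termination and the config reset stay gated. If instances are still terminating the group delete may be rejected as still in use, so a `retries`/`until` on that task is worth considering. Minor: the config-reset `copy` lacks the `mode: "0600"` that create.yml sets on the same file.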
@@ -0,0 +1,61 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-0862be96e41dcbf74 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + vpc_subnet_id: subnet-095d88c4efe5abf6a + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-0862be96e41dcbf74 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + vpc_subnet_id: subnet-095d88c4efe5abf6a + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: converge.yml + inventory: + hosts: + rke2_cluster: + vars: + rke2_install_version: v1.27.15+rke2r1 + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/default/requirements.yml b/roles/rke2/molecule/default/requirements.yml new file mode 100644 index 00000000..4ece6bc1 --- /dev/null +++ b/roles/rke2/molecule/default/requirements.yml @@ -0,0 +1,5 @@ +--- +collections: + - name: ansible.utils + - name: amazon.aws + - name: community.crypto \ No newline at end of file diff --git a/roles/rke2/molecule/requirements.txt b/roles/rke2/molecule/requirements.txt new file mode 100644 index 00000000..60a88857 --- /dev/null +++ b/roles/rke2/molecule/requirements.txt 
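Review bot: `image: ami-0862be96e41dcbf74` pins the image by ID only, and because create.yml skips the `ec2_ami_info` lookup whenever `image` is set, nothing checks who published it — an AMI ID carries no publisher identity, so a typo or a copied ID resolves to whatever account owns it. Either use the `image_name`/`image_owner` pair the template already supports, with the owner pinned to the publisher's account so the lookup enforces provenance, or keep the ID and record its provenance beside it, e.g. `image: ami-0862be96e41dcbf74  # <distro/release>, us-east-2, owner <account id>, verified <date>`. The ID is also region-specific, so it is only valid together with `region: us-east-2` on the same platform; a comment noting that coupling would save the next person a confusing failure when changing one without the other.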
@@ -0,0 +1,28 @@ +ansible-compat==24.7.0 +ansible-core==2.17.2 +attrs==23.2.0 +bracex==2.4 +cffi==1.16.0 +click==8.1.7 +click-help-colors==0.9.4 +cryptography==42.0.8 +enrich==1.2.7 +Jinja2==3.1.4 +jsonschema==4.23.0 +jsonschema-specifications==2023.12.1 +markdown-it-py==3.0.0 +MarkupSafe==2.1.5 +mdurl==0.1.2 +molecule==24.7.0 +molecule-plugins==23.5.3 +packaging==24.1 +pluggy==1.5.0 +pycparser==2.22 +Pygments==2.18.0 +PyYAML==6.0.1 +referencing==0.35.1 +resolvelib==1.0.1 +rich==13.7.1 +rpds-py==0.19.0 +subprocess-tee==0.4.2 +wcmatch==8.5.2 From 329548d1c090cfd9f5e593df2d9329b637c66d6e Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Thu, 25 Jul 2024 10:14:11 -0500 Subject: [PATCH 15/28] Move VPC subnet to env var --- roles/rke2/molecule/README.md | 2 ++ roles/rke2/molecule/default/create.yml | 2 +- roles/rke2/molecule/default/destroy.yml | 2 +- roles/rke2/molecule/default/molecule.yml | 2 -- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md index f4c7f605..0847c961 100644 --- a/roles/rke2/molecule/README.md +++ b/roles/rke2/molecule/README.md @@ -17,6 +17,8 @@ aws_secret_access_key= It is worth noting that the EC2 driver does not provide a way to login to EC2 instances, this needs to be done manually, your ssh key can be found in `~/.cache/molecule/rke2/default/id_rsa` and the default user is `ansible`, you will be able to login like so: `ssh ansible@000.000.000.000 -i ~/.cache/molecule/rke2/default/id_rsa` note that the keys location is dependant on the scenario name. +The `vpc_subnet_id` key has been removed as a defined variable and is pulled from the environment variable `VPC_SUBNET_ID`. Other than the AWS keys needed this is the only environment variable required. + # Available Scenarios ## default The default scenario is the simplest possible scenario, with a single Ubuntu 20.04 master node and a single Ubuntu 20.04 worker node. 
diff --git a/roles/rke2/molecule/default/create.yml b/roles/rke2/molecule/default/create.yml index c128de68..50ffe4a9 100644 --- a/roles/rke2/molecule/default/create.yml +++ b/roles/rke2/molecule/default/create.yml @@ -77,7 +77,7 @@ tags: {} volumes: [] vpc_id: "" - vpc_subnet_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" # Merging defaults into a list of dicts is, it turns out, not straightforward platforms: >- diff --git a/roles/rke2/molecule/default/destroy.yml b/roles/rke2/molecule/default/destroy.yml index 54ca53bd..ea993823 100644 --- a/roles/rke2/molecule/default/destroy.yml +++ b/roles/rke2/molecule/default/destroy.yml @@ -28,7 +28,7 @@ security_group_name: "{{ default_security_group_name }}" security_groups: [] vpc_id: "" - vpc_subnet_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" # Merging defaults into a list of dicts is, it turns out, not straightforward platforms: >- diff --git a/roles/rke2/molecule/default/molecule.yml b/roles/rke2/molecule/default/molecule.yml index f6834eaa..73833d34 100644 --- a/roles/rke2/molecule/default/molecule.yml +++ b/roles/rke2/molecule/default/molecule.yml @@ -8,7 +8,6 @@ platforms: instance_type: t2.medium region: us-east-2 assign_public_ip: true - vpc_subnet_id: subnet-095d88c4efe5abf6a tags: deployed-with: "molecule" molecule-scenario: "default" @@ -19,7 +18,6 @@ platforms: instance_type: t2.medium region: us-east-2 assign_public_ip: true - vpc_subnet_id: subnet-095d88c4efe5abf6a tags: deployed-with: "molecule" molecule-scenario: "default" From c65fa36715ac96032690ef826fee4425a2987dac Mon Sep 17 00:00:00 2001 
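Review bot: `vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}"` expands to an empty string when the variable is unset; the existing `platform.vpc_subnet_id ... | length > 0` assertion in `pre_tasks` (outside this hunk) will catch it, but the operator then sees a failed Jinja expression rather than being told which environment variable is missing. Adding `fail_msg: "VPC_SUBNET_ID must be set to the subnet the test instances are created in"` to that assert, or a dedicated check before it, makes the one required variable self-documenting. A bare `VPC_SUBNET_ID` is also easy to collide with in shared CI environments; a `MOLECULE_`-prefixed name would match the `MOLECULE_EPHEMERAL_DIRECTORY` convention already used in the same vars block and needs only the README line updated.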
From: Jacob Hanafin Date: Thu, 25 Jul 2024 12:20:28 -0500 Subject: [PATCH 16/28] Convert default scenario to a template and ubuntu-2404 --- roles/rke2/molecule/README.md | 8 +- .../{default => template}/converge.yml | 0 .../molecule/{default => template}/create.yml | 0 .../{default => template}/destroy.yml | 0 .../{default => template}/requirements.yml | 0 roles/rke2/molecule/ubuntu-2404/converge.yml | 11 + roles/rke2/molecule/ubuntu-2404/create.yml | 333 ++++++++++++++++++ roles/rke2/molecule/ubuntu-2404/destroy.yml | 143 ++++++++ .../{default => ubuntu-2404}/molecule.yml | 5 +- .../molecule/ubuntu-2404/requirements.yml | 5 + 10 files changed, 502 insertions(+), 3 deletions(-) rename roles/rke2/molecule/{default => template}/converge.yml (100%) rename roles/rke2/molecule/{default => template}/create.yml (100%) rename roles/rke2/molecule/{default => template}/destroy.yml (100%) rename roles/rke2/molecule/{default => template}/requirements.yml (100%) create mode 100644 roles/rke2/molecule/ubuntu-2404/converge.yml create mode 100644 roles/rke2/molecule/ubuntu-2404/create.yml create mode 100644 roles/rke2/molecule/ubuntu-2404/destroy.yml rename roles/rke2/molecule/{default => ubuntu-2404}/molecule.yml (89%) create mode 100644 roles/rke2/molecule/ubuntu-2404/requirements.yml diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md index 0847c961..0f5a9743 100644 --- a/roles/rke2/molecule/README.md +++ b/roles/rke2/molecule/README.md 
@@ -20,8 +20,12 @@ It is worth noting that the EC2 driver does not provide a way to login to EC2 in The `vpc_subnet_id` key has been removed as a defined variable and is pulled from the environment variable `VPC_SUBNET_ID`. Other than the AWS keys needed this is the only environment variable required. # Available Scenarios -## default -The default scenario is the simplest possible scenario, with a single Ubuntu 20.04 master node and a single Ubuntu 20.04 worker node. +## template +As the name would imply this is a template scenario, no one is supposed to run this and it will not ever work. The purpose is to prevent other scenarios from having to rewrite or copy from one another, this also allows changes to be shared across all scenarios that are descendants of the template. + +## ubuntu-2404 +The ubuntu-2404 scenario is the simplest possible scenario, with a single Ubuntu 24.04 master node and a single Ubuntu 20.04 worker node. + # To Do - Add tests diff --git a/roles/rke2/molecule/default/converge.yml b/roles/rke2/molecule/template/converge.yml similarity index 100% rename from roles/rke2/molecule/default/converge.yml rename to roles/rke2/molecule/template/converge.yml diff --git a/roles/rke2/molecule/default/create.yml b/roles/rke2/molecule/template/create.yml similarity index 100% rename from roles/rke2/molecule/default/create.yml rename to roles/rke2/molecule/template/create.yml diff --git a/roles/rke2/molecule/default/destroy.yml b/roles/rke2/molecule/template/destroy.yml similarity index 100% rename from roles/rke2/molecule/default/destroy.yml rename to roles/rke2/molecule/template/destroy.yml diff --git a/roles/rke2/molecule/default/requirements.yml b/roles/rke2/molecule/template/requirements.yml similarity index 100% rename from roles/rke2/molecule/default/requirements.yml rename to roles/rke2/molecule/template/requirements.yml 
diff --git a/roles/rke2/molecule/ubuntu-2404/converge.yml b/roles/rke2/molecule/ubuntu-2404/converge.yml new file mode 100644 index 00000000..1966131f --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/converge.yml @@ -0,0 +1,11 @@ +--- +- name: Converge + hosts: all + gather_facts: true + pre_tasks: + - name: Set api_server_host + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" + roles: + - role: rke2 + become: true \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/create.yml b/roles/rke2/molecule/ubuntu-2404/create.yml new file mode 100644 index 00000000..50ffe4a9 --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/create.yml 
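Review bot: This file and the create.yml/destroy.yml added beside it are byte-for-byte copies of the template scenario (the new-file blob ids `1966131f` and `50ffe4a9` are the same as the renamed template files), which defeats the stated purpose of the template — a fix to the security-group rules or the destroy cleanup now has to be applied in every scenario and will diverge silently. As far as I recall Molecule resolves `provisioner.playbooks` entries relative to the scenario directory, so the scenario's molecule.yml can point `create`, `destroy` and `converge` at `../template/<name>.yml` instead of carrying copies; if that does not work in the pinned Molecule version, a symlink per file achieves the same. If copies are kept deliberately, a header comment in each copy naming the template it was taken from would at least tell a maintainer where the canonical version lives.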
@@ -0,0 +1,333 @@ +--- +- name: Create + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_assign_public_ip: true + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_boot_wait_seconds: 120 + default_instance_type: t2.medium + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" + default_public_key_path: "{{ default_private_key_path }}.pub" + default_ssh_user: ansible + default_ssh_port: 22 + default_user_data: '' + + default_security_group_name: "molecule-{{ run_config.run_id }}" + default_security_group_description: Ephemeral security group for Molecule instances + default_security_group_rules: + - proto: tcp + from_port: "{{ default_ssh_port }}" + to_port: "{{ default_ssh_port }}" + cidr_ip: "0.0.0.0/0" + - proto: icmp + from_port: 8 + to_port: -1 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 9345 + to_port: 9345 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 6443 + to_port: 6443 + cidr_ip: "0.0.0.0/0" + default_security_group_rules_egress: + - proto: -1 + from_port: 0 + to_port: 0 + cidr_ip: "0.0.0.0/0" + + platform_defaults: + assign_public_ip: "{{ default_assign_public_ip }}" + aws_profile: "{{ default_aws_profile }}" + boot_wait_seconds: "{{ default_boot_wait_seconds }}" + instance_type: "{{ default_instance_type }}" + key_inject_method: "{{ 
default_key_inject_method }}" + key_name: "{{ default_key_name }}" + private_key_path: "{{ default_private_key_path }}" + public_key_path: "{{ default_public_key_path }}" + security_group_name: "{{ default_security_group_name }}" + security_group_description: "{{ default_security_group_description }}" + security_group_rules: "{{ default_security_group_rules }}" + security_group_rules_egress: "{{ default_security_group_rules_egress }}" + ssh_user: "{{ default_ssh_user }}" + ssh_port: "{{ default_ssh_port }}" + cloud_config: {} + image: "" + image_name: "" + image_owner: [self] + name: "" + region: "" + security_groups: [] + tags: {} + volumes: [] + vpc_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.assign_public_ip is boolean + - platform.aws_profile is string + - platform.boot_wait_seconds is integer and platform.boot_wait_seconds >= 0 + - platform.cloud_config is mapping + - platform.image is string + - platform.image_name is string + - platform.image_owner is sequence or (platform.image_owner is string and platform.image_owner | length > 0) + - platform.instance_type is string and platform.instance_type | length > 0 + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.private_key_path is string and platform.private_key_path | length > 0 + - platform.public_key_path is string and platform.public_key_path | length > 0 + - platform.region is string + - platform.security_group_name is string and 
platform.security_group_name | length > 0 + - platform.security_group_description is string and platform.security_group_description | length > 0 + - platform.security_group_rules is sequence + - platform.security_group_rules_egress is sequence + - platform.security_groups is sequence + - platform.ssh_user is string and platform.ssh_user | length > 0 + - platform.ssh_port is integer and platform.ssh_port in range(1, 65536) + - platform.tags is mapping + - platform.volumes is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Write run config to file + ansible.builtin.copy: + dest: "{{ run_config_path }}" + content: "{{ run_config | to_yaml }}" + mode: "0600" + + - name: Generate local key pairs + community.crypto.openssh_keypair: + path: "{{ item.private_key_path }}" + type: rsa + size: 2048 + regenerate: never + backend: cryptography + private_key_format: pkcs1 + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: local_keypairs + + - name: Look up EC2 AMI(s) by owner and name (if image not set) + amazon.aws.ec2_ami_info: + owners: "{{ item.image_owner }}" + filters: "{{ item.image_filters | default({}) | combine(image_name_map) }}" + vars: + image_name_map: "{% if item.image_name is defined and item.image_name | length > 0 %}{{ {'name': item.image_name} }}{% else %}{}{% endif %}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.image + register: ami_info + + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: + - platform.image or 
(ami_info.results[index].images | length > 0) + - platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Create ephemeral EC2 keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + key_material: "{{ local_keypair.public_key }}" + vars: + local_keypair: "{{ local_keypairs.results[index] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" + register: ec2_keys + + - name: Create ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + profile: "{{ item.aws_profile | default(omit) }}" + iam_instance_profile: "{{ item.iam_instance_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + description: "{{ item.security_group_description }}" + rules: "{{ item.security_group_rules }}" + rules_egress: "{{ item.security_group_rules_egress }}" + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Create ephemeral EC2 instance(s) + amazon.aws.ec2_instance: + name: "{{ item.name }}" + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + filters: "{{ platform_filters }}" + instance_type: "{{ item.instance_type }}" + image_id: "{{ platform_image_id }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + security_groups: "{{ platform_security_groups }}" + network: + assign_public_ip: "{{ item.assign_public_ip }}" + volumes: "{{ item.volumes }}" + key_name: "{{ (item.key_inject_method == 'ec2') | ternary(item.key_name, omit) 
}}" + tags: "{{ platform_tags }}" + user_data: "{{ platform_user_data }}" + state: "running" + wait: true + vars: + platform_security_groups: "{{ item.security_groups or [item.security_group_name] }}" + platform_generated_image_id: "{{ (ami_info.results[index].images | sort(attribute='creation_date', reverse=True))[0].image_id }}" + platform_image_id: "{{ item.image or platform_generated_image_id }}" + + platform_generated_cloud_config: + users: + - name: "{{ item.ssh_user }}" + ssh_authorized_keys: + - "{{ local_keypairs.results[index].public_key }}" + sudo: "ALL=(ALL) NOPASSWD:ALL" + platform_cloud_config: >- + {{ (item.key_inject_method == 'cloud-init') + | ternary((item.cloud_config | combine(platform_generated_cloud_config)), item.cloud_config) }} + platform_user_data: |- + #cloud-config + {{ platform_cloud_config | to_yaml }} + + platform_generated_tags: + instance: "{{ item.name }}" + molecule-run-id: "{{ run_config.run_id }}" + platform_tags: "{{ (item.tags or {}) | combine(platform_generated_tags) }}" + platform_filter_keys: "{{ platform_generated_tags.keys() | map('regex_replace', '^(.+)$', 'tag:\\1') }}" + platform_filters: "{{ dict(platform_filter_keys | zip(platform_generated_tags.values())) }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Instance boot block + when: ec2_instances_async is changed + block: + - name: Wait for instance creation to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Collect instance configs + ansible.builtin.set_fact: + instance_config: + instance: "{{ item.name }}" + address: "{{ item.assign_public_ip | ternary(instance.public_ip_address, instance.private_ip_address) }}" + user: "{{ 
item.ssh_user }}" + port: "{{ item.ssh_port }}" + identity_file: "{{ item.private_key_path }}" + instance_ids: + - "{{ instance.instance_id }}" + vars: + instance: "{{ ec2_instances.results[index].instances[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: instance_configs + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: >- + {{ instance_configs.results + | map(attribute='ansible_facts.instance_config') + | list + | to_json + | from_json + | to_yaml }} + mode: "0600" + + - name: Start SSH pollers + ansible.builtin.wait_for: + host: "{{ item.address }}" + port: "{{ item.port }}" + search_regex: SSH + delay: 10 + timeout: 320 + loop: "{{ instance_configs.results | map(attribute='ansible_facts.instance_config') | list }}" + loop_control: + label: "{{ item.instance }}" + register: ssh_wait_async + async: 300 + poll: 0 + + - name: Wait for SSH + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ssh_wait_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ssh_wait + until: ssh_wait is finished + retries: 300 + delay: 1 + + - name: Wait for boot process to finish + ansible.builtin.pause: + seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/destroy.yml b/roles/rke2/molecule/ubuntu-2404/destroy.yml new file mode 100644 index 00000000..ea993823 --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/destroy.yml 
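Review bot: `default_security_group_rules` opens SSH (22), the RKE2 supervisor port (9345) and the Kubernetes API (6443) to `0.0.0.0/0`, and with `default_assign_public_ip: true` every test node gets a public address, so each run exposes the cluster's control-plane ports to the whole internet for as long as the instances live. Take the ingress CIDR from the environment the way `VPC_SUBNET_ID` already is, and keep node-to-node traffic working with a self-referencing group rule so restricting the CIDR does not break the worker joining the server; a sketch follows. Separately, the `ec2_ami_info` and `ec2_vpc_subnet_info` lookups in this file pass no `profile`/`region`, unlike every later task and the subnet lookup in destroy.yml, so a platform with its own `aws_profile`/`region` resolves its AMI and VPC against the ambient credentials instead — add `profile: "{{ item.aws_profile | default(omit) }}"` and `region: "{{ item.region | default(omit) }}"` to both.
```yaml
    # Ingress is limited to the operator-supplied CIDR; leaving it unset keeps today's world-open behaviour.
    default_ingress_cidr: "{{ lookup('env', 'MOLECULE_INGRESS_CIDR') | default('0.0.0.0/0', true) }}"
    default_security_group_rules:
      # Nodes must still reach each other (worker -> server on 9345/6443) when the CIDR is narrowed.
      - proto: -1
        from_port: 0
        to_port: 0
        group_name: "{{ default_security_group_name }}"
      - proto: tcp
        from_port: "{{ default_ssh_port }}"
        to_port: "{{ default_ssh_port }}"
        cidr_ip: "{{ default_ingress_cidr }}"
      # … unchanged: icmp, 9345 and 6443 rules, each with cidr_ip: "{{ default_ingress_cidr }}" …
```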
@@ -0,0 +1,143 @@ +--- +- name: Destroy + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_security_group_name: "molecule-{{ run_config.run_id }}" + + platform_defaults: + aws_profile: "{{ default_aws_profile }}" + key_inject_method: "{{ default_key_inject_method }}" + key_name: "{{ default_key_name }}" + region: "" + security_group_name: "{{ default_security_group_name }}" + security_groups: [] + vpc_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + + # Stored instance config + instance_config: "{{ (lookup('file', molecule_instance_config, errors='ignore') or '{}') | from_yaml }}" + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.aws_profile is string + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.region is string + - platform.security_group_name is 
string and platform.security_group_name | length > 0 + - platform.security_groups is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Destroy resources + when: instance_config | length != 0 + block: + - name: Destroy ephemeral EC2 instances + amazon.aws.ec2_instance: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + instance_ids: "{{ instance_config | map(attribute='instance_ids') | flatten }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + state: absent + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Wait for instance destruction to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: "{{ {} | to_yaml }}" + + - name: Destroy ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + 
profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + state: absent + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Destroy ephemeral keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + state: absent + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" \ No newline at end of file diff --git a/roles/rke2/molecule/default/molecule.yml b/roles/rke2/molecule/ubuntu-2404/molecule.yml similarity index 89% rename from roles/rke2/molecule/default/molecule.yml rename to roles/rke2/molecule/ubuntu-2404/molecule.yml index 73833d34..9c34b870 100644 --- a/roles/rke2/molecule/default/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2404/molecule.yml @@ -27,7 +27,10 @@ platforms: provisioner: name: ansible playbooks: - converge: converge.yml + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml inventory: hosts: rke2_cluster: diff --git a/roles/rke2/molecule/ubuntu-2404/requirements.yml b/roles/rke2/molecule/ubuntu-2404/requirements.yml new file mode 100644 index 00000000..4ece6bc1 --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/requirements.yml @@ -0,0 +1,5 @@ +--- +collections: + - name: ansible.utils + - name: amazon.aws + - name: community.crypto \ No newline at end of file From 2dc929fd3e028af4a67c2b5c29b4309de37b17c1 Mon Sep 17 00:00:00 2001 
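Review bot: `Destroy ephemeral security groups` and `Destroy ephemeral keys` are nested inside the `Destroy resources` block, which is skipped whenever `instance_config` is empty, so a create run that fails after the security group or EC2 key pair exists but before the instance config file is written leaves both behind with nothing to reclaim them (and the group created by create.yml in this commit carries world-open ingress rules by default). Both modules are idempotent with `state: absent`, so move those two tasks out of the block to the same level as `Destroy resources` and let them run unconditionally. The `Write Molecule instance configs` task here also drops the `mode: "0600"` that create.yml sets on the same path; add it back for consistency.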
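Review bot: None of the three collections in requirements.yml carries a `version:`, so `ansible-galaxy collection install -r requirements.yml` resolves whatever is newest on Galaxy at run time, and a major bump of `amazon.aws` or `community.crypto` can change the argument semantics of `ec2_instance`, `ec2_security_group` or `openssh_keypair` used by create.yml/destroy.yml without any change in this repository. Add a `version:` line under each name pinning the release the scenario was tested against (a `>=a.b.c,<next-major` range is the usual compromise), e.g. `- name: amazon.aws` followed by `  version: "<tested release>"`. `ansible.utils` does not appear to be used by the playbooks added in this commit; if it is needed by the template scenario, a one-line comment saying so would save the next reader the search.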
From: Jacob Hanafin Date: Thu, 25 Jul 2024 12:43:27 -0500 Subject: [PATCH 17/28] Remove unused scenario files --- roles/rke2/molecule/ubuntu-2404/converge.yml | 11 - roles/rke2/molecule/ubuntu-2404/create.yml | 333 ------------------ roles/rke2/molecule/ubuntu-2404/destroy.yml | 143 -------- .../molecule/ubuntu-2404/requirements.yml | 5 - 4 files changed, 492 deletions(-) delete mode 100644 roles/rke2/molecule/ubuntu-2404/converge.yml delete mode 100644 roles/rke2/molecule/ubuntu-2404/create.yml delete mode 100644 roles/rke2/molecule/ubuntu-2404/destroy.yml delete mode 100644 roles/rke2/molecule/ubuntu-2404/requirements.yml diff --git a/roles/rke2/molecule/ubuntu-2404/converge.yml b/roles/rke2/molecule/ubuntu-2404/converge.yml deleted file mode 100644 index 1966131f..00000000 --- a/roles/rke2/molecule/ubuntu-2404/converge.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Converge - hosts: all - gather_facts: true - pre_tasks: - - name: Set api_server_host - ansible.builtin.set_fact: - rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" - roles: - - role: rke2 - become: true \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/create.yml b/roles/rke2/molecule/ubuntu-2404/create.yml deleted file mode 100644 index 50ffe4a9..00000000 --- a/roles/rke2/molecule/ubuntu-2404/create.yml +++ /dev/null 
@@ -1,333 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ molecule_no_log }}" - vars: - # Run config handling - default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" - default_run_config: - run_id: "{{ default_run_id }}" - - run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" - run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" - run_config: '{{ default_run_config | combine(run_config_from_file) }}' - - # Platform settings handling - default_assign_public_ip: true - default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" - default_boot_wait_seconds: 120 - default_instance_type: t2.medium - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] - default_key_name: "molecule-{{ run_config.run_id }}" - default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" - default_public_key_path: "{{ default_private_key_path }}.pub" - default_ssh_user: ansible - default_ssh_port: 22 - default_user_data: '' - - default_security_group_name: "molecule-{{ run_config.run_id }}" - default_security_group_description: Ephemeral security group for Molecule instances - default_security_group_rules: - - proto: tcp - from_port: "{{ default_ssh_port }}" - to_port: "{{ default_ssh_port }}" - cidr_ip: "0.0.0.0/0" - - proto: icmp - from_port: 8 - to_port: -1 - cidr_ip: "0.0.0.0/0" - - proto: tcp - from_port: 9345 - to_port: 9345 - cidr_ip: "0.0.0.0/0" - - proto: tcp - from_port: 6443 - to_port: 6443 - cidr_ip: "0.0.0.0/0" - default_security_group_rules_egress: - - proto: -1 - from_port: 0 - to_port: 0 - cidr_ip: "0.0.0.0/0" - - platform_defaults: - assign_public_ip: "{{ default_assign_public_ip }}" - aws_profile: "{{ default_aws_profile }}" - boot_wait_seconds: "{{ default_boot_wait_seconds }}" - instance_type: "{{ default_instance_type }}" - key_inject_method: "{{ 
default_key_inject_method }}" - key_name: "{{ default_key_name }}" - private_key_path: "{{ default_private_key_path }}" - public_key_path: "{{ default_public_key_path }}" - security_group_name: "{{ default_security_group_name }}" - security_group_description: "{{ default_security_group_description }}" - security_group_rules: "{{ default_security_group_rules }}" - security_group_rules_egress: "{{ default_security_group_rules_egress }}" - ssh_user: "{{ default_ssh_user }}" - ssh_port: "{{ default_ssh_port }}" - cloud_config: {} - image: "" - image_name: "" - image_owner: [self] - name: "" - region: "" - security_groups: [] - tags: {} - volumes: [] - vpc_id: "" - vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" - - # Merging defaults into a list of dicts is, it turns out, not straightforward - platforms: >- - {{ [platform_defaults | dict2items] - | product(molecule_yml.platforms | map('dict2items') | list) - | map('flatten', levels=1) - | list - | map('items2dict') - | list }} - pre_tasks: - - name: Validate platform configurations - ansible.builtin.assert: - that: - - platforms | length > 0 - - platform.name is string and platform.name | length > 0 - - platform.assign_public_ip is boolean - - platform.aws_profile is string - - platform.boot_wait_seconds is integer and platform.boot_wait_seconds >= 0 - - platform.cloud_config is mapping - - platform.image is string - - platform.image_name is string - - platform.image_owner is sequence or (platform.image_owner is string and platform.image_owner | length > 0) - - platform.instance_type is string and platform.instance_type | length > 0 - - platform.key_inject_method is in ["cloud-init", "ec2"] - - platform.key_name is string and platform.key_name | length > 0 - - platform.private_key_path is string and platform.private_key_path | length > 0 - - platform.public_key_path is string and platform.public_key_path | length > 0 - - platform.region is string - - platform.security_group_name is string and 
platform.security_group_name | length > 0 - - platform.security_group_description is string and platform.security_group_description | length > 0 - - platform.security_group_rules is sequence - - platform.security_group_rules_egress is sequence - - platform.security_groups is sequence - - platform.ssh_user is string and platform.ssh_user | length > 0 - - platform.ssh_port is integer and platform.ssh_port in range(1, 65536) - - platform.tags is mapping - - platform.volumes is sequence - - platform.vpc_id is string - - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 - quiet: true - loop: '{{ platforms }}' - loop_control: - loop_var: platform - label: "{{ platform.name }}" - tasks: - - name: Write run config to file - ansible.builtin.copy: - dest: "{{ run_config_path }}" - content: "{{ run_config | to_yaml }}" - mode: "0600" - - - name: Generate local key pairs - community.crypto.openssh_keypair: - path: "{{ item.private_key_path }}" - type: rsa - size: 2048 - regenerate: never - backend: cryptography - private_key_format: pkcs1 - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - register: local_keypairs - - - name: Look up EC2 AMI(s) by owner and name (if image not set) - amazon.aws.ec2_ami_info: - owners: "{{ item.image_owner }}" - filters: "{{ item.image_filters | default({}) | combine(image_name_map) }}" - vars: - image_name_map: "{% if item.image_name is defined and item.image_name | length > 0 %}{{ {'name': item.image_name} }}{% else %}{}{% endif %}" - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - when: not item.image - register: ami_info - - - name: Look up subnets to determine VPCs (if needed) - amazon.aws.ec2_vpc_subnet_info: - subnet_ids: "{{ item.vpc_subnet_id }}" - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - when: not item.vpc_id - register: subnet_info - - - name: Validate discovered information - ansible.builtin.assert: - that: - - platform.image or 
(ami_info.results[index].images | length > 0) - - platform.vpc_id or (subnet_info.results[index].subnets | length > 0) - quiet: true - loop: "{{ platforms }}" - loop_control: - loop_var: platform - index_var: index - label: "{{ platform.name }}" - - - name: Create ephemeral EC2 keys (if needed) - amazon.aws.ec2_key: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - name: "{{ item.key_name }}" - key_material: "{{ local_keypair.public_key }}" - vars: - local_keypair: "{{ local_keypairs.results[index] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.key_inject_method == "ec2" - register: ec2_keys - - - name: Create ephemeral security groups (if needed) - amazon.aws.ec2_security_group: - profile: "{{ item.aws_profile | default(omit) }}" - iam_instance_profile: "{{ item.iam_instance_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" - name: "{{ item.security_group_name }}" - description: "{{ item.security_group_description }}" - rules: "{{ item.security_group_rules }}" - rules_egress: "{{ item.security_group_rules_egress }}" - vars: - vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.security_groups | length == 0 - - - name: Create ephemeral EC2 instance(s) - amazon.aws.ec2_instance: - name: "{{ item.name }}" - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - filters: "{{ platform_filters }}" - instance_type: "{{ item.instance_type }}" - image_id: "{{ platform_image_id }}" - vpc_subnet_id: "{{ item.vpc_subnet_id }}" - security_groups: "{{ platform_security_groups }}" - network: - assign_public_ip: "{{ item.assign_public_ip }}" - volumes: "{{ item.volumes }}" - key_name: "{{ (item.key_inject_method == 'ec2') | ternary(item.key_name, omit) 
}}" - tags: "{{ platform_tags }}" - user_data: "{{ platform_user_data }}" - state: "running" - wait: true - vars: - platform_security_groups: "{{ item.security_groups or [item.security_group_name] }}" - platform_generated_image_id: "{{ (ami_info.results[index].images | sort(attribute='creation_date', reverse=True))[0].image_id }}" - platform_image_id: "{{ item.image or platform_generated_image_id }}" - - platform_generated_cloud_config: - users: - - name: "{{ item.ssh_user }}" - ssh_authorized_keys: - - "{{ local_keypairs.results[index].public_key }}" - sudo: "ALL=(ALL) NOPASSWD:ALL" - platform_cloud_config: >- - {{ (item.key_inject_method == 'cloud-init') - | ternary((item.cloud_config | combine(platform_generated_cloud_config)), item.cloud_config) }} - platform_user_data: |- - #cloud-config - {{ platform_cloud_config | to_yaml }} - - platform_generated_tags: - instance: "{{ item.name }}" - molecule-run-id: "{{ run_config.run_id }}" - platform_tags: "{{ (item.tags or {}) | combine(platform_generated_tags) }}" - platform_filter_keys: "{{ platform_generated_tags.keys() | map('regex_replace', '^(.+)$', 'tag:\\1') }}" - platform_filters: "{{ dict(platform_filter_keys | zip(platform_generated_tags.values())) }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - register: ec2_instances_async - async: 7200 - poll: 0 - - - name: Instance boot block - when: ec2_instances_async is changed - block: - - name: Wait for instance creation to complete - ansible.builtin.async_status: - jid: "{{ item.ansible_job_id }}" - loop: "{{ ec2_instances_async.results }}" - loop_control: - index_var: index - label: "{{ platforms[index].name }}" - register: ec2_instances - until: ec2_instances is finished - retries: 300 - - - name: Collect instance configs - ansible.builtin.set_fact: - instance_config: - instance: "{{ item.name }}" - address: "{{ item.assign_public_ip | ternary(instance.public_ip_address, instance.private_ip_address) }}" - user: "{{ 
item.ssh_user }}" - port: "{{ item.ssh_port }}" - identity_file: "{{ item.private_key_path }}" - instance_ids: - - "{{ instance.instance_id }}" - vars: - instance: "{{ ec2_instances.results[index].instances[0] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - register: instance_configs - - - name: Write Molecule instance configs - ansible.builtin.copy: - dest: "{{ molecule_instance_config }}" - content: >- - {{ instance_configs.results - | map(attribute='ansible_facts.instance_config') - | list - | to_json - | from_json - | to_yaml }} - mode: "0600" - - - name: Start SSH pollers - ansible.builtin.wait_for: - host: "{{ item.address }}" - port: "{{ item.port }}" - search_regex: SSH - delay: 10 - timeout: 320 - loop: "{{ instance_configs.results | map(attribute='ansible_facts.instance_config') | list }}" - loop_control: - label: "{{ item.instance }}" - register: ssh_wait_async - async: 300 - poll: 0 - - - name: Wait for SSH - ansible.builtin.async_status: - jid: "{{ item.ansible_job_id }}" - loop: "{{ ssh_wait_async.results }}" - loop_control: - index_var: index - label: "{{ platforms[index].name }}" - register: ssh_wait - until: ssh_wait is finished - retries: 300 - delay: 1 - - - name: Wait for boot process to finish - ansible.builtin.pause: - seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/destroy.yml b/roles/rke2/molecule/ubuntu-2404/destroy.yml deleted file mode 100644 index ea993823..00000000 --- a/roles/rke2/molecule/ubuntu-2404/destroy.yml +++ /dev/null 
@@ -1,143 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ molecule_no_log }}" - vars: - # Run config handling - default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" - default_run_config: - run_id: "{{ default_run_id }}" - - run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" - run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" - run_config: '{{ default_run_config | combine(run_config_from_file) }}' - - # Platform settings handling - default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] - default_key_name: "molecule-{{ run_config.run_id }}" - default_security_group_name: "molecule-{{ run_config.run_id }}" - - platform_defaults: - aws_profile: "{{ default_aws_profile }}" - key_inject_method: "{{ default_key_inject_method }}" - key_name: "{{ default_key_name }}" - region: "" - security_group_name: "{{ default_security_group_name }}" - security_groups: [] - vpc_id: "" - vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" - - # Merging defaults into a list of dicts is, it turns out, not straightforward - platforms: >- - {{ [platform_defaults | dict2items] - | product(molecule_yml.platforms | map('dict2items') | list) - | map('flatten', levels=1) - | list - | map('items2dict') - | list }} - - # Stored instance config - instance_config: "{{ (lookup('file', molecule_instance_config, errors='ignore') or '{}') | from_yaml }}" - pre_tasks: - - name: Validate platform configurations - ansible.builtin.assert: - that: - - platforms | length > 0 - - platform.name is string and platform.name | length > 0 - - platform.aws_profile is string - - platform.key_inject_method is in ["cloud-init", "ec2"] - - platform.key_name is string and platform.key_name | length > 0 - - platform.region is string - - platform.security_group_name is 
string and platform.security_group_name | length > 0 - - platform.security_groups is sequence - - platform.vpc_id is string - - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 - quiet: true - loop: '{{ platforms }}' - loop_control: - loop_var: platform - label: "{{ platform.name }}" - tasks: - - name: Look up subnets to determine VPCs (if needed) - amazon.aws.ec2_vpc_subnet_info: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - subnet_ids: "{{ item.vpc_subnet_id }}" - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - when: not item.vpc_id - register: subnet_info - - - name: Validate discovered information - ansible.builtin.assert: - that: platform.vpc_id or (subnet_info.results[index].subnets | length > 0) - quiet: true - loop: "{{ platforms }}" - loop_control: - loop_var: platform - index_var: index - label: "{{ platform.name }}" - - - name: Destroy resources - when: instance_config | length != 0 - block: - - name: Destroy ephemeral EC2 instances - amazon.aws.ec2_instance: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - instance_ids: "{{ instance_config | map(attribute='instance_ids') | flatten }}" - vpc_subnet_id: "{{ item.vpc_subnet_id }}" - state: absent - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - register: ec2_instances_async - async: 7200 - poll: 0 - - - name: Wait for instance destruction to complete - ansible.builtin.async_status: - jid: "{{ item.ansible_job_id }}" - loop: "{{ ec2_instances_async.results }}" - loop_control: - index_var: index - label: "{{ platforms[index].name }}" - register: ec2_instances - until: ec2_instances is finished - retries: 300 - - - name: Write Molecule instance configs - ansible.builtin.copy: - dest: "{{ molecule_instance_config }}" - content: "{{ {} | to_yaml }}" - - - name: Destroy ephemeral security groups (if needed) - amazon.aws.ec2_security_group: - 
profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" - name: "{{ item.security_group_name }}" - state: absent - vars: - vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.security_groups | length == 0 - - - name: Destroy ephemeral keys (if needed) - amazon.aws.ec2_key: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - name: "{{ item.key_name }}" - state: absent - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.key_inject_method == "ec2" \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/requirements.yml b/roles/rke2/molecule/ubuntu-2404/requirements.yml deleted file mode 100644 index 4ece6bc1..00000000 --- a/roles/rke2/molecule/ubuntu-2404/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -collections: - - name: ansible.utils - - name: amazon.aws - - name: community.crypto \ No newline at end of file From a10877e4e905ab9ba9c1817f38a16766d2d85c85 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 12:51:57 -0400 Subject: [PATCH 18/28] updating full rpm logic --- roles/rke2/defaults/main.yml | 2 +- roles/rke2/tasks/calculate_rke2_version.yml | 72 +++++++++------------ roles/rke2/tasks/rpm_install.yml | 6 +- roles/rke2/vars/main.yml | 3 + 4 files changed, 38 insertions(+), 45 deletions(-) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 15700aea..89059c18 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -34,4 +34,4 @@ kubelet_node_name: rke2_config: {} metrics_running: false node_ready: "false" -api_server_running: false \ No newline at end of file +api_server_running: false 
diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 5eaf09aa..5e62124a 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -3,7 +3,7 @@ - name: "Determine latest version from internet" when: - rke2_install_version | length == 0 - - rke2_versioned_yum_repo.baseurl | search ("rpm.rancher.io") + - '"rpm.rancher.io" in rke2_versioned_yum_repo.baseurl' - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" block: @@ -22,27 +22,34 @@ args: executable: /usr/bin/bash -- name: Set rke2_full_version fact + - name: Set rke2_full_version fact from internet source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_full_version.stdout }}" + +- name: Unset rke2_full_version if skipped + ansible.builtin.set_fact: + rke2_full_version: "" + when: + rke2_full_version is skipped + +- name: Set rke2_full_version fact from variable source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_install_version }}" + when: + - rke2_install_version | length > 0 + +- name: Set rke2_package_state to latest ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout if (rke2_install_version | length == 0) else rke2_install_version }}" + rke2_package_state: "latest" + when: + - rke2_full_version | length == 0 - name: "Set install version for RPM" when: - install_method == "rpm" + - rke2_full_version | length > 0 block: - - name: Set dot version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 - register: rke2_version_dot_tmp - changed_when: false - args: - executable: /usr/bin/bash - - - name: Set rke2_version_dot fact - ansible.builtin.set_fact: - rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}" - - name: Set Maj.Min version ansible.builtin.shell: cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" 
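Review bot: In the "Set Maj.Min version" task at the end of this hunk, `rke2_full_version` is expanded unquoted into a bash pipeline (`echo {{ rke2_full_version }} | /bin/awk ...`), and the new "Set rke2_full_version fact from variable source" task sets that fact straight from the `rke2_install_version` inventory variable, so any shell metacharacters in that inventory value become part of the executed command. The string surgery does not need a shell at all: `rke2_version_majmin: "{{ rke2_full_version | regex_replace('^v', '') | regex_search('^[0-9]+\\.[0-9]+') }}"` in a set_fact yields the same Maj.Min value, and if a shell task is kept the value should at least go through `| quote`. The same presumably applies to the RPM-version shell task that follows, whose lines are outside this hunk. The hunk also uses `rke2_full_version` both as the registered result of the shell task and as the fact name, and the "Unset rke2_full_version if skipped" test depends on that; a one-line comment stating this intent would keep a later cleanup from breaking it.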
@@ -67,37 +74,16 @@ ansible.builtin.set_fact: rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" + - name: Prepend 'dash' to version string + ansible.builtin.set_fact: + rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" + when: + - rke2_version_rpm | length > 0 + # - name: Describe versions # ansible.builtin.debug: # msg: # - "Full version, with revision indication: {{ rke2_full_version }}" - # - "Version without revision indication: {{ rke2_version_dot }}" + # # - "Version without revision indication: {{ rke2_version_dot }}" # - "Major and Minor Only: {{ rke2_version_majmin }}" # - "RPM Version (tilde): {{ rke2_version_rpm }}" - -- name: "Set install version for RPM" - when: - - install_method == "rpm" - block: - - - name: Set RPM version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_install_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" - register: rke2_version_rpm_tmp - changed_when: false - args: - executable: /usr/bin/bash - when: - - rke2_install_version | length > 0 - - - name: Set rke2_version_rpm fact - ansible.builtin.set_fact: - rke2_version_rpm_no_dash: "{{ rke2_version_rpm_tmp.stdout }}" - when: - - rke2_version_rpm_tmp is defined - - - name: Prepend 'dash' to version string - ansible.builtin.set_fact: - rke2_version_rpm: "{{ '-' + rke2_version_rpm_no_dash }}" - when: - - rke2_version_rpm_no_dash is defined diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 82f3a268..3f9b601e 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -20,10 +20,14 @@ gpgkey: "{{ rke2_versioned_yum_repo.gpgkey }}" enabled: "{{ rke2_versioned_yum_repo.enabled }}" +- name: debug install + debug: + msg: installing {{ service_name }}{{ rke2_version_rpm }} + - name: YUM-Based Install ansible.builtin.dnf: name: "{{ service_name }}{{ rke2_version_rpm }}" - state: installed + state: "{{ rke2_package_state}}" allow_downgrade: true register: result retries: 10 
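Review bot: `state: "{{ rke2_package_state}}"` in the YUM-Based Install task is missing the space before the closing braces; it still renders, but it is inconsistent with every other expression in the file and will be flagged by the linters, so `state: "{{ rke2_package_state }}"`. With `rke2_package_state` switching to "latest" whenever no version was resolved and `allow_downgrade: true` on the same task, an unpinned run moves the node to whatever the repository currently serves on every play; a comment on the task saying that this is intended for unpinned installs would stop a reader from assuming the task is idempotent. The repo definition in the context lines sets `gpgkey` but the visible lines do not show `gpgcheck`; if it is not set to true above the hunk, the key is recorded but never used to verify the packages this task installs.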
diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index 0f544b40..d2944ee3 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -3,3 +3,6 @@ rke2_installed: false rke2_version_changed: false rke2_reboot: false +rke2_version_majmin: "" +rke2_version_rpm: "" +rke2_package_state: "installed" \ No newline at end of file From 41525c21f2f1087de04bc5b441527bb1f5c17c36 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 13:15:23 -0400 Subject: [PATCH 19/28] fixed rpm logic --- roles/rke2/tasks/calculate_rke2_version.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 5e62124a..0a47cfc7 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -22,9 +22,9 @@ args: executable: /usr/bin/bash - - name: Set rke2_full_version fact from internet source - ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout }}" + # - name: Set rke2_full_version fact from internet source + # ansible.builtin.set_fact: + # rke2_full_version: "{{ rke2_full_version.stdout }}" - name: Unset rke2_full_version if skipped ansible.builtin.set_fact: @@ -32,11 +32,16 @@ when: rke2_full_version is skipped -- name: Set rke2_full_version fact from variable source +- name: Set rke2_full_version fact ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_install_version }}" - when: - - rke2_install_version | length > 0 + rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or + (install_rke2_version | length == 0)) else install_rke2_version }}" + +# - name: Set rke2_full_version fact from variable source +# ansible.builtin.set_fact: +# rke2_full_version: "{{ rke2_install_version }}" +# when: +# - rke2_install_version | length > 0 - name: Set rke2_package_state to latest ansible.builtin.set_fact: 
From bd13dc8ca0e8039a42eaa233c388579e190309ee Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 15:22:24 -0400 Subject: [PATCH 20/28] linting round 1 --- roles/rke2/tasks/add_manifest_addons.yml | 12 ++++---- roles/rke2/tasks/calculate_rke2_version.yml | 25 ++++++++------- roles/rke2/tasks/check_node_ready.yml | 34 +++++++++++---------- roles/rke2/tasks/cis_hardening.yml | 8 ++--- roles/rke2/tasks/config.yml | 4 +-- roles/rke2/tasks/configure_rke2.yml | 2 -- roles/rke2/tasks/first_server.yml | 5 +-- roles/rke2/tasks/main.yml | 20 +++++------- roles/rke2/tasks/other_nodes.yml | 2 +- roles/rke2/tasks/rpm_install.yml | 6 ++-- roles/rke2/tasks/save_generated_token.yml | 6 ++-- roles/rke2/tasks/tarball_install.yml | 2 -- roles/rke2/vars/main.yml | 2 +- 13 files changed, 61 insertions(+), 67 deletions(-) diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index 909693c7..8397da87 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml @@ -1,12 +1,12 @@ --- -- name: look up manifest files on localhost - find: +- name: Look up manifest files on localhost + ansible.builtin.find: paths: "{{ source_directory }}" register: local_files_find_return delegate_to: localhost -- name: create array of managed files +- name: Create array of managed files ansible.builtin.set_fact: managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}" 
@@ -18,16 +18,16 @@ owner: root group: root -- name: look up manifest files on remote +- name: Look up manifest files on remote find: paths: "{{ destination_directory }}" register: remote_files_find_return -- name: create array of remote files +- name: Create array of remote files ansible.builtin.set_fact: current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}" -- name: remove remote files not in managed files list +- name: Remove remote files not in managed files list ansible.builtin.file: path: "{{ destination_directory }}/{{ item }}" state: absent diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 0a47cfc7..a8994a0d 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -22,9 +22,9 @@ args: executable: /usr/bin/bash - # - name: Set rke2_full_version fact from internet source - # ansible.builtin.set_fact: - # rke2_full_version: "{{ rke2_full_version.stdout }}" + - name: Set rke2_full_version fact from internet source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_full_version.stdout }}" - name: Unset rke2_full_version if skipped ansible.builtin.set_fact: 
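Review bot: The "Look up manifest files on remote" task keeps the short module name `find:` while the localhost lookup in the previous hunk of this file was changed to `ansible.builtin.find:`; since this is the linting commit, the remote task should get the same FQCN, `ansible.builtin.find:`. The set_fact expressions `{{remote_files_find_return.files ...}}` here and `{{local_files_find_return.files ...}}` in the first hunk also lack the spaces inside the braces that the rest of the role uses.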
@@ -32,16 +32,15 @@ when: rke2_full_version is skipped -- name: Set rke2_full_version fact - ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or - (install_rke2_version | length == 0)) else install_rke2_version }}" - -# - name: Set rke2_full_version fact from variable source +# - name: Set rke2_full_version fact # ansible.builtin.set_fact: -# rke2_full_version: "{{ rke2_install_version }}" -# when: -# - rke2_install_version | length > 0 + # rke2_full_version: "{{ rke2_full_version.stdout if (install_rke2_version | length == 0) else install_rke2_version }}" + +- name: Set rke2_full_version fact from variable source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_install_version }}" + when: + - rke2_install_version | length > 0 - name: Set rke2_package_state to latest ansible.builtin.set_fact: @@ -83,7 +82,7 @@ ansible.builtin.set_fact: rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" when: - - rke2_version_rpm | length > 0 + - rke2_version_rpm | length > 0 # - name: Describe versions # ansible.builtin.debug: diff --git a/roles/rke2/tasks/check_node_ready.yml b/roles/rke2/tasks/check_node_ready.yml index a69e5831..1ce68e30 100644 --- a/roles/rke2/tasks/check_node_ready.yml +++ b/roles/rke2/tasks/check_node_ready.yml @@ -1,3 +1,5 @@ +--- + - name: Wait for k8s apiserver ansible.builtin.wait_for: host: localhost @@ -8,14 +10,14 @@ register: api_serve_status ignore_errors: "{{check_node_ready_ignore_errors}}" -- name: set fact +- name: Set fact ansible.builtin.set_fact: api_server_running: true - when: - - api_serve_status.state is not undefined - - api_serve_status.state == "present" + when: + - api_serve_status.state is not undefined + - api_serve_status.state == "present" -- name: set fact +- name: Set fact ansible.builtin.set_fact: api_server_running: "{{api_server_running}}" 
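Review bot: Two consecutive tasks in the check_node_ready.yml `@@ -8,14 +10,14 @@` hunk are both named "Set fact" (only the capitalisation changed), and the same name is reused twice more in the `@@ -61,20 +63,20 @@` hunk, so the play output cannot show which fact was set; names such as `Mark api server as running` and `Default api_server_running` would make output and failure messages self-explanatory. The second "Set fact" assigns `api_server_running: "{{api_server_running}}"` to itself, which reads as a no-op; if the intent is to promote the default from vars into a host fact, a comment such as `# re-assert the default as a host fact so later plays see it` would keep the next lint pass from deleting it.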
@@ -35,9 +37,9 @@ ansible.builtin.set_fact: metrics_running: true when: - - 200 | string in node_metrics.status | string + - 200 | string in node_metrics.status | string -- name: set fact for metrics_running +- name: Set fact for metrics_running ansible.builtin.set_fact: metrics_running: "{{metrics_running}}" @@ -46,8 +48,8 @@ kubelet_node_name: "{{ node_metrics.content | \ regex_search('kubelet_node_name{node=\"(.*)\"}',\ '\\1') }}" - when: - - 200 | string in node_metrics.status | string + when: + - 200 | string in node_metrics.status | string - name: Wait for node to show Ready status ansible.builtin.command: >- @@ -61,20 +63,20 @@ changed_when: false ignore_errors: "{{check_node_ready_ignore_errors}}" -- name: set fact +- name: Set fact ansible.builtin.set_fact: node_ready: "true" when: - - status_result.rc is not undefined - - status_result.rc | string == "0" + - status_result.rc is not undefined + - status_result.rc | string == "0" -- name: set fact +- name: Set fact ansible.builtin.set_fact: node_ready: "{{node_ready}}" -- name: node status - debug: +- name: Node status + ansible.builtin.debug: msg: | "node_ready: {{node_ready}}" "metrics_running: {{metrics_running}}" - "api_server_running: {{api_server_running}}" \ No newline at end of file + "api_server_running: {{api_server_running}}" diff --git a/roles/rke2/tasks/cis_hardening.yml b/roles/rke2/tasks/cis_hardening.yml index 53acff52..dec33eb2 100644 --- a/roles/rke2/tasks/cis_hardening.yml +++ b/roles/rke2/tasks/cis_hardening.yml 
@@ -2,10 +2,10 @@ - name: CIS MODE become: yes - when: - - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or - (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or - (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) + when: + - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) block: - name: Create etcd group ansible.builtin.group: diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index 602652c7..edff3b99 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml @@ -1,12 +1,12 @@ --- # combine host and group vars to form primary rke2_config -- name: combine host and group config vars +- name: Combine host and group config vars ansible.builtin.set_fact: temp_group_rke2_config: "{{cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" # combine host and group vars to form primary rke2_config -- name: combine host and group config vars +- name: Combine host and group config vars ansible.builtin.set_fact: rke2_config: "{{temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index a9993651..6036a23a 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -36,5 +36,3 @@ file_path: "{{ rke2_pod_security_admission_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'] - - diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 080d18e5..d84b658b 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml 
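Review bot: `become: yes` in the context line directly above the re-indented `when:` survives a linting commit although yamllint's truthy rule and ansible-lint both want `become: true`. In the three `regex_search('^cis(-\\d+.\\d+)?$')` conditions the unescaped `.` matches any character, so a profile value such as `cis-1x23` (constructed example) would also enable CIS mode; `regex_search('^cis(-\\d+\\.\\d+)?$')` matches only the dotted form. The block guarded by this `when:` continues past the end of the hunk.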
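Review bot: Both tasks in the config.yml hunk are now named "Combine host and group config vars" and carry the identical comment, although the first merges the cluster and group configs into `temp_group_rke2_config` and only the second adds `host_rke2_config`; naming them `Combine cluster and group config vars` and `Combine group and host config vars` (and fixing the first comment to match) would make the precedence order readable from the play output. A short comment on why `list_merge='prepend_rp'` was chosen, presumably so the more specific config's list entries are placed first, would also help, since that is the whole point of the two-step merge; confirm the intent before wording it.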
@@ -4,7 +4,7 @@ - name: Include task file config.yml ansible.builtin.include_tasks: config.yml -- name: flush_handlers +- name: Flush_handlers ansible.builtin.meta: flush_handlers - block: @@ -15,4 +15,5 @@ check_node_ready_retries: 30 check_node_ready_delay: 10 check_node_ready_ignore_errors: false - any_errors_fatal: true \ No newline at end of file + any_errors_fatal: true + \ No newline at end of file diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index 72b3fd1e..f4323928 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -43,8 +43,6 @@ - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml - - - name: Check for images bundle ansible.builtin.include_tasks: images_bundle.yml when: @@ -65,10 +63,10 @@ check_node_ready_delay: 2 check_node_ready_ignore_errors: true when: - - inventory_hostname in groups['rke2_servers'] + - inventory_hostname in groups['rke2_servers'] - name: Create a list of ready servers - set_fact: + ansible.builtin.set_fact: ready_servers: "{{ groups.rke2_servers| map('extract', hostvars)| selectattr('node_ready', 'equalto', true)| @@ -90,8 +88,6 @@ - name: Set rke2 configuration files ansible.builtin.include_tasks: configure_rke2.yml - - - name: Include task file add_manifest_addons.yml ansible.builtin.include_tasks: add_manifest_addons.yml vars: 
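Review bot: The first_server.yml `@@ -15,4 +15,5 @@` hunk adds a line containing only a space after `any_errors_fatal: true` and the file still ends without a newline, so a linting commit introduces a trailing-whitespace finding and leaves the missing-newline one in place; the file should end with `any_errors_fatal: true` followed by a single newline. In the `@@ -4,7 +4,7 @@` hunk, capitalising the task name produced `Flush_handlers`, which reads like an identifier rather than a description; `- name: Flush handlers` satisfies the same lint rule, and the same rename appears in other_nodes.yml later in this commit.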
@@ -106,23 +102,23 @@ - name: Start the first rke2 node ansible.builtin.include_tasks: first_server.yml when: - - inventory_hostname in groups['rke2_servers'][0] - - ready_servers | length == 0 + - inventory_hostname in groups['rke2_servers'][0] + - ready_servers | length == 0 -- name: save_generated_token.yml +- name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: token_source_node: "{{groups['rke2_servers'][0]}}" when: - - ready_servers | length == 0 + - ready_servers | length == 0 # is the ready_servers array is > 0, we assume it's an established cluster and treat all nodes equally (no need for initial server procedure) -- name: save_generated_token.yml +- name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: token_source_node: "{{ready_servers[0]}}" when: - - ready_servers | length > 0 + - ready_servers | length > 0 - name: Start all other rke2 nodes ansible.builtin.include_tasks: other_nodes.yml diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 80825e32..59ae3c11 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -9,5 +9,5 @@ - name: Generate config.yml on other nodes ansible.builtin.include_tasks: config.yml -- name: flush_handlers +- name: Flush_handlers ansible.builtin.meta: flush_handlers diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 3f9b601e..e9a4fd50 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -20,9 +20,9 @@ gpgkey: "{{ rke2_versioned_yum_repo.gpgkey }}" enabled: "{{ rke2_versioned_yum_repo.enabled }}" -- name: debug install - debug: - msg: installing {{ service_name }}{{ rke2_version_rpm }} +# - name: Debug install +# ansible.builtin.debug: +# msg: installing {{ service_name }}{{ rke2_version_rpm }} - name: YUM-Based Install ansible.builtin.dnf: 
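Review bot: `inventory_hostname in groups['rke2_servers'][0]` in the "Start the first rke2 node" condition tests substring containment against a single hostname string, not group membership, so a host named `node1` would also match a first server named `node10` (constructed example) and two nodes could run the first-server bootstrap; `inventory_hostname == groups['rke2_servers'][0]` expresses the intent. The two include tasks named `Save_generated_token.yml` should get descriptive names such as `Save generated token from first server` and `Save generated token from a ready server`, since the play output otherwise shows the same name for both paths. The context comment above the second one reads "is the ready_servers array is > 0"; "if the ready_servers array is > 0" is presumably what was meant.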
diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml index c2742ea5..4717fd75 100644 --- a/roles/rke2/tasks/save_generated_token.yml +++ b/roles/rke2/tasks/save_generated_token.yml @@ -1,4 +1,4 @@ - +--- - name: Wait for node-token ansible.builtin.wait_for: @@ -30,14 +30,14 @@ temp_host_rke2_config: server: "https://{{ rke2_kubernetes_api_server_host }}:9345" when: - - rke2_kubernetes_api_server_host != "" + - rke2_kubernetes_api_server_host != "" - name: Set temp fact to store server config line with server URL ansible.builtin.set_fact: temp_host_rke2_config: server: "https://{{ token_source_node }}:9345" when: - - rke2_kubernetes_api_server_host == "" + - rke2_kubernetes_api_server_host == "" - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 0aa960a2..3247d6ba 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -18,8 +18,6 @@ - rke2_install_tarball_url == "" - not rke2_installed or rke2_installed_version != rke2_full_version - - - name: Send provided tarball from local control machine if available ansible.builtin.copy: src: "{{ rke2_install_local_tarball_path }}" diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index d2944ee3..879b4f8c 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -5,4 +5,4 @@ rke2_version_changed: false rke2_reboot: false rke2_version_majmin: "" rke2_version_rpm: "" -rke2_package_state: "installed" \ No newline at end of file +rke2_package_state: "installed" From 0e77adc8c87f5e2f8d69f72b286f180e49690a29 Mon Sep 17 00:00:00 2001 
From: Jacob Hanafin Date: Fri, 26 Jul 2024 14:56:03 -0500 Subject: [PATCH 21/28] Add supported platforms --- roles/rke2/molecule/README.md | 47 +++++++++++---- roles/rke2/molecule/rocky-89/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/rocky-94/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/sles-15/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/ubuntu-2204/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/ubuntu-2404/molecule.yml | 2 - 6 files changed, 275 insertions(+), 14 deletions(-) create mode 100644 roles/rke2/molecule/rocky-89/molecule.yml create mode 100644 roles/rke2/molecule/rocky-94/molecule.yml create mode 100644 roles/rke2/molecule/sles-15/molecule.yml create mode 100644 roles/rke2/molecule/ubuntu-2204/molecule.yml diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md index 0f5a9743..72bad79b 100644 --- a/roles/rke2/molecule/README.md +++ b/roles/rke2/molecule/README.md 
@@ -1,4 +1,38 @@ -# Molecule Scenarios +# Molecule Scenarios +| Scenario | Passing | +| ----------- | ------- | +| rocky-89 | False | +| rocky-94 | True | +| ubuntu-2404 | True | +| ubuntu-2204 | True | +| sles-15 | False | + +## template +As the name would imply this is a template scenario, no one is supposed to run this and it will not ever work. The purpose is to prevent other scenarios from having to rewrite or copy from one another, this also allows changes to be shared across all scenarios that are descendants of the template. + +## rocky-94 +The rocky-94 scenario is the simplest possible scenario, with a single Rocky 9.4 master node and a single Rocky 9.4 worker node. + +## rocky-89 +The rocky-89 scenario is the simplest possible scenario, with a single Rocky 8.9 master node and a single Rocky 8.9 worker node. + +## ubuntu-2404 +The ubuntu-2204 scenario is the simplest possible scenario, with a single Ubuntu 24.04 master node and a single Ubuntu 24.04 worker node. + +## ubuntu-2204 +The ubuntu-2404 scenario is the simplest possible scenario, with a single Ubuntu 22.04 master node and a single Ubuntu 22.04 worker node. + + +--- +# Development +## Required ENV Vars +| Name | Purpose | +| --------------------- | ------- | +| AWS_ACCESS_KEY_ID | Access to AWS | +| AWS_SECRET_ACCESS_KEY | Access to AWS | +| VPC_SUBNET_ID | Subnet to assign EC2s to | + +## Summary The molecule test scenarios are based on the cookie cutter ec2 instance and require the molecule plugin here: [molecule-plugin](https://github.com/ansible-community/molecule-plugins), the pip3 `requirements.txt` can be found in this directory while the ansible specfic requirements will be installed automatically when running molecule as a part of the `requirements` stage. As this is an ec2 based scenario an AWS account is needed, you will need to define the following variables either as environment variables or in your aws cli config file (`~/.aws/config`) 
@@ -19,18 +53,7 @@ It is worth noting that the EC2 driver does not provide a way to login to EC2 in The `vpc_subnet_id` key has been removed as a defined variable and is pulled from the environment variable `VPC_SUBNET_ID`. Other than the AWS keys needed this is the only environment variable required. -# Available Scenarios -## template -As the name would imply this is a template scenario, no one is supposed to run this and it will not ever work. The purpose is to prevent other scenarios from having to rewrite or copy from one another, this also allows changes to be shared across all scenarios that are descendants of the template. - -## ubuntu-2404 -The ubuntu-2404 scenario is the simplest possible scenario, with a single Ubuntu 24.04 master node and a single Ubuntu 20.04 worker node. - - # To Do - Add tests - Ensure node labels are applied - Ensure setting CIS profile works as expected - - Add scenrios for all supported platforms - - Rocky - - SLES \ No newline at end of file diff --git a/roles/rke2/molecule/rocky-89/molecule.yml b/roles/rke2/molecule/rocky-89/molecule.yml new file mode 100644 index 00000000..31539f3d --- /dev/null +++ b/roles/rke2/molecule/rocky-89/molecule.yml 
@@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-02391db2758465a87 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-02391db2758465a87 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/rocky-94/molecule.yml b/roles/rke2/molecule/rocky-94/molecule.yml new file mode 100644 index 00000000..33c405eb --- /dev/null +++ b/roles/rke2/molecule/rocky-94/molecule.yml 
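Review bot: Every platform in this new rocky-89 scenario is tagged `molecule-scenario: "default"`, and the rocky-94, sles-15 and ubuntu-2204 files added in the same commit (L152–L154) carry the same literal, so the tag no longer identifies which scenario created an instance if more than one is run; `molecule-scenario: "rocky-89"` here and the matching name in each sibling file would make cleanup and cost attribution unambiguous. The `image:` values are hard-coded AMI IDs that are only valid in the pinned `region`, and the README table in this commit marks this scenario as not passing; a comment above each `image:` naming the AMI's owner and image name would let the next person refresh it. All four new files also end without a trailing newline.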
@@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-051a0f669bb174783 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-051a0f669bb174783 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/sles-15/molecule.yml b/roles/rke2/molecule/sles-15/molecule.yml new file mode 100644 index 00000000..d911f3cd --- /dev/null +++ b/roles/rke2/molecule/sles-15/molecule.yml 
@@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-05e760b0ec1a5588a + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-05e760b0ec1a5588a + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2204/molecule.yml b/roles/rke2/molecule/ubuntu-2204/molecule.yml new file mode 100644 index 00000000..5977f8db --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2204/molecule.yml 
@@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-0677b91957321ed76 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-0677b91957321ed76 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/molecule.yml b/roles/rke2/molecule/ubuntu-2404/molecule.yml index 9c34b870..dbdc8b2c 100644 --- a/roles/rke2/molecule/ubuntu-2404/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2404/molecule.yml @@ -34,8 +34,6 @@ provisioner: inventory: hosts: rke2_cluster: - vars: - rke2_install_version: v1.27.15+rke2r1 children: rke2_servers: vars: From ed3ff7e4641f6e306371b3a839134e930b58fe57 Mon Sep 17 00:00:00 2001 
From: Adam Leiner Date: Fri, 26 Jul 2024 16:32:30 -0400 Subject: [PATCH 22/28] fixing VIP join logic --- ...luster_state.yml => NOT_USED_cluster_state.yml} | 0 roles/rke2/tasks/first_server.yml | 7 ++++++- roles/rke2/tasks/other_nodes.yml | 14 ++++++++++++++ roles/rke2/tasks/save_generated_token.yml | 13 +++++-------- site.yml | 2 +- 5 files changed, 26 insertions(+), 10 deletions(-) rename roles/rke2/tasks/{cluster_state.yml => NOT_USED_cluster_state.yml} (100%) diff --git a/roles/rke2/tasks/cluster_state.yml b/roles/rke2/tasks/NOT_USED_cluster_state.yml similarity index 100% rename from roles/rke2/tasks/cluster_state.yml rename to roles/rke2/tasks/NOT_USED_cluster_state.yml diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index d84b658b..facf649b 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -1,12 +1,17 @@ --- - - name: Include task file config.yml ansible.builtin.include_tasks: config.yml - name: Flush_handlers ansible.builtin.meta: flush_handlers +- name: Ensure rke2 is running + ansible.builtin.service: + state: started + enabled: true + name: "{{ service_name }}" + - block: - name: Start check_node_ready.yml ansible.builtin.include_tasks: check_node_ready.yml diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 59ae3c11..9fdd3ad6 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -1,5 +1,13 @@ --- +- name: Wait for remote k8s apiserver + ansible.builtin.wait_for: + host: "{{ rke2_kubernetes_api_server_host }}" + port: "6443" + state: present + timeout: "300" + changed_when: false + - name: Include task file add-manifest-addons.yml ansible.builtin.include_tasks: add-manifest-addons.yml when: 
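Review bot: The new "Ensure rke2 is running" task uses `ansible.builtin.service`, while the role's wait_for_rke2.yml starts the same unit with `ansible.builtin.systemd` (visible in a later patch), and the identical task is added again to other_nodes.yml in the next hunk, so the service-start logic now lives in three places with two module choices. Either include wait_for_rke2.yml here, or at least use the same module so the two tasks stay in step, e.g. `ansible.builtin.systemd:` with the same `name`/`state`/`enabled` keys. The enclosing task list continues past the end of this hunk.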
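Review bot: The new wait task probes port 6443 on `rke2_kubernetes_api_server_host`, but the join URL that save_generated_token.yml writes into `server:` points at port 9345, so this check can succeed while the supervisor port the node actually dials is still not listening; waiting on `port: "9345"` (or both ports) would match the join path. The task also assumes `rke2_kubernetes_api_server_host` is already non-empty when other_nodes.yml runs, which depends on include ordering in main.yml that is not visible here; a guard such as `when: rke2_kubernetes_api_server_host | default('') | length > 0` would make that dependency explicit and fail clearly instead of hanging for the full timeout on an empty host. `timeout: "300"` works, but `timeout: 300` reads as the integer the module expects.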
@@ -11,3 +19,9 @@ - name: Flush_handlers ansible.builtin.meta: flush_handlers + +- name: Ensure rke2 is running + ansible.builtin.service: + state: started + enabled: true + name: "{{ service_name }}" \ No newline at end of file diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml index 4717fd75..fe5df4b6 100644 --- a/roles/rke2/tasks/save_generated_token.yml +++ b/roles/rke2/tasks/save_generated_token.yml @@ -25,19 +25,16 @@ ansible.builtin.set_fact: host_rke2_config: "{{temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Set temp fact to store server config line with custom join server URL +- name: Set temp fact for api host ansible.builtin.set_fact: - temp_host_rke2_config: - server: "https://{{ rke2_kubernetes_api_server_host }}:9345" + rke2_kubernetes_api_server_host: "{{ token_source_node }}" when: - - rke2_kubernetes_api_server_host != "" + - rke2_kubernetes_api_server_host == "" -- name: Set temp fact to store server config line with server URL +- name: Set temp fact to store server config line with custom join server URL ansible.builtin.set_fact: temp_host_rke2_config: - server: "https://{{ token_source_node }}:9345" - when: - - rke2_kubernetes_api_server_host == "" + server: "https://{{ rke2_kubernetes_api_server_host }}:9345" - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: diff --git a/site.yml b/site.yml index 7fd240e6..9d204c83 100644 --- a/site.yml +++ b/site.yml @@ -3,6 +3,6 @@ - name: RKE2 play hosts: all any_errors_fatal: true - become: true + # become: true roles: - role: rke2 From ee61292c97b185d66e1224c2e725afc4dc7c90ce Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 16:53:23 -0400 Subject: [PATCH 23/28] fix --- roles/rke2/tasks/calculate_rke2_version.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
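Review bot: `when: rke2_kubernetes_api_server_host == ""` raises an undefined-variable error if the variable is not defined at all (no default for it is visible in this excerpt); `when: rke2_kubernetes_api_server_host | default('') | length == 0` covers both the undefined and the empty case. The `set_fact` also overwrites the host-level `rke2_kubernetes_api_server_host` with an inventory hostname (`token_source_node`), which only works when that name resolves from the joining node, so a comment above the task would help: `# fall back to the token source's inventory_hostname; it must be resolvable from this host`.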
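Review bot: Commenting out `become: true` in site.yml changes the privilege level of the play for every consumer, which the commit message ("fixing VIP join logic") does not mention, and the role writes under /etc/rancher/rke2 and manages the rke2 service, so an unprivileged run will fail partway through. If escalation is meant to move out of the play, delete the line and set it on the role entry as molecule's converge.yml does, `- role: rke2` followed by `become: true`; a commented-out `become` invites someone to re-enable it by hand without knowing why it was removed.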
diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index a8994a0d..0010e920 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -30,7 +30,8 @@ ansible.builtin.set_fact: rke2_full_version: "" when: - rke2_full_version is skipped + - rke2_full_version.skipped is defined + - rke2_full_version is skipped # - name: Set rke2_full_version fact # ansible.builtin.set_fact: From 7c3e47b5e22daa70fd9d93bbd9c8ffca1dc4938c Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 17:42:44 -0400 Subject: [PATCH 24/28] linting 2 --- .ansible-lint | 3 +- roles/rke2/defaults/main.yml | 8 +-- .../rke2/tasks/add_ansible_managed_config.yml | 2 +- roles/rke2/tasks/add_manifest_addons.yml | 8 +-- roles/rke2/tasks/calculate_rke2_version.yml | 66 +++++++++---------- roles/rke2/tasks/check_node_ready.yml | 30 ++++----- roles/rke2/tasks/config.yml | 7 +- roles/rke2/tasks/first_server.yml | 18 ++--- roles/rke2/tasks/main.yml | 12 ++-- roles/rke2/tasks/other_nodes.yml | 12 ++-- roles/rke2/tasks/rpm_install.yml | 2 +- roles/rke2/tasks/save_generated_token.yml | 10 +-- 12 files changed, 87 insertions(+), 91 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index ba0c6d31..a90f5bf2 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -8,4 +8,5 @@ warn_list: - var-naming - yaml[comments-indentation] skip_list: - - experimental \ No newline at end of file + - experimental + - yaml[line-length] \ No newline at end of file diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 89059c18..e47a1402 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml 
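Review bot: The added `rke2_full_version.skipped is defined` guard is correct only because attribute lookup on a plain string yields an undefined value, which is not obvious to a reader; `rke2_full_version` appears to be a registered task result in one path and a user-supplied string in the other (the next patch's "from variable source" task). A comment above the `when:` would save the next maintainer from "simplifying" it back, e.g. `# rke2_full_version is a registered result when computed and a plain string when supplied by the user; only the former can carry .skipped`.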
@@ -29,9 +29,9 @@ rke2_versioned_yum_repo: gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes -kubelet_node_name: +rke2_kubelet_node_name: - "nodeNameNotFound" rke2_config: {} -metrics_running: false -node_ready: "false" -api_server_running: false +rke2_metrics_running: false +rke2_node_ready: "false" +rke2_api_server_running: false diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml index 09e8e2fc..29103cd1 100644 --- a/roles/rke2/tasks/add_ansible_managed_config.yml +++ b/roles/rke2/tasks/add_ansible_managed_config.yml @@ -33,5 +33,5 @@ path: "{{ file_destination }}" state: absent when: - - ansible_managed_check.changed | bool is false + - ansible_managed_check.changed | bool is false # noqa no-handler notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index 8397da87..e8421971 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml @@ -8,7 +8,7 @@ - name: Create array of managed files ansible.builtin.set_fact: - managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}" + managed_files: "{{ local_files_find_return.files | map(attribute='path') | map('basename') }}" - name: Add manifest addons files from localhost ansible.builtin.copy: 
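Review bot: `rke2_node_ready: "false"` stays a quoted string while the two sibling flags on the next lines are real booleans, and later in this patch main.yml filters with `selectattr('rke2_node_ready', 'equalto', true)` while check_node_ready.yml assigns `rke2_node_ready: "true"`. As far as I can tell that string-versus-boolean comparison only matches because `set_fact` coerces the strings 'true'/'false' to booleans, a behaviour that does not apply under jinja2_native, in which case `ready_servers` is always empty and the join token is always taken from the first inventory server rather than a server known to be ready. Using booleans in all three places, `rke2_node_ready: false` here and `rke2_node_ready: true` in check_node_ready.yml, removes the dependency.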
@@ -19,17 +19,17 @@ group: root - name: Look up manifest files on remote - find: + ansible.builtin.find: paths: "{{ destination_directory }}" register: remote_files_find_return - name: Create array of remote files ansible.builtin.set_fact: - current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}" + current_files: "{{ remote_files_find_return.files | map(attribute='path') | map('basename') }}" - name: Remove remote files not in managed files list ansible.builtin.file: path: "{{ destination_directory }}/{{ item }}" state: absent - with_items: "{{current_files}}" + with_items: "{{ current_files }}" when: item not in managed_files diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 0010e920..12c0712e 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -35,7 +35,7 @@ # - name: Set rke2_full_version fact # ansible.builtin.set_fact: - # rke2_full_version: "{{ rke2_full_version.stdout if (install_rke2_version | length == 0) else install_rke2_version }}" +# rke2_full_version: "{{ rke2_full_version.stdout if (install_rke2_version | length == 0) else install_rke2_version }}" - name: Set rke2_full_version fact from variable source ansible.builtin.set_fact: 
@@ -55,40 +55,40 @@ - rke2_full_version | length > 0 block: - - name: Set Maj.Min version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" - register: rke2_version_majmin_tmp - changed_when: false - args: - executable: /usr/bin/bash + - name: Set Maj.Min version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" + register: rke2_version_majmin_tmp + changed_when: false + args: + executable: /usr/bin/bash - - name: Set rke2_version_majmin fact - ansible.builtin.set_fact: - rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" + - name: Set rke2_version_majmin fact + ansible.builtin.set_fact: + rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" - - name: Set RPM version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" - register: rke2_version_rpm_tmp - changed_when: false - args: - executable: /usr/bin/bash + - name: Set RPM version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + register: rke2_version_rpm_tmp + changed_when: false + args: + executable: /usr/bin/bash - - name: Set rke2_version_rpm fact - ansible.builtin.set_fact: - rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" + - name: Set rke2_version_rpm fact + ansible.builtin.set_fact: + rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" - - name: Prepend 'dash' to version string - ansible.builtin.set_fact: - rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" - when: - - rke2_version_rpm | length > 0 + - name: Prepend 'dash' to version string + ansible.builtin.set_fact: + rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" + when: + - rke2_version_rpm | length > 0 - # - name: Describe versions - # ansible.builtin.debug: - # msg: - # - "Full version, with revision 
indication: {{ rke2_full_version }}" - # # - "Version without revision indication: {{ rke2_version_dot }}" - # - "Major and Minor Only: {{ rke2_version_majmin }}" - # - "RPM Version (tilde): {{ rke2_version_rpm }}" + # - name: Describe versions + # ansible.builtin.debug: + # msg: + # - "Full version, with revision indication: {{ rke2_full_version }}" + # # - "Version without revision indication: {{ rke2_version_dot }}" + # - "Major and Minor Only: {{ rke2_version_majmin }}" + # - "RPM Version (tilde): {{ rke2_version_rpm }}" diff --git a/roles/rke2/tasks/check_node_ready.yml b/roles/rke2/tasks/check_node_ready.yml index 1ce68e30..e543852d 100644 --- a/roles/rke2/tasks/check_node_ready.yml +++ b/roles/rke2/tasks/check_node_ready.yml @@ -8,18 +8,18 @@ timeout: "{{ check_node_ready_timeout }}" changed_when: false register: api_serve_status - ignore_errors: "{{check_node_ready_ignore_errors}}" + ignore_errors: "{{ check_node_ready_ignore_errors }}" - name: Set fact ansible.builtin.set_fact: - api_server_running: true + rke2_api_server_running: true when: - api_serve_status.state is not undefined - api_serve_status.state == "present" - name: Set fact ansible.builtin.set_fact: - api_server_running: "{{api_server_running}}" + rke2_api_server_running: "{{ rke2_api_server_running }}" - name: Get node_metrics ansible.builtin.uri: 
@@ -31,23 +31,21 @@ register: node_metrics retries: "{{ check_node_ready_retries }}" delay: "{{ check_node_ready_delay }}" - ignore_errors: "{{check_node_ready_ignore_errors}}" + ignore_errors: "{{ check_node_ready_ignore_errors }}" - name: Check that node_metrics collection was successful ansible.builtin.set_fact: - metrics_running: true + rke2_metrics_running: true when: - 200 | string in node_metrics.status | string -- name: Set fact for metrics_running +- name: Set fact for rke2_metrics_running ansible.builtin.set_fact: - metrics_running: "{{metrics_running}}" + rke2_metrics_running: "{{ rke2_metrics_running }}" - name: Extract the kubelet_node_name from node metrics ansible.builtin.set_fact: - kubelet_node_name: "{{ node_metrics.content | \ - regex_search('kubelet_node_name{node=\"(.*)\"}',\ - '\\1') }}" + kubelet_node_name: "{{ node_metrics.content | regex_search('kubelet_node_name{node=\"(.*)\"}', '\\1') }}" when: - 200 | string in node_metrics.status | string @@ -61,22 +59,22 @@ retries: "{{ check_node_ready_retries }}" delay: "{{ check_node_ready_delay }}" changed_when: false - ignore_errors: "{{check_node_ready_ignore_errors}}" + ignore_errors: "{{ check_node_ready_ignore_errors }}" - name: Set fact ansible.builtin.set_fact: - node_ready: "true" + rke2_node_ready: "true" when: - status_result.rc is not undefined - status_result.rc | string == "0" - name: Set fact ansible.builtin.set_fact: - node_ready: "{{node_ready}}" + rke2_node_ready: "{{ rke2_node_ready }}" - name: Node status ansible.builtin.debug: msg: | - "node_ready: {{node_ready}}" - "metrics_running: {{metrics_running}}" - "api_server_running: {{api_server_running}}" + "rke2_node_ready: {{ rke2_node_ready }}" + "rke2_metrics_running: {{ rke2_metrics_running }}" + "rke2_api_server_running: {{ rke2_api_server_running }}" diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index edff3b99..ace77c77 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml 
@@ -3,12 +3,12 @@ # combine host and group vars to form primary rke2_config - name: Combine host and group config vars ansible.builtin.set_fact: - temp_group_rke2_config: "{{cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" + temp_group_rke2_config: "{{ cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" # combine host and group vars to form primary rke2_config - name: Combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + rke2_config: "{{ temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" # write final config - name: Create config.yaml @@ -16,4 +16,5 @@ path: /etc/rancher/rke2/config.yaml block: "{{ rke2_config | to_nice_yaml(indent=0) }}" create: true - notify: Restart {{service_name}} + mode: "0640" + notify: Restart {{ service_name }} diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index facf649b..c126799f 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -12,13 +12,13 @@ enabled: true name: "{{ service_name }}" -- block: - - name: Start check_node_ready.yml - ansible.builtin.include_tasks: check_node_ready.yml - vars: - check_node_ready_timeout: 300 - check_node_ready_retries: 30 - check_node_ready_delay: 10 - check_node_ready_ignore_errors: false +- name: Check_node_ready any_errors_fatal: true - \ No newline at end of file + block: + - name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 300 + check_node_ready_retries: 30 + check_node_ready_delay: 10 + check_node_ready_ignore_errors: false 
diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index f4323928..07cdbc18 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -67,11 +67,7 @@ - name: Create a list of ready servers ansible.builtin.set_fact: - ready_servers: "{{ groups.rke2_servers| - map('extract', hostvars)| - selectattr('node_ready', 'equalto', true)| - map(attribute='inventory_hostname')| - list }}" + ready_servers: "{{ groups.rke2_servers | map('extract', hostvars) | selectattr('rke2_node_ready', 'equalto', true) | map(attribute='inventory_hostname') | list }}" delegate_to: localhost run_once: true @@ -108,7 +104,7 @@ - name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: - token_source_node: "{{groups['rke2_servers'][0]}}" + token_source_node: "{{ groups['rke2_servers'][0] }}" when: - ready_servers | length == 0 @@ -116,7 +112,7 @@ - name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: - token_source_node: "{{ready_servers[0]}}" + token_source_node: "{{ ready_servers[0] }}" when: - ready_servers | length > 0 @@ -131,7 +127,7 @@ - name: Include task file add_manifest_addons.yml ansible.builtin.include_tasks: add_manifest_addons.yml vars: - source_directory: "{{rke2_manifest_config_post_run_directory}}" + source_directory: "{{ rke2_manifest_config_post_run_directory }}" destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_1 when: - rke2_manifest_config_post_run_directory is defined diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 9fdd3ad6..1d004b02 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml 
@@ -8,11 +8,11 @@ timeout: "300" changed_when: false -- name: Include task file add-manifest-addons.yml - ansible.builtin.include_tasks: add-manifest-addons.yml - when: - - manifest_config_file_path is defined - - manifest_config_file_path | length > 0 +# - name: Include task file add-manifest-addons.yml +# ansible.builtin.include_tasks: add-manifest-addons.yml +# when: +# - manifest_config_file_path is defined +# - manifest_config_file_path | length > 0 - name: Generate config.yml on other nodes ansible.builtin.include_tasks: config.yml @@ -24,4 +24,4 @@ ansible.builtin.service: state: started enabled: true - name: "{{ service_name }}" \ No newline at end of file + name: "{{ service_name }}" diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index e9a4fd50..189d60dd 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -27,7 +27,7 @@ - name: YUM-Based Install ansible.builtin.dnf: name: "{{ service_name }}{{ rke2_version_rpm }}" - state: "{{ rke2_package_state}}" + state: "{{ rke2_package_state }}" allow_downgrade: true register: result retries: 10 diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml index fe5df4b6..92400b4a 100644 --- a/roles/rke2/tasks/save_generated_token.yml +++ b/roles/rke2/tasks/save_generated_token.yml 
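Review bot: The commented-out include leaves dead configuration in the task file and still references `add-manifest-addons.yml`, a file name that no longer matches this layout (earlier hunks in this patch edit `roles/rke2/tasks/add_manifest_addons.yml`), so the block cannot simply be uncommented later. Delete it, or if addons on non-first nodes are wanted, point it at `add_manifest_addons.yml` and pass the `source_directory`/`destination_directory` vars the way main.yml's include does.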
@@ -3,18 +3,18 @@ - name: Wait for node-token ansible.builtin.wait_for: path: /var/lib/rancher/rke2/server/node-token - delegate_to: "{{token_source_node}}" + delegate_to: "{{ token_source_node }}" - name: Read node-token from master ansible.builtin.slurp: src: /var/lib/rancher/rke2/server/node-token register: node_token - delegate_to: "{{token_source_node}}" + delegate_to: "{{ token_source_node }}" - name: Store Master node-token ansible.builtin.set_fact: rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" - delegate_to: "{{token_source_node}}" + delegate_to: "{{ token_source_node }}" - name: Set temp fact to store token config line ansible.builtin.set_fact: @@ -23,7 +23,7 @@ - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: - host_rke2_config: "{{temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + host_rke2_config: "{{ temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" - name: Set temp fact for api host ansible.builtin.set_fact: @@ -38,4 +38,4 @@ - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: - host_rke2_config: "{{temp_host_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + host_rke2_config: "{{ temp_host_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" From f84d647d70e5ca395d11e1bc0e6baa3650f0f56e Mon Sep 17 00:00:00 2001 
From: Jacob Hanafin Date: Fri, 26 Jul 2024 16:55:31 -0500 Subject: [PATCH 25/28] Easy win yamllints --- roles/rke2/molecule/rocky-89/molecule.yml | 4 ++-- roles/rke2/molecule/rocky-94/molecule.yml | 4 ++-- roles/rke2/molecule/sles-15/molecule.yml | 4 ++-- roles/rke2/molecule/template/converge.yml | 4 ++-- roles/rke2/molecule/template/create.yml | 4 ++-- roles/rke2/molecule/template/destroy.yml | 4 ++-- roles/rke2/molecule/template/requirements.yml | 2 +- roles/rke2/molecule/ubuntu-2204/molecule.yml | 4 ++-- roles/rke2/molecule/ubuntu-2404/molecule.yml | 4 ++-- 9 files changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/rke2/molecule/rocky-89/molecule.yml b/roles/rke2/molecule/rocky-89/molecule.yml index 31539f3d..aacfede6 100644 --- a/roles/rke2/molecule/rocky-89/molecule.yml +++ b/roles/rke2/molecule/rocky-89/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/rocky-94/molecule.yml b/roles/rke2/molecule/rocky-94/molecule.yml index 33c405eb..8b0808e3 100644 --- a/roles/rke2/molecule/rocky-94/molecule.yml +++ b/roles/rke2/molecule/rocky-94/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/sles-15/molecule.yml b/roles/rke2/molecule/sles-15/molecule.yml index d911f3cd..8fd4ca6a 100644 --- a/roles/rke2/molecule/sles-15/molecule.yml +++ b/roles/rke2/molecule/sles-15/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: 
@@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/template/converge.yml b/roles/rke2/molecule/template/converge.yml index 1966131f..2c5f85ba 100644 --- a/roles/rke2/molecule/template/converge.yml +++ b/roles/rke2/molecule/template/converge.yml @@ -3,9 +3,9 @@ hosts: all gather_facts: true pre_tasks: - - name: Set api_server_host + - name: Set api_server_host ansible.builtin.set_fact: rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" roles: - role: rke2 - become: true \ No newline at end of file + become: true diff --git a/roles/rke2/molecule/template/create.yml b/roles/rke2/molecule/template/create.yml index 50ffe4a9..3008c936 100644 --- a/roles/rke2/molecule/template/create.yml +++ b/roles/rke2/molecule/template/create.yml @@ -19,7 +19,7 @@ default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" default_boot_wait_seconds: 120 default_instance_type: t2.medium - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] default_key_name: "molecule-{{ run_config.run_id }}" default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" default_public_key_path: "{{ default_private_key_path }}.pub" @@ -330,4 +330,4 @@ - name: Wait for boot process to finish ansible.builtin.pause: - seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file + seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" diff --git a/roles/rke2/molecule/template/destroy.yml b/roles/rke2/molecule/template/destroy.yml index ea993823..5ec0eaf4 100644 --- a/roles/rke2/molecule/template/destroy.yml +++ b/roles/rke2/molecule/template/destroy.yml 
@@ -16,7 +16,7 @@ # Platform settings handling default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] default_key_name: "molecule-{{ run_config.run_id }}" default_security_group_name: "molecule-{{ run_config.run_id }}" @@ -140,4 +140,4 @@ loop_control: index_var: index label: "{{ item.name }}" - when: item.key_inject_method == "ec2" \ No newline at end of file + when: item.key_inject_method == "ec2" diff --git a/roles/rke2/molecule/template/requirements.yml b/roles/rke2/molecule/template/requirements.yml index 4ece6bc1..35a10503 100644 --- a/roles/rke2/molecule/template/requirements.yml +++ b/roles/rke2/molecule/template/requirements.yml @@ -2,4 +2,4 @@ collections: - name: ansible.utils - name: amazon.aws - - name: community.crypto \ No newline at end of file + - name: community.crypto diff --git a/roles/rke2/molecule/ubuntu-2204/molecule.yml b/roles/rke2/molecule/ubuntu-2204/molecule.yml index 5977f8db..96dddaa1 100644 --- a/roles/rke2/molecule/ubuntu-2204/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2204/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/ubuntu-2404/molecule.yml b/roles/rke2/molecule/ubuntu-2404/molecule.yml index dbdc8b2c..dea82735 100644 --- a/roles/rke2/molecule/ubuntu-2404/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2404/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible From b8b580c38d2276baf56e2c325059cd359c63940b Mon Sep 17 00:00:00 2001 
From: Jacob Hanafin Date: Fri, 2 Aug 2024 10:47:01 -0500 Subject: [PATCH 26/28] yes/no are not bools --- .yamllint | 2 -- roles/rke2/defaults/main.yml | 4 ++-- roles/rke2/tasks/add_ansible_managed_config.yml | 2 +- roles/rke2/tasks/calculate_rke2_version.yml | 13 ++++++------- roles/rke2/tasks/cis_hardening.yml | 4 ++-- roles/rke2/tasks/configure_rke2.yml | 2 +- roles/rke2/tasks/network_manager_fix.yaml | 6 +++--- roles/rke2/tasks/pre_reqs.yml | 4 ++-- roles/rke2/tasks/tarball_install.yml | 10 +++++----- roles/rke2/tasks/wait_for_rke2.yml | 2 +- roles/testing/tasks/basic_tests.yml | 2 +- testing.yml | 2 +- 12 files changed, 25 insertions(+), 28 deletions(-) diff --git a/.yamllint b/.yamllint index c2321b0f..b2e05b7f 100644 --- a/.yamllint +++ b/.yamllint @@ -5,8 +5,6 @@ rules: line-length: max: 120 level: warning - truthy: - allowed-values: ['true', 'false', 'yes', 'no'] ignore: | .github/ diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index e47a1402..ed16321c 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -20,7 +20,7 @@ rke2_common_yum_repo: baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/common/centos/$releasever/noarch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" - enabled: yes + enabled: true rke2_versioned_yum_repo: name: "rancher-rke2-v{{ rke2_version_majmin }}" # noqa jinja[spacing] @@ -28,7 +28,7 @@ rke2_versioned_yum_repo: baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/{{ rke2_version_majmin }}/centos/$releasever/$basearch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" - enabled: yes + enabled: true rke2_kubelet_node_name: - "nodeNameNotFound" rke2_config: {} diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml index 29103cd1..cb07f931 100644 --- a/roles/rke2/tasks/add_ansible_managed_config.yml +++ b/roles/rke2/tasks/add_ansible_managed_config.yml 
@@ -24,7 +24,7 @@ name: "{{ file_destination }}" line: '## This is an Ansible managed file, contents will be overwritten ##' state: present - check_mode: yes + check_mode: true register: ansible_managed_check when: stat_result.stat.exists | bool is true diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 12c0712e..7c0a939d 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -85,10 +85,9 @@ when: - rke2_version_rpm | length > 0 - # - name: Describe versions - # ansible.builtin.debug: - # msg: - # - "Full version, with revision indication: {{ rke2_full_version }}" - # # - "Version without revision indication: {{ rke2_version_dot }}" - # - "Major and Minor Only: {{ rke2_version_majmin }}" - # - "RPM Version (tilde): {{ rke2_version_rpm }}" +# - name: Describe versions +# ansible.builtin.debug: +# msg: +# - "Full version, with revision indication: {{ rke2_full_version }}" +# - "Major and Minor Only: {{ rke2_version_majmin }}" +# - "RPM Version (tilde): {{ rke2_version_rpm }}" diff --git a/roles/rke2/tasks/cis_hardening.yml b/roles/rke2/tasks/cis_hardening.yml index dec33eb2..b2d194b2 100644 --- a/roles/rke2/tasks/cis_hardening.yml +++ b/roles/rke2/tasks/cis_hardening.yml @@ -1,7 +1,7 @@ --- - name: CIS MODE - become: yes + become: true when: - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or @@ -38,7 +38,7 @@ ansible.builtin.copy: src: /usr/local/share/rke2/rke2-cis-sysctl.conf dest: /etc/sysctl.d/60-rke2-cis.conf - remote_src: yes + remote_src: true mode: 0600 register: sysctl_operation_tarball when: diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 6036a23a..5673884c 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml 
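Review bot: `mode: 0600` two lines below the changed `remote_src: true` in cis_hardening.yml is an unquoted octal, which YAML 1.1 loaders read as an integer and which ansible-lint's risky-octal rule flags; since this commit is specifically about YAML scalar typing, quoting it, `mode: "0600"`, belongs in the same sweep. The same unquoted `mode: 0600` sits in the network_manager_fix.yaml hunk of this patch.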
@@ -4,7 +4,7 @@ ansible.builtin.file: path: /etc/rancher/rke2 state: directory - recurse: yes + recurse: true - name: Run CIS-Hardening Tasks ansible.builtin.include_tasks: cis_hardening.yml diff --git a/roles/rke2/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml index 95037c33..4e61c1eb 100644 --- a/roles/rke2/tasks/network_manager_fix.yaml +++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -10,7 +10,7 @@ block: | [keyfile] unmanaged-devices=interface-name:cali*;interface-name:flannel* - create: yes + create: true mode: 0600 when: ansible_facts.services["NetworkManager.service"] is defined @@ -31,7 +31,7 @@ - name: Disable service nm-cloud-setup ansible.builtin.systemd: name: nm-cloud-setup.service - enabled: no + enabled: false state: stopped when: ansible_facts.services["nm-cloud-setup.service"] is defined notify: @@ -42,7 +42,7 @@ ansible.builtin.systemd: name: nm-cloud-setup.timer state: stopped - enabled: no + enabled: false when: ansible_facts.services["nm-cloud-setup.service"] is defined notify: - Reload NetworkManager diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index e6aa81b6..3a47e02e 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -6,7 +6,7 @@ ansible.builtin.systemd: name: firewalld state: stopped - enabled: no + enabled: false when: - ansible_facts.services["firewalld.service"] is defined - ansible_facts.services["firewalld.service"].status != "not-found" @@ -18,7 +18,7 @@ - name: Add server iptables rules ansible.builtin.include_tasks: iptables_rules.yml when: - # - ansible_facts.services["iptables.service"] is defined + # - ansible_facts.services["iptables.service"] is defined - rke2_add_iptables_rules | bool - name: Add fapolicyd rules diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 3247d6ba..8f857bd2 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml 
@@ -139,7 +139,7 @@
mode: '0644'
owner: root
group: root
- remote_src: yes
+ remote_src: true
when:
- inventory_hostname in groups['rke2_servers']
@@ -150,7 +150,7 @@
mode: '0644'
owner: root
group: root
- remote_src: yes
+ remote_src: true
when:
- inventory_hostname in groups['rke2_servers']
@@ -161,7 +161,7 @@
mode: '0644'
owner: root
group: root
- remote_src: yes
+ remote_src: true
when:
- inventory_hostname in groups.get('rke2_agents', [])
@@ -172,13 +172,13 @@
mode: '0644'
owner: root
group: root
- remote_src: yes
+ remote_src: true
when:
- inventory_hostname in groups.get('rke2_agents', [])
- name: TARBALL | Refreshing systemd unit files
ansible.builtin.systemd:
- daemon-reload: yes
+ daemon-reload: true
- name: Remove the temp_dir
ansible.builtin.file:
diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml
index 04ec0d94..ea027d97 100644
--- a/roles/rke2/tasks/wait_for_rke2.yml
+++ b/roles/rke2/tasks/wait_for_rke2.yml
@@ -7,7 +7,7 @@
ansible.builtin.systemd:
name: "{{ service_name }}"
state: started
- enabled: yes
+ enabled: true
- name: Wait for k8s apiserver
ansible.builtin.wait_for:
diff --git a/roles/testing/tasks/basic_tests.yml b/roles/testing/tasks/basic_tests.yml
index 5eb79a40..d4ff5c5a 100644
--- a/roles/testing/tasks/basic_tests.yml
+++ b/roles/testing/tasks/basic_tests.yml
@@ -9,7 +9,7 @@
ansible.builtin.lineinfile:
path: /etc/rancher/rke2/config.yaml
line: "selinux: true"
- check_mode: yes
+ check_mode: true
register: test_is_selinux_true
- name: Assertions
diff --git a/testing.yml b/testing.yml
index 8e6c89be..57be9470 100644
--- a/testing.yml
+++ b/testing.yml
@@ -1,6 +1,6 @@
---
- name: Testing play
hosts: all
- become: yes
+ become: true
roles:
- role: testing
From 3c3eaab2af84dc90b3f06358f9ecc11e421d1453 Mon Sep 17 00:00:00 2001
From: Jacob Hanafin <43078293+Daemonslayer2048@users.noreply.github.com>
Date: Tue, 1 Oct 2024 15:03:21 -0500
Subject: [PATCH 27/28] Create galaxy.yml
---
galaxy.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 galaxy.yml
diff --git a/galaxy.yml b/galaxy.yml
new file mode 100644
index 00000000..4e52df6b
--- /dev/null
+++ b/galaxy.yml
@@ -0,0 +1,22 @@
+---
+namespace: rancherfederal
+name: rke2_ansible
+version: 1.0.0
+readme: README.md
+authors:
+ - Rancher Government
+description: Collection for rancherfederal/rke2-ansible
+
+license_file: 'LICENSE'
+
+tags: [infrastructure, linux, kubernetes, rancher, rke2]
+
+repository: https://github.com/rancherfederal/rke2-ansible
+documentation: https://github.com/rancherfederal/rke2-ansible
+homepage: https://github.com/rancherfederal/rke2-ansible
+issues: https://github.com/rancherfederal/rke2-ansible/issues
+
+build_ignore:
+ - tarball_install/*
+ - testing
+ - .github
From b31aa884ad442d4f017739e9ba124e4555231137 Mon Sep 17 00:00:00 2001
From: Jacob Hanafin <43078293+Daemonslayer2048@users.noreply.github.com>
Date: Wed, 16 Oct 2024 10:27:21 -0500
Subject: [PATCH 28/28] Update variable in example hosts.yml
install_rke2_version was renamed to rke2_install_version
---
inventory/sample/hosts.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml
index 8beb932f..82aeab26 100644
--- a/inventory/sample/hosts.yml
+++ b/inventory/sample/hosts.yml
@@ -1,7 +1,7 @@
---
all:
vars:
- install_rke2_version: v1.27.10+rke2r1
+ rke2_install_version: v1.27.10+rke2r1
# # In air-gapped envs, it might be convenient to download the tar files from custom URLs
# rke2_install_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz
# rke2_image_tar_urls:
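Review bot: The `build_ignore` list in the new galaxy.yml has an entry `testing`, which as a collection-root glob only matches a top-level path of exactly that name; the test play and role that appear elsewhere in this series (`testing.yml` at the root and `roles/testing/`) would still be packaged into the published artifact if that entry was meant to exclude them. If that is the intent, spell the patterns out, `- testing.yml` and `- roles/testing`, and keep `- testing` only if a directory of that name actually exists at the root. I cannot see the repository layout from the patch, so treat this as something to confirm rather than a certain defect.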
