rancherfederal · aleiner · Jun 7, 2024 · Jun 17, 2024 · Jun 17, 2024 · Jun 18, 2024
diff --git a/.ansible-lint b/.ansible-lint
@@ -8,4 +8,5 @@ warn_list:
   - var-naming
   - yaml[comments-indentation]
 skip_list:
-  - experimental
+  - experimental
+  - yaml[line-length]
diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore
@@ -1,4 +1,8 @@
 # This file contains ignores rule violations for ansible-lint
 
 roles/testing/tasks/troubleshooting.yml ignore-errors
-inventory/sample/hosts.yml yaml[line-length]
+inventory/sample/hosts.yml yaml[line-length]
+inventory/sample/hosts.yml yaml[comments-indentation]
+roles/rke2/tasks/add-audit-policy-config.yml no-handler
+roles/rke2/tasks/add-pod-security-admission-config.yml no-handler
+roles/rke2/tasks/add-registry-config.yml no-handler
diff --git a/.github/workflows/rocky8.yml b/.github/workflows/rocky8.yml
@@ -119,7 +119,7 @@ jobs:
           echo "        $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml
           echo "all:" >> hosts.yml
           echo "  vars:" >> hosts.yml
-          echo "    kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
+          echo "    rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
           echo "" >> ansible.cfg
           echo "" >> ansible.cfg
           echo "remote_user=centos" >> ansible.cfg
@@ -172,7 +172,7 @@ jobs:
           echo "        $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml
           echo "all:" >> hosts.yml
           echo "  vars:" >> hosts.yml
-          echo "    kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
+          echo "    rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
           cp hosts.yml inventory/rocky8/hosts.yml
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

diff --git a/.github/workflows/ubuntu20.yml b/.github/workflows/ubuntu20.yml
@@ -117,7 +117,7 @@ jobs:
           echo "        $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml
           echo "all:" >> hosts.yml
           echo "  vars:" >> hosts.yml
-          echo "    kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
+          echo "    rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
           echo "" >> ansible.cfg
           echo "" >> ansible.cfg
           echo "remote_user=ubuntu" >> ansible.cfg
@@ -170,7 +170,7 @@ jobs:
           echo "        $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml
           echo "all:" >> hosts.yml
           echo "  vars:" >> hosts.yml
-          echo "    kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
+          echo "    rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml
           cp hosts.yml inventory/ubuntu20/hosts.yml
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

diff --git a/.gitignore b/.gitignore
@@ -2,12 +2,9 @@
 .cache/
 
 venv/
+.venv/
 
 test_inventory*
 
-rke2-images.linux-amd64.tar.gz
-rke2.linux-amd64.tar.gz
-
-
-tarball_install/*
-!tarball_install/README.md
+sample_files/tarball_install/*
+!sample_files/tarball_install/README.md
diff --git a/.yamllint b/.yamllint
@@ -5,8 +5,6 @@ rules:
   line-length:
     max: 120
     level: warning
-  truthy:
-    allowed-values: ['true', 'false', 'yes', 'no']
 
 ignore: |
   .github/

diff --git a/README.md b/README.md
@@ -109,7 +109,7 @@ Kubeconfig
 To get access to your **Kubernetes** cluster just
 
 ```bash
-ssh ec2-user@kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes"
+ssh ec2-user@rke2_kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes"
 ```
 
 Available configurations

diff --git a/ansible.cfg b/ansible.cfg
@@ -12,3 +12,4 @@ host_key_checking = False
 deprecation_warnings = False
 callback_whitelist = profile_roles, timer
 display_skipped_hosts = no
+force_handlers = True
diff --git a/galaxy.yml b/galaxy.yml
@@ -0,0 +1,22 @@
+---
+namespace: rancherfederal
+name: rke2_ansible
+version: 1.0.0
+readme: README.md
+authors:
+  - Rancher Government <[email protected]>
+description: Collection for rancherfederal/rke2-ansible
+
+license_file: 'LICENSE'
+
+tags: [infrastructure, linux, kubernetes, rancher, rke2]
+
+repository: https://github.com/rancherfederal/rke2-ansible
+documentation: https://github.com/rancherfederal/rke2-ansible
+homepage: https://github.com/rancherfederal/rke2-ansible
+issues: https://github.com/rancherfederal/rke2-ansible/issues
+
+build_ignore:
+  - tarball_install/*
+  - testing
+  - .github
diff --git a/inventory/sample/group_vars/rke2_agents.yml b/inventory/sample/group_vars/rke2_agents.yml
@@ -7,4 +7,4 @@ rke2_config: {}
 
 # See https://docs.rke2.io/install/containerd_registry_configuration/
 # Add a registry configuration file by specifying the file path on the control host
-# registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
+# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml
@@ -36,11 +36,11 @@ rke2_config: {}
 
 # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
 # Add a policy configuration file by specifying the file path on the control host
-# audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml"
+# rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml"
 
 # See https://docs.rke2.io/install/containerd_registry_configuration/
 # Add a registry configuration file by specifying the file path on the control host
-# registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
+# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
 
 # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
 # Add manifest files by specifying the directory path on the control host
@@ -50,4 +50,4 @@ rke2_config: {}
 # Available in RKE2 1.25+
 # Add a pod security admission config file by specifying the file path on the control host
 # Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored
-# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
+# rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml"
diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml
@@ -1,13 +1,16 @@
 ---
 all:
   vars:
-    install_rke2_version: v1.27.10+rke2r1
+    rke2_install_version: v1.27.10+rke2r1
     # # In air-gapped envs, it might be convenient to download the tar files from custom URLs
-    # rke2_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz
+    # rke2_install_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz
     # rke2_image_tar_urls:
     # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst
     # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst
 
+    # Or specify a tarball that's been prestaged on the ansible control host
+    # rke2_binary_tarball: {{ inventory_dir }}/tarball/rke2.linux-amd64.tar.gz
+
 rke2_cluster:
   children:
     rke2_servers:
@@ -19,16 +22,16 @@
        rke2_config:
          node-label:
            - serverGroupLabel=true
          # profile: cis-1.6
          # kube-controller-manager-arg:
          # - "tls-min-version=VersionTLS12"
          # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
          # kube-scheduler-arg:
          # - "tls-min-version=VersionTLS12"
          # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
          # kube-apiserver-arg:
          # - "tls-min-version=VersionTLS12"
          # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
          # - "enable-admission-plugins=ValidatingAdmissionWebhook,NodeRestriction,PodSecurityPolicy"
          # - "request-timeout=300s"
          # # Enable only when auditing is enabled, blocks API when audit fails
@@ -46,10 +49,10 @@
           # write-kubeconfig-mode: "0640"
           # # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
           # # Add a policy configuration file by specifying the file path on the control host
-          # audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml"
+          # rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml"
           # # See https://docs.rke2.io/install/containerd_registry_configuration/
           # # Add a registry configuration file by specifying the file path on the control host
-          # registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
+          # rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
           # # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
           # # Add manifest files by specifying the directory path on the control host
           # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"
@@ -60,7 +63,7 @@
        server0.example.com:
          node_labels:
            - server0Label=true
          # node_ip: "10.10.10.10"
          # node_name: "server0.example.com"
          # bind_address: "10.10.10.10"
          # advertise_address: "10.10.10.10"

diff --git a/roles/cluster_manifest/tasks/main.yml b/roles/cluster_manifest/tasks/main.yml
diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml
@@ -0,0 +1,37 @@
+---
+rke2_kubernetes_api_server_host: ""
+rke2_tarball_install_dir: "/usr/local"
+rke2_install_local_tarball_path: ""
+rke2_install_tarball_url: ""
+rke2_images_urls: []
+rke2_images_local_tarball_path: []
+rke2_channel: "stable"
+rke2_audit_policy_config_file_path: ""
+rke2_registry_config_file_path: ""
+rke2_pod_security_admission_config_file_path: ""
+rke2_add_iptables_rules: false
+rke2_manifest_config_directory: ""
+rke2_manifest_config_post_run_directory: ""
+rke2_force_tarball_install: false
+rke2_install_version: ""
+rke2_common_yum_repo:
+  name: rancher-rke2-common
+  description: "Rancher RKE2 Common Latest"
+  baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/common/centos/$releasever/noarch"
+  gpgcheck: true
+  gpgkey: "https://rpm.rancher.io/public.key"
+  enabled: true
+
+rke2_versioned_yum_repo:
+  name: "rancher-rke2-v{{ rke2_version_majmin }}"  # noqa jinja[spacing]
+  description: "Rancher RKE2 Version"
+  baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/{{ rke2_version_majmin }}/centos/$releasever/$basearch"
+  gpgcheck: true
+  gpgkey: "https://rpm.rancher.io/public.key"
+  enabled: true
+rke2_kubelet_node_name:
+  - "nodeNameNotFound"
+rke2_config: {}
+rke2_metrics_running: false
+rke2_node_ready: "false"
+rke2_api_server_running: false
diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml
@@ -0,0 +1,47 @@
+---
+
+- name: Restart systemd-sysctl
+  ansible.builtin.service:
+    state: restarted
+    name: systemd-sysctl
+  when:
+    - not rke2_reboot
+
+- name: Restart fapolicyd
+  ansible.builtin.service:
+    state: restarted
+    name: fapolicyd
+  when:
+    - not rke2_reboot
+
+- name: Restart rke2-server
+  ansible.builtin.service:
+    state: restarted
+    enabled: true
+    name: rke2-server
+  throttle: 1
+  when:
+    - not rke2_reboot
+
+- name: Restart rke2-agent
+  ansible.builtin.service:
+    state: restarted
+    enabled: true
+    name: rke2-agent
+  throttle: 1
+  when:
+    - not rke2_reboot
+
+- name: Reload NetworkManager
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: reloaded
+  when:
+    - not rke2_reboot
+
+- name: Reboot the machine
+  ansible.builtin.reboot:
+    reboot_timeout: 300
+  throttle: 1
+  when:
+    - rke2_reboot
diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md
@@ -0,0 +1,59 @@
+# Molecule Scenarios    
+| Scenario    | Passing |
+| ----------- | ------- |
+| rocky-89    | False   |
+| rocky-94    | True    | 
+| ubuntu-2404 | True    |
+| ubuntu-2204 | True    |
+| sles-15     | False   |
+
+## template  
+As the name would imply this is a template scenario, no one is supposed to run this and it will not ever work. The purpose is to prevent other scenarios from having to rewrite or copy from one another, this also allows changes to be shared across all scenarios that are descendants of the template.
+
+## rocky-94
+The rocky-94 scenario is the simplest possible scenario, with a single Rocky 9.4 master node and a single Rocky 9.4 worker node. 
+
+## rocky-89
+The rocky-89 scenario is the simplest possible scenario, with a single Rocky 8.9 master node and a single Rocky 8.9 worker node. 
+
+## ubuntu-2404
+The ubuntu-2204 scenario is the simplest possible scenario, with a single Ubuntu 24.04 master node and a single Ubuntu 24.04 worker node. 
+
+## ubuntu-2204
+The ubuntu-2404 scenario is the simplest possible scenario, with a single Ubuntu 22.04 master node and a single Ubuntu 22.04 worker node. 
+
+
+---   
+# Development  
+## Required ENV Vars
+| Name                  | Purpose |   
+| --------------------- | ------- | 
+| AWS_ACCESS_KEY_ID     | Access to AWS |  
+| AWS_SECRET_ACCESS_KEY | Access to AWS |  
+| VPC_SUBNET_ID         | Subnet to assign EC2s to |   
+
+## Summary  
+The molecule test scenarios are based on the cookie cutter ec2 instance and require the molecule plugin here: [molecule-plugin](https://github.com/ansible-community/molecule-plugins), the pip3 `requirements.txt` can be found in this directory while the ansible specfic requirements will be installed automatically when running molecule as a part of the `requirements` stage.   
+As this is an ec2 based scenario an AWS account is needed, you will need to define the following variables either as environment variables or in your aws cli config file (`~/.aws/config`)
+
+```
+export AWS_ACCESS_KEY_ID=""
+export AWS_SECRET_ACCESS_KEY=""
+```  
+
+or  
+```
+[default]
+aws_access_key_id=
+aws_secret_access_key=
+```
+
+It is worth noting that the EC2 driver does not provide a way to login to EC2 instances, this needs to be done manually, your ssh key can be found in `~/.cache/molecule/rke2/default/id_rsa` and the default user is `ansible`, you will be able to login like so:  
+`ssh [email protected] -i ~/.cache/molecule/rke2/default/id_rsa` note that the keys location is dependant on the scenario name. 
+
+The `vpc_subnet_id` key has been removed as a defined variable and is pulled from the environment variable `VPC_SUBNET_ID`. Other than the AWS keys needed this is the only environment variable required. 
+
+# To Do
+  - Add tests
+    - Ensure node labels are applied
+    - Ensure setting CIS profile works as expected
diff --git a/roles/rke2/molecule/requirements.txt b/roles/rke2/molecule/requirements.txt
@@ -0,0 +1,28 @@
+ansible-compat==24.7.0
+ansible-core==2.17.2
+attrs==23.2.0
+bracex==2.4
+cffi==1.16.0
+click==8.1.7
+click-help-colors==0.9.4
+cryptography==42.0.8
+enrich==1.2.7
+Jinja2==3.1.4
+jsonschema==4.23.0
+jsonschema-specifications==2023.12.1
+markdown-it-py==3.0.0
+MarkupSafe==2.1.5
+mdurl==0.1.2
+molecule==24.7.0
+molecule-plugins==23.5.3
+packaging==24.1
+pluggy==1.5.0
+pycparser==2.22
+Pygments==2.18.0
+PyYAML==6.0.1
+referencing==0.35.1
+resolvelib==1.0.1
+rich==13.7.1
+rpds-py==0.19.0
+subprocess-tee==0.4.2
+wcmatch==8.5.2