large number of changes 01

.gitignore

@@ -5,9 +5,5 @@ venv/
 
 test_inventory*
 
-rke2-images.linux-amd64.tar.gz
-rke2.linux-amd64.tar.gz
-
-
-tarball_install/*
-!tarball_install/README.md
+sample_files/tarball_install/*
+!sample_files/tarball_install/README.md

roles/rke2/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 rke2_kubernetes_api_server_host: ""
 rke2_tarball_install_dir: "/usr/local"
-rke2_local_install_tarball_path: ""
+rke2_install_local_tarball_path: ""
 rke2_install_tarball_url: ""
 rke2_images_urls: []
 rke2_images_local_tarball_path: []
@@ -10,8 +10,8 @@ rke2_audit_policy_config_file_path: ""
 rke2_registry_config_file_path: ""
 rke2_pod_security_admission_config_file_path: ""
 rke2_add_iptables_rules: false
-rke2_initial_manifest_config_file_path: ""
-rke2_cluster_manifest_config_file_path: ""
+rke2_manifest_config_directory: ""
+rke2_manifest_config_post_run_directory: ""
 rke2_force_tarball_install: false
 rke2_install_version: ""
 rke2_common_yum_repo:
@@ -29,5 +29,9 @@ rke2_versioned_yum_repo:
   gpgcheck: true
   gpgkey: "https://rpm.rancher.io/public.key"
   enabled: yes
-
+kubelet_node_name:
+  - "nodeNameNotFound"
 rke2_config: {}
+metrics_running: false
+node_ready: "false"
+api_server_running: false

roles/rke2/handlers/main.yml

@@ -17,16 +17,16 @@
 - name: Restart rke2-server
   ansible.builtin.service:
     state: restarted
+    enabled: true
     name: rke2-server
-  throttle: 1
   when:
     - not rke2_reboot
 
 - name: Restart rke2-agent
   ansible.builtin.service:
     state: restarted
+    enabled: true
     name: rke2-agent
-  throttle: 1
   when:
     - not rke2_reboot
 

roles/rke2/tasks/add_manifest_addons.yml

@@ -1,9 +1,35 @@
 ---
 
-- name: Add manifest addons files
+- name: look up manifest files on localhost
+  find:
+    paths: "{{ source_directory }}"
+  register: local_files_find_return
+  delegate_to: localhost
+
+- name: create array of managed files
+  ansible.builtin.set_fact:
+    managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}"
+
+- name: Add manifest addons files from localhost
   ansible.builtin.copy:
-    src: "{{ src }}"
-    dest: "/var/lib/rancher/rke2/server/manifests/"
+    src: "{{ source_directory | regex_replace('\\/$', '') }}/"
+    dest: "{{ destination_directory }}"
     mode: '0640'
     owner: root
     group: root
+
+- name: look up manifest files on remote
+  find:
+    paths: "{{ destination_directory }}"
+  register: remote_files_find_return
+
+- name: create array of remote files
+  ansible.builtin.set_fact:
+    current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}"
+
+- name: remove remote files not in managed files list
+  ansible.builtin.file:
+    path: "{{ destination_directory }}/{{ item }}"
+    state: absent
+  with_items: "{{current_files}}"
+  when: item not in managed_files

roles/rke2/tasks/check_node_ready.yml

@@ -0,0 +1,80 @@
+- name: Wait for k8s apiserver
+  ansible.builtin.wait_for:
+    host: localhost
+    port: "6443"
+    state: present
+    timeout: "{{ check_node_ready_timeout }}"
+  changed_when: false
+  register: api_serve_status
+  ignore_errors: "{{check_node_ready_ignore_errors}}"
+
+- name: set fact
+  ansible.builtin.set_fact:
+    api_server_running: true
+  when: 
+  - api_serve_status.state is not undefined
+  - api_serve_status.state == "present"
+
+- name: set fact
+  ansible.builtin.set_fact:
+    api_server_running: "{{api_server_running}}"
+
+- name: Get node_metrics
+  ansible.builtin.uri:
+    url: https://localhost:10250/metrics
+    return_content: true
+    ca_path: /var/lib/rancher/rke2/server/tls/server-ca.crt
+    client_cert: /var/lib/rancher/rke2/server/tls/client-admin.crt
+    client_key: /var/lib/rancher/rke2/server/tls/client-admin.key
+  register: node_metrics
+  retries: "{{ check_node_ready_retries }}"
+  delay: "{{ check_node_ready_delay }}"
+  ignore_errors: "{{check_node_ready_ignore_errors}}"
+
+- name: Check that node_metrics collection was successful
+  ansible.builtin.set_fact:
+    metrics_running: true
+  when:
+  - 200 | string in node_metrics.status | string
+
+- name: set fact for metrics_running
+  ansible.builtin.set_fact:
+    metrics_running: "{{metrics_running}}"
+
+- name: Extract the kubelet_node_name from node metrics
+  ansible.builtin.set_fact:
+    kubelet_node_name: "{{ node_metrics.content | \
+      regex_search('kubelet_node_name{node=\"(.*)\"}',\
+      '\\1') }}"
+  when: 
+  - 200 | string in node_metrics.status | string
+
+- name: Wait for node to show Ready status
+  ansible.builtin.command: >-
+    /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml
+    --server https://127.0.0.1:6443 get no {{ kubelet_node_name[0] }}
+    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
+  register: status_result
+  until: status_result.stdout.find("True") != -1
+  retries: "{{ check_node_ready_retries }}"
+  delay: "{{ check_node_ready_delay }}"
+  changed_when: false
+  ignore_errors: "{{check_node_ready_ignore_errors}}"
+
+- name: set fact
+  ansible.builtin.set_fact:
+    node_ready: "true"
+  when:
+  - status_result.rc is not undefined
+  - status_result.rc | string == "0"
+
+- name: set fact
+  ansible.builtin.set_fact:
+    node_ready: "{{node_ready}}"
+
+- name: node status
+  debug:
+    msg: |
+      "node_ready: {{node_ready}}"
+      "metrics_running: {{metrics_running}}"
+      "api_server_running: {{api_server_running}}"

roles/rke2/tasks/cis_hardening.yml

@@ -2,7 +2,10 @@
 
 - name: CIS MODE
   become: yes
-  when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')
+  when: 
+  - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or
+    (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or
+    (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$'))
   block:
     - name: Create etcd group
       ansible.builtin.group: