From 163cf74f4627cfe709f78320232b8a6f4b6642f1 Mon Sep 17 00:00:00 2001 From: Mike DAmato Date: Tue, 23 Jul 2024 14:29:04 -0400 Subject: [PATCH] large number of changes 01 --- .gitignore | 8 +- roles/rke2/defaults/main.yml | 12 +- roles/rke2/handlers/main.yml | 4 +- roles/rke2/tasks/add_manifest_addons.yml | 32 ++- roles/rke2/tasks/check_node_ready.yml | 80 ++++++ roles/rke2/tasks/cis_hardening.yml | 5 +- roles/rke2/tasks/config.yml | 265 +----------------- roles/rke2/tasks/configure_rke2.yml | 8 +- roles/rke2/tasks/first_server.yml | 30 +- roles/rke2/tasks/main.yml | 74 +++-- roles/rke2/tasks/other_nodes.yml | 42 +-- roles/rke2/tasks/pre_reqs.yml | 2 +- roles/rke2/tasks/save_generated_token.yml | 44 +++ roles/rke2/tasks/tarball_install.yml | 56 ++-- .../manifest-example.yaml | 0 .../tarball_install}/README.md | 0 16 files changed, 286 insertions(+), 376 deletions(-) create mode 100644 roles/rke2/tasks/check_node_ready.yml create mode 100644 roles/rke2/tasks/save_generated_token.yml rename sample_files/{manifest => manifests}/manifest-example.yaml (100%) rename {tarball_install => sample_files/tarball_install}/README.md (100%) diff --git a/.gitignore b/.gitignore index 782a0c73..0e9ac3cb 100644 --- a/.gitignore +++ b/.gitignore @@ -5,9 +5,5 @@ venv/ test_inventory* -rke2-images.linux-amd64.tar.gz -rke2.linux-amd64.tar.gz - - -tarball_install/* -!tarball_install/README.md \ No newline at end of file +sample_files/tarball_install/* +!sample_files/tarball_install/README.md \ No newline at end of file diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index b6371180..15700aea 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,7 +1,7 @@ --- rke2_kubernetes_api_server_host: "" rke2_tarball_install_dir: "/usr/local" -rke2_local_install_tarball_path: "" +rke2_install_local_tarball_path: "" rke2_install_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] 
@@ -10,8 +10,8 @@ rke2_audit_policy_config_file_path: "" rke2_registry_config_file_path: "" rke2_pod_security_admission_config_file_path: "" rke2_add_iptables_rules: false -rke2_initial_manifest_config_file_path: "" -rke2_cluster_manifest_config_file_path: "" +rke2_manifest_config_directory: "" +rke2_manifest_config_post_run_directory: "" rke2_force_tarball_install: false rke2_install_version: "" rke2_common_yum_repo: @@ -29,5 +29,9 @@ rke2_versioned_yum_repo: gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes - +kubelet_node_name: + - "nodeNameNotFound" rke2_config: {} +metrics_running: false +node_ready: "false" +api_server_running: false \ No newline at end of file diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index 0c0a6258..bfd8f5e6 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -17,16 +17,16 @@ - name: Restart rke2-server ansible.builtin.service: state: restarted + enabled: true name: rke2-server - throttle: 1 when: - not rke2_reboot - name: Restart rke2-agent ansible.builtin.service: state: restarted + enabled: true name: rke2-agent - throttle: 1 when: - not rke2_reboot diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index 0b55cc88..909693c7 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml 
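Review bot: Removing `throttle: 1` from the `Restart rke2-server` handler means every server host in the play restarts concurrently when handlers are flushed (other_nodes.yml now calls `flush_handlers` on all nodes at the same point), and on a three-server control plane a simultaneous restart can drop etcd below quorum for the duration of the restart window. As far as the diff shows, that throttle was the only serialization of control-plane restarts; if it was dropped because `throttle` is not honoured on handlers in the targeted ansible-core version, the reason belongs in a comment. Either keep `throttle: 1` on the rke2-server handler or serialize the play with `serial: 1` for the `rke2_servers` group.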
@@ -1,9 +1,35 @@ --- -- name: Add manifest addons files +- name: look up manifest files on localhost + find: + paths: "{{ source_directory }}" + register: local_files_find_return + delegate_to: localhost + +- name: create array of managed files + ansible.builtin.set_fact: + managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}" + +- name: Add manifest addons files from localhost ansible.builtin.copy: - src: "{{ src }}" - dest: "/var/lib/rancher/rke2/server/manifests/" + src: "{{ source_directory | regex_replace('\\/$', '') }}/" + dest: "{{ destination_directory }}" mode: '0640' owner: root group: root + +- name: look up manifest files on remote + find: + paths: "{{ destination_directory }}" + register: remote_files_find_return + +- name: create array of remote files + ansible.builtin.set_fact: + current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}" + +- name: remove remote files not in managed files list + ansible.builtin.file: + path: "{{ destination_directory }}/{{ item }}" + state: absent + with_items: "{{current_files}}" + when: item not in managed_files diff --git a/roles/rke2/tasks/check_node_ready.yml b/roles/rke2/tasks/check_node_ready.yml new file mode 100644 index 00000000..a69e5831 --- /dev/null +++ b/roles/rke2/tasks/check_node_ready.yml 
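Review bot: The `look up manifest files on localhost` task runs `find` non-recursively (module default) and with `delegate_to: localhost` but no `become: false`, so if the role runs with privilege escalation it will try to sudo on the controller, and any subdirectory under `source_directory` is copied by the trailing-slash `copy` but never appears in `managed_files`, so the prune step silently leaves stale nested manifests in place. Everything written to `/var/lib/rancher/rke2/server/manifests/` is auto-applied with cluster-admin rights, so the reconcile loop is the only thing removing retired manifests; add `become: false` and `recurse: true` to the localhost `find` (and `recurse: true` to the remote one) or document that only flat directories are supported. A comment such as `# files dropped here are applied by rke2 with cluster-admin; anything not in source_directory is deleted` would make the blast radius explicit.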
@@ -0,0 +1,80 @@ +- name: Wait for k8s apiserver + ansible.builtin.wait_for: + host: localhost + port: "6443" + state: present + timeout: "{{ check_node_ready_timeout }}" + changed_when: false + register: api_serve_status + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: set fact + ansible.builtin.set_fact: + api_server_running: true + when: + - api_serve_status.state is not undefined + - api_serve_status.state == "present" + +- name: set fact + ansible.builtin.set_fact: + api_server_running: "{{api_server_running}}" + +- name: Get node_metrics + ansible.builtin.uri: + url: https://localhost:10250/metrics + return_content: true + ca_path: /var/lib/rancher/rke2/server/tls/server-ca.crt + client_cert: /var/lib/rancher/rke2/server/tls/client-admin.crt + client_key: /var/lib/rancher/rke2/server/tls/client-admin.key + register: node_metrics + retries: "{{ check_node_ready_retries }}" + delay: "{{ check_node_ready_delay }}" + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: Check that node_metrics collection was successful + ansible.builtin.set_fact: + metrics_running: true + when: + - 200 | string in node_metrics.status | string + +- name: set fact for metrics_running + ansible.builtin.set_fact: + metrics_running: "{{metrics_running}}" + +- name: Extract the kubelet_node_name from node metrics + ansible.builtin.set_fact: + kubelet_node_name: "{{ node_metrics.content | \ + regex_search('kubelet_node_name{node=\"(.*)\"}',\ + '\\1') }}" + when: + - 200 | string in node_metrics.status | string + +- name: Wait for node to show Ready status + ansible.builtin.command: >- + /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml + --server https://127.0.0.1:6443 get no {{ kubelet_node_name[0] }} + -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' + register: status_result + until: status_result.stdout.find("True") != -1 + retries: "{{ check_node_ready_retries }}" + delay: "{{ check_node_ready_delay }}" + changed_when: 
false + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: set fact + ansible.builtin.set_fact: + node_ready: "true" + when: + - status_result.rc is not undefined + - status_result.rc | string == "0" + +- name: set fact + ansible.builtin.set_fact: + node_ready: "{{node_ready}}" + +- name: node status + debug: + msg: | + "node_ready: {{node_ready}}" + "metrics_running: {{metrics_running}}" + "api_server_running: {{api_server_running}}" \ No newline at end of file diff --git a/roles/rke2/tasks/cis_hardening.yml b/roles/rke2/tasks/cis_hardening.yml index ec779eaf..53acff52 100644 --- a/roles/rke2/tasks/cis_hardening.yml +++ b/roles/rke2/tasks/cis_hardening.yml @@ -2,7 +2,10 @@ - name: CIS MODE become: yes - when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$') + when: + - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) block: - name: Create etcd group ansible.builtin.group: diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index cf277334..602652c7 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml 
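Review bot: `Get node_metrics` sets `retries`/`delay` but no `until`, and in ansible-core releases where `retries` only applies to `until` loops the request is made once, so a kubelet that is still starting is reported as `metrics_running: false` and `kubelet_node_name` keeps the `nodeNameNotFound` default that the following `kubectl get no` then queries. Add `until: node_metrics.status == 200` to the uri task, and gate the `Wait for node to show Ready status` command with `when: kubelet_node_name[0] != "nodeNameNotFound"` so a failed scrape is not masked by a second unrelated failure. Hitting the kubelet on 10250 with `client-admin.crt` works because the cert is cluster-admin; a comment noting that the scrape deliberately uses the admin identity would help the next reader who wonders why a metrics check needs that key.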
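Review bot: The CIS condition now tests `cluster_rke2_config`, `group_rke2_config` and `host_rke2_config` separately, but `defaults/main.yml` still declares `rke2_config: {}`, so a caller that sets `profile: cis-1.23` directly in `rke2_config` (what the removed condition checked) skips the etcd user/group and sysctl hardening while RKE2 is still started with the CIS profile, which RKE2's profile validation is likely to reject. If config.yml's merge into `rke2_config` has already run when this file is included, testing the merged value is the simplest fix: `when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')`; otherwise keep the three checks and add `rke2_config.profile` as a fourth `or` term. The hardening block continues outside the hunk.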
@@ -1,258 +1,19 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - mode: "0750" -- name: Does the /etc/rancher/rke2/config.yaml file exist? - ansible.builtin.stat: - path: /etc/rancher/rke2/config.yaml - register: previous_rke2_config - -- name: Read previous_rke2_config - ansible.builtin.slurp: - src: /etc/rancher/rke2/config.yaml - register: full_orig_rke2_config - when: previous_rke2_config.stat.exists - -- name: Decode contents of slurp - ansible.builtin.set_fact: - orig_rke2_config: "{{ full_orig_rke2_config['content'] | b64decode }}" - when: previous_rke2_config.stat.exists - -- name: Create the /etc/rancher/rke2/config.yaml file - ansible.builtin.file: - path: /etc/rancher/rke2/config.yaml - state: touch - mode: "0640" - owner: root - group: root - when: not previous_rke2_config.stat.exists - -# https://github.com/ansible-collections/ansible.utils/issues/135 -- name: Ensure Ansible renders any templated variables in rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ rke2_config | default({}) }}" - -# --node-label value (agent/node) Registering and starting kubelet with set of labels -- name: Get rke2_config node-labels - ansible.builtin.set_fact: - rke2_config_node_labels: "{{ rke2_config['node-label'] | default([]) }}" - -- name: Get host var node-labels - ansible.builtin.set_fact: - host_var_node_labels: "{{ node_labels | default([]) }}" - -- name: Combine rke2_config node labels and hostvar node labels - ansible.builtin.set_fact: - all_node_labels: "{{ rke2_config_node_labels + host_var_node_labels }}" - changed_when: false - -- name: Add node labels to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-label"] - value: "{{ all_node_labels }}" - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" 
- changed_when: false - -# --node-taint value (agent/node) Registering kubelet with set of taints -- name: Get rke2_config node-taints - ansible.builtin.set_fact: - rke2_config_node_taints: "{{ rke2_config['node-taint'] | default([]) }}" - -- name: Get host var node-taints - ansible.builtin.set_fact: - host_var_node_taints: "{{ node_taints | default([]) }}" - -- name: Combine rke2_config node taints and hostvar node taints - ansible.builtin.set_fact: - all_node_taints: "{{ rke2_config_node_taints + host_var_node_taints }}" - changed_when: false - -- name: Add node labels to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-taint"] - value: "{{ all_node_taints }}" - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - changed_when: false - -# --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node -- name: Add node-ip to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-ip"] - value: "{{ node_ip }}" - when: (node_ip is defined) and (node_ip|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (node_ip is defined) and (node_ip|length > 0) - changed_when: false - -# --node-name value (agent/node) Node name [$RKE2_NODE_NAME] -- name: Add node-name to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-name"] - value: "{{ node_name }}" - when: (node_name is defined) and (node_name|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: 
(node_name is defined) and (node_name|length > 0) - changed_when: false - -# --bind-address value (listener) rke2 bind address (default: 0.0.0.0) -- name: Add bind-address to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["bind-address"] - value: "{{ bind_address }}" - when: (bind_address is defined) and (bind_address|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler +# combine host and group vars to form primary rke2_config +- name: combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (bind_address is defined) and (bind_address|length > 0) - changed_when: false - -# --advertise-address value (listener) IPv4 address that apiserver uses -# to advertise to members of the cluster (default: node-external-ip/node-ip) -- name: Add advertise-address to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["advertise-address"] - value: "{{ advertise_address }}" - when: (advertise_address is defined) and (advertise_address|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (advertise_address is defined) and (advertise_address|length > 0) - changed_when: false - -# --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node -- name: Add node-external-ip to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-external-ip"] - value: "{{ node_external_ip }}" - when: (node_external_ip is defined) and (node_external_ip|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ 
updated_rke2_config.rke2_config }}" - when: (node_external_ip is defined) and (node_external_ip|length > 0) - changed_when: false - -# --cloud-provider-name value (agent/node) Cloud provider name -- name: Add cloud-provider-name to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["cloud-provider-name"] - value: "{{ cloud_provider_name }}" - when: (cloud_provider_name is defined) and (cloud_provider_name|length > 0) - register: updated_rke2_config + temp_group_rke2_config: "{{cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler +# combine host and group vars to form primary rke2_config +- name: combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (cloud_provider_name is defined) and (cloud_provider_name|length > 0) + rke2_config: "{{temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Remove tmp config file - ansible.builtin.file: - path: /tmp/ansible-config.txt - state: absent - changed_when: false - -- name: Create tmp config.yaml - ansible.builtin.copy: - content: "{{ rke2_config | to_nice_yaml(indent=0) }}" - dest: /tmp/ansible-config.txt - mode: "0600" - owner: root - group: root - changed_when: false - -- name: Get original token - ansible.builtin.set_fact: - original_token: "{{ orig_rke2_config | regex_search('token: (.+)') }}" - when: previous_rke2_config.stat.exists - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /tmp/ansible-config.txt - line: "{{ original_token }}" - state: present - insertbefore: BOF - when: previous_rke2_config.stat.exists and original_token | length > 0 - changed_when: false - -- name: Get original server - ansible.builtin.set_fact: - original_server: "{{ 
orig_rke2_config | regex_search('server: https://(.*):9345') }}" - when: previous_rke2_config.stat.exists - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /tmp/ansible-config.txt - line: "{{ original_server }}" - state: present - insertbefore: BOF - when: previous_rke2_config.stat.exists and original_server | length > 0 - changed_when: false - -- name: Stat tmp config - ansible.builtin.stat: - path: /tmp/ansible-config.txt - register: tmp_config - changed_when: false - -- name: Get cksum of tmp config - ansible.builtin.set_fact: - tmp_sha1: "{{ tmp_config.stat.checksum }}" - changed_when: false - -- name: Drop in final /etc/rancher/rke2/config.yaml - ansible.builtin.copy: - src: /tmp/ansible-config.txt - remote_src: yes - dest: /etc/rancher/rke2/config.yaml - mode: "0640" - owner: root - group: root - backup: yes - when: not previous_rke2_config.stat.exists or (tmp_sha1 != previous_rke2_config.stat.checksum) - -- name: Remove tmp config file - ansible.builtin.file: - path: /tmp/ansible-config.txt - state: absent - changed_when: false +# write final config +- name: Create config.yaml + ansible.builtin.blockinfile: + path: /etc/rancher/rke2/config.yaml + block: "{{ rke2_config | to_nice_yaml(indent=0) }}" + create: true + notify: Restart {{service_name}} diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 3b6cf634..a9993651 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -37,10 +37,4 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Configure first server manifests - ansible.builtin.include_tasks: add_manifest_addons.yml - vars: - src: "{{ rke2_initial_manifest_config_file_path }}" - when: - - inventory_hostname in groups['rke2_servers'][0] - - rke2_initial_manifest_config_file_path | length > 0 + diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 4904fcba..080d18e5 100644 
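Review bot: The new `Create config.yaml` task writes `/etc/rancher/rke2/config.yaml` with `blockinfile` and `create: true` but no `mode`, `owner` or `group`, so a freshly created file gets the umask default (typically 0644) where the removed `copy` wrote it `0640 root:root`, and because `save_generated_token.yml` now puts the cluster join `token:` into this same file the join secret becomes readable by any local user. Add `mode: "0600"`, `owner: root` and `group: root` to the `blockinfile` task. The removed task that created `/etc/rancher/rke2` with mode 0750 has no replacement in this hunk; unless configure_rke2.yml creates the directory, the first run on a clean host and the directory's permissions both need checking.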
--- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -1,22 +1,18 @@ --- -- name: Generate config.yml on first server - ansible.builtin.include_tasks: config.yml - -- name: Wait for rke2 - ansible.builtin.include_tasks: wait_for_rke2.yml -- name: Determine generated token - block: - - name: Wait for node-token - ansible.builtin.wait_for: - path: /var/lib/rancher/rke2/server/node-token +- name: Include task file config.yml + ansible.builtin.include_tasks: config.yml - - name: Read node-token from first server - ansible.builtin.slurp: - src: /var/lib/rancher/rke2/server/node-token - register: node_token +- name: flush_handlers + ansible.builtin.meta: flush_handlers - - name: Store join node-token - ansible.builtin.set_fact: - rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" +- block: + - name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 300 + check_node_ready_retries: 30 + check_node_ready_delay: 10 + check_node_ready_ignore_errors: false + any_errors_fatal: true \ No newline at end of file diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index 407dfb54..72b3fd1e 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -13,7 +13,7 @@ when: |- ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or rke2_install_tarball_url != "" or - rke2_local_install_tarball_path != "" or + rke2_install_local_tarball_path != "" or rke2_force_tarball_install|bool) - name: Set for install method of rpm @@ -21,7 +21,7 @@ install_method: rpm when: - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" - not rke2_force_tarball_install|bool 
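Review bot: On this path the only thing that starts `rke2-server` is the `Restart {{service_name}}` handler notified by `blockinfile`, so when config.yaml is already correct but the service is stopped (the very situation in which `ready_servers` is empty on an existing install) nothing starts it and `check_node_ready.yml` fails the play with `any_errors_fatal`. Adding `ansible.builtin.service: name: "{{ service_name }}" state: started enabled: true` between the `flush_handlers` and the readiness check makes the bootstrap idempotent. A one-line comment explaining that `check_node_ready_ignore_errors: false` is what makes a failed bootstrap abort the whole play would also help.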
@@ -43,8 +43,7 @@ - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml -- name: Determine cluster state - ansible.builtin.include_tasks: cluster_state.yml + - name: Check for images bundle ansible.builtin.include_tasks: images_bundle.yml @@ -55,9 +54,29 @@ - name: Determine rke2_version to install ansible.builtin.include_tasks: calculate_rke2_version.yml when: - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" +- name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 2 + check_node_ready_retries: 2 + check_node_ready_delay: 2 + check_node_ready_ignore_errors: true + when: + - inventory_hostname in groups['rke2_servers'] + +- name: Create a list of ready servers + set_fact: + ready_servers: "{{ groups.rke2_servers| + map('extract', hostvars)| + selectattr('node_ready', 'equalto', true)| + map(attribute='inventory_hostname')| + list }}" + delegate_to: localhost + run_once: true + - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml when: 
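Review bot: `selectattr('node_ready', 'equalto', true)` compares against a boolean, but the role default is the string `"false"` and check_node_ready.yml sets the string `"true"`; the comparison only works because `set_fact` coerces bool-looking strings, and the `node_ready: "{{node_ready}}"` re-assignment in check_node_ready.yml seems to exist solely to trigger that coercion. Declaring `node_ready: false` in `defaults/main.yml` and `node_ready: true` in the readiness task removes the reliance on that behaviour and lets the re-assignment tasks go. The 2-second `wait_for` timeout also means a server whose apiserver is briefly restarting is classified as not ready; if every server misses it the play falls back to the bootstrap path against a live cluster, which deserves a comment or a longer timeout.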
@@ -71,21 +90,41 @@ - name: Set rke2 configuration files ansible.builtin.include_tasks: configure_rke2.yml -- name: RKE2 on first node - ansible.builtin.include_tasks: first_server.yml + + +- name: Include task file add_manifest_addons.yml + ansible.builtin.include_tasks: add_manifest_addons.yml + vars: + source_directory: "{{ rke2_manifest_config_directory }}" + destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_0 when: - - "rke2_config_token is not defined" + - rke2_manifest_config_directory is defined + - rke2_manifest_config_directory | length > 0 - inventory_hostname in groups['rke2_servers'][0] -- name: RKE2 on all other nodes - ansible.builtin.include_tasks: other_nodes.yml +# is the ready_servers array is empty, we assume it's a new cluster and use the first server in groups['rke2_servers'] +- name: Start the first rke2 node + ansible.builtin.include_tasks: first_server.yml + when: + - inventory_hostname in groups['rke2_servers'][0] + - ready_servers | length == 0 + +- name: save_generated_token.yml + ansible.builtin.include_tasks: save_generated_token.yml + vars: + token_source_node: "{{groups['rke2_servers'][0]}}" when: - - inventory_hostname in groups['rke2_servers'][1:] or - inventory_hostname in groups.get('rke2_agents', []) + - ready_servers | length == 0 -- name: Confirm configuration on cluster +# is the ready_servers array is > 0, we assume it's an established cluster and treat all nodes equally (no need for initial server procedure) +- name: save_generated_token.yml + ansible.builtin.include_tasks: save_generated_token.yml + vars: + token_source_node: "{{ready_servers[0]}}" when: - - "existing_join_host is defined" + - ready_servers | length > 0 + +- name: Start all other rke2 nodes ansible.builtin.include_tasks: other_nodes.yml - name: Configure kubectl,crictl,ctr 
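Review bot: `inventory_hostname in groups['rke2_servers'][0]` is a substring test because `groups['rke2_servers'][0]` is a single hostname, so a host named `node1` matches a first server named `node10` and will run the first-server manifests and bootstrap; use `inventory_hostname == groups['rke2_servers'][0]` in the three new conditions. `Start all other rke2 nodes` has no `when`, so on a new cluster the bootstrap server also re-runs config.yml after `save_generated_token.yml` has added a `server:` line pointing at itself; whether RKE2 tolerates that on the bootstrap node is worth confirming, and excluding it with `when: inventory_hostname != groups['rke2_servers'][0]` avoids the question. The `# is the ready_servers array is empty` comments should read `# if the ready_servers array is empty`.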
@@ -93,9 +132,12 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Configure cluster manifests +- name: Include task file add_manifest_addons.yml ansible.builtin.include_tasks: add_manifest_addons.yml vars: - src: "{{ rke2_cluster_manifest_config_file_path }}" + source_directory: "{{rke2_manifest_config_post_run_directory}}" + destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_1 when: + - rke2_manifest_config_post_run_directory is defined + - rke2_manifest_config_post_run_directory | length > 0 - inventory_hostname in groups['rke2_servers'][0] diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 7f7a0234..80825e32 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml 
@@ -1,39 +1,13 @@ --- -- name: Generate config.yml on other nodes - ansible.builtin.include_tasks: config.yml - -- name: Does config file already have server token? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' - register: server_token_check - failed_when: server_token_check.rc >= 2 - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}" - state: present - insertbefore: BOF +- name: Include task file add-manifest-addons.yml + ansible.builtin.include_tasks: add-manifest-addons.yml when: - - '"token:" not in server_token_check.stdout' - notify: "Restart {{ service_name }}" + - manifest_config_file_path is defined + - manifest_config_file_path | length > 0 -- name: Does config file already have server url? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' - register: server_url_check - failed_when: server_url_check.rc >= 2 - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "server: https://{{ rke2_kubernetes_api_server_host }}:9345" - state: present - insertbefore: BOF - when: - - '"server:" not in server_url_check.stdout' - notify: "Restart {{ service_name }}" +- name: Generate config.yml on other nodes + ansible.builtin.include_tasks: config.yml -- name: Wait for rke2 - ansible.builtin.include_tasks: wait_for_rke2.yml +- name: flush_handlers + ansible.builtin.meta: flush_handlers diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index 93fd03eb..e6aa81b6 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml 
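Review bot: The new include references `add-manifest-addons.yml` with hyphens, but the task file in this role is `add_manifest_addons.yml`, and it is gated on `manifest_config_file_path`, a variable this commit renamed away in `defaults/main.yml`; it also passes neither `source_directory` nor `destination_directory`, which that task file requires. As written the task is dead code that would fail on the missing file if the variable were ever defined, so either drop it or make it `ansible.builtin.include_tasks: add_manifest_addons.yml` with the two `vars` the task needs. With the token/server lines now injected by save_generated_token.yml, a comment saying that config.yml is expected to receive them via `host_rke2_config` would explain why this file no longer touches the token itself.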
@@ -18,7 +18,7 @@
 - name: Add server iptables rules
   ansible.builtin.include_tasks: iptables_rules.yml
   when:
-    - ansible_facts.services["iptables.service"] is defined
+    # - ansible_facts.services["iptables.service"] is defined
     - rke2_add_iptables_rules | bool
 
 - name: Add fapolicyd rules
diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml
new file mode 100644
index 00000000..c2742ea5
--- /dev/null
+++ b/roles/rke2/tasks/save_generated_token.yml
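Review bot: Commenting out the `ansible_facts.services["iptables.service"] is defined` guard means `iptables_rules.yml` now runs on every host where `rke2_add_iptables_rules` is true, including hosts with no iptables service; if that task file relies on the service to persist rules, the rules will be added but not survive a reboot, and if the iptables binary is absent the task fails. Either delete the line outright with a comment stating the guard was intentionally removed, or replace it with a check on the tool actually used, for example `- ansible_facts.packages['iptables'] is defined`. A commented-out condition inside a `when:` list reads as a leftover rather than a decision.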
@@ -0,0 +1,44 @@
+
+
+- name: Wait for node-token
+  ansible.builtin.wait_for:
+    path: /var/lib/rancher/rke2/server/node-token
+  delegate_to: "{{token_source_node}}"
+
+- name: Read node-token from master
+  ansible.builtin.slurp:
+    src: /var/lib/rancher/rke2/server/node-token
+  register: node_token
+  delegate_to: "{{token_source_node}}"
+
+- name: Store Master node-token
+  ansible.builtin.set_fact:
+    rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"
+  delegate_to: "{{token_source_node}}"
+
+- name: Set temp fact to store token config line
+  ansible.builtin.set_fact:
+    temp_token:
+      token: "{{ rke2_config_token }}"
+
+- name: Update host_rke2_config fact to contain server line
+  ansible.builtin.set_fact:
+    host_rke2_config: "{{temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}"
+
+- name: Set temp fact to store server config line with custom join server URL
+  ansible.builtin.set_fact:
+    temp_host_rke2_config:
+      server: "https://{{ rke2_kubernetes_api_server_host }}:9345"
+  when:
+    - rke2_kubernetes_api_server_host != ""
+
+- name: Set temp fact to store server config line with server URL
+  ansible.builtin.set_fact:
+    temp_host_rke2_config:
+      server: "https://{{ token_source_node }}:9345"
+  when:
+    - rke2_kubernetes_api_server_host == ""
+
+- name: Update host_rke2_config fact to contain server line
+  ansible.builtin.set_fact:
+    host_rke2_config: "{{temp_host_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}"
diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml
index a0da6302..0aa960a2 100644
--- a/roles/rke2/tasks/tarball_install.yml
+++ b/roles/rke2/tasks/tarball_install.yml
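Review bot: The cluster join token is slurped, decoded and placed into `rke2_config_token`, `temp_token` and `host_rke2_config` without `no_log`, so a run with `-v` or a failing task prints the token in the controller output and in any log aggregation that captures it. Add `no_log: true` to `Read node-token from master`, `Store Master node-token`, `Set temp fact to store token config line` and the first `Update host_rke2_config` task. The fallback `server: "https://{{ token_source_node }}:9345"` uses the inventory hostname, which is not necessarily resolvable from the joining node; a comment stating that assumption, or using `hostvars[token_source_node].ansible_default_ipv4.address` when `rke2_kubernetes_api_server_host` is unset, would make the join endpoint explicit.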
@@ -1,16 +1,4 @@ --- -# Based off of https://get.rke2.io 's do_install_tar functon - -# do_install_tar() { -# setup_tmp -# get_release_version -# info "using ${INSTALL_RKE2_VERSION:-commit $INSTALL_RKE2_COMMIT} as release" -# download_checksums -# download_tarball -# verify_tarball -# unpack_tarball -# } - - name: TARBALL | Make temp dir ansible.builtin.tempfile: state: directory 
@@ -18,45 +6,47 @@ path: "{{ tarball_tmp_dir | default(omit) }}" register: temp_dir -- name: Send provided tarball if available +- name: Set architecture specific variables + ansible.builtin.set_fact: + arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" + +- name: Determine if current version differs from what is being installed + ansible.builtin.set_fact: + rke2_version_changed: true + when: + - rke2_install_local_tarball_path == "" + - rke2_install_tarball_url == "" + - not rke2_installed or rke2_installed_version != rke2_full_version + + + +- name: Send provided tarball from local control machine if available ansible.builtin.copy: - src: "{{ inventory_dir }}/{{ rke2_local_install_tarball_path }}" - dest: "{{ temp_dir.path }}/" + src: "{{ rke2_install_local_tarball_path }}" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: '0644' when: - - rke2_local_install_tarball_path != "" + - rke2_install_local_tarball_path != "" - name: Download Tar from provided URL ansible.builtin.get_url: url: "{{ rke2_install_tarball_url }}" - dest: "{{ temp_dir.path }}/" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" when: - rke2_install_tarball_url != "" -- name: Determine if current version differs from what is being installed - ansible.builtin.set_fact: - rke2_version_changed: true - when: - - rke2_local_install_tarball_path == "" - - rke2_install_tarball_url == "" - - not rke2_installed or rke2_installed_version != rke2_full_version - -- name: Set architecture specific variables - ansible.builtin.set_fact: - arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - -- name: TARBALL | Download the tarball +- name: Download the tar from github releases ansible.builtin.get_url: url: "https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-{{ arch }}.tar.gz" dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" when: - - rke2_local_install_tarball_path == "" + - 
rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" - rke2_version_changed -- name: TARBALL | Install tar binary +- name: Ensure Tar utility installed on system ansible.builtin.package: name: tar state: present @@ -64,7 +54,7 @@ - name: Get version of provided tarball when: - - (rke2_local_install_tarball_path != "" or rke2_install_tarball_url != "") + - (rke2_install_local_tarball_path != "" or rke2_install_tarball_url != "") block: - name: Unarchive tarball into temp location ansible.builtin.unarchive: diff --git a/sample_files/manifest/manifest-example.yaml b/sample_files/manifests/manifest-example.yaml similarity index 100% rename from sample_files/manifest/manifest-example.yaml rename to sample_files/manifests/manifest-example.yaml diff --git a/tarball_install/README.md b/sample_files/tarball_install/README.md similarity index 100% rename from tarball_install/README.md rename to sample_files/tarball_install/README.md
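Review bot: Neither `Download Tar from provided URL` nor `Download the tar from github releases` passes a `checksum` to `get_url`, so the release tarball that becomes the node's `rke2` binary is installed on the strength of TLS alone; the comment removed in the previous hunk referred to the `download_checksums`/`verify_tarball` steps of the official installer that this role is modelled on, and those steps are still missing here. For the GitHub path, `get_url` can verify against the per-architecture checksum file the release publishes, `checksum: "sha256:https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/sha256sum-{{ arch }}.txt"`. For the user-supplied URL, an optional `rke2_install_tarball_checksum` default passed as `checksum: "{{ rke2_install_tarball_checksum | default(omit) }}"` lets air-gapped callers pin the artifact without forcing it.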