From aee3ff5a1c9162c2747aebd05c46e34657bb5e6d Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 7 Jun 2024 16:33:36 -0400 Subject: [PATCH 01/36] initial commit --- inventory/sample/hosts.yml | 3 + roles/cluster_manifest/tasks/main.yml | 13 --- roles/{rke2_common => rke2}/defaults/main.yml | 2 + roles/{rke2_common => rke2}/handlers/main.yml | 15 ++++ .../tasks/add-audit-policy-config.yml | 0 .../tasks/add-manifest-addons.yml | 0 .../add-pod-security-admission-config.yml | 0 .../tasks/add-registry-config.yml | 0 .../tasks/calculate_rke2_version.yml | 0 .../tasks/cis-hardening.yml | 40 +++++---- roles/{rke2_common => rke2}/tasks/config.yml | 0 roles/rke2/tasks/configure_rke2.yml | 27 ++++++ roles/rke2/tasks/first_server.yml | 22 +++++ .../tasks/images_tarball_install.yml | 5 ++ .../tasks/iptables_rules.yml | 0 roles/rke2/tasks/main.yml | 90 +++++++++++++++++++ .../tasks/network_manager_fix.yaml | 1 + .../main.yml => rke2/tasks/other_nodes.yml} | 18 ++-- roles/rke2/tasks/pre_reqs.yml | 21 +++++ .../tasks/previous_install.yml | 37 +++++--- .../tasks/rpm_install.yml | 34 ++++--- .../tasks/tarball_install.yml | 2 +- .../{rke2_server => rke2}/tasks/utilities.yml | 0 .../tasks/wait_for_rke2.yml} | 34 ++----- roles/{rke2_common => rke2}/vars/main.yml | 1 + roles/rke2_agent/defaults/main.yml | 2 - roles/rke2_agent/vars/main.yml | 2 - roles/rke2_common/tasks/main.yml | 80 ----------------- roles/rke2_server/defaults/main.yml | 2 - roles/rke2_server/tasks/main.yml | 22 ----- roles/rke2_server/tasks/other_servers.yml | 71 --------------- roles/rke2_server/vars/main.yml | 1 - site.yml | 23 +---- 33 files changed, 275 insertions(+), 293 deletions(-) delete mode 100644 roles/cluster_manifest/tasks/main.yml rename roles/{rke2_common => rke2}/defaults/main.yml (87%) rename roles/{rke2_common => rke2}/handlers/main.yml (55%) rename roles/{rke2_common => rke2}/tasks/add-audit-policy-config.yml (100%) rename roles/{rke2_common => rke2}/tasks/add-manifest-addons.yml (100%) rename roles/{rke2_server => rke2}/tasks/add-pod-security-admission-config.yml (100%) rename roles/{rke2_common => rke2}/tasks/add-registry-config.yml (100%) rename roles/{rke2_common => rke2}/tasks/calculate_rke2_version.yml (100%) rename roles/{rke2_common => rke2}/tasks/cis-hardening.yml (64%) rename roles/{rke2_common => rke2}/tasks/config.yml (100%) create mode 100644 roles/rke2/tasks/configure_rke2.yml create mode 100644 roles/rke2/tasks/first_server.yml rename roles/{rke2_common => rke2}/tasks/images_tarball_install.yml (95%) rename roles/{rke2_common => rke2}/tasks/iptables_rules.yml (100%) create mode 100644 roles/rke2/tasks/main.yml rename roles/{rke2_common => rke2}/tasks/network_manager_fix.yaml (97%) rename roles/{rke2_agent/tasks/main.yml => rke2/tasks/other_nodes.yml} (78%) create mode 100644 roles/rke2/tasks/pre_reqs.yml rename roles/{rke2_common => rke2}/tasks/previous_install.yml (51%) rename roles/{rke2_common => rke2}/tasks/rpm_install.yml (61%) rename roles/{rke2_common => rke2}/tasks/tarball_install.yml (98%) rename roles/{rke2_server => rke2}/tasks/utilities.yml (100%) rename roles/{rke2_server/tasks/first_server.yml => rke2/tasks/wait_for_rke2.yml} (61%) rename roles/{rke2_common => rke2}/vars/main.yml (80%) delete mode 100644 roles/rke2_agent/defaults/main.yml delete mode 100644 roles/rke2_agent/vars/main.yml delete mode 100644 roles/rke2_common/tasks/main.yml delete mode 100644 roles/rke2_server/defaults/main.yml delete mode 100644 roles/rke2_server/tasks/main.yml delete mode 100644 roles/rke2_server/tasks/other_servers.yml delete mode 100644 roles/rke2_server/vars/main.yml diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml index 56811651..517838fd 100644 --- a/inventory/sample/hosts.yml +++ b/inventory/sample/hosts.yml @@ -8,6 +8,9 @@ all: # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst + # Or specify a tarball that's been prestaged on the ansible control host + # rke2_binary_tarball: {{ inventory_dir }}/tarball/rke2.linux-amd64.tar.gz + rke2_cluster: children: rke2_servers: diff --git a/roles/cluster_manifest/tasks/main.yml b/roles/cluster_manifest/tasks/main.yml deleted file mode 100644 index 4af88cc0..00000000 --- a/roles/cluster_manifest/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: Add cluster manifest addons files - ansible.builtin.copy: - src: "{{ cluster_manifest_config_file_path }}" - dest: "/var/lib/rancher/rke2/server/manifests/" - mode: '0640' - owner: root - group: root - when: - - inventory_hostname in groups['rke2_servers'][0] - - cluster_manifest_config_file_path is defined - - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2_common/defaults/main.yml b/roles/rke2/defaults/main.yml similarity index 87% rename from roles/rke2_common/defaults/main.yml rename to roles/rke2/defaults/main.yml index 9c7caf2c..3d481611 100644 --- a/roles/rke2_common/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,5 +1,7 @@ --- +kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" tarball_dir: "/usr/local" +rke2_local_tarball_path: "" rke2_tarball_url: "" rke2_images_urls: [] rke2_channel: stable diff --git a/roles/rke2_common/handlers/main.yml b/roles/rke2/handlers/main.yml similarity index 55% rename from roles/rke2_common/handlers/main.yml rename to roles/rke2/handlers/main.yml index 4f823682..37c2c4a1 100644 --- a/roles/rke2_common/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -4,13 +4,28 @@ ansible.builtin.service: state: restarted name: systemd-sysctl + when: + - reboot is not defined - name: Restart rke2-server ansible.builtin.service: state: restarted name: rke2-server + throttle: 1 + when: + - reboot is not defined - name: Restart rke2-agent ansible.builtin.service: state: restarted name: rke2-agent + throttle: 1 + when: + - reboot is not defined + +- name: Reboot the machine + ansible.builtin.reboot: + reboot_timeout: 300 + throttle: 1 + when: + - reboot diff --git a/roles/rke2_common/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml similarity index 100% rename from roles/rke2_common/tasks/add-audit-policy-config.yml rename to roles/rke2/tasks/add-audit-policy-config.yml diff --git a/roles/rke2_common/tasks/add-manifest-addons.yml b/roles/rke2/tasks/add-manifest-addons.yml similarity index 100% rename from roles/rke2_common/tasks/add-manifest-addons.yml rename to roles/rke2/tasks/add-manifest-addons.yml diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml similarity index 100% rename from roles/rke2_server/tasks/add-pod-security-admission-config.yml rename to roles/rke2/tasks/add-pod-security-admission-config.yml diff --git a/roles/rke2_common/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml similarity index 100% rename from roles/rke2_common/tasks/add-registry-config.yml rename to roles/rke2/tasks/add-registry-config.yml diff --git a/roles/rke2_common/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml similarity index 100% rename from roles/rke2_common/tasks/calculate_rke2_version.yml rename to roles/rke2/tasks/calculate_rke2_version.yml diff --git a/roles/rke2_common/tasks/cis-hardening.yml b/roles/rke2/tasks/cis-hardening.yml similarity index 64% rename from roles/rke2_common/tasks/cis-hardening.yml rename to roles/rke2/tasks/cis-hardening.yml index 67a12bb6..102a84a9 100644 --- a/roles/rke2_common/tasks/cis-hardening.yml +++ b/roles/rke2/tasks/cis-hardening.yml @@ -25,9 +25,11 @@ mode: 0600 register: sysctl_operation_yum when: - - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url is not defined or rke2_tarball_url == "" + - install_method == "rpm" + notify: + - Restart systemd-sysctl + - Restart {{ service_name }} + - Reboot the machine - name: Copy systemctl file for kernel hardening for non-yum installs ansible.builtin.copy: @@ -36,25 +38,33 @@ remote_src: yes mode: 0600 register: sysctl_operation_tarball - when: >- - (ansible_facts['os_family'] != 'RedHat' and - ansible_facts['os_family'] != 'Rocky') or - rke2_binary_tarball_check.stat.exists or - (rke2_tarball_url is defined and rke2_tarball_url != "") + when: + - install_method == "tarball" + notify: + - Restart systemd-sysctl + - Restart {{ service_name }} + - Reboot the machine - - name: Restart systemd-sysctl - ansible.builtin.service: - state: restarted - name: systemd-sysctl - when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed + # - name: Restart systemd-sysctl + # ansible.builtin.service: + # state: restarted + # name: systemd-sysctl + # when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed # Per CIS hardening guide, if Kubernetes is already running, making changes to sysctl can result in unexpected # side-effects. Rebooting node if RKE2 is already running to prevent potential issues whereas before we were # always rebooting, even if the node was brand new and RKE2 not running yet. - name: Reboot the machine (Wait for 5 min) - ansible.builtin.reboot: - reboot_timeout: 300 + ansible.builtin.set_fact: + reboot: true when: - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - rke2_running is defined - rke2_running + # ansible.builtin.reboot: + # reboot_timeout: 300 + # throttle: 1 + # when: + # - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) + # - rke2_running is defined + # - rke2_running diff --git a/roles/rke2_common/tasks/config.yml b/roles/rke2/tasks/config.yml similarity index 100% rename from roles/rke2_common/tasks/config.yml rename to roles/rke2/tasks/config.yml diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml new file mode 100644 index 00000000..0a0afa38 --- /dev/null +++ b/roles/rke2/tasks/configure_rke2.yml @@ -0,0 +1,27 @@ +--- + +- name: Run CIS-Hardening Tasks + ansible.builtin.include_tasks: cis-hardening.yml + +- name: Configure registries.yaml + ansible.builtin.include_tasks: add-registry-config.yml + when: registry_config_file_path | length > 0 + +- name: Configure audit policy + ansible.builtin.include_tasks: add-audit-policy-config.yml + when: + - inventory_hostname in groups['rke2_servers'] + - audit_policy_config_file_path | length > 0 + +- name: Configure psa policy + ansible.builtin.include_tasks: add-pod-security-admission-config.yml + when: + - inventory_hostname in groups['rke2_servers'] + - pod_security_admission_config_file_path | length > 0 + +- name: Configure first server manifests + ansible.builtin.include_tasks: add-manifest-addons.yml + when: + - inventory_hostname in groups['rke2_servers'][0] + - manifest_config_file_path is defined + - manifest_config_file_path | length > 0 diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml new file mode 100644 index 00000000..6ca9429b --- /dev/null +++ b/roles/rke2/tasks/first_server.yml @@ -0,0 +1,22 @@ +--- + +- name: Generate config.yml on first server + ansible.builtin.include_tasks: config.yml + +- name: Wait for rke2 + ansible.builtin.include_tasks: wait_for_rke2.yml + +- name: Add generated Token if none provided ### <- what's the intent here? + block: + - name: Wait for node-token + ansible.builtin.wait_for: + path: /var/lib/rancher/rke2/server/node-token + + - name: Read node-token from master + ansible.builtin.slurp: + src: /var/lib/rancher/rke2/server/node-token + register: node_token + + - name: Store Master node-token + ansible.builtin.set_fact: + rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" diff --git a/roles/rke2_common/tasks/images_tarball_install.yml b/roles/rke2/tasks/images_tarball_install.yml similarity index 95% rename from roles/rke2_common/tasks/images_tarball_install.yml rename to roles/rke2/tasks/images_tarball_install.yml index 191c97fe..49ee3e09 100644 --- a/roles/rke2_common/tasks/images_tarball_install.yml +++ b/roles/rke2/tasks/images_tarball_install.yml @@ -1,4 +1,5 @@ --- + - name: "Check for images tar.gz in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" # noqa name[template] yaml[line-length] ansible.builtin.stat: path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" @@ -20,6 +21,10 @@ path: /var/lib/rancher/rke2/agent/images state: directory mode: '0644' + when: + - got_images_gz + - got_images_zst + - rke2_images_urls != [] - name: Download images tar files url ansible.builtin.get_url: diff --git a/roles/rke2_common/tasks/iptables_rules.yml b/roles/rke2/tasks/iptables_rules.yml similarity index 100% rename from roles/rke2_common/tasks/iptables_rules.yml rename to roles/rke2/tasks/iptables_rules.yml diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml new file mode 100644 index 00000000..8fcdce6e --- /dev/null +++ b/roles/rke2/tasks/main.yml @@ -0,0 +1,90 @@ +--- + +- name: Populate service facts + ansible.builtin.service_facts: {} + +- name: Gather the package facts + ansible.builtin.package_facts: + manager: auto + +- name: Satisfy OS Pre-Reqs + ansible.builtin.include_tasks: pre_reqs.yml + +- name: Set for install method of tarball + ansible.builtin.set_fact: + install_method: tarball + when: |- + ((ansible_facts['os_family'] != 'RedHat' and + ansible_facts['os_family'] != 'Rocky') or + (rke2_tarball_url is defined and rke2_tarball_url != "") or + (rke2_local_tarball_path is defined and rke2_local_tarball_path != "")) + +- name: Set for install method of rpm + ansible.builtin.set_fact: + install_method: rpm + when: + - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' + - rke2_local_tarball_path == "" + - rke2_tarball_url == "" + +- name: Set as server + ansible.builtin.set_fact: + service_name: rke2-server + when: + - inventory_hostname in groups['rke2_servers'] + +- name: Set as agent + ansible.builtin.set_fact: + service_name: rke2-agent + when: + - inventory_hostname in groups.get('rke2_agents', []) + +- name: Has rke2 been installed already + ansible.builtin.include_tasks: previous_install.yml + +- name: Check for images bundle + ansible.builtin.include_tasks: images_tarball_install.yml + +- name: Determine rke2_version to install + ansible.builtin.include_tasks: calculate_rke2_version.yml + +- name: Tarball Install + ansible.builtin.include_tasks: tarball_install.yml + when: + - install_method == "tarball" + +- name: RPM Install + when: + - install_method == "rpm" + ansible.builtin.include_tasks: rpm_install.yml + +- name: Set rke2 configuration files + ansible.builtin.include_tasks: configure_rke2.yml + +- name: RKE2 on first node + ansible.builtin.include_tasks: first_server.yml + when: + - inventory_hostname in groups['rke2_servers'][0] + +- name: RKE2 on all other nodes + ansible.builtin.include_tasks: other_nodes.yml + when: + - inventory_hostname in groups['rke2_servers'][1:] or + inventory_hostname in groups.get('rke2_agents', []) + +- name: Configure kubectl,crictl,ctr + ansible.builtin.include_tasks: utilities.yml + when: + - inventory_hostname in groups['rke2_servers'] + +- name: Add cluster manifest addons files + ansible.builtin.copy: + src: "{{ cluster_manifest_config_file_path }}" + dest: "/var/lib/rancher/rke2/server/manifests/" + mode: '0640' + owner: root + group: root + when: + - inventory_hostname in groups['rke2_servers'][0] + - cluster_manifest_config_file_path is defined + - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2_common/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml similarity index 97% rename from roles/rke2_common/tasks/network_manager_fix.yaml rename to roles/rke2/tasks/network_manager_fix.yaml index b891b61a..cd65e3c3 100644 --- a/roles/rke2_common/tasks/network_manager_fix.yaml +++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -3,6 +3,7 @@ # This fixes known issue with NetworkManager # https://docs.rke2.io/known_issues/#networkmanager +# blockinfile or own entire file? - name: Add NetworkManager fix to rke2-canal.conf ansible.builtin.blockinfile: path: /etc/NetworkManager/conf.d/rke2-canal.conf diff --git a/roles/rke2_agent/tasks/main.yml b/roles/rke2/tasks/other_nodes.yml similarity index 78% rename from roles/rke2_agent/tasks/main.yml rename to roles/rke2/tasks/other_nodes.yml index 4d9cfdeb..9f0862c5 100644 --- a/roles/rke2_agent/tasks/main.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -1,11 +1,7 @@ --- -- name: RKE2 agent and server tasks - vars: - rke2_common_caller_role_name: agent - ansible.builtin.include_role: - name: rke2_common - tasks_from: main +- name: Generate config.yml on other nodes + ansible.builtin.include_tasks: config.yml - name: Does config file already have server token? # noqa command-instead-of-shell ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' @@ -21,6 +17,7 @@ insertbefore: BOF when: - '"token:" not in server_token_check.stdout' + notify: Restart {{ service_name }} - name: Does config file already have server url? # noqa command-instead-of-shell ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' @@ -36,10 +33,7 @@ insertbefore: BOF when: - '"server:" not in server_url_check.stdout' + notify: Restart {{ service_name }} -- name: Start rke2-agent - ansible.builtin.systemd: - name: rke2-agent.service - state: started - enabled: yes - daemon_reload: yes +- name: Wait for rke2 + ansible.builtin.include_tasks: wait_for_rke2.yml diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml new file mode 100644 index 00000000..fc2c737a --- /dev/null +++ b/roles/rke2/tasks/pre_reqs.yml @@ -0,0 +1,21 @@ +--- + +# Disable Firewalld +# We recommend disabling firewalld. For Kubernetes 1.19+, firewalld must be turned off. +- name: Disable FIREWALLD + ansible.builtin.systemd: + name: firewalld + state: stopped + enabled: no + when: + - ansible_facts.services["firewalld.service"] is defined + - ansible_facts.services["firewalld.service"].status != "not-found" + +- name: Include task file network_manager_fix.yaml + ansible.builtin.include_tasks: network_manager_fix.yaml + +- name: Add server iptables rules + ansible.builtin.include_tasks: iptables_rules.yml + when: + - ansible_facts.services["iptables.service"] is defined + - add_iptables_rules | bool diff --git a/roles/rke2_common/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml similarity index 51% rename from roles/rke2_common/tasks/previous_install.yml rename to roles/rke2/tasks/previous_install.yml index ea1b9c3a..03e59253 100644 --- a/roles/rke2_common/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -3,35 +3,40 @@ - name: Set fact if rke2-server was previously installed ansible.builtin.set_fact: installed: true - when: > - ansible_facts.services["rke2-server.service"] is defined - and not ansible_facts.services["rke2-server.service"].status == 'disabled' + when: + - ansible_facts.services["rke2-server.service"] is defined + - not ansible_facts.services["rke2-server.service"].status == 'disabled' + - inventory_hostname in groups['rke2_servers'] - name: Set fact if rke2-server is running ansible.builtin.set_fact: rke2_running: true - when: > - ansible_facts.services["rke2-server.service"] is defined - and ansible_facts.services["rke2-server.service"].state == 'running' + when: + - ansible_facts.services["rke2-server.service"] is defined + - ansible_facts.services["rke2-server.service"].state == 'running' + - inventory_hostname in groups['rke2_servers'] - name: Set fact if rke2-agent was previously installed ansible.builtin.set_fact: installed: true - when: > - ansible_facts.services["rke2-agent.service"] is defined - and not ansible_facts.services["rke2-agent.service"].status == 'disabled' + when: + - ansible_facts.services["rke2-agent.service"] is defined + - not ansible_facts.services["rke2-agent.service"].status == 'disabled' + - inventory_hostname in groups.get('rke2_agents', []) - name: Set fact if rke2-agent is running ansible.builtin.set_fact: rke2_running: true - when: > - ansible_facts.services["rke2-agent.service"] is defined - and ansible_facts.services["rke2-agent.service"].state == 'running' + when: + - ansible_facts.services["rke2-agent.service"] is defined + - ansible_facts.services["rke2-agent.service"].state == 'running' + - inventory_hostname in groups.get('rke2_agents', []) - name: Check for the rke2 binary ansible.builtin.stat: path: /usr/local/bin/rke2 register: rke2_binary + when: install_method == "tarball" - name: Get current RKE2 version if already installed ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }' @@ -39,7 +44,9 @@ changed_when: false args: executable: /usr/bin/bash - when: rke2_binary.stat.exists + when: + - install_method == "tarball" + - rke2_binary.stat.exists failed_when: > (installed_rke2_version_tmp.rc != 141) and (installed_rke2_version_tmp.rc != 0) @@ -47,4 +54,6 @@ - name: Determine if current version differs what what is being installed ansible.builtin.set_fact: installed_rke2_version: "{{ installed_rke2_version_tmp.stdout }}" - when: rke2_binary.stat.exists + when: + - install_method == "tarball" + - rke2_binary.stat.exists diff --git a/roles/rke2_common/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml similarity index 61% rename from roles/rke2_common/tasks/rpm_install.yml rename to roles/rke2/tasks/rpm_install.yml index 15b2f696..74231452 100644 --- a/roles/rke2_common/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -30,20 +30,26 @@ ansible_facts['distribution_major_version'] == "8" or ansible_facts['distribution_major_version'] == "9" -- name: YUM-Based | Install rke2-server +- name: YUM-Based Install ansible.builtin.yum: - name: "rke2-server-{{ rke2_version_rpm }}" + name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest - when: - - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' - - not rke2_binary_tarball_check.stat.exists - - inventory_hostname in groups['rke2_servers'] + notify: Restart {{ service_name }} -- name: YUM-Based | Install rke2-agent - ansible.builtin.yum: - name: "rke2-agent-{{ rke2_version_rpm }}" - state: latest # noqa package-latest - when: - - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' - - not rke2_binary_tarball_check.stat.exists - - inventory_hostname in groups.get('rke2_agents', []) +# - name: YUM-Based | Install rke2-server +# ansible.builtin.yum: +# name: "rke2-server-{{ rke2_version_rpm }}" +# state: latest # noqa package-latest +# when: +# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' +# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE +# - inventory_hostname in groups['rke2_servers'] + +# - name: YUM-Based | Install rke2-agent +# ansible.builtin.yum: +# name: "rke2-agent-{{ rke2_version_rpm }}" +# state: latest # noqa package-latest +# when: +# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' +# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE +# - inventory_hostname in groups.get('rke2_agents', []) diff --git a/roles/rke2_common/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml similarity index 98% rename from roles/rke2_common/tasks/tarball_install.yml rename to roles/rke2/tasks/tarball_install.yml index ca0d3f5f..27f61efa 100644 --- a/roles/rke2_common/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -20,7 +20,7 @@ - name: Send provided tarball if available ansible.builtin.copy: - src: "{{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz" + src: "{{ rke2_local_tarball_path }}" dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" mode: '0644' when: diff --git a/roles/rke2_server/tasks/utilities.yml b/roles/rke2/tasks/utilities.yml similarity index 100% rename from roles/rke2_server/tasks/utilities.yml rename to roles/rke2/tasks/utilities.yml diff --git a/roles/rke2_server/tasks/first_server.yml b/roles/rke2/tasks/wait_for_rke2.yml similarity index 61% rename from roles/rke2_server/tasks/first_server.yml rename to roles/rke2/tasks/wait_for_rke2.yml index 0b71ea88..35b98c6c 100644 --- a/roles/rke2_server/tasks/first_server.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -1,22 +1,17 @@ --- -- name: Add manifest files - ansible.builtin.include_role: - name: rke2_common - tasks_from: add-manifest-addons.yml - when: - - manifest_config_file_path is defined - - manifest_config_file_path | length > 0 +- name: Start {{ service_name }} + ansible.builtin.meta: flush_handlers -- name: Start rke2-server +- name: Enable {{ service_name }} ansible.builtin.systemd: - name: rke2-server + name: "{{ service_name }}" state: started enabled: yes - name: Wait for k8s apiserver ansible.builtin.wait_for: - host: localhost + host: "{{ kubernetes_api_server_host }}" port: "6443" state: present timeout: 300 @@ -35,6 +30,8 @@ kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \ regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ '\\1') }}" + when: + - inventory_hostname in groups['rke2_servers'] - name: Wait for node to show Ready status ansible.builtin.command: >- @@ -46,18 +43,5 @@ retries: 20 delay: 10 changed_when: false - -- name: Add generated Token if none provided - block: - - name: Wait for node-token - ansible.builtin.wait_for: - path: /var/lib/rancher/rke2/server/node-token - - - name: Read node-token from master - ansible.builtin.slurp: - src: /var/lib/rancher/rke2/server/node-token - register: node_token - - - name: Store Master node-token - ansible.builtin.set_fact: - rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" + when: + - inventory_hostname in groups['rke2_servers'] diff --git a/roles/rke2_common/vars/main.yml b/roles/rke2/vars/main.yml similarity index 80% rename from roles/rke2_common/vars/main.yml rename to roles/rke2/vars/main.yml index da8e48d7..106b1970 100644 --- a/roles/rke2_common/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -1,4 +1,5 @@ --- +tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 # Possible RKE2 Channels channels: - stable diff --git a/roles/rke2_agent/defaults/main.yml b/roles/rke2_agent/defaults/main.yml deleted file mode 100644 index ae927959..00000000 --- a/roles/rke2_agent/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" diff --git a/roles/rke2_agent/vars/main.yml b/roles/rke2_agent/vars/main.yml deleted file mode 100644 index 53b1ae20..00000000 --- a/roles/rke2_agent/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml deleted file mode 100644 index 8b8bad68..00000000 --- a/roles/rke2_common/tasks/main.yml +++ /dev/null @@ -1,80 +0,0 @@ ---- - -- name: Populate service facts - ansible.builtin.service_facts: {} - -- name: Gather the package facts - ansible.builtin.package_facts: - manager: auto - -- name: Has rke2 been installed already - ansible.builtin.include_tasks: previous_install.yml - -- name: Include images_tarball_install.yml - ansible.builtin.include_tasks: images_tarball_install.yml - -- name: "Check for binary tarball in tarball_install/rke2.linux-amd64.tar.gz" - ansible.builtin.stat: - path: "{{ playbook_dir }}/tarball_install/rke2.linux-amd64.tar.gz" - register: rke2_binary_tarball_check - delegate_to: 127.0.0.1 - become: false - -- name: Include calculate_rke2_version.yml - ansible.builtin.include_tasks: calculate_rke2_version.yml - when: - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url is not defined or rke2_tarball_url == "" - -- name: SLES/Ubuntu/Tarball Installation - ansible.builtin.include_tasks: tarball_install.yml - when: - - |- - ((ansible_facts['os_family'] != 'RedHat' and - ansible_facts['os_family'] != 'Rocky') or - rke2_binary_tarball_check.stat.exists or - (rke2_tarball_url is defined and rke2_tarball_url != "")) - -- name: RHEL/CentOS Installation - when: - - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url == "" - ansible.builtin.include_tasks: rpm_install.yml - -# Disable Firewalld -# We recommend disabling firewalld. For Kubernetes 1.19+, firewalld must be turned off. -- name: Disable FIREWALLD - ansible.builtin.systemd: - name: firewalld - state: stopped - enabled: no - when: - - ansible_facts.services["firewalld.service"] is defined - - ansible_facts.services["firewalld.service"].status != "not-found" - -- name: Include task file network_manager_fix.yaml - ansible.builtin.include_tasks: network_manager_fix.yaml - -- name: Include task file config.yml - ansible.builtin.include_tasks: config.yml - -- name: Add server iptables rules - ansible.builtin.include_tasks: iptables_rules.yml - when: - - ansible_facts.services["iptables.service"] is defined - - add_iptables_rules | bool - -- name: Include task file add-audit-policy-config.yml - ansible.builtin.include_tasks: add-audit-policy-config.yml - when: - - audit_policy_config_file_path | length > 0 - -- name: Include task file add-registry-config.yml - ansible.builtin.include_tasks: add-registry-config.yml - when: registry_config_file_path | length > 0 - -- name: Run CIS-Hardening Tasks - ansible.builtin.include_role: - name: rke2_common - tasks_from: cis-hardening diff --git a/roles/rke2_server/defaults/main.yml b/roles/rke2_server/defaults/main.yml deleted file mode 100644 index ae927959..00000000 --- a/roles/rke2_server/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml deleted file mode 100644 index ef402d14..00000000 --- a/roles/rke2_server/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: RKE2 agent and server tasks - vars: - rke2_common_caller_role_name: server - ansible.builtin.include_role: - name: rke2_common - tasks_from: main - -- name: Include task file add-pod-security-admission-config.yml - ansible.builtin.include_tasks: add-pod-security-admission-config.yml - -- name: Setup initial server - ansible.builtin.include_tasks: first_server.yml - when: inventory_hostname in groups['rke2_servers'][0] - -- name: Setup other servers - ansible.builtin.include_tasks: other_servers.yml - when: inventory_hostname in groups['rke2_servers'][1:] - -- name: Configure Utilities - ansible.builtin.include_tasks: utilities.yml diff --git a/roles/rke2_server/tasks/other_servers.yml b/roles/rke2_server/tasks/other_servers.yml deleted file mode 100644 index c075b058..00000000 --- a/roles/rke2_server/tasks/other_servers.yml +++ /dev/null @@ -1,71 +0,0 @@ ---- - -- name: Does config file already have server token? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' - register: server_token_check - failed_when: server_token_check.rc >= 2 - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}" - state: present - insertbefore: BOF - when: - - '"token:" not in server_token_check.stdout' - -- name: Does config file already have server url? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' - register: server_url_check - failed_when: server_url_check.rc >= 2 - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "server: https://{{ kubernetes_api_server_host }}:9345" - state: present - insertbefore: BOF - when: - - '"server:" not in server_url_check.stdout' - -- name: Start rke2-server - throttle: 1 - ansible.builtin.systemd: - name: rke2-server - state: started - enabled: yes - -- name: Wait for k8s apiserver reachability - ansible.builtin.wait_for: - host: "{{ kubernetes_api_server_host }}" - port: "6443" - state: present - timeout: 300 - -- name: Wait for kubelet process to be present on host - ansible.builtin.command: >- - ps -C kubelet -F -ww --no-headers - register: kubelet_check - until: kubelet_check.rc == 0 - retries: 20 - delay: 10 - changed_when: false - -- name: Extract the hostname-override parameter from the kubelet process - ansible.builtin.set_fact: - kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \ - regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ - '\\1') }}" - -- name: Wait for node to show Ready status - ansible.builtin.command: >- - /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml - --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }} - -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' - register: status_result - until: status_result.stdout.find("True") != -1 - retries: 20 - delay: 10 - changed_when: false diff --git a/roles/rke2_server/vars/main.yml b/roles/rke2_server/vars/main.yml deleted file mode 100644 index ed97d539..00000000 --- a/roles/rke2_server/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/site.yml b/site.yml index 0d555ce9..71c6d684 100644 --- a/site.yml +++ b/site.yml @@ -1,24 +1,9 @@ --- -- name: Server play - hosts: rke2_servers +- name: RKE2 play + hosts: all any_errors_fatal: true become: true roles: - - role: rke2_server - serial: 5 - -- name: Agent play - hosts: rke2_agents - any_errors_fatal: true - become: true - roles: - - role: rke2_agent - serial: 10 - -- name: Cluster manifest play - hosts: rke2_servers - any_errors_fatal: true - become: true - roles: - - role: cluster_manifest + - role: rke2 + # serial: 5 From d105fb5b087a966bcfac04c096cf8826444a5962 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Mon, 17 Jun 2024 15:30:26 -0400 Subject: [PATCH 02/36] validating --- roles/rke2/defaults/main.yml | 2 + roles/rke2/handlers/main.yml | 13 +++-- roles/rke2/tasks/add-audit-policy-config.yml | 41 ++++++++++++--- .../add-pod-security-admission-config.yml | 10 +--- roles/rke2/tasks/add-registry-config.yml | 51 ++++++++++++------- roles/rke2/tasks/calculate_rke2_version.yml | 8 +-- roles/rke2/tasks/cis-hardening.yml | 19 ++----- roles/rke2/tasks/config.yml | 18 ------- roles/rke2/tasks/configure_rke2.yml | 9 ++-- roles/rke2/tasks/first_server.yml | 2 +- roles/rke2/tasks/images_bundle.yml | 28 ++++++++++ roles/rke2/tasks/images_tarball_install.yml | 50 ------------------ roles/rke2/tasks/main.yml | 24 ++++----- roles/rke2/tasks/network_manager_fix.yaml | 14 ++--- roles/rke2/tasks/other_nodes.yml | 4 +- roles/rke2/tasks/pre_reqs.yml | 1 + roles/rke2/tasks/rpm_install.yml | 23 ++------- roles/rke2/vars/main.yml | 17 +------ 18 files changed, 149 insertions(+), 185 deletions(-) create mode 100644 roles/rke2/tasks/images_bundle.yml delete mode 100644 roles/rke2/tasks/images_tarball_install.yml diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 3d481611..4d4bd72b 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -4,11 +4,13 @@ tarball_dir: "/usr/local" rke2_local_tarball_path: "" rke2_tarball_url: "" rke2_images_urls: [] +rke2_images_local_tarball_path: [] rke2_channel: stable audit_policy_config_file_path: "" registry_config_file_path: "" pod_security_admission_config_file_path: "" add_iptables_rules: false +cluster_manifest_config_file_path: "" rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index 37c2c4a1..c4211f6b 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -5,7 +5,7 @@ state: restarted name: systemd-sysctl when: - - reboot is not defined + - not reboot - name: Restart rke2-server ansible.builtin.service: @@ -13,7 +13,7 @@ name: rke2-server throttle: 1 when: - - reboot is not defined + - not reboot - name: Restart rke2-agent ansible.builtin.service: @@ -21,7 +21,7 @@ name: rke2-agent throttle: 1 when: - - reboot is not defined + - not reboot - name: Reboot the machine ansible.builtin.reboot: @@ -29,3 +29,10 @@ throttle: 1 when: - reboot + +- name: Reload NetworkManager + ansible.builtin.systemd: + name: NetworkManager + state: reloaded + when: + - not reboot diff --git a/roles/rke2/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml index 66bb82ae..ac452639 100644 --- a/roles/rke2/tasks/add-audit-policy-config.yml +++ b/roles/rke2/tasks/add-audit-policy-config.yml @@ -1,14 +1,39 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - recurse: yes - - name: Add audit policy configuration file - ansible.builtin.copy: - src: "{{ audit_policy_config_file_path }}" + vars: + file_contents: "{{ lookup('file', audit_policy_config_file_path) }}" + ansible.builtin.template: + src: ansible_header.j2 dest: "/etc/rancher/rke2/audit-policy.yaml" mode: '0640' owner: root group: root + when: + - audit_policy_config_file_path|length != 0 + notify: "Restart {{ service_name }}" + +- name: Remove audit policy configuration file + when: + - audit_policy_config_file_path|length == 0 + block: + - name: Check that the audit policy config file exists + ansible.builtin.stat: + path: "/etc/rancher/rke2/audit-policy.yaml" + register: stat_result + + - name: "Check that the audit policy config file has ansible managed comments" + ansible.builtin.lineinfile: + name: "/etc/rancher/rke2/audit-policy.yaml" + line: '## This is an Ansible managed file, contents will be overwritten ##' + state: present + check_mode: yes + register: ansible_managed_check + when: stat_result.stat.exists | bool is true + + - name: Remove the audit policy config file if exists and has ansible managed comments + ansible.builtin.file: + path: "/etc/rancher/rke2/audit-policy.yaml" + state: absent + when: + - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml index 4b7a1937..b7f537a2 100644 --- a/roles/rke2/tasks/add-pod-security-admission-config.yml +++ b/roles/rke2/tasks/add-pod-security-admission-config.yml @@ -1,10 +1,4 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - recurse: yes - - name: Add pod security admission config file vars: file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}" @@ -15,9 +9,8 @@ owner: root group: root when: - - pod_security_admission_config_file_path is defined - pod_security_admission_config_file_path|length != 0 - notify: Restart rke2-server + notify: "Restart {{ service_name }}" - name: Remove pod security admission config file when: @@ -43,3 +36,4 @@ state: absent when: - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml index 664afe84..367ab9bf 100644 --- a/roles/rke2/tasks/add-registry-config.yml +++ b/roles/rke2/tasks/add-registry-config.yml @@ -1,26 +1,39 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - recurse: yes - - name: Add registry configuration file - ansible.builtin.copy: - src: "{{ registry_config_file_path }}" + vars: + file_contents: "{{ lookup('file', registry_config_file_path) }}" + ansible.builtin.template: + src: ansible_header.j2 dest: "/etc/rancher/rke2/registries.yaml" mode: '0640' owner: root group: root - when: rke2_common_caller_role_name == "server" - notify: Restart rke2-server + when: + - registry_config_file_path|length != 0 + notify: "Restart {{ service_name }}" -- name: Add registry configuration file - ansible.builtin.copy: - src: "{{ registry_config_file_path }}" - dest: "/etc/rancher/rke2/registries.yaml" - mode: '0640' - owner: root - group: root - when: rke2_common_caller_role_name == "agent" - notify: Restart rke2-agent +- name: Remove registry configuration file + when: + - registry_config_file_path|length == 0 + block: + - name: Check that the registry config file exists + ansible.builtin.stat: + path: "/etc/rancher/rke2/registries.yaml" + register: stat_result + + - name: "Check that the registry config file has ansible managed comments" + ansible.builtin.lineinfile: + name: "/etc/rancher/rke2/registries.yaml" + line: '## This is an Ansible managed file, contents will be overwritten ##' + state: present + check_mode: yes + register: ansible_managed_check + when: stat_result.stat.exists | bool is true + + - name: Remove the registry config file if exists and has ansible managed comments + ansible.builtin.file: + path: "/etc/rancher/rke2/registries.yaml" + state: absent + when: + - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index e18ae9c5..e64e5b70 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -3,10 +3,10 @@ - name: "Calculate rke2 full version" when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) block: - - name: Stop if the provided is not valid - ansible.builtin.fail: - msg: "Provided channel is not valid" - when: rke2_channel not in channels + # - name: Stop if the provided is not valid + # ansible.builtin.fail: + # msg: "Provided channel is not valid" + # when: rke2_channel not in channels - name: Get full version name url ansible.builtin.uri: diff --git a/roles/rke2/tasks/cis-hardening.yml b/roles/rke2/tasks/cis-hardening.yml index 102a84a9..754d423c 100644 --- a/roles/rke2/tasks/cis-hardening.yml +++ b/roles/rke2/tasks/cis-hardening.yml @@ -1,9 +1,9 @@ --- + - name: CIS MODE become: yes when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$') block: - - name: Create etcd group ansible.builtin.group: name: etcd @@ -28,7 +28,7 @@ - install_method == "rpm" notify: - Restart systemd-sysctl - - Restart {{ service_name }} + - "Restart {{ service_name }}" - Reboot the machine - name: Copy systemctl file for kernel hardening for non-yum installs @@ -42,15 +42,9 @@ - install_method == "tarball" notify: - Restart systemd-sysctl - - Restart {{ service_name }} + - "Restart {{ service_name }}" - Reboot the machine - # - name: Restart systemd-sysctl - # ansible.builtin.service: - # state: restarted - # name: systemd-sysctl - # when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed - # Per CIS hardening guide, if Kubernetes is already running, making changes to sysctl can result in unexpected # side-effects. Rebooting node if RKE2 is already running to prevent potential issues whereas before we were # always rebooting, even if the node was brand new and RKE2 not running yet. @@ -61,10 +55,3 @@ - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - rke2_running is defined - rke2_running - # ansible.builtin.reboot: - # reboot_timeout: 300 - # throttle: 1 - # when: - # - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - # - rke2_running is defined - # - rke2_running diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index b755f8c5..cf277334 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml @@ -256,21 +256,3 @@ path: /tmp/ansible-config.txt state: absent changed_when: false - -- name: Restart rke2-server if package installed and config changed or RKE2 version changed - ansible.builtin.service: - state: restarted - name: rke2-server - when: - - ansible_facts.services["rke2-server.service"] is defined - - "ansible_facts.services['rke2-server.service'].state == 'running'" - - (tmp_sha1 != previous_rke2_config.stat.checksum or (rke2_version_changed | default(false))) - -- name: Restart rke2-agent if package installed and config changed or RKE2 version changed - ansible.builtin.service: - state: restarted - name: rke2-agent - when: - - ansible_facts.services["rke2-agent.service"] is defined - - "ansible_facts.services['rke2-agent.service'].state == 'running'" - - (tmp_sha1 != previous_rke2_config.stat.checksum or (rke2_version_changed | default(false))) diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 0a0afa38..06774a94 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -1,23 +1,26 @@ --- +- name: Create the /etc/rancher/rke2 config dir + ansible.builtin.file: + path: /etc/rancher/rke2 + state: directory + recurse: yes + - name: Run CIS-Hardening Tasks ansible.builtin.include_tasks: cis-hardening.yml - name: Configure registries.yaml ansible.builtin.include_tasks: add-registry-config.yml - when: registry_config_file_path | length > 0 - name: Configure audit policy ansible.builtin.include_tasks: add-audit-policy-config.yml when: - inventory_hostname in groups['rke2_servers'] - - audit_policy_config_file_path | length > 0 - name: Configure psa policy ansible.builtin.include_tasks: add-pod-security-admission-config.yml when: - inventory_hostname in groups['rke2_servers'] - - pod_security_admission_config_file_path | length > 0 - name: Configure first server manifests ansible.builtin.include_tasks: add-manifest-addons.yml diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 6ca9429b..2ea88adb 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -6,7 +6,7 @@ - name: Wait for rke2 ansible.builtin.include_tasks: wait_for_rke2.yml -- name: Add generated Token if none provided ### <- what's the intent here? +- name: Add generated Token if none provided block: - name: Wait for node-token ansible.builtin.wait_for: diff --git a/roles/rke2/tasks/images_bundle.yml b/roles/rke2/tasks/images_bundle.yml new file mode 100644 index 00000000..9b069f25 --- /dev/null +++ b/roles/rke2/tasks/images_bundle.yml @@ -0,0 +1,28 @@ +--- + +- name: Create images directory + ansible.builtin.file: + path: /var/lib/rancher/rke2/agent/images + state: directory + mode: '0644' + +- name: Download images tar files url + ansible.builtin.get_url: + url: "{{ item }}" + dest: "/var/lib/rancher/rke2/agent/images" + mode: "0644" + when: + - rke2_images_urls != [] + with_items: "{{ rke2_images_urls }}" + notify: "Restart {{ service_name }}" + +- name: Copy local tarball images + ansible.builtin.copy: + src: "{{ item }}" + dest: /var/lib/rancher/rke2/agent/images/ + mode: '0644' + with_items: + - "{{ rke2_images_local_tarball_path }}" + when: + - rke2_images_local_tarball_path != [] + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/images_tarball_install.yml b/roles/rke2/tasks/images_tarball_install.yml deleted file mode 100644 index 49ee3e09..00000000 --- a/roles/rke2/tasks/images_tarball_install.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- - -- name: "Check for images tar.gz in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" # noqa name[template] yaml[line-length] - ansible.builtin.stat: - path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" - get_checksum: false - register: got_images_gz - delegate_to: 127.0.0.1 - become: false - -- name: "Check for images tar.zst in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" # noqa name[template] yaml[line-length] - ansible.builtin.stat: - path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" - get_checksum: false - register: got_images_zst - delegate_to: 127.0.0.1 - become: false - -- name: Create images directory - ansible.builtin.file: - path: /var/lib/rancher/rke2/agent/images - state: directory - mode: '0644' - when: - - got_images_gz - - got_images_zst - - rke2_images_urls != [] - -- name: Download images tar files url - ansible.builtin.get_url: - url: "{{ item }}" - dest: "/var/lib/rancher/rke2/agent/images" - mode: "0644" - when: - - rke2_images_urls != [] - with_items: "{{ rke2_images_urls }}" - -- name: Add images tar.gz to needed directory if provided - ansible.builtin.copy: - src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz" - dest: /var/lib/rancher/rke2/agent/images/ - mode: '0644' - when: got_images_gz.stat.exists - -- name: Add images tar.zst to needed directory if provided - ansible.builtin.copy: - src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst" - dest: /var/lib/rancher/rke2/agent/images/ - mode: '0644' - when: got_images_zst.stat.exists diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index 8fcdce6e..de76df23 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -7,17 +7,13 @@ ansible.builtin.package_facts: manager: auto -- name: Satisfy OS Pre-Reqs - ansible.builtin.include_tasks: pre_reqs.yml - - name: Set for install method of tarball ansible.builtin.set_fact: install_method: tarball when: |- - ((ansible_facts['os_family'] != 'RedHat' and - ansible_facts['os_family'] != 'Rocky') or - (rke2_tarball_url is defined and rke2_tarball_url != "") or - (rke2_local_tarball_path is defined and rke2_local_tarball_path != "")) + ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or + rke2_tarball_url != "" or + rke2_local_tarball_path != "") - name: Set for install method of rpm ansible.builtin.set_fact: @@ -39,14 +35,17 @@ when: - inventory_hostname in groups.get('rke2_agents', []) +- name: Satisfy OS Pre-Reqs + ansible.builtin.include_tasks: pre_reqs.yml + - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml - name: Check for images bundle - ansible.builtin.include_tasks: images_tarball_install.yml - -- name: Determine rke2_version to install - ansible.builtin.include_tasks: calculate_rke2_version.yml + ansible.builtin.include_tasks: images_bundle.yml + when: + - rke2_images_urls != [] or + rke2_images_local_tarball_path != [] - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml @@ -54,9 +53,9 @@ - install_method == "tarball" - name: RPM Install + ansible.builtin.include_tasks: rpm_install.yml when: - install_method == "rpm" - ansible.builtin.include_tasks: rpm_install.yml - name: Set rke2 configuration files ansible.builtin.include_tasks: configure_rke2.yml @@ -86,5 +85,4 @@ group: root when: - inventory_hostname in groups['rke2_servers'][0] - - cluster_manifest_config_file_path is defined - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml index cd65e3c3..8b1fea1e 100644 --- a/roles/rke2/tasks/network_manager_fix.yaml +++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -26,6 +26,7 @@ owner: root group: root when: rke2_canal_file.stat.exists + notify: "Restart {{ service_name }}" - name: Disable service nm-cloud-setup ansible.builtin.systemd: @@ -33,6 +34,9 @@ enabled: no state: stopped when: ansible_facts.services["nm-cloud-setup.service"] is defined + notify: + - Reload NetworkManager + - "Restart {{ service_name }}" - name: Disable nm-cloud-setup.timer unit ansible.builtin.systemd: @@ -40,10 +44,8 @@ state: stopped enabled: no when: ansible_facts.services["nm-cloud-setup.service"] is defined + notify: + - Reload NetworkManager + - "Restart {{ service_name }}" + -- name: Reload NetworkManager - ansible.builtin.systemd: - name: NetworkManager - state: reloaded - when: (ansible_facts.services["NetworkManager.service"] is defined) and - (ansible_facts.services["NetworkManager.service"].status == "running") diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 9f0862c5..a4fe2fe4 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -17,7 +17,7 @@ insertbefore: BOF when: - '"token:" not in server_token_check.stdout' - notify: Restart {{ service_name }} + notify: "Restart {{ service_name }}" - name: Does config file already have server url? # noqa command-instead-of-shell ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' @@ -33,7 +33,7 @@ insertbefore: BOF when: - '"server:" not in server_url_check.stdout' - notify: Restart {{ service_name }} + notify: "Restart {{ service_name }}" - name: Wait for rke2 ansible.builtin.include_tasks: wait_for_rke2.yml diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index fc2c737a..fdf366bf 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -10,6 +10,7 @@ when: - ansible_facts.services["firewalld.service"] is defined - ansible_facts.services["firewalld.service"].status != "not-found" + notify: "Restart {{ service_name }}" - name: Include task file network_manager_fix.yaml ansible.builtin.include_tasks: network_manager_fix.yaml diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 74231452..d0c8f9d7 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -1,5 +1,8 @@ --- +- name: Determine rke2_version to install + ansible.builtin.include_tasks: calculate_rke2_version.yml + # Add RKE2 Common repo - name: Add the rke2-common repo RHEL/CentOS/Rocky ansible.builtin.yum_repository: @@ -34,22 +37,4 @@ ansible.builtin.yum: name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest - notify: Restart {{ service_name }} - -# - name: YUM-Based | Install rke2-server -# ansible.builtin.yum: -# name: "rke2-server-{{ rke2_version_rpm }}" -# state: latest # noqa package-latest -# when: -# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' -# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE -# - inventory_hostname in groups['rke2_servers'] - -# - name: YUM-Based | Install rke2-agent -# ansible.builtin.yum: -# name: "rke2-agent-{{ rke2_version_rpm }}" -# state: latest # noqa package-latest -# when: -# - ansible_facts['os_family'] == 'RedHat' or ansible_facts['os_family'] == 'Rocky' -# - not rke2_binary_tarball_check.stat.exists #<- THIS SHOULD NEVER BE TRUE -# - inventory_hostname in groups.get('rke2_agents', []) + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index 106b1970..6224d1e3 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -1,19 +1,6 @@ --- + tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 -# Possible RKE2 Channels -channels: - - stable - - latest - - v1.18 - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - v1.26 - - v1.27 - - v1.28 installed: false rke2_version_changed: false +reboot: false \ No newline at end of file From a3850d48bc9b2d5b9b09fa510befae022095c36f Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Mon, 17 Jun 2024 17:32:34 -0400 Subject: [PATCH 03/36] fixing linting --- .ansible-lint-ignore | 6 +++++- .github/workflows/rocky8.yml | 4 ++-- .github/workflows/ubuntu20.yml | 4 ++-- README.md | 2 +- inventory/sample/group_vars/rke2_agents.yml | 2 +- inventory/sample/group_vars/rke2_servers.yml | 6 +++--- inventory/sample/hosts.yml | 4 ++-- roles/rke2/defaults/main.yml | 13 +++++++------ roles/rke2/tasks/add-audit-policy-config.yml | 6 +++--- roles/rke2/tasks/add-manifest-addons.yml | 2 +- .../tasks/add-pod-security-admission-config.yml | 6 +++--- roles/rke2/tasks/add-registry-config.yml | 6 +++--- roles/rke2/tasks/cis-hardening.yml | 2 +- roles/rke2/tasks/configure_rke2.yml | 5 +++-- roles/rke2/tasks/main.yml | 12 ++++-------- roles/rke2/tasks/network_manager_fix.yaml | 6 ++---- roles/rke2/tasks/other_nodes.yml | 2 +- roles/rke2/tasks/pre_reqs.yml | 2 +- roles/rke2/tasks/previous_install.yml | 4 ++-- roles/rke2/tasks/rpm_install.yml | 2 +- roles/rke2/tasks/tarball_install.yml | 1 - roles/rke2/tasks/wait_for_rke2.yml | 8 +++----- roles/rke2/vars/main.yml | 5 ++--- site.yml | 1 - 24 files changed, 53 insertions(+), 58 deletions(-) diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore index dc3fc6ac..cb343553 100644 --- a/.ansible-lint-ignore +++ b/.ansible-lint-ignore @@ -1,4 +1,8 @@ # This file contains ignores rule violations for ansible-lint roles/testing/tasks/troubleshooting.yml ignore-errors -inventory/sample/hosts.yml yaml[line-length] \ No newline at end of file +inventory/sample/hosts.yml yaml[line-length] +inventory/sample/hosts.yml yaml[comments-indentation] +roles/rke2/tasks/add-audit-policy-config.yml no-handler +roles/rke2/tasks/add-pod-security-admission-config.yml no-handler +roles/rke2/tasks/add-registry-config.yml no-handler diff --git a/.github/workflows/rocky8.yml b/.github/workflows/rocky8.yml index b4d9973e..f21a42c7 100644 --- a/.github/workflows/rocky8.yml +++ b/.github/workflows/rocky8.yml @@ -119,7 +119,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml echo "" >> ansible.cfg echo "" >> ansible.cfg echo "remote_user=centos" >> ansible.cfg @@ -172,7 +172,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml cp hosts.yml inventory/rocky8/hosts.yml env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/ubuntu20.yml b/.github/workflows/ubuntu20.yml index b3dbeeb5..f87e40e0 100644 --- a/.github/workflows/ubuntu20.yml +++ b/.github/workflows/ubuntu20.yml @@ -117,7 +117,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml echo "" >> ansible.cfg echo "" >> ansible.cfg echo "remote_user=ubuntu" >> ansible.cfg @@ -170,7 +170,7 @@ jobs: echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml echo "all:" >> hosts.yml echo " vars:" >> hosts.yml - echo " kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml + echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml cp hosts.yml inventory/ubuntu20/hosts.yml env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} diff --git a/README.md b/README.md index a6dc3363..d1789905 100644 --- a/README.md +++ b/README.md @@ -109,7 +109,7 @@ Kubeconfig To get access to your **Kubernetes** cluster just ```bash -ssh ec2-user@kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes" +ssh ec2-user@rke2_kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes" ``` Available configurations diff --git a/inventory/sample/group_vars/rke2_agents.yml b/inventory/sample/group_vars/rke2_agents.yml index e9d13353..dd8c405d 100644 --- a/inventory/sample/group_vars/rke2_agents.yml +++ b/inventory/sample/group_vars/rke2_agents.yml @@ -7,4 +7,4 @@ rke2_config: {} # See https://docs.rke2.io/install/containerd_registry_configuration/ # Add a registry configuration file by specifying the file path on the control host -# registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" +# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml index d451b625..40d7117e 100644 --- a/inventory/sample/group_vars/rke2_servers.yml +++ b/inventory/sample/group_vars/rke2_servers.yml @@ -36,11 +36,11 @@ rke2_config: {} # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ # Add a policy configuration file by specifying the file path on the control host -# audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" +# rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" # See https://docs.rke2.io/install/containerd_registry_configuration/ # Add a registry configuration file by specifying the file path on the control host -# registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" +# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts # Add manifest files by specifying the directory path on the control host @@ -50,4 +50,4 @@ rke2_config: {} # Available in RKE2 1.25+ # Add a pod security admission config file by specifying the file path on the control host # Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored -# pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml" +# rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml" diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml index 517838fd..343a7fab 100644 --- a/inventory/sample/hosts.yml +++ b/inventory/sample/hosts.yml @@ -49,10 +49,10 @@ rke2_cluster: # write-kubeconfig-mode: "0640" # # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ # # Add a policy configuration file by specifying the file path on the control host - # audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" + # rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" # # See https://docs.rke2.io/install/containerd_registry_configuration/ # # Add a registry configuration file by specifying the file path on the control host - # registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" + # rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" # # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts # # Add manifest files by specifying the directory path on the control host # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/" diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 4d4bd72b..75a020dd 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,16 +1,17 @@ --- -kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" +rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" tarball_dir: "/usr/local" rke2_local_tarball_path: "" rke2_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] rke2_channel: stable -audit_policy_config_file_path: "" -registry_config_file_path: "" -pod_security_admission_config_file_path: "" -add_iptables_rules: false -cluster_manifest_config_file_path: "" +rke2_audit_policy_config_file_path: "" +rke2_registry_config_file_path: "" +rke2_pod_security_admission_config_file_path: "" +rke2_add_iptables_rules: false +rke2_initial_manifest_config_file_path: "" +rke2_cluster_manifest_config_file_path: "" rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" diff --git a/roles/rke2/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml index ac452639..10b66c4a 100644 --- a/roles/rke2/tasks/add-audit-policy-config.yml +++ b/roles/rke2/tasks/add-audit-policy-config.yml @@ -1,7 +1,7 @@ --- - name: Add audit policy configuration file vars: - file_contents: "{{ lookup('file', audit_policy_config_file_path) }}" + file_contents: "{{ lookup('file', rke2_audit_policy_config_file_path) }}" ansible.builtin.template: src: ansible_header.j2 dest: "/etc/rancher/rke2/audit-policy.yaml" @@ -9,12 +9,12 @@ owner: root group: root when: - - audit_policy_config_file_path|length != 0 + - rke2_audit_policy_config_file_path|length != 0 notify: "Restart {{ service_name }}" - name: Remove audit policy configuration file when: - - audit_policy_config_file_path|length == 0 + - rke2_audit_policy_config_file_path|length == 0 block: - name: Check that the audit policy config file exists ansible.builtin.stat: diff --git a/roles/rke2/tasks/add-manifest-addons.yml b/roles/rke2/tasks/add-manifest-addons.yml index a7524f1b..0b55cc88 100644 --- a/roles/rke2/tasks/add-manifest-addons.yml +++ b/roles/rke2/tasks/add-manifest-addons.yml @@ -2,7 +2,7 @@ - name: Add manifest addons files ansible.builtin.copy: - src: "{{ manifest_config_file_path }}" + src: "{{ src }}" dest: "/var/lib/rancher/rke2/server/manifests/" mode: '0640' owner: root diff --git a/roles/rke2/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml index b7f537a2..3237502a 100644 --- a/roles/rke2/tasks/add-pod-security-admission-config.yml +++ b/roles/rke2/tasks/add-pod-security-admission-config.yml @@ -1,7 +1,7 @@ --- - name: Add pod security admission config file vars: - file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}" + file_contents: "{{ lookup('file', rke2_pod_security_admission_config_file_path) }}" ansible.builtin.template: src: ansible_header.j2 dest: "/etc/rancher/rke2/pod-security-admission-config.yaml" @@ -9,12 +9,12 @@ owner: root group: root when: - - pod_security_admission_config_file_path|length != 0 + - rke2_pod_security_admission_config_file_path|length != 0 notify: "Restart {{ service_name }}" - name: Remove pod security admission config file when: - - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0 + - rke2_pod_security_admission_config_file_path|length == 0 block: - name: Check that the PSA config file exists ansible.builtin.stat: diff --git a/roles/rke2/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml index 367ab9bf..205e2253 100644 --- a/roles/rke2/tasks/add-registry-config.yml +++ b/roles/rke2/tasks/add-registry-config.yml @@ -1,7 +1,7 @@ --- - name: Add registry configuration file vars: - file_contents: "{{ lookup('file', registry_config_file_path) }}" + file_contents: "{{ lookup('file', rke2_registry_config_file_path) }}" ansible.builtin.template: src: ansible_header.j2 dest: "/etc/rancher/rke2/registries.yaml" @@ -9,12 +9,12 @@ owner: root group: root when: - - registry_config_file_path|length != 0 + - rke2_registry_config_file_path|length != 0 notify: "Restart {{ service_name }}" - name: Remove registry configuration file when: - - registry_config_file_path|length == 0 + - rke2_registry_config_file_path|length == 0 block: - name: Check that the registry config file exists ansible.builtin.stat: diff --git a/roles/rke2/tasks/cis-hardening.yml b/roles/rke2/tasks/cis-hardening.yml index 754d423c..ec779eaf 100644 --- a/roles/rke2/tasks/cis-hardening.yml +++ b/roles/rke2/tasks/cis-hardening.yml @@ -50,7 +50,7 @@ # always rebooting, even if the node was brand new and RKE2 not running yet. - name: Reboot the machine (Wait for 5 min) ansible.builtin.set_fact: - reboot: true + rke2_reboot: true when: - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed) - rke2_running is defined diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 06774a94..ab437335 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -24,7 +24,8 @@ - name: Configure first server manifests ansible.builtin.include_tasks: add-manifest-addons.yml + vars: + src: "{{ rke2_initial_manifest_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'][0] - - manifest_config_file_path is defined - - manifest_config_file_path | length > 0 + - rke2_initial_manifest_config_file_path | length > 0 diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index de76df23..a84d9efd 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -76,13 +76,9 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Add cluster manifest addons files - ansible.builtin.copy: - src: "{{ cluster_manifest_config_file_path }}" - dest: "/var/lib/rancher/rke2/server/manifests/" - mode: '0640' - owner: root - group: root +- name: Configure cluster manifests + ansible.builtin.include_tasks: add-manifest-addons.yml + vars: + src: "{{ rke2_cluster_manifest_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'][0] - - cluster_manifest_config_file_path | length > 0 diff --git a/roles/rke2/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml index 8b1fea1e..95037c33 100644 --- a/roles/rke2/tasks/network_manager_fix.yaml +++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -34,7 +34,7 @@ enabled: no state: stopped when: ansible_facts.services["nm-cloud-setup.service"] is defined - notify: + notify: - Reload NetworkManager - "Restart {{ service_name }}" @@ -44,8 +44,6 @@ state: stopped enabled: no when: ansible_facts.services["nm-cloud-setup.service"] is defined - notify: + notify: - Reload NetworkManager - "Restart {{ service_name }}" - - diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index a4fe2fe4..7f7a0234 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -28,7 +28,7 @@ - name: Add server url to config file ansible.builtin.lineinfile: dest: /etc/rancher/rke2/config.yaml - line: "server: https://{{ kubernetes_api_server_host }}:9345" + line: "server: https://{{ rke2_kubernetes_api_server_host }}:9345" state: present insertbefore: BOF when: diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index fdf366bf..ad60ab98 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -19,4 +19,4 @@ ansible.builtin.include_tasks: iptables_rules.yml when: - ansible_facts.services["iptables.service"] is defined - - add_iptables_rules | bool + - rek2_add_iptables_rules | bool diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index 03e59253..e8f4c744 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -2,7 +2,7 @@ - name: Set fact if rke2-server was previously installed ansible.builtin.set_fact: - installed: true + rke2_installed: true when: - ansible_facts.services["rke2-server.service"] is defined - not ansible_facts.services["rke2-server.service"].status == 'disabled' @@ -18,7 +18,7 @@ - name: Set fact if rke2-agent was previously installed ansible.builtin.set_fact: - installed: true + rke2_installed: true when: - ansible_facts.services["rke2-agent.service"] is defined - not ansible_facts.services["rke2-agent.service"].status == 'disabled' diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index d0c8f9d7..f4aa2bb8 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -34,7 +34,7 @@ ansible_facts['distribution_major_version'] == "9" - name: YUM-Based Install - ansible.builtin.yum: + ansible.builtin.dnf: name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 27f61efa..27e6719a 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -36,7 +36,6 @@ - not rke2_binary_tarball_check.stat.exists - rke2_tarball_url != "" - - name: Determine if current version differs what what is being installed ansible.builtin.set_fact: rke2_version_changed: true diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml index 35b98c6c..b1a3e96e 100644 --- a/roles/rke2/tasks/wait_for_rke2.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -11,7 +11,7 @@ - name: Wait for k8s apiserver ansible.builtin.wait_for: - host: "{{ kubernetes_api_server_host }}" + host: "{{ rke2_kubernetes_api_server_host }}" port: "6443" state: present timeout: 300 @@ -27,16 +27,14 @@ - name: Extract the hostname-override parameter from the kubelet process ansible.builtin.set_fact: - kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \ - regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\ - '\\1') }}" + kubelet_hostname: "{{ kubelet_check.stdout | regex_search('\\s--hostname-override=([^\\s]+)', '\\1') }}" when: - inventory_hostname in groups['rke2_servers'] - name: Wait for node to show Ready status ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml - --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }} + --server https://127.0.0.1:6443 get no {{ kubelet_hostname }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' register: status_result until: status_result.stdout.find("True") != -1 diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index 6224d1e3..0f544b40 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -1,6 +1,5 @@ --- -tmp_sha1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 -installed: false +rke2_installed: false rke2_version_changed: false -reboot: false \ No newline at end of file +rke2_reboot: false diff --git a/site.yml b/site.yml index 71c6d684..7fd240e6 100644 --- a/site.yml +++ b/site.yml @@ -6,4 +6,3 @@ become: true roles: - role: rke2 - # serial: 5 From 61422e44988dd02f7441629672849b81868e03ed Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Mon, 17 Jun 2024 20:49:49 -0400 Subject: [PATCH 04/36] initial pass at tarball --- inventory/sample/hosts.yml | 2 +- roles/rke2/defaults/main.yml | 7 +- roles/rke2/handlers/main.yml | 22 +++---- roles/rke2/tasks/main.yml | 13 ++-- roles/rke2/tasks/previous_install.yml | 8 +-- roles/rke2/tasks/rpm_install.yml | 3 - roles/rke2/tasks/tarball_install.yml | 95 ++++++++++++++------------- roles/rke2/tasks/wait_for_rke2.yml | 2 +- 8 files changed, 80 insertions(+), 72 deletions(-) diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml index 343a7fab..8beb932f 100644 --- a/inventory/sample/hosts.yml +++ b/inventory/sample/hosts.yml @@ -3,7 +3,7 @@ all: vars: install_rke2_version: v1.27.10+rke2r1 # # In air-gapped envs, it might be convenient to download the tar files from custom URLs - # rke2_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz + # rke2_install_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz # rke2_image_tar_urls: # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 75a020dd..a44e12dc 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,8 +1,8 @@ --- rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" -tarball_dir: "/usr/local" -rke2_local_tarball_path: "" -rke2_tarball_url: "" +rke2_tarball_install_dir: "/usr/local" +rke2_local_install_tarball_path: "" +rke2_install_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] rke2_channel: stable @@ -12,6 +12,7 @@ rke2_pod_security_admission_config_file_path: "" rke2_add_iptables_rules: false rke2_initial_manifest_config_file_path: "" rke2_cluster_manifest_config_file_path: "" +rke2_force_tarball_install: false rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index c4211f6b..728c71be 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -5,7 +5,7 @@ state: restarted name: systemd-sysctl when: - - not reboot + - not rke2_reboot - name: Restart rke2-server ansible.builtin.service: @@ -13,7 +13,7 @@ name: rke2-server throttle: 1 when: - - not reboot + - not rke2_reboot - name: Restart rke2-agent ansible.builtin.service: @@ -21,18 +21,18 @@ name: rke2-agent throttle: 1 when: - - not reboot - -- name: Reboot the machine - ansible.builtin.reboot: - reboot_timeout: 300 - throttle: 1 - when: - - reboot + - not rke2_reboot - name: Reload NetworkManager ansible.builtin.systemd: name: NetworkManager state: reloaded when: - - not reboot + - not rke2_reboot + +- name: Reboot the machine + ansible.builtin.reboot: + reboot_timeout: 300 + throttle: 1 + when: + - rke2_reboot diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index a84d9efd..c5a49e04 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -12,16 +12,18 @@ install_method: tarball when: |- ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or - rke2_tarball_url != "" or - rke2_local_tarball_path != "") + rke2_install_tarball_url != "" or + rke2_local_install_tarball_path != "" or + rke2_force_tarball_install|bool) - name: Set for install method of rpm ansible.builtin.set_fact: install_method: rpm when: - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - rke2_local_tarball_path == "" - - rke2_tarball_url == "" + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" + - not rke2_force_tarball_install|bool - name: Set as server ansible.builtin.set_fact: @@ -47,6 +49,9 @@ - rke2_images_urls != [] or rke2_images_local_tarball_path != [] +- name: Determine rke2_version to install + ansible.builtin.include_tasks: calculate_rke2_version.yml + - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml when: diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index e8f4c744..dbad69a8 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -40,7 +40,7 @@ - name: Get current RKE2 version if already installed ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }' - register: installed_rke2_version_tmp + register: rke2_installed_version_tmp changed_when: false args: executable: /usr/bin/bash @@ -48,12 +48,12 @@ - install_method == "tarball" - rke2_binary.stat.exists failed_when: > - (installed_rke2_version_tmp.rc != 141) and - (installed_rke2_version_tmp.rc != 0) + (rke2_installed_version_tmp.rc != 141) and + (rke2_installed_version_tmp.rc != 0) - name: Determine if current version differs what what is being installed ansible.builtin.set_fact: - installed_rke2_version: "{{ installed_rke2_version_tmp.stdout }}" + rke2_installed_version: "{{ rke2_installed_version_tmp.stdout }}" when: - install_method == "tarball" - rke2_binary.stat.exists diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index f4aa2bb8..9b79a414 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -1,8 +1,5 @@ --- -- name: Determine rke2_version to install - ansible.builtin.include_tasks: calculate_rke2_version.yml - # Add RKE2 Common repo - name: Add the rke2-common repo RHEL/CentOS/Rocky ansible.builtin.yum_repository: diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 27e6719a..a2ef7c55 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -14,47 +14,49 @@ - name: TARBALL | Make temp dir ansible.builtin.tempfile: state: directory - suffix: rke2-install.XXXXXXXXXX + suffix: .rke2-install.XXXXXXXXXX path: "{{ tarball_tmp_dir | default(omit) }}" register: temp_dir - name: Send provided tarball if available ansible.builtin.copy: - src: "{{ rke2_local_tarball_path }}" - dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + src: "{{ inventory_dir}}/{{ rke2_local_install_tarball_path }}" + dest: "{{ temp_dir.path }}/" mode: '0644' when: - - rke2_binary_tarball_check.stat.exists - - rke2_tarball_url == "" + - rke2_local_install_tarball_path != "" - name: Download Tar from provided URL ansible.builtin.get_url: - url: "{{ rke2_tarball_url }}" - dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + url: "{{ rke2_install_tarball_url }}" + dest: "{{ temp_dir.path }}/" mode: "0644" when: - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url != "" + - rke2_install_tarball_url != "" -- name: Determine if current version differs what what is being installed +- name: Determine if current version differs from what is being installed ansible.builtin.set_fact: rke2_version_changed: true when: - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url == "" - - not installed or installed_rke2_version != rke2_full_version + # - rke2_local_install_tarball_path == "" + # - rke2_install_tarball_url == "" + - not rke2_installed or rke2_installed_version != rke2_full_version + +- name: Set architecture specific variables + set_fact: + arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - name: TARBALL | Download the tarball ansible.builtin.get_url: - url: https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-amd64.tar.gz - dest: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + url: "https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-{{ arch }}.tar.gz" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" when: - - not rke2_binary_tarball_check.stat.exists - - rke2_tarball_url == "" + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" - rke2_version_changed -- name: TARBALL | Install tar package +- name: TARBALL | Install tar binary ansible.builtin.package: name: tar state: present @@ -62,53 +64,54 @@ - name: Get version of provided tarball when: - - (rke2_binary_tarball_check.stat.exists or rke2_tarball_url != "") + - (rke2_local_install_tarball_path != "" or rke2_install_tarball_url != "") block: - name: Unarchive tarball into temp location ansible.builtin.unarchive: - src: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" + src: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" dest: "{{ temp_dir.path }}" remote_src: true + changed_when: false - name: Get tarball RKE2 version from temp location ansible.builtin.shell: set -o pipefail && {{ temp_dir.path }}/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }' - register: tarball_rke2_version_tmp + register: rke2_tarball_version_tmp changed_when: false args: executable: /usr/bin/bash - name: Set tarball RKE2 version var ansible.builtin.set_fact: - tarball_rke2_version: "{{ tarball_rke2_version_tmp.stdout }}" + rke2_tarball_version: "{{ rke2_tarball_version_tmp.stdout }}" - - name: Determine if current version differs what what is being installed + - name: Determine if current version differs from what is being installed ansible.builtin.set_fact: rke2_version_changed: true when: - - not installed or installed_rke2_version != tarball_rke2_version + - not rke2_installed or rke2_installed_version != rke2_tarball_version - name: TARBALL | Check Target Mountpoint - ansible.builtin.command: mountpoint -q {{ tarball_dir }} - register: tarball_dir_stat + ansible.builtin.command: mountpoint -q {{ rke2_tarball_install_dir }} + register: rke2_tarball_install_dir_stat failed_when: false changed_when: false -- name: TARBALL | tarball_dir is a mountpoint setting dir to /opt/rke2 +- name: TARBALL | rke2_tarball_install_dir is a mountpoint setting dir to /opt/rke2 ansible.builtin.set_fact: - tarball_dir: "/opt/rke2" - when: tarball_dir_stat.rc == 0 + rke2_tarball_install_dir: "/opt/rke2" + when: rke2_tarball_install_dir_stat.rc == 0 - name: TARBALL | Using /opt/rke2 ansible.builtin.debug: msg: "Using /opt/rke2 for install directory" - when: tarball_dir_stat.rc == 0 + when: rke2_tarball_install_dir_stat.rc == 0 -- name: TARBALL | Create {{ tarball_dir }} +- name: TARBALL | Create {{ rke2_tarball_install_dir }} ansible.builtin.file: - path: "{{ tarball_dir }}" + path: "{{ rke2_tarball_install_dir }}" state: directory recurse: true - when: tarball_dir is defined + when: rke2_tarball_install_dir is defined - name: Final extraction/installation of RKE2 Tar when: @@ -117,31 +120,33 @@ - name: Unarchive rke2 tar ansible.builtin.unarchive: - src: "{{ temp_dir.path }}/rke2.linux-amd64.tar.gz" - dest: "{{ tarball_dir }}" + src: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" + dest: "{{ rke2_tarball_install_dir }}" remote_src: true - name: TARBALL | Updating rke2-server.service ansible.builtin.replace: - path: "{{ tarball_dir }}/lib/systemd/system/rke2-server.service" + path: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-server.service" regexp: '/usr/local' - replace: '{{ tarball_dir }}' + replace: '{{ rke2_tarball_install_dir }}' + notify: Restart rke2-server - name: TARBALL | Updating rke2-agent.service ansible.builtin.replace: - path: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.service" + path: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-agent.service" regexp: '/usr/local' - replace: '{{ tarball_dir }}' + replace: '{{ rke2_tarball_install_dir }}' + notify: Restart rke2-agent - name: TARBALL | Updating rke2-uninstall.sh ansible.builtin.replace: - path: "{{ tarball_dir }}/bin/rke2-uninstall.sh" + path: "{{ rke2_tarball_install_dir }}/bin/rke2-uninstall.sh" regexp: '/usr/local' - replace: '{{ tarball_dir }}' + replace: '{{ rke2_tarball_install_dir }}' - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.service" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-server.service" dest: /etc/systemd/system/rke2-server.service mode: '0644' owner: root @@ -152,7 +157,7 @@ - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-server.env" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-server.env" dest: /etc/systemd/system/rke2-server.env mode: '0644' owner: root @@ -163,7 +168,7 @@ - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.service" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-agent.service" dest: /etc/systemd/system/rke2-agent.service mode: '0644' owner: root @@ -174,7 +179,7 @@ - name: TARBALL | Moving Systemd units to /etc/systemd/system ansible.builtin.copy: - src: "{{ tarball_dir }}/lib/systemd/system/rke2-agent.env" + src: "{{ rke2_tarball_install_dir }}/lib/systemd/system/rke2-agent.env" dest: /etc/systemd/system/rke2-agent.env mode: '0644' owner: root diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml index b1a3e96e..a669fabe 100644 --- a/roles/rke2/tasks/wait_for_rke2.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -34,7 +34,7 @@ - name: Wait for node to show Ready status ansible.builtin.command: >- /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml - --server https://127.0.0.1:6443 get no {{ kubelet_hostname }} + --server https://127.0.0.1:6443 get no {{ kubelet_hostname[0] }} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' register: status_result until: status_result.stdout.find("True") != -1 From 57f7344c4acf1552cba6b5fde4b412578152cb85 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Tue, 18 Jun 2024 10:02:02 -0400 Subject: [PATCH 05/36] cleanup --- roles/rke2/tasks/calculate_rke2_version.yml | 15 +++++++-------- roles/rke2/tasks/main.yml | 3 +++ roles/rke2/tasks/previous_install.yml | 4 ++-- roles/rke2/tasks/tarball_install.yml | 8 ++++---- roles/rke2/tasks/wait_for_rke2.yml | 4 ++-- 5 files changed, 18 insertions(+), 16 deletions(-) diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index e64e5b70..d7f0c883 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -1,21 +1,20 @@ --- -- name: "Calculate rke2 full version" - when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) +- name: "Determine latest version from internet" + when: + - ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" block: - # - name: Stop if the provided is not valid - # ansible.builtin.fail: - # msg: "Provided channel is not valid" - # when: rke2_channel not in channels - - name: Get full version name url + - name: Get versions from update.rke2.io ansible.builtin.uri: url: https://update.rke2.io/v1-release/channels/{{ rke2_channel }} follow_redirects: safe remote_src: true register: rke2_version_url - - name: Set full version name + - name: Save version ansible.builtin.shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||' register: rke2_full_version changed_when: false diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index c5a49e04..ea7f1092 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -51,6 +51,9 @@ - name: Determine rke2_version to install ansible.builtin.include_tasks: calculate_rke2_version.yml + when: + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index dbad69a8..44edcbcc 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -38,7 +38,7 @@ register: rke2_binary when: install_method == "tarball" -- name: Get current RKE2 version if already installed +- name: Get current rke2 version if already installed ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }' register: rke2_installed_version_tmp changed_when: false @@ -51,7 +51,7 @@ (rke2_installed_version_tmp.rc != 141) and (rke2_installed_version_tmp.rc != 0) -- name: Determine if current version differs what what is being installed +- name: Set fact for current rke2 version ansible.builtin.set_fact: rke2_installed_version: "{{ rke2_installed_version_tmp.stdout }}" when: diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index a2ef7c55..a0da6302 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -20,7 +20,7 @@ - name: Send provided tarball if available ansible.builtin.copy: - src: "{{ inventory_dir}}/{{ rke2_local_install_tarball_path }}" + src: "{{ inventory_dir }}/{{ rke2_local_install_tarball_path }}" dest: "{{ temp_dir.path }}/" mode: '0644' when: @@ -38,12 +38,12 @@ ansible.builtin.set_fact: rke2_version_changed: true when: - # - rke2_local_install_tarball_path == "" - # - rke2_install_tarball_url == "" + - rke2_local_install_tarball_path == "" + - rke2_install_tarball_url == "" - not rke2_installed or rke2_installed_version != rke2_full_version - name: Set architecture specific variables - set_fact: + ansible.builtin.set_fact: arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - name: TARBALL | Download the tarball diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml index a669fabe..04ec0d94 100644 --- a/roles/rke2/tasks/wait_for_rke2.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -1,9 +1,9 @@ --- -- name: Start {{ service_name }} +- name: Start rke2 ansible.builtin.meta: flush_handlers -- name: Enable {{ service_name }} +- name: Enable service ansible.builtin.systemd: name: "{{ service_name }}" state: started From 00943bc9b990839d6aca3a6378ce431d39424560 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 21 Jun 2024 16:05:05 -0400 Subject: [PATCH 06/36] adding logic to determine join token and which node is up --- roles/rke2/defaults/main.yml | 4 +- roles/rke2/handlers/main.yml | 7 ++ roles/rke2/tasks/add-audit-policy-config.yml | 39 ----------- .../add-pod-security-admission-config.yml | 39 ----------- roles/rke2/tasks/add-registry-config.yml | 39 ----------- .../rke2/tasks/add_ansible_managed_config.yml | 37 ++++++++++ ...est-addons.yml => add_manifest_addons.yml} | 0 .../{cis-hardening.yml => cis_hardening.yml} | 0 roles/rke2/tasks/cluster_state.yml | 67 +++++++++++++++++++ roles/rke2/tasks/configure_rke2.yml | 31 ++++++--- roles/rke2/tasks/first_server.yml | 6 +- roles/rke2/tasks/main.yml | 13 +++- roles/rke2/tasks/pre_reqs.yml | 21 +++++- roles/rke2/tasks/previous_install.yml | 2 + roles/rke2/tasks/rpm_install.yml | 4 ++ .../rke2/templates/ansible_managed_yaml.j2 | 2 +- 16 files changed, 178 insertions(+), 133 deletions(-) delete mode 100644 roles/rke2/tasks/add-audit-policy-config.yml delete mode 100644 roles/rke2/tasks/add-pod-security-admission-config.yml delete mode 100644 roles/rke2/tasks/add-registry-config.yml create mode 100644 roles/rke2/tasks/add_ansible_managed_config.yml rename roles/rke2/tasks/{add-manifest-addons.yml => add_manifest_addons.yml} (100%) rename roles/rke2/tasks/{cis-hardening.yml => cis_hardening.yml} (100%) create mode 100644 roles/rke2/tasks/cluster_state.yml rename ansible_header.j2 => roles/rke2/templates/ansible_managed_yaml.j2 (77%) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index a44e12dc..d853ec3b 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,11 +1,11 @@ --- -rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" +rke2_kubernetes_api_server_host: "" rke2_tarball_install_dir: "/usr/local" rke2_local_install_tarball_path: "" rke2_install_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] -rke2_channel: stable +rke2_channel: "stable" rke2_audit_policy_config_file_path: "" rke2_registry_config_file_path: "" rke2_pod_security_admission_config_file_path: "" diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index 728c71be..0c0a6258 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -7,6 +7,13 @@ when: - not rke2_reboot +- name: Restart fapolicyd + ansible.builtin.service: + state: restarted + name: fapolicyd + when: + - not rke2_reboot + - name: Restart rke2-server ansible.builtin.service: state: restarted diff --git a/roles/rke2/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml deleted file mode 100644 index 10b66c4a..00000000 --- a/roles/rke2/tasks/add-audit-policy-config.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: Add audit policy configuration file - vars: - file_contents: "{{ lookup('file', rke2_audit_policy_config_file_path) }}" - ansible.builtin.template: - src: ansible_header.j2 - dest: "/etc/rancher/rke2/audit-policy.yaml" - mode: '0640' - owner: root - group: root - when: - - rke2_audit_policy_config_file_path|length != 0 - notify: "Restart {{ service_name }}" - -- name: Remove audit policy configuration file - when: - - rke2_audit_policy_config_file_path|length == 0 - block: - - name: Check that the audit policy config file exists - ansible.builtin.stat: - path: "/etc/rancher/rke2/audit-policy.yaml" - register: stat_result - - - name: "Check that the audit policy config file has ansible managed comments" - ansible.builtin.lineinfile: - name: "/etc/rancher/rke2/audit-policy.yaml" - line: '## This is an Ansible managed file, contents will be overwritten ##' - state: present - check_mode: yes - register: ansible_managed_check - when: stat_result.stat.exists | bool is true - - - name: Remove the audit policy config file if exists and has ansible managed comments - ansible.builtin.file: - path: "/etc/rancher/rke2/audit-policy.yaml" - state: absent - when: - - ansible_managed_check.changed | bool is false - notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml deleted file mode 100644 index 3237502a..00000000 --- a/roles/rke2/tasks/add-pod-security-admission-config.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: Add pod security admission config file - vars: - file_contents: "{{ lookup('file', rke2_pod_security_admission_config_file_path) }}" - ansible.builtin.template: - src: ansible_header.j2 - dest: "/etc/rancher/rke2/pod-security-admission-config.yaml" - mode: '0640' - owner: root - group: root - when: - - rke2_pod_security_admission_config_file_path|length != 0 - notify: "Restart {{ service_name }}" - -- name: Remove pod security admission config file - when: - - rke2_pod_security_admission_config_file_path|length == 0 - block: - - name: Check that the PSA config file exists - ansible.builtin.stat: - path: "/etc/rancher/rke2/pod-security-admission-config.yaml" - register: stat_result - - - name: "Check that the PSA config file has ansible managed comments" - ansible.builtin.lineinfile: - name: "/etc/rancher/rke2/pod-security-admission-config.yaml" - line: '## This is an Ansible managed file, contents will be overwritten ##' - state: present - check_mode: yes - register: ansible_managed_check - when: stat_result.stat.exists | bool is true - - - name: Remove the PSA config file if exists and has ansible managed comments - ansible.builtin.file: - path: "/etc/rancher/rke2/pod-security-admission-config.yaml" - state: absent - when: - - ansible_managed_check.changed | bool is false - notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml deleted file mode 100644 index 205e2253..00000000 --- a/roles/rke2/tasks/add-registry-config.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: Add registry configuration file - vars: - file_contents: "{{ lookup('file', rke2_registry_config_file_path) }}" - ansible.builtin.template: - src: ansible_header.j2 - dest: "/etc/rancher/rke2/registries.yaml" - mode: '0640' - owner: root - group: root - when: - - rke2_registry_config_file_path|length != 0 - notify: "Restart {{ service_name }}" - -- name: Remove registry configuration file - when: - - rke2_registry_config_file_path|length == 0 - block: - - name: Check that the registry config file exists - ansible.builtin.stat: - path: "/etc/rancher/rke2/registries.yaml" - register: stat_result - - - name: "Check that the registry config file has ansible managed comments" - ansible.builtin.lineinfile: - name: "/etc/rancher/rke2/registries.yaml" - line: '## This is an Ansible managed file, contents will be overwritten ##' - state: present - check_mode: yes - register: ansible_managed_check - when: stat_result.stat.exists | bool is true - - - name: Remove the registry config file if exists and has ansible managed comments - ansible.builtin.file: - path: "/etc/rancher/rke2/registries.yaml" - state: absent - when: - - ansible_managed_check.changed | bool is false - notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml new file mode 100644 index 00000000..2da4adc3 --- /dev/null +++ b/roles/rke2/tasks/add_ansible_managed_config.yml @@ -0,0 +1,37 @@ +--- +- name: "Add {{ file_description }} file" + ansible.builtin.template: + src: ansible_managed_yaml.j2 + dest: "{{ file_destination }}" + mode: '0640' + owner: root + group: root + when: + - file_path | default("") | length != 0 + notify: "Restart {{ service_name }}" + +- name: "Remove {{ file_description }} file" + when: + - file_path | default("") | length == 0 + block: + - name: "Check that the {{ file_description }} file exists" + ansible.builtin.stat: + path: "{{ file_destination }}" + register: stat_result + + - name: "Check that the {{ file_description }} config file has ansible managed comments" + ansible.builtin.lineinfile: + name: "{{ file_destination }}" + line: '## This is an Ansible managed file, contents will be overwritten ##' + state: present + check_mode: yes + register: ansible_managed_check + when: stat_result.stat.exists | bool is true + + - name: "Remove the {{ file_description }} file if exists and has ansible managed comments" + ansible.builtin.file: + path: "{{ file_destination }}" + state: absent + when: + - ansible_managed_check.changed | bool is false + notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add-manifest-addons.yml b/roles/rke2/tasks/add_manifest_addons.yml similarity index 100% rename from roles/rke2/tasks/add-manifest-addons.yml rename to roles/rke2/tasks/add_manifest_addons.yml diff --git a/roles/rke2/tasks/cis-hardening.yml b/roles/rke2/tasks/cis_hardening.yml similarity index 100% rename from roles/rke2/tasks/cis-hardening.yml rename to roles/rke2/tasks/cis_hardening.yml diff --git a/roles/rke2/tasks/cluster_state.yml b/roles/rke2/tasks/cluster_state.yml new file mode 100644 index 00000000..4f860e3b --- /dev/null +++ b/roles/rke2/tasks/cluster_state.yml @@ -0,0 +1,67 @@ +--- + +- name: Check for existing cluster + block: + - name: Check for node-token (existing cluster) + ansible.builtin.stat: + path: /var/lib/rancher/rke2/server/node-token + register: node_token_tmp + + - name: Read node-token (existing cluster) + ansible.builtin.slurp: + src: /var/lib/rancher/rke2/server/node-token + register: rke2_config_token_tmp + when: + - node_token_tmp.stat.exists + + - name: Set node-token fact (existing cluster) + ansible.builtin.set_fact: + rke2_config_token: "{{ rke2_config_token_tmp.content | b64decode | regex_replace('\n', '') }}" + when: + - rke2_config_token_tmp.stat.exists + + - name: Set node-token fact on all hosts (existing cluster) + ansible.builtin.set_fact: + rke2_config_token: "{{ hostvars[item]['rke2_config_token'] }}" + delegate_to: localhost + run_once: true + loop: "{{ groups['all'] }}" + when: "hostvars[item]['rke2_config_token'] is defined" + vars: + rke2_config_token: "{{ rke2_config_token | default('') }}" + + - name: Debug found token + ansible.builtin.debug: + msg: "rke2_config_token: {{ rke2_config_token }}" + when: rke2_config_token != "" + + - name: Read host with token (existing cluster) + ansible.builtin.set_fact: + existing_join_host: "{{ ansible_hostname }}" + when: + - node_token_tmp.stat.exists + + - name: Set join server fact on all hosts (existing cluster) + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[item]['existing_join_host'] }}" + delegate_to: localhost + run_once: true + loop: "{{ groups['all'] }}" + when: + - "hostvars[item]['existing_join_host'] is defined" + - hostvars[item]['rke2_kubernetes_api_server_host'] == "" + vars: + rke2_kubernetes_api_server_host: "{{ existing_join_host | default('') }}" + when: + - rke2_running is defined + - rke2_running + +- name: No existing cluster found and api server not set + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}" + when: + - rke2_kubernetes_api_server_host == "" + +- name: Debug found join_server + ansible.builtin.debug: + msg: "Join Server: {{ rke2_kubernetes_api_server_host }}" diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index ab437335..3b6cf634 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -7,23 +7,38 @@ recurse: yes - name: Run CIS-Hardening Tasks - ansible.builtin.include_tasks: cis-hardening.yml + ansible.builtin.include_tasks: cis_hardening.yml -- name: Configure registries.yaml - ansible.builtin.include_tasks: add-registry-config.yml +- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}" + ansible.builtin.include_tasks: add_ansible_managed_config.yml + vars: + file_contents: "{{ lookup('file', rke2_registry_config_file_path) }}" + file_destination: "/etc/rancher/rke2/registries.yaml" + file_description: "registry configuration" + file_path: "{{ rke2_registry_config_file_path }}" -- name: Configure audit policy - ansible.builtin.include_tasks: add-audit-policy-config.yml +- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}" + ansible.builtin.include_tasks: add_ansible_managed_config.yml + vars: + file_contents: "{{ lookup('file', rke2_audit_policy_config_file_path) }}" + file_destination: "/etc/rancher/rke2/audit-policy.yaml" + file_description: "audit policy configuration" + file_path: "{{ rke2_audit_policy_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'] -- name: Configure psa policy - ansible.builtin.include_tasks: add-pod-security-admission-config.yml +- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}" + ansible.builtin.include_tasks: add_ansible_managed_config.yml + vars: + file_contents: "{{ lookup('file', rke2_pod_security_admission_config_file_path) }}" + file_destination: "/etc/rancher/rke2/pod-security-admission-config.yaml" + file_description: "pod security admission config" + file_path: "{{ rke2_pod_security_admission_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'] - name: Configure first server manifests - ansible.builtin.include_tasks: add-manifest-addons.yml + ansible.builtin.include_tasks: add_manifest_addons.yml vars: src: "{{ rke2_initial_manifest_config_file_path }}" when: diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 2ea88adb..4904fcba 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -6,17 +6,17 @@ - name: Wait for rke2 ansible.builtin.include_tasks: wait_for_rke2.yml -- name: Add generated Token if none provided +- name: Determine generated token block: - name: Wait for node-token ansible.builtin.wait_for: path: /var/lib/rancher/rke2/server/node-token - - name: Read node-token from master + - name: Read node-token from first server ansible.builtin.slurp: src: /var/lib/rancher/rke2/server/node-token register: node_token - - name: Store Master node-token + - name: Store join node-token ansible.builtin.set_fact: rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index ea7f1092..ce04e3bb 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -43,6 +43,9 @@ - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml +- name: Determine cluster state + ansible.builtin.include_tasks: cluster_state.yml + - name: Check for images bundle ansible.builtin.include_tasks: images_bundle.yml when: @@ -71,6 +74,7 @@ - name: RKE2 on first node ansible.builtin.include_tasks: first_server.yml when: + - "rke2_config_token is not defined" - inventory_hostname in groups['rke2_servers'][0] - name: RKE2 on all other nodes @@ -78,6 +82,13 @@ when: - inventory_hostname in groups['rke2_servers'][1:] or inventory_hostname in groups.get('rke2_agents', []) + when: + - "rke2_config_token is not defined" + +- name: Confirm configuration on cluster + when: + - "existing_join_host is defined" + ansible.builtin.include_tasks: other_nodes.yml - name: Configure kubectl,crictl,ctr ansible.builtin.include_tasks: utilities.yml @@ -85,7 +96,7 @@ - inventory_hostname in groups['rke2_servers'] - name: Configure cluster manifests - ansible.builtin.include_tasks: add-manifest-addons.yml + ansible.builtin.include_tasks: add_manifest_addons.yml vars: src: "{{ rke2_cluster_manifest_config_file_path }}" when: diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index ad60ab98..2a82ad9d 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -19,4 +19,23 @@ ansible.builtin.include_tasks: iptables_rules.yml when: - ansible_facts.services["iptables.service"] is defined - - rek2_add_iptables_rules | bool + - rke2_add_iptables_rules | bool + +- name: Add fapolicyd rules + ansible.builtin.copy: + content: "{{ fapolicyd_rules }}" + dest: /etc/fapolicyd/rules.d/80-rke2.rules + mode: '0644' + owner: root + group: fapolicyd + when: + - ansible_facts.services["fapolicyd.service"] is defined + - ansible_facts.services["fapolicyd.service"].state == "running" + vars: + fapolicyd_rules: | + allow perm=any all : dir=/var/lib/rancher/ + allow perm=any all : dir=/opt/cni/ + allow perm=any all : dir=/run/k3s/ + allow perm=any all : dir=/var/lib/kubelet/ + notify: Restart fapolicyd + diff --git a/roles/rke2/tasks/previous_install.yml b/roles/rke2/tasks/previous_install.yml index 44edcbcc..3e264a15 100644 --- a/roles/rke2/tasks/previous_install.yml +++ b/roles/rke2/tasks/previous_install.yml @@ -7,6 +7,7 @@ - ansible_facts.services["rke2-server.service"] is defined - not ansible_facts.services["rke2-server.service"].status == 'disabled' - inventory_hostname in groups['rke2_servers'] + - install_method == "tarball" - name: Set fact if rke2-server is running ansible.builtin.set_fact: @@ -23,6 +24,7 @@ - ansible_facts.services["rke2-agent.service"] is defined - not ansible_facts.services["rke2-agent.service"].status == 'disabled' - inventory_hostname in groups.get('rke2_agents', []) + - install_method == "tarball" - name: Set fact if rke2-agent is running ansible.builtin.set_fact: diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 9b79a414..5edf20af 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -34,4 +34,8 @@ ansible.builtin.dnf: name: "{{ service_name }}-{{ rke2_version_rpm }}" state: latest # noqa package-latest + register: result + retries: 10 + until: result is succeeded + delay: 30 notify: "Restart {{ service_name }}" diff --git a/ansible_header.j2 b/roles/rke2/templates/ansible_managed_yaml.j2 similarity index 77% rename from ansible_header.j2 rename to roles/rke2/templates/ansible_managed_yaml.j2 index 0377d97b..3691a008 100644 --- a/ansible_header.j2 +++ b/roles/rke2/templates/ansible_managed_yaml.j2 @@ -1,3 +1,3 @@ ## This is an Ansible managed file, contents will be overwritten ## -{{ file_contents }} +{{ file_contents }} \ No newline at end of file From cadd44bea448a3269a3ea1f12ebab379dde624d4 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 21 Jun 2024 16:24:26 -0400 Subject: [PATCH 07/36] fixing some linting --- roles/rke2/tasks/cluster_state.yml | 11 +++++------ roles/rke2/tasks/main.yml | 2 -- roles/rke2/tasks/pre_reqs.yml | 1 - 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/roles/rke2/tasks/cluster_state.yml b/roles/rke2/tasks/cluster_state.yml index 4f860e3b..130fe3d2 100644 --- a/roles/rke2/tasks/cluster_state.yml +++ b/roles/rke2/tasks/cluster_state.yml @@ -1,6 +1,9 @@ --- - name: Check for existing cluster + when: + - rke2_running is defined + - rke2_running block: - name: Check for node-token (existing cluster) ansible.builtin.stat: @@ -18,7 +21,8 @@ ansible.builtin.set_fact: rke2_config_token: "{{ rke2_config_token_tmp.content | b64decode | regex_replace('\n', '') }}" when: - - rke2_config_token_tmp.stat.exists + - "rke2_config_token_tmp.content is defined" + - rke2_config_token_tmp.content | length != 0 - name: Set node-token fact on all hosts (existing cluster) ansible.builtin.set_fact: @@ -27,8 +31,6 @@ run_once: true loop: "{{ groups['all'] }}" when: "hostvars[item]['rke2_config_token'] is defined" - vars: - rke2_config_token: "{{ rke2_config_token | default('') }}" - name: Debug found token ansible.builtin.debug: @@ -52,9 +54,6 @@ - hostvars[item]['rke2_kubernetes_api_server_host'] == "" vars: rke2_kubernetes_api_server_host: "{{ existing_join_host | default('') }}" - when: - - rke2_running is defined - - rke2_running - name: No existing cluster found and api server not set ansible.builtin.set_fact: diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index ce04e3bb..407dfb54 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -82,8 +82,6 @@ when: - inventory_hostname in groups['rke2_servers'][1:] or inventory_hostname in groups.get('rke2_agents', []) - when: - - "rke2_config_token is not defined" - name: Confirm configuration on cluster when: diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index 2a82ad9d..93fd03eb 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -38,4 +38,3 @@ allow perm=any all : dir=/run/k3s/ allow perm=any all : dir=/var/lib/kubelet/ notify: Restart fapolicyd - From 0c36930eca4f2e6bddeaaf357850fd400cf22be0 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Mon, 24 Jun 2024 16:25:31 -0400 Subject: [PATCH 08/36] fixing some linting --- roles/rke2/tasks/add_ansible_managed_config.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml index 2da4adc3..09e8e2fc 100644 --- a/roles/rke2/tasks/add_ansible_managed_config.yml +++ b/roles/rke2/tasks/add_ansible_managed_config.yml @@ -1,5 +1,5 @@ --- -- name: "Add {{ file_description }} file" +- name: "Add {{ file_description }} file" # noqa name[template] ansible.builtin.template: src: ansible_managed_yaml.j2 dest: "{{ file_destination }}" @@ -10,16 +10,16 @@ - file_path | default("") | length != 0 notify: "Restart {{ service_name }}" -- name: "Remove {{ file_description }} file" +- name: "Remove {{ file_description }} file" # noqa name[template] when: - file_path | default("") | length == 0 block: - - name: "Check that the {{ file_description }} file exists" + - name: "Check that the {{ file_description }} file exists" # noqa name[template] ansible.builtin.stat: path: "{{ file_destination }}" register: stat_result - - name: "Check that the {{ file_description }} config file has ansible managed comments" + - name: "Check that the {{ file_description }} config file has ansible managed comments" # noqa name[template] ansible.builtin.lineinfile: name: "{{ file_destination }}" line: '## This is an Ansible managed file, contents will be overwritten ##' @@ -28,7 +28,7 @@ register: ansible_managed_check when: stat_result.stat.exists | bool is true - - name: "Remove the {{ file_description }} file if exists and has ansible managed comments" + - name: "Remove the {{ file_description }} file if exists and has ansible managed comments" # noqa name[template] ansible.builtin.file: path: "{{ file_destination }}" state: absent From aa42bf518e204b0714bdffaa7fa2772b92d5504f Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 12 Jul 2024 10:03:37 -0400 Subject: [PATCH 09/36] allowing rpm downgrade and forcing handlers on failure --- ansible.cfg | 1 + roles/rke2/tasks/rpm_install.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 43a4415d..a351711f 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -12,3 +12,4 @@ host_key_checking = False deprecation_warnings = False callback_whitelist = profile_roles, timer display_skipped_hosts = no +force_handlers = True diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 5edf20af..cb5e747d 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -33,7 +33,8 @@ - name: YUM-Based Install ansible.builtin.dnf: name: "{{ service_name }}-{{ rke2_version_rpm }}" - state: latest # noqa package-latest + state: installed + allow_downgrade: true register: result retries: 10 until: result is succeeded From ca258907722821677ac5ef0b3103aed9510241cb Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Tue, 23 Jul 2024 09:19:18 -0400 Subject: [PATCH 10/36] rpm install logic change --- roles/rke2/defaults/main.yml | 5 +- roles/rke2/tasks/calculate_rke2_version.yml | 118 +++++++++++++------- roles/rke2/tasks/rpm_install.yml | 12 +- 3 files changed, 79 insertions(+), 56 deletions(-) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index d853ec3b..b6371180 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -13,10 +13,11 @@ rke2_add_iptables_rules: false rke2_initial_manifest_config_file_path: "" rke2_cluster_manifest_config_file_path: "" rke2_force_tarball_install: false +rke2_install_version: "" rke2_common_yum_repo: name: rancher-rke2-common description: "Rancher RKE2 Common Latest" - baseurl: "https://rpm.rancher.io/rke2/stable/common/centos/$releasever/noarch" + baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/common/centos/$releasever/noarch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes @@ -24,7 +25,7 @@ rke2_common_yum_repo: rke2_versioned_yum_repo: name: "rancher-rke2-v{{ rke2_version_majmin }}" # noqa jinja[spacing] description: "Rancher RKE2 Version" - baseurl: "https://rpm.rancher.io/rke2/stable/{{ rke2_version_majmin }}/centos/$releasever/$basearch" + baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/{{ rke2_version_majmin }}/centos/$releasever/$basearch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index d7f0c883..6670ee65 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -2,7 +2,8 @@ - name: "Determine latest version from internet" when: - - ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 ) + - rke2_install_version | length == 0 + - rke2_versioned_yum_repo.baseurl | search ("rpm.rancher.io") - rke2_local_install_tarball_path == "" - rke2_install_tarball_url == "" block: @@ -23,49 +24,80 @@ - name: Set rke2_full_version fact ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or - (install_rke2_version | length == 0)) else install_rke2_version }}" - -- name: Set dot version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 - register: rke2_version_dot_tmp - changed_when: false - args: - executable: /usr/bin/bash - -- name: Set rke2_version_dot fact - ansible.builtin.set_fact: - rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}" + rke2_full_version: "{{ rke2_full_version.stdout if (rke2_install_version | length == 0) else rke2_install_version }}" -- name: Set Maj.Min version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" - register: rke2_version_majmin_tmp - changed_when: false - args: - executable: /usr/bin/bash +- name: "Set install version for RPM" + when: + - install_method == "rpm" + block: -- name: Set rke2_version_majmin fact - ansible.builtin.set_fact: - rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" + - name: Set dot version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 + register: rke2_version_dot_tmp + changed_when: false + args: + executable: /usr/bin/bash -- name: Set RPM version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" - register: rke2_version_rpm_tmp - changed_when: false - args: - executable: /usr/bin/bash + - name: Set rke2_version_dot fact + ansible.builtin.set_fact: + rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}" -- name: Set rke2_version_rpm fact - ansible.builtin.set_fact: - rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" - -- name: Describe versions - ansible.builtin.debug: - msg: - - "Full version, with revision indication: {{ rke2_full_version }}" - - "Version without revision indication: {{ rke2_version_dot }}" - - "Major and Minor Only: {{ rke2_version_majmin }}" - - "RPM Version (tilde): {{ rke2_version_rpm }}" + - name: Set Maj.Min version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" + register: rke2_version_majmin_tmp + changed_when: false + args: + executable: /usr/bin/bash + + - name: Set rke2_version_majmin fact + ansible.builtin.set_fact: + rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" + + - name: Set RPM version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + register: rke2_version_rpm_tmp + changed_when: false + args: + executable: /usr/bin/bash + + - name: Set rke2_version_rpm fact + ansible.builtin.set_fact: + rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" + + # - name: Describe versions + # ansible.builtin.debug: + # msg: + # - "Full version, with revision indication: {{ rke2_full_version }}" + # - "Version without revision indication: {{ rke2_version_dot }}" + # - "Major and Minor Only: {{ rke2_version_majmin }}" + # - "RPM Version (tilde): {{ rke2_version_rpm }}" + +- name: "Set install version for RPM" + when: + - install_method == "rpm" + block: + + - name: Set RPM version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_install_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + register: rke2_version_rpm_tmp + changed_when: false + args: + executable: /usr/bin/bash + when: + - rke2_install_version | length > 0 + + - name: Set rke2_version_rpm fact + ansible.builtin.set_fact: + rke2_version_rpm_no_dash: "{{ rke2_version_rpm_tmp.stdout }}" + when: + - rke2_version_rpm_tmp is defined + + - name: Prepend 'dash' to version string + ansible.builtin.set_fact: + rke2_version_rpm: "{{ '-' + rke2_version_rpm_no_dash }}" + when: + - rke2_version_rpm_no_dash is defined diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index cb5e747d..82f3a268 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -9,11 +9,6 @@ gpgcheck: "{{ rke2_common_yum_repo.gpgcheck }}" gpgkey: "{{ rke2_common_yum_repo.gpgkey }}" enabled: "{{ rke2_common_yum_repo.enabled }}" - when: - - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == "Rocky" - - ansible_facts['distribution_major_version'] == "7" or - ansible_facts['distribution_major_version'] == "8" or - ansible_facts['distribution_major_version'] == "9" # Add RKE2 versioned repo - name: Add the rke2 versioned repo CentOS/RHEL/Rocky @@ -24,15 +19,10 @@ gpgcheck: "{{ rke2_versioned_yum_repo.gpgcheck }}" gpgkey: "{{ rke2_versioned_yum_repo.gpgkey }}" enabled: "{{ rke2_versioned_yum_repo.enabled }}" - when: - - ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == "Rocky" - - ansible_facts['distribution_major_version'] == "7" or - ansible_facts['distribution_major_version'] == "8" or - ansible_facts['distribution_major_version'] == "9" - name: YUM-Based Install ansible.builtin.dnf: - name: "{{ service_name }}-{{ rke2_version_rpm }}" + name: "{{ service_name }}{{ rke2_version_rpm }}" state: installed allow_downgrade: true register: result From 163cf74f4627cfe709f78320232b8a6f4b6642f1 Mon Sep 17 00:00:00 2001 From: Mike DAmato Date: Tue, 23 Jul 2024 14:29:04 -0400 Subject: [PATCH 11/36] large number of changes 01 --- .gitignore | 8 +- roles/rke2/defaults/main.yml | 12 +- roles/rke2/handlers/main.yml | 4 +- roles/rke2/tasks/add_manifest_addons.yml | 32 ++- roles/rke2/tasks/check_node_ready.yml | 80 ++++++ roles/rke2/tasks/cis_hardening.yml | 5 +- roles/rke2/tasks/config.yml | 265 +----------------- roles/rke2/tasks/configure_rke2.yml | 8 +- roles/rke2/tasks/first_server.yml | 30 +- roles/rke2/tasks/main.yml | 74 +++-- roles/rke2/tasks/other_nodes.yml | 42 +-- roles/rke2/tasks/pre_reqs.yml | 2 +- roles/rke2/tasks/save_generated_token.yml | 44 +++ roles/rke2/tasks/tarball_install.yml | 56 ++-- .../manifest-example.yaml | 0 .../tarball_install}/README.md | 0 16 files changed, 286 insertions(+), 376 deletions(-) create mode 100644 roles/rke2/tasks/check_node_ready.yml create mode 100644 roles/rke2/tasks/save_generated_token.yml rename sample_files/{manifest => manifests}/manifest-example.yaml (100%) rename {tarball_install => sample_files/tarball_install}/README.md (100%) diff --git a/.gitignore b/.gitignore index 782a0c73..0e9ac3cb 100644 --- a/.gitignore +++ b/.gitignore @@ -5,9 +5,5 @@ venv/ test_inventory* -rke2-images.linux-amd64.tar.gz -rke2.linux-amd64.tar.gz - - -tarball_install/* -!tarball_install/README.md \ No newline at end of file +sample_files/tarball_install/* +!sample_files/tarball_install/README.md \ No newline at end of file diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index b6371180..15700aea 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -1,7 +1,7 @@ --- rke2_kubernetes_api_server_host: "" rke2_tarball_install_dir: "/usr/local" -rke2_local_install_tarball_path: "" +rke2_install_local_tarball_path: "" rke2_install_tarball_url: "" rke2_images_urls: [] rke2_images_local_tarball_path: [] @@ -10,8 +10,8 @@ rke2_audit_policy_config_file_path: "" rke2_registry_config_file_path: "" rke2_pod_security_admission_config_file_path: "" rke2_add_iptables_rules: false -rke2_initial_manifest_config_file_path: "" -rke2_cluster_manifest_config_file_path: "" +rke2_manifest_config_directory: "" +rke2_manifest_config_post_run_directory: "" rke2_force_tarball_install: false rke2_install_version: "" rke2_common_yum_repo: @@ -29,5 +29,9 @@ rke2_versioned_yum_repo: gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes - +kubelet_node_name: + - "nodeNameNotFound" rke2_config: {} +metrics_running: false +node_ready: "false" +api_server_running: false \ No newline at end of file diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index 0c0a6258..bfd8f5e6 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -17,16 +17,16 @@ - name: Restart rke2-server ansible.builtin.service: state: restarted + enabled: true name: rke2-server - throttle: 1 when: - not rke2_reboot - name: Restart rke2-agent ansible.builtin.service: state: restarted + enabled: true name: rke2-agent - throttle: 1 when: - not rke2_reboot diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index 0b55cc88..909693c7 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml @@ -1,9 +1,35 @@ --- -- name: Add manifest addons files +- name: look up manifest files on localhost + find: + paths: "{{ source_directory }}" + register: local_files_find_return + delegate_to: localhost + +- name: create array of managed files + ansible.builtin.set_fact: + managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}" + +- name: Add manifest addons files from localhost ansible.builtin.copy: - src: "{{ src }}" - dest: "/var/lib/rancher/rke2/server/manifests/" + src: "{{ source_directory | regex_replace('\\/$', '') }}/" + dest: "{{ destination_directory }}" mode: '0640' owner: root group: root + +- name: look up manifest files on remote + find: + paths: "{{ destination_directory }}" + register: remote_files_find_return + +- name: create array of remote files + ansible.builtin.set_fact: + current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}" + +- name: remove remote files not in managed files list + ansible.builtin.file: + path: "{{ destination_directory }}/{{ item }}" + state: absent + with_items: "{{current_files}}" + when: item not in managed_files diff --git a/roles/rke2/tasks/check_node_ready.yml b/roles/rke2/tasks/check_node_ready.yml new file mode 100644 index 00000000..a69e5831 --- /dev/null +++ b/roles/rke2/tasks/check_node_ready.yml @@ -0,0 +1,80 @@ +- name: Wait for k8s apiserver + ansible.builtin.wait_for: + host: localhost + port: "6443" + state: present + timeout: "{{ check_node_ready_timeout }}" + changed_when: false + register: api_serve_status + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: set fact + ansible.builtin.set_fact: + api_server_running: true + when: + - api_serve_status.state is not undefined + - api_serve_status.state == "present" + +- name: set fact + ansible.builtin.set_fact: + api_server_running: "{{api_server_running}}" + +- name: Get node_metrics + ansible.builtin.uri: + url: https://localhost:10250/metrics + return_content: true + ca_path: /var/lib/rancher/rke2/server/tls/server-ca.crt + client_cert: /var/lib/rancher/rke2/server/tls/client-admin.crt + client_key: /var/lib/rancher/rke2/server/tls/client-admin.key + register: node_metrics + retries: "{{ check_node_ready_retries }}" + delay: "{{ check_node_ready_delay }}" + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: Check that node_metrics collection was successful + ansible.builtin.set_fact: + metrics_running: true + when: + - 200 | string in node_metrics.status | string + +- name: set fact for metrics_running + ansible.builtin.set_fact: + metrics_running: "{{metrics_running}}" + +- name: Extract the kubelet_node_name from node metrics + ansible.builtin.set_fact: + kubelet_node_name: "{{ node_metrics.content | \ + regex_search('kubelet_node_name{node=\"(.*)\"}',\ + '\\1') }}" + when: + - 200 | string in node_metrics.status | string + +- name: Wait for node to show Ready status + ansible.builtin.command: >- + /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml + --server https://127.0.0.1:6443 get no {{ kubelet_node_name[0] }} + -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' + register: status_result + until: status_result.stdout.find("True") != -1 + retries: "{{ check_node_ready_retries }}" + delay: "{{ check_node_ready_delay }}" + changed_when: false + ignore_errors: "{{check_node_ready_ignore_errors}}" + +- name: set fact + ansible.builtin.set_fact: + node_ready: "true" + when: + - status_result.rc is not undefined + - status_result.rc | string == "0" + +- name: set fact + ansible.builtin.set_fact: + node_ready: "{{node_ready}}" + +- name: node status + debug: + msg: | + "node_ready: {{node_ready}}" + "metrics_running: {{metrics_running}}" + "api_server_running: {{api_server_running}}" \ No newline at end of file diff --git a/roles/rke2/tasks/cis_hardening.yml b/roles/rke2/tasks/cis_hardening.yml index ec779eaf..53acff52 100644 --- a/roles/rke2/tasks/cis_hardening.yml +++ b/roles/rke2/tasks/cis_hardening.yml @@ -2,7 +2,10 @@ - name: CIS MODE become: yes - when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$') + when: + - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) block: - name: Create etcd group ansible.builtin.group: diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index cf277334..602652c7 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml @@ -1,258 +1,19 @@ --- -- name: Create the /etc/rancher/rke2 config dir - ansible.builtin.file: - path: /etc/rancher/rke2 - state: directory - mode: "0750" -- name: Does the /etc/rancher/rke2/config.yaml file exist? - ansible.builtin.stat: - path: /etc/rancher/rke2/config.yaml - register: previous_rke2_config - -- name: Read previous_rke2_config - ansible.builtin.slurp: - src: /etc/rancher/rke2/config.yaml - register: full_orig_rke2_config - when: previous_rke2_config.stat.exists - -- name: Decode contents of slurp - ansible.builtin.set_fact: - orig_rke2_config: "{{ full_orig_rke2_config['content'] | b64decode }}" - when: previous_rke2_config.stat.exists - -- name: Create the /etc/rancher/rke2/config.yaml file - ansible.builtin.file: - path: /etc/rancher/rke2/config.yaml - state: touch - mode: "0640" - owner: root - group: root - when: not previous_rke2_config.stat.exists - -# https://github.com/ansible-collections/ansible.utils/issues/135 -- name: Ensure Ansible renders any templated variables in rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ rke2_config | default({}) }}" - -# --node-label value (agent/node) Registering and starting kubelet with set of labels -- name: Get rke2_config node-labels - ansible.builtin.set_fact: - rke2_config_node_labels: "{{ rke2_config['node-label'] | default([]) }}" - -- name: Get host var node-labels - ansible.builtin.set_fact: - host_var_node_labels: "{{ node_labels | default([]) }}" - -- name: Combine rke2_config node labels and hostvar node labels - ansible.builtin.set_fact: - all_node_labels: "{{ rke2_config_node_labels + host_var_node_labels }}" - changed_when: false - -- name: Add node labels to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-label"] - value: "{{ all_node_labels }}" - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - changed_when: false - -# --node-taint value (agent/node) Registering kubelet with set of taints -- name: Get rke2_config node-taints - ansible.builtin.set_fact: - rke2_config_node_taints: "{{ rke2_config['node-taint'] | default([]) }}" - -- name: Get host var node-taints - ansible.builtin.set_fact: - host_var_node_taints: "{{ node_taints | default([]) }}" - -- name: Combine rke2_config node taints and hostvar node taints - ansible.builtin.set_fact: - all_node_taints: "{{ rke2_config_node_taints + host_var_node_taints }}" - changed_when: false - -- name: Add node labels to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-taint"] - value: "{{ all_node_taints }}" - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - changed_when: false - -# --node-ip value, -i value (agent/networking) IPv4/IPv6 addresses to advertise for node -- name: Add node-ip to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-ip"] - value: "{{ node_ip }}" - when: (node_ip is defined) and (node_ip|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (node_ip is defined) and (node_ip|length > 0) - changed_when: false - -# --node-name value (agent/node) Node name [$RKE2_NODE_NAME] -- name: Add node-name to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-name"] - value: "{{ node_name }}" - when: (node_name is defined) and (node_name|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (node_name is defined) and (node_name|length > 0) - changed_when: false - -# --bind-address value (listener) rke2 bind address (default: 0.0.0.0) -- name: Add bind-address to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["bind-address"] - value: "{{ bind_address }}" - when: (bind_address is defined) and (bind_address|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler +# combine host and group vars to form primary rke2_config +- name: combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (bind_address is defined) and (bind_address|length > 0) - changed_when: false - -# --advertise-address value (listener) IPv4 address that apiserver uses -# to advertise to members of the cluster (default: node-external-ip/node-ip) -- name: Add advertise-address to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["advertise-address"] - value: "{{ advertise_address }}" - when: (advertise_address is defined) and (advertise_address|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (advertise_address is defined) and (advertise_address|length > 0) - changed_when: false - -# --node-external-ip value (agent/networking) IPv4/IPv6 external IP addresses to advertise for node -- name: Add node-external-ip to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["node-external-ip"] - value: "{{ node_external_ip }}" - when: (node_external_ip is defined) and (node_external_ip|length > 0) - register: updated_rke2_config - changed_when: false - -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler - ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (node_external_ip is defined) and (node_external_ip|length > 0) - changed_when: false - -# --cloud-provider-name value (agent/node) Cloud provider name -- name: Add cloud-provider-name to rke2_config - ansible.utils.update_fact: - updates: - - path: rke2_config["cloud-provider-name"] - value: "{{ cloud_provider_name }}" - when: (cloud_provider_name is defined) and (cloud_provider_name|length > 0) - register: updated_rke2_config + temp_group_rke2_config: "{{cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Update rke2_config to take value of updated_rke2_config # noqa no-handler +# combine host and group vars to form primary rke2_config +- name: combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{ updated_rke2_config.rke2_config }}" - when: (cloud_provider_name is defined) and (cloud_provider_name|length > 0) + rke2_config: "{{temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Remove tmp config file - ansible.builtin.file: - path: /tmp/ansible-config.txt - state: absent - changed_when: false - -- name: Create tmp config.yaml - ansible.builtin.copy: - content: "{{ rke2_config | to_nice_yaml(indent=0) }}" - dest: /tmp/ansible-config.txt - mode: "0600" - owner: root - group: root - changed_when: false - -- name: Get original token - ansible.builtin.set_fact: - original_token: "{{ orig_rke2_config | regex_search('token: (.+)') }}" - when: previous_rke2_config.stat.exists - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /tmp/ansible-config.txt - line: "{{ original_token }}" - state: present - insertbefore: BOF - when: previous_rke2_config.stat.exists and original_token | length > 0 - changed_when: false - -- name: Get original server - ansible.builtin.set_fact: - original_server: "{{ orig_rke2_config | regex_search('server: https://(.*):9345') }}" - when: previous_rke2_config.stat.exists - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /tmp/ansible-config.txt - line: "{{ original_server }}" - state: present - insertbefore: BOF - when: previous_rke2_config.stat.exists and original_server | length > 0 - changed_when: false - -- name: Stat tmp config - ansible.builtin.stat: - path: /tmp/ansible-config.txt - register: tmp_config - changed_when: false - -- name: Get cksum of tmp config - ansible.builtin.set_fact: - tmp_sha1: "{{ tmp_config.stat.checksum }}" - changed_when: false - -- name: Drop in final /etc/rancher/rke2/config.yaml - ansible.builtin.copy: - src: /tmp/ansible-config.txt - remote_src: yes - dest: /etc/rancher/rke2/config.yaml - mode: "0640" - owner: root - group: root - backup: yes - when: not previous_rke2_config.stat.exists or (tmp_sha1 != previous_rke2_config.stat.checksum) - -- name: Remove tmp config file - ansible.builtin.file: - path: /tmp/ansible-config.txt - state: absent - changed_when: false +# write final config +- name: Create config.yaml + ansible.builtin.blockinfile: + path: /etc/rancher/rke2/config.yaml + block: "{{ rke2_config | to_nice_yaml(indent=0) }}" + create: true + notify: Restart {{service_name}} diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 3b6cf634..a9993651 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -37,10 +37,4 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Configure first server manifests - ansible.builtin.include_tasks: add_manifest_addons.yml - vars: - src: "{{ rke2_initial_manifest_config_file_path }}" - when: - - inventory_hostname in groups['rke2_servers'][0] - - rke2_initial_manifest_config_file_path | length > 0 + diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 4904fcba..080d18e5 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -1,22 +1,18 @@ --- -- name: Generate config.yml on first server - ansible.builtin.include_tasks: config.yml - -- name: Wait for rke2 - ansible.builtin.include_tasks: wait_for_rke2.yml -- name: Determine generated token - block: - - name: Wait for node-token - ansible.builtin.wait_for: - path: /var/lib/rancher/rke2/server/node-token +- name: Include task file config.yml + ansible.builtin.include_tasks: config.yml - - name: Read node-token from first server - ansible.builtin.slurp: - src: /var/lib/rancher/rke2/server/node-token - register: node_token +- name: flush_handlers + ansible.builtin.meta: flush_handlers - - name: Store join node-token - ansible.builtin.set_fact: - rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" +- block: + - name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 300 + check_node_ready_retries: 30 + check_node_ready_delay: 10 + check_node_ready_ignore_errors: false + any_errors_fatal: true \ No newline at end of file diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index 407dfb54..72b3fd1e 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -13,7 +13,7 @@ when: |- ((ansible_facts['os_family'] != 'RedHat' and ansible_facts['os_family'] != 'Rocky') or rke2_install_tarball_url != "" or - rke2_local_install_tarball_path != "" or + rke2_install_local_tarball_path != "" or rke2_force_tarball_install|bool) - name: Set for install method of rpm @@ -21,7 +21,7 @@ install_method: rpm when: - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky' - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" - not rke2_force_tarball_install|bool @@ -43,8 +43,7 @@ - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml -- name: Determine cluster state - ansible.builtin.include_tasks: cluster_state.yml + - name: Check for images bundle ansible.builtin.include_tasks: images_bundle.yml @@ -55,9 +54,29 @@ - name: Determine rke2_version to install ansible.builtin.include_tasks: calculate_rke2_version.yml when: - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" +- name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 2 + check_node_ready_retries: 2 + check_node_ready_delay: 2 + check_node_ready_ignore_errors: true + when: + - inventory_hostname in groups['rke2_servers'] + +- name: Create a list of ready servers + set_fact: + ready_servers: "{{ groups.rke2_servers| + map('extract', hostvars)| + selectattr('node_ready', 'equalto', true)| + map(attribute='inventory_hostname')| + list }}" + delegate_to: localhost + run_once: true + - name: Tarball Install ansible.builtin.include_tasks: tarball_install.yml when: @@ -71,21 +90,41 @@ - name: Set rke2 configuration files ansible.builtin.include_tasks: configure_rke2.yml -- name: RKE2 on first node - ansible.builtin.include_tasks: first_server.yml + + +- name: Include task file add_manifest_addons.yml + ansible.builtin.include_tasks: add_manifest_addons.yml + vars: + source_directory: "{{ rke2_manifest_config_directory }}" + destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_0 when: - - "rke2_config_token is not defined" + - rke2_manifest_config_directory is defined + - rke2_manifest_config_directory | length > 0 - inventory_hostname in groups['rke2_servers'][0] -- name: RKE2 on all other nodes - ansible.builtin.include_tasks: other_nodes.yml +# is the ready_servers array is empty, we assume it's a new cluster and use the first server in groups['rke2_servers'] +- name: Start the first rke2 node + ansible.builtin.include_tasks: first_server.yml + when: + - inventory_hostname in groups['rke2_servers'][0] + - ready_servers | length == 0 + +- name: save_generated_token.yml + ansible.builtin.include_tasks: save_generated_token.yml + vars: + token_source_node: "{{groups['rke2_servers'][0]}}" when: - - inventory_hostname in groups['rke2_servers'][1:] or - inventory_hostname in groups.get('rke2_agents', []) + - ready_servers | length == 0 -- name: Confirm configuration on cluster +# is the ready_servers array is > 0, we assume it's an established cluster and treat all nodes equally (no need for initial server procedure) +- name: save_generated_token.yml + ansible.builtin.include_tasks: save_generated_token.yml + vars: + token_source_node: "{{ready_servers[0]}}" when: - - "existing_join_host is defined" + - ready_servers | length > 0 + +- name: Start all other rke2 nodes ansible.builtin.include_tasks: other_nodes.yml - name: Configure kubectl,crictl,ctr @@ -93,9 +132,12 @@ when: - inventory_hostname in groups['rke2_servers'] -- name: Configure cluster manifests +- name: Include task file add_manifest_addons.yml ansible.builtin.include_tasks: add_manifest_addons.yml vars: - src: "{{ rke2_cluster_manifest_config_file_path }}" + source_directory: "{{rke2_manifest_config_post_run_directory}}" + destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_1 when: + - rke2_manifest_config_post_run_directory is defined + - rke2_manifest_config_post_run_directory | length > 0 - inventory_hostname in groups['rke2_servers'][0] diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 7f7a0234..80825e32 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -1,39 +1,13 @@ --- -- name: Generate config.yml on other nodes - ansible.builtin.include_tasks: config.yml - -- name: Does config file already have server token? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml' - register: server_token_check - failed_when: server_token_check.rc >= 2 - changed_when: false - -- name: Add token to config.yaml - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}" - state: present - insertbefore: BOF +- name: Include task file add-manifest-addons.yml + ansible.builtin.include_tasks: add-manifest-addons.yml when: - - '"token:" not in server_token_check.stdout' - notify: "Restart {{ service_name }}" + - manifest_config_file_path is defined + - manifest_config_file_path | length > 0 -- name: Does config file already have server url? # noqa command-instead-of-shell - ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml' - register: server_url_check - failed_when: server_url_check.rc >= 2 - changed_when: false - -- name: Add server url to config file - ansible.builtin.lineinfile: - dest: /etc/rancher/rke2/config.yaml - line: "server: https://{{ rke2_kubernetes_api_server_host }}:9345" - state: present - insertbefore: BOF - when: - - '"server:" not in server_url_check.stdout' - notify: "Restart {{ service_name }}" +- name: Generate config.yml on other nodes + ansible.builtin.include_tasks: config.yml -- name: Wait for rke2 - ansible.builtin.include_tasks: wait_for_rke2.yml +- name: flush_handlers + ansible.builtin.meta: flush_handlers diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index 93fd03eb..e6aa81b6 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -18,7 +18,7 @@ - name: Add server iptables rules ansible.builtin.include_tasks: iptables_rules.yml when: - - ansible_facts.services["iptables.service"] is defined + # - ansible_facts.services["iptables.service"] is defined - rke2_add_iptables_rules | bool - name: Add fapolicyd rules diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml new file mode 100644 index 00000000..c2742ea5 --- /dev/null +++ b/roles/rke2/tasks/save_generated_token.yml @@ -0,0 +1,44 @@ + + +- name: Wait for node-token + ansible.builtin.wait_for: + path: /var/lib/rancher/rke2/server/node-token + delegate_to: "{{token_source_node}}" + +- name: Read node-token from master + ansible.builtin.slurp: + src: /var/lib/rancher/rke2/server/node-token + register: node_token + delegate_to: "{{token_source_node}}" + +- name: Store Master node-token + ansible.builtin.set_fact: + rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" + delegate_to: "{{token_source_node}}" + +- name: Set temp fact to store token config line + ansible.builtin.set_fact: + temp_token: + token: "{{ rke2_config_token }}" + +- name: Update host_rke2_config fact to contain server line + ansible.builtin.set_fact: + host_rke2_config: "{{temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + +- name: Set temp fact to store server config line with custom join server URL + ansible.builtin.set_fact: + temp_host_rke2_config: + server: "https://{{ rke2_kubernetes_api_server_host }}:9345" + when: + - rke2_kubernetes_api_server_host != "" + +- name: Set temp fact to store server config line with server URL + ansible.builtin.set_fact: + temp_host_rke2_config: + server: "https://{{ token_source_node }}:9345" + when: + - rke2_kubernetes_api_server_host == "" + +- name: Update host_rke2_config fact to contain server line + ansible.builtin.set_fact: + host_rke2_config: "{{temp_host_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index a0da6302..0aa960a2 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -1,16 +1,4 @@ --- -# Based off of https://get.rke2.io 's do_install_tar functon - -# do_install_tar() { -# setup_tmp -# get_release_version -# info "using ${INSTALL_RKE2_VERSION:-commit $INSTALL_RKE2_COMMIT} as release" -# download_checksums -# download_tarball -# verify_tarball -# unpack_tarball -# } - - name: TARBALL | Make temp dir ansible.builtin.tempfile: state: directory @@ -18,45 +6,47 @@ path: "{{ tarball_tmp_dir | default(omit) }}" register: temp_dir -- name: Send provided tarball if available +- name: Set architecture specific variables + ansible.builtin.set_fact: + arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" + +- name: Determine if current version differs from what is being installed + ansible.builtin.set_fact: + rke2_version_changed: true + when: + - rke2_install_local_tarball_path == "" + - rke2_install_tarball_url == "" + - not rke2_installed or rke2_installed_version != rke2_full_version + + + +- name: Send provided tarball from local control machine if available ansible.builtin.copy: - src: "{{ inventory_dir }}/{{ rke2_local_install_tarball_path }}" - dest: "{{ temp_dir.path }}/" + src: "{{ rke2_install_local_tarball_path }}" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: '0644' when: - - rke2_local_install_tarball_path != "" + - rke2_install_local_tarball_path != "" - name: Download Tar from provided URL ansible.builtin.get_url: url: "{{ rke2_install_tarball_url }}" - dest: "{{ temp_dir.path }}/" + dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" when: - rke2_install_tarball_url != "" -- name: Determine if current version differs from what is being installed - ansible.builtin.set_fact: - rke2_version_changed: true - when: - - rke2_local_install_tarball_path == "" - - rke2_install_tarball_url == "" - - not rke2_installed or rke2_installed_version != rke2_full_version - -- name: Set architecture specific variables - ansible.builtin.set_fact: - arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}" - -- name: TARBALL | Download the tarball +- name: Download the tar from github releases ansible.builtin.get_url: url: "https://github.com/rancher/rke2/releases/download/{{ rke2_full_version }}/rke2.linux-{{ arch }}.tar.gz" dest: "{{ temp_dir.path }}/rke2.linux-{{ arch }}.tar.gz" mode: "0644" when: - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" - rke2_version_changed -- name: TARBALL | Install tar binary +- name: Ensure Tar utility installed on system ansible.builtin.package: name: tar state: present @@ -64,7 +54,7 @@ - name: Get version of provided tarball when: - - (rke2_local_install_tarball_path != "" or rke2_install_tarball_url != "") + - (rke2_install_local_tarball_path != "" or rke2_install_tarball_url != "") block: - name: Unarchive tarball into temp location ansible.builtin.unarchive: diff --git a/sample_files/manifest/manifest-example.yaml b/sample_files/manifests/manifest-example.yaml similarity index 100% rename from sample_files/manifest/manifest-example.yaml rename to sample_files/manifests/manifest-example.yaml diff --git a/tarball_install/README.md b/sample_files/tarball_install/README.md similarity index 100% rename from tarball_install/README.md rename to sample_files/tarball_install/README.md From aac6e1ba67725218251b23c3d4fc9431b93cf0a7 Mon Sep 17 00:00:00 2001 From: Mike DAmato Date: Tue, 23 Jul 2024 14:53:23 -0400 Subject: [PATCH 12/36] large number of changes 02 --- roles/rke2/tasks/calculate_rke2_version.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 6670ee65..5eaf09aa 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -4,7 +4,7 @@ when: - rke2_install_version | length == 0 - rke2_versioned_yum_repo.baseurl | search ("rpm.rancher.io") - - rke2_local_install_tarball_path == "" + - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" block: From 892f75f4df33c67b7d67ada0b9c37a59e9dace32 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Thu, 25 Jul 2024 09:19:08 -0400 Subject: [PATCH 13/36] readding throttles --- roles/rke2/handlers/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml index bfd8f5e6..ac0f71cb 100644 --- a/roles/rke2/handlers/main.yml +++ b/roles/rke2/handlers/main.yml @@ -19,6 +19,7 @@ state: restarted enabled: true name: rke2-server + throttle: 1 when: - not rke2_reboot @@ -27,6 +28,7 @@ state: restarted enabled: true name: rke2-agent + throttle: 1 when: - not rke2_reboot From 2c04fa439bfecf7c44cdd7074fcfbb14becc4747 Mon Sep 17 00:00:00 2001 From: Daemonslayer2048 Date: Thu, 25 Jul 2024 09:48:50 -0500 Subject: [PATCH 14/36] Add first molecule scenario --- .gitignore | 1 + roles/rke2/molecule/README.md | 30 ++ roles/rke2/molecule/default/converge.yml | 11 + roles/rke2/molecule/default/create.yml | 333 +++++++++++++++++++ roles/rke2/molecule/default/destroy.yml | 143 ++++++++ roles/rke2/molecule/default/molecule.yml | 61 ++++ roles/rke2/molecule/default/requirements.yml | 5 + roles/rke2/molecule/requirements.txt | 28 ++ 8 files changed, 612 insertions(+) create mode 100644 roles/rke2/molecule/README.md create mode 100644 roles/rke2/molecule/default/converge.yml create mode 100644 roles/rke2/molecule/default/create.yml create mode 100644 roles/rke2/molecule/default/destroy.yml create mode 100644 roles/rke2/molecule/default/molecule.yml create mode 100644 roles/rke2/molecule/default/requirements.yml create mode 100644 roles/rke2/molecule/requirements.txt diff --git a/.gitignore b/.gitignore index 0e9ac3cb..66226d30 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ .cache/ venv/ +.venv/ test_inventory* diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md new file mode 100644 index 00000000..f4c7f605 --- /dev/null +++ b/roles/rke2/molecule/README.md @@ -0,0 +1,30 @@ +# Molecule Scenarios +The molecule test scenarios are based on the cookie cutter ec2 instance and require the molecule plugin here: [molecule-plugin](https://github.com/ansible-community/molecule-plugins), the pip3 `requirements.txt` can be found in this directory while the ansible specfic requirements will be installed automatically when running molecule as a part of the `requirements` stage. +As this is an ec2 based scenario an AWS account is needed, you will need to define the following variables either as environment variables or in your aws cli config file (`~/.aws/config`) + +``` +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +``` + +or +``` +[default] +aws_access_key_id= +aws_secret_access_key= +``` + +It is worth noting that the EC2 driver does not provide a way to login to EC2 instances, this needs to be done manually, your ssh key can be found in `~/.cache/molecule/rke2/default/id_rsa` and the default user is `ansible`, you will be able to login like so: +`ssh ansible@000.000.000.000 -i ~/.cache/molecule/rke2/default/id_rsa` note that the keys location is dependant on the scenario name. + +# Available Scenarios +## default +The default scenario is the simplest possible scenario, with a single Ubuntu 20.04 master node and a single Ubuntu 20.04 worker node. + +# To Do + - Add tests + - Ensure node labels are applied + - Ensure setting CIS profile works as expected + - Add scenrios for all supported platforms + - Rocky + - SLES \ No newline at end of file diff --git a/roles/rke2/molecule/default/converge.yml b/roles/rke2/molecule/default/converge.yml new file mode 100644 index 00000000..1966131f --- /dev/null +++ b/roles/rke2/molecule/default/converge.yml @@ -0,0 +1,11 @@ +--- +- name: Converge + hosts: all + gather_facts: true + pre_tasks: + - name: Set api_server_host + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" + roles: + - role: rke2 + become: true \ No newline at end of file diff --git a/roles/rke2/molecule/default/create.yml b/roles/rke2/molecule/default/create.yml new file mode 100644 index 00000000..c128de68 --- /dev/null +++ b/roles/rke2/molecule/default/create.yml @@ -0,0 +1,333 @@ +--- +- name: Create + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_assign_public_ip: true + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_boot_wait_seconds: 120 + default_instance_type: t2.medium + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" + default_public_key_path: "{{ default_private_key_path }}.pub" + default_ssh_user: ansible + default_ssh_port: 22 + default_user_data: '' + + default_security_group_name: "molecule-{{ run_config.run_id }}" + default_security_group_description: Ephemeral security group for Molecule instances + default_security_group_rules: + - proto: tcp + from_port: "{{ default_ssh_port }}" + to_port: "{{ default_ssh_port }}" + cidr_ip: "0.0.0.0/0" + - proto: icmp + from_port: 8 + to_port: -1 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 9345 + to_port: 9345 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 6443 + to_port: 6443 + cidr_ip: "0.0.0.0/0" + default_security_group_rules_egress: + - proto: -1 + from_port: 0 + to_port: 0 + cidr_ip: "0.0.0.0/0" + + platform_defaults: + assign_public_ip: "{{ default_assign_public_ip }}" + aws_profile: "{{ default_aws_profile }}" + boot_wait_seconds: "{{ default_boot_wait_seconds }}" + instance_type: "{{ default_instance_type }}" + key_inject_method: "{{ default_key_inject_method }}" + key_name: "{{ default_key_name }}" + private_key_path: "{{ default_private_key_path }}" + public_key_path: "{{ default_public_key_path }}" + security_group_name: "{{ default_security_group_name }}" + security_group_description: "{{ default_security_group_description }}" + security_group_rules: "{{ default_security_group_rules }}" + security_group_rules_egress: "{{ default_security_group_rules_egress }}" + ssh_user: "{{ default_ssh_user }}" + ssh_port: "{{ default_ssh_port }}" + cloud_config: {} + image: "" + image_name: "" + image_owner: [self] + name: "" + region: "" + security_groups: [] + tags: {} + volumes: [] + vpc_id: "" + vpc_subnet_id: "" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.assign_public_ip is boolean + - platform.aws_profile is string + - platform.boot_wait_seconds is integer and platform.boot_wait_seconds >= 0 + - platform.cloud_config is mapping + - platform.image is string + - platform.image_name is string + - platform.image_owner is sequence or (platform.image_owner is string and platform.image_owner | length > 0) + - platform.instance_type is string and platform.instance_type | length > 0 + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.private_key_path is string and platform.private_key_path | length > 0 + - platform.public_key_path is string and platform.public_key_path | length > 0 + - platform.region is string + - platform.security_group_name is string and platform.security_group_name | length > 0 + - platform.security_group_description is string and platform.security_group_description | length > 0 + - platform.security_group_rules is sequence + - platform.security_group_rules_egress is sequence + - platform.security_groups is sequence + - platform.ssh_user is string and platform.ssh_user | length > 0 + - platform.ssh_port is integer and platform.ssh_port in range(1, 65536) + - platform.tags is mapping + - platform.volumes is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Write run config to file + ansible.builtin.copy: + dest: "{{ run_config_path }}" + content: "{{ run_config | to_yaml }}" + mode: "0600" + + - name: Generate local key pairs + community.crypto.openssh_keypair: + path: "{{ item.private_key_path }}" + type: rsa + size: 2048 + regenerate: never + backend: cryptography + private_key_format: pkcs1 + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: local_keypairs + + - name: Look up EC2 AMI(s) by owner and name (if image not set) + amazon.aws.ec2_ami_info: + owners: "{{ item.image_owner }}" + filters: "{{ item.image_filters | default({}) | combine(image_name_map) }}" + vars: + image_name_map: "{% if item.image_name is defined and item.image_name | length > 0 %}{{ {'name': item.image_name} }}{% else %}{}{% endif %}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.image + register: ami_info + + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: + - platform.image or (ami_info.results[index].images | length > 0) + - platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Create ephemeral EC2 keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + key_material: "{{ local_keypair.public_key }}" + vars: + local_keypair: "{{ local_keypairs.results[index] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" + register: ec2_keys + + - name: Create ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + profile: "{{ item.aws_profile | default(omit) }}" + iam_instance_profile: "{{ item.iam_instance_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + description: "{{ item.security_group_description }}" + rules: "{{ item.security_group_rules }}" + rules_egress: "{{ item.security_group_rules_egress }}" + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Create ephemeral EC2 instance(s) + amazon.aws.ec2_instance: + name: "{{ item.name }}" + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + filters: "{{ platform_filters }}" + instance_type: "{{ item.instance_type }}" + image_id: "{{ platform_image_id }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + security_groups: "{{ platform_security_groups }}" + network: + assign_public_ip: "{{ item.assign_public_ip }}" + volumes: "{{ item.volumes }}" + key_name: "{{ (item.key_inject_method == 'ec2') | ternary(item.key_name, omit) }}" + tags: "{{ platform_tags }}" + user_data: "{{ platform_user_data }}" + state: "running" + wait: true + vars: + platform_security_groups: "{{ item.security_groups or [item.security_group_name] }}" + platform_generated_image_id: "{{ (ami_info.results[index].images | sort(attribute='creation_date', reverse=True))[0].image_id }}" + platform_image_id: "{{ item.image or platform_generated_image_id }}" + + platform_generated_cloud_config: + users: + - name: "{{ item.ssh_user }}" + ssh_authorized_keys: + - "{{ local_keypairs.results[index].public_key }}" + sudo: "ALL=(ALL) NOPASSWD:ALL" + platform_cloud_config: >- + {{ (item.key_inject_method == 'cloud-init') + | ternary((item.cloud_config | combine(platform_generated_cloud_config)), item.cloud_config) }} + platform_user_data: |- + #cloud-config + {{ platform_cloud_config | to_yaml }} + + platform_generated_tags: + instance: "{{ item.name }}" + molecule-run-id: "{{ run_config.run_id }}" + platform_tags: "{{ (item.tags or {}) | combine(platform_generated_tags) }}" + platform_filter_keys: "{{ platform_generated_tags.keys() | map('regex_replace', '^(.+)$', 'tag:\\1') }}" + platform_filters: "{{ dict(platform_filter_keys | zip(platform_generated_tags.values())) }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Instance boot block + when: ec2_instances_async is changed + block: + - name: Wait for instance creation to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Collect instance configs + ansible.builtin.set_fact: + instance_config: + instance: "{{ item.name }}" + address: "{{ item.assign_public_ip | ternary(instance.public_ip_address, instance.private_ip_address) }}" + user: "{{ item.ssh_user }}" + port: "{{ item.ssh_port }}" + identity_file: "{{ item.private_key_path }}" + instance_ids: + - "{{ instance.instance_id }}" + vars: + instance: "{{ ec2_instances.results[index].instances[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: instance_configs + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: >- + {{ instance_configs.results + | map(attribute='ansible_facts.instance_config') + | list + | to_json + | from_json + | to_yaml }} + mode: "0600" + + - name: Start SSH pollers + ansible.builtin.wait_for: + host: "{{ item.address }}" + port: "{{ item.port }}" + search_regex: SSH + delay: 10 + timeout: 320 + loop: "{{ instance_configs.results | map(attribute='ansible_facts.instance_config') | list }}" + loop_control: + label: "{{ item.instance }}" + register: ssh_wait_async + async: 300 + poll: 0 + + - name: Wait for SSH + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ssh_wait_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ssh_wait + until: ssh_wait is finished + retries: 300 + delay: 1 + + - name: Wait for boot process to finish + ansible.builtin.pause: + seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file diff --git a/roles/rke2/molecule/default/destroy.yml b/roles/rke2/molecule/default/destroy.yml new file mode 100644 index 00000000..54ca53bd --- /dev/null +++ b/roles/rke2/molecule/default/destroy.yml @@ -0,0 +1,143 @@ +--- +- name: Destroy + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_security_group_name: "molecule-{{ run_config.run_id }}" + + platform_defaults: + aws_profile: "{{ default_aws_profile }}" + key_inject_method: "{{ default_key_inject_method }}" + key_name: "{{ default_key_name }}" + region: "" + security_group_name: "{{ default_security_group_name }}" + security_groups: [] + vpc_id: "" + vpc_subnet_id: "" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + + # Stored instance config + instance_config: "{{ (lookup('file', molecule_instance_config, errors='ignore') or '{}') | from_yaml }}" + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.aws_profile is string + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.region is string + - platform.security_group_name is string and platform.security_group_name | length > 0 + - platform.security_groups is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Destroy resources + when: instance_config | length != 0 + block: + - name: Destroy ephemeral EC2 instances + amazon.aws.ec2_instance: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + instance_ids: "{{ instance_config | map(attribute='instance_ids') | flatten }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + state: absent + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Wait for instance destruction to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: "{{ {} | to_yaml }}" + + - name: Destroy ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + state: absent + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Destroy ephemeral keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + state: absent + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" \ No newline at end of file diff --git a/roles/rke2/molecule/default/molecule.yml b/roles/rke2/molecule/default/molecule.yml new file mode 100644 index 00000000..f6834eaa --- /dev/null +++ b/roles/rke2/molecule/default/molecule.yml @@ -0,0 +1,61 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-0862be96e41dcbf74 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + vpc_subnet_id: subnet-095d88c4efe5abf6a + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-0862be96e41dcbf74 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + vpc_subnet_id: subnet-095d88c4efe5abf6a + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: converge.yml + inventory: + hosts: + rke2_cluster: + vars: + rke2_install_version: v1.27.15+rke2r1 + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/default/requirements.yml b/roles/rke2/molecule/default/requirements.yml new file mode 100644 index 00000000..4ece6bc1 --- /dev/null +++ b/roles/rke2/molecule/default/requirements.yml @@ -0,0 +1,5 @@ +--- +collections: + - name: ansible.utils + - name: amazon.aws + - name: community.crypto \ No newline at end of file diff --git a/roles/rke2/molecule/requirements.txt b/roles/rke2/molecule/requirements.txt new file mode 100644 index 00000000..60a88857 --- /dev/null +++ b/roles/rke2/molecule/requirements.txt @@ -0,0 +1,28 @@ +ansible-compat==24.7.0 +ansible-core==2.17.2 +attrs==23.2.0 +bracex==2.4 +cffi==1.16.0 +click==8.1.7 +click-help-colors==0.9.4 +cryptography==42.0.8 +enrich==1.2.7 +Jinja2==3.1.4 +jsonschema==4.23.0 +jsonschema-specifications==2023.12.1 +markdown-it-py==3.0.0 +MarkupSafe==2.1.5 +mdurl==0.1.2 +molecule==24.7.0 +molecule-plugins==23.5.3 +packaging==24.1 +pluggy==1.5.0 +pycparser==2.22 +Pygments==2.18.0 +PyYAML==6.0.1 +referencing==0.35.1 +resolvelib==1.0.1 +rich==13.7.1 +rpds-py==0.19.0 +subprocess-tee==0.4.2 +wcmatch==8.5.2 From 329548d1c090cfd9f5e593df2d9329b637c66d6e Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Thu, 25 Jul 2024 10:14:11 -0500 Subject: [PATCH 15/36] Move VPC subnet to env var --- roles/rke2/molecule/README.md | 2 ++ roles/rke2/molecule/default/create.yml | 2 +- roles/rke2/molecule/default/destroy.yml | 2 +- roles/rke2/molecule/default/molecule.yml | 2 -- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md index f4c7f605..0847c961 100644 --- a/roles/rke2/molecule/README.md +++ b/roles/rke2/molecule/README.md @@ -17,6 +17,8 @@ aws_secret_access_key= It is worth noting that the EC2 driver does not provide a way to login to EC2 instances, this needs to be done manually, your ssh key can be found in `~/.cache/molecule/rke2/default/id_rsa` and the default user is `ansible`, you will be able to login like so: `ssh ansible@000.000.000.000 -i ~/.cache/molecule/rke2/default/id_rsa` note that the keys location is dependant on the scenario name. +The `vpc_subnet_id` key has been removed as a defined variable and is pulled from the environment variable `VPC_SUBNET_ID`. Other than the AWS keys needed this is the only environment variable required. + # Available Scenarios ## default The default scenario is the simplest possible scenario, with a single Ubuntu 20.04 master node and a single Ubuntu 20.04 worker node. diff --git a/roles/rke2/molecule/default/create.yml b/roles/rke2/molecule/default/create.yml index c128de68..50ffe4a9 100644 --- a/roles/rke2/molecule/default/create.yml +++ b/roles/rke2/molecule/default/create.yml @@ -77,7 +77,7 @@ tags: {} volumes: [] vpc_id: "" - vpc_subnet_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" # Merging defaults into a list of dicts is, it turns out, not straightforward platforms: >- diff --git a/roles/rke2/molecule/default/destroy.yml b/roles/rke2/molecule/default/destroy.yml index 54ca53bd..ea993823 100644 --- a/roles/rke2/molecule/default/destroy.yml +++ b/roles/rke2/molecule/default/destroy.yml @@ -28,7 +28,7 @@ security_group_name: "{{ default_security_group_name }}" security_groups: [] vpc_id: "" - vpc_subnet_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" # Merging defaults into a list of dicts is, it turns out, not straightforward platforms: >- diff --git a/roles/rke2/molecule/default/molecule.yml b/roles/rke2/molecule/default/molecule.yml index f6834eaa..73833d34 100644 --- a/roles/rke2/molecule/default/molecule.yml +++ b/roles/rke2/molecule/default/molecule.yml @@ -8,7 +8,6 @@ platforms: instance_type: t2.medium region: us-east-2 assign_public_ip: true - vpc_subnet_id: subnet-095d88c4efe5abf6a tags: deployed-with: "molecule" molecule-scenario: "default" @@ -19,7 +18,6 @@ platforms: instance_type: t2.medium region: us-east-2 assign_public_ip: true - vpc_subnet_id: subnet-095d88c4efe5abf6a tags: deployed-with: "molecule" molecule-scenario: "default" From c65fa36715ac96032690ef826fee4425a2987dac Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Thu, 25 Jul 2024 12:20:28 -0500 Subject: [PATCH 16/36] Convert default scenario to a template and ubuntu-2404 --- roles/rke2/molecule/README.md | 8 +- .../{default => template}/converge.yml | 0 .../molecule/{default => template}/create.yml | 0 .../{default => template}/destroy.yml | 0 .../{default => template}/requirements.yml | 0 roles/rke2/molecule/ubuntu-2404/converge.yml | 11 + roles/rke2/molecule/ubuntu-2404/create.yml | 333 ++++++++++++++++++ roles/rke2/molecule/ubuntu-2404/destroy.yml | 143 ++++++++ .../{default => ubuntu-2404}/molecule.yml | 5 +- .../molecule/ubuntu-2404/requirements.yml | 5 + 10 files changed, 502 insertions(+), 3 deletions(-) rename roles/rke2/molecule/{default => template}/converge.yml (100%) rename roles/rke2/molecule/{default => template}/create.yml (100%) rename roles/rke2/molecule/{default => template}/destroy.yml (100%) rename roles/rke2/molecule/{default => template}/requirements.yml (100%) create mode 100644 roles/rke2/molecule/ubuntu-2404/converge.yml create mode 100644 roles/rke2/molecule/ubuntu-2404/create.yml create mode 100644 roles/rke2/molecule/ubuntu-2404/destroy.yml rename roles/rke2/molecule/{default => ubuntu-2404}/molecule.yml (89%) create mode 100644 roles/rke2/molecule/ubuntu-2404/requirements.yml diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md index 0847c961..0f5a9743 100644 --- a/roles/rke2/molecule/README.md +++ b/roles/rke2/molecule/README.md @@ -20,8 +20,12 @@ It is worth noting that the EC2 driver does not provide a way to login to EC2 in The `vpc_subnet_id` key has been removed as a defined variable and is pulled from the environment variable `VPC_SUBNET_ID`. Other than the AWS keys needed this is the only environment variable required. # Available Scenarios -## default -The default scenario is the simplest possible scenario, with a single Ubuntu 20.04 master node and a single Ubuntu 20.04 worker node. +## template +As the name would imply this is a template scenario, no one is supposed to run this and it will not ever work. The purpose is to prevent other scenarios from having to rewrite or copy from one another, this also allows changes to be shared across all scenarios that are descendants of the template. + +## ubuntu-2404 +The ubuntu-2404 scenario is the simplest possible scenario, with a single Ubuntu 24.04 master node and a single Ubuntu 20.04 worker node. + # To Do - Add tests diff --git a/roles/rke2/molecule/default/converge.yml b/roles/rke2/molecule/template/converge.yml similarity index 100% rename from roles/rke2/molecule/default/converge.yml rename to roles/rke2/molecule/template/converge.yml diff --git a/roles/rke2/molecule/default/create.yml b/roles/rke2/molecule/template/create.yml similarity index 100% rename from roles/rke2/molecule/default/create.yml rename to roles/rke2/molecule/template/create.yml diff --git a/roles/rke2/molecule/default/destroy.yml b/roles/rke2/molecule/template/destroy.yml similarity index 100% rename from roles/rke2/molecule/default/destroy.yml rename to roles/rke2/molecule/template/destroy.yml diff --git a/roles/rke2/molecule/default/requirements.yml b/roles/rke2/molecule/template/requirements.yml similarity index 100% rename from roles/rke2/molecule/default/requirements.yml rename to roles/rke2/molecule/template/requirements.yml diff --git a/roles/rke2/molecule/ubuntu-2404/converge.yml b/roles/rke2/molecule/ubuntu-2404/converge.yml new file mode 100644 index 00000000..1966131f --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/converge.yml @@ -0,0 +1,11 @@ +--- +- name: Converge + hosts: all + gather_facts: true + pre_tasks: + - name: Set api_server_host + ansible.builtin.set_fact: + rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" + roles: + - role: rke2 + become: true \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/create.yml b/roles/rke2/molecule/ubuntu-2404/create.yml new file mode 100644 index 00000000..50ffe4a9 --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/create.yml @@ -0,0 +1,333 @@ +--- +- name: Create + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_assign_public_ip: true + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_boot_wait_seconds: 120 + default_instance_type: t2.medium + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" + default_public_key_path: "{{ default_private_key_path }}.pub" + default_ssh_user: ansible + default_ssh_port: 22 + default_user_data: '' + + default_security_group_name: "molecule-{{ run_config.run_id }}" + default_security_group_description: Ephemeral security group for Molecule instances + default_security_group_rules: + - proto: tcp + from_port: "{{ default_ssh_port }}" + to_port: "{{ default_ssh_port }}" + cidr_ip: "0.0.0.0/0" + - proto: icmp + from_port: 8 + to_port: -1 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 9345 + to_port: 9345 + cidr_ip: "0.0.0.0/0" + - proto: tcp + from_port: 6443 + to_port: 6443 + cidr_ip: "0.0.0.0/0" + default_security_group_rules_egress: + - proto: -1 + from_port: 0 + to_port: 0 + cidr_ip: "0.0.0.0/0" + + platform_defaults: + assign_public_ip: "{{ default_assign_public_ip }}" + aws_profile: "{{ default_aws_profile }}" + boot_wait_seconds: "{{ default_boot_wait_seconds }}" + instance_type: "{{ default_instance_type }}" + key_inject_method: "{{ default_key_inject_method }}" + key_name: "{{ default_key_name }}" + private_key_path: "{{ default_private_key_path }}" + public_key_path: "{{ default_public_key_path }}" + security_group_name: "{{ default_security_group_name }}" + security_group_description: "{{ default_security_group_description }}" + security_group_rules: "{{ default_security_group_rules }}" + security_group_rules_egress: "{{ default_security_group_rules_egress }}" + ssh_user: "{{ default_ssh_user }}" + ssh_port: "{{ default_ssh_port }}" + cloud_config: {} + image: "" + image_name: "" + image_owner: [self] + name: "" + region: "" + security_groups: [] + tags: {} + volumes: [] + vpc_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.assign_public_ip is boolean + - platform.aws_profile is string + - platform.boot_wait_seconds is integer and platform.boot_wait_seconds >= 0 + - platform.cloud_config is mapping + - platform.image is string + - platform.image_name is string + - platform.image_owner is sequence or (platform.image_owner is string and platform.image_owner | length > 0) + - platform.instance_type is string and platform.instance_type | length > 0 + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.private_key_path is string and platform.private_key_path | length > 0 + - platform.public_key_path is string and platform.public_key_path | length > 0 + - platform.region is string + - platform.security_group_name is string and platform.security_group_name | length > 0 + - platform.security_group_description is string and platform.security_group_description | length > 0 + - platform.security_group_rules is sequence + - platform.security_group_rules_egress is sequence + - platform.security_groups is sequence + - platform.ssh_user is string and platform.ssh_user | length > 0 + - platform.ssh_port is integer and platform.ssh_port in range(1, 65536) + - platform.tags is mapping + - platform.volumes is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Write run config to file + ansible.builtin.copy: + dest: "{{ run_config_path }}" + content: "{{ run_config | to_yaml }}" + mode: "0600" + + - name: Generate local key pairs + community.crypto.openssh_keypair: + path: "{{ item.private_key_path }}" + type: rsa + size: 2048 + regenerate: never + backend: cryptography + private_key_format: pkcs1 + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: local_keypairs + + - name: Look up EC2 AMI(s) by owner and name (if image not set) + amazon.aws.ec2_ami_info: + owners: "{{ item.image_owner }}" + filters: "{{ item.image_filters | default({}) | combine(image_name_map) }}" + vars: + image_name_map: "{% if item.image_name is defined and item.image_name | length > 0 %}{{ {'name': item.image_name} }}{% else %}{}{% endif %}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.image + register: ami_info + + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: + - platform.image or (ami_info.results[index].images | length > 0) + - platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Create ephemeral EC2 keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + key_material: "{{ local_keypair.public_key }}" + vars: + local_keypair: "{{ local_keypairs.results[index] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" + register: ec2_keys + + - name: Create ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + profile: "{{ item.aws_profile | default(omit) }}" + iam_instance_profile: "{{ item.iam_instance_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + description: "{{ item.security_group_description }}" + rules: "{{ item.security_group_rules }}" + rules_egress: "{{ item.security_group_rules_egress }}" + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Create ephemeral EC2 instance(s) + amazon.aws.ec2_instance: + name: "{{ item.name }}" + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + filters: "{{ platform_filters }}" + instance_type: "{{ item.instance_type }}" + image_id: "{{ platform_image_id }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + security_groups: "{{ platform_security_groups }}" + network: + assign_public_ip: "{{ item.assign_public_ip }}" + volumes: "{{ item.volumes }}" + key_name: "{{ (item.key_inject_method == 'ec2') | ternary(item.key_name, omit) }}" + tags: "{{ platform_tags }}" + user_data: "{{ platform_user_data }}" + state: "running" + wait: true + vars: + platform_security_groups: "{{ item.security_groups or [item.security_group_name] }}" + platform_generated_image_id: "{{ (ami_info.results[index].images | sort(attribute='creation_date', reverse=True))[0].image_id }}" + platform_image_id: "{{ item.image or platform_generated_image_id }}" + + platform_generated_cloud_config: + users: + - name: "{{ item.ssh_user }}" + ssh_authorized_keys: + - "{{ local_keypairs.results[index].public_key }}" + sudo: "ALL=(ALL) NOPASSWD:ALL" + platform_cloud_config: >- + {{ (item.key_inject_method == 'cloud-init') + | ternary((item.cloud_config | combine(platform_generated_cloud_config)), item.cloud_config) }} + platform_user_data: |- + #cloud-config + {{ platform_cloud_config | to_yaml }} + + platform_generated_tags: + instance: "{{ item.name }}" + molecule-run-id: "{{ run_config.run_id }}" + platform_tags: "{{ (item.tags or {}) | combine(platform_generated_tags) }}" + platform_filter_keys: "{{ platform_generated_tags.keys() | map('regex_replace', '^(.+)$', 'tag:\\1') }}" + platform_filters: "{{ dict(platform_filter_keys | zip(platform_generated_tags.values())) }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Instance boot block + when: ec2_instances_async is changed + block: + - name: Wait for instance creation to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Collect instance configs + ansible.builtin.set_fact: + instance_config: + instance: "{{ item.name }}" + address: "{{ item.assign_public_ip | ternary(instance.public_ip_address, instance.private_ip_address) }}" + user: "{{ item.ssh_user }}" + port: "{{ item.ssh_port }}" + identity_file: "{{ item.private_key_path }}" + instance_ids: + - "{{ instance.instance_id }}" + vars: + instance: "{{ ec2_instances.results[index].instances[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + register: instance_configs + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: >- + {{ instance_configs.results + | map(attribute='ansible_facts.instance_config') + | list + | to_json + | from_json + | to_yaml }} + mode: "0600" + + - name: Start SSH pollers + ansible.builtin.wait_for: + host: "{{ item.address }}" + port: "{{ item.port }}" + search_regex: SSH + delay: 10 + timeout: 320 + loop: "{{ instance_configs.results | map(attribute='ansible_facts.instance_config') | list }}" + loop_control: + label: "{{ item.instance }}" + register: ssh_wait_async + async: 300 + poll: 0 + + - name: Wait for SSH + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ssh_wait_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ssh_wait + until: ssh_wait is finished + retries: 300 + delay: 1 + + - name: Wait for boot process to finish + ansible.builtin.pause: + seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/destroy.yml b/roles/rke2/molecule/ubuntu-2404/destroy.yml new file mode 100644 index 00000000..ea993823 --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/destroy.yml @@ -0,0 +1,143 @@ +--- +- name: Destroy + hosts: localhost + connection: local + gather_facts: false + no_log: "{{ molecule_no_log }}" + vars: + # Run config handling + default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" + default_run_config: + run_id: "{{ default_run_id }}" + + run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" + run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" + run_config: '{{ default_run_config | combine(run_config_from_file) }}' + + # Platform settings handling + default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_name: "molecule-{{ run_config.run_id }}" + default_security_group_name: "molecule-{{ run_config.run_id }}" + + platform_defaults: + aws_profile: "{{ default_aws_profile }}" + key_inject_method: "{{ default_key_inject_method }}" + key_name: "{{ default_key_name }}" + region: "" + security_group_name: "{{ default_security_group_name }}" + security_groups: [] + vpc_id: "" + vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" + + # Merging defaults into a list of dicts is, it turns out, not straightforward + platforms: >- + {{ [platform_defaults | dict2items] + | product(molecule_yml.platforms | map('dict2items') | list) + | map('flatten', levels=1) + | list + | map('items2dict') + | list }} + + # Stored instance config + instance_config: "{{ (lookup('file', molecule_instance_config, errors='ignore') or '{}') | from_yaml }}" + pre_tasks: + - name: Validate platform configurations + ansible.builtin.assert: + that: + - platforms | length > 0 + - platform.name is string and platform.name | length > 0 + - platform.aws_profile is string + - platform.key_inject_method is in ["cloud-init", "ec2"] + - platform.key_name is string and platform.key_name | length > 0 + - platform.region is string + - platform.security_group_name is string and platform.security_group_name | length > 0 + - platform.security_groups is sequence + - platform.vpc_id is string + - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 + quiet: true + loop: '{{ platforms }}' + loop_control: + loop_var: platform + label: "{{ platform.name }}" + tasks: + - name: Look up subnets to determine VPCs (if needed) + amazon.aws.ec2_vpc_subnet_info: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + subnet_ids: "{{ item.vpc_subnet_id }}" + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + when: not item.vpc_id + register: subnet_info + + - name: Validate discovered information + ansible.builtin.assert: + that: platform.vpc_id or (subnet_info.results[index].subnets | length > 0) + quiet: true + loop: "{{ platforms }}" + loop_control: + loop_var: platform + index_var: index + label: "{{ platform.name }}" + + - name: Destroy resources + when: instance_config | length != 0 + block: + - name: Destroy ephemeral EC2 instances + amazon.aws.ec2_instance: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + instance_ids: "{{ instance_config | map(attribute='instance_ids') | flatten }}" + vpc_subnet_id: "{{ item.vpc_subnet_id }}" + state: absent + loop: "{{ platforms }}" + loop_control: + label: "{{ item.name }}" + register: ec2_instances_async + async: 7200 + poll: 0 + + - name: Wait for instance destruction to complete + ansible.builtin.async_status: + jid: "{{ item.ansible_job_id }}" + loop: "{{ ec2_instances_async.results }}" + loop_control: + index_var: index + label: "{{ platforms[index].name }}" + register: ec2_instances + until: ec2_instances is finished + retries: 300 + + - name: Write Molecule instance configs + ansible.builtin.copy: + dest: "{{ molecule_instance_config }}" + content: "{{ {} | to_yaml }}" + + - name: Destroy ephemeral security groups (if needed) + amazon.aws.ec2_security_group: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" + name: "{{ item.security_group_name }}" + state: absent + vars: + vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.security_groups | length == 0 + + - name: Destroy ephemeral keys (if needed) + amazon.aws.ec2_key: + profile: "{{ item.aws_profile | default(omit) }}" + region: "{{ item.region | default(omit) }}" + name: "{{ item.key_name }}" + state: absent + loop: "{{ platforms }}" + loop_control: + index_var: index + label: "{{ item.name }}" + when: item.key_inject_method == "ec2" \ No newline at end of file diff --git a/roles/rke2/molecule/default/molecule.yml b/roles/rke2/molecule/ubuntu-2404/molecule.yml similarity index 89% rename from roles/rke2/molecule/default/molecule.yml rename to roles/rke2/molecule/ubuntu-2404/molecule.yml index 73833d34..9c34b870 100644 --- a/roles/rke2/molecule/default/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2404/molecule.yml @@ -27,7 +27,10 @@ platforms: provisioner: name: ansible playbooks: - converge: converge.yml + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml inventory: hosts: rke2_cluster: diff --git a/roles/rke2/molecule/ubuntu-2404/requirements.yml b/roles/rke2/molecule/ubuntu-2404/requirements.yml new file mode 100644 index 00000000..4ece6bc1 --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2404/requirements.yml @@ -0,0 +1,5 @@ +--- +collections: + - name: ansible.utils + - name: amazon.aws + - name: community.crypto \ No newline at end of file From 2dc929fd3e028af4a67c2b5c29b4309de37b17c1 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Thu, 25 Jul 2024 12:43:27 -0500 Subject: [PATCH 17/36] Remove unused scenario files --- roles/rke2/molecule/ubuntu-2404/converge.yml | 11 - roles/rke2/molecule/ubuntu-2404/create.yml | 333 ------------------ roles/rke2/molecule/ubuntu-2404/destroy.yml | 143 -------- .../molecule/ubuntu-2404/requirements.yml | 5 - 4 files changed, 492 deletions(-) delete mode 100644 roles/rke2/molecule/ubuntu-2404/converge.yml delete mode 100644 roles/rke2/molecule/ubuntu-2404/create.yml delete mode 100644 roles/rke2/molecule/ubuntu-2404/destroy.yml delete mode 100644 roles/rke2/molecule/ubuntu-2404/requirements.yml diff --git a/roles/rke2/molecule/ubuntu-2404/converge.yml b/roles/rke2/molecule/ubuntu-2404/converge.yml deleted file mode 100644 index 1966131f..00000000 --- a/roles/rke2/molecule/ubuntu-2404/converge.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Converge - hosts: all - gather_facts: true - pre_tasks: - - name: Set api_server_host - ansible.builtin.set_fact: - rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" - roles: - - role: rke2 - become: true \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/create.yml b/roles/rke2/molecule/ubuntu-2404/create.yml deleted file mode 100644 index 50ffe4a9..00000000 --- a/roles/rke2/molecule/ubuntu-2404/create.yml +++ /dev/null @@ -1,333 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ molecule_no_log }}" - vars: - # Run config handling - default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" - default_run_config: - run_id: "{{ default_run_id }}" - - run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" - run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" - run_config: '{{ default_run_config | combine(run_config_from_file) }}' - - # Platform settings handling - default_assign_public_ip: true - default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" - default_boot_wait_seconds: 120 - default_instance_type: t2.medium - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] - default_key_name: "molecule-{{ run_config.run_id }}" - default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" - default_public_key_path: "{{ default_private_key_path }}.pub" - default_ssh_user: ansible - default_ssh_port: 22 - default_user_data: '' - - default_security_group_name: "molecule-{{ run_config.run_id }}" - default_security_group_description: Ephemeral security group for Molecule instances - default_security_group_rules: - - proto: tcp - from_port: "{{ default_ssh_port }}" - to_port: "{{ default_ssh_port }}" - cidr_ip: "0.0.0.0/0" - - proto: icmp - from_port: 8 - to_port: -1 - cidr_ip: "0.0.0.0/0" - - proto: tcp - from_port: 9345 - to_port: 9345 - cidr_ip: "0.0.0.0/0" - - proto: tcp - from_port: 6443 - to_port: 6443 - cidr_ip: "0.0.0.0/0" - default_security_group_rules_egress: - - proto: -1 - from_port: 0 - to_port: 0 - cidr_ip: "0.0.0.0/0" - - platform_defaults: - assign_public_ip: "{{ default_assign_public_ip }}" - aws_profile: "{{ default_aws_profile }}" - boot_wait_seconds: "{{ default_boot_wait_seconds }}" - instance_type: "{{ default_instance_type }}" - key_inject_method: "{{ default_key_inject_method }}" - key_name: "{{ default_key_name }}" - private_key_path: "{{ default_private_key_path }}" - public_key_path: "{{ default_public_key_path }}" - security_group_name: "{{ default_security_group_name }}" - security_group_description: "{{ default_security_group_description }}" - security_group_rules: "{{ default_security_group_rules }}" - security_group_rules_egress: "{{ default_security_group_rules_egress }}" - ssh_user: "{{ default_ssh_user }}" - ssh_port: "{{ default_ssh_port }}" - cloud_config: {} - image: "" - image_name: "" - image_owner: [self] - name: "" - region: "" - security_groups: [] - tags: {} - volumes: [] - vpc_id: "" - vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" - - # Merging defaults into a list of dicts is, it turns out, not straightforward - platforms: >- - {{ [platform_defaults | dict2items] - | product(molecule_yml.platforms | map('dict2items') | list) - | map('flatten', levels=1) - | list - | map('items2dict') - | list }} - pre_tasks: - - name: Validate platform configurations - ansible.builtin.assert: - that: - - platforms | length > 0 - - platform.name is string and platform.name | length > 0 - - platform.assign_public_ip is boolean - - platform.aws_profile is string - - platform.boot_wait_seconds is integer and platform.boot_wait_seconds >= 0 - - platform.cloud_config is mapping - - platform.image is string - - platform.image_name is string - - platform.image_owner is sequence or (platform.image_owner is string and platform.image_owner | length > 0) - - platform.instance_type is string and platform.instance_type | length > 0 - - platform.key_inject_method is in ["cloud-init", "ec2"] - - platform.key_name is string and platform.key_name | length > 0 - - platform.private_key_path is string and platform.private_key_path | length > 0 - - platform.public_key_path is string and platform.public_key_path | length > 0 - - platform.region is string - - platform.security_group_name is string and platform.security_group_name | length > 0 - - platform.security_group_description is string and platform.security_group_description | length > 0 - - platform.security_group_rules is sequence - - platform.security_group_rules_egress is sequence - - platform.security_groups is sequence - - platform.ssh_user is string and platform.ssh_user | length > 0 - - platform.ssh_port is integer and platform.ssh_port in range(1, 65536) - - platform.tags is mapping - - platform.volumes is sequence - - platform.vpc_id is string - - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 - quiet: true - loop: '{{ platforms }}' - loop_control: - loop_var: platform - label: "{{ platform.name }}" - tasks: - - name: Write run config to file - ansible.builtin.copy: - dest: "{{ run_config_path }}" - content: "{{ run_config | to_yaml }}" - mode: "0600" - - - name: Generate local key pairs - community.crypto.openssh_keypair: - path: "{{ item.private_key_path }}" - type: rsa - size: 2048 - regenerate: never - backend: cryptography - private_key_format: pkcs1 - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - register: local_keypairs - - - name: Look up EC2 AMI(s) by owner and name (if image not set) - amazon.aws.ec2_ami_info: - owners: "{{ item.image_owner }}" - filters: "{{ item.image_filters | default({}) | combine(image_name_map) }}" - vars: - image_name_map: "{% if item.image_name is defined and item.image_name | length > 0 %}{{ {'name': item.image_name} }}{% else %}{}{% endif %}" - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - when: not item.image - register: ami_info - - - name: Look up subnets to determine VPCs (if needed) - amazon.aws.ec2_vpc_subnet_info: - subnet_ids: "{{ item.vpc_subnet_id }}" - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - when: not item.vpc_id - register: subnet_info - - - name: Validate discovered information - ansible.builtin.assert: - that: - - platform.image or (ami_info.results[index].images | length > 0) - - platform.vpc_id or (subnet_info.results[index].subnets | length > 0) - quiet: true - loop: "{{ platforms }}" - loop_control: - loop_var: platform - index_var: index - label: "{{ platform.name }}" - - - name: Create ephemeral EC2 keys (if needed) - amazon.aws.ec2_key: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - name: "{{ item.key_name }}" - key_material: "{{ local_keypair.public_key }}" - vars: - local_keypair: "{{ local_keypairs.results[index] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.key_inject_method == "ec2" - register: ec2_keys - - - name: Create ephemeral security groups (if needed) - amazon.aws.ec2_security_group: - profile: "{{ item.aws_profile | default(omit) }}" - iam_instance_profile: "{{ item.iam_instance_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" - name: "{{ item.security_group_name }}" - description: "{{ item.security_group_description }}" - rules: "{{ item.security_group_rules }}" - rules_egress: "{{ item.security_group_rules_egress }}" - vars: - vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.security_groups | length == 0 - - - name: Create ephemeral EC2 instance(s) - amazon.aws.ec2_instance: - name: "{{ item.name }}" - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - filters: "{{ platform_filters }}" - instance_type: "{{ item.instance_type }}" - image_id: "{{ platform_image_id }}" - vpc_subnet_id: "{{ item.vpc_subnet_id }}" - security_groups: "{{ platform_security_groups }}" - network: - assign_public_ip: "{{ item.assign_public_ip }}" - volumes: "{{ item.volumes }}" - key_name: "{{ (item.key_inject_method == 'ec2') | ternary(item.key_name, omit) }}" - tags: "{{ platform_tags }}" - user_data: "{{ platform_user_data }}" - state: "running" - wait: true - vars: - platform_security_groups: "{{ item.security_groups or [item.security_group_name] }}" - platform_generated_image_id: "{{ (ami_info.results[index].images | sort(attribute='creation_date', reverse=True))[0].image_id }}" - platform_image_id: "{{ item.image or platform_generated_image_id }}" - - platform_generated_cloud_config: - users: - - name: "{{ item.ssh_user }}" - ssh_authorized_keys: - - "{{ local_keypairs.results[index].public_key }}" - sudo: "ALL=(ALL) NOPASSWD:ALL" - platform_cloud_config: >- - {{ (item.key_inject_method == 'cloud-init') - | ternary((item.cloud_config | combine(platform_generated_cloud_config)), item.cloud_config) }} - platform_user_data: |- - #cloud-config - {{ platform_cloud_config | to_yaml }} - - platform_generated_tags: - instance: "{{ item.name }}" - molecule-run-id: "{{ run_config.run_id }}" - platform_tags: "{{ (item.tags or {}) | combine(platform_generated_tags) }}" - platform_filter_keys: "{{ platform_generated_tags.keys() | map('regex_replace', '^(.+)$', 'tag:\\1') }}" - platform_filters: "{{ dict(platform_filter_keys | zip(platform_generated_tags.values())) }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - register: ec2_instances_async - async: 7200 - poll: 0 - - - name: Instance boot block - when: ec2_instances_async is changed - block: - - name: Wait for instance creation to complete - ansible.builtin.async_status: - jid: "{{ item.ansible_job_id }}" - loop: "{{ ec2_instances_async.results }}" - loop_control: - index_var: index - label: "{{ platforms[index].name }}" - register: ec2_instances - until: ec2_instances is finished - retries: 300 - - - name: Collect instance configs - ansible.builtin.set_fact: - instance_config: - instance: "{{ item.name }}" - address: "{{ item.assign_public_ip | ternary(instance.public_ip_address, instance.private_ip_address) }}" - user: "{{ item.ssh_user }}" - port: "{{ item.ssh_port }}" - identity_file: "{{ item.private_key_path }}" - instance_ids: - - "{{ instance.instance_id }}" - vars: - instance: "{{ ec2_instances.results[index].instances[0] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - register: instance_configs - - - name: Write Molecule instance configs - ansible.builtin.copy: - dest: "{{ molecule_instance_config }}" - content: >- - {{ instance_configs.results - | map(attribute='ansible_facts.instance_config') - | list - | to_json - | from_json - | to_yaml }} - mode: "0600" - - - name: Start SSH pollers - ansible.builtin.wait_for: - host: "{{ item.address }}" - port: "{{ item.port }}" - search_regex: SSH - delay: 10 - timeout: 320 - loop: "{{ instance_configs.results | map(attribute='ansible_facts.instance_config') | list }}" - loop_control: - label: "{{ item.instance }}" - register: ssh_wait_async - async: 300 - poll: 0 - - - name: Wait for SSH - ansible.builtin.async_status: - jid: "{{ item.ansible_job_id }}" - loop: "{{ ssh_wait_async.results }}" - loop_control: - index_var: index - label: "{{ platforms[index].name }}" - register: ssh_wait - until: ssh_wait is finished - retries: 300 - delay: 1 - - - name: Wait for boot process to finish - ansible.builtin.pause: - seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/destroy.yml b/roles/rke2/molecule/ubuntu-2404/destroy.yml deleted file mode 100644 index ea993823..00000000 --- a/roles/rke2/molecule/ubuntu-2404/destroy.yml +++ /dev/null @@ -1,143 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: false - no_log: "{{ molecule_no_log }}" - vars: - # Run config handling - default_run_id: "{{ lookup('password', '/dev/null chars=ascii_lowercase length=5') }}" - default_run_config: - run_id: "{{ default_run_id }}" - - run_config_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/run-config.yml" - run_config_from_file: "{{ (lookup('file', run_config_path, errors='ignore') or '{}') | from_yaml }}" - run_config: '{{ default_run_config | combine(run_config_from_file) }}' - - # Platform settings handling - default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] - default_key_name: "molecule-{{ run_config.run_id }}" - default_security_group_name: "molecule-{{ run_config.run_id }}" - - platform_defaults: - aws_profile: "{{ default_aws_profile }}" - key_inject_method: "{{ default_key_inject_method }}" - key_name: "{{ default_key_name }}" - region: "" - security_group_name: "{{ default_security_group_name }}" - security_groups: [] - vpc_id: "" - vpc_subnet_id: "{{ lookup('env', 'VPC_SUBNET_ID') }}" - - # Merging defaults into a list of dicts is, it turns out, not straightforward - platforms: >- - {{ [platform_defaults | dict2items] - | product(molecule_yml.platforms | map('dict2items') | list) - | map('flatten', levels=1) - | list - | map('items2dict') - | list }} - - # Stored instance config - instance_config: "{{ (lookup('file', molecule_instance_config, errors='ignore') or '{}') | from_yaml }}" - pre_tasks: - - name: Validate platform configurations - ansible.builtin.assert: - that: - - platforms | length > 0 - - platform.name is string and platform.name | length > 0 - - platform.aws_profile is string - - platform.key_inject_method is in ["cloud-init", "ec2"] - - platform.key_name is string and platform.key_name | length > 0 - - platform.region is string - - platform.security_group_name is string and platform.security_group_name | length > 0 - - platform.security_groups is sequence - - platform.vpc_id is string - - platform.vpc_subnet_id is string and platform.vpc_subnet_id | length > 0 - quiet: true - loop: '{{ platforms }}' - loop_control: - loop_var: platform - label: "{{ platform.name }}" - tasks: - - name: Look up subnets to determine VPCs (if needed) - amazon.aws.ec2_vpc_subnet_info: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - subnet_ids: "{{ item.vpc_subnet_id }}" - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - when: not item.vpc_id - register: subnet_info - - - name: Validate discovered information - ansible.builtin.assert: - that: platform.vpc_id or (subnet_info.results[index].subnets | length > 0) - quiet: true - loop: "{{ platforms }}" - loop_control: - loop_var: platform - index_var: index - label: "{{ platform.name }}" - - - name: Destroy resources - when: instance_config | length != 0 - block: - - name: Destroy ephemeral EC2 instances - amazon.aws.ec2_instance: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - instance_ids: "{{ instance_config | map(attribute='instance_ids') | flatten }}" - vpc_subnet_id: "{{ item.vpc_subnet_id }}" - state: absent - loop: "{{ platforms }}" - loop_control: - label: "{{ item.name }}" - register: ec2_instances_async - async: 7200 - poll: 0 - - - name: Wait for instance destruction to complete - ansible.builtin.async_status: - jid: "{{ item.ansible_job_id }}" - loop: "{{ ec2_instances_async.results }}" - loop_control: - index_var: index - label: "{{ platforms[index].name }}" - register: ec2_instances - until: ec2_instances is finished - retries: 300 - - - name: Write Molecule instance configs - ansible.builtin.copy: - dest: "{{ molecule_instance_config }}" - content: "{{ {} | to_yaml }}" - - - name: Destroy ephemeral security groups (if needed) - amazon.aws.ec2_security_group: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - vpc_id: "{{ item.vpc_id or vpc_subnet.vpc_id }}" - name: "{{ item.security_group_name }}" - state: absent - vars: - vpc_subnet: "{{ subnet_info.results[index].subnets[0] }}" - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.security_groups | length == 0 - - - name: Destroy ephemeral keys (if needed) - amazon.aws.ec2_key: - profile: "{{ item.aws_profile | default(omit) }}" - region: "{{ item.region | default(omit) }}" - name: "{{ item.key_name }}" - state: absent - loop: "{{ platforms }}" - loop_control: - index_var: index - label: "{{ item.name }}" - when: item.key_inject_method == "ec2" \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/requirements.yml b/roles/rke2/molecule/ubuntu-2404/requirements.yml deleted file mode 100644 index 4ece6bc1..00000000 --- a/roles/rke2/molecule/ubuntu-2404/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -collections: - - name: ansible.utils - - name: amazon.aws - - name: community.crypto \ No newline at end of file From a10877e4e905ab9ba9c1817f38a16766d2d85c85 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 12:51:57 -0400 Subject: [PATCH 18/36] updating full rpm logic --- roles/rke2/defaults/main.yml | 2 +- roles/rke2/tasks/calculate_rke2_version.yml | 72 +++++++++------------ roles/rke2/tasks/rpm_install.yml | 6 +- roles/rke2/vars/main.yml | 3 + 4 files changed, 38 insertions(+), 45 deletions(-) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 15700aea..89059c18 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -34,4 +34,4 @@ kubelet_node_name: rke2_config: {} metrics_running: false node_ready: "false" -api_server_running: false \ No newline at end of file +api_server_running: false diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 5eaf09aa..5e62124a 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -3,7 +3,7 @@ - name: "Determine latest version from internet" when: - rke2_install_version | length == 0 - - rke2_versioned_yum_repo.baseurl | search ("rpm.rancher.io") + - '"rpm.rancher.io" in rke2_versioned_yum_repo.baseurl' - rke2_install_local_tarball_path == "" - rke2_install_tarball_url == "" block: @@ -22,27 +22,34 @@ args: executable: /usr/bin/bash -- name: Set rke2_full_version fact + - name: Set rke2_full_version fact from internet source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_full_version.stdout }}" + +- name: Unset rke2_full_version if skipped + ansible.builtin.set_fact: + rke2_full_version: "" + when: + rke2_full_version is skipped + +- name: Set rke2_full_version fact from variable source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_install_version }}" + when: + - rke2_install_version | length > 0 + +- name: Set rke2_package_state to latest ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout if (rke2_install_version | length == 0) else rke2_install_version }}" + rke2_package_state: "latest" + when: + - rke2_full_version | length == 0 - name: "Set install version for RPM" when: - install_method == "rpm" + - rke2_full_version | length > 0 block: - - name: Set dot version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1 - register: rke2_version_dot_tmp - changed_when: false - args: - executable: /usr/bin/bash - - - name: Set rke2_version_dot fact - ansible.builtin.set_fact: - rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}" - - name: Set Maj.Min version ansible.builtin.shell: cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" @@ -67,37 +74,16 @@ ansible.builtin.set_fact: rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" + - name: Prepend 'dash' to version string + ansible.builtin.set_fact: + rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" + when: + - rke2_version_rpm | length > 0 + # - name: Describe versions # ansible.builtin.debug: # msg: # - "Full version, with revision indication: {{ rke2_full_version }}" - # - "Version without revision indication: {{ rke2_version_dot }}" + # # - "Version without revision indication: {{ rke2_version_dot }}" # - "Major and Minor Only: {{ rke2_version_majmin }}" # - "RPM Version (tilde): {{ rke2_version_rpm }}" - -- name: "Set install version for RPM" - when: - - install_method == "rpm" - block: - - - name: Set RPM version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_install_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" - register: rke2_version_rpm_tmp - changed_when: false - args: - executable: /usr/bin/bash - when: - - rke2_install_version | length > 0 - - - name: Set rke2_version_rpm fact - ansible.builtin.set_fact: - rke2_version_rpm_no_dash: "{{ rke2_version_rpm_tmp.stdout }}" - when: - - rke2_version_rpm_tmp is defined - - - name: Prepend 'dash' to version string - ansible.builtin.set_fact: - rke2_version_rpm: "{{ '-' + rke2_version_rpm_no_dash }}" - when: - - rke2_version_rpm_no_dash is defined diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 82f3a268..3f9b601e 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -20,10 +20,14 @@ gpgkey: "{{ rke2_versioned_yum_repo.gpgkey }}" enabled: "{{ rke2_versioned_yum_repo.enabled }}" +- name: debug install + debug: + msg: installing {{ service_name }}{{ rke2_version_rpm }} + - name: YUM-Based Install ansible.builtin.dnf: name: "{{ service_name }}{{ rke2_version_rpm }}" - state: installed + state: "{{ rke2_package_state}}" allow_downgrade: true register: result retries: 10 diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index 0f544b40..d2944ee3 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -3,3 +3,6 @@ rke2_installed: false rke2_version_changed: false rke2_reboot: false +rke2_version_majmin: "" +rke2_version_rpm: "" +rke2_package_state: "installed" \ No newline at end of file From 41525c21f2f1087de04bc5b441527bb1f5c17c36 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 13:15:23 -0400 Subject: [PATCH 19/36] fixed rpm logic --- roles/rke2/tasks/calculate_rke2_version.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 5e62124a..0a47cfc7 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -22,9 +22,9 @@ args: executable: /usr/bin/bash - - name: Set rke2_full_version fact from internet source - ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout }}" + # - name: Set rke2_full_version fact from internet source + # ansible.builtin.set_fact: + # rke2_full_version: "{{ rke2_full_version.stdout }}" - name: Unset rke2_full_version if skipped ansible.builtin.set_fact: @@ -32,11 +32,16 @@ when: rke2_full_version is skipped -- name: Set rke2_full_version fact from variable source +- name: Set rke2_full_version fact ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_install_version }}" - when: - - rke2_install_version | length > 0 + rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or + (install_rke2_version | length == 0)) else install_rke2_version }}" + +# - name: Set rke2_full_version fact from variable source +# ansible.builtin.set_fact: +# rke2_full_version: "{{ rke2_install_version }}" +# when: +# - rke2_install_version | length > 0 - name: Set rke2_package_state to latest ansible.builtin.set_fact: From bd13dc8ca0e8039a42eaa233c388579e190309ee Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 15:22:24 -0400 Subject: [PATCH 20/36] linting round 1 --- roles/rke2/tasks/add_manifest_addons.yml | 12 ++++---- roles/rke2/tasks/calculate_rke2_version.yml | 25 ++++++++------- roles/rke2/tasks/check_node_ready.yml | 34 +++++++++++---------- roles/rke2/tasks/cis_hardening.yml | 8 ++--- roles/rke2/tasks/config.yml | 4 +-- roles/rke2/tasks/configure_rke2.yml | 2 -- roles/rke2/tasks/first_server.yml | 5 +-- roles/rke2/tasks/main.yml | 20 +++++------- roles/rke2/tasks/other_nodes.yml | 2 +- roles/rke2/tasks/rpm_install.yml | 6 ++-- roles/rke2/tasks/save_generated_token.yml | 6 ++-- roles/rke2/tasks/tarball_install.yml | 2 -- roles/rke2/vars/main.yml | 2 +- 13 files changed, 61 insertions(+), 67 deletions(-) diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index 909693c7..8397da87 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml @@ -1,12 +1,12 @@ --- -- name: look up manifest files on localhost - find: +- name: Look up manifest files on localhost + ansible.builtin.find: paths: "{{ source_directory }}" register: local_files_find_return delegate_to: localhost -- name: create array of managed files +- name: Create array of managed files ansible.builtin.set_fact: managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}" @@ -18,16 +18,16 @@ owner: root group: root -- name: look up manifest files on remote +- name: Look up manifest files on remote find: paths: "{{ destination_directory }}" register: remote_files_find_return -- name: create array of remote files +- name: Create array of remote files ansible.builtin.set_fact: current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}" -- name: remove remote files not in managed files list +- name: Remove remote files not in managed files list ansible.builtin.file: path: "{{ destination_directory }}/{{ item }}" state: absent diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 0a47cfc7..a8994a0d 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -22,9 +22,9 @@ args: executable: /usr/bin/bash - # - name: Set rke2_full_version fact from internet source - # ansible.builtin.set_fact: - # rke2_full_version: "{{ rke2_full_version.stdout }}" + - name: Set rke2_full_version fact from internet source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_full_version.stdout }}" - name: Unset rke2_full_version if skipped ansible.builtin.set_fact: @@ -32,16 +32,15 @@ when: rke2_full_version is skipped -- name: Set rke2_full_version fact - ansible.builtin.set_fact: - rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or - (install_rke2_version | length == 0)) else install_rke2_version }}" - -# - name: Set rke2_full_version fact from variable source +# - name: Set rke2_full_version fact # ansible.builtin.set_fact: -# rke2_full_version: "{{ rke2_install_version }}" -# when: -# - rke2_install_version | length > 0 + # rke2_full_version: "{{ rke2_full_version.stdout if (install_rke2_version | length == 0) else install_rke2_version }}" + +- name: Set rke2_full_version fact from variable source + ansible.builtin.set_fact: + rke2_full_version: "{{ rke2_install_version }}" + when: + - rke2_install_version | length > 0 - name: Set rke2_package_state to latest ansible.builtin.set_fact: @@ -83,7 +82,7 @@ ansible.builtin.set_fact: rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" when: - - rke2_version_rpm | length > 0 + - rke2_version_rpm | length > 0 # - name: Describe versions # ansible.builtin.debug: diff --git a/roles/rke2/tasks/check_node_ready.yml b/roles/rke2/tasks/check_node_ready.yml index a69e5831..1ce68e30 100644 --- a/roles/rke2/tasks/check_node_ready.yml +++ b/roles/rke2/tasks/check_node_ready.yml @@ -1,3 +1,5 @@ +--- + - name: Wait for k8s apiserver ansible.builtin.wait_for: host: localhost @@ -8,14 +10,14 @@ register: api_serve_status ignore_errors: "{{check_node_ready_ignore_errors}}" -- name: set fact +- name: Set fact ansible.builtin.set_fact: api_server_running: true - when: - - api_serve_status.state is not undefined - - api_serve_status.state == "present" + when: + - api_serve_status.state is not undefined + - api_serve_status.state == "present" -- name: set fact +- name: Set fact ansible.builtin.set_fact: api_server_running: "{{api_server_running}}" @@ -35,9 +37,9 @@ ansible.builtin.set_fact: metrics_running: true when: - - 200 | string in node_metrics.status | string + - 200 | string in node_metrics.status | string -- name: set fact for metrics_running +- name: Set fact for metrics_running ansible.builtin.set_fact: metrics_running: "{{metrics_running}}" @@ -46,8 +48,8 @@ kubelet_node_name: "{{ node_metrics.content | \ regex_search('kubelet_node_name{node=\"(.*)\"}',\ '\\1') }}" - when: - - 200 | string in node_metrics.status | string + when: + - 200 | string in node_metrics.status | string - name: Wait for node to show Ready status ansible.builtin.command: >- @@ -61,20 +63,20 @@ changed_when: false ignore_errors: "{{check_node_ready_ignore_errors}}" -- name: set fact +- name: Set fact ansible.builtin.set_fact: node_ready: "true" when: - - status_result.rc is not undefined - - status_result.rc | string == "0" + - status_result.rc is not undefined + - status_result.rc | string == "0" -- name: set fact +- name: Set fact ansible.builtin.set_fact: node_ready: "{{node_ready}}" -- name: node status - debug: +- name: Node status + ansible.builtin.debug: msg: | "node_ready: {{node_ready}}" "metrics_running: {{metrics_running}}" - "api_server_running: {{api_server_running}}" \ No newline at end of file + "api_server_running: {{api_server_running}}" diff --git a/roles/rke2/tasks/cis_hardening.yml b/roles/rke2/tasks/cis_hardening.yml index 53acff52..dec33eb2 100644 --- a/roles/rke2/tasks/cis_hardening.yml +++ b/roles/rke2/tasks/cis_hardening.yml @@ -2,10 +2,10 @@ - name: CIS MODE become: yes - when: - - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or - (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or - (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) + when: + - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or + (host_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) block: - name: Create etcd group ansible.builtin.group: diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index 602652c7..edff3b99 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml @@ -1,12 +1,12 @@ --- # combine host and group vars to form primary rke2_config -- name: combine host and group config vars +- name: Combine host and group config vars ansible.builtin.set_fact: temp_group_rke2_config: "{{cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" # combine host and group vars to form primary rke2_config -- name: combine host and group config vars +- name: Combine host and group config vars ansible.builtin.set_fact: rke2_config: "{{temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index a9993651..6036a23a 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -36,5 +36,3 @@ file_path: "{{ rke2_pod_security_admission_config_file_path }}" when: - inventory_hostname in groups['rke2_servers'] - - diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index 080d18e5..d84b658b 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -4,7 +4,7 @@ - name: Include task file config.yml ansible.builtin.include_tasks: config.yml -- name: flush_handlers +- name: Flush_handlers ansible.builtin.meta: flush_handlers - block: @@ -15,4 +15,5 @@ check_node_ready_retries: 30 check_node_ready_delay: 10 check_node_ready_ignore_errors: false - any_errors_fatal: true \ No newline at end of file + any_errors_fatal: true + \ No newline at end of file diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index 72b3fd1e..f4323928 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -43,8 +43,6 @@ - name: Has rke2 been installed already ansible.builtin.include_tasks: previous_install.yml - - - name: Check for images bundle ansible.builtin.include_tasks: images_bundle.yml when: @@ -65,10 +63,10 @@ check_node_ready_delay: 2 check_node_ready_ignore_errors: true when: - - inventory_hostname in groups['rke2_servers'] + - inventory_hostname in groups['rke2_servers'] - name: Create a list of ready servers - set_fact: + ansible.builtin.set_fact: ready_servers: "{{ groups.rke2_servers| map('extract', hostvars)| selectattr('node_ready', 'equalto', true)| @@ -90,8 +88,6 @@ - name: Set rke2 configuration files ansible.builtin.include_tasks: configure_rke2.yml - - - name: Include task file add_manifest_addons.yml ansible.builtin.include_tasks: add_manifest_addons.yml vars: @@ -106,23 +102,23 @@ - name: Start the first rke2 node ansible.builtin.include_tasks: first_server.yml when: - - inventory_hostname in groups['rke2_servers'][0] - - ready_servers | length == 0 + - inventory_hostname in groups['rke2_servers'][0] + - ready_servers | length == 0 -- name: save_generated_token.yml +- name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: token_source_node: "{{groups['rke2_servers'][0]}}" when: - - ready_servers | length == 0 + - ready_servers | length == 0 # is the ready_servers array is > 0, we assume it's an established cluster and treat all nodes equally (no need for initial server procedure) -- name: save_generated_token.yml +- name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: token_source_node: "{{ready_servers[0]}}" when: - - ready_servers | length > 0 + - ready_servers | length > 0 - name: Start all other rke2 nodes ansible.builtin.include_tasks: other_nodes.yml diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 80825e32..59ae3c11 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -9,5 +9,5 @@ - name: Generate config.yml on other nodes ansible.builtin.include_tasks: config.yml -- name: flush_handlers +- name: Flush_handlers ansible.builtin.meta: flush_handlers diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index 3f9b601e..e9a4fd50 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -20,9 +20,9 @@ gpgkey: "{{ rke2_versioned_yum_repo.gpgkey }}" enabled: "{{ rke2_versioned_yum_repo.enabled }}" -- name: debug install - debug: - msg: installing {{ service_name }}{{ rke2_version_rpm }} +# - name: Debug install +# ansible.builtin.debug: +# msg: installing {{ service_name }}{{ rke2_version_rpm }} - name: YUM-Based Install ansible.builtin.dnf: diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml index c2742ea5..4717fd75 100644 --- a/roles/rke2/tasks/save_generated_token.yml +++ b/roles/rke2/tasks/save_generated_token.yml @@ -1,4 +1,4 @@ - +--- - name: Wait for node-token ansible.builtin.wait_for: @@ -30,14 +30,14 @@ temp_host_rke2_config: server: "https://{{ rke2_kubernetes_api_server_host }}:9345" when: - - rke2_kubernetes_api_server_host != "" + - rke2_kubernetes_api_server_host != "" - name: Set temp fact to store server config line with server URL ansible.builtin.set_fact: temp_host_rke2_config: server: "https://{{ token_source_node }}:9345" when: - - rke2_kubernetes_api_server_host == "" + - rke2_kubernetes_api_server_host == "" - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 0aa960a2..3247d6ba 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -18,8 +18,6 @@ - rke2_install_tarball_url == "" - not rke2_installed or rke2_installed_version != rke2_full_version - - - name: Send provided tarball from local control machine if available ansible.builtin.copy: src: "{{ rke2_install_local_tarball_path }}" diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index d2944ee3..879b4f8c 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -5,4 +5,4 @@ rke2_version_changed: false rke2_reboot: false rke2_version_majmin: "" rke2_version_rpm: "" -rke2_package_state: "installed" \ No newline at end of file +rke2_package_state: "installed" From 0e77adc8c87f5e2f8d69f72b286f180e49690a29 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Fri, 26 Jul 2024 14:56:03 -0500 Subject: [PATCH 21/36] Add supported platforms --- roles/rke2/molecule/README.md | 47 +++++++++++---- roles/rke2/molecule/rocky-89/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/rocky-94/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/sles-15/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/ubuntu-2204/molecule.yml | 60 ++++++++++++++++++++ roles/rke2/molecule/ubuntu-2404/molecule.yml | 2 - 6 files changed, 275 insertions(+), 14 deletions(-) create mode 100644 roles/rke2/molecule/rocky-89/molecule.yml create mode 100644 roles/rke2/molecule/rocky-94/molecule.yml create mode 100644 roles/rke2/molecule/sles-15/molecule.yml create mode 100644 roles/rke2/molecule/ubuntu-2204/molecule.yml diff --git a/roles/rke2/molecule/README.md b/roles/rke2/molecule/README.md index 0f5a9743..72bad79b 100644 --- a/roles/rke2/molecule/README.md +++ b/roles/rke2/molecule/README.md @@ -1,4 +1,38 @@ -# Molecule Scenarios +# Molecule Scenarios +| Scenario | Passing | +| ----------- | ------- | +| rocky-89 | False | +| rocky-94 | True | +| ubuntu-2404 | True | +| ubuntu-2204 | True | +| sles-15 | False | + +## template +As the name would imply this is a template scenario, no one is supposed to run this and it will not ever work. The purpose is to prevent other scenarios from having to rewrite or copy from one another, this also allows changes to be shared across all scenarios that are descendants of the template. + +## rocky-94 +The rocky-94 scenario is the simplest possible scenario, with a single Rocky 9.4 master node and a single Rocky 9.4 worker node. + +## rocky-89 +The rocky-89 scenario is the simplest possible scenario, with a single Rocky 8.9 master node and a single Rocky 8.9 worker node. + +## ubuntu-2404 +The ubuntu-2204 scenario is the simplest possible scenario, with a single Ubuntu 24.04 master node and a single Ubuntu 24.04 worker node. + +## ubuntu-2204 +The ubuntu-2404 scenario is the simplest possible scenario, with a single Ubuntu 22.04 master node and a single Ubuntu 22.04 worker node. + + +--- +# Development +## Required ENV Vars +| Name | Purpose | +| --------------------- | ------- | +| AWS_ACCESS_KEY_ID | Access to AWS | +| AWS_SECRET_ACCESS_KEY | Access to AWS | +| VPC_SUBNET_ID | Subnet to assign EC2s to | + +## Summary The molecule test scenarios are based on the cookie cutter ec2 instance and require the molecule plugin here: [molecule-plugin](https://github.com/ansible-community/molecule-plugins), the pip3 `requirements.txt` can be found in this directory while the ansible specfic requirements will be installed automatically when running molecule as a part of the `requirements` stage. As this is an ec2 based scenario an AWS account is needed, you will need to define the following variables either as environment variables or in your aws cli config file (`~/.aws/config`) @@ -19,18 +53,7 @@ It is worth noting that the EC2 driver does not provide a way to login to EC2 in The `vpc_subnet_id` key has been removed as a defined variable and is pulled from the environment variable `VPC_SUBNET_ID`. Other than the AWS keys needed this is the only environment variable required. -# Available Scenarios -## template -As the name would imply this is a template scenario, no one is supposed to run this and it will not ever work. The purpose is to prevent other scenarios from having to rewrite or copy from one another, this also allows changes to be shared across all scenarios that are descendants of the template. - -## ubuntu-2404 -The ubuntu-2404 scenario is the simplest possible scenario, with a single Ubuntu 24.04 master node and a single Ubuntu 20.04 worker node. - - # To Do - Add tests - Ensure node labels are applied - Ensure setting CIS profile works as expected - - Add scenrios for all supported platforms - - Rocky - - SLES \ No newline at end of file diff --git a/roles/rke2/molecule/rocky-89/molecule.yml b/roles/rke2/molecule/rocky-89/molecule.yml new file mode 100644 index 00000000..31539f3d --- /dev/null +++ b/roles/rke2/molecule/rocky-89/molecule.yml @@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-02391db2758465a87 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-02391db2758465a87 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/rocky-94/molecule.yml b/roles/rke2/molecule/rocky-94/molecule.yml new file mode 100644 index 00000000..33c405eb --- /dev/null +++ b/roles/rke2/molecule/rocky-94/molecule.yml @@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-051a0f669bb174783 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-051a0f669bb174783 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/sles-15/molecule.yml b/roles/rke2/molecule/sles-15/molecule.yml new file mode 100644 index 00000000..d911f3cd --- /dev/null +++ b/roles/rke2/molecule/sles-15/molecule.yml @@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-05e760b0ec1a5588a + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-05e760b0ec1a5588a + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2204/molecule.yml b/roles/rke2/molecule/ubuntu-2204/molecule.yml new file mode 100644 index 00000000..5977f8db --- /dev/null +++ b/roles/rke2/molecule/ubuntu-2204/molecule.yml @@ -0,0 +1,60 @@ +--- +driver: + name: ec2 + +platforms: + - name: master-01 + image: ami-0677b91957321ed76 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_servers + - name: worker-01 + image: ami-0677b91957321ed76 + instance_type: t2.medium + region: us-east-2 + assign_public_ip: true + tags: + deployed-with: "molecule" + molecule-scenario: "default" + groups: + - rke2_agents + +provisioner: + name: ansible + playbooks: + converge: ../template/converge.yml + create: ../template/create.yml + destroy: ../template/destroy.yml + requirements: ../template/requirements.yml + inventory: + hosts: + rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + node-label: + - serverGroupLabel=true + hosts: + master-01: + host_rke2_config: + node-label: + - host0Label=true + rke2_agents: + vars: + group_rke2_config: + node-label: + - agentGroupLabel=true + hosts: + worker-01: + host_rke2_config: + node-label: + - host1Label=true + +verifier: + name: ansible \ No newline at end of file diff --git a/roles/rke2/molecule/ubuntu-2404/molecule.yml b/roles/rke2/molecule/ubuntu-2404/molecule.yml index 9c34b870..dbdc8b2c 100644 --- a/roles/rke2/molecule/ubuntu-2404/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2404/molecule.yml @@ -34,8 +34,6 @@ provisioner: inventory: hosts: rke2_cluster: - vars: - rke2_install_version: v1.27.15+rke2r1 children: rke2_servers: vars: From ed3ff7e4641f6e306371b3a839134e930b58fe57 Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 16:32:30 -0400 Subject: [PATCH 22/36] fixing VIP join logic --- ...luster_state.yml => NOT_USED_cluster_state.yml} | 0 roles/rke2/tasks/first_server.yml | 7 ++++++- roles/rke2/tasks/other_nodes.yml | 14 ++++++++++++++ roles/rke2/tasks/save_generated_token.yml | 13 +++++-------- site.yml | 2 +- 5 files changed, 26 insertions(+), 10 deletions(-) rename roles/rke2/tasks/{cluster_state.yml => NOT_USED_cluster_state.yml} (100%) diff --git a/roles/rke2/tasks/cluster_state.yml b/roles/rke2/tasks/NOT_USED_cluster_state.yml similarity index 100% rename from roles/rke2/tasks/cluster_state.yml rename to roles/rke2/tasks/NOT_USED_cluster_state.yml diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index d84b658b..facf649b 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -1,12 +1,17 @@ --- - - name: Include task file config.yml ansible.builtin.include_tasks: config.yml - name: Flush_handlers ansible.builtin.meta: flush_handlers +- name: Ensure rke2 is running + ansible.builtin.service: + state: started + enabled: true + name: "{{ service_name }}" + - block: - name: Start check_node_ready.yml ansible.builtin.include_tasks: check_node_ready.yml diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 59ae3c11..9fdd3ad6 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -1,5 +1,13 @@ --- +- name: Wait for remote k8s apiserver + ansible.builtin.wait_for: + host: "{{ rke2_kubernetes_api_server_host }}" + port: "6443" + state: present + timeout: "300" + changed_when: false + - name: Include task file add-manifest-addons.yml ansible.builtin.include_tasks: add-manifest-addons.yml when: @@ -11,3 +19,9 @@ - name: Flush_handlers ansible.builtin.meta: flush_handlers + +- name: Ensure rke2 is running + ansible.builtin.service: + state: started + enabled: true + name: "{{ service_name }}" \ No newline at end of file diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml index 4717fd75..fe5df4b6 100644 --- a/roles/rke2/tasks/save_generated_token.yml +++ b/roles/rke2/tasks/save_generated_token.yml @@ -25,19 +25,16 @@ ansible.builtin.set_fact: host_rke2_config: "{{temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" -- name: Set temp fact to store server config line with custom join server URL +- name: Set temp fact for api host ansible.builtin.set_fact: - temp_host_rke2_config: - server: "https://{{ rke2_kubernetes_api_server_host }}:9345" + rke2_kubernetes_api_server_host: "{{ token_source_node }}" when: - - rke2_kubernetes_api_server_host != "" + - rke2_kubernetes_api_server_host == "" -- name: Set temp fact to store server config line with server URL +- name: Set temp fact to store server config line with custom join server URL ansible.builtin.set_fact: temp_host_rke2_config: - server: "https://{{ token_source_node }}:9345" - when: - - rke2_kubernetes_api_server_host == "" + server: "https://{{ rke2_kubernetes_api_server_host }}:9345" - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: diff --git a/site.yml b/site.yml index 7fd240e6..9d204c83 100644 --- a/site.yml +++ b/site.yml @@ -3,6 +3,6 @@ - name: RKE2 play hosts: all any_errors_fatal: true - become: true + # become: true roles: - role: rke2 From ee61292c97b185d66e1224c2e725afc4dc7c90ce Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 16:53:23 -0400 Subject: [PATCH 23/36] fix --- roles/rke2/tasks/calculate_rke2_version.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index a8994a0d..0010e920 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -30,7 +30,8 @@ ansible.builtin.set_fact: rke2_full_version: "" when: - rke2_full_version is skipped + - rke2_full_version.skipped is defined + - rke2_full_version is skipped # - name: Set rke2_full_version fact # ansible.builtin.set_fact: From 7c3e47b5e22daa70fd9d93bbd9c8ffca1dc4938c Mon Sep 17 00:00:00 2001 From: Adam Leiner Date: Fri, 26 Jul 2024 17:42:44 -0400 Subject: [PATCH 24/36] linting 2 --- .ansible-lint | 3 +- roles/rke2/defaults/main.yml | 8 +-- .../rke2/tasks/add_ansible_managed_config.yml | 2 +- roles/rke2/tasks/add_manifest_addons.yml | 8 +-- roles/rke2/tasks/calculate_rke2_version.yml | 66 +++++++++---------- roles/rke2/tasks/check_node_ready.yml | 30 ++++----- roles/rke2/tasks/config.yml | 7 +- roles/rke2/tasks/first_server.yml | 18 ++--- roles/rke2/tasks/main.yml | 12 ++-- roles/rke2/tasks/other_nodes.yml | 12 ++-- roles/rke2/tasks/rpm_install.yml | 2 +- roles/rke2/tasks/save_generated_token.yml | 10 +-- 12 files changed, 87 insertions(+), 91 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index ba0c6d31..a90f5bf2 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -8,4 +8,5 @@ warn_list: - var-naming - yaml[comments-indentation] skip_list: - - experimental \ No newline at end of file + - experimental + - yaml[line-length] \ No newline at end of file diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index 89059c18..e47a1402 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -29,9 +29,9 @@ rke2_versioned_yum_repo: gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" enabled: yes -kubelet_node_name: +rke2_kubelet_node_name: - "nodeNameNotFound" rke2_config: {} -metrics_running: false -node_ready: "false" -api_server_running: false +rke2_metrics_running: false +rke2_node_ready: "false" +rke2_api_server_running: false diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml index 09e8e2fc..29103cd1 100644 --- a/roles/rke2/tasks/add_ansible_managed_config.yml +++ b/roles/rke2/tasks/add_ansible_managed_config.yml @@ -33,5 +33,5 @@ path: "{{ file_destination }}" state: absent when: - - ansible_managed_check.changed | bool is false + - ansible_managed_check.changed | bool is false # noqa no-handler notify: "Restart {{ service_name }}" diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index 8397da87..e8421971 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml @@ -8,7 +8,7 @@ - name: Create array of managed files ansible.builtin.set_fact: - managed_files: "{{local_files_find_return.files | map(attribute='path') | map('basename') }}" + managed_files: "{{ local_files_find_return.files | map(attribute='path') | map('basename') }}" - name: Add manifest addons files from localhost ansible.builtin.copy: @@ -19,17 +19,17 @@ group: root - name: Look up manifest files on remote - find: + ansible.builtin.find: paths: "{{ destination_directory }}" register: remote_files_find_return - name: Create array of remote files ansible.builtin.set_fact: - current_files: "{{remote_files_find_return.files | map(attribute='path') | map('basename') }}" + current_files: "{{ remote_files_find_return.files | map(attribute='path') | map('basename') }}" - name: Remove remote files not in managed files list ansible.builtin.file: path: "{{ destination_directory }}/{{ item }}" state: absent - with_items: "{{current_files}}" + with_items: "{{ current_files }}" when: item not in managed_files diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 0010e920..12c0712e 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -35,7 +35,7 @@ # - name: Set rke2_full_version fact # ansible.builtin.set_fact: - # rke2_full_version: "{{ rke2_full_version.stdout if (install_rke2_version | length == 0) else install_rke2_version }}" +# rke2_full_version: "{{ rke2_full_version.stdout if (install_rke2_version | length == 0) else install_rke2_version }}" - name: Set rke2_full_version fact from variable source ansible.builtin.set_fact: @@ -55,40 +55,40 @@ - rke2_full_version | length > 0 block: - - name: Set Maj.Min version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" - register: rke2_version_majmin_tmp - changed_when: false - args: - executable: /usr/bin/bash + - name: Set Maj.Min version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g" + register: rke2_version_majmin_tmp + changed_when: false + args: + executable: /usr/bin/bash - - name: Set rke2_version_majmin fact - ansible.builtin.set_fact: - rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" + - name: Set rke2_version_majmin fact + ansible.builtin.set_fact: + rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}" - - name: Set RPM version - ansible.builtin.shell: - cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" - register: rke2_version_rpm_tmp - changed_when: false - args: - executable: /usr/bin/bash + - name: Set RPM version + ansible.builtin.shell: + cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/" + register: rke2_version_rpm_tmp + changed_when: false + args: + executable: /usr/bin/bash - - name: Set rke2_version_rpm fact - ansible.builtin.set_fact: - rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" + - name: Set rke2_version_rpm fact + ansible.builtin.set_fact: + rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}" - - name: Prepend 'dash' to version string - ansible.builtin.set_fact: - rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" - when: - - rke2_version_rpm | length > 0 + - name: Prepend 'dash' to version string + ansible.builtin.set_fact: + rke2_version_rpm: "{{ '-' + rke2_version_rpm }}" + when: + - rke2_version_rpm | length > 0 - # - name: Describe versions - # ansible.builtin.debug: - # msg: - # - "Full version, with revision indication: {{ rke2_full_version }}" - # # - "Version without revision indication: {{ rke2_version_dot }}" - # - "Major and Minor Only: {{ rke2_version_majmin }}" - # - "RPM Version (tilde): {{ rke2_version_rpm }}" + # - name: Describe versions + # ansible.builtin.debug: + # msg: + # - "Full version, with revision indication: {{ rke2_full_version }}" + # # - "Version without revision indication: {{ rke2_version_dot }}" + # - "Major and Minor Only: {{ rke2_version_majmin }}" + # - "RPM Version (tilde): {{ rke2_version_rpm }}" diff --git a/roles/rke2/tasks/check_node_ready.yml b/roles/rke2/tasks/check_node_ready.yml index 1ce68e30..e543852d 100644 --- a/roles/rke2/tasks/check_node_ready.yml +++ b/roles/rke2/tasks/check_node_ready.yml @@ -8,18 +8,18 @@ timeout: "{{ check_node_ready_timeout }}" changed_when: false register: api_serve_status - ignore_errors: "{{check_node_ready_ignore_errors}}" + ignore_errors: "{{ check_node_ready_ignore_errors }}" - name: Set fact ansible.builtin.set_fact: - api_server_running: true + rke2_api_server_running: true when: - api_serve_status.state is not undefined - api_serve_status.state == "present" - name: Set fact ansible.builtin.set_fact: - api_server_running: "{{api_server_running}}" + rke2_api_server_running: "{{ rke2_api_server_running }}" - name: Get node_metrics ansible.builtin.uri: @@ -31,23 +31,21 @@ register: node_metrics retries: "{{ check_node_ready_retries }}" delay: "{{ check_node_ready_delay }}" - ignore_errors: "{{check_node_ready_ignore_errors}}" + ignore_errors: "{{ check_node_ready_ignore_errors }}" - name: Check that node_metrics collection was successful ansible.builtin.set_fact: - metrics_running: true + rke2_metrics_running: true when: - 200 | string in node_metrics.status | string -- name: Set fact for metrics_running +- name: Set fact for rke2_metrics_running ansible.builtin.set_fact: - metrics_running: "{{metrics_running}}" + rke2_metrics_running: "{{ rke2_metrics_running }}" - name: Extract the kubelet_node_name from node metrics ansible.builtin.set_fact: - kubelet_node_name: "{{ node_metrics.content | \ - regex_search('kubelet_node_name{node=\"(.*)\"}',\ - '\\1') }}" + kubelet_node_name: "{{ node_metrics.content | regex_search('kubelet_node_name{node=\"(.*)\"}', '\\1') }}" when: - 200 | string in node_metrics.status | string @@ -61,22 +59,22 @@ retries: "{{ check_node_ready_retries }}" delay: "{{ check_node_ready_delay }}" changed_when: false - ignore_errors: "{{check_node_ready_ignore_errors}}" + ignore_errors: "{{ check_node_ready_ignore_errors }}" - name: Set fact ansible.builtin.set_fact: - node_ready: "true" + rke2_node_ready: "true" when: - status_result.rc is not undefined - status_result.rc | string == "0" - name: Set fact ansible.builtin.set_fact: - node_ready: "{{node_ready}}" + rke2_node_ready: "{{ rke2_node_ready }}" - name: Node status ansible.builtin.debug: msg: | - "node_ready: {{node_ready}}" - "metrics_running: {{metrics_running}}" - "api_server_running: {{api_server_running}}" + "rke2_node_ready: {{ rke2_node_ready }}" + "rke2_metrics_running: {{ rke2_metrics_running }}" + "rke2_api_server_running: {{ rke2_api_server_running }}" diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml index edff3b99..ace77c77 100644 --- a/roles/rke2/tasks/config.yml +++ b/roles/rke2/tasks/config.yml @@ -3,12 +3,12 @@ # combine host and group vars to form primary rke2_config - name: Combine host and group config vars ansible.builtin.set_fact: - temp_group_rke2_config: "{{cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" + temp_group_rke2_config: "{{ cluster_rke2_config | default({}) | ansible.builtin.combine((group_rke2_config | default({})), list_merge='prepend_rp') }}" # combine host and group vars to form primary rke2_config - name: Combine host and group config vars ansible.builtin.set_fact: - rke2_config: "{{temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + rke2_config: "{{ temp_group_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" # write final config - name: Create config.yaml @@ -16,4 +16,5 @@ path: /etc/rancher/rke2/config.yaml block: "{{ rke2_config | to_nice_yaml(indent=0) }}" create: true - notify: Restart {{service_name}} + mode: "0640" + notify: Restart {{ service_name }} diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml index facf649b..c126799f 100644 --- a/roles/rke2/tasks/first_server.yml +++ b/roles/rke2/tasks/first_server.yml @@ -12,13 +12,13 @@ enabled: true name: "{{ service_name }}" -- block: - - name: Start check_node_ready.yml - ansible.builtin.include_tasks: check_node_ready.yml - vars: - check_node_ready_timeout: 300 - check_node_ready_retries: 30 - check_node_ready_delay: 10 - check_node_ready_ignore_errors: false +- name: Check_node_ready any_errors_fatal: true - \ No newline at end of file + block: + - name: Start check_node_ready.yml + ansible.builtin.include_tasks: check_node_ready.yml + vars: + check_node_ready_timeout: 300 + check_node_ready_retries: 30 + check_node_ready_delay: 10 + check_node_ready_ignore_errors: false diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml index f4323928..07cdbc18 100644 --- a/roles/rke2/tasks/main.yml +++ b/roles/rke2/tasks/main.yml @@ -67,11 +67,7 @@ - name: Create a list of ready servers ansible.builtin.set_fact: - ready_servers: "{{ groups.rke2_servers| - map('extract', hostvars)| - selectattr('node_ready', 'equalto', true)| - map(attribute='inventory_hostname')| - list }}" + ready_servers: "{{ groups.rke2_servers | map('extract', hostvars) | selectattr('rke2_node_ready', 'equalto', true) | map(attribute='inventory_hostname') | list }}" delegate_to: localhost run_once: true @@ -108,7 +104,7 @@ - name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: - token_source_node: "{{groups['rke2_servers'][0]}}" + token_source_node: "{{ groups['rke2_servers'][0] }}" when: - ready_servers | length == 0 @@ -116,7 +112,7 @@ - name: Save_generated_token.yml ansible.builtin.include_tasks: save_generated_token.yml vars: - token_source_node: "{{ready_servers[0]}}" + token_source_node: "{{ ready_servers[0] }}" when: - ready_servers | length > 0 @@ -131,7 +127,7 @@ - name: Include task file add_manifest_addons.yml ansible.builtin.include_tasks: add_manifest_addons.yml vars: - source_directory: "{{rke2_manifest_config_post_run_directory}}" + source_directory: "{{ rke2_manifest_config_post_run_directory }}" destination_directory: /var/lib/rancher/rke2/server/manifests/ansible_managed_1 when: - rke2_manifest_config_post_run_directory is defined diff --git a/roles/rke2/tasks/other_nodes.yml b/roles/rke2/tasks/other_nodes.yml index 9fdd3ad6..1d004b02 100644 --- a/roles/rke2/tasks/other_nodes.yml +++ b/roles/rke2/tasks/other_nodes.yml @@ -8,11 +8,11 @@ timeout: "300" changed_when: false -- name: Include task file add-manifest-addons.yml - ansible.builtin.include_tasks: add-manifest-addons.yml - when: - - manifest_config_file_path is defined - - manifest_config_file_path | length > 0 +# - name: Include task file add-manifest-addons.yml +# ansible.builtin.include_tasks: add-manifest-addons.yml +# when: +# - manifest_config_file_path is defined +# - manifest_config_file_path | length > 0 - name: Generate config.yml on other nodes ansible.builtin.include_tasks: config.yml @@ -24,4 +24,4 @@ ansible.builtin.service: state: started enabled: true - name: "{{ service_name }}" \ No newline at end of file + name: "{{ service_name }}" diff --git a/roles/rke2/tasks/rpm_install.yml b/roles/rke2/tasks/rpm_install.yml index e9a4fd50..189d60dd 100644 --- a/roles/rke2/tasks/rpm_install.yml +++ b/roles/rke2/tasks/rpm_install.yml @@ -27,7 +27,7 @@ - name: YUM-Based Install ansible.builtin.dnf: name: "{{ service_name }}{{ rke2_version_rpm }}" - state: "{{ rke2_package_state}}" + state: "{{ rke2_package_state }}" allow_downgrade: true register: result retries: 10 diff --git a/roles/rke2/tasks/save_generated_token.yml b/roles/rke2/tasks/save_generated_token.yml index fe5df4b6..92400b4a 100644 --- a/roles/rke2/tasks/save_generated_token.yml +++ b/roles/rke2/tasks/save_generated_token.yml @@ -3,18 +3,18 @@ - name: Wait for node-token ansible.builtin.wait_for: path: /var/lib/rancher/rke2/server/node-token - delegate_to: "{{token_source_node}}" + delegate_to: "{{ token_source_node }}" - name: Read node-token from master ansible.builtin.slurp: src: /var/lib/rancher/rke2/server/node-token register: node_token - delegate_to: "{{token_source_node}}" + delegate_to: "{{ token_source_node }}" - name: Store Master node-token ansible.builtin.set_fact: rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}" - delegate_to: "{{token_source_node}}" + delegate_to: "{{ token_source_node }}" - name: Set temp fact to store token config line ansible.builtin.set_fact: @@ -23,7 +23,7 @@ - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: - host_rke2_config: "{{temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + host_rke2_config: "{{ temp_token | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" - name: Set temp fact for api host ansible.builtin.set_fact: @@ -38,4 +38,4 @@ - name: Update host_rke2_config fact to contain server line ansible.builtin.set_fact: - host_rke2_config: "{{temp_host_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" + host_rke2_config: "{{ temp_host_rke2_config | default({}) | ansible.builtin.combine((host_rke2_config | default({})), list_merge='prepend_rp') }}" From f84d647d70e5ca395d11e1bc0e6baa3650f0f56e Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Fri, 26 Jul 2024 16:55:31 -0500 Subject: [PATCH 25/36] Easy win yamllints --- roles/rke2/molecule/rocky-89/molecule.yml | 4 ++-- roles/rke2/molecule/rocky-94/molecule.yml | 4 ++-- roles/rke2/molecule/sles-15/molecule.yml | 4 ++-- roles/rke2/molecule/template/converge.yml | 4 ++-- roles/rke2/molecule/template/create.yml | 4 ++-- roles/rke2/molecule/template/destroy.yml | 4 ++-- roles/rke2/molecule/template/requirements.yml | 2 +- roles/rke2/molecule/ubuntu-2204/molecule.yml | 4 ++-- roles/rke2/molecule/ubuntu-2404/molecule.yml | 4 ++-- 9 files changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/rke2/molecule/rocky-89/molecule.yml b/roles/rke2/molecule/rocky-89/molecule.yml index 31539f3d..aacfede6 100644 --- a/roles/rke2/molecule/rocky-89/molecule.yml +++ b/roles/rke2/molecule/rocky-89/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/rocky-94/molecule.yml b/roles/rke2/molecule/rocky-94/molecule.yml index 33c405eb..8b0808e3 100644 --- a/roles/rke2/molecule/rocky-94/molecule.yml +++ b/roles/rke2/molecule/rocky-94/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/sles-15/molecule.yml b/roles/rke2/molecule/sles-15/molecule.yml index d911f3cd..8fd4ca6a 100644 --- a/roles/rke2/molecule/sles-15/molecule.yml +++ b/roles/rke2/molecule/sles-15/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/template/converge.yml b/roles/rke2/molecule/template/converge.yml index 1966131f..2c5f85ba 100644 --- a/roles/rke2/molecule/template/converge.yml +++ b/roles/rke2/molecule/template/converge.yml @@ -3,9 +3,9 @@ hosts: all gather_facts: true pre_tasks: - - name: Set api_server_host + - name: Set api_server_host ansible.builtin.set_fact: rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].ansible_host }}" roles: - role: rke2 - become: true \ No newline at end of file + become: true diff --git a/roles/rke2/molecule/template/create.yml b/roles/rke2/molecule/template/create.yml index 50ffe4a9..3008c936 100644 --- a/roles/rke2/molecule/template/create.yml +++ b/roles/rke2/molecule/template/create.yml @@ -19,7 +19,7 @@ default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" default_boot_wait_seconds: 120 default_instance_type: t2.medium - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] default_key_name: "molecule-{{ run_config.run_id }}" default_private_key_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/id_rsa" default_public_key_path: "{{ default_private_key_path }}.pub" @@ -330,4 +330,4 @@ - name: Wait for boot process to finish ansible.builtin.pause: - seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" \ No newline at end of file + seconds: "{{ platforms | map(attribute='boot_wait_seconds') | max }}" diff --git a/roles/rke2/molecule/template/destroy.yml b/roles/rke2/molecule/template/destroy.yml index ea993823..5ec0eaf4 100644 --- a/roles/rke2/molecule/template/destroy.yml +++ b/roles/rke2/molecule/template/destroy.yml @@ -16,7 +16,7 @@ # Platform settings handling default_aws_profile: "{{ lookup('env', 'AWS_PROFILE') }}" - default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] + default_key_inject_method: cloud-init # valid values: [cloud-init, ec2] default_key_name: "molecule-{{ run_config.run_id }}" default_security_group_name: "molecule-{{ run_config.run_id }}" @@ -140,4 +140,4 @@ loop_control: index_var: index label: "{{ item.name }}" - when: item.key_inject_method == "ec2" \ No newline at end of file + when: item.key_inject_method == "ec2" diff --git a/roles/rke2/molecule/template/requirements.yml b/roles/rke2/molecule/template/requirements.yml index 4ece6bc1..35a10503 100644 --- a/roles/rke2/molecule/template/requirements.yml +++ b/roles/rke2/molecule/template/requirements.yml @@ -2,4 +2,4 @@ collections: - name: ansible.utils - name: amazon.aws - - name: community.crypto \ No newline at end of file + - name: community.crypto diff --git a/roles/rke2/molecule/ubuntu-2204/molecule.yml b/roles/rke2/molecule/ubuntu-2204/molecule.yml index 5977f8db..96dddaa1 100644 --- a/roles/rke2/molecule/ubuntu-2204/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2204/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible diff --git a/roles/rke2/molecule/ubuntu-2404/molecule.yml b/roles/rke2/molecule/ubuntu-2404/molecule.yml index dbdc8b2c..dea82735 100644 --- a/roles/rke2/molecule/ubuntu-2404/molecule.yml +++ b/roles/rke2/molecule/ubuntu-2404/molecule.yml @@ -34,7 +34,7 @@ provisioner: inventory: hosts: rke2_cluster: - children: + children: rke2_servers: vars: group_rke2_config: @@ -57,4 +57,4 @@ provisioner: - host1Label=true verifier: - name: ansible \ No newline at end of file + name: ansible From b8b580c38d2276baf56e2c325059cd359c63940b Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Fri, 2 Aug 2024 10:47:01 -0500 Subject: [PATCH 26/36] yes/no are not bools --- .yamllint | 2 -- roles/rke2/defaults/main.yml | 4 ++-- roles/rke2/tasks/add_ansible_managed_config.yml | 2 +- roles/rke2/tasks/calculate_rke2_version.yml | 13 ++++++------- roles/rke2/tasks/cis_hardening.yml | 4 ++-- roles/rke2/tasks/configure_rke2.yml | 2 +- roles/rke2/tasks/network_manager_fix.yaml | 6 +++--- roles/rke2/tasks/pre_reqs.yml | 4 ++-- roles/rke2/tasks/tarball_install.yml | 10 +++++----- roles/rke2/tasks/wait_for_rke2.yml | 2 +- roles/testing/tasks/basic_tests.yml | 2 +- testing.yml | 2 +- 12 files changed, 25 insertions(+), 28 deletions(-) diff --git a/.yamllint b/.yamllint index c2321b0f..b2e05b7f 100644 --- a/.yamllint +++ b/.yamllint @@ -5,8 +5,6 @@ rules: line-length: max: 120 level: warning - truthy: - allowed-values: ['true', 'false', 'yes', 'no'] ignore: | .github/ diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index e47a1402..ed16321c 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -20,7 +20,7 @@ rke2_common_yum_repo: baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/common/centos/$releasever/noarch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" - enabled: yes + enabled: true rke2_versioned_yum_repo: name: "rancher-rke2-v{{ rke2_version_majmin }}" # noqa jinja[spacing] @@ -28,7 +28,7 @@ rke2_versioned_yum_repo: baseurl: "https://rpm.rancher.io/rke2/{{ rke2_channel }}/{{ rke2_version_majmin }}/centos/$releasever/$basearch" gpgcheck: true gpgkey: "https://rpm.rancher.io/public.key" - enabled: yes + enabled: true rke2_kubelet_node_name: - "nodeNameNotFound" rke2_config: {} diff --git a/roles/rke2/tasks/add_ansible_managed_config.yml b/roles/rke2/tasks/add_ansible_managed_config.yml index 29103cd1..cb07f931 100644 --- a/roles/rke2/tasks/add_ansible_managed_config.yml +++ b/roles/rke2/tasks/add_ansible_managed_config.yml @@ -24,7 +24,7 @@ name: "{{ file_destination }}" line: '## This is an Ansible managed file, contents will be overwritten ##' state: present - check_mode: yes + check_mode: true register: ansible_managed_check when: stat_result.stat.exists | bool is true diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml index 12c0712e..7c0a939d 100644 --- a/roles/rke2/tasks/calculate_rke2_version.yml +++ b/roles/rke2/tasks/calculate_rke2_version.yml @@ -85,10 +85,9 @@ when: - rke2_version_rpm | length > 0 - # - name: Describe versions - # ansible.builtin.debug: - # msg: - # - "Full version, with revision indication: {{ rke2_full_version }}" - # # - "Version without revision indication: {{ rke2_version_dot }}" - # - "Major and Minor Only: {{ rke2_version_majmin }}" - # - "RPM Version (tilde): {{ rke2_version_rpm }}" +# - name: Describe versions +# ansible.builtin.debug: +# msg: +# - "Full version, with revision indication: {{ rke2_full_version }}" +# - "Major and Minor Only: {{ rke2_version_majmin }}" +# - "RPM Version (tilde): {{ rke2_version_rpm }}" diff --git a/roles/rke2/tasks/cis_hardening.yml b/roles/rke2/tasks/cis_hardening.yml index dec33eb2..b2d194b2 100644 --- a/roles/rke2/tasks/cis_hardening.yml +++ b/roles/rke2/tasks/cis_hardening.yml @@ -1,7 +1,7 @@ --- - name: CIS MODE - become: yes + become: true when: - (cluster_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or (group_rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')) or @@ -38,7 +38,7 @@ ansible.builtin.copy: src: /usr/local/share/rke2/rke2-cis-sysctl.conf dest: /etc/sysctl.d/60-rke2-cis.conf - remote_src: yes + remote_src: true mode: 0600 register: sysctl_operation_tarball when: diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 6036a23a..5673884c 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -4,7 +4,7 @@ ansible.builtin.file: path: /etc/rancher/rke2 state: directory - recurse: yes + recurse: true - name: Run CIS-Hardening Tasks ansible.builtin.include_tasks: cis_hardening.yml diff --git a/roles/rke2/tasks/network_manager_fix.yaml b/roles/rke2/tasks/network_manager_fix.yaml index 95037c33..4e61c1eb 100644 --- a/roles/rke2/tasks/network_manager_fix.yaml +++ b/roles/rke2/tasks/network_manager_fix.yaml @@ -10,7 +10,7 @@ block: | [keyfile] unmanaged-devices=interface-name:cali*;interface-name:flannel* - create: yes + create: true mode: 0600 when: ansible_facts.services["NetworkManager.service"] is defined @@ -31,7 +31,7 @@ - name: Disable service nm-cloud-setup ansible.builtin.systemd: name: nm-cloud-setup.service - enabled: no + enabled: false state: stopped when: ansible_facts.services["nm-cloud-setup.service"] is defined notify: @@ -42,7 +42,7 @@ ansible.builtin.systemd: name: nm-cloud-setup.timer state: stopped - enabled: no + enabled: false when: ansible_facts.services["nm-cloud-setup.service"] is defined notify: - Reload NetworkManager diff --git a/roles/rke2/tasks/pre_reqs.yml b/roles/rke2/tasks/pre_reqs.yml index e6aa81b6..3a47e02e 100644 --- a/roles/rke2/tasks/pre_reqs.yml +++ b/roles/rke2/tasks/pre_reqs.yml @@ -6,7 +6,7 @@ ansible.builtin.systemd: name: firewalld state: stopped - enabled: no + enabled: false when: - ansible_facts.services["firewalld.service"] is defined - ansible_facts.services["firewalld.service"].status != "not-found" @@ -18,7 +18,7 @@ - name: Add server iptables rules ansible.builtin.include_tasks: iptables_rules.yml when: - # - ansible_facts.services["iptables.service"] is defined + # - ansible_facts.services["iptables.service"] is defined - rke2_add_iptables_rules | bool - name: Add fapolicyd rules diff --git a/roles/rke2/tasks/tarball_install.yml b/roles/rke2/tasks/tarball_install.yml index 3247d6ba..8f857bd2 100644 --- a/roles/rke2/tasks/tarball_install.yml +++ b/roles/rke2/tasks/tarball_install.yml @@ -139,7 +139,7 @@ mode: '0644' owner: root group: root - remote_src: yes + remote_src: true when: - inventory_hostname in groups['rke2_servers'] @@ -150,7 +150,7 @@ mode: '0644' owner: root group: root - remote_src: yes + remote_src: true when: - inventory_hostname in groups['rke2_servers'] @@ -161,7 +161,7 @@ mode: '0644' owner: root group: root - remote_src: yes + remote_src: true when: - inventory_hostname in groups.get('rke2_agents', []) @@ -172,13 +172,13 @@ mode: '0644' owner: root group: root - remote_src: yes + remote_src: true when: - inventory_hostname in groups.get('rke2_agents', []) - name: TARBALL | Refreshing systemd unit files ansible.builtin.systemd: - daemon-reload: yes + daemon-reload: true - name: Remove the temp_dir ansible.builtin.file: diff --git a/roles/rke2/tasks/wait_for_rke2.yml b/roles/rke2/tasks/wait_for_rke2.yml index 04ec0d94..ea027d97 100644 --- a/roles/rke2/tasks/wait_for_rke2.yml +++ b/roles/rke2/tasks/wait_for_rke2.yml @@ -7,7 +7,7 @@ ansible.builtin.systemd: name: "{{ service_name }}" state: started - enabled: yes + enabled: true - name: Wait for k8s apiserver ansible.builtin.wait_for: diff --git a/roles/testing/tasks/basic_tests.yml b/roles/testing/tasks/basic_tests.yml index 5eb79a40..d4ff5c5a 100644 --- a/roles/testing/tasks/basic_tests.yml +++ b/roles/testing/tasks/basic_tests.yml @@ -9,7 +9,7 @@ ansible.builtin.lineinfile: path: /etc/rancher/rke2/config.yaml line: "selinux: true" - check_mode: yes + check_mode: true register: test_is_selinux_true - name: Assertions diff --git a/testing.yml b/testing.yml index 8e6c89be..57be9470 100644 --- a/testing.yml +++ b/testing.yml @@ -1,6 +1,6 @@ --- - name: Testing play hosts: all - become: yes + become: true roles: - role: testing From 3c3eaab2af84dc90b3f06358f9ecc11e421d1453 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin <43078293+Daemonslayer2048@users.noreply.github.com> Date: Tue, 1 Oct 2024 15:03:21 -0500 Subject: [PATCH 27/36] Create galaxy.yml --- galaxy.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 galaxy.yml diff --git a/galaxy.yml b/galaxy.yml new file mode 100644 index 00000000..4e52df6b --- /dev/null +++ b/galaxy.yml @@ -0,0 +1,22 @@ +--- +namespace: rancherfederal +name: rke2_ansible +version: 1.0.0 +readme: README.md +authors: + - Rancher Government +description: Collection for rancherfederal/rke2-ansible + +license_file: 'LICENSE' + +tags: [infrastructure, linux, kubernetes, rancher, rke2] + +repository: https://github.com/rancherfederal/rke2-ansible +documentation: https://github.com/rancherfederal/rke2-ansible +homepage: https://github.com/rancherfederal/rke2-ansible +issues: https://github.com/rancherfederal/rke2-ansible/issues + +build_ignore: + - tarball_install/* + - testing + - .github From b31aa884ad442d4f017739e9ba124e4555231137 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin <43078293+Daemonslayer2048@users.noreply.github.com> Date: Wed, 16 Oct 2024 10:27:21 -0500 Subject: [PATCH 28/36] Update variable in example hosts.yml install_rke2_version was renamed to rke2_install_version --- inventory/sample/hosts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml index 8beb932f..82aeab26 100644 --- a/inventory/sample/hosts.yml +++ b/inventory/sample/hosts.yml @@ -1,7 +1,7 @@ --- all: vars: - install_rke2_version: v1.27.10+rke2r1 + rke2_install_version: v1.27.10+rke2r1 # # In air-gapped envs, it might be convenient to download the tar files from custom URLs # rke2_install_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz # rke2_image_tar_urls: From 757852e0e4477004477f7e5fabe500d28a50d0a1 Mon Sep 17 00:00:00 2001 From: Adam Leiner <104371562+aleiner@users.noreply.github.com> Date: Thu, 9 Jan 2025 13:47:32 -0500 Subject: [PATCH 29/36] set become: false on local file lookup --- roles/rke2/tasks/add_manifest_addons.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rke2/tasks/add_manifest_addons.yml b/roles/rke2/tasks/add_manifest_addons.yml index e8421971..e018a476 100644 --- a/roles/rke2/tasks/add_manifest_addons.yml +++ b/roles/rke2/tasks/add_manifest_addons.yml @@ -5,6 +5,7 @@ paths: "{{ source_directory }}" register: local_files_find_return delegate_to: localhost + become: false - name: Create array of managed files ansible.builtin.set_fact: From 50f9fc2a8640c85a5f2fa2b96f2a1c3e1c38acf2 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin <43078293+Daemonslayer2048@users.noreply.github.com> Date: Thu, 9 Jan 2025 13:51:57 -0600 Subject: [PATCH 30/36] Docs update (#266) * Add network attached instructions * Update tarball docs * Github does not support titled admons * Clear some lint issues * Clear some galaxy errors * Clear some new lint issues * Fix ansible semver string * Use a supported ansible version * Update file and folder names * Update README instruction o inventory use * Add vale linting, normalized file extensions, and doc tweaks * Revert become change, remove superfluous docs in main readme * adjusting config verbiage --------- Co-authored-by: Adam Leiner <104371562+aleiner@users.noreply.github.com> --- .../vale/Readability/AutomatedReadability.yml | 8 + .github/vale/Readability/ColemanLiau.yml | 8 + .github/vale/Readability/FleschKincaid.yml | 8 + .../vale/Readability/FleschReadingEase.yml | 8 + .github/vale/Readability/GunningFog.yml | 8 + .github/vale/Readability/LIX.yml | 17 ++ .github/vale/Readability/SMOG.yml | 8 + .github/vale/Readability/meta.json | 4 + .../vale/config/vocabularies/RGS/accept.txt | 18 ++ .gitignore | 1 + .vale.ini | 10 + README.md | 78 ++---- ansible.cfg | 2 +- changelogs/changelog.yml | 2 + docs/README.md | 263 ++++++++++++++++++ .../files}/audit-policy.yaml | 0 .../files}/pod-security-admission-config.yaml | 5 - .../group_vars/all.yml | 4 + .../group_vars/rke2_servers.yml | 18 ++ docs/advanced_sample_inventory/hosts.yml | 9 + .../post-deploy-manifests/cert-manager.yaml | 15 + .../pre-deploy-manifests/cilium.yaml | 16 ++ docs/basic_sample_inventory/hosts.yml | 9 + docs/development.md | 10 + .../sample_files}/registries.yaml | 0 docs/tarball_install.md | 54 ++++ .../group_vars/all.yml | 4 + docs/tarball_sample_inventory/hosts.yml | 9 + galaxy.yml | 2 +- inventory/.gitignore | 4 - inventory/sample/group_vars/rke2_agents.yml | 10 - inventory/sample/group_vars/rke2_servers.yml | 53 ---- inventory/sample/hosts.yml | 85 ------ meta/runtime.yml | 2 + requirements.yml | 3 - sample_files/manifests/manifest-example.yaml | 28 -- sample_files/tarball_install/README.md | 32 --- 37 files changed, 534 insertions(+), 281 deletions(-) create mode 100644 .github/vale/Readability/AutomatedReadability.yml create mode 100644 .github/vale/Readability/ColemanLiau.yml create mode 100644 .github/vale/Readability/FleschKincaid.yml create mode 100644 .github/vale/Readability/FleschReadingEase.yml create mode 100644 .github/vale/Readability/GunningFog.yml create mode 100644 .github/vale/Readability/LIX.yml create mode 100644 .github/vale/Readability/SMOG.yml create mode 100644 .github/vale/Readability/meta.json create mode 100644 .github/vale/config/vocabularies/RGS/accept.txt create mode 100644 .vale.ini create mode 100644 changelogs/changelog.yml create mode 100644 docs/README.md rename {sample_files => docs/advanced_sample_inventory/files}/audit-policy.yaml (100%) rename {sample_files => docs/advanced_sample_inventory/files}/pod-security-admission-config.yaml (84%) create mode 100644 docs/advanced_sample_inventory/group_vars/all.yml create mode 100644 docs/advanced_sample_inventory/group_vars/rke2_servers.yml create mode 100644 docs/advanced_sample_inventory/hosts.yml create mode 100644 docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml create mode 100644 docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml create mode 100644 docs/basic_sample_inventory/hosts.yml create mode 100644 docs/development.md rename {sample_files => docs/sample_files}/registries.yaml (100%) create mode 100644 docs/tarball_install.md create mode 100644 docs/tarball_sample_inventory/group_vars/all.yml create mode 100644 docs/tarball_sample_inventory/hosts.yml delete mode 100644 inventory/.gitignore delete mode 100644 inventory/sample/group_vars/rke2_agents.yml delete mode 100644 inventory/sample/group_vars/rke2_servers.yml delete mode 100644 inventory/sample/hosts.yml create mode 100644 meta/runtime.yml delete mode 100644 requirements.yml delete mode 100644 sample_files/manifests/manifest-example.yaml delete mode 100644 sample_files/tarball_install/README.md diff --git a/.github/vale/Readability/AutomatedReadability.yml b/.github/vale/Readability/AutomatedReadability.yml new file mode 100644 index 00000000..dd9fe669 --- /dev/null +++ b/.github/vale/Readability/AutomatedReadability.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Automated Readability Index (%s) below 8." +link: https://en.wikipedia.org/wiki/Automated_readability_index + +formula: | + (4.71 * (characters / words)) + (0.5 * (words / sentences)) - 21.43 + +condition: "> 8" diff --git a/.github/vale/Readability/ColemanLiau.yml b/.github/vale/Readability/ColemanLiau.yml new file mode 100644 index 00000000..d478303c --- /dev/null +++ b/.github/vale/Readability/ColemanLiau.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Coleman–Liau Index grade (%s) below 9." +link: https://en.wikipedia.org/wiki/Coleman%E2%80%93Liau_index + +formula: | + (0.0588 * (characters / words) * 100) - (0.296 * (sentences / words) * 100) - 15.8 + +condition: "> 9" diff --git a/.github/vale/Readability/FleschKincaid.yml b/.github/vale/Readability/FleschKincaid.yml new file mode 100644 index 00000000..3f60f205 --- /dev/null +++ b/.github/vale/Readability/FleschKincaid.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Flesch–Kincaid grade level (%s) below 8." +link: https://en.wikipedia.org/wiki/Flesch%E2%80%93Kincaid_readability_tests + +formula: | + (0.39 * (words / sentences)) + (11.8 * (syllables / words)) - 15.59 + +condition: "> 8" diff --git a/.github/vale/Readability/FleschReadingEase.yml b/.github/vale/Readability/FleschReadingEase.yml new file mode 100644 index 00000000..61797667 --- /dev/null +++ b/.github/vale/Readability/FleschReadingEase.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Flesch reading ease score (%s) above 70." +link: https://en.wikipedia.org/wiki/Flesch%E2%80%93Kincaid_readability_tests + +formula: | + 206.835 - (1.015 * (words / sentences)) - (84.6 * (syllables / words)) + +condition: "< 70" diff --git a/.github/vale/Readability/GunningFog.yml b/.github/vale/Readability/GunningFog.yml new file mode 100644 index 00000000..302c0eeb --- /dev/null +++ b/.github/vale/Readability/GunningFog.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the Gunning-Fog index (%s) below 10." +link: https://en.wikipedia.org/wiki/Gunning_fog_index + +formula: | + 0.4 * ((words / sentences) + 100 * (complex_words / words)) + +condition: "> 10" diff --git a/.github/vale/Readability/LIX.yml b/.github/vale/Readability/LIX.yml new file mode 100644 index 00000000..f5b0f4e8 --- /dev/null +++ b/.github/vale/Readability/LIX.yml @@ -0,0 +1,17 @@ +extends: metric +message: "Try to keep the LIX score (%s) below 35." + +link: https://en.wikipedia.org/wiki/Lix_(readability_test) +# Very Easy: 20 - 25 +# +# Easy: 30 - 35 +# +# Medium: 40 - 45 +# +# Difficult: 50 - 55 +# +# Very Difficult: 60+ +formula: | + (words / sentences) + ((long_words * 100) / words) + +condition: "> 35" diff --git a/.github/vale/Readability/SMOG.yml b/.github/vale/Readability/SMOG.yml new file mode 100644 index 00000000..e7f5913b --- /dev/null +++ b/.github/vale/Readability/SMOG.yml @@ -0,0 +1,8 @@ +extends: metric +message: "Try to keep the SMOG grade (%s) below 10." +link: https://en.wikipedia.org/wiki/SMOG + +formula: | + 1.0430 * math.sqrt((polysyllabic_words * 30.0) / sentences) + 3.1291 + +condition: "> 10" diff --git a/.github/vale/Readability/meta.json b/.github/vale/Readability/meta.json new file mode 100644 index 00000000..0ff71c30 --- /dev/null +++ b/.github/vale/Readability/meta.json @@ -0,0 +1,4 @@ +{ + "feed": "https://github.com/errata-ai/Readability/releases.atom", + "vale_version": ">=2.13.0" +} \ No newline at end of file diff --git a/.github/vale/config/vocabularies/RGS/accept.txt b/.github/vale/config/vocabularies/RGS/accept.txt new file mode 100644 index 00000000..315ffad8 --- /dev/null +++ b/.github/vale/config/vocabularies/RGS/accept.txt @@ -0,0 +1,18 @@ +# Common/valid Slang +[C|c]onfig +airgap + +# Acronyms +STIG + +# Tools +[A|a]nsible + +# Kubernetes +Kubernetes +[K|k]ubeconfig + +# Linux +[F|f]apolicyd +containerd +SELinux \ No newline at end of file diff --git a/.gitignore b/.gitignore index 66226d30..dc23ec9e 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ venv/ .venv/ test_inventory* +inventory* sample_files/tarball_install/* !sample_files/tarball_install/README.md \ No newline at end of file diff --git a/.vale.ini b/.vale.ini new file mode 100644 index 00000000..61de8510 --- /dev/null +++ b/.vale.ini @@ -0,0 +1,10 @@ +StylesPath = ./.github/vale + +MinAlertLevel = suggestion +Vocab = RGS + +Packages = Readability + +[*.md] +BasedOnStyles = Vale, Readability + diff --git a/README.md b/README.md index d1789905..1eb3cace 100644 --- a/README.md +++ b/README.md @@ -29,9 +29,13 @@ Thank you for your understanding and cooperation. Ansible RKE2 (RKE Government) Playbook --------- -[![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ci.yml) +[![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml?query=branch%3Amain) -RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible playbook installs RKE2 for both the control plane and workers. +[![Rocky 8](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky8.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky8.yml?query=branch%3Amain) + +[![Ubuntu 20](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu20.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu20.yml?query=branch%3Amain) + +RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible playbook installs RKE2 for both the control plane and workers. See the [docs](https://docs.rke2.io/) more information about [RKE Government](https://docs.rke2.io/). @@ -49,79 +53,35 @@ Supported Operating Systems: System requirements ------------------- - Deployment environment must have Ansible 2.9.0+ -Server and agent nodes must have passwordless SSH access - Usage ----- +Create an Ansible inventory file (or folder), you can check the docs folder for examples (`basic_sample_inventory` or `advanced_sample_inventory`). -This playbook requires ansible.utils to run properly. Please see https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-a-collection-from-galaxy for more information about how to install this. - -``` -ansible-galaxy collection install -r requirements.yml -``` - -Create a new directory based on the `sample` directory within the `inventory` directory: - -```bash -cp -R inventory/sample inventory/my-cluster -``` - -Second, edit `inventory/my-cluster/hosts.yaml` to match the system information gathered above. For example: - -```yaml -rke2_cluster: - children: - rke2_servers: - hosts: - server1.example.com: - rke2_agents: - hosts: - agent1.example.com: - agent2.example.com: - node_labels: - - agent2Label=true" -all: - vars: - install_rke2_version: v1.27.10+rke2r1 -``` - -If needed, you can also edit `inventory/my-cluster/group_vars/rke2_agents.yml` and `inventory/my-cluster/group_vars/rke2_servers.yml` to match your environment. - -Start provisioning of the cluster using the following command: +> [!NOTE] +> More detailed information can be found [here](./docs/README.md) +Start provisioning the cluster using the following command: ```bash -ansible-playbook site.yml -i inventory/my-cluster/hosts.yml -``` +ansible-playbook site.yml -i inventory/hosts.yml -b +``` -Tarball Install/Air-Gap Install -------------------------------- -Added the neeed files to the [tarball_install](tarball_install/) directory. -Further info can be found [here](tarball_install/README.md) +Tarball Install/Air-Gap Install +------------------------------- +Air-Gap/Tarball install information can be found [here](./docs/tarball_install.md) Kubeconfig ---------- - -To get access to your **Kubernetes** cluster just - -```bash -ssh ec2-user@rke2_kubernetes_api_server_host "sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get nodes" -``` - -Available configurations ------------------------- - -Variables should be set in `inventory/cluster/group_vars/rke2_agents.yml` and `inventory/cluster/group_vars/rke2_servers.yml`. See sample variables in `inventory/sample/group_vars` for reference. +The root user will have the `kubeconfig` and `kubectl` made available, to access your cluster login into any server node and `kubectl` will be available for use immediately. -Uninstall RKE2 ---------------- +Uninstall RKE2 +--------------- Note: Uninstalling RKE2 deletes the cluster data and all of the scripts. -The offical documentation for fully uninstalling the RKE2 cluster can be found in the [RKE2 Documentation](https://docs.rke2.io/install/uninstall/). +The official documentation for fully uninstalling the RKE2 cluster can be found in the [RKE2 Documentation](https://docs.rke2.io/install/uninstall/). If you used this module to created the cluster and RKE2 was installed via yum, then you can attempt to run this command to remove all cluster data and all RKE2 scripts. diff --git a/ansible.cfg b/ansible.cfg index a351711f..963f3c12 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,7 +1,7 @@ [defaults] nocows = True roles_path = ./roles -inventory = ./inventory/my-cluster/hosts.yml +inventory = ./inventory/hosts.yml remote_tmp = $HOME/.ansible/tmp local_tmp = $HOME/.ansible/tmp diff --git a/changelogs/changelog.yml b/changelogs/changelog.yml new file mode 100644 index 00000000..52e7f388 --- /dev/null +++ b/changelogs/changelog.yml @@ -0,0 +1,2 @@ +--- +releases: {} diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 00000000..ba613cb1 --- /dev/null +++ b/docs/README.md @@ -0,0 +1,263 @@ +# Table of Contents +- [Table of Contents](#table-of-contents) +- [Basic Usage](#basic-usage) + - [Cloning](#cloning) + - [Importing](#importing) +- [Defining Your Cluster](#defining-your-cluster) + - [Minimal Cluster Inventory](#minimal-cluster-inventory) + - [Structuring Your Variable Files](#structuring-your-variable-files) + - [Enabling SELinux](#enabling-selinux) + - [Enabling CIS Modes](#enabling-cis-modes) + - [Special Variables](#special-variables) + - [RKE2 Config Variables](#rke2-config-variables) + - [Defining the RKE2 Version](#defining-the-rke2-version) + - [Example](#example) + - [Defining a PSA Config](#defining-a-psa-config) + - [Example](#example-1) + - [Defining an Audit Policy](#defining-an-audit-policy) + - [Example](#example-2) + - [Adding Additional Cluster Manifests](#adding-additional-cluster-manifests) + - [Pre-Deploy Example](#pre-deploy-example) + - [Post-Deploy Example](#post-deploy-example) +- [Examples](#examples) + +# Basic Usage +There are two methods for consuming this repository, one is to simply clone the repository and edit it as necessary, the other is to import it as a collection, both options are detailed below. + +> [!NOTE] +> If you are looking for airgap or tarball installation instructions, please go [here](./tarball_install.md) + +## Cloning +The simplest method for using this repository (as detailed in the main README.md) is to simply clone the repository and copy the sample inventory. + + +## Importing +The second method for using this project is to import it as a collection in your own `requirements.yml` as this repository does contain a `galaxy.yml`. To import it add the following to your `galaxy.yml`: +```yaml +collections: + - name: rancherfederal.rke2-ansible + source: git@github.com:rancherfederal/rke2-ansible.git + type: git + version: main +``` +Then you can call the RKE2 role in a play like so: +```yaml +--- +- name: RKE2 play + hosts: all + any_errors_fatal: True + roles: + - role: rancherfederal.rke2_ansible.rke2 +``` + + +# Defining Your Cluster +This repository is not intended to be opinionated and as a result it is important you to have read and understand the [RKE2 docs](https://docs.rke2.io/) before moving forward, this documentation is not intended to be an exhaustive explanation of all possible RKE2 configuration options, it is up to the end user to ensure their options are valid. + + +## Minimal Cluster Inventory +The most basic inventory file contains nothing more than your hosts, see below: +```yaml +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: +``` +This is the simplest possible inventory file and will deploy the latest available version of RKE2 with only default settings. + + +## Structuring Your Variable Files +Configurations and variables can become lengthy and unwieldy, as a general note of advice it is best to move variables into a `group_vars` folder. +``` +./inventory +├── Cluser_A +│   ├── group_vars +│   │   ├── all.yml +│   │   ├── rke2_agents.yml +│   │   └── rke2_servers.yml +│   └── hosts.yml +└── Cluser_B + ├── group_vars + │   ├── all.yml + │   ├── rke2_agents.yml + │   └── rke2_servers.yml + └── hosts.yml + +5 directories, 8 files +``` + + +## Enabling SELinux +Enabling SELinux in the playbook requires `selinux: true` be set in either the cluster, group, or host level config profiles (Please see [Special Variables](#special-variables) for more info). Though generally this should be set at the cluster and can be done like so: +__hosts.yml:__ +```yaml +--- +all: + vars: + cluster_rke2_config: + selinux: true +``` +For more information please see the RKE2 documentation, [here](https://docs.rke2.io/security/selinux). + + +## Enabling CIS Modes +Enabling the CIS tasks in the playbook requires a CIS profile be added to the ansible variables file. This can be placed in either the cluster, or group level config profiles (Please see [Special Variables](#special-variables) for more info). Below is an example, in the example the CIS profile is set at the group level, this ensures all server nodes run the CIS hardening profile tasks. +__hosts.yml:__ +```yaml +rke2_cluster: + children: + rke2_servers: + vars: + group_rke2_config: + profile: cis +``` +For more information please see the RKE2 documentation, [here](https://docs.rke2.io/security/hardening_guide). + + +## Special Variables +In general this repository has attempted to move away from special or "magic" variables, however some are unavoidable, the (non-exhaustive) list of variables is below: + - `all.vars.rke2_install_version`: This defines what version of RKE2 to install + - `rke2_cluster.children.rke2_servers.vars.hosts..node_labels`: Defines a list of node labels for a specific server node + - `rke2_cluster.children.rke2_agents.vars.hosts..node_labels`: Defines a list of node labels for a specific agent node + + +### RKE2 Config Variables +There are three levels an RKE2 config variables can be placed in, that is `cluster_rke2_config`, `group_rke2_config`, and `host_rke2_config`. + - `all.vars.cluster_rke2_config`: Defines common RKE2 config options for the whole cluster + - `rke2_cluster.children.rke2_servers.vars.group_rke2_config`: Defines common RKE2 config options for the `rke2_servers` group + - `rke2_cluster.children.rke2_agents.vars.group_rke2_config`: Defines common RKE2 config options for the `rke2_agents` group + - `rke2_cluster.children.rke2_servers.vars.hosts..host_rke2_config`: Defines RKE2 config options for a specific server node + - `rke2_cluster.children.rke2_agents.vars.hosts..host_rke2_config`: Defines RKE2 config options for a specific agent node + +> [!NOTE] +> Through the rest of these docs you may see references to `rke2_servers.yml`, this is the group vars file for rke2_servers. This is functionally equivalent to `rke2_cluster.children.rke2_servers.vars`. References to `rke2_agents.yml` is functionally equivalent to `rke2_cluster.children.rke2_agents.vars` + +It is important to understand these variables here are not special in the sense that they enable or disable certain functions in the RKE2 role, with one notable exception being the `profile` key. These variables are special in the sense that they will be condensed into a single config file on each node. Each node will end up with a merged config file comprised of `cluster_rke2_config`, `group_rke2_config`, and `host_rke2_config`. + + +### Defining the RKE2 Version +A version of RKE2 can be selected to be installed via the `all.vars.rke2_install_version` variable, please see the RKE2 repository for available [releases](releases). + +#### Example +__group_vars/all.yml:__ +```yaml +--- +all: + vars: + rke2_install_version: v1.29.12+rke2r1 +``` + +### Defining a PSA Config +In order to define a PSA (Pod Security Admission) config, server nodes will need to have the `rke2_pod_security_admission_config_file_path` variable defined, then the `pod-security-admission-config-file` will need to be defined in the rke2_config variable at the relevant level (please see [RKE Config Variables](#rke2-config-variables)). + +#### Example +Below is an example of how this can be defined at the server group level (`rke2_cluster.children.rke2_servers.vars`): + +__group_vars/rke2_servers.yml:__ +```yaml +--- +rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml" +group_rke2_config: + pod-security-admission-config-file: /etc/rancher/rke2/pod-security-admission-config.yaml +``` + + +### Defining an Audit Policy +In order to define a audit policy config, server nodes will need to have the `rke2_audit_policy_config_file_path` variable defined, then the `audit-policy-file` will need to be defined in the rke2_config variable at the relevant level (please see [RKE Config Variables](#rke2-config-variables)). + +#### Example +Below is an example of how this can be defined at the server group level (`rke2_cluster.children.rke2_servers.vars`): + +__group_vars/rke2_servers.yml:__ +```yaml +rke2_audit_policy_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/audit-policy.yaml" +group_rke2_config: + audit-policy-file: /etc/rancher/rke2/audit-policy.yaml + kube-apiserver-arg: + - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml + - audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log +``` + + +### Adding Additional Cluster Manifests +If you have a cluster that needs extra manifests to be deployed or the cluster needs a critical component to be configured RKE2's "HelmChartConfig" is an available option (among others). The Ansible repository supports the use of these configuration files. Simply place the Helm chart configs in a folder, give Ansible the path to the folder, and Ansible will enumerate the files and place them on the first server node. + +There are two variables that control the deployment of manifests to the server nodes: + - `rke2_manifest_config_directory` + - `rke2_manifest_config_post_run_directory` + +The first variable is used to deploy manifest to the server nodes before starting the RKE2 server process, this ensures critical components (like the CNI) can be configured when the RKE2 server process starts. The second, ensures applications are deployed after the RKE2 server process starts. There are examples of both below. + +#### Pre-Deploy Example +The example used is configuring Cilium with the kube-proxy replacement enabled (a fairly common use case): + +> [!WARNING] +> If this option is used you must provide a `become` password and this must be the password for the local host running the Ansible playbook. The playbook is looking for this directory on the localhost, and will run as root. This imposes some limitations, if you are using an SSH password to login to remote systems (typical for STIG'd clusters) the `become` password must be the same for the cluster nodes AND localhost. + +__group_vars/rke2_servers.yml:__ +For this example to work kube-proxy needs to be disabled, and the Cilium CNI needs to be enabled. +```yaml +rke2_manifest_config_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/" +group_rke2_config: + # Use Cilium as the CNI + cni: + - cilium + # Cilium will replace this + disable-kube-proxy: true +``` + +__cilium.yaml:__ +This file should be placed in the directory you intend to upload to the server node, in the example above that is `{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/`. +```yaml +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-cilium + namespace: kube-system +spec: + valuesContent: |- + kubeProxyReplacement: true + k8sServiceHost: 127.0.0.1 + k8sServicePort: 6443 + bpf: + masquerade: true + preallocateMaps: true + tproxy: true + bpfClockProbe: true +``` + +#### Post-Deploy Example +In the example below cert-manager is auto deployed after the RKE2 server process is started. +__group_vars/rke2_servers.yml:__ +```yaml +rke2_manifest_config_post_run_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/post-deploy-manifests/" +``` + +This file should be placed in the directory you intend to upload to the server node, in the example above that is `{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/`. +__cert-manager.yaml__ +```yaml +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: jetstack + namespace: kube-system +spec: + repo: https://charts.jetstack.io + chart: cert-manager + version: v1.16.2 + targetNamespace: cert-manager + createNamespace: true + valuesContent: |- + crds: + enabled: true +``` + +# Examples +There are two examples provided in this folder, `basic_sample_inventory`, and `advanced_sample_inventory`. The basic example is the simplest possible example, the advanced example is all of the options explained above in one example. diff --git a/sample_files/audit-policy.yaml b/docs/advanced_sample_inventory/files/audit-policy.yaml similarity index 100% rename from sample_files/audit-policy.yaml rename to docs/advanced_sample_inventory/files/audit-policy.yaml diff --git a/sample_files/pod-security-admission-config.yaml b/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml similarity index 84% rename from sample_files/pod-security-admission-config.yaml rename to docs/advanced_sample_inventory/files/pod-security-admission-config.yaml index 6aaaa5a8..fbde7fa1 100644 --- a/sample_files/pod-security-admission-config.yaml +++ b/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml @@ -1,8 +1,3 @@ -# This sample list was generated from: -# https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces -# For security reasons, this list should be as concise as possible -# only include active namespaces that need to be except from a restricted profile. - --- apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration diff --git a/docs/advanced_sample_inventory/group_vars/all.yml b/docs/advanced_sample_inventory/group_vars/all.yml new file mode 100644 index 00000000..1ee2ec2a --- /dev/null +++ b/docs/advanced_sample_inventory/group_vars/all.yml @@ -0,0 +1,4 @@ +--- +rke2_install_version: v1.29.12+rke2r1 +cluster_rke2_config: + selinux: true diff --git a/docs/advanced_sample_inventory/group_vars/rke2_servers.yml b/docs/advanced_sample_inventory/group_vars/rke2_servers.yml new file mode 100644 index 00000000..b4928a8a --- /dev/null +++ b/docs/advanced_sample_inventory/group_vars/rke2_servers.yml @@ -0,0 +1,18 @@ +--- +rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/pod-security-admission-config.yaml" +rke2_audit_policy_config_file_path: "{{ playbook_dir }}/docs/advanced_sample_inventory/files/audit-policy.yaml" +rke2_manifest_config_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/pre-deploy-manifests/" +rke2_manifest_config_post_run_directory: "{{ playbook_dir }}/docs/advanced_sample_inventory/post-deploy-manifests/" + +group_rke2_config: + # Use Cilium as the CNI + cni: + - cilium + # Cilium will replace this + disable-kube-proxy: true + profile: cis + pod-security-admission-config-file: /etc/rancher/rke2/pod-security-admission-config.yaml + audit-policy-file: /etc/rancher/rke2/audit-policy.yaml + kube-apiserver-arg: + - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml + - audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log diff --git a/docs/advanced_sample_inventory/hosts.yml b/docs/advanced_sample_inventory/hosts.yml new file mode 100644 index 00000000..e6bd01c4 --- /dev/null +++ b/docs/advanced_sample_inventory/hosts.yml @@ -0,0 +1,9 @@ +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: diff --git a/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml b/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml new file mode 100644 index 00000000..332c0a29 --- /dev/null +++ b/docs/advanced_sample_inventory/post-deploy-manifests/cert-manager.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: jetstack + namespace: kube-system +spec: + repo: https://charts.jetstack.io + chart: cert-manager + version: v1.16.2 + targetNamespace: cert-manager + createNamespace: true + valuesContent: |- + crds: + enabled: true diff --git a/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml b/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml new file mode 100644 index 00000000..7295e61a --- /dev/null +++ b/docs/advanced_sample_inventory/pre-deploy-manifests/cilium.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-cilium + namespace: kube-system +spec: + valuesContent: |- + kubeProxyReplacement: true + k8sServiceHost: 127.0.0.1 + k8sServicePort: 6443 + bpf: + masquerade: true + preallocateMaps: true + tproxy: true + bpfClockProbe: true diff --git a/docs/basic_sample_inventory/hosts.yml b/docs/basic_sample_inventory/hosts.yml new file mode 100644 index 00000000..e6bd01c4 --- /dev/null +++ b/docs/basic_sample_inventory/hosts.yml @@ -0,0 +1,9 @@ +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: diff --git a/docs/development.md b/docs/development.md new file mode 100644 index 00000000..2bc1f224 --- /dev/null +++ b/docs/development.md @@ -0,0 +1,10 @@ +# Table of Contents +- [Table of Contents](#table-of-contents) +- [Dependencies](#dependencies) + +# Dependencies +This playbook requires ansible.utils to run properly. Please see https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-a-collection-from-galaxy for more information about how to install this. + +``` +ansible-galaxy collection install -r requirements.yml +``` \ No newline at end of file diff --git a/sample_files/registries.yaml b/docs/sample_files/registries.yaml similarity index 100% rename from sample_files/registries.yaml rename to docs/sample_files/registries.yaml diff --git a/docs/tarball_install.md b/docs/tarball_install.md new file mode 100644 index 00000000..1d890b4c --- /dev/null +++ b/docs/tarball_install.md @@ -0,0 +1,54 @@ +# Table of Contents +- [Table of Contents](#table-of-contents) +- [Air-Gap Install](#air-gap-install) +- [Collecting Your Resources](#collecting-your-resources) + - [Relevant Variables](#relevant-variables) + - [Tarball Install Variables](#tarball-install-variables) + - [Example](#example) + - [Image Variables](#image-variables) + - [Example](#example-1) + + +# Air-Gap Install +RKE2 can be installed in an air-gapped environment with two different methods. You can either deploy via the rke2-airgap-images tarball release artifact, or by using a private registry. + +> [!WARNING] +> If running on an SELinux enforcing air-gapped node, you must first install the necessary SELinux policy RPM before performing these steps. See our [RPM Documentation](https://docs.rke2.io/install/methods/#rpm) to determine what you need. + +# Collecting Your Resources +All files mentioned in the steps can be obtained from the assets of the desired released rke2 version [here](https://github.com/rancher/rke2/releases). + +## Relevant Variables + +### Tarball Install Variables +The Ansible role looks for three variables to determine if/how the tarball installation method should run: + - `all.vars.rke2_install_tarball_url` + - `all.vars.rke2_install_local_tarball_path` + - `all.vars.rke2_force_tarball_install` + +The `rke2_install_tarball_url` looks for a tarball at the specified URL, `rke2_install_local_tarball_path` looks for a tarball at the specified local path, and `rke2_force_tarball_install` if set to True (while the previous two are set to empty strings) will force the download of the tarballs from GitHub. + +> [!WARNING] +> Currently there is no logic to prevent a user from defining both `rke2_install_tarball_url`, and `rke2_install_local_tarball_path`, you should only use one or the other, not both. + +Both of these variables should contain the `rke2.linux-amd64.tar.gz` tarball available from the release page referenced in [Collecting Your Resources](#collecting-your-resources). + +#### Example +In this example the full local path is given to the RKE2 tarball like so: +__all.yaml__ +```yaml +rke2_install_local_tarball_path: "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" +``` + +### Image Variables +The image variables need to be given as a list, as most user will need to include more than just the RKE2 image tarball. + - `all.vars.rke2_images_urls` + - `all.vars.rke2_images_local_tarball_path` + +#### Example +The example below provides only a single local item to the list, but is enough to start the cluster: +__all.yaml__ +```yaml +rke2_images_local_tarball_path: + - "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" +``` \ No newline at end of file diff --git a/docs/tarball_sample_inventory/group_vars/all.yml b/docs/tarball_sample_inventory/group_vars/all.yml new file mode 100644 index 00000000..cee14398 --- /dev/null +++ b/docs/tarball_sample_inventory/group_vars/all.yml @@ -0,0 +1,4 @@ +--- +rke2_install_local_tarball_path: "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" +rke2_images_local_tarball_path: + - "{{ playbook_dir }}/docs/tarball_install_sample/files/rke2.linux-amd64.tar.gz" diff --git a/docs/tarball_sample_inventory/hosts.yml b/docs/tarball_sample_inventory/hosts.yml new file mode 100644 index 00000000..e6bd01c4 --- /dev/null +++ b/docs/tarball_sample_inventory/hosts.yml @@ -0,0 +1,9 @@ +--- +rke2_cluster: + children: + rke2_servers: + hosts: + server0.example.com: + rke2_agents: + hosts: + agent0.example.com: diff --git a/galaxy.yml b/galaxy.yml index 4e52df6b..f490b4b3 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,7 +1,7 @@ --- namespace: rancherfederal name: rke2_ansible -version: 1.0.0 +version: 2.0.0 readme: README.md authors: - Rancher Government diff --git a/inventory/.gitignore b/inventory/.gitignore deleted file mode 100644 index 520c0f44..00000000 --- a/inventory/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -* -!.gitignore -!sample/ -!sample/hosts.yml diff --git a/inventory/sample/group_vars/rke2_agents.yml b/inventory/sample/group_vars/rke2_agents.yml deleted file mode 100644 index dd8c405d..00000000 --- a/inventory/sample/group_vars/rke2_agents.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -# Primary RKE2 agent configuration parameters. Remove the curly braces ( {} ) and add your configuration. -# See https://docs.rke2.io/install/install_options/linux_agent_config/ for all configuration options. -rke2_config: {} - # debug: false - -# See https://docs.rke2.io/install/containerd_registry_configuration/ -# Add a registry configuration file by specifying the file path on the control host -# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" diff --git a/inventory/sample/group_vars/rke2_servers.yml b/inventory/sample/group_vars/rke2_servers.yml deleted file mode 100644 index 40d7117e..00000000 --- a/inventory/sample/group_vars/rke2_servers.yml +++ /dev/null @@ -1,53 +0,0 @@ ---- -# Primary RKE2 server configuration parameters. Remove the curly braces ( {} ) and add your configuration. -# See https://docs.rke2.io/install/install_options/server_config/ for all configuration options. -rke2_config: {} - -# Example of possible rke2_config. -#rke2_config: -# selinux: true -# profile: cis-1.6 -# kube-controller-manager-arg: -# - "tls-min-version=VersionTLS12" -# - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -# kube-scheduler-arg: -# - "tls-min-version=VersionTLS12" -# - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -# kube-apiserver-arg: -# - "tls-min-version=VersionTLS12" -# - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" -# - "enable-admission-plugins=ValidatingAdmissionWebhook,NodeRestriction,PodSecurityPolicy" -# - "request-timeout=300s" -# # Enable only when auditing is enabled, blocks API when audit fails -# #- "audit-log-mode=blocking-strict" -# -# kubelet-arg: -# - "feature-gates=DynamicKubeletConfig=false" -# - "protect-kernel-defaults=true" -# - "streaming-connection-idle-timeout=5m" -# -# # Available in RKE2 1.21 -# #etcd-extra-env: -# #- "ETCD_AUTO_TLS=false" -# #- "ETCD_PEER_AUTO_TLS=false" -# -# write-kubeconfig-mode: "0640" - - -# See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ -# Add a policy configuration file by specifying the file path on the control host -# rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" - -# See https://docs.rke2.io/install/containerd_registry_configuration/ -# Add a registry configuration file by specifying the file path on the control host -# rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" - -# See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts -# Add manifest files by specifying the directory path on the control host -# manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/" - -# See https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/psa-config-templates#exempting-required-rancher-namespaces -# Available in RKE2 1.25+ -# Add a pod security admission config file by specifying the file path on the control host -# Requires config.yaml to include `- admission-control-config-file=/etc/rancher/rke2/pod-security-admission-config.yaml` in order for this to be honored -# rke2_pod_security_admission_config_file_path: "{{ playbook_dir }}/sample_files/pod-security-admission-config.yaml" diff --git a/inventory/sample/hosts.yml b/inventory/sample/hosts.yml deleted file mode 100644 index 82aeab26..00000000 --- a/inventory/sample/hosts.yml +++ /dev/null @@ -1,85 +0,0 @@ ---- -all: - vars: - rke2_install_version: v1.27.10+rke2r1 - # # In air-gapped envs, it might be convenient to download the tar files from custom URLs - # rke2_install_tarball_url: https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2.linux-amd64.tar.gz - # rke2_image_tar_urls: - # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst - # - https://github.com/rancher/rke2/releases/download/v1.26.15%2Brke2r1/rke2-images-core.linux-amd64.tar.zst - - # Or specify a tarball that's been prestaged on the ansible control host - # rke2_binary_tarball: {{ inventory_dir }}/tarball/rke2.linux-amd64.tar.gz - -rke2_cluster: - children: - rke2_servers: - vars: - # # Set generic rke2_config at the group level. - # # Every host in this group will inherit these rke2 configurations - # # See https://docs.rke2.io/reference/server_config for more options - # # These options can also be set in the group_vars folder - rke2_config: - node-label: - - serverGroupLabel=true - # profile: cis-1.6 - # kube-controller-manager-arg: - # - "tls-min-version=VersionTLS12" - # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - # kube-scheduler-arg: - # - "tls-min-version=VersionTLS12" - # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - # kube-apiserver-arg: - # - "tls-min-version=VersionTLS12" - # - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" - # - "enable-admission-plugins=ValidatingAdmissionWebhook,NodeRestriction,PodSecurityPolicy" - # - "request-timeout=300s" - # # Enable only when auditing is enabled, blocks API when audit fails - # #- "audit-log-mode=blocking-strict" - # - # kubelet-arg: - # - "feature-gates=DynamicKubeletConfig=false" - # - "protect-kernel-defaults=true" - # - "streaming-connection-idle-timeout=5m" - # - # etcd-extra-env: - # - "ETCD_AUTO_TLS=false" - # - "ETCD_PEER_AUTO_TLS=false" - # - # write-kubeconfig-mode: "0640" - # # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/ - # # Add a policy configuration file by specifying the file path on the control host - # rke2_audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml" - # # See https://docs.rke2.io/install/containerd_registry_configuration/ - # # Add a registry configuration file by specifying the file path on the control host - # rke2_registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml" - # # See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts - # # Add manifest files by specifying the directory path on the control host - # manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/" - hosts: - # # Optional hostvars that can be pased in to individual nodes include - # # node_ip, node_name, bind_address, advertise_address, node_taints=[], - # # node_labels=[], and node_external_ip - server0.example.com: - node_labels: - - server0Label=true - # node_ip: "10.10.10.10" - # node_name: "server0.example.com" - # bind_address: "10.10.10.10" - # advertise_address: "10.10.10.10" - # node_external_ip: "52.52.52.52" - # node_taints: - # - CriticalAddonsOnly=true:NoSchedule - # cloud_provider_name: "aws" - rke2_agents: - vars: - rke2_config: - node-label: - - agentGroupLabel=true - hosts: - agent0.example.com: - node_labels: - - agent0Label=true - agent1.example.com: - node_labels: - - agent1Label=true diff --git a/meta/runtime.yml b/meta/runtime.yml new file mode 100644 index 00000000..a764a086 --- /dev/null +++ b/meta/runtime.yml @@ -0,0 +1,2 @@ +--- +requires_ansible: ">=2.17.0" diff --git a/requirements.yml b/requirements.yml deleted file mode 100644 index 4a0d0c30..00000000 --- a/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -collections: - - name: ansible.utils diff --git a/sample_files/manifests/manifest-example.yaml b/sample_files/manifests/manifest-example.yaml deleted file mode 100644 index 64a1db69..00000000 --- a/sample_files/manifests/manifest-example.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# See https://docs.rke2.io/helm/ -# In this directory "manifest" you can add every kubernetes .yaml file that you will add to your rke2 cluster. -# "kubectl apply" every file on this directory - -# See https://docs.rke2.io/install/network_options/#canal-options -# You can also override pre-install helm chart like canal, nginx-ingress, etc. - -# Example from https://docs.rke2.io/helm/#using-the-helm-crd - -# apiVersion: helm.cattle.io/v1 -# kind: HelmChart -# metadata: -# name: grafana -# namespace: kube-system -# spec: -# chart: stable/grafana -# targetNamespace: monitoring -# set: -# adminPassword: "NotVerySafePassword" -# valuesContent: |- -# image: -# tag: master -# env: -# GF_EXPLORE_ENABLED: true -# adminUser: admin -# sidecar: -# datasources: -# enabled: true diff --git a/sample_files/tarball_install/README.md b/sample_files/tarball_install/README.md deleted file mode 100644 index b567f9ff..00000000 --- a/sample_files/tarball_install/README.md +++ /dev/null @@ -1,32 +0,0 @@ - -``` - , , _______________________________ - ,-----------|'------'| | | - /. '-' |-' |_____________________________| - |/| | | - | .________.'----' _______________________________ - | || | || | | - \__|' \__|' |_____________________________| - -|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -|________________________________________________________| - -|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -|________________________________________________________| -``` -# Air-Gap Install - -RKE2 can be installed in an air-gapped environment with two different methods. You can either deploy via the rke2-airgap-images tarball release artifact, or by using a private registry. - -All files mentioned in the steps can be obtained from the assets of the desired released rke2 version [here](https://github.com/rancher/rke2/releases). - -If running on an SELinux enforcing air-gapped node, you must first install the necessary SELinux policy RPM before performing these steps. See our [RPM Documentation](https://docs.rke2.io/install/methods/#rpm) to determine what you need. - -# Tarball Method -This ansible playbook will detect if the `rke2-images.linux-amd64.tar.zst` and `rke2.linux-amd64.tar.gz` files are in the tarball_install/ directory. If the files are in the directory then the install process will skip both the yum install and the need to download the tarball. - -## Images Install -If either the `rke2-images.linux-amd64.tar.zst` or `rke2-images.linux-amd64.tar.gz` files are found in the tarbarll_install/ directory then this playbook will use the images inside the tarball and not docker.io or a private registry. - -## Tarball Install -If the `rke2.linux-amd64.tar.gz` file is found in the tarball_install/ directory then this playbook will install RKE2 using that version. This will use the default docker.io registry unless the images tarball is present or unless the `system-default-registry` variable is set. From 699bca87961b929285a9e7f3ee8555d511b5f529 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin <43078293+Daemonslayer2048@users.noreply.github.com> Date: Tue, 14 Jan 2025 09:23:31 -0600 Subject: [PATCH 31/36] Ci review (#269) * Add network attached instructions * Update tarball docs * Github does not support titled admons * Clear some lint issues * Clear some galaxy errors * Clear some new lint issues * Fix ansible semver string * Use a supported ansible version * Update file and folder names * Import linting, split linting tasks * Update README instruction o inventory use * Add vale linting, normalized file extensions, and doc tweaks * Tweak workflow lints * Merge workflows back into one file * Test sudo access * Rename Rocky tests, install Terraform * Fix rocky task dep * Install Terraform attempt #2 * Test reusable workflows * Add OS option * Add OS option 2 * Inherit secrets * Install yq * Install yq #2 * Install yq #3 * Install yq #4 * Use YQ for inventory generation * Fix missing close bracket * Print hosts file for debugging * You should cat hosts file for debugging not exec it * Runn test * Fix inventory file location * Fix inventory and add ssh_user * Fix second inventory * Add rocky 9 * Update CI to reference JOBID * Attempt move to AWS commercial * Attempt move to AWS commercial 2 * Attempt move to AWS commercial 3 * Fix destroy command and defaults * Fix AWS Region * Tweak TF and simplify for debuggin * Fix new var * Remove new var * Remove new var 2 * Fix bad EOF * Fix delete job * Reduce EC2 counts * Add Rocky 9 back * Name sec groups * Add Ubuntu * Fix using wrong OS * Add SLES * Fix issue where too in SLES does not have .bashrc * Fix bad permission * Update README, Remove SLES, Test Lint requirements * Remove broken lint check * Updat edocs * increase yaml lint line-length * removing sles tests until they are reimplemented --------- Co-authored-by: Adam Leiner <104371562+aleiner@users.noreply.github.com> Co-authored-by: Adam Leiner --- .github/workflows/lint.yml | 60 +++-- .../reusable_integration_testing.yml | 172 ++++++++++++++ .github/workflows/rocky.yml | 22 ++ .github/workflows/rocky8.yml | 210 ------------------ .github/workflows/ubuntu.yml | 22 ++ .github/workflows/ubuntu20.yml | 203 ----------------- .yamllint | 2 +- README.md | 19 +- roles/rke2/tasks/utilities.yml | 2 + site.yml | 2 +- testing/main.tf | 14 +- testing/variables.tf | 64 ++---- 12 files changed, 305 insertions(+), 487 deletions(-) create mode 100644 .github/workflows/reusable_integration_testing.yml create mode 100644 .github/workflows/rocky.yml delete mode 100644 .github/workflows/rocky8.yml create mode 100644 .github/workflows/ubuntu.yml delete mode 100644 .github/workflows/ubuntu20.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 9d9d6528..e7af823d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,22 +1,17 @@ --- -name: Lint Test +name: Lint on: push: -env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - jobs: - lint-test: - name: Lint for push + ansible-lint: + name: Ansible runs-on: ubuntu-latest steps: - - name: Check out the codebase. + - name: Check out the codebase uses: actions/checkout@v3 - name: Set up Python. @@ -24,17 +19,54 @@ jobs: with: python-version: '3.x' - - name: Install test dependencies. - run: pip3 install yamllint ansible-lint ansible + - name: Install ansible-lint + run: pip3 install ansible-lint ansible - name: Version check run: | ansible --version ansible-lint --version + + - name: Run ansible-lint + run: ansible-lint + + yaml-lint: + name: YAML + runs-on: ubuntu-latest + + steps: + - name: Check out the codebase + uses: actions/checkout@v3 + + - name: Set up Python. + uses: actions/setup-python@v4 + with: + python-version: '3.x' + + - name: Install yamllint + run: pip3 install yamllint + + - name: Version check + run: | yamllint --version - - name: Run yamllint. + - name: Run yamllint run: yamllint . - - name: Run ansible-lint. - run: ansible-lint \ No newline at end of file + vale-lint: + name: Vale + runs-on: ubuntu-latest + + steps: + - name: Check out the codebase + uses: actions/checkout@v3 + + - name: Install vale + run: sudo snap install vale + + - name: Version check + run: | + vale --version + + - name: Run yamllint + run: vale --glob='*.md' ./docs ./README.md \ No newline at end of file diff --git a/.github/workflows/reusable_integration_testing.yml b/.github/workflows/reusable_integration_testing.yml new file mode 100644 index 00000000..0d23c6f3 --- /dev/null +++ b/.github/workflows/reusable_integration_testing.yml @@ -0,0 +1,172 @@ +--- +name: Reusable Cluster Testing + +on: + workflow_call: + inputs: + os: + required: true + type: string + ssh_user: + required: true + type: string + +jobs: + + cluster-test: + runs-on: ubuntu-latest + + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + + - name: Add terraform repository + run: | + wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list + + - name: Set up Python + id: setup_python + uses: actions/setup-python@v2 + with: + python-version: 3.9 + + - name: Install dependencies + run: | + sudo apt update -y + sudo apt install terraform -y + sudo snap install yq + python -m pip install --upgrade pip + pip3 install ansible pytest-testinfra + + - name: Ansible version check + run: ansible --version + + - name: Terraform version check + run: terraform --version + + - name: yq version check + run: yq --version + + - name: Terraform Init + id: init + run: | + cd testing/ + terraform init + + - run: 'echo "$SSH_KEY" > .key' + shell: bash + env: + SSH_KEY: ${{secrets.SSH_PRIVATE_KEY}} + + - run: chmod 400 .key + + - name: Terraform private key + run: cp .key testing/.key + + - name: Terraform Validate + id: validate + run: | + cd testing/ + terraform validate -no-color + + - name: Terraform Plan + id: plan + run: | + cd testing/ + terraform plan -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -var "os=${{ inputs.os }}" -no-color + continue-on-error: true + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-2 + + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + + - name: Terraform Apply + run: | + cd testing/ + terraform apply -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -var "os=${{ inputs.os }}" -auto-approve + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-2 + + - name: Create inventory + run: | + mkdir ./${{ inputs.os }} + export RKE2_SERVER=$(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" "Name=tag:os_test,Values=${{ inputs.os }}" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1) + export RKE2_AGENT=$(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" "Name=tag:os_test,Values=${{ inputs.os }}" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1) + yq --null-input '.rke2_cluster.children.rke2_servers.hosts.master-01.ansible_host = strenv(RKE2_SERVER)' > ./${{ inputs.os }}/hosts.yml + yq -i '.all.vars.rke2_kubernetes_api_server_host = strenv(RKE2_SERVER)' ./${{ inputs.os }}/hosts.yml + yq -i '.rke2_cluster.children.rke2_agents.hosts.worker-01.ansible_host = strenv(RKE2_AGENT)' ./${{ inputs.os }}/hosts.yml + echo "remote_user=${{ inputs.ssh_user }}" >> ansible.cfg + echo "private_key_file=.key" >> ansible.cfg + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-2 + + - name: Check hosts.yml and ansible.cfg + run: | + cat ./${{ inputs.os }}/hosts.yml + cat ansible.cfg + + - name: Run playbook + run: | + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ./${{ inputs.os }}/hosts.yml -u ${{ inputs.ssh_user }} -vv --private-key .key site.yml + + - name: Run playbook again for idempotency + run: | + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ./${{ inputs.os }}/hosts.yml -u ${{ inputs.ssh_user }} -vv --private-key .key site.yml + + - name: Run Ansible Tests + run: | + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ./${{ inputs.os }}/hosts.yml -u ${{ inputs.ssh_user }} --verbose --skip-tags "troubleshooting" --private-key .key testing.yml + + - name: Run Python Tests + run: | + export DEFAULT_PRIVATE_KEY_FILE=.key + pytest --hosts=rke2_servers --ansible-inventory=./${{ inputs.os }}/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_server_tests.py + pytest --hosts=rke2_agents --ansible-inventory=./${{ inputs.os }}/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_agent_tests.py + + - name: Update inventory hosts.yml with added host + run: | + export RKE2_AGENT2=$(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" "Name=tag:os_test,Values=${{ inputs.os }}" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1) + yq -i '.rke2_cluster.children.rke2_agents.hosts.worker-02.ansible_host = strenv(RKE2_AGENT2)' ./${{ inputs.os }}/hosts.yml + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-2 + + - name: Run playbook again with added host + run: | + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ./${{ inputs.os }}/hosts.yml -u ${{ inputs.ssh_user }} --verbose --private-key .key site.yml + + - name: Run Ansible Tests with added host + run: | + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ./${{ inputs.os }}/hosts.yml -u ${{ inputs.ssh_user }} --verbose --skip-tags "troubleshooting" --private-key .key testing.yml + + - name: Run Python Tests with added host + run: | + export DEFAULT_PRIVATE_KEY_FILE=.key + pytest --hosts=rke2_servers --ansible-inventory=./${{ inputs.os }}/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_server_tests.py + pytest --hosts=rke2_agents --ansible-inventory=./${{ inputs.os }}/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_agent_tests.py + + - name: Run troubleshoot tasks + if: ${{ failure() }} + run: | + ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ./${{ inputs.os }}/hosts.yml -u ${{ inputs.ssh_user }} -vvv --tags "troubleshooting" --private-key .key testing.yml + + - name: Delete Stack + if: ${{ always() }} + run: | + cd testing/ + terraform destroy -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -var "os=${{ inputs.os }}" -auto-approve + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-east-2 + \ No newline at end of file diff --git a/.github/workflows/rocky.yml b/.github/workflows/rocky.yml new file mode 100644 index 00000000..7f5da7a5 --- /dev/null +++ b/.github/workflows/rocky.yml @@ -0,0 +1,22 @@ +--- +name: Rocky + +on: + pull_request: + workflow_dispatch: + +jobs: + + "_8_": + uses: ./.github/workflows/reusable_integration_testing.yml + with: + os: rocky8 + ssh_user: rocky + secrets: inherit + + "_9_": + uses: ./.github/workflows/reusable_integration_testing.yml + with: + os: rocky9 + ssh_user: rocky + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/rocky8.yml b/.github/workflows/rocky8.yml deleted file mode 100644 index f21a42c7..00000000 --- a/.github/workflows/rocky8.yml +++ /dev/null @@ -1,210 +0,0 @@ ---- -name: Ansible build test for Rocky 8 - -on: - pull_request: - workflow_dispatch: - - - -jobs: - - lint-test: - name: Lint for PR - runs-on: ubuntu-latest - - steps: - - name: Check out the codebase. - uses: actions/checkout@v3 - - - name: Set up Python. - uses: actions/setup-python@v4 - with: - python-version: '3.x' - - - name: Install test dependencies. - run: pip3 install yamllint ansible-lint ansible - - - name: Version check - run: | - ansible --version - ansible-lint --version - yamllint --version - - - name: Run yamllint. - run: yamllint . - - - name: Run ansible-lint. - run: ansible-lint - - rocky8-test: - name: Ansible build test for Rocky 8 - runs-on: ubuntu-latest - needs: ['lint-test'] - - steps: - - name: Check out the codebase. - uses: actions/checkout@v2 - - - name: Terraform Init - id: init - run: | - cd testing/ - terraform init - - - run: 'echo "$SSH_KEY" > .key' - shell: bash - env: - SSH_KEY: ${{secrets.SSH_PRIVATE_KEY}} - - - run: chmod 400 .key - - - name: Terraform private key - run: cp .key testing/.key - - - name: Terraform Validate - id: validate - run: | - cd testing/ - terraform validate -no-color - - - name: Terraform Plan - id: plan - run: | - cd testing/ - terraform plan -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -var "os=rocky8" -no-color - continue-on-error: true - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Terraform Plan Status - if: steps.plan.outcome == 'failure' - run: exit 1 - - - name: Terraform Apply - run: | - cd testing/ - terraform apply -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -var "os=rocky8" -auto-approve - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Set up Python - id: setup_python - uses: actions/setup-python@v2 - with: - python-version: 3.9 - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip3 install ansible pytest-testinfra - - - name: Ansible Version check - run: ansible --version - - - name: Create inventory hosts.yml - run: | - touch hosts.yml - echo "rke2_cluster:" > hosts.yml - echo " children:" >> hosts.yml - echo " rke2_servers:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo " rke2_agents:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo "all:" >> hosts.yml - echo " vars:" >> hosts.yml - echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml - echo "" >> ansible.cfg - echo "" >> ansible.cfg - echo "remote_user=centos" >> ansible.cfg - echo "private_key_file=.key" >> ansible.cfg - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Check hosts.yml and ansible.cfg - run: | - cat hosts.yml - cat ansible.cfg - - - name: Prep inventory - run: | - cp -R inventory/sample inventory/rocky8 - cp hosts.yml inventory/rocky8/hosts.yml - - - name: Run playbook - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/rocky8/hosts.yml -u centos -vv --private-key .key site.yml - - - name: Run playbook again for idempotency - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/rocky8/hosts.yml -u centos -vv --private-key .key site.yml - - - name: Run Ansible Tests - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/rocky8/hosts.yml -u centos --verbose --skip-tags "troubleshooting" --private-key .key testing.yml - - - name: Run Python Tests - run: | - export DEFAULT_PRIVATE_KEY_FILE=.key - pytest --hosts=rke2_servers --ansible-inventory=inventory/rocky8/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_server_tests.py - pytest --hosts=rke2_agents --ansible-inventory=inventory/rocky8/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_agent_tests.py - - - name: Create new inventory hosts.yml with added hosts - run: | - rm hosts.yml - touch hosts.yml - echo "rke2_cluster:" > hosts.yml - echo " children:" >> hosts.yml - echo " rke2_servers:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo " rke2_agents:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo "all:" >> hosts.yml - echo " vars:" >> hosts.yml - echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml - cp hosts.yml inventory/rocky8/hosts.yml - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Run playbook again with added hosts - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/rocky8/hosts.yml -u centos --verbose --private-key .key site.yml - - - name: Run Ansible Tests with added hosts - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/rocky8/hosts.yml -u centos --verbose --skip-tags "troubleshooting" --private-key .key testing.yml - - - name: Run Python Tests with added hosts - run: | - export DEFAULT_PRIVATE_KEY_FILE=.key - pytest --hosts=rke2_servers --ansible-inventory=inventory/rocky8/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_server_tests.py - pytest --hosts=rke2_agents --ansible-inventory=inventory/rocky8/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_agent_tests.py - - - name: Run troubleshoot tasks - if: ${{ failure() }} - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/rocky8/hosts.yml -u centos -vvv --tags "troubleshooting" --private-key .key testing.yml - - - name: Delete Stack - if: ${{ always() }} - run: | - cd testing/ - terraform destroy -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -auto-approve - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - \ No newline at end of file diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml new file mode 100644 index 00000000..5e893d04 --- /dev/null +++ b/.github/workflows/ubuntu.yml @@ -0,0 +1,22 @@ +--- +name: Ubuntu + +on: + pull_request: + workflow_dispatch: + +jobs: + + "_22_": + uses: ./.github/workflows/reusable_integration_testing.yml + with: + os: ubuntu22 + ssh_user: ubuntu + secrets: inherit + + "_24_": + uses: ./.github/workflows/reusable_integration_testing.yml + with: + os: ubuntu24 + ssh_user: ubuntu + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/ubuntu20.yml b/.github/workflows/ubuntu20.yml deleted file mode 100644 index f87e40e0..00000000 --- a/.github/workflows/ubuntu20.yml +++ /dev/null @@ -1,203 +0,0 @@ ---- -name: Ansible build test for Ubuntu - -on: - pull_request: - workflow_dispatch: - -jobs: - - lint-test: - name: Lint for PR - runs-on: ubuntu-latest - - steps: - - name: Check out the codebase. - uses: actions/checkout@v3 - - - name: Set up Python. - uses: actions/setup-python@v4 - with: - python-version: '3.x' - - - name: Install test dependencies. - run: pip3 install yamllint ansible-lint ansible - - - name: Version check - run: | - ansible --version - ansible-lint --version - yamllint --version - - - name: Run yamllint. - run: yamllint . - - - name: Run ansible-lint. - run: ansible-lint - - ubuntu20-test: - name: Ansible build test for Ubuntu - runs-on: ubuntu-latest - needs: ['lint-test'] - - steps: - - name: Check out the codebase. - uses: actions/checkout@v2 - - - name: Terraform Init - id: init - run: | - cd testing/ - terraform init - - - run: 'echo "$SSH_KEY" > .key' - shell: bash - env: - SSH_KEY: ${{secrets.SSH_PRIVATE_KEY}} - - - run: chmod 400 .key - - - name: Terraform private key - run: cp .key testing/.key - - - name: Terraform Validate - id: validate - run: | - cd testing/ - terraform validate -no-color - - - name: Terraform Plan - id: plan - run: | - cd testing/ - terraform plan -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -var "os=ubuntu20" -no-color - continue-on-error: true - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Terraform Plan Status - if: steps.plan.outcome == 'failure' - run: exit 1 - - - name: Terraform Apply - run: | - cd testing/ - terraform apply -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -var "os=ubuntu20" -auto-approve - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Set up Python - id: setup_python - uses: actions/setup-python@v2 - with: - python-version: 3.9 - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip3 install ansible pytest-testinfra - - - name: Ansible Version check - run: ansible --version - - - name: Create inventory hosts.yml - run: | - touch hosts.yml - echo "rke2_cluster:" > hosts.yml - echo " children:" >> hosts.yml - echo " rke2_servers:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo " rke2_agents:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo "all:" >> hosts.yml - echo " vars:" >> hosts.yml - echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml - echo "" >> ansible.cfg - echo "" >> ansible.cfg - echo "remote_user=ubuntu" >> ansible.cfg - echo "private_key_file=.key" >> ansible.cfg - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Check hosts.yml and ansible.cfg - run: | - cat hosts.yml - cat ansible.cfg - - - name: Prep inventory - run: | - cp -R inventory/sample inventory/ubuntu20 - cp hosts.yml inventory/ubuntu20/hosts.yml - - - name: Run playbook - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/ubuntu20/hosts.yml -u ubuntu --verbose --private-key .key site.yml - - - name: Run playbook again for idempotency - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/ubuntu20/hosts.yml -u ubuntu --verbose --private-key .key site.yml - - - name: Run Ansible Tests - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/ubuntu20/hosts.yml -u ubuntu --verbose --private-key .key testing.yml - - - name: Run Python Tests - run: | - export DEFAULT_PRIVATE_KEY_FILE=.key - pytest --hosts=rke2_servers --ansible-inventory=inventory/ubuntu20/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_server_tests.py - pytest --hosts=rke2_agents --ansible-inventory=inventory/ubuntu20/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_agent_tests.py - - - name: Create new inventory hosts.yml with added hosts - run: | - rm -f hosts.yml - touch hosts.yml - echo "rke2_cluster:" > hosts.yml - echo " children:" >> hosts.yml - echo " rke2_servers:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo " rke2_agents:" >> hosts.yml - echo " hosts:" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Agent" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo " $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=ExtraNode" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PublicIpAddress" --output text | head -1):" >> hosts.yml - echo "all:" >> hosts.yml - echo " vars:" >> hosts.yml - echo " rke2_kubernetes_api_server_host: $(aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" "Name=tag:Owner,Values=rke2-ansible-github-actions" "Name=tag:NodeType,Values=Server" "Name=tag:github_run,Values=$GITHUB_RUN_ID" --query "Reservations[*].Instances[*].PrivateIpAddress" --output text | head -1)" >> hosts.yml - cp hosts.yml inventory/ubuntu20/hosts.yml - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - - - name: Run playbook again with added hosts - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/ubuntu20/hosts.yml -u ubuntu --verbose --private-key .key site.yml - - - name: Run Ansible Tests with added hosts - run: | - ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/ubuntu20/hosts.yml -u ubuntu --verbose --private-key .key testing.yml - - - name: Run Python Tests with added hosts - run: | - export DEFAULT_PRIVATE_KEY_FILE=.key - pytest --hosts=rke2_servers --ansible-inventory=inventory/ubuntu20/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_server_tests.py - pytest --hosts=rke2_agents --ansible-inventory=inventory/ubuntu20/hosts.yml --force-ansible --connection=ansible --sudo testing/basic_agent_tests.py - - - name: Delete Stack - if: ${{ always() }} - run: | - cd testing/ - terraform destroy -var "GITHUB_RUN_ID=$GITHUB_RUN_ID" -auto-approve - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: us-gov-west-1 - \ No newline at end of file diff --git a/.yamllint b/.yamllint index b2e05b7f..d740b1ad 100644 --- a/.yamllint +++ b/.yamllint @@ -3,7 +3,7 @@ extends: default rules: line-length: - max: 120 + max: 200 level: warning ignore: | diff --git a/README.md b/README.md index 1eb3cace..394fba05 100644 --- a/README.md +++ b/README.md @@ -29,11 +29,6 @@ Thank you for your understanding and cooperation. Ansible RKE2 (RKE Government) Playbook --------- -[![LINT](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml?query=branch%3Amain) - -[![Rocky 8](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky8.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky8.yml?query=branch%3Amain) - -[![Ubuntu 20](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu20.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu20.yml?query=branch%3Amain) RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution. This Ansible playbook installs RKE2 for both the control plane and workers. @@ -41,14 +36,14 @@ See the [docs](https://docs.rke2.io/) more information about [RKE Government](ht Platforms ---------- -The RKE2 Ansible playbook supports all [RKE2 Supported Operating Systems](https://docs.rke2.io/install/requirements/#operating-systems) +--------- + +[![Lint](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/lint.yml) [![Rocky](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/rocky.yml) [![Ubuntu](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu.yml/badge.svg)](https://github.com/rancherfederal/rke2-ansible/actions/workflows/ubuntu.yml) -Supported Operating Systems: -- SLES 15 -- Rocky 8 and 9 -- RedHat: 8 and 9 -- Ubuntu: 18, 20, and 22 +The RKE2 Ansible playbook supports: +- Rocky 8, and 9 +- RedHat: 8, and 9 +- Ubuntu: 22, and 24 System requirements diff --git a/roles/rke2/tasks/utilities.yml b/roles/rke2/tasks/utilities.yml index a1a0bb70..798870a6 100644 --- a/roles/rke2/tasks/utilities.yml +++ b/roles/rke2/tasks/utilities.yml @@ -5,6 +5,8 @@ dest: "/root/.bashrc" line: 'PATH=$PATH:/var/lib/rancher/rke2/bin' insertafter: EOF + create: true + mode: 0600 - name: Symlink crictl config to /etc/crictl.yaml ansible.builtin.file: diff --git a/site.yml b/site.yml index 9d204c83..7fd240e6 100644 --- a/site.yml +++ b/site.yml @@ -3,6 +3,6 @@ - name: RKE2 play hosts: all any_errors_fatal: true - # become: true + become: true roles: - role: rke2 diff --git a/testing/main.tf b/testing/main.tf index a8be67ca..6585fac7 100644 --- a/testing/main.tf +++ b/testing/main.tf @@ -8,8 +8,8 @@ provider "aws" { ### SECURITY GROUPS ### resource "aws_security_group" "allow-all" { - name = "${var.tf_user}-allow-all-${var.GITHUB_RUN_ID}" - vpc_id = "vpc-07402b459d3b18976" + name = "${var.tf_user}-allow-all-${var.os}-${var.GITHUB_RUN_ID}" + vpc_id = "vpc-01c7511c87c5291ad" ingress { from_port = 0 @@ -30,6 +30,7 @@ resource "aws_security_group" "allow-all" { Name = "allow-all" Owner = var.tf_user github_run = "${var.GITHUB_RUN_ID}" + os_test = "${var.os}" } } @@ -43,7 +44,7 @@ resource "aws_instance" "control_node" { ami = var.amis[var.aws_region][var.os].ami instance_type = var.instance_type subnet_id = var.aws_subnet - key_name = "rke2-ansible-ci" + key_name = "rke2-ansible-github" root_block_device { volume_type = "standard" volume_size = 30 @@ -56,6 +57,7 @@ resource "aws_instance" "control_node" { Owner = var.tf_user NodeType = "Server" github_run = "${var.GITHUB_RUN_ID}" + os_test = "${var.os}" } provisioner "remote-exec" { @@ -78,7 +80,7 @@ resource "aws_instance" "worker_node" { ami = var.amis[var.aws_region][var.os].ami instance_type = var.instance_type subnet_id = var.aws_subnet - key_name = "rke2-ansible-ci" + key_name = "rke2-ansible-github" associate_public_ip_address = true vpc_security_group_ids = [aws_security_group.allow-all.id] @@ -93,6 +95,7 @@ resource "aws_instance" "worker_node" { Owner = var.tf_user NodeType = "Agent" github_run = "${var.GITHUB_RUN_ID}" + os_test = "${var.os}" } provisioner "remote-exec" { @@ -115,7 +118,7 @@ resource "aws_instance" "extra_worker_node" { ami = var.amis[var.aws_region][var.os].ami instance_type = var.instance_type subnet_id = var.aws_subnet - key_name = "rke2-ansible-ci" + key_name = "rke2-ansible-github" associate_public_ip_address = true vpc_security_group_ids = [aws_security_group.allow-all.id] @@ -130,6 +133,7 @@ resource "aws_instance" "extra_worker_node" { Owner = var.tf_user NodeType = "ExtraNode" github_run = "${var.GITHUB_RUN_ID}" + os_test = "${var.os}" } provisioner "remote-exec" { diff --git a/testing/variables.tf b/testing/variables.tf index 6975af0b..9ae03be4 100644 --- a/testing/variables.tf +++ b/testing/variables.tf @@ -1,13 +1,13 @@ variable "aws_region" { type = string description = "AWS Region the instance is launched in" - default = "us-gov-west-1" + default = "us-east-2" } variable "aws_subnet" { description = "List of vectors of subnets and Availability Zones" type = string - default = "subnet-0523d8467cf8e5cec" + default = "subnet-0e478ddd6ae2ed0b4" } variable "tf_user" { @@ -23,59 +23,41 @@ variable "instance_type" { } # OS Options -# rhel8 -# rhel7 -# sles15sp2 -# ubuntu20 -# ubuntu18 -# centos8 -# centos7 # rocky8 +# rocky9 variable "os" { type = string description = "AWS AMI OS" - default = "ubuntu20" + default = "rocky8" } variable "amis" { - description = "List of RHEL OS images based on regions" + description = "List of AMIs based on regions" type = map(map(object({ ami = string user = string }))) default = { - "us-gov-west-1" = { - "rhel8" = { - ami = "ami-0ac4e06a69870e5be" - user = "ec2-user" - } - "rhel7" = { - ami = "ami-e9d5ec88" - user = "ec2-user" + "us-east-2" = { + "rocky8" = { + ami = "ami-02391db2758465a87" + user = "rocky" } - "sles15sp2" = { - ami = "ami-04e3d865" - user = "ec2-user" + "rocky9" = { + ami = "ami-05150ea4d8a533099" + user = "rocky" } - "ubuntu20" = { - ami = "ami-84556de5" + "ubuntu22" = { + ami = "ami-00eb69d236edcfaf8" user = "ubuntu" } - "ubuntu18" = { - ami = "ami-bce9d3dd" + "ubuntu24" = { + ami = "ami-036841078a4b68e14" user = "ubuntu" } - "centos8" = { - ami = "ami-967158f7" - user = "centos" - } - "centos7" = { - ami = "ami-bbba86da" - user = "centos" - } - "rocky8" = { - ami = "ami-01c3e8e014e8b0c7a" - user = "centos" + "sles15" = { + ami = "ami-0371c70ae504994fd" + user = "ec2-user" } } } @@ -84,19 +66,19 @@ variable "amis" { variable "control_nodes" { type = number description = "Number of RKE2 manager nodes" - default = 3 + default = 1 } variable "worker_nodes" { type = number description = "Number of RKE2 worker nodes" - default = 2 + default = 1 } variable "extra_worker_nodes" { type = number description = "Number of RKE2 worker nodes to add for idempotency tests" - default = 2 + default = 1 } variable "ansible_user" { @@ -105,4 +87,4 @@ variable "ansible_user" { default = "ubuntu" } -variable "GITHUB_RUN_ID" {} +variable "GITHUB_RUN_ID" {} \ No newline at end of file From 879b9326ca89472fd93fce55890e26d8a32fd34a Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Tue, 14 Jan 2025 11:13:00 -0600 Subject: [PATCH 32/36] Fix vars --- roles/rke2/defaults/main.yml | 6 ++++++ roles/rke2/vars/main.yml | 7 ------- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index ed16321c..f55fd335 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -35,3 +35,9 @@ rke2_config: {} rke2_metrics_running: false rke2_node_ready: "false" rke2_api_server_running: false +rke2_installed: false +rke2_version_changed: false +rke2_reboot: false +rke2_version_majmin: "" +rke2_version_rpm: "" +rke2_package_state: "installed" diff --git a/roles/rke2/vars/main.yml b/roles/rke2/vars/main.yml index 879b4f8c..ed97d539 100644 --- a/roles/rke2/vars/main.yml +++ b/roles/rke2/vars/main.yml @@ -1,8 +1 @@ --- - -rke2_installed: false -rke2_version_changed: false -rke2_reboot: false -rke2_version_majmin: "" -rke2_version_rpm: "" -rke2_package_state: "installed" From d307500a152dd0323869275e28949266d6ea9fc6 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Tue, 14 Jan 2025 11:52:32 -0600 Subject: [PATCH 33/36] Fix CI reading .ansible directory --- .github/workflows/lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e7af823d..5894280e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -28,7 +28,7 @@ jobs: ansible-lint --version - name: Run ansible-lint - run: ansible-lint + run: ansible-lint ./roles yaml-lint: name: YAML From de54a3170aea3262a99672437d6595e01121d1c7 Mon Sep 17 00:00:00 2001 From: Adam Leiner <104371562+aleiner@users.noreply.github.com> Date: Wed, 15 Jan 2025 09:50:03 -0500 Subject: [PATCH 34/36] #169 (#274) Co-authored-by: Adam Leiner --- roles/rke2/defaults/main.yml | 1 + roles/rke2/tasks/configure_rke2.yml | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml index f55fd335..8828a7fa 100644 --- a/roles/rke2/defaults/main.yml +++ b/roles/rke2/defaults/main.yml @@ -41,3 +41,4 @@ rke2_reboot: false rke2_version_majmin: "" rke2_version_rpm: "" rke2_package_state: "installed" +rke2_systemd_env_config_file_path: "" diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml index 5673884c..d46da081 100644 --- a/roles/rke2/tasks/configure_rke2.yml +++ b/roles/rke2/tasks/configure_rke2.yml @@ -9,6 +9,14 @@ - name: Run CIS-Hardening Tasks ansible.builtin.include_tasks: cis_hardening.yml +- name: Include task file add-systemd-env.yml + ansible.builtin.include_tasks: add_ansible_managed_config.yml + vars: + file_contents: "{{ lookup('file', rke2_systemd_env_config_file_path) }}" + file_destination: "/etc/default/{{ service_name }}" + file_description: "systemd env options" + file_path: "{{ rke2_systemd_env_config_file_path }}" + - name: "Include task file add_ansible_managed_config.yml for {{ file_description }}" ansible.builtin.include_tasks: add_ansible_managed_config.yml vars: From 709b878847c972f3012104dc0985b69f33d8493b Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Wed, 15 Jan 2025 15:17:13 -0600 Subject: [PATCH 35/36] Add a non-vague warning banner for v2 release --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 394fba05..973809d6 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,10 @@ Build a Kubernetes cluster using RKE2 via Ansible |‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| |________________________________________________________| -``` +``` + +> [!CAUTION] +> The RKE2-Ansible repository has been significantly refactored. Note that configurations/inventories written for the v1.0.0 release and earlier are not compatible with v2.0.0 and on. Please see the documentation and make any adjustments necessary. Unofficial Rancher Government Repository --------- From e55d4f82c38335c21cb34c61da13dc7ef09da880 Mon Sep 17 00:00:00 2001 From: Jacob Hanafin Date: Wed, 15 Jan 2025 15:38:01 -0600 Subject: [PATCH 36/36] Update RGS branding --- README.md | 21 +++++---------------- docs/assets/RGS_Logo.png | Bin 0 -> 14530 bytes 2 files changed, 5 insertions(+), 16 deletions(-) create mode 100644 docs/assets/RGS_Logo.png diff --git a/README.md b/README.md index 973809d6..af2d4e22 100644 --- a/README.md +++ b/README.md @@ -1,20 +1,9 @@ Build a Kubernetes cluster using RKE2 via Ansible -========= -``` - , , _______________________________ - ,-----------|'------'| | | - /. '-' |-' |_____________________________| - |/| | | - | .________.'----' _______________________________ - | || | || | | - \__|' \__|' |_____________________________| - -|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -|________________________________________________________| - -|‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾| -|________________________________________________________| -``` +========= +

+ +

+ > [!CAUTION] > The RKE2-Ansible repository has been significantly refactored. Note that configurations/inventories written for the v1.0.0 release and earlier are not compatible with v2.0.0 and on. Please see the documentation and make any adjustments necessary. diff --git a/docs/assets/RGS_Logo.png b/docs/assets/RGS_Logo.png new file mode 100644 index 0000000000000000000000000000000000000000..3c5406c361ba1413efaafa1e661f99822458d1b5 GIT binary patch literal 14530 zcmeIZWmME(6fR6lNJ)%HiZsH|NFyO2sg%SFNH<7#3Wy@zFo4q1-6h>f!wfJ;*APQU z-$DQPetg&c@~-z?cij(snBR$g&OUoTd++BQA~e(#2=SlbqoJV@Dk;jnMMFbBNBxoG z;-J0=0g!k2HvKx3j=C4XPWK)otE_lGHF@EFbMinsmE z%S_i4N0SonF8uBW$CSxe7f7ChNFJ~`6N~5sz|<6t@9S7{9{RW)uauZkOxX5#n9Ka@ zk0yA%UwF@kM@LCbd>@&*Jb(51s6vu;T?|swZk^92aB(ew9gQ&W?)U#~XiXV_xbvd9 zgH~0qnTiZoyi`ucmN(%i5UZBrbCDr`u9QkC)N8V$c#T^y6k^i*E@n6VMQ@|tn-*Tm z;~N=rQN2l-z8Bgw*`G)^kG}W4OW36s?5)aBlwZ_oEC$ z#Z%mChDYhE3??6+std3>dh)l4Of>R+(D$ZG|I+$`G@X@nPQ?TYT@XWm*uMO0_lU)L z4a8Woy4sdOJ6G!;-kMsw+LquPm~VnM;5WSAti(?xto5{Um$;{n$= z<};oLwiOR7ogO$Ih8yFCSSbdkG6cHz<4}=z_`bvF(ZIJgmeA_dnImd`Pfrub@&dmA zPGcBs>qLN%1)ThJc^v4$^N|4;@7psKIf7pbDkPlUbSn&*pQIjrmSemi=q%p#UM| zE9H0jEsmN;r7zFFf8Am~dE`y7FO!uM@}h%%<=qR+48f=nWKZbIqYp(ds2rY_Vd(}H zcTTVBJJ~l-H*muUU<%@-W8Kw9GoBv4B$7D5j#QA;o=|kYh4UT zwrmAs1F7dnPnjp*0yR_$8TOcHSTdMlj3@ziUBxCMyUP=C5c8x~aTW@w*E$tsv(;-h(N3yxU>Ac-7vMeGlbWBJ{ zc$jFI$e7Um`b#25;u$AIcSq+^Q8Pzx!q-|!K*XNH9I3QYA1c~n(>&95(}_QPw196q%G2jX^~JgR_fbbWNGI{RrOrr9{(OXCT$1hxU(w`f z5AeP30E0=iBF>6j)8ANSjWT;3-J= zNgWd^=WVxsSp$D(rf*l*U=g7&s+Vt|V*sv|Da|PD)=4iFWg%s0REtyjkve6qTD_sa zX)vqj0j;o;u}@kMm~Y9j6Bqe#yf9!N-@YI^Z!wRkXmu>G0NB+}mGvNMTk~2w+7@o} zF&Ce9ypNTw?&4J7RES-r>=RQ{DJW7Kg6KoqUNpZL%GiZmfg(Y1AfZNA=P8kujKmBi z${Xls<;xU6QcWVw>y5NdS3`>n5|e(>KFj3Q?BChN@=rV;dml>FdAWL3NyJM8ob4U+ z9sc&2_LMjiI;QkKIPo8>g_*PKecv1;mvklOc$}FT(etv7zE1uuuK0 zMwr>;uoGgqQA7#7+yx$);TJv&Ah6WZ^-!Pv;}oQ|BTe6?K#GrSFH5nJYO z7rm2xY1i2)^23G6g?p?vquB&8`7`jR(ZE`J!{x~agn9HrU?#Vw- z4^1z3JX(6&uI*vFJ)tF>y6`|q>seRcP4gw<6jQh8r(ACf25z8AN* zvq0N;rBbSFzfT8|DBc|x^#a{3<+jeAUF_SI)t4>Lbl9*h5?`%fW!$=^-&R;vGPx^G|3+RBN zxBGG{5uNc9@j$ga$c{B++WXG+dOO{cakM6jP{ilfu%mI(9#%)TDKSdl3U^=WmmlrP zR~}7%0u%#D`u1!OuDEZW^%isMrk6K@ZMRbs9S ztL*GGJ!_ft5Z*-;`&^udA%OnUo*Ks*>+gG>K@@m+_wqF4b+X_O7DN9-J8Y2;Jx%xNIZ80eS*{+%|6KT@1+vc-^^qG5BYn zC+9y z345=t@MrTH_{;nu82;=!9u19aKuPYUmM8lDB3=U1so&g@k;m9DVwjHK=jYNMH=nRo zvT`;WPEa=~Mywfuga}`h(s7K5NE{ifwXMT7ZIPOeHIJhO`Swc9^AC?OC3&k>@< ztifYDAE0d?bD4OoMmWuM&@ZPw2V%8RYDMB>kHn&*V~M`WPHMl4)Jv_FXQgAVoYup9 zJp1X%?+>5$vl*Xak$fTiZ#C*UD5+p2Rjwo}*uMZ~?sB$~QQm293l0hdI$hN9Dd;Edr+A1o%f_ zxsUwD_~=;r@(j8>n+vz|e20)LrusPe6312E$Y5;ZuUOs-qh;TpczgPP=*5rYeAnuR z%#MBs#Wh(uZSRSRURLQ*yhO*op{_$q*X^BuXs6R;ln$Jux zxD_-T5pwek+8&?*_BKzK&3?2nd31Q^GoLy$MAw|jpEG)A#%UrGYq=E3oT_3{v4I>Idj$ogr z=!hm84>L=h6$np=J{OYewEO(uNMS6%|VzPP=yVr=2o9Kdh6*zmvTF}S*x zA;%nw?P4`^ogzG0`pHqo(CTJjWA>X@-|^@yosP)wHTVJ4&)@DaSNv{*(h~gq?pOHc zXUrqm>%$0XOM*ED`aF_*0r*S?4}UlH8G;yNSxz~Ri zH)jbN6Q)1dhka{UK6x4~L=Ahi%ll;PgU3m~5>>R~PVK3f*$bPO>0WOPQL2^-k|uZ1 zSZQSdbNg}0tbTdJeIAu@(6jpKliArUQ0O3*7g+Tr4`6hL~i{QDdKB1Mv8<5l===%P#HBjezDd+KPx-FsEsTv>uK17J~$yUVU zN33`#G|LtW3Ty9vh1uL2$BV=%4|xzZP*zVYq7F{qdXH!pURn4q6g^cg5wP@JugNp& zMCE`8_M~!pbO>Jgo-Bb#ggAKKr}@dl+E7VPyKb0*zp};1o*=+3AA9-LmE+7FSdS+l z|KY>oxUvi%H`85nTcd*lmr9Kq4OX8cr{8}H_ZD2<>6A<6E#=M=p)j{lIeVp3!n6ri zzYha0|C!M|?w+Jx&-P-o_4S1fkEFs)z**Lk`;&8S(}7=Y9;Jx*r5U;&*)*=6ahmOm z=_c8wC)S_S#rj=EhiyR1&Q;Uh2m7Qh0+>wG@~|gMX4PBKtil~lRr$;9X;S!Qxm%qQ zVV;vu8uz|WPb}I;bv_QWn{f{{Q#C&K5eQRISmQz(|E5UJB9-N43PJ?}E#P(pENGxrW0Mf0^G9LCbh<8wwhI3~Q00?(D=;}xS;Imxqw^4LZf3$N2+$L=)m&OBWDvYQwR7udi04zgalng4dr}FFHf)ZcL`CsqlOB(|RCNi+>h4ZUL z?yOS+TP@3$(gP|LZvSK|tZl^}O1vk0#j3E#`Wxbdc+&7C#HDk?_mr!Fc*N7db?nMq z()CXY>}rH{ow)s^f`)$Tpy0}_#;x?0pR=p$%%oqn?*nI=-LkoZtk*J6p``YV94c<+ zGs3fu^5b5AFsOHV8!x~rLWY+au)^iF)jXyoL_M6pCTF7-Tn7~nV~pu$!mzP#HS+c< zF5w3nRE9_bjy7gmmpp1A2X^T%vW#Xav>j^7o;T+ay%(i&!ma9H-OFN+cdGN6AkH*!EQPw#DhBr zjb{8!>k#_RtxmrV_M{F20ywVDwo7pc+j=h3c<*GURkk!*O2OAoo2hqgwQlV#RqxY< zOP`(nR_a?8>bqNcme!WPpI?p)+1(OA0U`rQL0~{#1h2M4#M0gD9n+Zjm3L%OoK^;g zLpDD;muY)FxAWds%-(|A^O&#DI8|i^{2AGhnkRPNF6AxPJMR42S6RVJ?w6Tf{_n%B zArF8w7=at+(p}#{$omvWnjhOnDo2|QBGI|+Xb^yej`bIMp($@}Yfe8bWgUl#fs(i& zyL-u$Dj=q%S4HOQ_T>4ERnCu{4bPEbfReZ|QW9*EeR_Rn6|AFpzNuWf(W z@6f(-k9rTXxZT#hdo{voPVeIixjqN_>k`q3n^-(a?~n}@a)OS5^4Ae|)QU6pgu`a! zD2(`|#Lx?OpljhX1U)p9tJOt2kCy)-Pzr3B~qwqVrKYbMrv$BM^z6}#VKngLDun`-4cy&3ir`( z!8$bNQv39IUKfMkLE-)zzVh6jyiO-`c&ny#nFi-cd%_1_W&ynBd?HBIVBUcZ)v++8 zF|SJXf$5-8Xp?Ey!>^G9or@gE2sDhZl%Kd7=y?~9jBctG%r+5S4)qq<=~cfH8E!7I zl7LiB%M%v*5Lwx0Rb97WABMxw=FQ!qg7rH5sqz}T@R9S|gNw_Y4ZKTuNa#lXN9!i2 zf`TuZ3+HQqRW-PMB6S+!1sU&bP5cJH^*N`H4|xzhxJQLtl)na`RBTnzkw907^ky76 z_ijhR$JUB0!NNg{=}`Fhcwa7zPMt!Bf=T6Mpi?~0k=622ml}z)1s3myS|M|q5t};6UU`lm8Zgsn&%OF z45$B7NwS8(an_AxPgC8s%Tr(Mauu23S15QA4`RpmP?gV$x{H_c85XBCDl`AR-lIr> zH!MUv!6o7rrOW8|#kkBO&rh^0em| zn)rx?s>$SO@!R3ct)E-1s+K8lg??G{d%VUV0E{LzVj{X+o9F?+OlIWf$jQX;uE)>M zAyO8b-B;E?#^0*77ey2;M&SgTknO<%>jLe|dEHydpC&3#13R>^^Idg580jDrQf6Jl zar{2dQQ@C?Nl>rJ7W2ji2JYJ!y$I;IuJg*$#2_pq*f<{wwbd1wyd-OBB6joV$0+C0 z#Gt9Pur`{c-rLq_pG+E!B>=vovjsDS-N&m(g-;u<(Dl`O7ih~5qM~=AfaEYMN2zpD z1`h2w^R_?)L2E&qNssULb|t`wvC&Y?!RLyqkI-~wV-QGE~uo^ zt?d!ua4;20Tkm)1+-Fd)I21bEy}*wumGqUe!{CVWALug8t67&vVJ0AqAq;gRYvDWq zgMQHrt$q?*e&*WCA=x+PcN~E(Dn0)YKb)DzTuJ!E^TqQ9$<_BkE&haRr6*Z< zhu)p8LnF59IrMF?lC33}h9-vZ+*fv#=Nol6HciLW-6re`x8Ecn5uP6W&>v%I0I#_Z z9uWWr8^tVbY6jzA)o+h;PcLmf`|o}vC8sw&z8Wt#WURJOPj>X(Rj5ML(vGH2|8Ce^ zf7rOuSF4@ag>u5Fxy*}~OnJfe(*&3xp`UVJA!cR(J(QV-rePj0tO z%(zfi&K>gPyRSes0ZwDgqs3+!WR~mX#kh#u0i}@Owlw5Gft^Q7dc!DC;^m}h(Zj5@ zw~NBSmIm$2ivbp|gWAnd{lq%MOM#oOvqtdiYGnTLh46;op3gZQA@jGsf~C8$wABJ; z9L*$DrZRZ2czT<}MihEqV*3WQAd^%!nNt?{(##H@d31k%QWMfORPK=In3Cm8OXWtN zQjHGt$C)*6>B0I;>@^RVqM;J!4mixC@2{4E!p4Jl#OCM&oO56|QUPqTT{-^Xo?|S! zUx&%eyp)nt@oX=(y>yO*LE54vAJH)OpTWgPO>h6~Uo@x1=~^{5ORd0l@RF_ZRY zQ6cfHy)83MIKmQjd+@b`GAm2wTkAWVjNm^3xSHIvTA0n0*_&auc~{5EGUjh2{Rf}Q z{lvm3A|G#e^9xgzaw*8r*QRZSJE)(LsmX0Hoey5xJ0JL|_aFAZJHqH_S(9rgu;<3z z!-L+OU^Z_cmefms(3B*^1QJ>;n3vt{x$gJy0^Bc6**ALRFa0rn#H~e_JO}LQZkke{ zP)#3)uX8^+3pA}HT27fIzxEfM2~<~)P&D7VaA$S_mTC)nDN%Hcd(ffY&sRGprEbT6 z;4w(VpZ%VK49HAF-2`UPBIEj(^EZ(Ay2jCdukFz4%3b8V9lA%mb(xUGe4vgf$Y;PV zo5)wHE#;F-2{~r7%k^A0rurdNPsz_a+$I}shQ&tDSkO{Ht9&AqSFO3#l$S;EEiS`2 z4#rBDiy$_U0>~xoT;1%_jV1PKWb!Cl;x-M%8*6tJUs25gTPc#$-2lV8@yIdI8^gS_ z;0tSh%B(|>|Oi^-MU+RbF*1*I~=vbIc>p9 z?=9xCntl7W3kDaBu0O$!fwLcVO@Gv4=g-B}0UqW($Uu@94TOdehMiILloHBrqZp>3 zTx^+@1@=gZ=vRr)YwGI1izw4eSb%kqr}P&<+F$WVCf0z(+a1o)IH{ZC_E_6;5rro2 zlcF{a$~Wf5;6bdGRknBK@JiDt=2kQ(ZWe>}eD{iy$Y&_Hu;+$LXcU|ts@3IR+_tv+ zyu3X+(j74*99_ro`H-rYGuE=bS4Z5YEO}J9Yqo;nci5*2{K46&*B>CNCLPiynQL)y zGxr6}qs{)@gNA_OJ_MTpaIrmns-_w4GQ3W=wm#h%l>K5gKBwzoC$Jo3mGp1*ox?ic zp7hC(v3c?k!VU*9C21{7uw1YHq|>C~WY+jw@o19cVxPlj?I=gnx0yf)EIV~LAfs7D z@}^mM09Bf;2dod+S+~gv^n9=M(#P7Xe5;?;auNH~=cQg#r1d>n7j%jJ+Tl}ky!X%6 z)nzcdF6cx4q_$%`ab1OXlZ!L*tL<8*)NP^R1)`cYGxtm7;$l7%bvi><5&0+lxlYy% z`@Ec)>Y+dP6%R?FQMTO_$aP2j;<~^w5jm!Z$a7Hd<+oHxj=l-EU5~!)3pbnI(QH|N z^9&*6aPBwdypd-l9e`2G886sQqU&pKG7yh^6C`!RF-3BpWo1au!^`wC-Fi(ft}PuB z*M~N|n8%Nn?|wd5*KBtSIUzntbZsN+mSB5DgWlRO3HRR}u{GbnC`k39AQqYWOE{X4 z6#C{1j!A;tx3`ZQ@4UZcIOuPA8{K3!OL5S*oSJO&EgqAF4-TjrW{Fsn;x1L;%_wae z`JB!l&o8%XZ;b3m`|1YY@TSAv|5^d=6!6{*Sl>hU%ZQuAjHHClM^0xh+z!OlXWCps zPfpJITY{+69B%o?PAx~1wn;1c)GA&rEVfy_Z}VKIjIn4tmBdYV~R`$zJ19@VKO1`;k%`6c@rv)NZBt3A*$zb{;* zv(13pulv<(UG~gO6hDr6d%1`UCze-kE_k$OVp`2BmO|R#TrFTZ`s2At z09zwo4~QzguXkG2vw=!@w0#Ly^LMcPg-k;~JI0Q>@QP?7n39 zkHnpJ>Ic6NW_JpYxv%q8dDmW$QX!F@qs9TuW$((3{X370Q-3hyIylx3PzLnPU5Mz@ z0>OqSu9jv!pRwI*XKo%ECcHQ$z`B~@5@41^RioJ7NA1@q4hrF5^=!5W$-Nh~G%vJg zrAStQtyZ-Uhxa(^W|01zZA_J~_E@DTEmYfB-cklQyKhfiRGq={n3=6YluCm&Rs6e) z2+t_x<+8UiXvtvq9af5HwwDfHq-1wZAa+D~lkWagmXfPG_>MkD%cb@4r)Cs^FJ?^AcEPHPcG5MSS_N(}HQo4E zbtK~BReX{AjzW4r91nceL@n}j_=QvJZ(X=SA4@Z5l=_}NHKh2!QX}2e_Kh1+X zxmohc|Kj>U!VKg3sgx(6c_74VhHNgU&I71*-BETr3H}K5Md;|Ycrr974MjzZUl-D} z9{^P@P8JsJtHb*Y>bA%qqGAOpo1(i;`*710v0PGP{UbvEleBvPprYar1!mR{V!4-s`fxl75;;~UrW50rmcTAmcI^;a%ZSs* z9~M5c{GpTbm+3uT{U#041`Ac}O1Q;G5slrR5PI!JoH`Gw+O{%fBq7r%j;Db)Y2tT3 z)71i(Til{)M6H@Kk&70sm%&Md@U%7}(b6E$9hcz?%~4U)O2ZEqRL+@Rfn^1KbeE;{ zbG6*JE)VmmM;mY6JD6J0LI~n7TLeHTvfPRooz=p+zU888w*BgLse5UxL|3iCzRC0T z3=#e{qs59>Wi2}@sZu=ry$Mi$_IklBobHftob`bM;Q?YgFC`+H7dk$n0u7V~M++S7 zSD6ZC7ZZ(D8^Mz@)+1>mpt80dyNh+svAADvTzKE(P-n|>rr}A%VAiiHQv%9Ols9l# zPwTw7laYvWTgfv#qF6~$j_!)gmpERQyvp{y<*y$! zPcAvbC>hb7Ju;YZcQBQLvR4S}1W%#T?yng8zgVeqt|Qy5kHy;k;#)R%s`2(n%NCwY z>6F$vm$x0$T&Uk2d8aOkT?iUCQr4%-gJxhnTwTP*}<^f)SrptEqEEFlxjy3wBHL379W}u7R4^pRsAu&UWr2j(qr+ zJWfTN+j+0H$Nb+|hJr1F-turDG>d&;FD_yPAlFI&u-sDzp2! zxApB!_0NzYn&T*rLxTLW_s0^@1>AS5Zw; zV+0x4=e9PtaXWn{7@f_ExONr?SyvwCm;|iUZea1Xvb8-~_cb$<=L%>+L}a)M%~QHd z_80RuGZgRkdabW&9-r~&UwQ#>nYZVYtEMQD_d`D^O|m--n{%^s#NSJV;<>(aa%{el z4MH({_j=U}goF91sQ-o4@dXU5^O+^7g!`)qROXn5jf)VBuSEYBR!h00ogDXX{^sHT zza5%J0!xpPm#ZZRJ#HrlTkFZarIk`V zqvsZy)5-e1W{Y!PfatS(8U0N7u0%7+P65%A{e}ER6suI+JItUn0PfA=gCAtHt1yc1 zV>3Zti|O4$JS#|CHir`sWo27T!+1?^JHHEaNC_wC$dOD;8VjW-1_iYpM^xmpk+d-w z)KnNbH^Ss-T}bnSB%n1ox!{xt*L8e854FwxzQT8Oq6k*R(+$+I;$xj0h_7}F-oeD@ zt%ZBx2o?(Qc|*^Y*CP8hUUc?6hr7cQ){Z?XuY$KZyW^N$)+WBF3;PZ8n#U}d{S5Ds zM{zRD1;d#d(BO!@CvzdAWICUH!UmkycQnmMyoOfQ8uKPKH;sWUH)6Iw{FDjayug~^ z%nsPZo=o9L;q>*Pt9V~x7(<-ZV_K(IX(sKD%+VbfrkaE#?BlU-*!_52R$i}gyI5|- zRZy<~_}y|lKK`&-jU1e|SUnaRaFd)@U*0G8xc;=HcjJF%siVI>v+>MS+%<_%O}c*nC`7S z%l}RF3!e9&MxxNC*##9+F&dF)#p^fqU^~8Fev2=!MrbAx#yfVIQsYuvExdy}^gbW( z=uupNLr}zi;qhi?q)3F&ADD5|BNdvtx~ssJCWnHSo3l3sJ}=ePo{TA%%j7rN+NJ52 z+T|-JJ>N;L9@AqQq8xL~- zAU8JQe+XgErqKvm4x{+q|1VE>Z9=8#lhJ59(f65mj40~W$&Nca#ow%b%N6yjfF6B{ z{vK->+)&6fwf~j_MQx$7vTf8aH7Sfjsrz}QcTnkl5j0N=_r7QLBnp%u{#Y6Te<5lL zmFsKPD;JUc?O8xT0u#Hz&A$CBzv%wWibL|-r+<5@0T>!QE=i?t{vzL7R%s{oMeaPA zzda$`(oP2_&jK&+Yb)GbHPn-qCeZ89zx9JC2vt99E1;b!+ykZ}1g%rTtvLbz>3z@t zmo~_Ob1w63d|UFLZqS12$Wk7|FptFJ2Wmi}Y&`c{MZ?&B)UV7SpsQUQ(b@WVtP5|w z_;qCB-xZ_O=@3*hwJ=45eQqpG%u24$g?JlJ_iq?(0vS)I$ecUz5+8BzK78X_A??Gh zbs=1b;lI@!YEuI5IZQTK-vDD8rsL0OMC&&+jT zTtY<2W}0@+T#N(Y|JRD5CRxTQ^x)sfoR1ybfuSHD=By#bnU8nAjYA>*SShHRoxjWf zfVZX+?fb1A)z&G;W&vvI=tWhzf?3ea3gP7;bL2X!{}Yi|c=TGRDV94f5Y^ zyuCDW0@BY3ei>9Q(7+Xv|62m01(~6YWS}9Q^WW@*sG}E-O#1jQ$|=4=9cZLjhp3Bo*i?-Y`doYo={bsouY>K_Uf4Td6D??)Q zu@G5Wo+;Ipm;V?ZxwQBa*O@9P;=>S)yDBT|(>IAL6OZUp{sBm+J8rD;N;4hn6 zI}2`pjrV~?)WVZq zos6rilt0C0ee>V2Pn100^bO!-7``V9qO-(^g{*SOC9`aUyirxm|5`y|;OwCgdZTe> zXmwZjC;Q|SPY0pnq+Q%jSl@e8X?JgA?&OCCi2M_*Gj~{M0@eMuY)veT{iDy?C?EZ7 zTXj!|-EZd+Md2BQAM0GsgDmwg7BP^tqX5TW^X*>(PMYBj%67kBoBijB*C?F)qpC#u zPly}}86%G4MgF&G_84n2ch624Tk0Q=M({-rp78L#isEKm9O6aQ{Gt zg%w1wiORJ;n;$N0k`1n*DA>4bIIoEREWq5g>s7qs8b{|e)!&GKI$az*a(u6N=T}uX zH+)x|MhUPuW;M0Cc8PI;^VcM_jYuylXrn=|$KJ7y*?lo{f6#GcY!7J?e;yX<1{P*J z0Fvw{0aa9ZZqrb%e^e`K)(w0!n7j9p=|oFc=VIN_h=sR2TtY?H-X`9n5C7jeGH6sw zKV9uMLp}}C012f!IRUL#Z5jX93(%IpvwX2T8TnsVM`YosMm>b!T*NUm-(O-G6=rFI zjB(w4rWOMcb?}@n&lA{2LbBmMw~{t~gkJt_zjQMU@fxy=Vml=!p`3mmFmBTa zXSS??+Zf|_8wFb2Lie{1C_yOdpKmf>$^F)_-e}3z!`3cy4lj!rbU5w0JZto%?jNL} z1?A&=t}LCbC7bQlPbnuSl=L(Ga|c`j4TdSA*=%toV-%*kw}giU*Y`8=DRF!wO#O?! zC<%YCK7X~R{w!#i{Bduhg|T^EFbQej@RlS0KWI^tHoaovUF0;(_Ckz2tGFVM{D-^a zk1(cj+_~(`oE#(cHE{pg7V7yMsvHGSQ~%ee>AoCY6i)aLM4M0{-mS8d^xx`AIZ@^4 zqMz)*KaKux4Sl1JEmQ8PV#{0vK&5$L6zpAsRIrOlD_*uHWoebLfM)JrM8}c*xpRSA Xev|4ki9`KwBASxCnp~NTaq#~Dd~F&V literal 0 HcmV?d00001