Refactor 2 (#54)

* Refactor 2

* add assertion for ansible version

Added an assertion to check for Ansible version prior to running other tasks. This is due to the Ubuntu AMI failing with the standard Ansible install (apt install ansible) as the version in apt is 2.9.6 - which fails due to a missing critical update packaged into 2.9.8. If the user runs the script with anything earlier than 2.9.8, it will fail and request that they upgrade Ansible.

* Revert "add assertion for ansible version"

This reverts commit 486df1e.

* Add changes from review

Co-authored-by: Michael DAmato <[email protected]>
Co-authored-by: Tucker Blue <[email protected]>

.gitignore

@@ -7,5 +7,7 @@ test_inventory*
 
 rke2-images.linux-amd64.tar.gz
 rke2.linux-amd64.tar.gz
-tarball_install/rke2-images.linux-amd64.tar.gz
-tarball_install/rke2.linux-amd64.tar.gz
+
+
+tarball_install/*
+!tarball_install/README.md

.yamllint

@@ -10,3 +10,5 @@ rules:
 
 ignore: |
   .github/
+  inventory/sample/group_vars/rke2_servers.yml
+  inventory/sample/group_vars/rke2_agents.yml

README.md

@@ -132,3 +132,5 @@ Author Information
 [Brandon Gulla](https://github.com/bgulla)
 
 [Rancher Federal](https://rancherfederal.com/)
+
+[Mike D'Amato](https://github.com/mdamato)

ansible.cfg

@@ -6,7 +6,7 @@ inventory  = ./inventory/my-cluster/hosts.ini
 remote_tmp = $HOME/.ansible/tmp
 local_tmp  = $HOME/.ansible/tmp
 pipelining = True
-become = True
+#become = True
 host_key_checking = False
 deprecation_warnings = False
 callback_whitelist = profile_roles, timer

inventory/sample/group_vars/rke2_agents.yml

@@ -1,18 +1,10 @@
 ---
-# Primary RKE2 agent configuration parameters.
-# See https://docs.rke2.io/install/install_options/agent_config/ for more information.
 
-rke2_config:
-  selinux: true
-  profile: cis-1.5
-
-# node-label
-rke2_node_labels:
-  - "ansible-provisioned-agent=true"
-
-# kubelet-arg
-rke2_kubelet_args:
-  - "feature-gates=DynamicKubeletConfig=false"
+# Primary RKE2 agent configuration parameters. Remove the curly braces ( {} ) and add your configuration.
+# See https://docs.rke2.io/install/install_options/linux_agent_config/ for all configuration options.
+rke2_config: {}
+  # debug: false
 
 # See https://docs.rke2.io/install/containerd_registry_configuration/
+# Add a registry configuration file by specifying the file path on the control host
 # registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"

inventory/sample/group_vars/rke2_servers.yml

@@ -1,34 +1,17 @@
 ---
-# Primary RKE2 server configuration parameters.
-# See https://docs.rke2.io/install/install_options/server_config/ for more information.
-
-rke2_config:
-  selinux: true
-  write-kubeconfig-mode: "0640"
-  profile: cis-1.5
-
-# node-label
-rke2_node_labels:
-  - "ansible-provisioned-server=true"
-
-# kube-apiserver-arg
-rke2_kube_api_server_args:
-  - "tls-min-version=VersionTLS12"
-
-# kube-scheduler-arg
-rke2_kube_scheduler_args:
-  - "tls-min-version=VersionTLS12"
-
-# kube-controller-manager-arg
-rke2_kube_controller_manager_args:
-  - "tls-min-version=VersionTLS12"
-
-# kubelet-arg
-rke2_kubelet_args:
-  - "feature-gates=DynamicKubeletConfig=false"
+# Primary RKE2 server configuration parameters. Remove the curly braces ( {} ) and add your configuration.
+# See https://docs.rke2.io/install/install_options/server_config/ for all configuration options.
+rke2_config: {}
+  # debug: false
 
 # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
+# Add a policy configuration file by specifying the file path on the control host
 # audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml"
 
 # See https://docs.rke2.io/install/containerd_registry_configuration/
+# Add a registry configuration file by specifying the file path on the control host
 # registry_config_file_path: "{{ playbook_dir }}/sample_files/registries.yaml"
+
+# See https://docs.rke2.io/helm/#automatically-deploying-manifests-and-helm-charts
+# Add manifest files by specifying the directory path on the control host
+# manifest_config_file_path: "{{ playbook_dir }}/sample_files/manifest/"

inventory/sample/hosts.ini

@@ -1,6 +1,6 @@
 [rke2_servers]
-; host0
-; host1
+; host0 extra_node_labels='["extraLabel0=true", "extraLabel1=true"]' 
+; host1 extra_node_labels='["extraLabel2=true", "extraLabel3=true"]'
 ; host2
 
 [rke2_agents]

roles/rke2_agent/tasks/main.yml

@@ -1,21 +1,9 @@
 ---
-- name: YUM-Based | Install rke2-agent
-  yum:
-    name: rke2-agent
-    state: latest  # noqa package-latest
-  when:
-    - ansible_facts['os_family'] == 'RedHat'
-    - not got_rke2_install_ball.stat.exists
 
-- name: TARBALL | Moving Systemd units to /etc/systemd/system
-  ansible.builtin.copy:
-    src: /usr/local/lib/systemd/system/rke2-agent.service
-    dest: /etc/systemd/system/rke2-agent.service
-    mode: '0644'
-    owner: root
-    group: root
-    remote_src: yes
-  when: ansible_facts['os_family'] != 'RedHat' or got_rke2_install_ball.stat.exists
+- name: RKE2 agent and server tasks
+  include_role:
+    name: rke2_common
+    tasks_from: main
 
 - name: Add server url to config file
   lineinfile:
@@ -27,11 +15,6 @@
     dest: /etc/rancher/rke2/config.yaml
     line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}"
 
-- name: Run CIS-Hardening Tasks
-  include_role:
-    name: rke2_common
-    tasks_from: cis-hardening
-
 - name: Start rke2-agent
   ansible.builtin.systemd:
     name: rke2-agent

roles/rke2_common/defaults/main.yml

@@ -3,3 +3,5 @@ tarball_dir: "/usr/local"
 rke2_channel: stable
 audit_policy_config_file_path: ""
 registry_config_file_path: ""
+add_iptables_rules: false
+rke2_config: {}

roles/rke2_common/tasks/add-manifest-addons.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Add manifest addons files
+  copy:
+    src: "{{ manifest_config_file_path }}"
+    dest: "/var/lib/rancher/rke2/server/manifests/"
+    mode: '0640'
+    owner: root
+    group: root

roles/rke2_common/tasks/cis-hardening.yml

@@ -27,18 +27,20 @@
         src: /usr/share/rke2/rke2-cis-sysctl.conf
         dest: /etc/sysctl.d/60-rke2-cis.conf
         remote_src: yes
+        mode: 0600
       register: sysctl_operation_yum
       when:
         - ansible_os_family == 'RedHat'
-        - not got_rke2_install_ball.stat.exists
+        - not rke2_binary_tarball_check.stat.exists
 
     - name: Copy systemctl file for kernel hardening for non-yum installs
       ansible.builtin.copy:
         src: /usr/local/share/rke2/rke2-cis-sysctl.conf
         dest: /etc/sysctl.d/60-rke2-cis.conf
         remote_src: yes
+        mode: 0600
       register: sysctl_operation_tarball
-      when: ansible_facts['os_family'] != 'RedHat' or got_rke2_install_ball.stat.exists
+      when: ansible_facts['os_family'] != 'RedHat' or rke2_binary_tarball_check.stat.exists
 
     - name: restart systemd-sysctl
       service:

roles/rke2_common/tasks/config.yml

@@ -14,45 +14,21 @@
     owner: root
     group: root
 
+- name: Set a fact
+  ansible.builtin.set_fact:
+    all_node_labels: "{{ rke2_config['node-label'] | default([]) }} + {{ extra_node_labels | default([]) }}"
+
+- name: Add node labels to rke2_config
+  ansible.utils.update_fact:
+    updates:
+      - path: rke2_config["node-label"]
+        value: "{{ all_node_labels }}"
+  register: updated_rke2_config
+
 - name: Add primary configuration items
   copy:
-    content: "{{ rke2_config | to_nice_yaml(indent=0) }}"
+    content: "{{ updated_rke2_config.rke2_config | to_nice_yaml(indent=0) }}"
     dest: /etc/rancher/rke2/config.yaml
     mode: "0640"
     owner: root
     group: root
-
-- name: Add rke2_kube_api_server_args
-  lineinfile:
-    path: /etc/rancher/rke2/config.yaml
-    line: "kube-apiserver-arg: {{ item }}"
-  with_items:
-    - "{{ rke2_kube_api_server_args | default([]) }}"
-
-- name: Add rke2_kube_scheduler_args
-  lineinfile:
-    path: /etc/rancher/rke2/config.yaml
-    line: "kube-scheduler-arg: {{ item }}"
-  with_items:
-    - "{{ rke2_kube_scheduler_args | default([]) }}"
-
-- name: Add rke2_kube_controller_manager_args
-  lineinfile:
-    path: /etc/rancher/rke2/config.yaml
-    line: "kube-controller-manager-arg: {{ item }}"
-  with_items:
-    - "{{ rke2_kube_controller_manager_args | default([]) }}"
-
-- name: Add rke2_kubelet_args
-  lineinfile:
-    path: /etc/rancher/rke2/config.yaml
-    line: "kubelet-arg: {{ item }}"
-  with_items:
-    - "{{ rke2_kubelet_args | default([]) }}"
-
-- name: Add node-labels
-  lineinfile:
-    path: /etc/rancher/rke2/config.yaml
-    line: "node-label: {{ item }}"
-  with_items:
-    - "{{ rke2_node_labels | default([]) }}"

roles/rke2_common/tasks/images_tarball_install.yml

@@ -0,0 +1,28 @@
+---
+- name: "Check for images tar.gz in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz"
+  stat:
+    path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz"
+  register: got_images_gz
+  delegate_to: 127.0.0.1
+  become: no
+
+- name: "Check for images tar.zst in {{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst"
+  stat:
+    path: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst"
+  register: got_images_zst
+  delegate_to: 127.0.0.1
+  become: no
+
+- name: Add images tar.gz to needed directory if provided
+  copy:
+    src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.gz"
+    dest: /var/lib/rancher/rke2/agent/images/
+    mode: '0644'
+  when: got_images_gz.stat.exists
+
+- name: Add images tar.zst to needed directory if provided
+  copy:
+    src: "{{ playbook_dir }}/tarball_install/rke2-images.linux-amd64.tar.zst"
+    dest: /var/lib/rancher/rke2/agent/images/
+    mode: '0644'
+  when: got_images_zst.stat.exists