adding remove functionality and header

rancherfederal · May 21, 2024 · 9c4122f · 9c4122f
1 parent 4ae0e59
commit 9c4122f
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 20 deletions.
diff --git a/ansible_header.j2 b/ansible_header.j2
@@ -0,0 +1,3 @@
+## This is an Ansible managed file, contents will be overwritten ##
+
+{{ file_contents }}
diff --git a/roles/rke2_common/tasks/add-pod-security-admission-config.yml b/roles/rke2_common/tasks/add-pod-security-admission-config.yml
diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
@@ -74,10 +74,6 @@
   ansible.builtin.include_tasks: add-registry-config.yml
   when: registry_config_file_path | length > 0
 
-- name: Include task file add-pod-security-admission-config.yml
-  ansible.builtin.include_tasks: add-pod-security-admission-config.yml
-  when: pod_security_admission_config_file_path | length > 0
-
 - name: Run CIS-Hardening Tasks
   ansible.builtin.include_role:
     name: rke2_common

diff --git a/roles/rke2_server/tasks/add-pod-security-admission-config.yml b/roles/rke2_server/tasks/add-pod-security-admission-config.yml
@@ -0,0 +1,45 @@
+---
+- name: Create the /etc/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /etc/rancher/rke2
+    state: directory
+    recurse: yes
+
+- name: Add pod security admission config file
+  vars:
+        file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
+    dest: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+    mode: '0640'
+    owner: root
+    group: root
+  when: 
+  - pod_security_admission_config_file_path is defined
+  - pod_security_admission_config_file_path|length != 0
+  notify: Restart rke2-server
+
+- name: Remove pod security admission config file
+  block:
+    - name: Check that the PSA config file exists
+      ansible.builtin.stat:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+      register: stat_result
+
+    - name: "Check that the PSA config file has ansible managed comments"
+      lineinfile:
+        name: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists
+
+    - name: Remove the PSA config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+        state: absent
+      when:
+      - ansible_managed_check.changed == false
+  when:
+    - pod_security_admission_config_file_path is not defined or pod_security_admission_config_file_path|length == 0
diff --git a/roles/rke2_server/tasks/main.yml b/roles/rke2_server/tasks/main.yml
@@ -7,6 +7,9 @@
     name: rke2_common
     tasks_from: main
 
+- name: Include task file add-pod-security-admission-config.yml
+  ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+
 - name: Setup initial server
   ansible.builtin.include_tasks: first_server.yml
   when: inventory_hostname in groups['rke2_servers'][0]