Update fqcn #161

Merged
merged 9 commits into from
Oct 3, 2023
3 changes: 1 addition & 2 deletions .ansible-lint
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,4 @@ warn_list:
- var-spacing
- var-naming
skip_list:
- experimental
- fqcn-builtins
- experimental
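Review bot: removing `fqcn-builtins` from `skip_list` is the right follow-through for this PR, but `var-naming` is left in `warn_list` while the CI run on this very PR still reports `var-naming[no-role-prefix]` for `caller_role_name` in roles/rke2_agent/tasks/main.yml; either rename that variable with the expected role prefix here or record it as a follow-up so the warning does not become permanent background noise.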
2 changes: 1 addition & 1 deletion ansible.cfg
Expand Up @@ -11,4 +11,4 @@ pipelining = True
host_key_checking = False
deprecation_warnings = False
callback_whitelist = profile_roles, timer
display_skipped_hosts = no
display_skipped_hosts = no
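Review bot: the change in this hunk is invisible in the rendered diff (`display_skipped_hosts = no` is identical before and after), so it is most likely a trailing-newline or whitespace fix; a word in the commit message would spare the next reader the guess. Two things worth addressing while this file is open: `callback_whitelist` is the deprecated spelling of `callbacks_enabled` in current ansible-core, and `host_key_checking = False` disables SSH host-key verification for every play run with this config, which matters for a playbook that distributes cluster join tokens to nodes; consider limiting it to lab inventories or pre-seeding known_hosts.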
12 changes: 6 additions & 6 deletions roles/rke2_agent/tasks/main.yml
Expand Up @@ -2,19 +2,19 @@

- name: RKE2 agent and server tasks
vars:
caller_role_name: agent

Check warning on line 5 in roles/rke2_agent/tasks/main.yml (GitHub Actions / Lint for push): var-naming[no-role-prefix]
Variables names from within roles should use rke2_common_ as a prefix. (vars: caller_role_name)

include_role:
ansible.builtin.include_role:
name: rke2_common
tasks_from: main

- name: Does config file already have server token? # noqa command-instead-of-shell
command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml'
ansible.builtin.command: 'grep -i "^token:" /etc/rancher/rke2/config.yaml'
register: server_token_check
failed_when: server_token_check.rc >= 2
changed_when: false

- name: Add token to config.yaml
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/rancher/rke2/config.yaml
line: "token: {{ hostvars[groups['rke2_servers'][0]].rke2_config_token }}"
state: present
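Review bot: the `Add token to config.yaml` task renders the cluster join token (`rke2_config_token`) into its `line:`, so with `--diff` or verbose output the token lands in the controller log and CI output; add `no_log: true` to that task. Also, `# noqa command-instead-of-shell` on the `ansible.builtin.command` task is dead: that rule only fires on `shell`, so the tag can go. The FQCN changes themselves are correct and the `failed_when: server_token_check.rc >= 2` guard (grep exit 1 means "no match", not an error) is fine as written.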
Expand All @@ -23,13 +23,13 @@
- '"token:" not in server_token_check.stdout'

- name: Does config file already have server url? # noqa command-instead-of-shell
command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml'
ansible.builtin.command: 'grep -i "^server:" /etc/rancher/rke2/config.yaml'
register: server_url_check
failed_when: server_url_check.rc >= 2
changed_when: false

- name: Add server url to config file
lineinfile:
ansible.builtin.lineinfile:
dest: /etc/rancher/rke2/config.yaml
line: "server: https://{{ kubernetes_api_server_host }}:9345"
state: present
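Review bot: the grep-then-lineinfile pair for `server:` (and the matching pair for `token:` above) can collapse into one `ansible.builtin.lineinfile` task with `regexp: '^server:'`, which is idempotent on its own and removes the `command` task together with its `# noqa` tag. As written, the `when` only tests for the key's presence, so an existing `server:` line pointing at a stale or different host is silently left in place; with `regexp:` the line would be corrected instead.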
Expand All @@ -38,7 +38,7 @@
- '"server:" not in server_url_check.stdout'

- name: Start rke2-agent
systemd:
ansible.builtin.systemd:
name: rke2-agent.service
state: started
enabled: yes
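Review bot: `enabled: yes` on the `Start rke2-agent` task is left as a YAML 1.1 truthy value while this same PR converts `remote_src: yes` to `true` in roles/rke2_common/tasks/cis-hardening.yml; use `true` here as well so the repository settles on one boolean style.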
6 changes: 3 additions & 3 deletions roles/rke2_common/handlers/main.yml
@@ -1,16 +1,16 @@
---

- name: Restart systemd-sysctl
service:
ansible.builtin.service:
state: restarted
name: systemd-sysctl

- name: Restart rke2-server
service:
ansible.builtin.service:
state: restarted
name: rke2-server

- name: Restart rke2-agent
service:
ansible.builtin.service:
state: restarted
name: rke2-agent
4 changes: 2 additions & 2 deletions roles/rke2_common/tasks/add-audit-policy-config.yml
@@ -1,12 +1,12 @@
---
- name: Create the /etc/rancher/rke2 config dir
file:
ansible.builtin.file:
path: /etc/rancher/rke2
state: directory
recurse: yes

- name: Add audit policy configuration file
copy:
ansible.builtin.copy:
src: "{{ audit_policy_config_file_path }}"
dest: "/etc/rancher/rke2/audit-policy.yaml"
mode: '0640'
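Review bot: `recurse: yes` on the `Create the /etc/rancher/rke2 config dir` task does not create parent directories (`state: directory` already does that); it recursively applies the task's owner/group/mode to everything under the path, and since no `mode` or owner is given it does nothing useful. Drop it and set an explicit directory mode such as `mode: '0750'`. The `mode: '0640'` on audit-policy.yaml is appropriate.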
2 changes: 1 addition & 1 deletion roles/rke2_common/tasks/add-manifest-addons.yml
@@ -1,7 +1,7 @@
---

- name: Add manifest addons files
copy:
ansible.builtin.copy:
src: "{{ manifest_config_file_path }}"
dest: "/var/lib/rancher/rke2/server/manifests/"
mode: '0640'
6 changes: 3 additions & 3 deletions roles/rke2_common/tasks/add-registry-config.yml
@@ -1,12 +1,12 @@
---
- name: Create the /etc/rancher/rke2 config dir
file:
ansible.builtin.file:
path: /etc/rancher/rke2
state: directory
recurse: yes

- name: Add registry configuration file
copy:
ansible.builtin.copy:
src: "{{ registry_config_file_path }}"
dest: "/etc/rancher/rke2/registries.yaml"
mode: '0640'
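Review bot: same remark as for add-audit-policy-config.yml: `recurse: yes` on the directory task sets nothing (no mode or owner is given) and is not what creates parent directories, so drop it and give the directory an explicit mode. Keeping registries.yaml at `mode: '0640'` is right, since that file can carry registry credentials.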
Expand All @@ -16,7 +16,7 @@
notify: Restart rke2-server

- name: Add registry configuration file
copy:
ansible.builtin.copy:
src: "{{ registry_config_file_path }}"
dest: "/etc/rancher/rke2/registries.yaml"
mode: '0640'
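Review bot: this file now contains two tasks named `Add registry configuration file` with identical `src`, `dest` and `mode` (this hunk and the one at the top of the file, which notifies `Restart rke2-server`); duplicate names make `--start-at-task` and log reading ambiguous. If the two differ only in their `when`/`notify`, fold them into one task, otherwise make the names say which case each covers, e.g. `... (server)` and `... (agent)`.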
25 changes: 14 additions & 11 deletions roles/rke2_common/tasks/calculate_rke2_version.yml
Expand Up @@ -4,63 +4,66 @@
when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 )
block:
- name: Stop if the provided is not valid
fail:
ansible.builtin.fail:
msg: "Provided channel is not valid"
when: rke2_channel not in channels

- name: Get full version name url
uri:
ansible.builtin.uri:
url: https://update.rke2.io/v1-release/channels/{{ rke2_channel }}
follow_redirects: safe
remote_src: true
register: rke2_version_url

- name: Set full version name
shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||'
ansible.builtin.shell: set -o pipefail && echo {{ rke2_version_url.url }} | sed -e 's|.*/||'
register: rke2_full_version
changed_when: false
args:
executable: /usr/bin/bash

- name: Set rke2_full_version fact
set_fact:
ansible.builtin.set_fact:
rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or (install_rke2_version|length == 0)) else install_rke2_version }}" # yamllint disable-line rule:line-length

- name: Set dot version
shell: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1
ansible.builtin.shell:
cmd: set -o pipefail && echo {{ rke2_full_version }} | /usr/bin/cut -d'+' -f1
register: rke2_version_dot_tmp
changed_when: false
args:
executable: /usr/bin/bash

- name: Set rke2_version_dot fact
set_fact:
ansible.builtin.set_fact:
rke2_version_dot: "{{ rke2_version_dot_tmp.stdout }}"

- name: Set Maj.Min version
shell: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g"
ansible.builtin.shell:
cmd: set -o pipefail && echo {{ rke2_full_version }} | /bin/awk -F'.' '{ print $1"."$2 }' | sed "s|^v||g"
register: rke2_version_majmin_tmp
changed_when: false
args:
executable: /usr/bin/bash

- name: Set rke2_version_majmin fact
set_fact:
ansible.builtin.set_fact:
rke2_version_majmin: "{{ rke2_version_majmin_tmp.stdout }}"

- name: Set RPM version
shell: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/"
ansible.builtin.shell:
cmd: set -o pipefail && echo {{ rke2_full_version }} | sed -E -e "s/[\+-]/~/g" | sed -E -e "s/v(.*)/\1/"
register: rke2_version_rpm_tmp
changed_when: false
args:
executable: /usr/bin/bash

- name: Set rke2_version_rpm fact
set_fact:
ansible.builtin.set_fact:
rke2_version_rpm: "{{ rke2_version_rpm_tmp.stdout }}"

- name: Describe versions
debug:
ansible.builtin.debug:
msg:
- "Full version, with revision indication: {{ rke2_full_version }}"
- "Version without revision indication: {{ rke2_version_dot }}"
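Review bot: the four `ansible.builtin.shell` pipelines (`Set full version name`, `Set dot version`, `Set Maj.Min version`, `Set RPM version`) template a value fetched from update.rke2.io straight into a bash command line. Each is a pure string transformation and can be a Jinja expression in `set_fact` with no shell at all, for example `rke2_version_url.url | basename`, `rke2_full_version.split('+') | first` and `rke2_full_version | regex_replace('^v', '') | regex_replace('[+-]', '~')`; that removes the `set -o pipefail` / `executable: /usr/bin/bash` boilerplate, the `changed_when: false` workarounds and the remote-value-into-shell pattern in one go. Separately, the `when` on the enclosing block (line 4) already guarantees `install_rke2_version` is unset or empty, so the inline `if ... else install_rke2_version` in `Set rke2_full_version fact` can never take its else branch.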
15 changes: 8 additions & 7 deletions roles/rke2_common/tasks/cis-hardening.yml
Expand Up @@ -5,30 +5,31 @@
block:

- name: Create etcd group
group:
ansible.builtin.group:
name: etcd
state: present

- name: Create etcd user
user:
ansible.builtin.user:
name: etcd
comment: etcd user
shell: /bin/nologin
group: etcd
create_home: false

- name: Copy systemctl file for kernel hardening for yum installs
copy:
ansible.builtin.copy:
src: /usr/share/rke2/rke2-cis-sysctl.conf
dest: /etc/sysctl.d/60-rke2-cis.conf
remote_src: yes
remote_src: true
mode: 0600
register: sysctl_operation_yum
when:
- ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
- not rke2_binary_tarball_check.stat.exists

- name: Copy systemctl file for kernel hardening for non-yum installs
copy:
ansible.builtin.copy:
src: /usr/local/share/rke2/rke2-cis-sysctl.conf
dest: /etc/sysctl.d/60-rke2-cis.conf
remote_src: yes
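Review bot: `mode: 0600` on the yum-install copy task is an unquoted octal; YAML 1.1 reads it as the integer 384, which Ansible tolerates but ansible-lint flags as `risky-octal`, and this PR quotes modes everywhere else (`mode: '0640'`), so quote it here too. In the same hunk: `ansible_os_family == 'Rocky'` is dead code because Rocky Linux reports `os_family` as `RedHat`; `shell: /bin/nologin` for the etcd user should be checked against the target distributions, which commonly ship nologin under /usr/sbin (with /sbin/nologin on RHEL-family); and the `remote_src: yes` -> `true` change is good but the non-yum copy task right below still says `remote_src: yes`.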
Expand All @@ -40,12 +41,12 @@
rke2_binary_tarball_check.stat.exists

- name: Restart systemd-sysctl
service:
ansible.builtin.service:
state: restarted
name: systemd-sysctl
when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed

- name: Reboot the machine (Wait for 5 min)
reboot:
ansible.builtin.reboot:
reboot_timeout: 300
when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed
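Review bot: the explicit `Restart systemd-sysctl` task guarded by `sysctl_operation_yum.changed or sysctl_operation_tarball.changed` duplicates the `Restart systemd-sysctl` handler this PR also touches in roles/rke2_common/handlers/main.yml; add `notify: Restart systemd-sysctl` to the two copy tasks and drop this task. Where a registered result is still tested, prefer `sysctl_operation_yum is changed` over `.changed`. The reboot task would also benefit from a comment on why a full reboot with a 5-minute timeout is still required after systemd-sysctl has re-applied the file.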