fix(become): only one variable neeed for become

2022-01-02 21:52:09 +00:00 · 2022-01-02 21:52:09 +00:00 · 7e9292c01b
parent a88d27d2ae
commit 7e9292c01b
22 changed files with 80 additions and 131 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,26 @@
 ---
 -->
 ## 2022-01-02, v3.0.0
 ### Notable changes
  - feat: Flattened task filesystem
  - feat: Moved some tasks into `vars/` as templated variables
  - feat: Airgap installation method added #165
 ### Breaking changes
  - Minimum `python` version on targets is 3.6
  - `k3s_become_for_all` renamed to `k3s_become`
  - `k3s_become_for_*` removed.
 ### Contributors
  - [crutonjohn](https://github.com/crutonjohn)
 ---
 ## 2021-12-23, v2.12.1
 ### Notable changes
--- a/README.md
+++ b/README.md
@ -1,10 +1,17 @@
-# Ansible Role: k3s (v2.x)
+# Ansible Role: k3s (v3.x)
 Ansible role for installing [K3S](https://k3s.io/) ("Lightweight
 Kubernetes") as either a standalone server or cluster.
 [![CI](https://github.com/PyratLabs/ansible-role-k3s/workflows/CI/badge.svg?event=push)](https://github.com/PyratLabs/ansible-role-k3s/actions?query=workflow%3ACI)
 ## Help Wanted!
 Hi! :wave: [@xanmanning](https://github.com/xanmanning) is looking for a new
 maintainer to work on this Ansible role. This is because I don't have as much
 free time any more and I no longer write Ansible regularly as part of my day
 job. If you're interested, get in touch.
 ## Release notes
 Please see [Releases](https://github.com/PyratLabs/ansible-role-k3s/releases)
@ -14,6 +21,7 @@ and [CHANGELOG.md](CHANGELOG.md).
 The host you're running Ansible from requires the following Python dependencies:
  - `python >= 3.6.0`
  - `ansible >= 2.9.16` or `ansible-base >= 2.10.4`
 You can install dependencies using the requirements.txt file in this repository:
@ -24,8 +32,7 @@ This role has been tested against the following Linux Distributions:
  - Amazon Linux 2
  - Archlinux
  - CentOS 8
-  - CentOS 7
+  - Debian 11
  - Debian 10
  - Fedora 31
  - Fedora 32
  - Fedora 33
@ -33,7 +40,7 @@ This role has been tested against the following Linux Distributions:
  - RockyLinux 8
  - Ubuntu 20.04 LTS
-:warning: The v2 releases of this role only supports `k3s >= v1.19`, for
+:warning: The v3 releases of this role only supports `k3s >= v1.19`, for
 `k3s < v1.19` please consider updating or use the v1.x releases of this role.
 Before upgrading, see [CHANGELOG](CHANGELOG.md) for notifications of breaking
@ -180,18 +187,11 @@ configuration.
 The below variables are used to change the way the role executes in Ansible,
 particularly with regards to privilege escalation.
-| Variable                            | Description                                                         | Default Value |
+| Variable              | Description                                                    | Default Value |
-|-------------------------------------|---------------------------------------------------------------------|---------------|
+|-----------------------|----------------------------------------------------------------|---------------|
-| `k3s_skip_validation`               | Skip all tasks that validate configuration.                         | `false`       |
+| `k3s_skip_validation` | Skip all tasks that validate configuration.                    | `false`       |
-| `k3s_skip_env_checks`               | Skip all tasks that check environment configuration.                | `false`       |
+| `k3s_skip_env_checks` | Skip all tasks that check environment configuration.           | `false`       |
-| `k3s_become_for_all`                | Escalate user privileges for all tasks. Overrides all of the below. | `false`       |
+| `k3s_become`          | Escalate user privileges for tasks that need root permissions. | `false`       |
 | `k3s_become_for_systemd`            | Escalate user privileges for systemd tasks.                         | NULL          |
 | `k3s_become_for_install_dir`        | Escalate user privileges for creating installation directories.     | NULL          |
 | `k3s_become_for_directory_creation` | Escalate user privileges for creating application directories.      | NULL          |
 | `k3s_become_for_usr_local_bin`      | Escalate user privileges for writing to `/usr/local/bin`.           | NULL          |
 | `k3s_become_for_package_install`    | Escalate user privileges for installing k3s.                        | NULL          |
 | `k3s_become_for_kubectl`            | Escalate user privileges for running `kubectl`.                     | NULL          |
 | `k3s_become_for_uninstall`          | Escalate user privileges for uninstalling k3s.                      | NULL          |
 #### Important note about `k3s_release_version`
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -127,15 +127,8 @@ k3s_agent: {}
 # Ansible Controller configuration
 ##
-# Use become privileges for
+# Use become privileges?
-k3s_become_for_all: false
+k3s_become: false
 k3s_become_for_systemd: null
 k3s_become_for_install_dir: null
 k3s_become_for_directory_creation: null
 k3s_become_for_usr_local_bin: null
 k3s_become_for_package_install: null
 k3s_become_for_kubectl: null
 k3s_become_for_uninstall: null
 # Private registry configuration.
 # Rancher k3s documentation: https://rancher.com/docs/k3s/latest/en/installation/private-registry/
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -4,7 +4,7 @@
  ansible.builtin.systemd:
    daemon_reload: true
    scope: "{{ k3s_systemd_context }}"
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: restart k3s
  ansible.builtin.systemd:
@ -18,4 +18,4 @@
  failed_when:
    - k3s_systemd_restart_k3s is not success
    - not ansible_check_mode
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/ensure_cluster.yml
+++ b/tasks/ensure_cluster.yml
@ -8,7 +8,7 @@
  when:
    - k3s_control_token is not defined
    - not ansible_check_mode
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure cluster token is formatted correctly for use in templates
  ansible.builtin.set_fact:
@ -26,14 +26,14 @@
    path: "{{ k3s_token_location | dirname }}"
    state: directory
    mode: 0755
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure k3s cluster token file is present
  ansible.builtin.template:
    src: cluster-token.j2
    dest: "{{ k3s_token_location }}"
    mode: 0600
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  notify:
    - restart k3s
@ -42,7 +42,7 @@
    src: k3s.service.j2
    dest: "{{ k3s_systemd_unit_dir }}/k3s.service"
    mode: 0644
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  notify:
    - reload systemd
    - restart k3s
@ -55,7 +55,7 @@
  notify:
    - reload systemd
    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure secondary controllers are started
  ansible.builtin.systemd:
@ -72,7 +72,7 @@
  when:
    - k3s_control_node
    - not k3s_primary_control_node
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - import_tasks: post_checks_control_plane.yml
  when: not k3s_skip_validation
--- a/tasks/ensure_containerd_registries.yml
+++ b/tasks/ensure_containerd_registries.yml
@ -8,4 +8,4 @@
  notify:
    - reload systemd
    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/ensure_directories.yml
+++ b/tasks/ensure_directories.yml
@ -5,7 +5,7 @@
    path: "{{ directory.path }}"
    state: directory
    mode: "{{ directory.mode | default(755) }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when:
    - directory.path is defined
    - directory.path | length > 0
--- a/tasks/ensure_downloads.yml
+++ b/tasks/ensure_downloads.yml
@ -48,4 +48,4 @@
    dest: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
    checksum: "sha256:{{ k3s_hash_sum }}"
    mode: 0755
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all)  }}"
+  become: "{{ k3s_become }}"
--- a/tasks/ensure_drain_and_remove_nodes.yml
+++ b/tasks/ensure_drain_and_remove_nodes.yml
@ -4,7 +4,7 @@
  ansible.builtin.stat:
    path: "{{ k3s_install_dir }}/kubectl"
  register: k3s_check_kubectl
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Clean up nodes that are in an uninstalled state
  block:
@ -17,7 +17,7 @@
      delegate_to: "{{ k3s_control_delegate }}"
      run_once: true
      register: kubectl_get_nodes_result
-      become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+      become: "{{ k3s_become }}"
    - name: Ensure uninstalled nodes are drained
      ansible.builtin.command:
@ -34,7 +34,7 @@
        - hostvars[item].k3s_state is defined
        - hostvars[item].k3s_state == 'uninstalled'
      loop: "{{ ansible_play_hosts }}"
-      become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+      become: "{{ k3s_become }}"
    - name: Ensure uninstalled nodes are removed
      ansible.builtin.command:
@ -47,7 +47,7 @@
        - hostvars[item].k3s_state is defined
        - hostvars[item].k3s_state == 'uninstalled'
      loop: "{{ ansible_play_hosts }}"
-      become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+      become: "{{ k3s_become }}"
  when:
    - k3s_check_kubectl.stat.exists is defined
--- a/tasks/ensure_installed.yml
+++ b/tasks/ensure_installed.yml
@ -35,4 +35,4 @@
  when: (k3s_control_node and k3s_controller_list | length == 1)
        or (k3s_primary_control_node and k3s_controller_list | length > 1)
        or k3s_token_cluster_check.stat.exists
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/ensure_installed_node.yml
+++ b/tasks/ensure_installed_node.yml
@ -15,7 +15,7 @@
  when: not ansible_check_mode
  notify:
    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure k3s config file exists
  ansible.builtin.template:
@ -25,7 +25,7 @@
  notify:
    - reload systemd
    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure k3s service unit file is present
  ansible.builtin.template:
@ -35,14 +35,14 @@
  notify:
    - reload systemd
    - restart k3s
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure k3s killall script is present
  ansible.builtin.template:
    src: k3s-killall.sh.j2
    dest: "/usr/local/bin/k3s-killall.sh"
    mode: 0700
-  become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when:
    - k3s_runtime_config is defined
    - ("rootless" not in k3s_runtime_config or not k3s_runtime_config.rootless)
@ -52,7 +52,7 @@
    src: k3s-uninstall.sh.j2
    dest: "/usr/local/bin/k3s-uninstall.sh"
    mode: 0700
-  become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when:
    - k3s_runtime_config is defined
    - ("rootless" not in k3s_runtime_config or not k3s_runtime_config.rootless)
--- a/tasks/ensure_k3s_auto_deploy.yml
+++ b/tasks/ensure_k3s_auto_deploy.yml
@ -8,7 +8,7 @@
  when: >-
    k3s_server_manifests_templates | length > 0
    or k3s_server_manifests_urls | length > 0
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure that the pod-manifests directory exists
  ansible.builtin.file:
@ -18,7 +18,7 @@
  when: >-
    k3s_server_pod_manifests_templates | length > 0
    or k3s_server_pod_manifests_urls | length > 0
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 # https://rancher.com/docs/k3s/latest/en/advanced/#auto-deploying-manifests
 - name: Ensure auto-deploying manifests are copied to the primary controller
@ -27,7 +27,7 @@
    dest: "{{ k3s_server_manifests_dir }}/{{ item | basename | replace('.j2','') }}"
    mode: 0644
  loop: "{{ k3s_server_manifests_templates }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when:
    - k3s_server_manifests_templates | length > 0
@ -37,7 +37,7 @@
    dest: "{{ k3s_server_manifests_dir }}/{{ item.filename }}"
    mode: 0644
  loop: "{{ k3s_server_manifests_urls }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when:
    - not ansible_check_mode
    - k3s_server_manifests_urls | length > 0
@ -49,7 +49,7 @@
    dest: "{{ k3s_server_pod_manifests_dir }}/{{ item | basename | replace('.j2','') }}"
    mode: 0644
  loop: "{{ k3s_server_pod_manifests_templates }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 # https://rancher.com/docs/k3s/latest/en/advanced/#auto-deploying-manifests
 - name: Ensure auto-deploying manifests are downloaded to the primary controller
@ -58,5 +58,5 @@
    dest: "{{ k3s_server_pod_manifests_dir }}/{{ item.filename }}"
    mode: 0644
  loop: "{{ k3s_server_pod_manifests_urls }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when: not ansible_check_mode
--- a/tasks/ensure_k3s_config_files.yml
+++ b/tasks/ensure_k3s_config_files.yml
@ -8,7 +8,7 @@
  when: >-
    k3s_server_config_yaml_d_files | length > 0
    or k3s_agent_config_yaml_d_files | length > 0
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 # https://github.com/k3s-io/k3s/pull/3162
 - name: Ensure configuration files are copied to controllers
@ -17,7 +17,7 @@
    dest: "{{ k3s_config_yaml_d_dir }}/{{ item | basename | replace('.j2','') }}"
    mode: 0644
  loop: "{{ k3s_server_config_yaml_d_files }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when: k3s_control_node
 # https://github.com/k3s-io/k3s/pull/3162
@ -27,5 +27,5 @@
    dest: "{{ k3s_config_yaml_d_dir }}/{{ item | basename | replace('.j2','') }}"
    mode: 0644
  loop: "{{ k3s_agent_config_yaml_d_files }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
  when: not k3s_control_node
--- a/tasks/ensure_started.yml
+++ b/tasks/ensure_started.yml
@ -6,7 +6,7 @@
    state: started
    enabled: "{{ k3s_start_on_boot }}"
  when: k3s_non_root is not defined or not k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure k3s service is started
  ansible.builtin.systemd:
@ -17,4 +17,4 @@
  when:
    - k3s_non_root is defined
    - k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/ensure_stopped.yml
+++ b/tasks/ensure_stopped.yml
@ -6,7 +6,7 @@
    state: stopped
    enabled: "{{ k3s_start_on_boot }}"
  when: k3s_non_root is not defined or not k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure k3s service is started
  ansible.builtin.systemd:
@ -17,4 +17,4 @@
  when:
    - k3s_non_root is defined
    - k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/ensure_uninstalled.yml
+++ b/tasks/ensure_uninstalled.yml
@ -16,7 +16,7 @@
  register: k3s_killall
  changed_when: k3s_killall.rc == 0
  when: check_k3s_killall_script.stat.exists
-  become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Run k3s-uninstall.sh
  ansible.builtin.command:
@ -26,7 +26,7 @@
  register: k3s_uninstall
  changed_when: k3s_uninstall.rc == 0
  when: check_k3s_uninstall_script.stat.exists
-  become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 - name: Ensure hard links are removed
  ansible.builtin.file:
@ -39,4 +39,4 @@
  when:
    - k3s_install_hard_links
    - not ansible_check_mode
-  become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/ensure_uploads.yml
+++ b/tasks/ensure_uploads.yml
@ -12,4 +12,4 @@
    # TODO: allow airgap to bypass version post-fix
    dest: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
    mode: 0755
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all)  }}"
+  become: "{{ k3s_become }}"
--- a/tasks/post_checks_nodes.yml
+++ b/tasks/post_checks_nodes.yml
@ -17,4 +17,4 @@
    - ("flannel-backend" not in k3s_runtime_config
       or k3s_runtime_config["flannel-backend"] != "none")
    - not ansible_check_mode
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/pre_checks.yml
+++ b/tasks/pre_checks.yml
@ -81,6 +81,8 @@
    - k3s_runtime_config.rootless
    - not k3s_skip_validation
 - import_tasks: ensure_pre_configuration.yml
 - import_tasks: pre_checks_control_node_count.yml
  when:
    - k3s_build_cluster is defined
--- a/tasks/pre_checks_cluster.yml
+++ b/tasks/pre_checks_cluster.yml
@ -16,4 +16,4 @@
  failed_when:
    - not k3s_check_cluster_token.stat.exists
    - not ansible_check_mode
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
--- a/tasks/state_installed.yml
+++ b/tasks/state_installed.yml
@ -1,7 +1,5 @@
 ---
 - import_tasks: ensure_pre_configuration.yml
 - import_tasks: ensure_drain_and_remove_nodes.yml
 - import_tasks: determine_systemd_context.yml
--- a/test_versions.sh
+++ b/test_versions.sh
@ -1,64 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 ANSIBLE_RELEASE_FEED="$(curl -Ssl https://api.github.com/repos/ansible/ansible/tags?per_page=50)"
 TMPDIR="$(mktemp -d /tmp/molecule.XXXXX)"
 function ansible_releases {
    local RELEASE_LIST_ALL
    RELEASE_LIST_ALL="$(echo "${ANSIBLE_RELEASE_FEED}" | grep -E "\"name\": \"v[0-9]+\.[0-9]+\.[0-9]+\"")"
    for RELEASE in ${RELEASE_LIST_ALL} ; do
        echo "${RELEASE}" | grep -v "name" | sed -E 's/"v([0-9]+\.[0-9]+\.[0-9]+)",/\1/g' || true
    done
 }
 function build_requirements {
    local TEST_REQUIREMENTS
    local REQUIREMENTS
    local ANSIBLE_VERSION
    ANSIBLE_VERSION="${1:-true}"
    if [ "${ANSIBLE_VERSION}" == "true" ] ; then
        echo "Something went wrong!"
        exit 1
    fi
    TEST_REQUIREMENTS=$(<molecule/requirements.txt)
    REQUIREMENTS=$(echo "${TEST_REQUIREMENTS}" | grep -v "requirements.txt" || true)
    if [[ "${ANSIBLE_VERSION}" =~ "^v2\.10" ]] ; then
        echo -e "ansible==${ANSIBLE_VERSION}\nansible-base==${ANSIBLE_VERSION}\n${REQUIREMENTS}"
    else
        echo -e "ansible==${ANSIBLE_VERSION}\n${REQUIREMENTS}"
    fi
 }
 function make_venv {
    local MOLECULE_RESULT
    python3 -m venv "${TMPDIR}/${1:-ansible}"
    source "${TMPDIR}/${1:-ansible}/bin/activate"
    pip3 install -r "${TMPDIR}/version_requirements.txt" || true
    MOLECULE_RESULT=$(molecule test | grep -E "CRITICAL|fatal:" || echo ":heavy_check_mark:")
    if [ "${MOLECULE_RESULT}" != ":heavy_check_mark:" ] ; then
        MOLECULE_RESULT=":x:"
    fi
    deactivate
    echo -n "${MOLECULE_RESULT}" | tee -a /tmp/molecule_tests.md
 }
 function main {
    echo "| Version   | Result             |" | tee /tmp/molecule_tests.md
    echo "| --------- | ------------------ |" | tee -a /tmp/molecule_tests.md
    for TEST_ANSIBLE in $(ansible_releases) ; do
        echo -n "| ${TEST_ANSIBLE} | " | tee -a /tmp/molecule_tests.md
        build_requirements "${TEST_ANSIBLE}" > "${TMPDIR}/version_requirements.txt"
        make_venv "${TEST_ANSIBLE}"
        echo " |" | tee -a /tmp/molecule_tests.md
    done
 }
 main