diff --git a/README.md b/README.md
index fcf0520..880e562 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,10 @@ consistency.
 | `k3s_datastore_cafile` | Define the database TLS CA file. | _NULL_ |
 | `k3s_datastore_certfile` | Define the database TLS Cert file. | _NULL_ |
 | `k3s_datastore_keyfile` | Define the database TLS Key file. | _NULL_ |
+| `k3s_become_for_all` | Enable become for all (where value for `k3s_become_for_*` is _NULL_ | `false` |
+| `k3s_become_for_systemd` | Enable become for systemd | _NULL_ |
+| `k3s_become_for_install_dir` | Enable become for writing to `k3s_install_dir` | _NULL_ |
+| `k3s_become_for_usr_local_bin` | Enable become for writing to /usr/local/bin/ | _NULL_ |
 | `k3s_dqlite_datastore` | Use DQLite as the database backend for HA. (EXPERIMENTAL) | `false` |
 | `k3s_secrets_encryption` | Use secrets encryption at rest. (EXPERIMENTAL) | `false` |
diff --git a/defaults/main.yml b/defaults/main.yml
index ad6928b..1a199b6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -98,3 +98,9 @@ k3s_default_local_storage_path: false
 # Use secret encryption at rest (EXPERIMENTAL)
 k3s_secrets_encryption: false
+
+# with become privileges for
+k3s_become_for_all: false
+k3s_become_for_systemd: null
+k3s_become_for_install_dir: null
+k3s_become_for_usr_local_bin: null
diff --git a/handlers/main.yml b/handlers/main.yml
index 70f856a..d17cfe3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -4,6 +4,7 @@
 systemd:
 daemon_reload: true
 scope: "{{ k3s_systemd_context }}"
+ become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
 - name: restart k3s
 systemd:
@@ -11,6 +12,7 @@
 state: restarted
 scope: "{{ k3s_systemd_context }}"
 enabled: true
+ become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
 - name: restart docker
 systemd:
diff --git a/tasks/build/download-k3s.yml b/tasks/build/download-k3s.yml
index 32f889a..b5c8606 100644
--- a/tasks/build/download-k3s.yml
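Review bot: The comment `# with become privileges for` added above `k3s_become_for_all` in defaults/main.yml is cut off and does not say how the three per-area switches relate to the global one, which a reader of the defaults file needs to know before setting any of them. The handlers and tasks in this same commit resolve each switch with `ternary(true, false, k3s_become_for_all)`, so a null per-area value defers to the global one and an explicit true/false wins. Suggest replacing the line with `# Privilege escalation for the role's privileged steps: each k3s_become_for_* switch overrides k3s_become_for_all when set to true/false; null defers to it.`.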
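Review bot: With the shipped defaults (`k3s_become_for_systemd: null`, `k3s_become_for_all: false`) the new `become:` on the systemd handler renders to `false`, and a task-level `become` keyword takes precedence over a play- or block-level `become: true`, so any playbook that currently escalates at play level would stop escalating for this handler after this change. The handler's `- name:` line lies above the hunk. The same applies to the second handlers hunk, to the `become:` line in tasks/build/download-k3s.yml and to each `become:` line in tasks/build/install-k3s.yml, which write unit files, `k3s_install_dir` and /usr/local/bin. Either keep the previous behaviour for existing callers by shipping `k3s_become_for_all: true`, or state the precedence explicitly in the README rows for these variables so users know the role now decides escalation per task; which of the two matches the role's intent is not visible from the diff.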
+++ b/tasks/build/download-k3s.yml
@@ -35,3 +35,4 @@
 dest: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
 checksum: "sha256:{{ k3s_hash_sum }}"
 mode: 0755
+ become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
diff --git a/tasks/build/install-k3s.yml b/tasks/build/install-k3s.yml
index 1951d31..e06bf96 100644
--- a/tasks/build/install-k3s.yml
+++ b/tasks/build/install-k3s.yml
@@ -16,6 +16,7 @@
 or (k3s_primary_control_node and k3s_controller_count | length > 1)
 notify:
 - reload systemd
+ become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
 - meta: flush_handlers
@@ -24,12 +25,14 @@
 src: k3s-killall.sh.j2
 dest: "/usr/local/bin/k3s-killall.sh"
 mode: 0700
+ become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
 - name: Ensure k3s uninstall script is present on all nodes
 template:
 src: k3s-uninstall.sh.j2
 dest: "/usr/local/bin/k3s-uninstall.sh"
 mode: 0700
+ become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
 - name: Ensure k3s is symlinked into the installation destinations
 file:
@@ -43,6 +46,7 @@
 - kubectl
 - crictl
 - ctr
+ become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
 - name: Ensure k3s control plane is started
 systemd:
@@ -52,3 +56,4 @@
 scope: "{{ k3s_systemd_context }}"
 when: (k3s_control_node and k3s_controller_count | length == 1)
 or (k3s_primary_control_node and k3s_controller_count | length > 1)
+ become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
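Review bot: Ansible's `ternary` filter selects its branch on the truthiness of the input value rather than on boolean parsing, so, as far as I can tell from the filter's implementation, a per-area switch supplied as a string (for example `-e k3s_become_for_install_dir=false` on the command line) is non-empty and selects the `true` branch, escalating where the operator asked not to. Normalising the value before the ternary avoids that while keeping null deferring to the global switch, since the `bool` filter passes null through: `become: "{{ k3s_become_for_install_dir | bool | ternary(true, false, k3s_become_for_all | bool) }}"`. The same applies to every other `become:` line in this commit (handlers/main.yml and tasks/build/install-k3s.yml). The get_url task this line belongs to starts above the hunk.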
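Review bot: The same `ternary(true, false, k3s_become_for_all)` expression is now spelled out in full on nine task and handler lines (twice in this hunk, in the hunks at lines 16, 43 and 52 of this file, in download-k3s.yml and in both handlers), which makes a later change to the precedence rule a nine-place edit and invites the lines drifting apart. Resolving each switch once, for instance in vars/main.yml or a `set_fact` at the start of the role, into three derived facts (constructed names: `k3s_become_systemd`, `k3s_become_install_dir`, `k3s_become_usr_local_bin`) and writing `become: "{{ k3s_become_usr_local_bin }}"` on the tasks keeps the decision in one place. If the expression is centralised, also note in that one place that the three-argument form of `ternary` (the null fallback) needs a minimum Ansible version the role should declare in its metadata, as I believe older releases accept only two arguments. The killall task this hunk starts with has its `- name:` and `template:` lines above the hunk.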