Add scan for running control nodes when choosing primary control node (#219)

Signed-off-by: Thomas Matysik <thomas@matysik.co.nz>

.ansible-lint

@@ -2,3 +2,4 @@
 
 skip_list:
   - role-name
+  - name[template]

.devcontainer/Dockerfile

@@ -0,0 +1,26 @@
+ARG VARIANT=focal
+FROM ubuntu:${VARIANT}
+
+COPY molecule/requirements.txt /tmp/molecule/requirements.txt
+COPY requirements.txt /tmp/requirements.txt
+
+RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y install curl git python3-dev python3-pip \
+        python3-venv shellcheck sudo unzip docker.io jq \
+    && curl -L \
+        "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+        -o /usr/bin/kubectl \
+    && chmod +x /usr/bin/kubectl \
+    && python3 -m pip install pip --upgrade \
+    && python3 -m pip install -r /tmp/molecule/requirements.txt
+
+RUN useradd -s /bin/bash -m vscode && \
+    usermod -aG docker vscode && \
+    echo 'vscode ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/vscode && \
+    echo 'source /etc/bash_completion.d/git-prompt' >> /home/vscode/.bashrc && \
+    echo 'sudo chown vscode /var/run/docker-host.sock' >> /home/vscode/.bashrc && \
+    echo 'export PS1="${PS1:0:-1}\[\033[38;5;196m\]$(__git_ps1)\[$(tput sgr0)\] "' >> /home/vscode/.bashrc
+
+RUN ln -s /var/run/docker-host.sock /var/run/docker.sock
+
+USER vscode

.devcontainer/devcontainer.json

@@ -0,0 +1,28 @@
+{
+	"name": "Ubuntu",
+	"build": {
+		"context": "..",
+		"dockerfile": "Dockerfile",
+		"args": { "VARIANT": "focal" }
+	},
+
+	"settings": {
+		"terminal.integrated.profiles.linux": {
+			"bash (login)": {
+				"path": "/bin/bash",
+				"args": ["-l"]
+			}
+		}
+	},
+
+	"extensions": [
+		"ms-azuretools.vscode-docker",
+		"redhat.vscode-yaml"
+	],
+
+	"mounts": [
+		"source=/var/run/docker.sock,target=/var/run/docker-host.sock,type=bind"
+	],
+
+	"remoteUser": "vscode"
+}

.github/workflows/ci.yml

@@ -16,32 +16,62 @@ defaults:
     working-directory: "xanmanning.k3s"
 
 jobs:
+  ansible-lint:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout codebase
+        uses: actions/checkout@v2
+        with:
+          path: "xanmanning.k3s"
+
+      - name: Set up Python 3
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.x"
+
+      - name: Install test dependencies
+        run: pip3 install -r molecule/lint-requirements.txt
+
+      - name: Run yamllint
+        run: yamllint -s .
+
+      - name: Run ansible-lint
+        run: ansible-lint --exclude molecule/ --exclude meta/
+
   molecule:
     name: Molecule
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
+      fail-fast: false
       matrix:
         include:
-          - distro: debian10
+          - distro: geerlingguy/docker-debian11-ansible:latest
             scenario: default
-          - distro: ubuntu2004
+            prebuilt: 'true'
+          - distro: geerlingguy/docker-ubuntu2204-ansible:latest
             scenario: default
-          - distro: amazonlinux2
+            prebuilt: 'true'
+          - distro: geerlingguy/docker-amazonlinux2-ansible:latest
             scenario: default
-          - distro: centos7
+            prebuilt: 'true'
+          - distro: geerlingguy/docker-ubuntu2004-ansible:latest
             scenario: default
-          - distro: ubuntu1804
-            scenario: default
-          - distro: fedora31
+            prebuilt: 'true'
+          - distro: geerlingguy/docker-fedora35-ansible:latest
             scenario: nodeploy
-          - distro: fedora29
+            prebuilt: 'true'
+          - distro: geerlingguy/docker-fedora34-ansible:latest
             scenario: highavailabilitydb
-          - distro: fedora30
+            prebuilt: 'true'
+          - distro: geerlingguy/docker-fedora33-ansible:latest
             scenario: autodeploy
-          - distro: debian9
+          - distro: xanmanning/docker-alpine-ansible:3.16
             scenario: highavailabilityetcd
-          - distro: centos8
+            prebuilt: 'false'
+          - distro: geerlingguy/docker-rockylinux9-ansible:latest
             scenario: highavailabilityetcd
+            prebuilt: 'true'
 
     steps:
       - name: Checkout codebase
@@ -59,7 +89,10 @@ jobs:
 
       - name: Run Molecule tests
         run: molecule test --scenario-name "${{ matrix.scenario }}"
+        # continue-on-error: true
         env:
           PY_COLORS: '1'
           ANSIBLE_FORCE_COLOR: '1'
           MOLECULE_DISTRO: ${{ matrix.distro }}
+          MOLECULE_PREBUILT: ${{ matrix.prebuilt }}
+          MOLECULE_DOCKER_COMMAND: ${{ matrix.command }}

CHANGELOG.md

@@ -14,6 +14,252 @@
 ---
 -->
 
+## 2023-05-17, v3.4.1
+
+### Notable changes
+
+  - fix: resolve ansible lint warnings and fix molecule tests in github actions
+
+### Contributors
+
+- [dbrennand](https://github.com/dbrennand)
+
+---
+
+## 2023-03-11, v3.4.0
+
+### Notable changes
+
+  - refactor: add `until: 1.23.15` to `secrets-encryption` from `k3s_experimental_config` as it is no longer experimental. Fixes #200.
+  - docs(fix): typo in `CONTRIBUTING.md`
+
+### Contributors
+
+- [dbrennand](https://github.com/dbrennand)
+
+---
+
+## 2022-11-15, v3.3.1
+
+### Notable changes
+
+  - fix: length indentation in registry.yaml
+
+---
+
+## 2022-09-11, v3.3.0
+
+### Notable changes
+
+  - fix: `no_log` removed from `ansible.builtin.uri` tasks
+  - feat: `k3s_skip_post_checks` option added
+
+---
+
+## 2022-06-17, v3.2.0
+
+### Notable changes
+
+  - feature: added support for alpine #182
+  - fix: `k3s_control_token` not working #187
+
+## 2022-05-02, v3.1.2
+
+### Notable changes
+
+  - fix: molecule tests
+
+---
+
+## 2022-02-18, v3.1.1
+
+### Notable changes
+
+  - fix: support nftables for debian 11
+
+### Contributors
+
+  - [eaglesemanation](https://github.com/eaglesemanation)
+
+---
+
+## 2022-01-30, v3.1.0
+
+### Notable changes
+
+  - feat: use basename of url for items in `k3s_server_manifests_urls` and
+    `k3s_server_pod_manifests_urls` if filename is not provided #177
+
+### Contributors
+
+  - [kossmac](https://github.com/kossmac)
+
+---
+
+## 2022-01-06, v3.0.1
+
+### Notable changes
+
+  - fix: adding become to pre checks packages #173
+
+### Contributors
+
+  - [xlejo](https://github.com/xlejo)
+
+---
+
+## 2022-01-02, v3.0.0
+
+### Notable changes
+
+  - feat: Flattened task filesystem
+  - feat: Moved some tasks into `vars/` as templated variables
+  - feat: Airgap installation method added #165
+
+### Breaking changes
+
+  - Minimum `python` version on targets is 3.6
+  - `k3s_become_for_all` renamed to `k3s_become`
+  - `k3s_become_for_*` removed.
+
+### Contributors
+
+  - [crutonjohn](https://github.com/crutonjohn)
+
+---
+
+## 2021-12-23, v2.12.1
+
+### Notable changes
+
+  - Fix typo in systemd unit file
+
+### Contributors
+
+  - [andrewchen5678](https://github.com/andrewchen5678)
+
+---
+
+## 2021-12-20, v2.12.0
+
+### Notable changes
+
+  - Fix RockyLinux HA etcd tests
+  - add Debian 11 test
+  - Fix Snapshotter in Molecule tests
+  - Added missing documentation for `k3s_api_url`
+  - Added option to change K3s updates API url
+  - Custom environment variables in systemd unit files
+  - Debian Bullseye support
+  - Fix HA etcd cluster startup
+  - Fix rootless for Debian
+
+### Contributors
+
+  - [janar153](https://github.com/janar153)
+
+---
+
+## 2021-10-10, v2.11.1
+
+### Notable changes
+
+ - docs: fixed references to `write-kubeconfig-mode` to set correct permissions #157
+ - fix:  Flag --delete-local-data has been deprecated #159
+
+---
+
+## 2021-09-08, v2.11.0
+
+### Notable changes
+
+ - docs: example of IPv6 configuration
+ - feat: checks for s3 backup configuration
+ - feat: implement config.yaml.d
+
+### Contributors
+
+ - [onedr0p](https://github.com/onedr0p)
+
+---
+
+## 2021-08-18, v2.10.6
+
+### Notable changes
+
+ -  Fix: Define registration address from node-ip #142
+
+---
+
+## 2021-08-14, v2.10.5
+
+### Notable changes
+
+ - Add advertised address #139
+
+### Contributors
+
+- [@abelfodil](https://github.com/abelfodil)
+
+---
+
+## 2021-07-24, v2.10.4
+
+### Notable changes
+
+- Updated systemd template to use token when joining a cluster #138
+
+---
+
+## 2021-07-21, v2.10.3
+
+### Notable changes
+
+- fix: typo #133
+- fix: restore clustering and avoid failure with jinja2_native=true #135
+- fix: do ignore etcd member count when uninstalling #136
+
+### Contributors
+
+- [@Yaro](https://github.com/Yajo)
+
+---
+
+## 2021-06-22, v2.10.2
+
+### Notable changes
+
+- Role is now tested against RockyLinux
+
+---
+
+## 2021-05-30, v2.10.1
+
+### Notable changes
+
+- Case insensitive control node lookup #126
+
+### Contributors
+
+- [@mrobinsn](https://github.com/mrobinsn)
+
+---
+
+## 2021-05-27, v2.10.0
+
+### Notable changes
+
+- Only deploy templates on primary controller #119
+- Allow control plane static pods #120
+- Add support for specifying URLs in templates #124
+
+### Contributors
+
+- [@bjw-s](https://github.com/bjw-s)
+- [@onedr0p](https://github.com/onedr0p)
+
+---
+
 ## 2021-05-14, v2.9.1
 
 <!-- Today was a better day... <3 -->
@@ -23,6 +269,8 @@
  - Documentation, remove references to deprecated configuration techniques #115
  - Bugfix: Templating issue.
 
+---
+
 ## 2021-05-13, v2.9.0
 
 <!-- a shit day... -->
@@ -35,6 +283,7 @@
 
  - [@anjia0532](https://github.com/anjia0532)
 
+---
 
 ## 2021-05-06, v2.8.5
 
@@ -46,6 +295,7 @@
 
  - [@angelnu](https://github.com/angelnu)
 
+---
 
 ## 2021-05-01, v2.8.4
 
@@ -57,6 +307,8 @@
 
  - [@anjia0532](https://github.com/anjia0532)
 
+---
+
 ## 2021-04-18, v2.8.3
 
 ### Notable changes

CONTRIBUTING.md

@@ -7,7 +7,7 @@ them requiring you to be able to write code. Below is a list of suggested
 contributions welcomed by the community:
 
   - Submit bug reports in GitHub issues
-  - Comment on bug reports with futher information or suggestions
+  - Comment on bug reports with further information or suggestions
   - Suggest new features
   - Create Pull Requests fixing bugs or adding new features
   - Update and improve documentation

README.md

@@ -1,10 +1,17 @@
-# Ansible Role: k3s (v2.x)
+# Ansible Role: k3s (v3.x)
 
 Ansible role for installing [K3S](https://k3s.io/) ("Lightweight
 Kubernetes") as either a standalone server or cluster.
 
 [![CI](https://github.com/PyratLabs/ansible-role-k3s/workflows/CI/badge.svg?event=push)](https://github.com/PyratLabs/ansible-role-k3s/actions?query=workflow%3ACI)
 
+## Help Wanted!
+
+Hi! :wave: [@xanmanning](https://github.com/xanmanning) is looking for a new
+maintainer to work on this Ansible role. This is because I don't have as much
+free time any more and I no longer write Ansible regularly as part of my day
+job. If you're interested, get in touch.
+
 ## Release notes
 
 Please see [Releases](https://github.com/PyratLabs/ansible-role-k3s/releases)
@@ -14,6 +21,7 @@ and [CHANGELOG.md](CHANGELOG.md).
 
 The host you're running Ansible from requires the following Python dependencies:
 
+  - `python >= 3.6.0` - [See Notes below](#important-note-about-python).
   - `ansible >= 2.9.16` or `ansible-base >= 2.10.4`
 
 You can install dependencies using the requirements.txt file in this repository:
@@ -21,21 +29,19 @@ You can install dependencies using the requirements.txt file in this repository:
 
 This role has been tested against the following Linux Distributions:
 
+  - Alpine Linux
   - Amazon Linux 2
   - Archlinux
   - CentOS 8
-  - CentOS 7
-  - Debian 9
-  - Debian 10
-  - Fedora 29
-  - Fedora 30
+  - Debian 11
   - Fedora 31
   - Fedora 32
+  - Fedora 33
   - openSUSE Leap 15
-  - Ubuntu 18.04 LTS
+  - RockyLinux 8
   - Ubuntu 20.04 LTS
 
-:warning: The v2 releases of this role only supports `k3s >= v1.19`, for
+:warning: The v3 releases of this role only supports `k3s >= v1.19`, for
 `k3s < v1.19` please consider updating or use the v1.x releases of this role.
 
 Before upgrading, see [CHANGELOG](CHANGELOG.md) for notifications of breaking
@@ -61,22 +67,29 @@ below.
 Below are variables that are set against all of the play hosts for environment
 consistency. These are generally cluster-level configuration.
 
-| Variable                         | Description                                                                     | Default Value                  |
-|----------------------------------|---------------------------------------------------------------------------------|--------------------------------|
-| `k3s_state`                      | State of k3s: installed, started, stopped, downloaded, uninstalled, validated.  | installed                      |
-| `k3s_release_version`            | Use a specific version of k3s, eg. `v0.2.0`. Specify `false` for stable.        | `false`                        |
-| `k3s_config_file`                | Location of the k3s configuration file.                                         | `/etc/rancher/k3s/config.yaml` |
-| `k3s_build_cluster`              | When multiple play hosts are available, attempt to cluster. Read notes below.   | `true`                         |
-| `k3s_registration_address`       | Fixed registration address for nodes. IP or FQDN.                               | NULL                           |
-| `k3s_github_url`                 | Set the GitHub URL to install k3s from.                                         | https://github.com/k3s-io/k3s  |
-| `k3s_install_dir`                | Installation directory for k3s.                                                 | `/usr/local/bin`               |
-| `k3s_install_hard_links`         | Install using hard links rather than symbolic links.                            | `false`                        |
-| `k3s_server_manifests_templates` | A list of Auto-Deploying Manifests Templates.                                   | []                             |
-| `k3s_use_experimental`           | Allow the use of experimental features in k3s.                                  | `false`                        |
-| `k3s_use_unsupported_config`     | Allow the use of unsupported configurations in k3s.                             | `false`                        |
-| `k3s_etcd_datastore`             | Enable etcd embedded datastore (read notes below).                              | `false`                        |
-| `k3s_debug`                      | Enable debug logging on the k3s service.                                        | `false`                        |
-| `k3s_registries`                 | Registries configuration file content.                                          | `{ mirrors: {}, configs:{} }`  |
+| Variable                             | Description                                                                                | Default Value                  |
+|--------------------------------------|--------------------------------------------------------------------------------------------|--------------------------------|
+| `k3s_state`                          | State of k3s: installed, started, stopped, downloaded, uninstalled, validated.             | installed                      |
+| `k3s_release_version`                | Use a specific version of k3s, eg. `v0.2.0`. Specify `false` for stable.                   | `false`                        |
+| `k3s_airgap`                         | Boolean to enable air-gapped installations                                                 | `false`                        |
+| `k3s_config_file`                    | Location of the k3s configuration file.                                                    | `/etc/rancher/k3s/config.yaml` |
+| `k3s_build_cluster`                  | When multiple play hosts are available, attempt to cluster. Read notes below.              | `true`                         |
+| `k3s_registration_address`           | Fixed registration address for nodes. IP or FQDN.                                          | NULL                           |
+| `k3s_github_url`                     | Set the GitHub URL to install k3s from.                                                    | https://github.com/k3s-io/k3s  |
+| `k3s_api_url`                        | URL for K3S updates API.                                                                   | https://update.k3s.io          |
+| `k3s_install_dir`                    | Installation directory for k3s.                                                            | `/usr/local/bin`               |
+| `k3s_install_hard_links`             | Install using hard links rather than symbolic links.                                       | `false`                        |
+| `k3s_server_config_yaml_d_files`     | A flat list of templates to supplement the `k3s_server` configuration.                     | []                             |
+| `k3s_agent_config_yaml_d_files`      | A flat list of templates to supplement the `k3s_agent` configuration.                      | []                             |
+| `k3s_server_manifests_urls`          | A list of URLs to deploy on the primary control plane. Read notes below.                   | []                             |
+| `k3s_server_manifests_templates`     | A flat list of templates to deploy on the primary control plane.                           | []                             |
+| `k3s_server_pod_manifests_urls`      | A list of URLs for installing static pod manifests on the control plane. Read notes below. | []                             |
+| `k3s_server_pod_manifests_templates` | A flat list of templates for installing static pod manifests on the control plane.         | []                             |
+| `k3s_use_experimental`               | Allow the use of experimental features in k3s.                                             | `false`                        |
+| `k3s_use_unsupported_config`         | Allow the use of unsupported configurations in k3s.                                        | `false`                        |
+| `k3s_etcd_datastore`                 | Enable etcd embedded datastore (read notes below).                                         | `false`                        |
+| `k3s_debug`                          | Enable debug logging on the k3s service.                                                   | `false`                        |
+| `k3s_registries`                     | Registries configuration file content.                                                     | `{ mirrors: {}, configs:{} }`  |
 
 ### K3S Service Configuration
 
@@ -84,17 +97,23 @@ The below variables change how and when the systemd service unit file for K3S
 is run. Use this with caution, please refer to the [systemd documentation](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#%5BUnit%5D%20Section%20Options)
 for more information.
 
-| Variable               | Description                                                    | Default Value |
-|------------------------|----------------------------------------------------------------|---------------|
-| `k3s_start_on_boot`    | Start k3s on boot.                                             | `true`        |
-| `k3s_service_requires` | List of required systemd units to k3s service unit.            | []            |
-| `k3s_service_wants`    | List of "wanted" systemd unit to k3s (weaker than "requires"). | []\*          |
-| `k3s_service_before`   | Start k3s before a defined list of systemd units.              | []            |
-| `k3s_service_after`    | Start k3s after a defined list of systemd units.               | []\*          |
+| Variable               | Description                                                          | Default Value |
+|------------------------|----------------------------------------------------------------------|---------------|
+| `k3s_start_on_boot`    | Start k3s on boot.                                                   | `true`        |
+| `k3s_service_requires` | List of required systemd units to k3s service unit.                  | []            |
+| `k3s_service_wants`    | List of "wanted" systemd unit to k3s (weaker than "requires").       | []\*          |
+| `k3s_service_before`   | Start k3s before a defined list of systemd units.                    | []            |
+| `k3s_service_after`    | Start k3s after a defined list of systemd units.                     | []\*          |
+| `k3s_service_env_vars` | Dictionary of environment variables to use within systemd unit file. | {}            |
+| `k3s_service_env_file` | Location on host of a environment file to include.                   | `false`\*\*   |
 
 \* The systemd unit template **always** specifies `network-online.target` for
 `wants` and `after`.
 
+\*\* The file must already exist on the target host, this role will not create
+nor manage the file. You can manage this file outside of the role with
+pre-tasks in your Ansible playbook.
+
 ### Group/Host Variables
 
 Below are variables that are set against individual or groups of play hosts.
@@ -119,7 +138,6 @@ The `k3s_server` dictionary variable will contain flags from the above
 ```yaml
 k3s_server:
   datastore-endpoint: postgres://postgres:verybadpass@database:5432/postgres?sslmode=disable
-  docker: true
   cluster-cidr: 172.20.0.0/16
   flannel-backend: 'none'  # This needs to be in quotes
   disable:
@@ -170,18 +188,42 @@ configuration.
 The below variables are used to change the way the role executes in Ansible,
 particularly with regards to privilege escalation.
 
-| Variable                            | Description                                                         | Default Value |
-|-------------------------------------|---------------------------------------------------------------------|---------------|
-| `k3s_skip_validation`               | Skip all tasks that validate configuration.                         | `false`       |
-| `k3s_skip_env_checks`               | Skill all tasks that check environment configuration.               | `false`       |
-| `k3s_become_for_all`                | Escalate user privileges for all tasks. Overrides all of the below. | `false`       |
-| `k3s_become_for_systemd`            | Escalate user privileges for systemd tasks.                         | NULL          |
-| `k3s_become_for_install_dir`        | Escalate user privileges for creating installation directories.     | NULL          |
-| `k3s_become_for_directory_creation` | Escalate user privileges for creating application directories.      | NULL          |
-| `k3s_become_for_usr_local_bin`      | Escalate user privileges for writing to `/usr/local/bin`.           | NULL          |
-| `k3s_become_for_package_install`    | Escalate user privileges for installing k3s.                        | NULL          |
-| `k3s_become_for_kubectl`            | Escalate user privileges for running `kubectl`.                     | NULL          |
-| `k3s_become_for_uninstall`          | Escalate user privileges for uninstalling k3s.                      | NULL          |
+| Variable               | Description                                                    | Default Value |
+|------------------------|----------------------------------------------------------------|---------------|
+| `k3s_skip_validation`  | Skip all tasks that validate configuration.                    | `false`       |
+| `k3s_skip_env_checks`  | Skip all tasks that check environment configuration.           | `false`       |
+| `k3s_skip_post_checks` | Skip all tasks that check post execution state.                | `false`       |
+| `k3s_become`           | Escalate user privileges for tasks that need root permissions. | `false`       |
+
+#### Important note about Python
+
+From v3 of this role, Python 3 is required on the target system as well as on
+the Ansible controller. This is to ensure consistent behaviour for Ansible
+tasks as Python 2 is now EOL.
+
+If target systems have both Python 2 and Python 3 installed, it is most likely
+that Python 2 will be selected by default. To ensure Python 3 is used on a
+target with both versions of Python, ensure `ansible_python_interpreter` is
+set in your inventory. Below is an example inventory:
+
+```yaml
+---
+
+k3s_cluster:
+  hosts:
+    kube-0:
+      ansible_user: ansible
+      ansible_host: 10.10.9.2
+      ansible_python_interpreter: /usr/bin/python3
+    kube-1:
+      ansible_user: ansible
+      ansible_host: 10.10.9.3
+      ansible_python_interpreter: /usr/bin/python3
+    kube-2:
+      ansible_user: ansible
+      ansible_host: 10.10.9.4
+      ansible_python_interpreter: /usr/bin/python3
+```
 
 #### Important note about `k3s_release_version`
 
@@ -295,6 +337,29 @@ ensure a majority in the event of a network partition. If you want to use 2
 members or an even number of members, please set `k3s_use_unsupported_config`
 to `true`.
 
+#### Important note about `k3s_server_manifests_urls` and `k3s_server_pod_manifests_urls`
+
+To deploy server manifests and server pod manifests from URL, you need to
+specify a `url` and optionally a `filename` (if none provided basename is used). Below is an example of how to deploy the
+Tigera operator for Calico and kube-vip.
+
+```yaml
+---
+
+k3s_server_manifests_urls:
+  - url: https://docs.projectcalico.org/archive/v3.19/manifests/tigera-operator.yaml
+    filename: tigera-operator.yaml
+
+k3s_server_pod_manifests_urls:
+  - url: https://raw.githubusercontent.com/kube-vip/kube-vip/main/example/deploy/0.1.4.yaml
+    filename: kube-vip.yaml
+
+```
+
+#### Important note about `k3s_airgap`
+
+When deploying k3s in an air gapped environment you should provide the `k3s` binary in `./files/`. The binary will not be downloaded from Github and will subsequently not be verified using the provided sha256 sum, nor able to verify the version that you are running. All risks and burdens associated are assumed by the user in this scenario.
+
 ## Dependencies
 
 No dependencies on other roles.

defaults/main.yml

@@ -12,10 +12,13 @@ k3s_state: installed
 # k3s_release_version: v1.19.3
 k3s_release_version: false
 
-# Loction of the k3s configuration file
-k3s_config_file: /etc/rancher/k3s/config.yaml
+# Location of the k3s configuration file
+k3s_config_file: "/etc/rancher/k3s/config.yaml"
 
-# When multiple ansible_play_hosts_all are present, attempt to cluster the nodes.
+# Location of the k3s configuration directory
+k3s_config_yaml_d_dir: "/etc/rancher/k3s/config.yaml.d"
+
+# When multiple ansible_play_hosts are present, attempt to cluster the nodes.
 # Using false will create multiple standalone nodes.
 # (default: true)
 k3s_build_cluster: true
@@ -23,21 +26,49 @@ k3s_build_cluster: true
 # URL for GitHub project
 k3s_github_url: https://github.com/k3s-io/k3s
 
+# URL for K3s updates API
+k3s_api_url: https://update.k3s.io
+
+# Install K3s in Air Gapped scenarios
+k3s_airgap: false
+
 # Skip all tasks that validate configuration
 k3s_skip_validation: false
 
 # Skip all tasks that check environment configuration
 k3s_skip_env_checks: false
 
+# Skip post-checks
+k3s_skip_post_checks: false
+
 # Installation directory for k3s
 k3s_install_dir: /usr/local/bin
 
 # Install using hard links rather than symbolic links
 k3s_install_hard_links: false
 
-# A list of templates used for preconfigure the cluster.
+# A list of templates used for configuring the server.
+k3s_server_config_yaml_d_files: []
+
+# A list of templates used for configuring the agent.
+k3s_agent_config_yaml_d_files: []
+
+# A list of templates used for pre-configuring the cluster.
 k3s_server_manifests_templates: []
 
+# A list of URLs used for pre-configuring the cluster.
+k3s_server_manifests_urls: []
+#  - url: https://some/url/to/manifest.yml
+#    filename: manifest.yml
+
+# A list of templates used for installing static pod manifests on the control plane.
+k3s_server_pod_manifests_templates: []
+
+# A list of URLs used for installing static pod manifests on the control plane.
+k3s_server_pod_manifests_urls: []
+#  - url: https://some/url/to/manifest.yml
+#    filename: manifest.yml
+
 # Use experimental features in k3s?
 k3s_use_experimental: false
 
@@ -66,6 +97,17 @@ k3s_service_before: []
 # Start k3s after a defined list of systemd units.
 k3s_service_after: []
 
+# Dictionary of environment variables to use within systemd unit file
+# Some examples below
+k3s_service_env_vars: {}
+#  PATH: /opt/k3s/bin
+#  GOGC: 10
+
+# Location on host of a environment file to include. This must already exist on
+# the target as this role will not populate this file.
+k3s_service_env_file: false
+
+
 ##
 # Server Configuration
 ##
@@ -88,15 +130,8 @@ k3s_agent: {}
 # Ansible Controller configuration
 ##
 
-# Use become privileges for
-k3s_become_for_all: false
-k3s_become_for_systemd: null
-k3s_become_for_install_dir: null
-k3s_become_for_directory_creation: null
-k3s_become_for_usr_local_bin: null
-k3s_become_for_package_install: null
-k3s_become_for_kubectl: null
-k3s_become_for_uninstall: null
+# Use become privileges?
+k3s_become: false
 
 # Private registry configuration.
 # Rancher k3s documentation: https://rancher.com/docs/k3s/latest/en/installation/private-registry/
@@ -119,4 +154,4 @@ k3s_registries:
 #        # path to the key file used in the registry
 #        key_file:
 #        # path to the ca file used in the registry
-#        ca_file:
+#        ca_file:

documentation/README.md

@@ -33,6 +33,7 @@ minimum configuration.
   - [Provision multiple standalone k3s nodes](configuration/multiple-standalone-k3s-nodes.md)
   - [Set node labels and component arguments](configuration/node-labels-and-component-args.md)
   - [Use an alternate CNI](configuration/use-an-alternate-cni.md)
+  - [IPv4/IPv6 Dual-Stack config](configuration/ipv4-ipv6-dual-stack.md)
   - [Start K3S after another service](configuration/systemd-config.md)
 
 ### Operations

documentation/configuration/ipv4-ipv6-dual-stack.md

@@ -0,0 +1,21 @@
+# IPv4 and IPv6 Dual-stack config
+
+If you need to run your K3S cluster with both IPv4 and IPv6 address ranges
+you will need to configure the `k3s_server.cluster-cidr` and
+`k3s_server.service-cidr` values specifying both ranges.
+
+:hand: if you are using `k3s<1.23` you will need to use a different CNI as
+dual-stack support is not available in Flannel.
+
+Below is a noddy example:
+
+```yaml
+---
+
+k3s_server:
+  # Using Calico on k3s<1.23 so Flannel needs to be disabled.
+  flannel-backend: 'none'
+  # Format: ipv4/cidr,ipv6/cidr
+  cluster-cidr: 10.42.0.0/16,fc00:a0::/64
+  service-cidr: 10.43.0.0/16,fc00:a1::/64
+```

documentation/quickstart-cluster.md

@@ -84,7 +84,7 @@ Here is our playbook for the k3s cluster (`cluster.yml`):
 - name: Build a cluster with a single control node
   hosts: k3s_cluster
   vars:
-    k3s_become_for_all: true
+    k3s_become: true
   roles:
     - role: xanmanning.k3s
 ```
@@ -118,7 +118,7 @@ workloads by running the following:
 
 :hand: Note we are using `sudo` because we need to be root to access the
 kube config for this node. This behavior can be changed with specifying
-`write-kubeconfig-mode: 0644` in `k3s_server`.
+`write-kubeconfig-mode: '0644'` in `k3s_server`.
 
 **Get Nodes**:
 

documentation/quickstart-ha-cluster.md

@@ -90,7 +90,7 @@ Here is our playbook for the k3s cluster (`ha_cluster.yml`):
 - name: Build a cluster with HA control plane
   hosts: k3s_cluster
   vars:
-    k3s_become_for_all: true
+    k3s_become: true
     k3s_etcd_datastore: true
     k3s_use_experimental: true  # Note this is required for k3s < v1.19.5+k3s1
   roles:
@@ -126,7 +126,7 @@ ready to execute our Kubernetes workloads by running the following:
 
 :hand: Note we are using `sudo` because we need to be root to access the
 kube config for this node. This behavior can be changed with specifying
-`write-kubeconfig-mode: 0644` in `k3s_server`.
+`write-kubeconfig-mode: '0644'` in `k3s_server`.
 
 **Get Nodes**:
 

documentation/quickstart-single-node.md

@@ -66,7 +66,7 @@ Here is our playbook for a single node k3s cluster (`single_node.yml`):
 - name: Build a single node k3s cluster
   hosts: kube-0
   vars:
-    k3s_become_for_all: true
+    k3s_become: true
   roles:
     - role: xanmanning.k3s
 ```
@@ -96,7 +96,7 @@ ready to execute our Kubernetes workloads by running the following:
 
 :hand: Note we are using `sudo` because we need to be root to access the
 kube config for this node. This behavior can be changed with specifying
-`write-kubeconfig-mode: 0644` in `k3s_server`.
+`write-kubeconfig-mode: '0644'` in `k3s_server`.
 
 **Get Nodes**:
 

handlers/main.yml

@@ -1,12 +1,17 @@
 ---
 
-- name: reload systemd
+- name: Reload systemd
   ansible.builtin.systemd:
     daemon_reload: true
     scope: "{{ k3s_systemd_context }}"
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 
-- name: restart k3s
+- name: Reload service
+  ansible.builtin.set_fact:
+    k3s_service_reloaded: true
+  become: "{{ k3s_become }}"
+
+- name: Restart k3s systemd
   ansible.builtin.systemd:
     name: k3s
     state: restarted
@@ -18,15 +23,17 @@
   failed_when:
     - k3s_systemd_restart_k3s is not success
     - not ansible_check_mode
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 
-- name: restart docker
-  ansible.builtin.systemd:
-    name: docker
+- name: Restart k3s service
+  ansible.builtin.service:
+    name: k3s
     state: restarted
-    enabled: true
-  register: k3s_systemd_restart_docker
+    enabled: "{{ k3s_start_on_boot }}"
+  retries: 3
+  delay: 3
+  register: k3s_service_restart_k3s
   failed_when:
-    - k3s_systemd_restart_docker is not success
+    - k3s_service_restart_k3s is not success
     - not ansible_check_mode
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"

meta/main.yml

@@ -38,6 +38,9 @@ galaxy_info:
   # platforms is a list of platforms, and each platform has a name and a list of versions.
   #
   platforms:
+    - name: Alpine
+      versions:
+        - all
     - name: Archlinux
       versions:
         - all

molecule/autodeploy/converge.yml

@@ -4,14 +4,25 @@
   become: true
   vars:
     molecule_is_test: true
-    k3s_release_version: latest
+    k3s_release_version: v1.22
     k3s_build_cluster: false
+    k3s_control_token: 55ba04e5-e17d-4535-9170-3e4245453f4d
     k3s_install_dir: /opt/k3s/bin
-    k3s_config_file: /opt/k3s/etc/k3s.yaml
+    k3s_config_file: /opt/k3s/etc/k3s_config.yaml
     k3s_server:
       data-dir: /var/lib/k3s-io
       default-local-storage-path: /var/lib/k3s-io/local-storage
+      disable:
+        - metrics-server
+        - traefik
+    # k3s_agent:
+    #   snapshotter: native
     k3s_server_manifests_templates:
       - "molecule/autodeploy/templates/00-ns-monitoring.yml.j2"
+    k3s_server_manifests_urls:
+      - url: https://raw.githubusercontent.com/metallb/metallb/v0.9.6/manifests/namespace.yaml
+        filename: 05-metallb-namespace.yml
+    k3s_service_env_vars:
+      K3S_TEST_VAR: "Hello world!"
   roles:
     - role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/autodeploy/molecule.yml

@@ -7,7 +7,6 @@ driver:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax
@@ -20,13 +19,9 @@ scenario:
     - verify
     - cleanup
     - destroy
-lint: |
-  set -e
-  yamllint -s .
-  ansible-lint --exclude molecule/
 platforms:
   - name: node1
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -35,7 +30,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node2
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -44,7 +39,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node3
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro

molecule/autodeploy/prepare.yml

@@ -3,8 +3,10 @@
   hosts: node*
   become: true
   tasks:
-    - name: Ensure apt cache is updated
+    - name: Ensure apt cache is updated and iptables is installed
       ansible.builtin.apt:
+        name: iptables
+        state: present
         update_cache: true
       when: ansible_pkg_mgr == 'apt'
 

molecule/debug/converge.yml

@@ -4,6 +4,8 @@
   become: true
   vars:
     pyratlabs_issue_controller_dump: true
+    # k3s_agent:
+    #   snapshotter: native
   pre_tasks:
     - name: Ensure k3s_debug is set
       ansible.builtin.set_fact:

molecule/debug/molecule.yml

@@ -7,7 +7,6 @@ driver:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax
@@ -20,13 +19,9 @@ scenario:
     - verify
     - cleanup
     - destroy
-lint: |
-  set -e
-  yamllint -s .
-  ansible-lint --exclude molecule/
 platforms:
   - name: node1
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -35,7 +30,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node2
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -44,7 +39,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node3
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro

molecule/debug/prepare.yml

@@ -2,7 +2,9 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Ensure apt cache is updated
+    - name: Ensure apt cache is updated and iptables is installed
       ansible.builtin.apt:
+        name: iptables
+        state: present
         update_cache: true
       when: ansible_pkg_mgr == 'apt'

molecule/default/converge.yml

@@ -8,3 +8,5 @@
         molecule_is_test: true
         k3s_install_hard_links: true
         k3s_release_version: stable
+        # k3s_agent:
+          # snapshotter: native

molecule/default/molecule.yml

@@ -7,7 +7,6 @@ driver:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax
@@ -20,13 +19,9 @@ scenario:
     - verify
     - cleanup
     - destroy
-lint: |
-  set -e
-  yamllint -s .
-  ansible-lint --exclude molecule/
 platforms:
   - name: node1
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -35,7 +30,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node2
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -44,7 +39,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node3
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro

molecule/default/prepare.yml

@@ -2,7 +2,9 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Ensure apt cache is updated
+    - name: Ensure apt cache is updated and iptables is installed
       ansible.builtin.apt:
+        name: iptables
+        state: present
         update_cache: true
       when: ansible_pkg_mgr == 'apt'

molecule/docker/converge.yml

@@ -1,13 +0,0 @@
----
-- name: Converge
-  hosts: all
-  become: true
-  vars:
-    molecule_is_test: true
-    k3s_server:
-      https-listen-port: 26443
-      cluster-domain: examplecluster.local
-    k3s_agent:
-      docker: true
-  roles:
-    - role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/docker/molecule.yml

@@ -1,60 +0,0 @@
----
-
-dependency:
-  name: galaxy
-driver:
-  name: docker
-scenario:
-  test_sequence:
-    - dependency
-    - lint
-    - cleanup
-    - destroy
-    - syntax
-    - create
-    - prepare
-    - check
-    - converge
-    - idempotence
-    - side_effect
-    - verify
-    - cleanup
-    - destroy
-lint: |
-  set -e
-  yamllint -s .
-  ansible-lint --exclude molecule/
-platforms:
-  - name: node1
-    image: "${MOLECULE_DISTRO:-geerlingguy/docker-ubuntu2004-ansible:latest}"
-    command: ${MOLECULE_DOCKER_COMMAND:-""}
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    privileged: true
-    pre_build_image: ${MOLECULE_PREBUILT:-true}
-    networks:
-      - name: k3snet
-  - name: node2
-    image: "${MOLECULE_DISTRO:-geerlingguy/docker-ubuntu2004-ansible:latest}"
-    command: ${MOLECULE_DOCKER_COMMAND:-""}
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    privileged: true
-    pre_build_image: ${MOLECULE_PREBUILT:-true}
-    networks:
-      - name: k3snet
-  - name: node3
-    image: "${MOLECULE_DISTRO:-geerlingguy/docker-ubuntu2004-ansible:latest}"
-    command: ${MOLECULE_DOCKER_COMMAND:-""}
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    privileged: true
-    pre_build_image: ${MOLECULE_PREBUILT:-true}
-    networks:
-      - name: k3snet
-provisioner:
-  name: ansible
-  options:
-    verbose: true
-verifier:
-  name: ansible

molecule/docker/prepare.yml

@@ -1,8 +0,0 @@
----
-- name: Prepare
-  hosts: all
-  tasks:
-    - name: Ensure apt cache is updated
-      ansible.builtin.apt:
-        update_cache: true
-      when: ansible_pkg_mgr == 'apt'

molecule/highavailabilitydb/converge.yml

@@ -6,8 +6,12 @@
   vars:
     molecule_is_test: true
     k3s_registration_address: loadbalancer
+    k3s_control_token: 55ba04e5-e17d-4535-9170-3e4245453f4d
     k3s_server:
       datastore-endpoint: "postgres://postgres:verybadpass@database:5432/postgres?sslmode=disable"
+    # k3s_agent:
+    #   snapshotter: native
+    k3s_service_env_file: /tmp/k3s.env
   pre_tasks:
     - name: Set each node to be a control node
       ansible.builtin.set_fact:

molecule/highavailabilitydb/molecule.yml

@@ -7,7 +7,6 @@ driver:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax
@@ -20,13 +19,9 @@ scenario:
     - verify
     - cleanup
     - destroy
-lint: |
-  set -e
-  yamllint -s .
-  ansible-lint --exclude molecule/
 platforms:
   - name: node1
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -35,7 +30,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node2
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -44,7 +39,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node3
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -61,7 +56,7 @@ platforms:
     networks:
       - name: k3snet
   - name: loadbalancer
-    image: geerlingguy/docker-centos8-ansible:latest
+    image: geerlingguy/docker-rockylinux8-ansible:latest
     pre_build_image: true
     ports:
       - "6443:6443"

molecule/highavailabilitydb/prepare.yml

@@ -33,7 +33,16 @@
 - name: Prepare nodes
   hosts: node*
   tasks:
-    - name: Ensure apt cache is updated
+    - name: Ensure apt cache is updated and iptables is installed
       ansible.builtin.apt:
+        name: iptables
+        state: present
         update_cache: true
       when: ansible_pkg_mgr == 'apt'
+
+    - name: Ensure environment file exists for k3s_service_env_file
+      ansible.builtin.lineinfile:
+        path: /tmp/k3s.env
+        line: "THISHOST={{ ansible_hostname }}"
+        mode: 0644
+        create: true

molecule/highavailabilityetcd/converge.yml

@@ -5,10 +5,17 @@
   become: true
   vars:
     molecule_is_test: true
+    k3s_release_version: "v1.21"
     k3s_use_experimental: true
     k3s_etcd_datastore: true
     k3s_server:
       secrets-encryption: true
+    k3s_agent:
+      node-ip: "{{ ansible_default_ipv4.address }}"
+      snapshotter: native
+      selinux: "{{ ansible_os_family | lower == 'redhat' }}"
+    k3s_skip_validation: "{{ k3s_service_handler[ansible_service_mgr] == 'service' }}"
+    # k3s_skip_post_checks: "{{ ansible_os_family | lower == 'redhat' }}"
   pre_tasks:
     - name: Set each node to be a control node
       ansible.builtin.set_fact:

molecule/highavailabilityetcd/molecule.yml

@@ -7,7 +7,6 @@ driver:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax
@@ -20,13 +19,9 @@ scenario:
     - verify
     - cleanup
     - destroy
-lint: |
-  set -e
-  yamllint -s .
-  ansible-lint --exclude molecule/
 platforms:
   - name: node1
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -35,7 +30,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node2
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -44,7 +39,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node3
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -53,7 +48,7 @@ platforms:
     networks:
       - name: k3snet
   - name: loadbalancer
-    image: geerlingguy/docker-centos8-ansible:latest
+    image: geerlingguy/docker-rockylinux8-ansible:latest
     pre_build_image: true
     ports:
       - "6443:6443"

molecule/highavailabilityetcd/prepare.yml

@@ -1,12 +1,23 @@
 ---
-- name: Prepare Load Balancer
-  hosts: loadbalancer
+
+- name: Prepare all nodes
+  hosts: all
   tasks:
     - name: Ensure apt cache is updated
       ansible.builtin.apt:
         update_cache: true
       when: ansible_pkg_mgr == 'apt'
 
+    - name: Ensure sudo is installed
+      community.general.apk:
+        name: sudo
+        state: present
+        update_cache: true
+      when: ansible_pkg_mgr == 'apk'
+
+- name: Prepare Load Balancer
+  hosts: loadbalancer
+  tasks:
     - name: Ensure HAProxy is installed
       ansible.builtin.package:
         name: haproxy
@@ -33,7 +44,16 @@
 - name: Prepare nodes
   hosts: node*
   tasks:
-    - name: Ensure apt cache is updated
+    - name: Ensure apt cache is updated and iptables is installed
       ansible.builtin.apt:
+        name: iptables
+        state: present
         update_cache: true
       when: ansible_pkg_mgr == 'apt'
+
+    - name: Ensure iproute is installed
+      ansible.builtin.dnf:
+        name: iproute
+        state: present
+        update_cache: true
+      when: ansible_pkg_mgr == 'dnf'

molecule/lint-requirements.txt

@@ -0,0 +1,4 @@
+-r ../requirements.txt
+
+yamllint>=1.25.0
+ansible-lint>=4.3.5

molecule/nodeploy/.gitignore

@@ -0,0 +1 @@
+files/*

molecule/nodeploy/converge.yml

@@ -6,5 +6,7 @@
     molecule_is_test: true
     k3s_server: "{{ lookup('file', 'k3s_server.yml') | from_yaml }}"
     k3s_agent: "{{ lookup('file', 'k3s_agent.yml') | from_yaml }}"
+    k3s_airgap: true
+    k3s_release_version: latest
   roles:
     - role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

molecule/nodeploy/k3s_agent.yml

@@ -6,3 +6,4 @@ node-label:
 kubelet-arg:
   - "cloud-provider=external"
   - "provider-id=azure"
+# snapshotter: native

molecule/nodeploy/molecule.yml

@@ -7,7 +7,6 @@ driver:
 scenario:
   test_sequence:
     - dependency
-    - lint
     - cleanup
     - destroy
     - syntax
@@ -20,13 +19,9 @@ scenario:
     - verify
     - cleanup
     - destroy
-lint: |
-  set -e
-  yamllint -s .
-  ansible-lint --exclude molecule/
 platforms:
   - name: node1
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -35,7 +30,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node2
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
@@ -44,7 +39,7 @@ platforms:
     networks:
       - name: k3snet
   - name: node3
-    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos8}-ansible:latest"
+    image: ${MOLECULE_DISTRO:-"geerlingguy/docker-rockylinux8-ansible:latest"}
     command: ${MOLECULE_DOCKER_COMMAND:-""}
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro

molecule/nodeploy/prepare.yml

@@ -2,7 +2,26 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Ensure apt cache is updated
+    - name: Ensure apt cache is updated and iptables is installed
       ansible.builtin.apt:
+        name: iptables
+        state: present
         update_cache: true
       when: ansible_pkg_mgr == 'apt'
+
+    - name: Prepare air-gapped installation
+      delegate_to: localhost
+      run_once: true
+      block:
+
+        - name: Ensure files directory exists
+          ansible.builtin.file:
+            path: ./files
+            state: directory
+            mode: 0750
+
+        - name: Ensure k3s is downloaded for air-gap installation
+          ansible.builtin.get_url:
+            url: https://github.com/k3s-io/k3s/releases/download/v1.22.5%2Bk3s1/k3s
+            dest: ./files/k3s
+            mode: 0755

molecule/requirements.txt

@@ -1,6 +1,4 @@
 -r ../requirements.txt
 
-molecule[docker]>=3.2
+molecule-plugins[docker]
 docker>=4.3.1
-yamllint>=1.25.0
-ansible-lint>=4.3.5

requirements.txt

@@ -1 +1 @@
-ansible>=2.9.16,!=2.10.0,!=2.10.1,!=2.10.2,!=2.10.3
+ansible>=2.10.7

tasks/build/configure-k3s-cluster.yml

@@ -1,86 +0,0 @@
----
-
-- name: "Ensure cluster token is captured from {{ k3s_control_delegate }}"
-  ansible.builtin.slurp:
-    path: "{{ k3s_runtime_config['data-dir'] | default(k3s_data_dir) }}/server/token"
-  register: k3s_slurped_cluster_token
-  delegate_to: "{{ k3s_control_delegate }}"
-  when:
-    - k3s_control_token is not defined
-    - not ansible_check_mode
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure cluster token is formatted correctly for use in templates
-  ansible.builtin.set_fact:
-    k3s_control_token: "{{ k3s_slurped_cluster_token.content | b64decode }}"
-  when: k3s_control_token is not defined and not ansible_check_mode
-
-- name: Ensure dummy cluster token is defined for ansible_check_mode
-  ansible.builtin.set_fact:
-    k3s_control_token: "{{ k3s_control_delegate | to_uuid }}"
-  check_mode: false
-  when: k3s_control_token is not defined and ansible_check_mode
-
-- name: Ensure the cluster token file location exists
-  ansible.builtin.file:
-    path: "{{ k3s_token_location | dirname }}"
-    state: directory
-    mode: 0755
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure k3s cluster token file is present on workers and secondary control nodes
-  ansible.builtin.template:
-    src: cluster-token.j2
-    dest: "{{ k3s_token_location }}"
-    mode: 0600
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
-  when: (k3s_control_node and not k3s_primary_control_node)
-        or not k3s_control_node
-  notify:
-    - restart k3s
-
-- name: Ensure k3s service unit file is present
-  ansible.builtin.template:
-    src: k3s.service.j2
-    dest: "{{ k3s_systemd_unit_dir }}/k3s.service"
-    mode: 0644
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
-  notify:
-    - reload systemd
-    - restart k3s
-
-- name: Ensure k3s config file exists
-  ansible.builtin.template:
-    src: config.yaml.j2
-    dest: "{{ k3s_config_file }}"
-    mode: 0644
-  notify:
-    - reload systemd
-    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure secondary controllers are started
-  ansible.builtin.systemd:
-    name: k3s
-    state: started
-    enabled: "{{ k3s_start_on_boot }}"
-  register: ensure_secondary_controllers_started
-  failed_when:
-    - ensure_secondary_controllers_started is not succeeded
-    - not ansible_check_mode
-  until: ensure_secondary_controllers_started is succeeded
-  retries: "{{ ansible_play_hosts_all | length }}"
-  delay: 5
-  when:
-    - k3s_control_node
-    - not k3s_primary_control_node
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
-
-- import_tasks: ../validate/state/control-plane.yml
-  when: not k3s_skip_validation
-
-- name: Flush Handlers
-  meta: flush_handlers
-
-- import_tasks: ../validate/state/nodes.yml
-  when: not k3s_skip_validation

tasks/build/docker/amazon/install.yml

@@ -1,13 +0,0 @@
----
-
-- name: Ensure docker is installed using amazon-linux-extras
-  ansible.builtin.command:
-    cmd: amazon-linux-extras install docker
-  args:
-    creates: /etc/docker
-  notify:
-    - restart docker
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Flush Handlers
-  meta: flush_handlers

tasks/build/docker/archlinux/install-prerequisites.yml

@@ -1 +0,0 @@
----

tasks/build/docker/archlinux/install.yml

@@ -1,16 +0,0 @@
----
-
-- name: Ensure docker is installed using Pacman
-  community.general.pacman:
-    name: docker
-    state: present
-  register: ensure_docker_prerequisites_installed
-  until: ensure_docker_prerequisites_installed is succeeded
-  retries: 3
-  delay: 10
-  notify:
-    - restart docker
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Flush Handlers
-  meta: flush_handlers

tasks/build/docker/debian/install-prerequisites.yml

@@ -1,29 +0,0 @@
----
-
-- name: Ensure Docker prerequisites are installed
-  ansible.builtin.apt:
-    name:
-      - apt-transport-https
-      - ca-certificates
-      - curl
-      - "{{ 'gnupg2' if ansible_distribution == 'Debian' else 'gnupg-agent' }}"
-      - software-properties-common
-    state: present
-  register: ensure_docker_prerequisites_installed
-  until: ensure_docker_prerequisites_installed is succeeded
-  retries: 3
-  delay: 10
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure Docker APT key is present
-  ansible.builtin.apt_key:
-    url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
-    state: present
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure Docker repository is installed and configured
-  ansible.builtin.apt_repository:
-    filename: docker-ce
-    repo: "deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
-    update_cache: true
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"

tasks/build/docker/install.yml

@@ -1,16 +0,0 @@
----
-
-- name: Ensure docker is installed
-  ansible.builtin.package:
-    name:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
-    state: present
-  register: ensure_docker_installed
-  until: ensure_docker_installed is succeeded
-  retries: 3
-  delay: 10
-  notify:
-    - restart docker
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"

tasks/build/docker/opensuse-leap/install.yml

@@ -1,16 +0,0 @@
----
-
-- name: Ensure docker is installed using Zypper
-  community.general.zypper:
-    name: docker
-    state: present
-  register: ensure_docker_prerequisites_installed
-  until: ensure_docker_prerequisites_installed is succeeded
-  retries: 3
-  delay: 10
-  notify:
-    - restart docker
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Flush Handlers
-  meta: flush_handlers

tasks/build/docker/redhat/install-prerequisites.yml

@@ -1,56 +0,0 @@
----
-
-- name: Ensure python-dnf is installed
-  ansible.builtin.package:
-    name: "{{ 'python-dnf' if ansible_python_version is version_compare('3.0.0', '<') else 'python3-dnf' }}"
-    state: present
-  register: ensure_python_dnf_installed
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-  until: ensure_python_dnf_installed is succeeded
-  retries: 3
-  delay: 10
-  when: ansible_pkg_mgr == 'dnf'
-
-- name: Ensure Docker prerequisites are installed
-  ansible.builtin.yum:
-    name:
-      - yum-utils
-      - device-mapper-persistent-data
-      - lvm2
-    state: present
-  register: ensure_docker_prerequisites_installed
-  until: ensure_docker_prerequisites_installed is succeeded
-  retries: 3
-  delay: 10
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Check to see if Docker repository is available for this distribution
-  ansible.builtin.uri:
-    url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/{{ ansible_distribution_major_version }}"
-  register: k3s_redhat_repo_check
-  failed_when: false
-  changed_when: false
-
-- name: Ensure Docker repository is installed and configured
-  ansible.builtin.yum_repository:
-    name: docker-ce
-    description: Docker CE Repository
-    baseurl: https://download.docker.com/linux/{{ ansible_distribution | lower }}/{{ ansible_distribution_major_version }}/$basearch/stable
-    gpgkey: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
-    enabled: true
-    gpgcheck: true
-    state: present
-  when:
-    - ansible_distribution | lower not in ['amazon']
-    - k3s_redhat_repo_check.status == 200
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure Docker repository is installed and configured from file
-  ansible.builtin.command:
-    cmd: yum-config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
-  args:
-    creates: /etc/yum.repos.d/docker-ce.repo
-  when:
-    - ansible_distribution | lower not in ['amazon']
-    - k3s_redhat_repo_check.status != 200
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"

tasks/build/docker/suse/install-prerequisites.yml

@@ -1 +0,0 @@
----

tasks/build/docker/suse/install.yml

@@ -1,16 +0,0 @@
----
-
-- name: Ensure docker is installed using Zypper
-  community.general.zypper:
-    name: docker
-    state: present
-  register: ensure_docker_prerequisites_installed
-  until: ensure_docker_prerequisites_installed is succeeded
-  retries: 3
-  delay: 10
-  notify:
-    - restart docker
-  become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Flush Handlers
-  meta: flush_handlers

tasks/build/install-k3s-node.yml

@@ -1,58 +0,0 @@
----
-
-- name: Ensure k3s is linked into the installation destination
-  ansible.builtin.file:
-    src: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
-    dest: "{{ k3s_install_dir }}/{{ item }}"
-    state: "{{ 'hard' if k3s_install_hard_links else 'link' }}"
-    force: "{{ k3s_install_hard_links }}"
-    mode: 0755
-  loop:
-    - k3s
-    - kubectl
-    - crictl
-    - ctr
-  when: not ansible_check_mode
-  notify:
-    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure k3s config file exists
-  ansible.builtin.template:
-    src: config.yaml.j2
-    dest: "{{ k3s_config_file }}"
-    mode: 0644
-  notify:
-    - reload systemd
-    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure k3s service unit file is present
-  ansible.builtin.template:
-    src: k3s.service.j2
-    dest: "{{ k3s_systemd_unit_dir }}/k3s.service"
-    mode: 0644
-  notify:
-    - reload systemd
-    - restart k3s
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Ensure k3s killall script is present
-  ansible.builtin.template:
-    src: k3s-killall.sh.j2
-    dest: "/usr/local/bin/k3s-killall.sh"
-    mode: 0700
-  become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
-  when:
-    - k3s_runtime_config is defined
-    - ("rootless" not in k3s_runtime_config or not k3s_runtime_config.rootless)
-
-- name: Ensure k3s uninstall script is present
-  ansible.builtin.template:
-    src: k3s-uninstall.sh.j2
-    dest: "/usr/local/bin/k3s-uninstall.sh"
-    mode: 0700
-  become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
-  when:
-    - k3s_runtime_config is defined
-    - ("rootless" not in k3s_runtime_config or not k3s_runtime_config.rootless)

tasks/build/install-k3s.yml

@@ -1,32 +0,0 @@
----
-
-- include_tasks: install-k3s-directories.yml
-  loop: "{{ k3s_ensure_directories_exist }}"
-  loop_control:
-    loop_var: directory
-
-- include_tasks: install-k3s-node.yml
-  when:
-    - ((k3s_control_node and k3s_controller_list | length == 1)
-        or (k3s_primary_control_node and k3s_controller_list | length > 1))
-    - not ansible_check_mode
-
-- name: Flush Handlers
-  meta: flush_handlers
-
-- include_tasks: install-k3s-node.yml
-  when: k3s_build_cluster
-
-- name: Ensure k3s initial control plane server is started
-  ansible.builtin.systemd:
-    name: k3s
-    state: started
-    enabled: "{{ k3s_start_on_boot }}"
-    scope: "{{ k3s_systemd_context }}"
-  register: k3s_systemd_start_k3s
-  failed_when:
-    - k3s_systemd_start_k3s is not succeeded
-    - not ansible_check_mode
-  when: (k3s_control_node and k3s_controller_list | length == 1)
-        or (k3s_primary_control_node and k3s_controller_list | length > 1)
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"

tasks/build/preconfigure-k3s-auto-deploying-manifests.yml

@@ -1,18 +0,0 @@
----
-
-- name: Ensure that the manifests directory exists
-  ansible.builtin.file:
-    state: directory
-    path: "{{ k3s_server_manifests_dir }}"
-    mode: 0755
-  when: k3s_server_manifests_templates | length > 0
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
-
-# https://rancher.com/docs/k3s/latest/en/advanced/#auto-deploying-manifests
-- name: Ensure auto-deploying manifests are copied to controllers
-  ansible.builtin.template:
-    src: "{{ item }}"
-    dest: "{{ k3s_server_manifests_dir }}/{{ item | basename | replace('.j2','') }}"
-    mode: 0644
-  loop: "{{ k3s_server_manifests_templates }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"

tasks/ensure_cluster.yml

@@ -0,0 +1,108 @@
+---
+
+- name: "Ensure cluster token is captured from {{ k3s_control_delegate }}"
+  ansible.builtin.slurp:
+    path: "{{ k3s_runtime_config['data-dir'] | default(k3s_data_dir) }}/server/token"
+  register: k3s_slurped_cluster_token
+  delegate_to: "{{ k3s_control_delegate }}"
+  when:
+    - k3s_control_token is not defined
+    - not ansible_check_mode
+  become: "{{ k3s_become }}"
+
+- name: Ensure cluster token is formatted correctly for use in templates
+  ansible.builtin.set_fact:
+    k3s_control_token_content: "{{ k3s_control_token | default(k3s_slurped_cluster_token.content | b64decode) }}"
+  when:
+    - k3s_control_token is not defined
+    - not ansible_check_mode
+
+- name: Ensure dummy cluster token is defined for ansible_check_mode
+  ansible.builtin.set_fact:
+    k3s_control_token_content: "{{ k3s_control_delegate | to_uuid }}"
+  check_mode: false
+  when:
+    - ansible_check_mode
+
+- name: Ensure the cluster token file location exists
+  ansible.builtin.file:
+    path: "{{ k3s_token_location | dirname }}"
+    state: directory
+    mode: 0755
+  become: "{{ k3s_become }}"
+
+- name: Ensure k3s cluster token file is present
+  ansible.builtin.template:
+    src: cluster-token.j2
+    dest: "{{ k3s_token_location }}"
+    mode: 0600
+  become: "{{ k3s_become }}"
+  notify:
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+
+- name: Ensure k3s service unit file is present
+  ansible.builtin.template:
+    src: k3s.service.j2
+    dest: "{{ k3s_systemd_unit_dir }}/k3s.service"
+    mode: 0644
+  become: "{{ k3s_become }}"
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'systemd'
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+
+- name: Ensure k3s service file is present
+  ansible.builtin.template:
+    src: k3s.openrc.j2
+    dest: "{{ k3s_openrc_service_dir }}/k3s"
+    mode: 0744
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'service'
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure k3s logrotate file is present
+  ansible.builtin.template:
+    src: k3s.logrotate.j2
+    dest: "{{ k3s_logrotate_dir }}/k3s"
+    mode: 0640
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'service'
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure k3s config file exists
+  ansible.builtin.template:
+    src: config.yaml.j2
+    dest: "{{ k3s_config_file }}"
+    mode: 0644
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure secondary controllers are started
+  ansible.builtin.include_tasks: ensure_control_plane_started_{{ ansible_service_mgr }}.yml
+  when:
+    - k3s_control_node
+    - not k3s_primary_control_node
+
+- name: Run control plane post checks
+  ansible.builtin.import_tasks: post_checks_control_plane.yml
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_post_checks
+
+- name: Flush Handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Run node post checks
+  ansible.builtin.import_tasks: post_checks_nodes.yml
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_post_checks

tasks/ensure_containerd_registries.yml

@@ -6,6 +6,6 @@
     dest: "{{ k3s_config_dir }}/registries.yaml"
     mode: 0600
   notify:
-    - reload systemd
-    - restart k3s
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"

tasks/ensure_control_plane_started_openrc.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Ensure k3s control plane server is started
+  ansible.builtin.service:
+    name: k3s
+    state: started
+    enabled: "{{ k3s_start_on_boot }}"
+  register: k3s_service_start_k3s
+  until: k3s_service_start_k3s is succeeded
+  retries: 3
+  delay: 3
+  failed_when:
+    - k3s_service_start_k3s is not succeeded
+    - not ansible_check_mode
+  become: "{{ k3s_become }}"

tasks/ensure_control_plane_started_systemd.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Ensure k3s control plane server is started
+  ansible.builtin.systemd:
+    name: k3s
+    state: started
+    enabled: "{{ k3s_start_on_boot }}"
+    scope: "{{ k3s_systemd_context }}"
+  register: k3s_systemd_start_k3s
+  until: k3s_systemd_start_k3s is succeeded
+  retries: 3
+  delay: 3
+  failed_when:
+    - k3s_systemd_start_k3s is not succeeded
+    - not ansible_check_mode
+  become: "{{ k3s_become }}"

tasks/ensure_directories.yml

@@ -5,7 +5,7 @@
     path: "{{ directory.path }}"
     state: directory
     mode: "{{ directory.mode | default(755) }}"
-  become: "{{ k3s_become_for_directory_creation | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
   when:
     - directory.path is defined
     - directory.path | length > 0

tasks/ensure_downloads.yml

@@ -48,4 +48,4 @@
     dest: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
     checksum: "sha256:{{ k3s_hash_sum }}"
     mode: 0755
-  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all)  }}"
+  become: "{{ k3s_become }}"

tasks/ensure_drain_and_remove_nodes.yml

@@ -4,11 +4,15 @@
   ansible.builtin.stat:
     path: "{{ k3s_install_dir }}/kubectl"
   register: k3s_check_kubectl
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 
 - name: Clean up nodes that are in an uninstalled state
+  when:
+    - k3s_check_kubectl.stat.exists is defined
+    - k3s_check_kubectl.stat.exists
+    - k3s_control_delegate is defined
+    - not ansible_check_mode
   block:
-
     - name: Gather a list of nodes
       ansible.builtin.command:
         cmd: "{{ k3s_install_dir }}/kubectl get nodes"
@@ -17,40 +21,34 @@
       delegate_to: "{{ k3s_control_delegate }}"
       run_once: true
       register: kubectl_get_nodes_result
-      become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+      become: "{{ k3s_become }}"
 
-    - name: Ensure uninstalled nodes are drained
+    - name: Ensure uninstalled nodes are drained # noqa no-changed-when
       ansible.builtin.command:
         cmd: >-
-          {{ k3s_install_dir }}/kubectl drain {{ item }}
+          {{ k3s_install_dir }}/kubectl drain {{ hostvars[item].ansible_hostname }}
             --ignore-daemonsets
-            --delete-local-data
+            --{{ k3s_drain_command[ansible_version.string is version_compare('1.22', '>=')] }}
             --force
       delegate_to: "{{ k3s_control_delegate }}"
       run_once: true
       when:
         - kubectl_get_nodes_result.stdout is defined
-        - item in kubectl_get_nodes_result.stdout
+        - hostvars[item].ansible_hostname in kubectl_get_nodes_result.stdout
         - hostvars[item].k3s_state is defined
         - hostvars[item].k3s_state == 'uninstalled'
-      loop: "{{ ansible_play_hosts_all }}"
-      become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+      loop: "{{ ansible_play_hosts }}"
+      become: "{{ k3s_become }}"
 
-    - name: Ensure uninstalled nodes are removed
+    - name: Ensure uninstalled nodes are removed # noqa no-changed-when
       ansible.builtin.command:
-        cmd: "{{ k3s_install_dir }}/kubectl delete node {{ item }}"
+        cmd: "{{ k3s_install_dir }}/kubectl delete node {{ hostvars[item].ansible_hostname }}"
       delegate_to: "{{ k3s_control_delegate }}"
       run_once: true
       when:
         - kubectl_get_nodes_result.stdout is defined
-        - item in kubectl_get_nodes_result.stdout
+        - hostvars[item].ansible_hostname in kubectl_get_nodes_result.stdout
         - hostvars[item].k3s_state is defined
         - hostvars[item].k3s_state == 'uninstalled'
-      loop: "{{ ansible_play_hosts_all }}"
-      become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
-
-  when:
-    - k3s_check_kubectl.stat.exists is defined
-    - k3s_check_kubectl.stat.exists
-    - k3s_control_delegate is defined
-    - not ansible_check_mode
+      loop: "{{ ansible_play_hosts }}"
+      become: "{{ k3s_become }}"

tasks/ensure_installed.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Ensure directories exist
+  ansible.builtin.include_tasks: ensure_directories.yml
+  loop: "{{ k3s_ensure_directories_exist }}"
+  loop_control:
+    loop_var: directory
+
+- name: Ensure installed node
+  ansible.builtin.include_tasks: ensure_installed_node.yml
+  when:
+    - ((k3s_control_node and k3s_controller_list | length == 1)
+        or (k3s_primary_control_node and k3s_controller_list | length > 1))
+    - not ansible_check_mode
+
+- name: Flush Handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Ensure installed node | k3s_build_cluster
+  ansible.builtin.include_tasks: ensure_installed_node.yml
+  when: k3s_build_cluster
+
+- name: Determine if the systems are already clustered
+  ansible.builtin.stat:
+    path: "{{ k3s_token_location }}"
+  register: k3s_token_cluster_check
+
+- name: Ensure control plane started with {{ ansible_service_mgr }}
+  ansible.builtin.include_tasks: ensure_control_plane_started_{{ ansible_service_mgr }}.yml
+  when: (k3s_control_node and k3s_controller_list | length == 1)
+        or (k3s_primary_control_node and k3s_controller_list | length > 1)
+        or k3s_token_cluster_check.stat.exists

tasks/ensure_installed_node.yml

@@ -0,0 +1,103 @@
+---
+
+- name: Ensure k3s is linked into the installation destination
+  ansible.builtin.file:
+    src: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
+    dest: "{{ k3s_install_dir }}/{{ item }}"
+    state: "{{ 'hard' if k3s_install_hard_links else 'link' }}"
+    force: "{{ k3s_install_hard_links }}"
+    mode: 0755
+  loop:
+    - k3s
+    - kubectl
+    - crictl
+    - ctr
+  when: not ansible_check_mode
+  notify:
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure k3s config file exists
+  ansible.builtin.template:
+    src: config.yaml.j2
+    dest: "{{ k3s_config_file }}"
+    mode: 0644
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure cluster token is present when pre-defined
+  when: k3s_control_token is defined
+  block:
+    - name: Ensure the cluster token file location exists
+      ansible.builtin.file:
+        path: "{{ k3s_token_location | dirname }}"
+        state: directory
+        mode: 0755
+      become: "{{ k3s_become }}"
+
+    - name: Ensure k3s cluster token file is present
+      ansible.builtin.template:
+        src: cluster-token.j2
+        dest: "{{ k3s_token_location }}"
+        mode: 0600
+      become: "{{ k3s_become }}"
+      notify:
+        - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+
+- name: Ensure k3s service unit file is present
+  ansible.builtin.template:
+    src: k3s.service.j2
+    dest: "{{ k3s_systemd_unit_dir }}/k3s.service"
+    mode: 0644
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'systemd'
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure k3s service file is present
+  ansible.builtin.template:
+    src: k3s.openrc.j2
+    dest: "{{ k3s_openrc_service_dir }}/k3s"
+    mode: 0744
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'service'
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure k3s logrotate file is present
+  ansible.builtin.template:
+    src: k3s.logrotate.j2
+    dest: "{{ k3s_logrotate_dir }}/k3s"
+    mode: 0640
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'service'
+  notify:
+    - "Reload {{ k3s_service_handler[ansible_service_mgr] }}"
+    - "Restart k3s {{ k3s_service_handler[ansible_service_mgr] }}"
+  become: "{{ k3s_become }}"
+
+- name: Ensure k3s killall script is present
+  ansible.builtin.template:
+    src: k3s-killall.sh.j2
+    dest: "/usr/local/bin/k3s-killall.sh"
+    mode: 0700
+  become: "{{ k3s_become }}"
+  when:
+    - k3s_runtime_config is defined
+    - ("rootless" not in k3s_runtime_config or not k3s_runtime_config.rootless)
+
+- name: Ensure k3s uninstall script is present
+  ansible.builtin.template:
+    src: k3s-uninstall.sh.j2
+    dest: "/usr/local/bin/k3s-uninstall.sh"
+    mode: 0700
+  become: "{{ k3s_become }}"
+  when:
+    - k3s_runtime_config is defined
+    - ("rootless" not in k3s_runtime_config or not k3s_runtime_config.rootless)

tasks/ensure_k3s_auto_deploy.yml

@@ -0,0 +1,70 @@
+---
+
+- name: Ensure that the manifests directory exists
+  ansible.builtin.file:
+    state: directory
+    path: "{{ k3s_server_manifests_dir }}"
+    mode: 0755
+  when: >-
+    k3s_primary_control_node and
+    (k3s_server_manifests_templates | length > 0
+    or k3s_server_manifests_urls | length > 0)
+  become: "{{ k3s_become }}"
+
+- name: Ensure that the pod-manifests directory exists
+  ansible.builtin.file:
+    state: directory
+    path: "{{ k3s_server_pod_manifests_dir }}"
+    mode: 0755
+  when: >-
+    k3s_control_node and
+    (k3s_server_pod_manifests_templates | length > 0
+    or k3s_server_pod_manifests_urls | length > 0)
+  become: "{{ k3s_become }}"
+
+# https://rancher.com/docs/k3s/latest/en/advanced/#auto-deploying-manifests
+- name: Ensure auto-deploying manifests are copied to the primary controller
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "{{ k3s_server_manifests_dir }}/{{ item | basename | replace('.j2', '') }}"
+    mode: 0644
+  loop: "{{ k3s_server_manifests_templates }}"
+  become: "{{ k3s_become }}"
+  when:
+    - k3s_primary_control_node
+    - k3s_server_manifests_templates | length > 0
+
+- name: Ensure auto-deploying manifests are downloaded to the primary controller
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    dest: "{{ k3s_server_manifests_dir }}/{{ item.filename | default(item.url | basename) }}"
+    mode: 0644
+  loop: "{{ k3s_server_manifests_urls }}"
+  become: "{{ k3s_become }}"
+  when:
+    - k3s_primary_control_node
+    - not ansible_check_mode
+    - k3s_server_manifests_urls | length > 0
+
+# https://github.com/k3s-io/k3s/pull/1691
+- name: Ensure static pod manifests are copied to controllers
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "{{ k3s_server_pod_manifests_dir }}/{{ item | basename | replace('.j2', '') }}"
+    mode: 0644
+  loop: "{{ k3s_server_pod_manifests_templates }}"
+  become: "{{ k3s_become }}"
+  when:
+    - k3s_control_node
+
+# https://rancher.com/docs/k3s/latest/en/advanced/#auto-deploying-manifests
+- name: Ensure auto-deploying manifests are downloaded to the primary controller
+  ansible.builtin.get_url:
+    url: "{{ item.url }}"
+    dest: "{{ k3s_server_pod_manifests_dir }}/{{ item.filename | default(item.url | basename) }}"
+    mode: 0644
+  loop: "{{ k3s_server_pod_manifests_urls }}"
+  become: "{{ k3s_become }}"
+  when:
+    - k3s_control_node
+    - not ansible_check_mode

tasks/ensure_k3s_config_files.yml

@@ -0,0 +1,31 @@
+---
+
+- name: Ensure that the config.yaml.d directory exists
+  ansible.builtin.file:
+    state: directory
+    path: "{{ k3s_config_yaml_d_dir }}"
+    mode: 0755
+  when: >-
+    k3s_server_config_yaml_d_files | length > 0
+    or k3s_agent_config_yaml_d_files | length > 0
+  become: "{{ k3s_become }}"
+
+# https://github.com/k3s-io/k3s/pull/3162
+- name: Ensure configuration files are copied to controllers
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "{{ k3s_config_yaml_d_dir }}/{{ item | basename | replace('.j2', '') }}"
+    mode: 0644
+  loop: "{{ k3s_server_config_yaml_d_files }}"
+  become: "{{ k3s_become }}"
+  when: k3s_control_node
+
+# https://github.com/k3s-io/k3s/pull/3162
+- name: Ensure configuration files are copied to agents
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "{{ k3s_config_yaml_d_dir }}/{{ item | basename | replace('.j2', '') }}"
+    mode: 0644
+  loop: "{{ k3s_agent_config_yaml_d_files }}"
+  become: "{{ k3s_become }}"
+  when: not k3s_control_node

tasks/ensure_pre_configuration.yml

@@ -4,17 +4,17 @@
   ansible.builtin.set_fact:
     k3s_build_cluster: false
   when:
-    - ansible_play_hosts_all | length < 2
+    - ansible_play_hosts | length < 2
     - k3s_registration_address is not defined
 
 - name: Ensure k3s control node fact is set
   ansible.builtin.set_fact:
-    k3s_control_node: "{{ 'false' if k3s_build_cluster else 'true' }}"
+    k3s_control_node: "{{ not k3s_build_cluster }}"
   when: k3s_control_node is not defined
 
 - name: Ensure k3s primary control node fact is set
   ansible.builtin.set_fact:
-    k3s_primary_control_node: "{{ 'false' if k3s_build_cluster else 'true' }}"
+    k3s_primary_control_node: "{{ not k3s_build_cluster }}"
   when: k3s_primary_control_node is not defined
 
 - name: Ensure k3s control plane port is captured
@@ -22,58 +22,98 @@
     k3s_control_plane_port: "{{ k3s_runtime_config['https-listen-port'] | default(6443) }}"
   delegate_to: k3s_primary_control_node
 
-- name: Ensure a count of control nodes is generated from ansible_play_hosts_all
+- name: Ensure k3s node IP is configured when node-ip is defined
   ansible.builtin.set_fact:
-    k3s_controller_list: "{{ k3s_controller_list + [ item ] }}"
+    k3s_node_ip: "{{ k3s_runtime_config['node-ip'] }}"
+  when:
+    - k3s_runtime_config['node-ip'] is defined
+
+- name: Ensure a count of control nodes is generated from ansible_play_hosts
+  ansible.builtin.set_fact:
+    k3s_controller_list: "{{ k3s_controller_list + [item] }}"
   when:
     - hostvars[item].k3s_control_node is defined
     - hostvars[item].k3s_control_node
-  loop: "{{ ansible_play_hosts_all }}"
-
-- name: Ensure a k3s control node is defined if none are found in ansible_play_hosts_all
-  block:
-
-    - name: Set the control host
-      ansible.builtin.set_fact:
-        k3s_control_node: true
-      when: inventory_hostname == ansible_play_hosts_all[0]
-
-    - name: Ensure a count of control nodes is generated
-      ansible.builtin.set_fact:
-        k3s_controller_list: "{{ k3s_controller_list + [ item ] }}"
-      when:
-        - hostvars[item].k3s_control_node is defined
-        - hostvars[item].k3s_control_node
-      loop: "{{ ansible_play_hosts_all }}"
+  loop: "{{ ansible_play_hosts }}"
 
+- name: Ensure a k3s control node is defined if none are found in ansible_play_hosts
   when:
     - k3s_controller_list | length < 1
     - k3s_build_cluster is defined
     - k3s_build_cluster
+  block:
+    - name: Set the control host
+      ansible.builtin.set_fact:
+        k3s_control_node: true
+      when: inventory_hostname == ansible_play_hosts[0]
 
-- name: Ensure a primary k3s control node is defined if multiple are found in ansible_play_hosts_all
+    - name: Ensure a count of control nodes is generated
+      ansible.builtin.set_fact:
+        k3s_controller_list: "{{ k3s_controller_list + [item] }}"
+      when:
+        - hostvars[item].k3s_control_node is defined
+        - hostvars[item].k3s_control_node
+      loop: "{{ ansible_play_hosts }}"
+
+- name: Ensure an existing primary k3s control node is defined if multiple are found and at least one is running
+  when:
+    - k3s_controller_list | length >= 1
+    - k3s_build_cluster is defined
+    - k3s_build_cluster
+    - k3s_control_delegate is not defined
+  block:
+    - name: Test if control plane is running
+      ansible.builtin.wait_for:
+        port: "{{ k3s_runtime_config['https-listen-port'] | default('6443') }}"
+        host: "{{ k3s_runtime_config['bind-address'] | default('127.0.0.1') }}"
+        timeout: 5
+      register: k3s_control_node_running
+      ignore_errors: true
+      when: k3s_control_node
+
+    - name: List running control planes
+      ansible.builtin.set_fact:
+        k3s_running_controller_list: "{{ k3s_running_controller_list + [item] }}"
+      when:
+        - hostvars[item].k3s_control_node_running is not skipped
+        - hostvars[item].k3s_control_node_running is succeeded
+      loop: "{{ ansible_play_hosts }}"
+
+    - name: Choose first running node as delegate
+      ansible.builtin.set_fact:
+        k3s_control_delegate: "{{ k3s_running_controller_list[0] }}"
+      when: k3s_running_controller_list | length >= 1
+
+- name: Ensure k3s_primary_control_node is set on the delegate
+  ansible.builtin.set_fact:
+    k3s_primary_control_node: true
+  when:
+    - k3s_control_delegate is defined
+    - inventory_hostname == k3s_control_delegate
+
+- name: Ensure a primary k3s control node is defined if multiple are found in ansible_play_hosts
   ansible.builtin.set_fact:
     k3s_primary_control_node: true
   when:
     - k3s_controller_list is defined
-    - k3s_controller_list | length > 1
     - inventory_hostname == k3s_controller_list[0]
     - k3s_build_cluster is defined
     - k3s_build_cluster
+    - k3s_control_delegate is not defined
 
 - name: Ensure ansible_host is mapped to inventory_hostname
   ansible.builtin.blockinfile:
     path: /tmp/inventory.txt
     block: |
-      {% for host in ansible_play_hosts_all %}
+      {% for host in ansible_play_hosts %}
       {% filter replace('\n', ' ') %}
       {{ host }}
       @@@
-      {{ hostvars[host].ansible_host | default(hostvars[host].ansible_fqdn) }}
+      {{ hostvars[host].ansible_host | default(hostvars[host].ansible_fqdn) | string }}
       @@@
-      C_{{ hostvars[host].k3s_control_node }}
+      C_{{ hostvars[host].k3s_control_node | string }}
       @@@
-      P_{{ hostvars[host].k3s_primary_control_node | default(False) }}
+      P_{{ hostvars[host].k3s_primary_control_node | default(False) | string }}
       {% endfilter %}
       @@@ END:{{ host }}
       {% endfor %}
@@ -83,10 +123,12 @@
   when: k3s_control_node is defined
 
 - name: Delegate an initializing control plane node
+  when: k3s_registration_address is not defined
+        or k3s_control_delegate is not defined
   block:
     - name: Lookup control node from file
       ansible.builtin.command:
-        cmd: "grep '{{ 'P_True' if (k3s_controller_list | length > 1) else 'C_True' }}' /tmp/inventory.txt"
+        cmd: "grep -i '{{ 'P_True' if (k3s_controller_list | length > 1) else 'C_True' }}' /tmp/inventory.txt"
       changed_when: false
       check_mode: false
       register: k3s_control_delegate_raw
@@ -103,6 +145,15 @@
       check_mode: false
       when: k3s_control_node_address is defined
 
+    - name: Ensure the node registration address is defined from node-ip
+      ansible.builtin.set_fact:
+        k3s_registration_address: "{{ hostvars[k3s_control_delegate].k3s_node_ip }}"
+      check_mode: false
+      when:
+        - k3s_registration_address is not defined
+        - k3s_control_node_address is not defined
+        - hostvars[k3s_control_delegate].k3s_node_ip is defined
+
     - name: Ensure the node registration address is defined
       ansible.builtin.set_fact:
         k3s_registration_address: "{{ hostvars[k3s_control_delegate].ansible_host | default(hostvars[k3s_control_delegate].ansible_fqdn) }}"
@@ -110,20 +161,3 @@
       when:
         - k3s_registration_address is not defined
         - k3s_control_node_address is not defined
-
-  when: k3s_registration_address is not defined
-        or k3s_control_delegate is not defined
-
-- name: Ensure k3s_runtime_config is set for control plane
-  ansible.builtin.set_fact:
-    k3s_runtime_config: "{{ (k3s_server | default({})) | combine((k3s_agent | default({}))) }}"
-  when:
-    - (k3s_server is defined or k3s_agent is defined)
-    - (k3s_control_node is defined and k3s_control_node)
-
-- name: Ensure k3s_runtime_config is set for agents
-  ansible.builtin.set_fact:
-    k3s_runtime_config: "{{ (k3s_agent | default({})) }}"
-  when:
-    - k3s_agent is defined
-    - (k3s_control_node is not defined or not k3s_control_node)

tasks/ensure_started.yml

@@ -6,7 +6,7 @@
     state: started
     enabled: "{{ k3s_start_on_boot }}"
   when: k3s_non_root is not defined or not k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 
 - name: Ensure k3s service is started
   ansible.builtin.systemd:
@@ -17,4 +17,4 @@
   when:
     - k3s_non_root is defined
     - k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"

tasks/ensure_stopped.yml

@@ -6,9 +6,9 @@
     state: stopped
     enabled: "{{ k3s_start_on_boot }}"
   when: k3s_non_root is not defined or not k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 
-- name: Ensure k3s service is started
+- name: Ensure k3s service is stopped
   ansible.builtin.systemd:
     name: k3s
     state: stopped
@@ -17,4 +17,4 @@
   when:
     - k3s_non_root is defined
     - k3s_non_root
-  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"

tasks/ensure_uninstalled.yml

@@ -10,20 +10,13 @@
     path: /usr/local/bin/k3s-uninstall.sh
   register: check_k3s_uninstall_script
 
-- name: Check to see if docker is present
-  ansible.builtin.command:
-    cmd: which docker
-  failed_when: false
-  changed_when: false
-  register: check_k3s_docker_path
-
 - name: Run k3s-killall.sh
   ansible.builtin.command:
     cmd: /usr/local/bin/k3s-killall.sh
   register: k3s_killall
   changed_when: k3s_killall.rc == 0
   when: check_k3s_killall_script.stat.exists
-  become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 
 - name: Run k3s-uninstall.sh
   ansible.builtin.command:
@@ -33,7 +26,7 @@
   register: k3s_uninstall
   changed_when: k3s_uninstall.rc == 0
   when: check_k3s_uninstall_script.stat.exists
-  become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"
 
 - name: Ensure hard links are removed
   ansible.builtin.file:
@@ -46,11 +39,4 @@
   when:
     - k3s_install_hard_links
     - not ansible_check_mode
-  become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"
-
-- name: Clean up Docker
-  ansible.builtin.command:
-    cmd: docker system prune -a --force
-  when:
-    - ("docker" in k3s_runtime_config and k3s_runtime_config.docker)
-    - check_k3s_docker_path.rc == 0
+  become: "{{ k3s_become }}"

tasks/ensure_uploads.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Ensure installation directory exists
+  ansible.builtin.file:
+    path: "{{ k3s_install_dir }}"
+    state: directory
+    mode: 0755
+
+- name: Ensure k3s binary is copied from controller to target host
+  ansible.builtin.copy:
+    src: k3s
+    # TODO: allow airgap to bypass version post-fix
+    dest: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
+    mode: 0755
+  become: "{{ k3s_become }}"

tasks/main.yml

@@ -1,5 +1,7 @@
 ---
 
-- import_tasks: validate/pre-flight.yml
+- name: Run pre-checks
+  ansible.builtin.import_tasks: pre_checks.yml
 
-- include_tasks: state-{{ (k3s_state | lower) | default('installed') }}.yml
+- name: Ensure state {{ (k3s_state | lower) | default('installed') }}
+  ansible.builtin.include_tasks: state_{{ (k3s_state | lower) | default('installed') }}.yml

tasks/post_checks_nodes.yml

@@ -4,17 +4,18 @@
   ansible.builtin.command:
     cmd: "{{ k3s_install_dir }}/kubectl get nodes"
   changed_when: false
-  failed_when: kubectl_get_nodes_result.stdout.find("was refused") != -1 or
-               kubectl_get_nodes_result.stdout.find("ServiceUnavailable") != -1
+  failed_when: >-
+    kubectl_get_nodes_result.stdout.find("was refused") != -1 or
+    kubectl_get_nodes_result.stdout.find("ServiceUnavailable") != -1
   register: kubectl_get_nodes_result
   until:
     - kubectl_get_nodes_result.rc == 0
     - kubectl_get_nodes_result.stdout.find("NotReady") == -1
   retries: 30
-  delay: 20
+  delay: 5
   when:
     - k3s_control_node
     - ("flannel-backend" not in k3s_runtime_config
        or k3s_runtime_config["flannel-backend"] != "none")
     - not ansible_check_mode
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"

tasks/post_checks_uninstalled.yml

@@ -9,18 +9,6 @@
   changed_when: false
   register: check_k3s_process
 
-- name: Check that docker is not running
-  ansible.builtin.command:
-    cmd: pgrep docker
-  failed_when:
-    - check_k3s_docker_process.rc == 0
-    - not ansible_check_mode
-  changed_when: false
-  register: check_k3s_docker_process
-  when:
-    - k3s_runtime_config.docker is defined
-    - k3s_runtime_config.docker
-
 - name: Fail if k3s binaries have not been removed
   ansible.builtin.stat:
     path: "{{ k3s_install_dir }}/{{ item }}"

tasks/pre_checks.yml

@@ -0,0 +1,132 @@
+---
+
+- name: Check that k3s_state is a supported value
+  ansible.builtin.assert:
+    that:
+      - k3s_state in k3s_valid_states
+    fail_msg: "k3s_state not valid. Check README.md for details."
+    success_msg: "k3s_state is valid."
+  when: k3s_state is defined
+
+- name: Check that Ansible v{{ ansible_version.string }} is supported by this role
+  ansible.builtin.assert:
+    that:
+      - ansible_version.string is version_compare(k3s_ansible_min_version, '>=')
+    fail_msg: >-
+      Ansible v{{ ansible_version.string }} is not supported by this role.
+      Please install >= v{{ k3s_ansible_min_version }}.
+    success_msg: "Ansible v{{ ansible_version.string }} is supported."
+  become: false
+  delegate_to: localhost
+  run_once: true
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_env_checks
+
+- name: Check that Python v{{ ansible_python_version }} is supported by this role
+  ansible.builtin.assert:
+    that:
+      - ansible_python_version is version_compare(k3s_python_min_version, '>=')
+    fail_msg: >-
+      Python v{{ ansible_python_version }} is not supported by this role.
+      Please install >= v{{ k3s_python_min_version }}.
+    success_msg: "Python v{{ ansible_python_version }} is supported."
+  become: false
+  delegate_to: localhost
+  run_once: true
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_env_checks
+
+- name: Check that the target init system is supported by this role
+  ansible.builtin.assert:
+    that:
+      - ansible_service_mgr in k3s_supported_init
+    fail_msg: >-
+      {{ ansible_service_mgr }} is not supported by this role.
+      Supported init systems: {{ k3s_supported_init | join(', ') }}
+    success_msg: "{{ ansible_service_mgr }} is supported"
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_env_checks
+
+- name: Determining if {{ ansible_service_mgr }} is actually openrc
+  ansible.builtin.stat:
+    path: /sbin/openrc-run
+  register: k3s_check_openrc_run
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'service'
+    - not k3s_skip_validation
+    - not k3s_skip_env_checks
+
+- name: Check that {{ ansible_service_mgr }} is actually openrc
+  ansible.builtin.assert:
+    that:
+      - k3s_check_openrc_run.stat.exists
+    fail_msg: >-
+      openrc was not found, cannot install to {{ ansible_service_mgr }}
+    success_msg: "openrc found"
+  when:
+    - k3s_service_handler[ansible_service_mgr] == 'service'
+    - not k3s_skip_validation
+    - not k3s_skip_env_checks
+
+- name: Run version pre-checks
+  ansible.builtin.include_tasks: pre_checks_version.yml
+  when:
+    - (k3s_release_version is not defined
+        or not k3s_release_version
+        or k3s_release_version is not regex('\\+k3s[1-9]$'))
+    - not k3s_airgap
+
+- name: Run cgroups pre-checks
+  ansible.builtin.include_tasks: pre_checks_cgroups.yml
+  loop: "{{ k3s_cgroup_subsys }}"
+  loop_control:
+    loop_var: cgroup
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_env_checks
+
+- name: Run packages pre-checks
+  ansible.builtin.include_tasks: pre_checks_packages.yml
+  loop: "{{ k3s_check_packages[k3s_os_distribution_version] }}"
+  loop_control:
+    loop_var: package
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_env_checks
+    - k3s_check_packages[k3s_os_distribution_version] is defined
+
+- name: Run issue data pre-checks
+  ansible.builtin.include_tasks: pre_checks_issue_data.yml
+  when:
+    - pyratlabs_issue_controller_dump is defined
+    - pyratlabs_issue_controller_dump
+
+- name: Run variables pre-checks
+  ansible.builtin.import_tasks: pre_checks_variables.yml
+  when:
+    - not k3s_skip_validation
+
+- name: Ensure experimental variables pre-checks
+  ansible.builtin.import_tasks: pre_checks_experimental_variables.yml
+  when:
+    - not k3s_skip_validation
+
+- name: Run unsupported rootless pre-checks
+  ansible.builtin.import_tasks: pre_checks_unsupported_rootless.yml
+  when:
+    - k3s_runtime_config.rootless is defined
+    - k3s_runtime_config.rootless
+    - not k3s_skip_validation
+
+- name: Run pre-configuration tasks
+  ansible.builtin.import_tasks: ensure_pre_configuration.yml
+
+- name: Run control node count pre-checks
+  ansible.builtin.import_tasks: pre_checks_control_node_count.yml
+  when:
+    - k3s_build_cluster is defined
+    - k3s_build_cluster
+    - not k3s_skip_validation

tasks/pre_checks_cluster.yml

@@ -16,4 +16,4 @@
   failed_when:
     - not k3s_check_cluster_token.stat.exists
     - not ansible_check_mode
-  become: "{{ k3s_become_for_kubectl | ternary(true, false, k3s_become_for_all) }}"
+  become: "{{ k3s_become }}"

tasks/pre_checks_control_node_count.yml

@@ -43,3 +43,4 @@
     - k3s_etcd_datastore
     - not k3s_use_unsupported_config
     - k3s_control_node
+    - k3s_state != 'uninstalled'

tasks/pre_checks_issue_data.yml

@@ -50,11 +50,11 @@
       # End ANSIBLE ROLES
 
       # Begin PLAY HOSTS
-      {{ ansible_play_hosts_all | to_json }}
+      {{ ansible_play_hosts | to_json }}
       # End PLAY HOSTS
 
       # Begin K3S ROLE CONFIG
-      {% for host in ansible_play_hosts_all %}
+      {% for host in ansible_play_hosts %}
       ## {{ host }}
       {% for config_key in hostvars[host] %}
       {% if config_key | regex_search('^k3s_') %}
@@ -66,7 +66,7 @@
       # End K3S ROLE CONFIG
 
       # Begin K3S RUNTIME CONFIG
-      {% for host in ansible_play_hosts_all %}
+      {% for host in ansible_play_hosts %}
       ## {{ host }}
       {% if hostvars[host].k3s_runtime_config is defined %}
       {{ hostvars[host].k3s_runtime_config }}
@@ -80,6 +80,8 @@
 
 - name: Fail the play
   ansible.builtin.fail:
-    msg: "Please include the output of {{ playbook_dir }}/pyratlabs-issue-dump.txt in your bug report."
+    msg: >-
+      Please include the output of
+      {{ playbook_dir }}/pyratlabs-issue-dump.txt in your bug report.
   delegate_to: localhost
   run_once: true

tasks/pre_checks_packages.yml

@@ -6,6 +6,7 @@
   changed_when: false
   failed_when: false
   register: check_k3s_required_package
+  become: "{{ k3s_become }}"
 
 - name: Test that checks for {{ package.name }} passed
   ansible.builtin.assert:
@@ -18,7 +19,8 @@
       Documentation: {{ package.documentation }}
       {% endif %}
   when:
+    - check_k3s_required_package.rc is defined
     - (package.until is not defined
-       or k3s_release_version is version_compare(package.until, '>='))
+       or (k3s_release_version | replace('v', '')) is version_compare(package.until, '<'))
     - (package.from is not defined
-       or k3s_release_version is version_compare(package.from, '>='))
+       or (k3s_release_version | replace('v', '')) is version_compare(package.from, '>='))

tasks/pre_checks_unsupported_rootless.yml

@@ -50,7 +50,7 @@
   ansible.builtin.assert:
     that:
       - k3s_get_unprivileged_userns_clone['content'] | b64decode | int == 1
-      - k3s_get_max_user_namespaces['content'] | b64decode | int >= 28633
+      - ((k3s_get_max_user_namespaces['content'] | b64decode | int >= 28633) or (k3s_os_family != "redhat"))
       - k3s_current_user_subuid != "UserNotFound:0:0"
       - k3s_current_user_subgid != "UserNotFound:0:0"
       - k3s_current_user_subuid.split(':')[2] | int >= 65536

tasks/pre_checks_variables.yml

@@ -6,6 +6,7 @@
       - (k3s_release_version | replace('v', '')) is version_compare(k3s_min_version, '>=')
     success_msg: "{{ k3s_release_version }} is supported by this role."
     fail_msg: "{{ k3s_release_version }} is not supported by this role, please use xanmanning.k3s v1.x."
+  when: not k3s_airgap
 
 - name: Check configuration in k3s_server and k3s_agent that needs alternate configuration
   ansible.builtin.assert:
@@ -34,6 +35,7 @@
       {% endif %}
   loop: "{{ k3s_deprecated_config }}"
   when:
+    - not k3s_airgap
     - (item.when is not defined
        or (item.when is defined and (k3s_release_version | replace('v', '')) is version_compare(item.when, '>=')))
     - not k3s_use_unsupported_config

tasks/pre_checks_version.yml

@@ -13,13 +13,12 @@
     k3s_release_channel: "{{ k3s_release_version | default('stable') }}"
   check_mode: false
 
-- name: Get the latest release version from k3s.io
+- name: "Get the latest release version from {{ k3s_api_releases }}"
   ansible.builtin.uri:
     url: "{{ k3s_api_releases }}"
     return_content: true
     body_format: json
   register: k3s_latest_release
-  no_log: true
   check_mode: false
 
 - name: Ensure the release version is set as a fact

tasks/state-downloaded.yml

@@ -1,6 +0,0 @@
----
-
-- import_tasks: build/get-version.yml
-  when: k3s_release_version is not defined or not k3s_release_version
-
-- import_tasks: build/download-k3s.yml

tasks/state-installed.yml

@@ -1,61 +0,0 @@
----
-
-- import_tasks: build/preconfigure-k3s.yml
-
-- import_tasks: teardown/drain-and-remove-nodes.yml
-
-- import_tasks: build/get-version.yml
-  when: k3s_release_version is not defined
-        or not k3s_release_version
-        or k3s_release_version is not regex('\\+k3s[1-9]$')
-
-- import_tasks: validate/main.yml
-  when: not k3s_skip_validation
-
-- import_tasks: build/get-systemd-context.yml
-
-- name: Ensure docker installation tasks are run
-  block:
-
-    - include_tasks: build/docker/{{ ansible_os_family | lower }}/install-prerequisites.yml
-
-    - import_tasks: build/docker/install.yml
-      when: ansible_distribution | replace(" ", "-") | lower not in ['amazon', 'suse', 'opensuse-leap', 'archlinux']
-
-    - include_tasks: build/docker/{{ ansible_distribution | replace(" ", "-") | lower }}/install.yml
-      when: ansible_distribution | replace(" ", "-") | lower in ['amazon', 'suse', 'opensuse-leap', 'archlinux']
-
-  when:
-    - ('docker' in k3s_runtime_config and k3s_runtime_config.docker)
-    - ('rootless' not in k3s_runtime_config or not k3s_runtime_config.rootless)
-
-- name: Flush Handlers
-  meta: flush_handlers
-
-- import_tasks: build/download-k3s.yml
-
-- import_tasks: build/preconfigure-k3s-auto-deploying-manifests.yml
-  when:
-    - k3s_control_node
-    - k3s_server_manifests_templates | length > 0
-
-- import_tasks: build/install-k3s.yml
-
-- name: Ensure containerd installation tasks are run
-  block:
-    - include_tasks: build/containerd/registries.yml
-  when:
-    - k3s_registries is defined
-    - (k3s_runtime_config.docker is not defined or not k3s_runtime_config.docker)
-    - ('rootless' not in k3s_runtime_config or not k3s_runtime_config.rootless)
-
-- include_tasks: validate/configuration/cluster-init.yml
-  when:
-    - k3s_control_delegate is defined
-    - k3s_control_delegate == inventory_hostname
-
-- import_tasks: build/configure-k3s-cluster.yml
-  when:
-    - k3s_build_cluster is defined
-    - k3s_build_cluster
-    - k3s_registration_address is defined

tasks/state-restarted.yml

@@ -1,5 +0,0 @@
----
-
-- import_tasks: operate/stop-k3s.yml
-
-- import_tasks: operate/start-k3s.yml

tasks/state-started.yml

@@ -1,3 +0,0 @@
----
-
-- import_tasks: operate/start-k3s.yml

tasks/state-stopped.yml

@@ -1,3 +0,0 @@
----
-
-- import_tasks: operate/stop-k3s.yml

tasks/state-uninstalled.yml

@@ -1,25 +0,0 @@
----
-
-- import_tasks: build/preconfigure-k3s.yml
-
-- import_tasks: teardown/drain-and-remove-nodes.yml
-
-- import_tasks: teardown/uninstall-k3s.yml
-
-- name: Ensure docker uninstall tasks are run
-  block:
-
-    - import_tasks: teardown/docker/uninstall.yml
-      when: ansible_distribution | replace(" ", "-") | lower not in ['amazon', 'suse', 'opensuse-leap', 'archlinux']
-
-    - include_tasks: teardown/docker/{{ ansible_distribution | replace(" ", "-") | lower }}/uninstall.yml
-      when: ansible_distribution | replace(" ", "-") | lower in ['amazon', 'suse', 'opensuse-leap', 'archlinux']
-
-    - include_tasks: teardown/docker/{{ ansible_os_family | lower }}/uninstall-prerequisites.yml
-
-  when:
-    - ('docker' in k3s_runtime_config and k3s_runtime_config.docker)
-    - ('rootless' not in k3s_runtime_config or not k3s_runtime_config.rootless)
-
-- import_tasks: validate/state/uninstalled.yml
-  when: not k3s_skip_validation

tasks/state-validated.yml

@@ -1,7 +0,0 @@
----
-
-- import_tasks: validate/pre-flight.yml
-
-- import_tasks: validate/main.yml
-
-- import_tasks: validate/post-install.yml

tasks/state_downloaded.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Run version pre-checks
+  ansible.builtin.import_tasks: pre_checks_version.yml
+  when:
+    - k3s_release_version is not defined or not k3s_release_version
+    - not k3s_airgap
+
+- name: Run k3s binary download and install tasks
+  ansible.builtin.import_tasks: ensure_downloads.yml
+  when: not k3s_airgap
+
+- name: Run k3s binary upload tasks | k3s_airgap
+  ansible.builtin.import_tasks: ensure_uploads.yml
+  when: k3s_airgap

tasks/state_installed.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Ensure nodes are drained and removed
+  ansible.builtin.import_tasks: ensure_drain_and_remove_nodes.yml
+
+- name: Determine systemd context
+  ansible.builtin.import_tasks: determine_systemd_context.yml
+
+- name: Flush Handlers
+  ansible.builtin.meta: flush_handlers
+
+- name: Run k3s binary download and install tasks
+  ansible.builtin.import_tasks: ensure_downloads.yml
+  when: not k3s_airgap
+
+- name: Run k3s binary upload tasks | k3s_airgap
+  ansible.builtin.import_tasks: ensure_uploads.yml
+  when: k3s_airgap
+
+- name: Run auto-deploy manifests and pod manifests tasks
+  ansible.builtin.import_tasks: ensure_k3s_auto_deploy.yml
+
+- name: Ensure k3s configuration files are copied to controllers and agents
+  ansible.builtin.import_tasks: ensure_k3s_config_files.yml
+
+- name: Run k3s installation tasks
+  ansible.builtin.import_tasks: ensure_installed.yml
+
+- name: Ensure containerd registries
+  ansible.builtin.include_tasks: ensure_containerd_registries.yml
+  when:
+    - (k3s_registries.mirrors | default(None)) != None or (k3s_registries.configs | default(None) != None)
+    - ('rootless' not in k3s_runtime_config or not k3s_runtime_config.rootless)
+
+- name: Run cluster pre-checks
+  ansible.builtin.include_tasks: pre_checks_cluster.yml
+  when:
+    - k3s_control_delegate is defined
+    - k3s_control_delegate == inventory_hostname
+
+- name: Run k3s cluster tasks
+  ansible.builtin.import_tasks: ensure_cluster.yml
+  when:
+    - k3s_build_cluster is defined
+    - k3s_build_cluster
+    - k3s_registration_address is defined
+
+- name: Flush Handlers
+  ansible.builtin.meta: flush_handlers

tasks/state_restarted.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Ensure k3s is stopped
+  ansible.builtin.import_tasks: ensure_stopped.yml
+
+- name: Ensure k3s is started
+  ansible.builtin.import_tasks: ensure_started.yml

tasks/state_started.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Ensure k3s is started
+  ansible.builtin.import_tasks: ensure_started.yml

tasks/state_stopped.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Ensure k3s is stopped
+  ansible.builtin.import_tasks: ensure_stopped.yml

tasks/state_uninstalled.yml

@@ -0,0 +1,16 @@
+---
+
+- name: Run pre-configuration tasks
+  ansible.builtin.import_tasks: ensure_pre_configuration.yml
+
+- name: Ensure nodes are drained and removed
+  ansible.builtin.import_tasks: ensure_drain_and_remove_nodes.yml
+
+- name: Run uninstall tasks
+  ansible.builtin.import_tasks: ensure_uninstalled.yml
+
+- name: Run uninstall post checks
+  ansible.builtin.import_tasks: post_checks_uninstalled.yml
+  when:
+    - not k3s_skip_validation
+    - not k3s_skip_post_checks

tasks/state_validated.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Run control plane post checks
+  ansible.builtin.import_tasks: post_checks_control_plane.yml
+
+- name: Run node post checks
+  ansible.builtin.import_tasks: post_checks_nodes.yml

tasks/teardown/docker/amazon/uninstall.yml

@@ -1,8 +0,0 @@
----
-
-- name: Ensure docker is uninstalled using amazon-linux-extras
-  ansible.builtin.command:
-    cmd: amazon-linux-extras uninstall docker
-  register: uninstall_docker_from_amazon_linux
-  changed_when: uninstall_docker_from_amazon_linux.rc == 0
-  become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}"