* Security exposure related to the token
The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the super user only. This is what the standard K3s
installation script (https://get.k3s.io) does.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Restore the server URL into systemd configuration file
There aren't any security implications in keeping it there.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---------
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
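The exposure described in the token commit above can be checked on a node with a short audit. This is an added example, not part of the commit log or of the k3s-ansible project. The function names, the token patterns it greps for (`--token` argument, `K3S_TOKEN=` assignment) and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Token patterns are assumptions; uses GNU stat (Linux).

# True when the "other" permission class can read the file.
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *[4567]) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the file carries a token as a --token argument or K3S_TOKEN= line.
has_token() {
    grep -Eq -e '--token[= ]|K3S_TOKEN=' "$1" 2>/dev/null
}

# Prints findings for a unit file and its environment file; returns their count.
audit_k3s_token() {
    unit=$1; envf=$2; findings=0
    if has_token "$unit" && world_readable "$unit"; then
        echo "FAIL: token stored in world-readable $unit"
        findings=$((findings + 1))
    fi
    if has_token "$envf" && world_readable "$envf"; then
        echo "FAIL: $envf holds the token and is world-readable"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no exposed token in $unit or $envf"
    return "$findings"
}

# Constructed sample files: the layout the commit describes as the problem,
# then the layout it moves to. The token value is a placeholder.
demo() {
    d=$(mktemp -d) || return 0
    printf 'ExecStart=/usr/local/bin/k3s server --token PLACEHOLDER\n' > "$d/bad.service"
    : > "$d/bad.service.env"
    chmod 644 "$d/bad.service" "$d/bad.service.env"
    printf 'ExecStart=/usr/local/bin/k3s server\n' > "$d/good.service"
    printf 'K3S_TOKEN=PLACEHOLDER\n' > "$d/good.service.env"
    chmod 644 "$d/good.service"; chmod 600 "$d/good.service.env"
    audit_k3s_token "$d/bad.service" "$d/bad.service.env" || true
    audit_k3s_token "$d/good.service" "$d/good.service.env" || true
    rm -rf "$d"
}
demo
```

On a real node the two arguments would be /etc/systemd/system/k3s.service and /etc/systemd/system/k3s.service.env, the paths named in the commit message.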
* More flexible cgroup settings
If there are already required cgroup boot parameters present but in a
different order than specified, the script will add them again. It is
better to test for the individual parameter in a loop and selectively
add them as necessary.
Signed-off-by: Marko Vukovic <anonsoftware@gmail.com>
Signed-off-by: Marko Vukovic <anonsoftware@gmail.com>
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Make agent and server groups configurable
Signed-off-by: Meagan Harris <thewitch@siliconsorceress.com>
* Fix typo in upgrade role
Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Meagan Harris <47128741+simagick@users.noreply.github.com>
---------
Signed-off-by: Meagan Harris <thewitch@siliconsorceress.com>
Signed-off-by: Meagan Harris <47128741+simagick@users.noreply.github.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
* Implement compatible yamllint, make octals explicit
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Replace yum with dnf, yum is deprecated
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
- [Agent : Download artefact only if needed](roles/k3s_agent/tasks/main.yml#L13)
- [Server : Download artefact only if needed](roles/k3s_server/tasks/main.yml#L13)
- [Upgrade : Upgrade node only if needed](roles/k3s_upgrade/tasks/main.yml#L14)
Linked issue #264 k3s_server and k3s_agent tasks are not idempotent
Signed-off-by: Loïc Dubard <loic97429@gmail.com>
* Enable skipping bootcmd verification in Raspberry Pi
Signed-off-by: Jose Luis Pedrosa <jlpedrosa@gmail.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
As detailed in https://github.com/k3s-io/k3s-ansible/issues/295, this
commit fixes the issue that if `kubeconfig` is set to anything other
than the default value, then:
- `~/.kube/config` is modified.
- No file at `{{ kubeconfig }}` is created.
- Any existing file at `{{ kubeconfig }}` is deleted.
Signed-off-by: Nick To <nick@nickto.net>
* Limited boolean values to true/false;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Moved ArchLinux prereq task to be a handler;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Standardized task name for adding cgroup support;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Have backrefs: follow path:;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Addressed ansible-lint errors;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Fixed #264, task 7: Copy K3s service file;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
---------
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* do not blindly overwrite kube config
Signed-off-by: Roman Ivanov <me@roivanov.com>
* don't need to check if an existing config exists
Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Roman Ivanov <me@roivanov.com>
* Fixed #260: k3s autocompletion is added to .bashrc only when necessary;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Remove Jinja template from name:
Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
---------
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
* Initial airgap support
* Support any of the compressed image formats
* Add airgap section to README
* Support Airgap SELinux RPM install
Signed-off-by: Derek Nola <derek.nola@suse.com>