Commit Graph

166 Commits

Author SHA1 Message Date
anon-software
2d98982809
Security exposure related to the token (#356)
* Security exposure related to the token

The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the super user only. This is what the standard K3s
installation script (https://get.k3s.io) does.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

* Restore the server URL into systemd configuration file

There aren't any security implications in keeping it there.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

---------

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
2024-09-04 14:02:52 -07:00
Lihai Tu
61ba8b57a3
Cleanup redundant conditions (#355)
Signed-off-by: tu1h <lihai.tu@daocloud.io>
2024-08-22 14:13:06 -07:00
anon-software
04c8ae9a57
More flexible cgroup settings (#352)
* More flexible cgroup settings

If there are already required cgroup boot parameters present but in a
different order than specified, the script will add them again. It is
better to test for the individual parameter in a loop and selectively
add them as necessary.

Signed-off-by: Marko Vukovic <anonsoftware@gmail.com>

Signed-off-by: Marko Vukovic <anonsoftware@gmail.com>
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
2024-08-15 10:32:22 -07:00
Peter Klijn
e53d895428
Introduce copy of k3s.yaml file to detect changes and skip control node changes (#347)
Signed-off-by: Peter Klijn <pjmklijn@gmail.com>
2024-07-15 13:55:31 -07:00
Peter Klijn
4f769544b3
Add a handler to restart the K3s Server when the service file changes (#344)
* Add a handler to restart the K3s Server when the service file changes

Signed-off-by: Peter Klijn <pjmklijn@gmail.com>
2024-07-15 10:00:25 -07:00
haseHH
71d6ba0580
Don't install linux-modules-extra-raspi on Ubuntu 24.04 and up (#346)
The extra modules were merged into the normal modules package as of Kernel 6.8/Ubuntu 24.04

Signed-off-by: haseHH <christian@hase.hamburg>
2024-07-11 10:18:06 -07:00
Derek Nola
a4b5363318
Don't enable K3s service during airgap install (#345)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-07-08 10:58:08 -07:00
Peter Klijn
31b8b1edcf
POC: Supporting k3s-ansible with external database (#339)
* POC: Supporting k3s-ansible with external database

Signed-off-by: Peter Klijn <pjmklijn@gmail.com>
2024-07-02 13:34:34 -07:00
laszlojau
1907e6fb79
Add group variables to the prereq role (#334)
Signed-off-by: laszlojau <49835454+laszlojau@users.noreply.github.com>
2024-06-10 09:58:06 -07:00
Meagan Harris
006653f3ff
Make agent and server groups configurable (#331)
* Make agent and server groups configurable

Signed-off-by: Meagan Harris <thewitch@siliconsorceress.com>

* Fix typo in upgrade role

Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Meagan Harris <47128741+simagick@users.noreply.github.com>

---------

Signed-off-by: Meagan Harris <thewitch@siliconsorceress.com>
Signed-off-by: Meagan Harris <47128741+simagick@users.noreply.github.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2024-06-04 10:06:14 -07:00
Derek Nola
af29159231
Implement compatible yamllint, make octals explicit (#332)
* Implement compatible yamllint, make octals explicit

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Replace yum with dnf, yum is deprecated

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-06-04 09:56:07 -07:00
laszlojau
8120b7c0d1
Update firewall rules (#329)
Signed-off-by: laszlojau <49835454+laszlojau@users.noreply.github.com>
2024-05-30 10:05:43 -07:00
Derek Nola
ddc664a7f6
Apply noqa and fix line length limit. ansible-lint production profile (#326)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-05-03 09:38:01 -07:00
laszlojau
7ec16a8d53
Keep service backups under /etc/systemd/system (#324)
Signed-off-by: laszlojau <49835454+laszlojau@users.noreply.github.com>
2024-04-05 13:54:57 -07:00
dreamingdeer
33c15e7c2f
feat add custom registries_config_yaml for private-registry (#319)
* feat add custom registries_config_yaml for private-registry

Signed-off-by: dreamingdeer <dreamingdeer@yandex.ru>
Co-authored-by: dreamingdeer <dreamingdeer@yandex.ru>
2024-04-02 12:24:23 -07:00
dreamingdeer
485ee0f285
fix keep extension on uploaded file on airgap install (#311)
* fix keep extension on uploaded file on airgap install
* fix other tasks distribute K3s images

Signed-off-by: dreamingdeer <dreamingdeer@yandex.ru>
Co-authored-by: dreamingdeer <dreamingdeer@yandex.ru>
2024-04-01 11:31:44 -07:00
Mykyta Orlov
5dd8c3f5a3
Fix typo in main.yml (#317)
Signed-off-by: Mykyta Orlov <orlovmyk@gmail.com>
2024-04-01 11:15:20 -07:00
Jose Luis Pedrosa
91405dc517
fix: skip cgroups when cmdline.txt is not present (#320)
Signed-off-by: Jose Luis Pedrosa <jlpedrosa@gmail.com>
2024-04-01 11:08:05 -07:00
Vivek Sarin
c84c1ce5b1
Added custom context name (#315)
* Added custom context name

Signed-off-by: Vivek Sarin <vivek@sarin.info>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Vivek Sarin <vivek@sarin.info>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2024-04-01 09:35:55 -07:00
Derek Nola
6c14e5d923
Add a minimum ansible core check (#308)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-03-19 10:05:10 -07:00
LawiK974
a2916230ba
Check K3s installed version before download tasks (#297)
- [Agent : Download artefact only if needed](roles/k3s_agent/tasks/main.yml#L13)
- [Server : Download artefact only if needed](roles/k3s_server/tasks/main.yml#L13)
- [Upgrade : Upgrade node only if needed](roles/k3s_upgrade/tasks/main.yml#L14)

Linked issue #264 k3s_server and k3s_agent tasks are not idempotent

Signed-off-by: Loïc Dubard <loic97429@gmail.com>
2024-03-07 16:05:07 -08:00
Jose Luis Pedrosa
1e266a52f9
Enable skipping bootcmd verification in Raspberry PI (#300)
* Enable skipping bootcmd verification in Raspberry PI

Signed-off-by: Jose Luis Pedrosa <jlpedrosa@gmail.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2024-03-04 10:10:01 -08:00
laszlojau
9c8ba5c155
Set firewall rules for custom CIDR ranges (#293)
Signed-off-by: laszlojau <49835454+laszlojau@users.noreply.github.com>
2024-02-22 09:34:36 -08:00
Nick To
060362178d
Fix unexpected behaviour when kubeconfig is set (#296)
As detailed in https://github.com/k3s-io/k3s-ansible/issues/295, this
commit fixes the issue that if `kubeconfig` is set to anything other
than the default value, then:

- `~/.kube/config` is modified.
- No file at `{{ kubeconfig }}` is created.
- Any existing file at `{{ kubeconfig }}` is deleted.

Signed-off-by: Nick To <nick@nickto.net>
2024-02-05 12:10:45 -08:00
Dmitriy Safronov
fe3df5c836
[#287] fix control node tasks logic to properly change server address on control node (#288)
Signed-off-by: Dmitriy Safronov <zimniy@cyberbrain.pw>
2024-01-17 16:06:20 -08:00
Dmitriy Safronov
502d93bc02
[289] Add K3s autocomplete to user bashrc on any server node, not only on first (#290)
Signed-off-by: Dmitriy Safronov <zimniy@cyberbrain.pw>
2024-01-16 10:33:02 -08:00
shkuviak
d1d7864337
k3s agent - Fix bad reference to k3s-agent.service.env in k3s-agent.service (#283)
Signed-off-by: Nicolas JENDROWIAK <75165555+shkuviak@users.noreply.github.com>
2024-01-04 11:54:22 -08:00
Derek Nola
7df05a755b
Completely setup kubectl for ansible_user, with option to disable it (#278)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-12-13 12:59:04 -08:00
Xiangkun Liu
1527df5631
Use inventory_hostname instead of ansible_hostname (#274)
Signed-off-by: Xiangkun Liu <git@lxk.sh>
Co-authored-by: Xiangkun Liu <git@lxk.sh>
2023-12-11 14:44:02 -08:00
Dani Hodovic
fdaba90bb0
fix: yaml conditional logic (#273)
Running the playbook with version 2.16.1
Replace `&&` with `and`
Signed-off-by: Dani Hodovic <dani.hodovic@gmail.com>
2023-12-11 14:31:13 -08:00
Derek Nola
1c11767619
Only setup/cleanup yaml config for servers (#272)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-12-06 13:55:32 -08:00
Derek Nola
9998f503b4
Support user defined kubeconfig, fix merging context (#266)
* Support user defined kubeconfig, fix merging context

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-12-06 09:13:05 -08:00
Jon S. Stumpf
4d6e60281e
Role tweaks (#268)
* Limited boolean values to true/false;

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

* Moved ArchLinux prereq task to be a handler;

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

* Standardized task name for adding cgroup support;

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

* Have backrefs: follow path:;

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

* Addressed ansible-lint errors;

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

* Fixed #264, task 7: Copy K3s service file;

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

---------

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
2023-12-04 09:46:45 -08:00
Roman Ivanov
ec02f1cafd
do not blindly overwrite kube config (#263)
* do not blindly overwrite kube config

Signed-off-by: Roman Ivanov <me@roivanov.com>

* don't need to check if an existing config exists

Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Roman Ivanov <me@roivanov.com>
2023-12-01 09:00:30 -08:00
Jon S. Stumpf
34bf054f94
Fixed #260: k3s autocompletion is added to .bashrc only when necessary; (#262)
* Fixed #260: k3s autocompletion is added to .bashrc only when necessary;

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

* Remove Jinja template from name:

Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>

---------

Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2023-12-01 08:58:12 -08:00
Derek Nola
19c206d0cb
Update minimum ansible version requirements to avoid airgap error (#258)
* Update minimum ansible version requirements to avoid airgap error

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-30 12:32:19 -08:00
Derek Nola
7fcf82ac64
Rework iptables old version checks (#255)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-16 12:43:45 -08:00
Derek Nola
1e633c5ad1
Rework Role Structure (#254)
* Add more defaults
* Rename roles, convert download to airgap role
* Remove unnecessary gather_facts

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-16 12:03:07 -08:00
Derek Nola
52941b749b
Airgap Support (#253)
* Initial airgap support
* Support any of the compressed image formats
* Add airgap section to README
* Support Airgap SElinux RPM install

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-14 14:36:15 -08:00
Derek Nola
46a842a551
Support K3s config yaml (#252)
* Support K3s config yaml

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-13 14:09:15 -08:00
Derek Nola
bec34905c2
Only use iptables alternative on older iptables versions
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-10 15:25:10 -08:00
Derek Nola
3b9982013a
Fix issue around using ip addresses in inventory, download and remove agent service properly
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-10 15:25:10 -08:00
Derek Nola
e01a8a2a8a
Extra Manifest deployment (#244)
* Allow additional manifests to be deployed

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-10 12:13:39 -08:00
Derek Nola
9d918c9da0
Handle apparmor for Debian 11 when parser not present
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-10 11:03:58 -08:00
Derek Nola
bfd030290d
Add apparmor-parser support for SUSE
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-10 11:03:58 -08:00
Derek Nola
e9a283b48c
Minimal Firewall Exceptions (#242)
* Add rules to UFW firewall for basic K3s functionality

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Add firewalld exceptions

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-09 19:21:46 -08:00
Derek Nola
fd4e8bf70b
Allow SELinux on RHEL family (#241)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-09 19:19:00 -08:00
Derek Nola
bb55bcf07a
Fix reboot handler calls (#239)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-09 13:56:22 -08:00
Derek Nola
45289ba7d9
Add support for Rocky, bump default install version (#238)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-09 12:56:38 -08:00
Derek Nola
e6233d9f7d
Add support for Service Envs (#237)
* Add support for service ENVs
* Rename PR template
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-11-09 12:30:18 -08:00