* Prevent multiple tokens in k3s.service.env
If site.yml playbook is executed multiple times with different tokens,
they will all accumulate in k3s.service.env. They won't do any harm
because the last one wins, however it is a matter of good housekeeping
to delete the old before inserting a new one.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Selectively remove existing token from the environment file
If the existing token in the environment file is the same as the token
used for the playbook run, leave it in the file to avoid false changed
status from the task.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---------
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Security exposure related to the token
The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the super user only. This is what the standard K3s'
installation script (https://get.k3s.io) does.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Restore the server URL into systemd configuration file
There aren't any security implications in keeping it there.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---------
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
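
Added example, not code from the k3s-ansible repository: a shell check for the token exposure described in the commit message above, which also reports the accumulated-token case from the first commit. It assumes the token appears either as a `--token` argument or as a `K3S_TOKEN=` line; the function name `audit_k3s_token` and its optional owner-uid argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the k3s-ansible repository).
# Usage: audit_k3s_token UNIT_FILE ENV_FILE [OWNER_UID]
# Prints one finding per line; returns 0 when nothing fails, 1 otherwise.
audit_k3s_token() {
    unit=$1; envfile=$2; want_uid=${3:-0}; rc=0

    # The unit file is readable by anybody, so a token there is exposed,
    # whether passed as a --token argument or as an inline K3S_TOKEN= value.
    if [ -f "$unit" ] &&
       grep -Eq -e "(--token([=[:space:]'\"]|\$)|K3S_TOKEN=)" "$unit"; then
        echo "FAIL: token found in $unit"
        rc=1
    fi

    [ -f "$envfile" ] || return "$rc"

    # The environment file must carry no group/other permission bits ...
    mode=$(stat -c '%a' "$envfile")      # GNU stat, e.g. 600
    case $mode in
        *00|0) ;;
        *) echo "FAIL: $envfile has mode $mode, expected 600"; rc=1 ;;
    esac

    # ... and must belong to the expected owner (root unless overridden).
    uid=$(stat -c '%u' "$envfile")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $envfile is owned by uid $uid, expected $want_uid"
        rc=1
    fi

    # Repeated runs with different tokens used to leave several entries;
    # harmless because the last one wins, so report without failing.
    count=$(grep -c '^K3S_TOKEN=' "$envfile" || true)
    if [ "${count:-0}" -gt 1 ]; then
        echo "WARN: $envfile holds $count K3S_TOKEN entries"
    fi
    return "$rc"
}

# On a node, run against the paths named in the commit message:
# audit_k3s_token /etc/systemd/system/k3s.service /etc/systemd/system/k3s.service.env
```
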
* Make agent and server groups configurable
Signed-off-by: Meagan Harris <thewitch@siliconsorceress.com>
* Fix typo in upgrade role
Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Meagan Harris <47128741+simagick@users.noreply.github.com>
---------
Signed-off-by: Meagan Harris <thewitch@siliconsorceress.com>
Signed-off-by: Meagan Harris <47128741+simagick@users.noreply.github.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
* Implement compatible yamllint, make octals explicit
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Replace yum with dnf, yum is deprecated
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
- [Agent : Download artefact only if needed](roles/k3s_agent/tasks/main.yml#L13)
- [Server : Download artefact only if needed](roles/k3s_server/tasks/main.yml#L13)
- [Upgrade : Upgrade node only if needed](roles/k3s_upgrade/tasks/main.yml#L14)
Linked issue #264 k3s_server and k3s_agent tasks are not idempotent
Signed-off-by: Loïc Dubard <loic97429@gmail.com>
As detailed in https://github.com/k3s-io/k3s-ansible/issues/295, this
commit fixes the issue that if `kubeconfig` is set to anything other
than the default value, then:
- `~/.kube/config` is modified.
- No file at `{{ kubeconfig }}` is created.
- Any existing file at `{{ kubeconfig }}` is deleted.
Signed-off-by: Nick To <nick@nickto.net>
* do not blindly overwrite kube config
Signed-off-by: Roman Ivanov <me@roivanov.com>
* don't need to check if an existing config exists
Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Roman Ivanov <me@roivanov.com>
* Fixed #260: k3s autocompletion is added to .bashrc only when necessary;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Remove Jinja template from name:
Co-authored-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
---------
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>