Merge c5a5b9e0d8 into 33c15e7c2f

Fix some ansible-lints and firewalld
Fix playbooks folder name according to the ansible collection scheme... Refactor firewalld policy Signed-off-by: Przemyslaw Sztoch <przemyslaw@sztoch.pl>
2024-04-05 08:30:13 +00:00 · 2024-04-05 10:29:12 +02:00
5 changed files with 55 additions and 25 deletions
--- a/roles/airgap/tasks/main.yml
+++ b/roles/airgap/tasks/main.yml
@ -15,7 +15,7 @@
        url: https://get.k3s.io/
        timeout: 120
        dest: "{{ airgap_dir }}/k3s-install.sh"
-        mode: 0755
+        mode: "0755"

    - name: Distribute K3s install script
      ansible.builtin.copy:
@ -23,7 +23,7 @@
        dest: /usr/local/bin/k3s-install.sh
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"

    - name: Distribute K3s binary
      ansible.builtin.copy:
@ -31,7 +31,7 @@
        dest: /usr/local/bin/k3s
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"

    - name: Distribute K3s SELinux RPM
      ansible.builtin.copy:
@ -39,7 +39,7 @@
        dest: /tmp/
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"
      with_fileglob:
        - "{{ airgap_dir }}/k3s-selinux*.rpm"
      register: selinux_copy
@ -57,7 +57,7 @@
    - name: Make images directory
      ansible.builtin.file:
        path: "/var/lib/rancher/k3s/agent/images/"
-        mode: 0755
+        mode: "0755"
        state: directory

    - name: Determine Architecture
@ -71,7 +71,7 @@
        dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"
      with_first_found:
        - files:
            - "{{ airgap_dir }}/k3s-airgap-images-amd64.tar.zst"
@ -86,7 +86,7 @@
        dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"
      with_first_found:
        - files:
            - "{{ airgap_dir }}/k3s-airgap-images-arm64.tar.zst"
@ -101,7 +101,7 @@
        dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"
      with_first_found:
        - files:
            - "{{ airgap_dir }}/k3s-airgap-images-arm.tar.zst"
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@ -24,7 +24,7 @@
        dest: /usr/local/bin/k3s-install.sh
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"

    - name: Download K3s binary
      ansible.builtin.command:
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@ -24,7 +24,7 @@
        dest: /usr/local/bin/k3s-install.sh
        owner: root
        group: root
-        mode: 0755
+        mode: "0755"

    - name: Download K3s binary
      ansible.builtin.command:
@ -46,13 +46,13 @@
    - name: Make config directory
      ansible.builtin.file:
        path: "/etc/rancher/k3s"
-        mode: 0755
+        mode: "0755"
        state: directory
    - name: Copy config values
      ansible.builtin.copy:
        content: "{{ server_config_yaml }}"
        dest: "/etc/rancher/k3s/config.yaml"
-        mode: 0644
+        mode: "0644"

 - name: Init first server node
  when: inventory_hostname == groups['server'][0]
@ -64,7 +64,7 @@
        dest: "{{ systemd_dir }}/k3s.service"
        owner: root
        group: root
-        mode: 0644
+        mode: "0644"

    - name: Copy K3s service file [HA]
      when: groups['server'] | length > 1
@ -73,7 +73,7 @@
        dest: "{{ systemd_dir }}/k3s.service"
        owner: root
        group: root
-        mode: 0644
+        mode: "0644"

    - name: Add service environment variables
      when: extra_service_envs is defined
@ -154,7 +154,7 @@
        dest: "{{ systemd_dir }}/k3s.service"
        owner: root
        group: root
-        mode: 0644
+        mode: "0644"

    - name: Enable and check K3s service
      ansible.builtin.systemd:
--- a/roles/prereq/defaults/main.yml
+++ b/roles/prereq/defaults/main.yml
@ -1,2 +1,13 @@
 ---
+# Zone for inter-node traffic
+k3s_firewalld_node_zone: internal
+
+# List of IP addresses or cidr masks of your nodes
+k3s_firewalld_node_cidrs: []
+
+# List of public services
+k3s_firewalld_public_ports:
+  - 80/tcp
+  - 443/tcp
+
 api_port: 6443
--- a/roles/prereq/tasks/main.yml
+++ b/roles/prereq/tasks/main.yml
@ -73,7 +73,7 @@
    - name: If firewalld enabled, open api port
      ansible.posix.firewalld:
        port: "{{ api_port }}/tcp"
-        zone: internal
+        zone: "{{ k3s_firewalld_node_zone }}"
        state: enabled
        permanent: true
        immediate: true
@ -82,15 +82,15 @@
      when: groups['server'] | length > 1
      ansible.posix.firewalld:
        port: "2379-2381/tcp"
-        zone: internal
+        zone: "{{ k3s_firewalld_node_zone }}"
        state: enabled
        permanent: true
        immediate: true

-    - name: If firewalld enabled, open inbound ports
+    - name: If firewalld enabled, open inter-node ports
      ansible.posix.firewalld:
        port: "{{ item }}"
-        zone: internal
+        zone: "{{ k3s_firewalld_node_zone }}"
        state: enabled
        permanent: true
        immediate: true
@ -100,7 +100,26 @@
        - 51820/udp
        - 51821/udp
        - 5001/tcp
-        - 6443/tcp
+
+    - name: If firewalld enabled, allow node CIDRs
+      ansible.posix.firewalld:
+        source: "{{ item }}"
+        zone: "{{ k3s_firewalld_node_zone }}"
+        state: enabled
+        permanent: true
+        immediate: true
+      when: k3s_firewalld_node_cidrs is defined
+      loop: "{{ k3s_firewalld_node_cidrs }}"
+
+    - name: If firewalld enabled, open public ports
+      ansible.posix.firewalld:
+        port: "{{ item }}"
+        zone: "public"
+        state: enabled
+        permanent: true
+        immediate: true
+      when: k3s_firewalld_public_ports is defined
+      loop: "{{ k3s_firewalld_public_ports }}"

    - name: If firewalld enabled, allow default CIDRs
      ansible.posix.firewalld:
@ -199,7 +218,7 @@
    - name: Make rancher directory
      ansible.builtin.file:
        path: "/var/lib/rancher"
-        mode: 0755
+        mode: "0755"
        state: directory
    - name: Create symlink
      ansible.builtin.file:
@ -214,13 +233,13 @@
    - name: Make manifests directory
      ansible.builtin.file:
        path: "/var/lib/rancher/k3s/server/manifests"
-        mode: 0700
+        mode: "0700"
        state: directory
    - name: Copy manifests
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: "/var/lib/rancher/k3s/server/manifests"
-        mode: 0600
+        mode: "0600"
      loop: "{{ extra_manifests }}"

 - name: Setup optional private registry configuration
@ -229,10 +248,10 @@
    - name: Make k3s config directory
      ansible.builtin.file:
        path: "/etc/rancher/k3s"
-        mode: 0755
+        mode: "0755"
        state: directory
    - name: Copy config values
      ansible.builtin.copy:
        content: "{{ registries_config_yaml }}"
        dest: "/etc/rancher/k3s/registries.yaml"
-        mode: 0644
+        mode: "0644"
Author	SHA1	Message	Date
Przemysław Sztoch	1e1b244af5	Merge `c5a5b9e0d8` into `33c15e7c2f`	2024-04-05 08:30:13 +00:00
Przemyslaw Sztoch	c5a5b9e0d8	Fix some ansible-lints and firewalld Fix playbooks folder name according to the ansible collection scheme... Refactor firewalld policy Signed-off-by: Przemyslaw Sztoch <przemyslaw@sztoch.pl>	2024-04-05 10:29:12 +02:00