adding logic to determine join token and which node is up

roles/rke2/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
-rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}"
+rke2_kubernetes_api_server_host: ""
 rke2_tarball_install_dir: "/usr/local"
 rke2_local_install_tarball_path: ""
 rke2_install_tarball_url: ""
 rke2_images_urls: []
 rke2_images_local_tarball_path: []
-rke2_channel: stable
+rke2_channel: "stable"
 rke2_audit_policy_config_file_path: ""
 rke2_registry_config_file_path: ""
 rke2_pod_security_admission_config_file_path: ""

roles/rke2/handlers/main.yml

@@ -7,6 +7,13 @@
   when:
     - not rke2_reboot
 
+- name: Restart fapolicyd
+  ansible.builtin.service:
+    state: restarted
+    name: fapolicyd
+  when:
+    - not rke2_reboot
+
 - name: Restart rke2-server
   ansible.builtin.service:
     state: restarted

roles/rke2/tasks/add_ansible_managed_config.yml

@@ -0,0 +1,37 @@
+---
+- name: "Add {{ file_description }} file"
+  ansible.builtin.template:
+    src: ansible_managed_yaml.j2
+    dest: "{{ file_destination }}"
+    mode: '0640'
+    owner: root
+    group: root
+  when:
+    - file_path | default("") | length != 0
+  notify: "Restart {{ service_name }}"
+
+- name: "Remove {{ file_description }} file"
+  when:
+    - file_path | default("") | length == 0
+  block:
+    - name: "Check that the {{ file_description }} file exists"
+      ansible.builtin.stat:
+        path: "{{ file_destination }}"
+      register: stat_result
+
+    - name: "Check that the {{ file_description }} config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "{{ file_destination }}"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: "Remove the {{ file_description }} file if exists and has ansible managed comments"
+      ansible.builtin.file:
+        path: "{{ file_destination }}"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false
+      notify: "Restart {{ service_name }}"

roles/rke2/tasks/cluster_state.yml

@@ -0,0 +1,67 @@
+---
+
+- name: Check for existing cluster
+  block:
+    - name: Check for node-token (existing cluster)
+      ansible.builtin.stat:
+        path: /var/lib/rancher/rke2/server/node-token
+      register: node_token_tmp
+
+    - name: Read node-token (existing cluster)
+      ansible.builtin.slurp:
+        src: /var/lib/rancher/rke2/server/node-token
+      register: rke2_config_token_tmp
+      when:
+        - node_token_tmp.stat.exists
+
+    - name: Set node-token fact (existing cluster)
+      ansible.builtin.set_fact:
+        rke2_config_token: "{{ rke2_config_token_tmp.content | b64decode | regex_replace('\n', '') }}"
+      when:
+        - rke2_config_token_tmp.stat.exists
+
+    - name: Set node-token fact on all hosts (existing cluster)
+      ansible.builtin.set_fact:
+        rke2_config_token: "{{ hostvars[item]['rke2_config_token'] }}"
+      delegate_to: localhost
+      run_once: true
+      loop: "{{ groups['all'] }}"
+      when: "hostvars[item]['rke2_config_token'] is defined"
+      vars:
+        rke2_config_token: "{{ rke2_config_token | default('') }}"
+
+    - name: Debug found token
+      ansible.builtin.debug:
+        msg: "rke2_config_token: {{ rke2_config_token }}"
+      when: rke2_config_token != ""
+
+    - name: Read host with token (existing cluster)
+      ansible.builtin.set_fact:
+        existing_join_host: "{{ ansible_hostname }}"
+      when:
+        - node_token_tmp.stat.exists
+
+    - name: Set join server fact on all hosts (existing cluster)
+      ansible.builtin.set_fact:
+        rke2_kubernetes_api_server_host: "{{ hostvars[item]['existing_join_host'] }}"
+      delegate_to: localhost
+      run_once: true
+      loop: "{{ groups['all'] }}"
+      when:
+        - "hostvars[item]['existing_join_host'] is defined"
+        - hostvars[item]['rke2_kubernetes_api_server_host'] == ""
+      vars:
+        rke2_kubernetes_api_server_host: "{{ existing_join_host | default('') }}"
+  when:
+    - rke2_running is defined
+    - rke2_running
+
+- name: No existing cluster found and api server not set
+  ansible.builtin.set_fact:
+    rke2_kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}"
+  when:
+    - rke2_kubernetes_api_server_host == ""
+
+- name: Debug found join_server
+  ansible.builtin.debug:
+    msg: "Join Server: {{ rke2_kubernetes_api_server_host }}"

roles/rke2/tasks/configure_rke2.yml

@@ -7,23 +7,38 @@
     recurse: yes
 
 - name: Run CIS-Hardening Tasks
-  ansible.builtin.include_tasks: cis-hardening.yml
+  ansible.builtin.include_tasks: cis_hardening.yml
 
-- name: Configure registries.yaml
-  ansible.builtin.include_tasks: add-registry-config.yml
+- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}"
+  ansible.builtin.include_tasks: add_ansible_managed_config.yml
+  vars:
+    file_contents: "{{ lookup('file', rke2_registry_config_file_path) }}"
+    file_destination: "/etc/rancher/rke2/registries.yaml"
+    file_description: "registry configuration"
+    file_path: "{{ rke2_registry_config_file_path }}"
 
-- name: Configure audit policy
-  ansible.builtin.include_tasks: add-audit-policy-config.yml
+- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}"
+  ansible.builtin.include_tasks: add_ansible_managed_config.yml
+  vars:
+    file_contents: "{{ lookup('file', rke2_audit_policy_config_file_path) }}"
+    file_destination: "/etc/rancher/rke2/audit-policy.yaml"
+    file_description: "audit policy configuration"
+    file_path: "{{ rke2_audit_policy_config_file_path }}"
   when:
     - inventory_hostname in groups['rke2_servers']
 
-- name: Configure psa policy
-  ansible.builtin.include_tasks: add-pod-security-admission-config.yml
+- name: "Include task file add_ansible_managed_config.yml for {{ file_description }}"
+  ansible.builtin.include_tasks: add_ansible_managed_config.yml
+  vars:
+    file_contents: "{{ lookup('file', rke2_pod_security_admission_config_file_path) }}"
+    file_destination: "/etc/rancher/rke2/pod-security-admission-config.yaml"
+    file_description: "pod security admission config"
+    file_path: "{{ rke2_pod_security_admission_config_file_path }}"
   when:
     - inventory_hostname in groups['rke2_servers']
 
 - name: Configure first server manifests
-  ansible.builtin.include_tasks: add-manifest-addons.yml
+  ansible.builtin.include_tasks: add_manifest_addons.yml
   vars:
     src: "{{ rke2_initial_manifest_config_file_path }}"
   when:

roles/rke2/tasks/first_server.yml

@@ -6,17 +6,17 @@
 - name: Wait for rke2
   ansible.builtin.include_tasks: wait_for_rke2.yml
 
-- name: Add generated Token if none provided
+- name: Determine generated token
   block:
     - name: Wait for node-token
       ansible.builtin.wait_for:
         path: /var/lib/rancher/rke2/server/node-token
 
-    - name: Read node-token from master
+    - name: Read node-token from first server
       ansible.builtin.slurp:
         src: /var/lib/rancher/rke2/server/node-token
       register: node_token
 
-    - name: Store Master node-token
+    - name: Store join node-token
       ansible.builtin.set_fact:
         rke2_config_token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"

roles/rke2/tasks/main.yml

@@ -43,6 +43,9 @@
 - name: Has rke2 been installed already
   ansible.builtin.include_tasks: previous_install.yml
 
+- name: Determine cluster state
+  ansible.builtin.include_tasks: cluster_state.yml
+
 - name: Check for images bundle
   ansible.builtin.include_tasks: images_bundle.yml
   when:
@@ -71,21 +74,29 @@
 - name: RKE2 on first node
   ansible.builtin.include_tasks: first_server.yml
   when:
+    - "rke2_config_token is not defined"
     - inventory_hostname in groups['rke2_servers'][0]
 
 - name: RKE2 on all other nodes
   ansible.builtin.include_tasks: other_nodes.yml
   when:
     - inventory_hostname in groups['rke2_servers'][1:] or
       inventory_hostname in groups.get('rke2_agents', [])
+  when:
+    - "rke2_config_token is not defined"
+
+- name: Confirm configuration on cluster
+  when:
+    - "existing_join_host is defined"
+  ansible.builtin.include_tasks: other_nodes.yml
 
 - name: Configure kubectl,crictl,ctr
   ansible.builtin.include_tasks: utilities.yml
   when:
     - inventory_hostname in groups['rke2_servers']
 
 - name: Configure cluster manifests
-  ansible.builtin.include_tasks: add-manifest-addons.yml
+  ansible.builtin.include_tasks: add_manifest_addons.yml
   vars:
     src: "{{ rke2_cluster_manifest_config_file_path }}"
   when:

roles/rke2/tasks/pre_reqs.yml

@@ -19,4 +19,23 @@
   ansible.builtin.include_tasks: iptables_rules.yml
   when:
     - ansible_facts.services["iptables.service"] is defined
-    - rek2_add_iptables_rules | bool
+    - rke2_add_iptables_rules | bool
+
+- name: Add fapolicyd rules
+  ansible.builtin.copy:
+    content: "{{ fapolicyd_rules }}"
+    dest: /etc/fapolicyd/rules.d/80-rke2.rules
+    mode: '0644'
+    owner: root
+    group: fapolicyd
+  when:
+    - ansible_facts.services["fapolicyd.service"] is defined
+    - ansible_facts.services["fapolicyd.service"].state == "running"
+  vars:
+    fapolicyd_rules: |
+      allow perm=any all : dir=/var/lib/rancher/
+      allow perm=any all : dir=/opt/cni/
+      allow perm=any all : dir=/run/k3s/
+      allow perm=any all : dir=/var/lib/kubelet/
+  notify: Restart fapolicyd
+