Merge pull request #231 from rancherfederal/fix-cis-hardening-with-ta…

…r-url fix the CIS hardening steps when tar URL is used
rancherfederal · May 24, 2024 · 9560581 · 9560581
2 parents 88e70d3 + 860877f
commit 9560581
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 39 deletions.
diff --git a/roles/rke2_common/tasks/cis-hardening.yml b/roles/rke2_common/tasks/cis-hardening.yml
@@ -27,6 +27,7 @@
       when:
         - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
         - not rke2_binary_tarball_check.stat.exists
+        - rke2_tarball_url is not defined or rke2_tarball_url == ""
 
     - name: Copy systemctl file for kernel hardening for non-yum installs
       ansible.builtin.copy:
@@ -38,7 +39,8 @@
       when: >-
         (ansible_facts['os_family'] != 'RedHat' and
         ansible_facts['os_family'] != 'Rocky') or
-        rke2_binary_tarball_check.stat.exists
+        rke2_binary_tarball_check.stat.exists or
+        (rke2_tarball_url is defined and rke2_tarball_url != "")
 
     - name: Restart systemd-sysctl
       ansible.builtin.service:

diff --git a/roles/rke2_common/tasks/main.yml b/roles/rke2_common/tasks/main.yml
@@ -24,7 +24,7 @@
   ansible.builtin.include_tasks: calculate_rke2_version.yml
   when:
     - not rke2_binary_tarball_check.stat.exists
-    - rke2_tarball_url == ""
+    - rke2_tarball_url is not defined or rke2_tarball_url == ""
 
 - name: SLES/Ubuntu/Tarball Installation
   ansible.builtin.include_tasks: tarball_install.yml
@@ -33,7 +33,7 @@
       ((ansible_facts['os_family'] != 'RedHat' and
       ansible_facts['os_family'] != 'Rocky') or
       rke2_binary_tarball_check.stat.exists or
-      rke2_tarball_url != "" )
+      (rke2_tarball_url is defined and rke2_tarball_url != ""))
 
 - name: RHEL/CentOS Installation
   when:

diff --git a/roles/rke2_server/tasks/other_servers.yml b/roles/rke2_server/tasks/other_servers.yml
@@ -30,44 +30,42 @@
   when:
     - '"server:" not in server_url_check.stdout'
 
-- name: Start and wait for healthy node
+- name: Start rke2-server
   throttle: 1
-  block:
-    - name: Start rke2-server
-      ansible.builtin.systemd:
-        name: rke2-server
-        state: started
-        enabled: yes
+  ansible.builtin.systemd:
+    name: rke2-server
+    state: started
+    enabled: yes
 
-    - name: Wait for k8s apiserver reachability
-      ansible.builtin.wait_for:
-        host: "{{ kubernetes_api_server_host }}"
-        port: "6443"
-        state: present
-        timeout: 300
+- name: Wait for k8s apiserver reachability
+  ansible.builtin.wait_for:
+    host: "{{ kubernetes_api_server_host }}"
+    port: "6443"
+    state: present
+    timeout: 300
 
-    - name: Wait for kubelet process to be present on host
-      ansible.builtin.command: >-
-        ps -C kubelet -F -ww --no-headers
-      register: kubelet_check
-      until: kubelet_check.rc == 0
-      retries: 20
-      delay: 10
-      changed_when: false
+- name: Wait for kubelet process to be present on host
+  ansible.builtin.command: >-
+    ps -C kubelet -F -ww --no-headers
+  register: kubelet_check
+  until: kubelet_check.rc == 0
+  retries: 20
+  delay: 10
+  changed_when: false
 
-    - name: Extract the hostname-override parameter from the kubelet process
-      ansible.builtin.set_fact:
-        kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \
-          regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\
-          '\\1') }}"
+- name: Extract the hostname-override parameter from the kubelet process
+  ansible.builtin.set_fact:
+    kubelet_hostname_override_parameter: "{{ kubelet_check.stdout | \
+      regex_search('\\s--hostname-override=((([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]))\\s',\
+      '\\1') }}"
 
-    - name: Wait for node to show Ready status
-      ansible.builtin.command: >-
-        /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml
-        --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }}
-        -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
-      register: status_result
-      until: status_result.stdout.find("True") != -1
-      retries: 20
-      delay: 10
-      changed_when: false
+- name: Wait for node to show Ready status
+  ansible.builtin.command: >-
+    /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml
+    --server https://127.0.0.1:6443 get no {{ kubelet_hostname_override_parameter[0] }}
+    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
+  register: status_result
+  until: status_result.stdout.find("True") != -1
+  retries: 20
+  delay: 10
+  changed_when: false