validating

rancherfederal · Jun 17, 2024 · d105fb5 · d105fb5
1 parent aee3ff5
commit d105fb5
Show file tree

Hide file tree

Showing 18 changed files with 149 additions and 185 deletions.
diff --git a/roles/rke2/defaults/main.yml b/roles/rke2/defaults/main.yml
@@ -4,11 +4,13 @@ tarball_dir: "/usr/local"
 rke2_local_tarball_path: ""
 rke2_tarball_url: ""
 rke2_images_urls: []
+rke2_images_local_tarball_path: []
 rke2_channel: stable
 audit_policy_config_file_path: ""
 registry_config_file_path: ""
 pod_security_admission_config_file_path: ""
 add_iptables_rules: false
+cluster_manifest_config_file_path: ""
 rke2_common_yum_repo:
   name: rancher-rke2-common
   description: "Rancher RKE2 Common Latest"

diff --git a/roles/rke2/handlers/main.yml b/roles/rke2/handlers/main.yml
@@ -5,27 +5,34 @@
     state: restarted
     name: systemd-sysctl
   when:
-    - reboot is not defined
+    - not reboot
 
 - name: Restart rke2-server
   ansible.builtin.service:
     state: restarted
     name: rke2-server
   throttle: 1
   when:
-    - reboot is not defined
+    - not reboot
 
 - name: Restart rke2-agent
   ansible.builtin.service:
     state: restarted
     name: rke2-agent
   throttle: 1
   when:
-    - reboot is not defined
+    - not reboot
 
 - name: Reboot the machine
   ansible.builtin.reboot:
     reboot_timeout: 300
   throttle: 1
   when:
     - reboot
+
+- name: Reload NetworkManager
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: reloaded
+  when:
+    - not reboot
diff --git a/roles/rke2/tasks/add-audit-policy-config.yml b/roles/rke2/tasks/add-audit-policy-config.yml
@@ -1,14 +1,39 @@
 ---
-- name: Create the /etc/rancher/rke2 config dir
-  ansible.builtin.file:
-    path: /etc/rancher/rke2
-    state: directory
-    recurse: yes
-
 - name: Add audit policy configuration file
-  ansible.builtin.copy:
-    src: "{{ audit_policy_config_file_path }}"
+  vars:
+    file_contents: "{{ lookup('file', audit_policy_config_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
     dest: "/etc/rancher/rke2/audit-policy.yaml"
     mode: '0640'
     owner: root
     group: root
+  when:
+    - audit_policy_config_file_path|length != 0
+  notify: "Restart {{ service_name }}"
+
+- name: Remove audit policy configuration file
+  when:
+    - audit_policy_config_file_path|length == 0
+  block:
+    - name: Check that the audit policy config file exists
+      ansible.builtin.stat:
+        path: "/etc/rancher/rke2/audit-policy.yaml"
+      register: stat_result
+
+    - name: "Check that the audit policy config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "/etc/rancher/rke2/audit-policy.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: Remove the audit policy config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/etc/rancher/rke2/audit-policy.yaml"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false
+      notify: "Restart {{ service_name }}"
diff --git a/roles/rke2/tasks/add-pod-security-admission-config.yml b/roles/rke2/tasks/add-pod-security-admission-config.yml
@@ -1,10 +1,4 @@
 ---
-- name: Create the /etc/rancher/rke2 config dir
-  ansible.builtin.file:
-    path: /etc/rancher/rke2
-    state: directory
-    recurse: yes
-
 - name: Add pod security admission config file
   vars:
     file_contents: "{{ lookup('file', pod_security_admission_config_file_path) }}"
@@ -15,9 +9,8 @@
     owner: root
     group: root
   when:
-    - pod_security_admission_config_file_path is defined
     - pod_security_admission_config_file_path|length != 0
-  notify: Restart rke2-server
+  notify: "Restart {{ service_name }}"
 
 - name: Remove pod security admission config file
   when:
@@ -43,3 +36,4 @@
         state: absent
       when:
         - ansible_managed_check.changed | bool is false
+      notify: "Restart {{ service_name }}"
diff --git a/roles/rke2/tasks/add-registry-config.yml b/roles/rke2/tasks/add-registry-config.yml
@@ -1,26 +1,39 @@
 ---
-- name: Create the /etc/rancher/rke2 config dir
-  ansible.builtin.file:
-    path: /etc/rancher/rke2
-    state: directory
-    recurse: yes
-
 - name: Add registry configuration file
-  ansible.builtin.copy:
-    src: "{{ registry_config_file_path }}"
+  vars:
+    file_contents: "{{ lookup('file', registry_config_file_path) }}"
+  ansible.builtin.template:
+    src: ansible_header.j2
     dest: "/etc/rancher/rke2/registries.yaml"
     mode: '0640'
     owner: root
     group: root
-  when: rke2_common_caller_role_name == "server"
-  notify: Restart rke2-server
+  when:
+    - registry_config_file_path|length != 0
+  notify: "Restart {{ service_name }}"
 
-- name: Add registry configuration file
-  ansible.builtin.copy:
-    src: "{{ registry_config_file_path }}"
-    dest: "/etc/rancher/rke2/registries.yaml"
-    mode: '0640'
-    owner: root
-    group: root
-  when: rke2_common_caller_role_name == "agent"
-  notify: Restart rke2-agent
+- name: Remove registry configuration file
+  when:
+    - registry_config_file_path|length == 0
+  block:
+    - name: Check that the registry config file exists
+      ansible.builtin.stat:
+        path: "/etc/rancher/rke2/registries.yaml"
+      register: stat_result
+
+    - name: "Check that the registry config file has ansible managed comments"
+      ansible.builtin.lineinfile:
+        name: "/etc/rancher/rke2/registries.yaml"
+        line: '## This is an Ansible managed file, contents will be overwritten ##'
+        state: present
+      check_mode: yes
+      register: ansible_managed_check
+      when: stat_result.stat.exists | bool is true
+
+    - name: Remove the registry config file if exists and has ansible managed comments
+      ansible.builtin.file:
+        path: "/etc/rancher/rke2/registries.yaml"
+        state: absent
+      when:
+        - ansible_managed_check.changed | bool is false
+      notify: "Restart {{ service_name }}"
diff --git a/roles/rke2/tasks/calculate_rke2_version.yml b/roles/rke2/tasks/calculate_rke2_version.yml
@@ -3,10 +3,10 @@
 - name: "Calculate rke2 full version"
   when: ( install_rke2_version is not defined ) or ( install_rke2_version | length == 0 )
   block:
-    - name: Stop if the provided is not valid
-      ansible.builtin.fail:
-        msg: "Provided channel is not valid"
-      when: rke2_channel not in channels
+    # - name: Stop if the provided is not valid
+    #   ansible.builtin.fail:
+    #     msg: "Provided channel is not valid"
+    #   when: rke2_channel not in channels
 
     - name: Get full version name url
       ansible.builtin.uri:

diff --git a/roles/rke2/tasks/cis-hardening.yml b/roles/rke2/tasks/cis-hardening.yml
@@ -1,9 +1,9 @@
 ---
+
 - name: CIS MODE
   become: yes
   when: rke2_config.profile | default("") | regex_search('^cis(-\\d+.\\d+)?$')
   block:
-
     - name: Create etcd group
       ansible.builtin.group:
         name: etcd
@@ -28,7 +28,7 @@
         - install_method == "rpm"
       notify:
         - Restart systemd-sysctl
-        - Restart {{ service_name }}
+        - "Restart {{ service_name }}"
         - Reboot the machine
 
     - name: Copy systemctl file for kernel hardening for non-yum installs
@@ -42,15 +42,9 @@
         - install_method == "tarball"
       notify:
         - Restart systemd-sysctl
-        - Restart {{ service_name }}
+        - "Restart {{ service_name }}"
         - Reboot the machine
 
-    # - name: Restart systemd-sysctl
-    #   ansible.builtin.service:
-    #     state: restarted
-    #     name: systemd-sysctl
-    #   when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed
-
     # Per CIS hardening guide, if Kubernetes is already running, making changes to sysctl can result in unexpected
     # side-effects. Rebooting node if RKE2 is already running to prevent potential issues whereas before we were
     # always rebooting, even if the node was brand new and RKE2 not running yet.
@@ -61,10 +55,3 @@
         - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed)
         - rke2_running is defined
         - rke2_running
-      # ansible.builtin.reboot:
-      #   reboot_timeout: 300
-      # throttle: 1
-      # when:
-      #   - (sysctl_operation_yum.changed or sysctl_operation_tarball.changed)
-      #   - rke2_running is defined
-      #   - rke2_running
diff --git a/roles/rke2/tasks/config.yml b/roles/rke2/tasks/config.yml
@@ -256,21 +256,3 @@
     path: /tmp/ansible-config.txt
     state: absent
   changed_when: false
-
-- name: Restart rke2-server if package installed and config changed or RKE2 version changed
-  ansible.builtin.service:
-    state: restarted
-    name: rke2-server
-  when:
-    - ansible_facts.services["rke2-server.service"] is defined
-    - "ansible_facts.services['rke2-server.service'].state == 'running'"
-    - (tmp_sha1 != previous_rke2_config.stat.checksum or (rke2_version_changed | default(false)))
-
-- name: Restart rke2-agent if package installed and config changed or RKE2 version changed
-  ansible.builtin.service:
-    state: restarted
-    name: rke2-agent
-  when:
-    - ansible_facts.services["rke2-agent.service"] is defined
-    - "ansible_facts.services['rke2-agent.service'].state == 'running'"
-    - (tmp_sha1 != previous_rke2_config.stat.checksum or (rke2_version_changed | default(false)))
diff --git a/roles/rke2/tasks/configure_rke2.yml b/roles/rke2/tasks/configure_rke2.yml
@@ -1,23 +1,26 @@
 ---
 
+- name: Create the /etc/rancher/rke2 config dir
+  ansible.builtin.file:
+    path: /etc/rancher/rke2
+    state: directory
+    recurse: yes
+
 - name: Run CIS-Hardening Tasks
   ansible.builtin.include_tasks: cis-hardening.yml
 
 - name: Configure registries.yaml
   ansible.builtin.include_tasks: add-registry-config.yml
-  when: registry_config_file_path | length > 0
 
 - name: Configure audit policy
   ansible.builtin.include_tasks: add-audit-policy-config.yml
   when:
     - inventory_hostname in groups['rke2_servers']
-    - audit_policy_config_file_path | length > 0
 
 - name: Configure psa policy
   ansible.builtin.include_tasks: add-pod-security-admission-config.yml
   when:
     - inventory_hostname in groups['rke2_servers']
-    - pod_security_admission_config_file_path | length > 0
 
 - name: Configure first server manifests
   ansible.builtin.include_tasks: add-manifest-addons.yml

diff --git a/roles/rke2/tasks/first_server.yml b/roles/rke2/tasks/first_server.yml
@@ -6,7 +6,7 @@
 - name: Wait for rke2
   ansible.builtin.include_tasks: wait_for_rke2.yml
 
-- name: Add generated Token if none provided  ### <- what's the intent here?
+- name: Add generated Token if none provided
   block:
     - name: Wait for node-token
       ansible.builtin.wait_for:

diff --git a/roles/rke2/tasks/images_bundle.yml b/roles/rke2/tasks/images_bundle.yml
@@ -0,0 +1,28 @@
+---
+
+- name: Create images directory
+  ansible.builtin.file:
+    path: /var/lib/rancher/rke2/agent/images
+    state: directory
+    mode: '0644'
+
+- name: Download images tar files url
+  ansible.builtin.get_url:
+    url: "{{ item }}"
+    dest: "/var/lib/rancher/rke2/agent/images"
+    mode: "0644"
+  when:
+    - rke2_images_urls != []
+  with_items: "{{ rke2_images_urls }}"
+  notify: "Restart {{ service_name }}"
+
+- name: Copy local tarball images
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /var/lib/rancher/rke2/agent/images/
+    mode: '0644'
+  with_items:
+    - "{{ rke2_images_local_tarball_path }}"
+  when:
+    - rke2_images_local_tarball_path != []
+  notify: "Restart {{ service_name }}"
diff --git a/roles/rke2/tasks/images_tarball_install.yml b/roles/rke2/tasks/images_tarball_install.yml