From ecc2c41afe4936b4f21cbc733c3487da11828c8b Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 4 May 2022 00:06:49 +0200 Subject: [PATCH] Update k3s deployment --- defaults/main.yml | 2 +- tasks/cluster_k3s.yml | 32 ++++++++++++++------- templates/etc/rancher/k3s/config.yaml.j2 | 21 ++++++++++++++ templates/etc/systemd/system/k3s.service.j2 | 8 ++---- 4 files changed, 45 insertions(+), 18 deletions(-) create mode 100644 templates/etc/rancher/k3s/config.yaml.j2 diff --git a/defaults/main.yml b/defaults/main.yml index ae62123..a6702a2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,6 +6,6 @@ kubernetes_interface: '{{ ansible_default_ipv4.interface }}' # value for kuberntes_network: flannel, calico, weave-net #kubernetes_network: weave-net kubernetes_kubeproxy_mode: ipvs -kubernetes_version: 1.23.5 +kubernetes_version: 1.23.6 kubernetes_pods_network: "10.244.0.0/16" lb_auth_pass: 1be344d62acc46c6858ae8475668a245 diff --git a/tasks/cluster_k3s.yml b/tasks/cluster_k3s.yml index 58aa51f..a1ad874 100644 --- a/tasks/cluster_k3s.yml +++ b/tasks/cluster_k3s.yml 
@@ -5,21 +5,30 @@ # when: # - kubernetes_cni == "wireguard" +- name: Import Rancher key + ansible.builtin.rpm_key: + state: present + key: https://rpm.rancher.io/public.key + when: + - ansible_os_family == "RedHat" + - name: Install the k3s-selinux rpm from a remote repo for yum distro yum: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.1.stable.1/k3s-selinux-1.1-1.el7.noarch.rpm" state: present - disable_gpg_check: yes when: - ansible_pkg_mgr == "yum" + - ansible_os_family == "RedHat" + - ansible_distribution_major_version == '7' - name: Install the k3s-selinux rpm from a remote repo for dnf distro dnf: - name: "https://github.com/k3s-io/k3s-selinux/releases/download/v0.2.stable.1/k3s-selinux-0.2-1.el7_8.noarch.rpm" + name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.1.stable.1/k3s-selinux-1.1-1.el8.noarch.rpm" state: present - disable_gpg_check: yes when: - ansible_pkg_mgr == "dnf" + - ansible_os_family == "RedHat" + - ansible_distribution_major_version == '8' - name: Check if /usr/local/bin/k3s already existe stat: @@ -29,7 +38,7 @@ - name: retreive k3s binary for x86_64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s" + url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s" dest: "/usr/local/bin/k3s" group: root owner: root @@ -40,7 +49,7 @@ - name: retreive k3s binary for arm64 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s-arm64" + url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s-arm64" dest: "/usr/local/bin/k3s" group: root owner: root 
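Review bot: The new `Import Rancher key` task trusts whatever `https://rpm.rancher.io/public.key` serves at run time, so the GPG check this hunk re-enables by dropping `disable_gpg_check: yes` is only as strong as that one TLS fetch. Pinning the key on the `rpm_key` task with `fingerprint: "<RANCHER_KEY_FINGERPRINT>"`, or shipping the key file with the role, would anchor the trust in the repository instead. Separately, the added `ansible_distribution_major_version == '7'` / `'8'` conditions mean other RedHat-family releases get no k3s-selinux package, while the config template added in this commit sets `selinux: true` for every RedHat-family host. It is worth confirming that combination is intended.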
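Review bot: The three `get_url` tasks that fetch the k3s binary (this hunk for x86_64, and the arm64 and armhf hunks that follow) install a root-owned executable with no integrity check, so the bump to v1.23.6+k3s1 trusts whatever the release URL returns. Adding `checksum: "sha256:<SHA256_OF_THIS_RELEASE_BINARY>"` to each task would pin the artifact. The release tag is also hard-coded in each URL separately from `kubernetes_version` in defaults/main.yml, so the two can drift; building the URL from that variable would keep them in step. The task bodies continue outside the hunks.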
@@ -51,7 +60,7 @@ - name: retreive k3s binary for armv6/armv7 get_url: - url: "https://github.com/rancher/k3s/releases/download/v1.23.2%2Bk3s1/k3s-armhf" + url: "https://github.com/rancher/k3s/releases/download/v1.23.6%2Bk3s1/k3s-armhf" dest: "/usr/local/bin/k3s" group: root owner: root @@ -140,14 +149,15 @@ block: - name: Deploy systemd service template: - src: "etc/systemd/system/{{ item }}.j2" - dest: "/etc/systemd/system/{{ item }}" + src: "{{ item }}.j2" + dest: "{{ item }}" owner: root group: root mode: 0600 with_items: - - "k3s.service" - - "k3s.service.env" + - "etc/systemd/system/k3s.service" + - "etc/systemd/system/k3s.service.env" + - "etc/rancher/k3s/config.yaml" when: - ansible_service_mgr == "systemd" diff --git a/templates/etc/rancher/k3s/config.yaml.j2 b/templates/etc/rancher/k3s/config.yaml.j2 new file mode 100644 index 0000000..ae8b6f3 --- /dev/null +++ b/templates/etc/rancher/k3s/config.yaml.j2 @@ -0,0 +1,21 @@ +flannel-backend: wireguard +{% if kubernetes_master|bool %} +{% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} +cluster-init: true +{% else %} +server: https://{{ kubernetes_master }}:6443 +token: ${NODE_TOKEN} +{% endif %} +{% else %} +server: https://{{ kubernetes_master }}:6443 +token: ${NODE_TOKEN} +{% endif %} +#node-label: +# - "foo=bar" +# - "something=amazing" +{% if ansible_os_family == "RedHat" %} +selinux: true +{% endif %} +secrets-encryption: true +disable: + - traefik diff --git a/templates/etc/systemd/system/k3s.service.j2 b/templates/etc/systemd/system/k3s.service.j2 index 03f00a5..206c539 100644 --- a/templates/etc/systemd/system/k3s.service.j2 +++ b/templates/etc/systemd/system/k3s.service.j2 
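Review bot: In the `Deploy systemd service` task, `dest: "{{ item }}"` is now a relative path, because the loop items (`etc/systemd/system/k3s.service`, and so on) carry no leading slash. The files would be written relative to the remote working directory rather than under `/etc`; `dest: "/{{ item }}"` restores the absolute target while keeping the shared item list. No task visible in this hunk creates `/etc/rancher/k3s`, and `template` does not create parent directories, so a preceding `file` task with `state: directory` may be needed. The task name no longer matches what it deploys now that it also writes the k3s config. The enclosing `block:` starts and ends outside the hunk.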
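Review bot: Both `token: ${NODE_TOKEN}` lines in the new config.yaml.j2 are likely to reach k3s as the literal text `${NODE_TOKEN}`. The `${...}` form was expanded by systemd while it sat on the `ExecStart` lines that the k3s.service.j2 hunk of this commit removes, and as far as I can tell k3s does not substitute environment variables inside its config file. If so, joining servers and agents would fail to authenticate. One option is to drop the `token:` lines and export the value as `K3S_TOKEN` in k3s.service.env, which k3s reads directly; another is to render the real value from an Ansible variable, since the file is already deployed with mode 0600.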
@@ -7,13 +7,9 @@ After=network-online.target Type=notify EnvironmentFile=/etc/systemd/system/k3s.service.env {% if kubernetes_master|bool %} -{% if vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined %} -ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --cluster-init --selinux +ExecStart=/usr/local/bin/k3s server {% else %} -ExecStart=/usr/local/bin/k3s server --flannel-backend=wireguard --disable traefik --secrets-encryption --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux -{% endif %} -{% else %} -ExecStart=/usr/local/bin/k3s agent --server https://{{ kubernetes_master }}:6443 --token ${NODE_TOKEN} --selinux +ExecStart=/usr/local/bin/k3s agent {% endif %} KillMode=process Delegate=yes
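Review bot: With every option stripped from both `ExecStart` lines, nothing in the unit says where the flags went; a comment above them such as `# Options are read from /etc/rancher/k3s/config.yaml` would help whoever debugs the service next. `EnvironmentFile=` is kept, but after this change no variable from it is referenced in the visible part of the unit, so only variables that k3s reads on its own would still take effect. It is worth checking that k3s.service.env still serves a purpose. The unit file starts and ends outside the hunk.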