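---
# Tasks that install k3s on a host: optional WireGuard role, the k3s-selinux
# policy on RHEL-family hosts, the k3s binary, optional LVM volumes, kernel
# hardening sysctls, control-plane configuration files and the systemd unit.
# Facts read: ansible_os_family, ansible_pkg_mgr,
# ansible_distribution_major_version, ansible_machine, ansible_selinux,
# ansible_service_mgr, ansible_hostname, group_names.
# Inventory variables read: kubernetes_k3s_version, kubernetes_lvm,
# kubernetes_server, kubernetes_master, kubernetes_cluster_name.

- name: Install Wireguard
  ansible.builtin.include_role:
    name: wireguard
  when:
    # - kubernetes_cni == "wireguard"
    - "'Vpn' not in group_names"

- name: Import Rancher key
  ansible.builtin.rpm_key:
    state: present
    key: https://rpm.rancher.io/public.key
  when:
    - ansible_os_family == "RedHat"

- name: Install the k3s-selinux rpm from a remote repo for yum distro
  ansible.builtin.yum:
    name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.6.stable.1/k3s-selinux-1.6-1.el7.noarch.rpm"
    state: present
  when:
    - ansible_pkg_mgr == "yum"
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == '7'

- name: Install the k3s-selinux rpm from a remote repo for dnf distro
  ansible.builtin.dnf:
    name: "https://github.com/k3s-io/k3s-selinux/releases/download/v1.6.stable.1/k3s-selinux-1.6-1.el{{ ansible_distribution_major_version }}.noarch.rpm"
    state: present
  when:
    - ansible_pkg_mgr == "dnf"
    - ansible_os_family == "RedHat"
    # Compare as an integer: as strings, '10' >= '8' is false.
    - ansible_distribution_major_version | int >= 8

- name: Check if /usr/local/bin/k3s already existe
  ansible.builtin.stat:
    path: /usr/local/bin/k3s
  register: k3s_bin
  check_mode: false
  changed_when: false

# The k3s release publishes sha256sum-<arch>.txt next to the binaries.
# get_url looks up the URL's basename (k3s, k3s-arm64, k3s-armhf) in that
# file, so a truncated or altered download fails the task instead of being
# installed as /usr/local/bin/k3s.
- name: Retreive k3s binary for x86_64
  ansible.builtin.get_url:
    url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/k3s"
    checksum: "sha256:https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/sha256sum-amd64.txt"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
    mode: "0755"
  when:
    - not k3s_bin.stat.exists
    - ansible_machine == "x86_64"

- name: Retreive k3s binary for arm64
  ansible.builtin.get_url:
    url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/k3s-arm64"
    checksum: "sha256:https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/sha256sum-arm64.txt"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
    mode: "0755"
  when:
    - not k3s_bin.stat.exists
    - ansible_machine == "arm64"

- name: Retreive k3s binary for armv6/armv7
  ansible.builtin.get_url:
    url: "https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/k3s-armhf"
    checksum: "sha256:https://github.com/rancher/k3s/releases/download/v{{ kubernetes_k3s_version | urlencode }}/sha256sum-arm.txt"
    dest: "/usr/local/bin/k3s"
    group: root
    owner: root
    mode: "0755"
  when:
    - not k3s_bin.stat.exists
    - (ansible_machine == "armv7l") or (ansible_machine == "armv6l")

# kubectl, crictl and ctr are the k3s multi-call binary under other names.
- name: Create tools link
  ansible.builtin.file:
    src: "k3s"
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    state: link
  loop:
    - "kubectl"
    - "crictl"
    - "ctr"

- name: Create logical volume for k3s
  when:
    - kubernetes_lvm | bool
  vars:
    # Single definition of the k3s volumes, shared by the three tasks below.
    k3s_lvm_volumes:
      - name: var_lib_k3s
        vg: vg_sys
        size: 10g
        mount_point: /var/lib/rancher/k3s
        mount_opts: "discard"
  block:
    - name: Create thin volumes for k3s
      community.general.lvol:
        vg: "{{ item.vg }}"
        lv: "{{ item.name }}"
        thinpool: kubernetes
        size: "{{ item.size }}"
      loop: "{{ k3s_lvm_volumes }}"

    - name: Create file system on containerd lv
      community.general.filesystem:
        fstype: ext4
        dev: "/dev/{{ item.vg }}/{{ item.name }}"
      loop: "{{ k3s_lvm_volumes }}"

    - name: Mount logical volumes
      ansible.posix.mount:
        name: "{{ item.mount_point }}"
        src: "/dev/{{ item.vg }}/{{ item.name }}"
        fstype: ext4
        opts: "{{ item.mount_opts }}"
        state: mounted
      loop: "{{ k3s_lvm_volumes }}"

# Kernel settings the kubelet expects when started with
# --protect-kernel-defaults; written to their own sysctl.d file.
- name: Ensure protect-kernel-defaults is set
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: /etc/sysctl.d/90-kubelet.conf
    reload: true
  loop:
    - { name: "vm.panic_on_oom", value: "0" }
    - { name: "vm.overcommit_memory", value: "1" }
    - { name: "kernel.panic", value: "10" }
    - { name: "kernel.panic_on_oops", value: "1" }
  when:
    - kubernetes_server | bool

- name: /etc/kubernetes directory
  ansible.builtin.file:
    path: "/etc/kubernetes"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when:
    - kubernetes_master | bool

- name: Configure Pod Security
  ansible.builtin.copy:
    src: "etc/kubernetes/psa.yaml"
    dest: "/etc/kubernetes/psa.yaml"
    group: root
    owner: root
    mode: "0644"
  when:
    - kubernetes_master | bool

- name: Audit policies directory
  ansible.builtin.file:
    path: "/etc/kubernetes/policies"
    state: directory
    owner: root
    group: root
    mode: "0700"
  when:
    - kubernetes_master | bool

- name: Configure audit policy
  ansible.builtin.copy:
    src: "etc/kubernetes/policies/audit-policy.yaml"
    dest: "/etc/kubernetes/policies/audit-policy.yaml"
    group: root
    owner: root
    mode: "0644"
  when:
    - kubernetes_master | bool

# Check controllers: a master that already has k3s.yaml is considered
# configured and joins the per-cluster KubernetesMasterConfigured group.
- name: Check if /etc/rancher/k3s/k3s.yaml already existe
  ansible.builtin.stat:
    path: /etc/rancher/k3s/k3s.yaml
  register: st
  check_mode: false
  changed_when: false
  when:
    - kubernetes_master | bool

- name: Create KubernetesMasterConfigured group
  ansible.builtin.group_by:
    key: "KubernetesMasterConfigured_{{ kubernetes_cluster_name }}"
  check_mode: false
  when:
    - kubernetes_master | bool
    - st.stat.exists

# First controller: runs only on masters while no master of this cluster
# is in the KubernetesMasterConfigured group yet.
- name: Configure first controler
  # run_once: true
  when:
    - kubernetes_master | bool
    - vars['KubernetesMasterConfigured_' ~ kubernetes_cluster_name] is not defined
  block:
    - name: Create k3s directories on master nodes
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: "0700"
      loop:
        - "/etc/rancher"
        - "/etc/rancher/k3s"
        - "/etc/rancher/k3s/config.yaml.d"
        - "/var/lib/rancher"
        - "/var/lib/rancher/k3s"
        - "/var/lib/rancher/k3s/server"
        - "/var/lib/rancher/k3s/server/manifests"
      when:
        - kubernetes_master | bool

    # NOTE(review): this task sits inside the first-controller block, so
    # despite its name it only runs on that host — confirm this is intended.
    - name: Create k3s directories on all nodes
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: "0700"
      loop:
        - "/var/lib/rancher/k3s/storage"

    # Equivalent of:
    # semanage fcontext -a -t container_file_t "/var/lib/rancher/k3s/storage(/.*)?"
    # Only attempted when SELinux is active; the sefcontext module needs the
    # SELinux Python bindings, which hosts without SELinux do not have.
    - name: Allow K3S local-path provisioner to create directories in /var/lib/rancher/k3s/storage
      community.general.sefcontext:
        target: '/var/lib/rancher/k3s/storage(/.*)?'
        setype: container_file_t
        state: present
      register: k3s_storage_fcontext
      when:
        - ansible_selinux.status | default("disabled") == "enabled"

    # Relabel only when the context definition actually changed, so the
    # command does not report a change on every run.
    - name: Apply new SELinux file context to filesystem
      ansible.builtin.command: restorecon -R /var/lib/rancher/k3s/storage/
      when:
        - k3s_storage_fcontext is changed

    - name: Deploy Network Policies
      ansible.builtin.template:
        src: "{{ item }}.j2"
        dest: "/{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - "var/lib/rancher/k3s/server/manifests/np-00-intra-namespace.yaml"
        - "var/lib/rancher/k3s/server/manifests/np-01-default-network-dns-policy.yaml"
        - "var/lib/rancher/k3s/server/manifests/np-03-metrics-server-traefik.yaml"
      when:
        - kubernetes_master | bool

    - name: Deploy systemd service
      ansible.builtin.template:
        src: "{{ item }}.j2"
        dest: "/{{ item }}"
        owner: root
        group: root
        mode: "0600"
      loop:
        - "etc/systemd/system/k3s.service"
        - "etc/systemd/system/k3s.service.env"
        - "etc/rancher/k3s/config.yaml"
      when:
        - ansible_service_mgr == "systemd"

    - name: Reload systemd
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Enable k3s on boot
      ansible.builtin.service:
        name: k3s
        state: started
        enabled: true

    - name: Wait for k3s.yaml
      ansible.builtin.wait_for:
        path: /etc/rancher/k3s/k3s.yaml

    - name: Wait for token
      ansible.builtin.wait_for:
        path: /var/lib/rancher/k3s/server/token

    - name: Add {{ ansible_hostname }} to KubernetesMasterConfigured group
      ansible.builtin.group_by:
        key: "KubernetesMasterConfigured_{{ kubernetes_cluster_name }}"
      check_mode: false

# chmod -R 600 /var/lib/rancher/k3s/server/tls/*.crt
# Missing: kubernetes_server_token, kubernetes_master url
# - name: Deploy systemd service
#   ansible.builtin.template:
#     src: "etc/systemd/system/{{ item }}.j2"
#     dest: "/etc/systemd/system/{{ item }}"
#     owner: root
#     group: root
#     mode: "0600"
#   with_items:
#     - "k3s.service"
#     - "k3s.service.env"
#   when:
#     - ansible_service_mgr == "systemd"

# Runs on every host; the task of the same name above only ran on the
# first controller.
- name: Enable k3s on boot
  ansible.builtin.service:
    name: k3s
    state: started
    enabled: true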