variables to activate become for some steps

README.md

@@ -79,6 +79,10 @@ consistency.
 | `k3s_datastore_cafile`           | Define the database TLS CA file.                                                    | _NULL_                                  |
 | `k3s_datastore_certfile`         | Define the database TLS Cert file.                                                  | _NULL_                                  |
 | `k3s_datastore_keyfile`          | Define the database TLS Key file.                                                   | _NULL_                                  |
+| `k3s_become_for_all`             | Enable become for all (where value for `k3s_become_for_*` is _NULL_                 | `false`                                 |
+| `k3s_become_for_systemd`         | Enable become for systemd                                                           | _NULL_                                  |
+| `k3s_become_for_install_dir`     | Enable become for writing to `k3s_install_dir`                                      | _NULL_                                  |
+| `k3s_become_for_usr_local_bin`   | Enable become for writing to /usr/local/bin/                                        | _NULL_                                  |
 | `k3s_dqlite_datastore`           | Use DQLite as the database backend for HA. (EXPERIMENTAL)                           | `false`                                 |
 | `k3s_secrets_encryption`         | Use secrets encryption at rest. (EXPERIMENTAL)                                      | `false`                                 |
 

defaults/main.yml

@@ -98,3 +98,9 @@ k3s_default_local_storage_path: false
 
 # Use secret encryption at rest (EXPERIMENTAL)
 k3s_secrets_encryption: false
+
+# with become privileges for
+k3s_become_for_all: false
+k3s_become_for_systemd: null
+k3s_become_for_install_dir: null
+k3s_become_for_usr_local_bin: null

handlers/main.yml

@@ -4,6 +4,7 @@
   systemd:
     daemon_reload: true
     scope: "{{ k3s_systemd_context }}"
+  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
 
 - name: restart k3s
   systemd:
@@ -11,6 +12,7 @@
     state: restarted
     scope: "{{ k3s_systemd_context }}"
     enabled: true
+  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
 
 - name: restart docker
   systemd:

tasks/build/download-k3s.yml

@@ -35,3 +35,4 @@
     dest: "{{ k3s_install_dir }}/k3s-{{ k3s_release_version }}"
     checksum: "sha256:{{ k3s_hash_sum }}"
     mode: 0755
+  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all)  }}"

tasks/build/install-k3s.yml

@@ -16,6 +16,7 @@
         or (k3s_primary_control_node and k3s_controller_count | length > 1)
   notify:
     - reload systemd
+  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"
 
 - meta: flush_handlers
 
@@ -24,12 +25,14 @@
     src: k3s-killall.sh.j2
     dest: "/usr/local/bin/k3s-killall.sh"
     mode: 0700
+  become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
 
 - name: Ensure k3s uninstall script is present on all nodes
   template:
     src: k3s-uninstall.sh.j2
     dest: "/usr/local/bin/k3s-uninstall.sh"
     mode: 0700
+  become: "{{ k3s_become_for_usr_local_bin | ternary(true, false, k3s_become_for_all) }}"
 
 - name: Ensure k3s is symlinked into the installation destinations
   file:
@@ -43,6 +46,7 @@
     - kubectl
     - crictl
     - ctr
+  become: "{{ k3s_become_for_install_dir | ternary(true, false, k3s_become_for_all) }}"
 
 - name: Ensure k3s control plane is started
   systemd:
@@ -52,3 +56,4 @@
     scope: "{{ k3s_systemd_context }}"
   when: (k3s_control_node and k3s_controller_count | length == 1)
         or (k3s_primary_control_node and k3s_controller_count | length > 1)
+  become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"