diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58b0408..4e1325c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,7 @@ jobs: - name: Run Molecule tests run: molecule test --scenario-name "${{ matrix.scenario }}" + # continue-on-error: true env: PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' diff --git a/README.md b/README.md index ddcfcbd..e8fa3d5 100644 --- a/README.md +++ b/README.md 
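Review bot: The added `# continue-on-error: true` under the Molecule step is disabled configuration with no explanation, so a reader cannot tell whether it is a debugging leftover or an intended escape hatch. Switching it on would let a failing `molecule test` run report green, so if the line is kept it needs a comment stating when it may be enabled, e.g. `# continue-on-error: true  # only for local bisection of a flaky scenario, never on the default branch`; otherwise drop it. The step's `env:` block continues past the hunk.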
@@ -88,17 +88,23 @@ The below variables change how and when the systemd service unit file for K3S is run. Use this with caution, please refer to the [systemd documentation](https://www.freedesktop.org/software/systemd/man/systemd.unit.html#%5BUnit%5D%20Section%20Options) for more information. -| Variable | Description | Default Value | -|------------------------|----------------------------------------------------------------|---------------| -| `k3s_start_on_boot` | Start k3s on boot. | `true` | -| `k3s_service_requires` | List of required systemd units to k3s service unit. | [] | -| `k3s_service_wants` | List of "wanted" systemd unit to k3s (weaker than "requires"). | []\* | -| `k3s_service_before` | Start k3s before a defined list of systemd units. | [] | -| `k3s_service_after` | Start k3s after a defined list of systemd units. | []\* | +| Variable | Description | Default Value | +|------------------------|----------------------------------------------------------------------|---------------| +| `k3s_start_on_boot` | Start k3s on boot. | `true` | +| `k3s_service_requires` | List of required systemd units to k3s service unit. | [] | +| `k3s_service_wants` | List of "wanted" systemd unit to k3s (weaker than "requires"). | []\* | +| `k3s_service_before` | Start k3s before a defined list of systemd units. | [] | +| `k3s_service_after` | Start k3s after a defined list of systemd units. | []\* | +| `k3s_service_env_vars` | Dictionary of environment variables to use within systemd unit file. | {} | +| `k3s_service_env_file` | Location on host of a environment file to include. | `false`\*\* | \* The systemd unit template **always** specifies `network-online.target` for `wants` and `after`. +\*\* The file must already exist on the target host, this role will not create +nor manage the file. You can manage this file outside of the role with +pre-tasks in your Ansible playbook. 
+ ### Group/Host Variables Below are variables that are set against individual or groups of play hosts. diff --git a/defaults/main.yml b/defaults/main.yml index 6f51b86..85153b2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -91,6 +91,17 @@ k3s_service_before: [] # Start k3s after a defined list of systemd units. k3s_service_after: [] +# Dictionary of environment variables to use within systemd unit file +# Some examples below +k3s_service_env_vars: {} +# PATH: /opt/k3s/bin +# GOGC: 10 + +# Location on host of a environment file to include. This must already exist on +# the target as this role will not populate this file. +k3s_service_env_file: false + + ## # Server Configuration ## diff --git a/molecule/autodeploy/converge.yml b/molecule/autodeploy/converge.yml index 97eb7e9..69df63b 100644 --- a/molecule/autodeploy/converge.yml +++ b/molecule/autodeploy/converge.yml @@ -18,5 +18,7 @@ k3s_server_manifests_urls: - url: https://raw.githubusercontent.com/metallb/metallb/v0.9.6/manifests/namespace.yaml filename: 05-metallb-namespace.yml + k3s_service_env_vars: + GOGC: 10 roles: - role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" diff --git a/molecule/autodeploy/prepare.yml b/molecule/autodeploy/prepare.yml index e7c3acb..01d84eb 100644 --- a/molecule/autodeploy/prepare.yml +++ b/molecule/autodeploy/prepare.yml @@ -3,8 +3,10 @@ hosts: node* become: true tasks: - - name: Ensure apt cache is updated + - name: Ensure apt cache is updated and iptables is installed ansible.builtin.apt: + name: iptables + state: present update_cache: true when: ansible_pkg_mgr == 'apt' diff --git a/molecule/debug/prepare.yml b/molecule/debug/prepare.yml index 2a1a341..5ae730a 100644 --- a/molecule/debug/prepare.yml +++ b/molecule/debug/prepare.yml 
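Review bot: `k3s_service_env_file: false` mixes a boolean into a variable that otherwise holds a path, and neither comment says that the file is consumed as `EnvironmentFile=` or that every entry of `k3s_service_env_vars` is rendered verbatim into the k3s unit file. Unit files under /etc/systemd/system are commonly world-readable and their `Environment=` entries are printed by `systemctl show`, so credentials should not travel through `k3s_service_env_vars`. Suggest extending the comment: `# Rendered as Environment= lines in the k3s unit file (visible via systemctl show); put sensitive values in k3s_service_env_file with restrictive permissions instead.` If the README can follow, `""` is a clearer "unset" default than `false`, since the template only tests truthiness.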
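Review bot: The same two added lines (`name: iptables` / `state: present`) are repeated in seven scenario prepare files — molecule/autodeploy, debug, default, docker, highavailabilitydb, highavailabilityetcd and nodeploy — so a shared prepare include, or a base image with iptables preinstalled, would keep them in step. The task name now claims iptables is installed, but the task still runs only `when: ansible_pkg_mgr == 'apt'`, so on a non-apt image nothing installs it and the name misleads; either add a sibling task for the other package managers or rename it `Ensure apt cache is updated and iptables is installed (apt only)`. Whether any scenario uses a non-apt image is not visible in the diff.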
@@ -2,7 +2,9 @@ - name: Prepare hosts: all tasks: - - name: Ensure apt cache is updated + - name: Ensure apt cache is updated and iptables is installed ansible.builtin.apt: + name: iptables + state: present update_cache: true when: ansible_pkg_mgr == 'apt' diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 2a1a341..5ae730a 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -2,7 +2,9 @@ - name: Prepare hosts: all tasks: - - name: Ensure apt cache is updated + - name: Ensure apt cache is updated and iptables is installed ansible.builtin.apt: + name: iptables + state: present update_cache: true when: ansible_pkg_mgr == 'apt' diff --git a/molecule/docker/prepare.yml b/molecule/docker/prepare.yml index 2a1a341..5ae730a 100644 --- a/molecule/docker/prepare.yml +++ b/molecule/docker/prepare.yml @@ -2,7 +2,9 @@ - name: Prepare hosts: all tasks: - - name: Ensure apt cache is updated + - name: Ensure apt cache is updated and iptables is installed ansible.builtin.apt: + name: iptables + state: present update_cache: true when: ansible_pkg_mgr == 'apt' diff --git a/molecule/highavailabilitydb/converge.yml b/molecule/highavailabilitydb/converge.yml index 300e903..c61eae5 100644 --- a/molecule/highavailabilitydb/converge.yml +++ b/molecule/highavailabilitydb/converge.yml @@ -10,6 +10,7 @@ datastore-endpoint: "postgres://postgres:verybadpass@database:5432/postgres?sslmode=disable" k3s_agent: snapshotter: native + k3s_service_env_file: /tmp/k3s.env pre_tasks: - name: Set each node to be a control node ansible.builtin.set_fact: diff --git a/molecule/highavailabilitydb/prepare.yml b/molecule/highavailabilitydb/prepare.yml index dade9da..d9f5501 100644 --- a/molecule/highavailabilitydb/prepare.yml +++ b/molecule/highavailabilitydb/prepare.yml 
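Review bot: `k3s_service_env_file: /tmp/k3s.env` points a root-run unit's `EnvironmentFile=` at a file in a world-writable directory, which hardening guides consistently advise against for service configuration; it is harmless in a throwaway Molecule container, but scenario files tend to be copied as examples. A root-owned location under /etc would make a better example, with the matching `lineinfile` path in the highavailabilitydb prepare.yml hunk changed alongside. The play's `pre_tasks` continue past the hunk.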
@@ -33,7 +33,16 @@ - name: Prepare nodes hosts: node* tasks: - - name: Ensure apt cache is updated + - name: Ensure apt cache is updated and iptables is installed ansible.builtin.apt: + name: iptables + state: present update_cache: true when: ansible_pkg_mgr == 'apt' + + - name: Ensure environment file exists for k3s_service_env_file + ansible.builtin.lineinfile: + path: /tmp/k3s.env + line: "THISHOST={{ ansible_hostname }}" + mode: 0644 + create: true diff --git a/molecule/highavailabilityetcd/prepare.yml b/molecule/highavailabilityetcd/prepare.yml index a1e6720..b350194 100644 --- a/molecule/highavailabilityetcd/prepare.yml +++ b/molecule/highavailabilityetcd/prepare.yml @@ -33,8 +33,10 @@ - name: Prepare nodes hosts: node* tasks: - - name: Ensure apt cache is updated + - name: Ensure apt cache is updated and iptables is installed ansible.builtin.apt: + name: iptables + state: present update_cache: true when: ansible_pkg_mgr == 'apt' diff --git a/molecule/nodeploy/prepare.yml b/molecule/nodeploy/prepare.yml index 2a1a341..5ae730a 100644 --- a/molecule/nodeploy/prepare.yml +++ b/molecule/nodeploy/prepare.yml @@ -2,7 +2,9 @@ - name: Prepare hosts: all tasks: - - name: Ensure apt cache is updated + - name: Ensure apt cache is updated and iptables is installed ansible.builtin.apt: + name: iptables + state: present update_cache: true when: ansible_pkg_mgr == 'apt' diff --git a/tasks/build/docker/debian/install-prerequisites.yml b/tasks/build/docker/debian/install-prerequisites.yml index b60ae5c..8f94823 100644 --- a/tasks/build/docker/debian/install-prerequisites.yml +++ b/tasks/build/docker/debian/install-prerequisites.yml @@ -6,7 +6,7 @@ - apt-transport-https - ca-certificates - curl - - "{{ 'gnupg2' if ansible_distribution == 'Debian' else 'gnupg-agent' }}" + - "{{ 'gnupg2' if k3s_os_distribution == 'debian' else 'gnupg-agent' }}" - software-properties-common state: present register: ensure_docker_prerequisites_installed 
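Review bot: `mode: 0644` is an unquoted octal scalar that YAML 1.1 loaders read as the integer 420; the module receives 420, which equals 0o644 only by coincidence, and ansible-lint flags the form as risky-octal. Write it as a string: `mode: "0644"`. The task also creates a root-owned file inside sticky, world-writable /tmp for a root service to read, so if the path is ever lifted out of the test scenario a root-owned directory is the safer choice (see the highavailabilitydb converge.yml hunk).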
@@ -17,13 +17,13 @@ - name: Ensure Docker APT key is present ansible.builtin.apt_key: - url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + url: https://download.docker.com/linux/{{ k3s_os_distribution }}/gpg state: present become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" - name: Ensure Docker repository is installed and configured ansible.builtin.apt_repository: filename: docker-ce - repo: "deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" + repo: "deb https://download.docker.com/linux/{{ k3s_os_distribution }} {{ ansible_distribution_release }} stable" update_cache: true become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" diff --git a/tasks/build/docker/redhat/install-prerequisites.yml b/tasks/build/docker/redhat/install-prerequisites.yml index dd8611b..92ea749 100644 --- a/tasks/build/docker/redhat/install-prerequisites.yml +++ b/tasks/build/docker/redhat/install-prerequisites.yml @@ -26,7 +26,7 @@ - name: Check to see if Docker repository is available for this distribution ansible.builtin.uri: - url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/{{ ansible_distribution_major_version }}" + url: "https://download.docker.com/linux/{{ k3s_os_distribution }}/{{ ansible_distribution_major_version }}" register: k3s_redhat_repo_check failed_when: false changed_when: false 
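Review bot: The `apt_key` task still fetches the Docker signing key by `url:` with no `id:` fingerprint, so the host trusts whatever the download endpoint serves over TLS; the rename to `k3s_os_distribution` leaves that unchanged. Since the line is being touched, pinning it with `id: "<DOCKER_APT_KEY_FINGERPRINT>"` (placeholder — take the value from Docker's published documentation) makes the key exchange verifiable. `k3s_os_distribution` additionally replaces spaces with `-`, which is a no-op for the Debian and Ubuntu names that reach this file.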
@@ -35,13 +35,13 @@ ansible.builtin.yum_repository: name: docker-ce description: Docker CE Repository - baseurl: https://download.docker.com/linux/{{ ansible_distribution | lower }}/{{ ansible_distribution_major_version }}/$basearch/stable - gpgkey: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + baseurl: https://download.docker.com/linux/{{ k3s_os_distribution }}/{{ ansible_distribution_major_version }}/$basearch/stable + gpgkey: https://download.docker.com/linux/{{ k3s_os_distribution }}/gpg enabled: true gpgcheck: true state: present when: - - ansible_distribution | lower not in ['amazon'] + - k3s_os_distribution not in ['amazon'] - k3s_redhat_repo_check.status == 200 become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" @@ -51,6 +51,6 @@ args: creates: /etc/yum.repos.d/docker-ce.repo when: - - ansible_distribution | lower not in ['amazon'] + - k3s_os_distribution not in ['amazon'] - k3s_redhat_repo_check.status != 200 become: "{{ k3s_become_for_package_install | ternary(true, false, k3s_become_for_all) }}" diff --git a/tasks/build/install-k3s.yml b/tasks/build/install-k3s.yml index f2fc34d..202aaf4 100644 --- a/tasks/build/install-k3s.yml +++ b/tasks/build/install-k3s.yml @@ -17,6 +17,11 @@ - include_tasks: install-k3s-node.yml when: k3s_build_cluster +- name: Determine if the systems are already clustered + ansible.builtin.stat: + path: "{{ k3s_token_location }}" + register: k3s_token_cluster_check + - name: Ensure k3s initial control plane server is started ansible.builtin.systemd: name: k3s @@ -29,4 +34,5 @@ - not ansible_check_mode when: (k3s_control_node and k3s_controller_list | length == 1) or (k3s_primary_control_node and k3s_controller_list | length > 1) + or k3s_token_cluster_check.stat.exists become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}" diff --git a/tasks/state-installed.yml b/tasks/state-installed.yml index 10e7b4b..2edc296 100644 
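Review bot: The new `Determine if the systems are already clustered` stat task has no `become:`, whereas the neighbouring systemd task uses `become: "{{ k3s_become_for_systemd | ternary(true, false, k3s_become_for_all) }}"`. If `k3s_token_location` or its parent directory is not readable by the unprivileged connecting user, `stat` reports `exists: false` rather than failing, and the `or k3s_token_cluster_check.stat.exists` condition added in the next hunk silently never fires. Add a `become:` following the role's `k3s_become_for_*` pattern to the stat task.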
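Review bot: `or k3s_token_cluster_check.stat.exists` makes the "initial control plane server" start apply to every host on which the token file exists, without the `k3s_control_node` qualifier that both existing operands carry; if the token is also laid down on agent nodes, this task would now start k3s on them during the server-bootstrap phase. If that is not intended, qualify it: `or (k3s_control_node and k3s_token_cluster_check.stat.exists)`. Whether agents carry a file at `k3s_token_location` is not visible in the diff, so please confirm.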
--- a/tasks/state-installed.yml +++ b/tasks/state-installed.yml @@ -17,13 +17,13 @@ - name: Ensure docker installation tasks are run block: - - include_tasks: build/docker/{{ ansible_os_family | lower }}/install-prerequisites.yml + - include_tasks: build/docker/{{ k3s_os_family }}/install-prerequisites.yml - import_tasks: build/docker/install.yml - when: ansible_distribution | replace(" ", "-") | lower not in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] + when: k3s_os_distribution not in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] - - include_tasks: build/docker/{{ ansible_distribution | replace(" ", "-") | lower }}/install.yml - when: ansible_distribution | replace(" ", "-") | lower in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] + - include_tasks: build/docker/{{ k3s_os_distribution }}/install.yml + when: k3s_os_distribution in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] when: - ('docker' in k3s_runtime_config and k3s_runtime_config.docker) diff --git a/tasks/state-uninstalled.yml b/tasks/state-uninstalled.yml index d96315f..3dd2427 100644 --- a/tasks/state-uninstalled.yml +++ b/tasks/state-uninstalled.yml 
@@ -10,12 +10,12 @@ block: - import_tasks: teardown/docker/uninstall.yml - when: ansible_distribution | replace(" ", "-") | lower not in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] + when: k3s_os_distribution not in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] - - include_tasks: teardown/docker/{{ ansible_distribution | replace(" ", "-") | lower }}/uninstall.yml - when: ansible_distribution | replace(" ", "-") | lower in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] + - include_tasks: teardown/docker/{{ k3s_os_distribution }}/uninstall.yml + when: k3s_os_distribution in ['amazon', 'suse', 'opensuse-leap', 'archlinux'] - - include_tasks: teardown/docker/{{ ansible_os_family | lower }}/uninstall-prerequisites.yml + - include_tasks: teardown/docker/{{ k3s_os_family }}/uninstall-prerequisites.yml when: - ('docker' in k3s_runtime_config and k3s_runtime_config.docker) diff --git a/tasks/teardown/docker/debian/uninstall-prerequisites.yml b/tasks/teardown/docker/debian/uninstall-prerequisites.yml index 5b87049..3652abe 100644 --- a/tasks/teardown/docker/debian/uninstall-prerequisites.yml +++ b/tasks/teardown/docker/debian/uninstall-prerequisites.yml @@ -3,13 +3,13 @@ - name: Ensure Docker repository is uninstalled ansible.builtin.apt_repository: filename: docker-ce - repo: "deb https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" + repo: "deb https://download.docker.com/linux/{{ k3s_os_distribution }} {{ ansible_distribution_release }} stable" update_cache: false state: absent become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}" - name: Ensure Docker APT key is uninstalled ansible.builtin.apt_key: - url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + url: https://download.docker.com/linux/{{ k3s_os_distribution }}/gpg state: absent become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}" 
diff --git a/tasks/teardown/docker/redhat/uninstall-prerequisites.yml b/tasks/teardown/docker/redhat/uninstall-prerequisites.yml index 3961c60..48b6ab9 100644 --- a/tasks/teardown/docker/redhat/uninstall-prerequisites.yml +++ b/tasks/teardown/docker/redhat/uninstall-prerequisites.yml @@ -4,10 +4,10 @@ ansible.builtin.yum_repository: name: docker-ce description: Docker CE Repository - baseurl: https://download.docker.com/linux/{{ ansible_distribution | lower }}/{{ ansible_distribution_major_version }}/$basearch/stable - gpgkey: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + baseurl: https://download.docker.com/linux/{{ k3s_os_distribution }}/{{ ansible_distribution_major_version }}/$basearch/stable + gpgkey: https://download.docker.com/linux/{{ k3s_os_distribution }}/gpg enabled: false gpgcheck: true state: absent - when: ansible_distribution | lower not in ['amazon'] + when: k3s_os_distribution not in ['amazon'] become: "{{ k3s_become_for_uninstall | ternary(true, false, k3s_become_for_all) }}" diff --git a/tasks/validate/configuration/unsupported-rootless.yml b/tasks/validate/configuration/unsupported-rootless.yml index 63b3298..625ee25 100644 --- a/tasks/validate/configuration/unsupported-rootless.yml +++ b/tasks/validate/configuration/unsupported-rootless.yml @@ -50,7 +50,7 @@ ansible.builtin.assert: that: - k3s_get_unprivileged_userns_clone['content'] | b64decode | int == 1 - - k3s_get_max_user_namespaces['content'] | b64decode | int >= 28633 + - ((k3s_get_max_user_namespaces['content'] | b64decode | int >= 28633) or (k3s_os_family != "redhat")) - k3s_current_user_subuid != "UserNotFound:0:0" - k3s_current_user_subgid != "UserNotFound:0:0" - k3s_current_user_subuid.split(':')[2] | int >= 65536 diff --git a/tasks/validate/environment/remote/packages.yml b/tasks/validate/environment/remote/packages.yml index 036bfc5..99913f3 100644 --- a/tasks/validate/environment/remote/packages.yml +++ b/tasks/validate/environment/remote/packages.yml 
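Review bot: In the changed assertion, `k3s_get_max_user_namespaces['content']` is evaluated before the `or (k3s_os_family != "redhat")` escape, so if that slurp result is skipped or undefined on non-RedHat hosts the assert errors instead of passing; putting the family test first short-circuits it: `- ((k3s_os_family != "redhat") or (k3s_get_max_user_namespaces['content'] | b64decode | int >= 28633))`. The change also means `max_user_namespaces` is no longer validated at all outside the RedHat family; if that is deliberate because other families ship a sufficient default, a comment above the assert saying so would stop a later reader from re-tightening it. Whether the slurp task is conditional is outside the hunk.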
@@ -18,7 +18,8 @@ Documentation: {{ package.documentation }} {% endif %} when: + - check_k3s_required_package.rc is defined - (package.until is not defined - or k3s_release_version is version_compare(package.until, '>=')) + or (k3s_release_version | replace('v', '')) is version_compare(package.until, '>=')) - (package.from is not defined - or k3s_release_version is version_compare(package.from, '>=')) + or (k3s_release_version | replace('v', '')) is version_compare(package.from, '>=')) diff --git a/tasks/validate/main.yml b/tasks/validate/main.yml index 6a40f5d..1ee2a09 100644 --- a/tasks/validate/main.yml +++ b/tasks/validate/main.yml @@ -1,5 +1,14 @@ --- +- include_tasks: environment/remote/packages.yml + loop: "{{ k3s_check_packages[k3s_os_distribution_version] }}" + loop_control: + loop_var: package + when: + - not k3s_skip_validation + - not k3s_skip_env_checks + - k3s_check_packages[k3s_os_distribution_version] is defined + - import_tasks: configuration/variables.yml - import_tasks: configuration/experimental-variables.yml diff --git a/tasks/validate/pre-flight.yml b/tasks/validate/pre-flight.yml index cdad466..4d3ac2a 100644 --- a/tasks/validate/pre-flight.yml +++ b/tasks/validate/pre-flight.yml @@ -21,14 +21,6 @@ - not k3s_skip_validation - not k3s_skip_env_checks -- include_tasks: environment/remote/packages.yml - loop: "{{ k3s_check_packages }}" - loop_control: - loop_var: package - when: - - not k3s_skip_validation - - not k3s_skip_env_checks - - include_tasks: environment/local/issue-data.yml when: - pyratlabs_issue_controller_dump is defined diff --git a/templates/k3s.service.j2 b/templates/k3s.service.j2 index 05e4719..3df8eb6 100644 --- a/templates/k3s.service.j2 +++ b/templates/k3s.service.j2 
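Review bot: `k3s_release_version | replace('v', '')` removes every `v` in the string, not only the leading one, so any value that is not a plain `vX.Y.Z` tag (a channel name, or an identifier containing a v) is silently mangled before `version_compare`; `regex_replace('^v', '')` strips just the prefix, and the same fix applies to both the `until` and the `from` line. Computing the bare version once in a vars entry would avoid repeating the filter in each condition. The enclosing task begins outside the hunk.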
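Review bot: Ansible builds the `loop:` items before it applies `when:` to each of them, so on a host whose `k3s_os_distribution_version` has no entry in `k3s_check_packages` the expression `loop: "{{ k3s_check_packages[k3s_os_distribution_version] }}"` raises an undefined-variable error before the `is defined` guard is reached. Guard the loop expression itself: `loop: "{{ k3s_check_packages[k3s_os_distribution_version] | default([]) }}"`. The include is also placed ahead of `configuration/variables.yml`, so it now runs before the role's variable validation; if the package check relies on validated variables, moving it after that import would be safer (inferred from ordering only).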
@@ -18,6 +18,14 @@ After={{ after_unit }} [Service] Type={{ 'notify' if k3s_control_node else 'exec' }} +{% if k3s_service_env_vars is defined and k3s_service_env_vars is iterable %} +{% for env_var in k3s_service_env_vars %} +Environent={{ env_var }}={{ k3s_service_env_vars[env_var] }} +{% endfor %} +{% endif %} +{% if k3s_service_env_file is defined and k3s_service_env_file %} +EnvironmentFile={{ k3s_service_env_file }} +{% endif %} ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe overlay {% filter regex_replace('\s+', ' ') %} diff --git a/vars/main.yml b/vars/main.yml index 7c36325..5f8906f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -88,8 +88,19 @@ k3s_server_manifests_dir: "{{ k3s_data_dir }}/server/manifests" # https://github.com/k3s-io/k3s/pull/1691 k3s_server_pod_manifests_dir: "{{ k3s_data_dir }}/agent/pod-manifests" +# OS formatted strings +k3s_os_distribution: "{{ ansible_distribution | replace(' ', '-') | lower }}" +k3s_os_version: "{{ ansible_distribution_version | replace([' ', '.'], '-') | lower }}" +k3s_os_distribution_version: "{{ k3s_os_distribution }}-{{ k3s_os_version }}" +k3s_os_family: "{{ ansible_os_family | replace(' ', '-') | lower }}" + # Packages that we need to check are installed -k3s_check_packages: [] +k3s_check_packages: + debian-11: + - name: iptables-legacy + from: 1.19.2 + # until: 1.22.2 + documentation: https://rancher.com/docs/k3s/latest/en/advanced/#enabling-legacy-iptables-on-raspbian-buster # - name: dummy # from: 1.19.2 # until: 1.21.0
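Review bot: `Environent=` is misspelled, and systemd ignores unknown directives with only a journal warning, so none of `k3s_service_env_vars` would actually reach the k3s process — the `GOGC: 10` Molecule scenario would not catch this. The line should read `Environment="{{ env_var }}={{ k3s_service_env_vars[env_var] }}"`, quoted so values containing spaces survive; and because `is iterable` is also true for strings and lists, the guard is better written `{% if k3s_service_env_vars is defined and k3s_service_env_vars is mapping %}`. Since these entries land verbatim in the unit file, a comment here noting that they are visible via `systemctl show` would help operators keep secrets in `k3s_service_env_file` instead.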
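Review bot: `ansible_distribution_version | replace([' ', '.'], '-')` does not do what it reads as: Jinja's `replace` filter takes a single string pattern and stringifies its argument, so the list form replaces nothing and a dotted version such as `20.04` keeps its dot, leaving `k3s_os_distribution_version` keys like `ubuntu-20-04` unreachable. Chain two calls instead: `k3s_os_version: "{{ ansible_distribution_version | replace(' ', '-') | replace('.', '-') | lower }}"`. The only key currently defined, `debian-11`, happens to contain no dot, so the test scenarios would not expose this. If `ansible_distribution_version` reports a minor version on some images, keying `k3s_check_packages` on `ansible_distribution_major_version` may be the more robust match — inferred, please confirm.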