diff --git a/roles/k3s_server/tasks/create_kubeconfig.yml b/roles/k3s_server/tasks/create_kubeconfig.yml new file mode 100644 index 0000000..73981fd --- /dev/null +++ b/roles/k3s_server/tasks/create_kubeconfig.yml @@ -0,0 +1,87 @@ +--- +- name: Slurp original k3s.yaml from primary K3s server + ansible.builtin.slurp: + src: /etc/rancher/k3s/k3s.yaml + register: original_k3s_kubeconfig_slurp + become: true + +- name: Parse original k3s.yaml content to extract cert data + ansible.builtin.set_fact: + original_parsed_k3s_kubeconfig: "{{ original_k3s_kubeconfig_slurp.content | b64decode | from_yaml }}" + delegate_to: localhost + run_once: true + +- name: Set facts for certificate and key data needed by the template + ansible.builtin.set_fact: + k3s_server_ca_data: "{{ original_parsed_k3s_kubeconfig.clusters[0].cluster['certificate-authority-data'] }}" + k3s_client_cert_data: "{{ original_parsed_k3s_kubeconfig.users[0].user['client-certificate-data'] }}" + k3s_client_key_data: "{{ original_parsed_k3s_kubeconfig.users[0].user['client-key-data'] }}" + delegate_to: localhost + run_once: true + +- name: Decode and save K3s Server CA certificate + ansible.builtin.copy: + content: "{{ k3s_server_ca_data | b64decode }}" + dest: "/tmp/k3s-ca.crt" + mode: "0644" + delegate_to: localhost + become: false + +- name: Decode and save K3s Client certificate + ansible.builtin.copy: + content: "{{ k3s_client_cert_data | b64decode }}" + dest: "/tmp/k3s-client.crt" + mode: "0644" + delegate_to: localhost + become: false + +- name: Decode and save K3s Client key + ansible.builtin.copy: + content: "{{ k3s_client_key_data | b64decode }}" + dest: "/tmp/k3s-client.key" + mode: "0600" + delegate_to: localhost + become: false + +- name: Add K3s cluster to kubeconfig + ansible.builtin.command: > + kubectl config set-cluster "{{ k3s_cluster_name }}" + --server="https://{{ k3s_server_name }}:6443" + --certificate-authority=/tmp/k3s-ca.crt + --embed-certs=true + environment: + KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config" + delegate_to: localhost + become: false + +- name: Add K3s user credentials to kubeconfig + ansible.builtin.command: > + kubectl config set-credentials "{{ k3s_user_name }}" + --client-certificate=/tmp/k3s-client.crt + --client-key=/tmp/k3s-client.key + --embed-certs=true + environment: + KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config" + delegate_to: localhost + become: false + +- name: Add K3s context to kubeconfig + ansible.builtin.command: > + kubectl config set-context "{{ k3s_context_name }}" + --cluster="{{ k3s_cluster_name }}" + --user="{{ k3s_user_name }}" + environment: + KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config" + delegate_to: localhost + become: false + +- name: Clean up temporary certificate and key files + ansible.builtin.file: + path: "{{ item }}" + state: absent + loop: + - "/tmp/k3s-ca.crt" + - "/tmp/k3s-client.crt" + - "/tmp/k3s-client.key" + delegate_to: localhost + become: false diff --git a/roles/k3s_server/tasks/installation.yml b/roles/k3s_server/tasks/installation.yml index e01efb9..217c2ad 100644 --- a/roles/k3s_server/tasks/installation.yml +++ b/roles/k3s_server/tasks/installation.yml @@ -1,79 +1,22 @@ --- -- name: See if k3s file exists - ansible.builtin.stat: - path: /usr/local/bin/k3s - register: k3s_status - - name: Download K3s install script to /tmp/ - when: not k3s_status.stat.exists ansible.builtin.get_url: url: https://get.k3s.io dest: /tmp/k3s_install.sh mode: "0755" - name: Install K3s server with node taint and TLS SAN - when: (ansible_default_ipv4.address == k3s_primary_server_ip and (not k3s_status.stat.exists)) + when: (ansible_default_ipv4.address == k3s_primary_server_ip) ansible.builtin.command: | /tmp/k3s_install.sh server \ --node-taint CriticalAddonsOnly=true:NoExecute \ --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }} --tls-san {{ k3s_server_name }} become: true - async: 300 - poll: 0 register: k3s_primary_install -- name: Wait for K3s to be installed - when: (ansible_default_ipv4.address == k3s_primary_server_ip and (not k3s_status.stat.exists)) - ansible.builtin.async_status: - jid: "{{ k3s_primary_install.ansible_job_id }}" - register: k3s_primary_install_status - until: k3s_primary_install_status.finished - retries: 60 - delay: 5 - become: true - -- name: Check if k3s token vault file already exists - ansible.builtin.stat: - path: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" - register: k3s_vault_file_stat - delegate_to: localhost - run_once: true - -- name: Get K3s token from the first server - when: - - ansible_default_ipv4.address == k3s_primary_server_ip - - not k3s_vault_file_stat.stat.exists - ansible.builtin.slurp: - src: /var/lib/rancher/k3s/server/node-token - register: k3s_token - become: true - -- name: Set fact on k3s_primary_server_ip - ansible.builtin.set_fact: - k3s_token: "{{ k3s_token['content'] | b64decode | trim }}" - when: - - not k3s_vault_file_stat.stat.exists - -- name: Write K3s token to local file for encryption - ansible.builtin.copy: - content: | - k3s_token: "{{ k3s_token }}" - dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" - mode: "0600" - delegate_to: localhost - run_once: true - when: - - not k3s_vault_file_stat.stat.exists - -- name: Encrypt k3s token - ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{k3s_server_token_vault_file}}" - delegate_to: localhost - when: - - not k3s_vault_file_stat.stat.exists - - name: Install K3s on the secondary servers - when: (ansible_default_ipv4.address != k3s_primary_server_ip and (not k3s_status.stat.exists)) + when: (ansible_default_ipv4.address != k3s_primary_server_ip) ansible.builtin.command: | /tmp/k3s_install.sh server \ --node-taint CriticalAddonsOnly=true:NoExecute \ diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml index fc446ac..5419e8a 100644 --- a/roles/k3s_server/tasks/main.yml +++ b/roles/k3s_server/tasks/main.yml @@ -1,2 +1,21 @@ --- +- name: See if k3s file exists + ansible.builtin.stat: + path: /usr/local/bin/k3s + register: k3s_status + - include_tasks: installation.yml + when: not k3s_status.stat.exists + +- include_tasks: create_kubeconfig.yml + when: ansible_default_ipv4.address == k3s_primary_server_ip + +- name: Check if k3s token vault file already exists + ansible.builtin.stat: + path: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" + register: k3s_vault_file_stat + delegate_to: localhost + run_once: true + +- include_tasks: pull_token.yml + when: not k3s_vault_file_stat.stat.exists diff --git a/roles/k3s_server/tasks/pull_token.yml b/roles/k3s_server/tasks/pull_token.yml new file mode 100644 index 0000000..9b91065 --- /dev/null +++ b/roles/k3s_server/tasks/pull_token.yml @@ -0,0 +1,24 @@ +- name: Get K3s token from the first server + when: + - ansible_default_ipv4.address == k3s_primary_server_ip + ansible.builtin.slurp: + src: /var/lib/rancher/k3s/server/node-token + register: k3s_token + become: true + +- name: Set fact on k3s_primary_server_ip + ansible.builtin.set_fact: + k3s_token: "{{ k3s_token['content'] | b64decode | trim }}" + +- name: Write K3s token to local file for encryption + ansible.builtin.copy: + content: | + k3s_token: "{{ k3s_token }}" + dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" + mode: "0600" + delegate_to: localhost + run_once: true + +- name: Encrypt k3s token + ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{k3s_server_token_vault_file}}" + delegate_to: localhost diff --git a/vars/group_vars/k3s/vars.yml b/vars/group_vars/k3s/vars.yml index 6f2d1da..b9a37d5 100644 --- a/vars/group_vars/k3s/vars.yml +++ b/vars/group_vars/k3s/vars.yml @@ -5,3 +5,6 @@ k3s: k3s_primary_server_ip: "{{ groups['k3s_server'] | map('extract', hostvars, 'ansible_default_ipv4') | map(attribute='address') | unique | list | first }}" k3s_server_name: "k3s.{{ internal_domain }}" +k3s_cluster_name: homelab +k3s_user_name: "{{ user }}" +k3s_context_name: "{{ k3s_cluster_name }}"