refactor(k3s): enhance kubeconfig generation and token management

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
2025-07-13 09:33:39 +02:00
parent 9cce71f73b
commit 4aa939426b
5 changed files with 135 additions and 59 deletions
--- a/roles/k3s_server/tasks/create_kubeconfig.yml
+++ b/roles/k3s_server/tasks/create_kubeconfig.yml
@@ -0,0 +1,87 @@
+---
+- name: Slurp original k3s.yaml from primary K3s server
+  ansible.builtin.slurp:
+    src: /etc/rancher/k3s/k3s.yaml
+  register: original_k3s_kubeconfig_slurp
+  become: true
+
+- name: Parse original k3s.yaml content to extract cert data
+  ansible.builtin.set_fact:
+    original_parsed_k3s_kubeconfig: "{{ original_k3s_kubeconfig_slurp.content | b64decode | from_yaml }}"
+  delegate_to: localhost
+  run_once: true
+
+- name: Set facts for certificate and key data needed by the template
+  ansible.builtin.set_fact:
+    k3s_server_ca_data: "{{ original_parsed_k3s_kubeconfig.clusters[0].cluster['certificate-authority-data'] }}"
+    k3s_client_cert_data: "{{ original_parsed_k3s_kubeconfig.users[0].user['client-certificate-data'] }}"
+    k3s_client_key_data: "{{ original_parsed_k3s_kubeconfig.users[0].user['client-key-data'] }}"
+  delegate_to: localhost
+  run_once: true
+
+- name: Decode and save K3s Server CA certificate
+  ansible.builtin.copy:
+    content: "{{ k3s_server_ca_data | b64decode }}"
+    dest: "/tmp/k3s-ca.crt"
+    mode: "0644"
+  delegate_to: localhost
+  become: false
+
+- name: Decode and save K3s Client certificate
+  ansible.builtin.copy:
+    content: "{{ k3s_client_cert_data | b64decode }}"
+    dest: "/tmp/k3s-client.crt"
+    mode: "0644"
+  delegate_to: localhost
+  become: false
+
+- name: Decode and save K3s Client key
+  ansible.builtin.copy:
+    content: "{{ k3s_client_key_data | b64decode }}"
+    dest: "/tmp/k3s-client.key"
+    mode: "0600"
+  delegate_to: localhost
+  become: false
+
+- name: Add K3s cluster to kubeconfig
+  ansible.builtin.command: >
+    kubectl config set-cluster "{{ k3s_cluster_name }}"
+    --server="https://{{ k3s_server_name }}:6443"
+    --certificate-authority=/tmp/k3s-ca.crt
+    --embed-certs=true
+  environment:
+    KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config"
+  delegate_to: localhost
+  become: false
+
+- name: Add K3s user credentials to kubeconfig
+  ansible.builtin.command: >
+    kubectl config set-credentials "{{ k3s_user_name }}"
+    --client-certificate=/tmp/k3s-client.crt
+    --client-key=/tmp/k3s-client.key
+    --embed-certs=true
+  environment:
+    KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config"
+  delegate_to: localhost
+  become: false
+
+- name: Add K3s context to kubeconfig
+  ansible.builtin.command: >
+    kubectl config set-context "{{ k3s_context_name }}"
+    --cluster="{{ k3s_cluster_name }}"
+    --user="{{ k3s_user_name }}"
+  environment:
+    KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config"
+  delegate_to: localhost
+  become: false
+
+- name: Clean up temporary certificate and key files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/tmp/k3s-ca.crt"
+    - "/tmp/k3s-client.crt"
+    - "/tmp/k3s-client.key"
+  delegate_to: localhost
+  become: false
--- a/roles/k3s_server/tasks/installation.yml
+++ b/roles/k3s_server/tasks/installation.yml
@@ -1,79 +1,22 @@
 ---
- name: See if k3s file exists
-  ansible.builtin.stat:
-    path: /usr/local/bin/k3s
-  register: k3s_status
-
 - name: Download K3s install script to /tmp/
-  when: not k3s_status.stat.exists
  ansible.builtin.get_url:
    url: https://get.k3s.io
    dest: /tmp/k3s_install.sh
    mode: "0755"

 - name: Install K3s server with node taint and TLS SAN
-  when: (ansible_default_ipv4.address == k3s_primary_server_ip and (not k3s_status.stat.exists))
+  when: (ansible_default_ipv4.address == k3s_primary_server_ip)
  ansible.builtin.command: |
    /tmp/k3s_install.sh server \
    --node-taint CriticalAddonsOnly=true:NoExecute \
    --tls-san {{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }}
    --tls-san {{ k3s_server_name }}
  become: true
-  async: 300
-  poll: 0
  register: k3s_primary_install

- name: Wait for K3s to be installed
-  when: (ansible_default_ipv4.address == k3s_primary_server_ip and (not k3s_status.stat.exists))
-  ansible.builtin.async_status:
-    jid: "{{ k3s_primary_install.ansible_job_id }}"
-  register: k3s_primary_install_status
-  until: k3s_primary_install_status.finished
-  retries: 60
-  delay: 5
-  become: true
-
- name: Check if k3s token vault file already exists
-  ansible.builtin.stat:
-    path: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
-  register: k3s_vault_file_stat
-  delegate_to: localhost
-  run_once: true
-
- name: Get K3s token from the first server
-  when:
-    - ansible_default_ipv4.address == k3s_primary_server_ip
-    - not k3s_vault_file_stat.stat.exists
-  ansible.builtin.slurp:
-    src: /var/lib/rancher/k3s/server/node-token
-  register: k3s_token
-  become: true
-
- name: Set fact on k3s_primary_server_ip
-  ansible.builtin.set_fact:
-    k3s_token: "{{ k3s_token['content'] | b64decode | trim }}"
-  when:
-    - not k3s_vault_file_stat.stat.exists
-
- name: Write K3s token to local file for encryption
-  ansible.builtin.copy:
-    content: |
-      k3s_token: "{{ k3s_token }}"
-    dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
-    mode: "0600"
-  delegate_to: localhost
-  run_once: true
-  when:
-    - not k3s_vault_file_stat.stat.exists
-
- name: Encrypt k3s token
-  ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{k3s_server_token_vault_file}}"
-  delegate_to: localhost
-  when:
-    - not k3s_vault_file_stat.stat.exists
-
 - name: Install K3s on the secondary servers
-  when: (ansible_default_ipv4.address != k3s_primary_server_ip and (not k3s_status.stat.exists))
+  when: (ansible_default_ipv4.address != k3s_primary_server_ip)
  ansible.builtin.command: |
    /tmp/k3s_install.sh server \
    --node-taint CriticalAddonsOnly=true:NoExecute \
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -1,2 +1,21 @@
 ---
+- name: See if k3s file exists
+  ansible.builtin.stat:
+    path: /usr/local/bin/k3s
+  register: k3s_status
+
 - include_tasks: installation.yml
+  when: not k3s_status.stat.exists
+
+- include_tasks: create_kubeconfig.yml
+  when: ansible_default_ipv4.address == k3s_primary_server_ip
+
+- name: Check if k3s token vault file already exists
+  ansible.builtin.stat:
+    path: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
+  register: k3s_vault_file_stat
+  delegate_to: localhost
+  run_once: true
+
+- include_tasks: pull_token.yml
+  when: not k3s_vault_file_stat.stat.exists
--- a/roles/k3s_server/tasks/pull_token.yml
+++ b/roles/k3s_server/tasks/pull_token.yml
@@ -0,0 +1,24 @@
+- name: Get K3s token from the first server
+  when:
+    - ansible_default_ipv4.address == k3s_primary_server_ip
+  ansible.builtin.slurp:
+    src: /var/lib/rancher/k3s/server/node-token
+  register: k3s_token
+  become: true
+
+- name: Set fact on k3s_primary_server_ip
+  ansible.builtin.set_fact:
+    k3s_token: "{{ k3s_token['content'] | b64decode | trim }}"
+
+- name: Write K3s token to local file for encryption
+  ansible.builtin.copy:
+    content: |
+      k3s_token: "{{ k3s_token }}"
+    dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
+    mode: "0600"
+  delegate_to: localhost
+  run_once: true
+
+- name: Encrypt k3s token
+  ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{k3s_server_token_vault_file}}"
+  delegate_to: localhost