From 9cce71f73b61f4d1905f69183a53bf7030051aee Mon Sep 17 00:00:00 2001
From: Tuan-Dat Tran
Date: Sun, 13 Jul 2025 02:15:01 +0200
Subject: [PATCH] refactor(k3s): manage token securely and install guest agent

Signed-off-by: Tuan-Dat Tran
---
 playbooks/k3s-agents.yml | 22 +++--------------
 playbooks/k3s-storage.yml | 14 ----------
 roles/k3s_agent/tasks/installation.yml | 2 +-
 roles/k3s_server/tasks/installation.yml | 33 ++++++++++++++++++++++---
 roles/k3s_server/vars/main.yml | 1 +
 roles/proxmox/vars/main.yml | 1 +
 vars/group_vars/k3s/secrets_token.yml | 11 +++++++++
 7 files changed, 48 insertions(+), 36 deletions(-)
 create mode 100644 roles/k3s_server/vars/main.yml
 create mode 100644 vars/group_vars/k3s/secrets_token.yml

diff --git a/playbooks/k3s-agents.yml b/playbooks/k3s-agents.yml
index b5c2828..f8bf24f 100644
--- a/playbooks/k3s-agents.yml
+++ b/playbooks/k3s-agents.yml
@@ -1,19 +1,6 @@ - name: Set up Agents hosts: k3s gather_facts: true - pre_tasks: - - name: Get K3s token from the first server - when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"] - slurp: - src: /var/lib/rancher/k3s/server/node-token - register: k3s_token - become: true - - - name: Set fact on k3s_primary_server_ip - when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"] - set_fact: - k3s_token: "{{ k3s_token['content'] | b64decode | trim }}" - roles: - role: common when: inventory_hostname in groups["k3s_agent"]
@@ -21,10 +8,9 @@ - common - role: k3s_agent when: inventory_hostname in groups["k3s_agent"] - k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s_primary_server_ip ) | select() | first | items2dict).host.hostname].k3s_token }}" tags: - k3s_agent - - role: node_exporter - when: inventory_hostname in groups["k3s_agent"] - tags: - - node_exporter + # - role: node_exporter + # when: inventory_hostname in groups["k3s_agent"] + # tags: + # - node_exporter
diff --git a/playbooks/k3s-storage.yml b/playbooks/k3s-storage.yml
index 8891b26..fb78a7a 100644
--- a/playbooks/k3s-storage.yml
+++ b/playbooks/k3s-storage.yml
@@ -1,19 +1,6 @@ - name: Set up storage hosts: k3s_nodes gather_facts: true - pre_tasks: - - name: Get K3s token from the first server - when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"] - slurp: - src: /var/lib/rancher/k3s/server/node-token - register: k3s_token - become: true - - - name: Set fact on k3s_primary_server_ip - when: host.ip == k3s_primary_server_ip and inventory_hostname in groups["k3s_server"] - set_fact: - k3s_token: "{{ k3s_token['content'] | b64decode | trim }}" - roles: - role: common when: inventory_hostname in groups["k3s_storage"]
@@ -21,7 +8,6 @@ - common - role: k3s_storage when: inventory_hostname in groups["k3s_storage"] - k3s_token: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s_primary_server_ip ) | select() | first | items2dict).host.hostname].k3s_token }}" tags: - k3s_storage - role: node_exporter
diff --git a/roles/k3s_agent/tasks/installation.yml b/roles/k3s_agent/tasks/installation.yml
index ff0a69d..7617d75 100644
--- a/roles/k3s_agent/tasks/installation.yml
+++ b/roles/k3s_agent/tasks/installation.yml
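Review bot: The `node_exporter` role entry at the end of the hunk is kept as four commented-out lines instead of being deleted; the removed block is already in git history, so dropping the lines (or keeping the role and stating why it is disabled) reads better than a dead block that yamllint and readers have to step over. With the `k3s_token` role parameter removed here and in the matching k3s-storage.yml hunk on this same line, `k3s_agent` and `k3s_storage` now depend on `k3s_token` arriving as a group var from the vaulted file, which nothing in either play makes explicit. Since k3s-storage.yml still lists `- role: node_exporter` while this play disables it, a one-line comment such as `# node_exporter disabled on agents for now; still applied by k3s-storage.yml` would record whether the asymmetry is intended.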
@@ -11,7 +11,7 @@ dest: /tmp/k3s_install.sh mode: "0755" -- name: Install K3s on the secondary servers +- name: Install K3s on agent when: not k3s_status.stat.exists ansible.builtin.command: | /tmp/k3s_install.sh
diff --git a/roles/k3s_server/tasks/installation.yml b/roles/k3s_server/tasks/installation.yml
index fc83bb2..e01efb9 100644
--- a/roles/k3s_server/tasks/installation.yml
+++ b/roles/k3s_server/tasks/installation.yml
@@ -33,17 +33,44 @@ delay: 5 become: true +- name: Check if k3s token vault file already exists + ansible.builtin.stat: + path: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" + register: k3s_vault_file_stat + delegate_to: localhost + run_once: true + - name: Get K3s token from the first server - when: ansible_default_ipv4.address == k3s_primary_server_ip + when: + - ansible_default_ipv4.address == k3s_primary_server_ip + - not k3s_vault_file_stat.stat.exists ansible.builtin.slurp: src: /var/lib/rancher/k3s/server/node-token register: k3s_token become: true - name: Set fact on k3s_primary_server_ip - when: ansible_default_ipv4.address == k3s_primary_server_ip ansible.builtin.set_fact: k3s_token: "{{ k3s_token['content'] | b64decode | trim }}" + when: + - not k3s_vault_file_stat.stat.exists + +- name: Write K3s token to local file for encryption + ansible.builtin.copy: + content: | + k3s_token: "{{ k3s_token }}" + dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}" + mode: "0600" + delegate_to: localhost + run_once: true + when: + - not k3s_vault_file_stat.stat.exists + +- name: Encrypt k3s token + ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{k3s_server_token_vault_file}}" + delegate_to: localhost + when: + - not k3s_vault_file_stat.stat.exists - name: Install K3s on the secondary servers when: (ansible_default_ipv4.address != k3s_primary_server_ip and (not k3s_status.stat.exists))
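Review bot: `register: k3s_token` on the slurp task collides with the vaulted `k3s_token` group var this commit introduces: Ansible registers a result even for a skipped task and registered vars outrank group_vars, so on every run after the vault file exists each server's `k3s_token` becomes the skipped-result dict and `K3S_TOKEN: "{{ k3s_token }}"` in the next hunk receives that instead of the token — register under a different name such as `k3s_node_token_raw` and read that in the set_fact. Removing the primary-server condition from the set_fact task also leaves `k3s_token['content']` undefined on the secondary servers, where the slurp did not run, and the write/encrypt pair is fragile the other way round: `run_once` executes on the first host of the play, which is not necessarily the primary that decoded the token, while the encrypt task has no `run_once` and so re-runs per host against an already encrypted file. Gating all four tasks on the primary condition (and dropping `run_once`) keeps the token on one host and runs the write and the encrypt exactly once; `no_log: true` on the set_fact and copy tasks keeps the token out of `-v`/`--diff` output, and `cd ../; ansible-vault encrypt …` reads better as `ansible.builtin.command` with `argv` (if the `cd` exists so ansible-vault finds its password configuration, say so in a comment or express it with `chdir:`). The `Install K3s on the secondary servers` task at the end continues outside the hunk.
```yaml
- name: Get K3s token from the first server
  when:
    - ansible_default_ipv4.address == k3s_primary_server_ip
    - not k3s_vault_file_stat.stat.exists
  ansible.builtin.slurp:
    src: /var/lib/rancher/k3s/server/node-token
  # Not `k3s_token`: a skipped task still registers its result, which would
  # shadow the vaulted group var of the same name on later runs.
  register: k3s_node_token_raw
  become: true

- name: Set fact on k3s_primary_server_ip
  ansible.builtin.set_fact:
    k3s_token: "{{ k3s_node_token_raw['content'] | b64decode | trim }}"
  no_log: true
  when:
    - ansible_default_ipv4.address == k3s_primary_server_ip
    - not k3s_vault_file_stat.stat.exists

- name: Write K3s token to local file for encryption
  ansible.builtin.copy:
    content: |
      k3s_token: "{{ k3s_token }}"
    dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
    mode: "0600"
  delegate_to: localhost
  no_log: true
  # runs once because only the primary matches; no run_once needed
  when:
    - ansible_default_ipv4.address == k3s_primary_server_ip
    - not k3s_vault_file_stat.stat.exists

- name: Encrypt k3s token
  ansible.builtin.command:
    argv:
      - ansible-vault
      - encrypt
      - "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
    # add `chdir:` here if the former `cd ../` was needed for vault password lookup
  delegate_to: localhost
  when:
    - ansible_default_ipv4.address == k3s_primary_server_ip
    - not k3s_vault_file_stat.stat.exists
```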
@@ -52,5 +79,5 @@ --node-taint CriticalAddonsOnly=true:NoExecute \ --tls-san {{ k3s.loadbalancer.ip }} environment: - K3S_TOKEN: "{{ hostvars[(hostvars | dict2items | map(attribute='value') | map('dict2items') | map('selectattr', 'key', 'match', 'host') | map('selectattr', 'value.ip', 'match', k3s_primary_server_ip ) | select() | first | items2dict).host.hostname].k3s_token }}" + K3S_TOKEN: "{{ k3s_token }}" become: true
diff --git a/roles/k3s_server/vars/main.yml b/roles/k3s_server/vars/main.yml
new file mode 100644
index 0000000..a1deba1
--- /dev/null
+++ b/roles/k3s_server/vars/main.yml
@@ -0,0 +1 @@
+k3s_server_token_vault_file: ../vars/group_vars/k3s/secrets_token.yml
diff --git a/roles/proxmox/vars/main.yml b/roles/proxmox/vars/main.yml
index 8d88c79..5e32075 100644
--- a/roles/proxmox/vars/main.yml
+++ b/roles/proxmox/vars/main.yml
@@ -20,6 +20,7 @@ proxmox_tags: proxmox_node_dependencies: - libguestfs-tools + - qemu-guest-agent - nmap proxmox_localhost_dependencies: []
diff --git a/vars/group_vars/k3s/secrets_token.yml b/vars/group_vars/k3s/secrets_token.yml
new file mode 100644
index 0000000..c5b413f
--- /dev/null
+++ b/vars/group_vars/k3s/secrets_token.yml
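Review bot: `k3s_server_token_vault_file: ../vars/group_vars/k3s/secrets_token.yml` in the new roles/k3s_server/vars/main.yml is a relative path that only resolves because installation.yml prefixes it with `{{ playbook_dir }}`, so it silently assumes every playbook lives exactly one level below the repository root; a comment such as `# relative to playbook_dir; assumes playbooks/ sits directly under the repo root` would make that contract visible. Whether `vars/group_vars/k3s/` is actually auto-loaded as group_vars I cannot tell from the patch — Ansible only picks up a `group_vars/` directory next to the inventory or the playbook — so if the file reaches the hosts through `vars_files` or an inventory placed under `vars/`, the same comment should name that mechanism, because otherwise `k3s_token` is undefined on the runs where the vault file already exists and `K3S_TOKEN: "{{ k3s_token }}"` in the first hunk on this line has nothing to expand.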
@@ -0,0 +1,11 @@
+$ANSIBLE_VAULT;1.1;AES256
+62386434633264613939616264613563656365363664343761333233393933323264646330323637
+6565323739323834626331373539323730376538323635620a356338616537393835613834633036
+65333533646465383964363664616338316565613131336339643432656564363034663662376137
+6366633766366234360a643138396636616362383364666166323965643831363563343164343164
+38633165323935643463613939363633623131306234333863366538376363346563656263616263
+33333533376534663561303733613364376266366634616361363330333230626364653035353834
+38343033633130393166353965646635303738666562643138653435316230613131323862623264
+32393462363738666538613539393162613061343062643036643937336133663132303162323331
+38623530393531333037376535623133656238656339666361646230353438343961353333343064
+3261306235386331333063346433393534626362323731366362