diff --git a/roles/k3s_upgrade/tasks/main.yml b/roles/k3s_upgrade/tasks/main.yml
index 7cd0d8c..7ba89d6 100644
--- a/roles/k3s_upgrade/tasks/main.yml
+++ b/roles/k3s_upgrade/tasks/main.yml
@@ -36,6 +36,7 @@
name: "{{ (server_group in group_names) | ternary('k3s', 'k3s-agent') }}"
# We only save the token if the user did not provide one, leading to an auto-generated token on first install.
+ # If you want the actual token value, you need to use the k3s_upgrade_old_token.stdout
- name: Save the existing K3s token if needed
when:
- token is not defined
@@ -44,6 +45,80 @@
register: k3s_upgrade_old_token
changed_when: false
+ - name: Construct Server config
+ when: server_group in group_names
+ block:
+ # Start with an empty config
+ - name: Set empty server config
+ ansible.builtin.set_fact:
+ k3s_server_config: {}
+
+ # If token is provided, add it to the config
+ - name: Add token to server config
+ when: token is defined
+ ansible.builtin.set_fact:
+ k3s_server_config: "{{ k3s_server_config | combine({'token': token}) }}"
+
+ # If token is not defined, use the old token
+ - name: Add old token to server config
+ when: token is not defined
+ ansible.builtin.set_fact:
+ k3s_server_config: "{{ k3s_server_config | combine({'token': k3s_upgrade_old_token.stdout}) }}"
+
+ - name: Determine if tls-san is already in config or args
+ # noqa var-naming[no-role-prefix]
+ ansible.builtin.set_fact:
+ _api_endpoint_in_config: >-
+ {% if server_config_yaml is defined and api_endpoint is defined and server_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
+ true
+ {% else %}
+ false
+ {% endif %}
+ _api_endpoint_in_args: >-
+ {% if api_endpoint is defined and extra_server_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
+ true
+ {% else %}
+ false
+ {% endif %}
+
+ - name: Add TLS SAN to config if needed
+ when:
+ - api_endpoint is defined
+ - api_endpoint != ansible_hostname
+ - not (_api_endpoint_in_config | trim | bool)
+ - not (_api_endpoint_in_args | trim | bool)
+ ansible.builtin.set_fact:
+ k3s_server_config: "{{ k3s_server_config | combine({'tls-san': api_endpoint}) }}"
+
+ - name: Add cluster-init to server config for first server in HA-IC setup
+ when:
+ - (groups[server_group] | length) > 1
+ - inventory_hostname == groups[server_group][0] or ansible_host == groups[server_group][0]
+ - not use_external_database
+ ansible.builtin.set_fact:
+ k3s_server_config: "{{ k3s_server_config | combine({'cluster-init': true}) }}"
+
+ # If not 
the first server in an HA-IC setup, setup the server: URL for joining the cluster
+ # server: https://{{ api_endpoint }}:{{ api_port }}
+ - name: Add server URL to server config for joining servers in HA-IC setup
+ when: (groups[server_group] | length) > 1 and inventory_hostname != groups[server_group][0] and not use_external_database
+ ansible.builtin.set_fact:
+ k3s_server_config: "{{ k3s_server_config | combine({'server': 'https://' + api_endpoint + ':' + api_port | string}) }}"
+
+ # If the user has provided additional server config, merge it with the generated config
+ - name: Merge user server config with generated server config
+ when: server_config_yaml is defined
+ ansible.builtin.set_fact:
+ k3s_server_config: "{{ k3s_server_config | combine(server_config_yaml | from_yaml) }}"
+
+ - name: Convert server config to YAML and write to file
+ when: not ansible_check_mode
+ ansible.builtin.copy:
+ content: "{{ k3s_server_config | to_nice_yaml }}"
+ dest: "/etc/rancher/k3s/config.yaml"
+ mode: "0644"
+ register: k3s_server_config_result
+
- name: Install new K3s Version [server]
# For some reason, ansible-lint thinks using enviroment with command is an error
# even though its valid https://ansible.readthedocs.io/projects/lint/rules/inline-env-var/#correct-code
@@ -64,8 +139,11 @@
- name: Get the token from the first server
# noqa var-naming[no-role-prefix]
+ when:
+ - agent_group in group_names
+ - token is not defined
ansible.builtin.set_fact:
- k3s_server_upgrade_old_token: "{{ hostvars[groups[server_group][0]].k3s_upgrade_old_token }}"
+ k3s_upgrade_old_server_token: "{{ hostvars[groups[server_group][0]].k3s_upgrade_old_token }}"
- name: Install new K3s Version [agent]
# For some reason, ansible-lint thinks using enviroment with command is an error
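Review bot: The `Convert server config to YAML and write to file` task writes `k3s_server_config`, which now carries the join token, to `/etc/rancher/k3s/config.yaml` with `mode: "0644"`, making the cluster secret readable by every local user on each server, whereas the removed `lineinfile` task kept it in `k3s.service.env` behind `no_log: true`. Change it to `mode: "0600"` with `owner: root` and `group: root`, and add `no_log: true # avoid logging the server token` to this copy task and to the two `Add … token to server config` set_fact tasks, since otherwise a verbose or `--diff` run prints the token. Separately, the final `combine(server_config_yaml | from_yaml)` lets a user-supplied `tls-san` list overwrite the generated `tls-san: api_endpoint` (the single-line `tls-san:.*` regex cannot see a list on the following lines), silently dropping the SAN that joining nodes connect through; merging the generated value over the user config, or appending to the user's list, would avoid that. The `server` URL task also checks only `inventory_hostname`, while the `cluster-init` task accepts a match on `ansible_host` too, so a host that matches only by `ansible_host` ends up with both keys.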
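Review bot: `Get the token from the first server` copies the first server's registered `k3s_upgrade_old_token` into an agent fact with no `no_log: true`, so a `-v` run prints the join token in the set_fact result; the removed lineinfile task carried `no_log: true # avoid logging the server token` and this task should too. The value is also only present if the first server ran `Save the existing K3s token if needed` in this play (that task is gated on `token is not defined` on the server side), so a run limited to `agent_group`, or one where the server has `token` set and the agent does not, makes this set_fact or the later `.stdout` lookup fail with an unhelpful undefined-variable error; an `ansible.builtin.assert` that `hostvars[groups[server_group][0]].k3s_upgrade_old_token.stdout is defined` would surface that clearly.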
@@ -85,88 +163,22 @@
INSTALL_K3S_SYSTEMD_DIR: "{{ systemd_dir }}"
INSTALL_K3S_VERSION: "{{ k3s_version }}"
INSTALL_K3S_EXEC: "agent --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}"
- K3S_TOKEN: "{{ token if token is defined else k3s_server_upgrade_old_token.stdout }}"
+ K3S_TOKEN: "{{ token if token is defined else k3s_upgrade_old_server_token.stdout }}"
# We overrides the extra_install_envs with required keys from _base_envs on purpose
_install_envs: "{{ extra_install_envs | default({}) | combine(_base_envs) }}"
changed_when: true
- - name: Regenerate K3s service file [server]
- when: server_group in group_names
- block:
- - name: Determine if tls-san is already in config or args
- # noqa var-naming[no-role-prefix]
- ansible.builtin.set_fact:
- _api_endpoint_in_args: >-
- {% if api_endpoint is defined and extra_server_args | default('') | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
- true
- {% else %}
- false
- {% endif %}
-
- - name: Add TLS SAN to arguments if needed
- when:
- - api_endpoint is defined
- - api_endpoint != ansible_hostname
- - not (_api_endpoint_in_args | trim | bool)
- # noqa var-naming[no-role-prefix]
- ansible.builtin.set_fact:
- opt_tls_san: "--tls-san={{ api_endpoint }}"
-
- - name: Copy K3s service file [Single/External DB]
- when: groups[server_group] | length == 1 or use_external_database | default(false)
- ansible.builtin.template:
- src: "k3s.service.j2"
- dest: "{{ systemd_dir }}/k3s.service"
- owner: root
- group: root
- mode: "0644"
- vars:
- cluster_init: false
- join: false
-
- - name: Copy K3s service file [HA - first server]
- when:
- - groups[server_group] | length > 1
- - not use_external_database | default(false)
- - inventory_hostname == groups[server_group][0] or ansible_host == groups[server_group][0]
- ansible.builtin.template:
- src: "k3s.service.j2"
- dest: "{{ systemd_dir }}/k3s.service"
- owner: root
- group: root
- mode: "0644"
- vars:
- cluster_init: 
true
- join: false
-
- - name: Copy K3s service file [HA - joining server]
- when:
- - groups[server_group] | length > 1
- - not use_external_database | default(false)
- - inventory_hostname != groups[server_group][0] and ansible_host != groups[server_group][0]
- ansible.builtin.template:
- src: "k3s.service.j2"
- dest: "{{ systemd_dir }}/k3s.service"
- owner: root
- group: root
- mode: "0644"
- vars:
- cluster_init: false
- join: true
-
- - name: Add token to the environment [server]
- when: server_group in group_names
- no_log: true # avoid logging the server token
- ansible.builtin.lineinfile:
- path: "{{ systemd_dir }}/k3s.service.env"
- regexp: '^K3S_TOKEN='
- line: "K3S_TOKEN={{ token is defined | ternary(token, k3s_upgrade_old_token.stdout) }}"
+ - name: Reload systemd daemon
+ when:
+ - not ansible_check_mode
+ - ansible_facts['service_mgr'] == 'systemd'
+ ansible.builtin.systemd:
+ daemon_reload: true
- name: Restart K3s service [server]
when: server_group in group_names
- ansible.builtin.systemd:
+ ansible.builtin.service:
state: restarted
- daemon_reload: true
name: k3s
- name: Restart K3s service [agent]
diff --git a/roles/k3s_upgrade/templates/k3s.service.j2 b/roles/k3s_upgrade/templates/k3s.service.j2
deleted file mode 100644
index e415005..0000000
--- a/roles/k3s_upgrade/templates/k3s.service.j2
+++ /dev/null
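Review bot: With `k3s.service.j2` removed, `Restart K3s service [server]` now restarts whatever unit the install script generated from `INSTALL_K3S_EXEC` in the server install task, which is outside this hunk; as far as I recall k3s gives CLI flags precedence over `config.yaml`, so confirm that task no longer passes `--cluster-init`, `--server` or `--tls-san`, otherwise the values written to config.yaml are shadowed. The new `Reload systemd daemon` task is gated on `ansible_facts['service_mgr'] == 'systemd'` while the two restart tasks that follow are not, so either non-systemd hosts are unsupported and the guard is dead, or the restarts need the same condition; a one-line comment such as `# systemd is the only supported init on k3s hosts; the check only skips the reload in check mode` stating which is intended would help the next reader.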
@@ -1,31 +0,0 @@
-[Unit]
-Description=Lightweight Kubernetes
-Documentation=https://k3s.io
-Wants=network-online.target
-After=network-online.target
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-Type=notify
-EnvironmentFile=-/etc/default/%N
-EnvironmentFile=-/etc/sysconfig/%N
-EnvironmentFile=-/etc/systemd/system/k3s.service.env
-KillMode=process
-Delegate=yes
-# Having non-zero Limit*s causes performance problems due to accounting overhead
-# in the kernel. We recommend using cgroups to do container-local accounting.
-LimitNOFILE=1048576
-LimitNPROC=infinity
-LimitCORE=infinity
-TasksMax=infinity
-TimeoutStartSec=0
-Restart=always
-RestartSec=5s
-ExecStartPre=-/sbin/modprobe br_netfilter
-ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {% if cluster_init == true %}--cluster-init {% endif %} \
- {% if join == true %}--server https://{{ api_endpoint }}:{{ api_port }} {% endif %} \
- {{ opt_tls_san | default('') }} \
- {{ extra_server_args }}