Enforce use of a defined token. Simplifies additional server and agent joining process.

Signed-off-by: Derek Nola <derek.nola@suse.com>
2025-12-25 00:12:37 +01:00 · 2023-11-08 14:00:52 -08:00
parent 9ecdc933ca
commit 565c9fa049
7 changed files with 16 additions and 42 deletions
--- a/roles/k3s/server/defaults/main.yml
+++ b/roles/k3s/server/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 k3s_server_location: "/var/lib/rancher/k3s"
 systemd_dir: "/etc/systemd/system"
+api_port: 6443
--- a/roles/k3s/server/tasks/main.yml
+++ b/roles/k3s/server/tasks/main.yml
@@ -6,7 +6,7 @@
      ansible.builtin.command:
        cmd: >
          systemd-run -p RestartSec=2 -p Restart=on-failure --unit=k3s-init k3s server
-          --cluster-init --tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args}}
+          --cluster-init --token {{ token }} --tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args}}
        # noqa: jinja[spacing]
        creates: "{{ k3s_server_location }}/server/node-token"
      when: groups['server'] | length > 1
@@ -15,38 +15,10 @@
      ansible.builtin.command:
        cmd: >
          systemd-run -p RestartSec=2 -p Restart=on-failure --unit=k3s-init k3s server
-           --tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args }}
+          --token {{ token }} --tls-san {{ api_endpoint }} --data-dir {{ k3s_server_location }} {{ extra_server_args }}
        creates: "{{ k3s_server_location }}/server/node-token"
      when: groups['server'] | length == 1

-    - name: Wait for node-token
-      ansible.builtin.wait_for:
-        path: "{{ k3s_server_location }}/server/node-token"
-
-    - name: Register node-token file access mode
-      ansible.builtin.stat:
-        path: "{{ k3s_server_location }}/server/node-token"
-      register: p
-
-    - name: Change file access node-token
-      ansible.builtin.file:
-        path: "{{ k3s_server_location }}/server/node-token"
-        mode: "g+rx,o+rx"
-
-    - name: Read node-token from server
-      ansible.builtin.slurp:
-        path: "{{ k3s_server_location }}/server/node-token"
-      register: node_token
-
-    - name: Store server node-token
-      ansible.builtin.set_fact:
-        token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"
-
-    - name: Restore node-token file access
-      ansible.builtin.file:
-        path: "{{ k3s_server_location }}/server/node-token"
-        mode: "{{ p.stat.mode }}"
-
    - name: Create directory .kube
      ansible.builtin.file:
        path: ~{{ ansible_user }}/.kube
--- a/roles/k3s/server/templates/k3s-server.service.j2
+++ b/roles/k3s/server/templates/k3s-server.service.j2
@@ -7,7 +7,7 @@ After=network-online.target
 Type=notify
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }}
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }} --token {{ token }}
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead