mirrors/k3s-ansible
1
0
Fork 1
mirror of https://github.com/k3s-io/k3s-ansible.git synced 2025-12-25 00:12:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Automatically inject tls-san when api_endpoint differs from hostname (#434)

Browse Source 
* Auto-add --tls-san={{ api_endpoint }} when it differs from ansible_hostname
* Ensures first server generates certificate with all required SANs
* Add .ansible/ and PR_DESCRIPTION.md to gitignore

Signed-off-by: Guillaume Andre <mail@guillaumea.fr>
This commit is contained in:
Guillaume A
2025-09-16 02:21:20 +08:00
committed by GitHub
parent cb640b853f
commit f2aed3ba47
7 changed files with 52 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -3,4 +3,6 @@ venv
.vscode .vscode
.vagrant .vagrant
inventory.yml inventory.yml
playbook/debug.yml playbook/debug.yml
.ansible/
PR_DESCRIPTION.md

22
roles/k3s_agent/tasks/main.yml
View File

@@ -41,6 +41,28 @@
}) }} }) }}
changed_when: true changed_when: true
- name: Compute final agent arguments
ansible.builtin.set_fact:
_api_endpoint_in_agent_config: >-
{% if agent_config_yaml is defined and api_endpoint is defined and agent_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
true
{% else %}
false
{% endif %}
_api_endpoint_in_agent_args: >-
{% if api_endpoint is defined and extra_agent_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
true
{% else %}
false
{% endif %}
- name: Add TLS SAN to agent arguments if needed
ansible.builtin.set_fact:
opt_tls_san: >-
{% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_agent_config | bool == false and _api_endpoint_in_agent_args | bool == false %}
--tls-san={{ api_endpoint }}
{% endif %}
- name: Setup optional config file - name: Setup optional config file
when: agent_config_yaml is defined when: agent_config_yaml is defined
block: block:

2
roles/k3s_agent/templates/k3s-agent.service.j2
View File

@@ -26,4 +26,4 @@ RestartSec=5s
ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service' ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }} ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ opt_tls_san }} {{ extra_agent_args }}

23
roles/k3s_server/tasks/main.yml
View File

@@ -46,6 +46,29 @@
regexp: '\.\s+<\(k3s completion bash\)' regexp: '\.\s+<\(k3s completion bash\)'
line: ". <(k3s completion bash) # Added by k3s-ansible" line: ". <(k3s completion bash) # Added by k3s-ansible"
- name: Compute final server arguments
ansible.builtin.set_fact:
_api_endpoint_in_config: >-
{% if server_config_yaml is defined and api_endpoint is defined and server_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
true
{% else %}
false
{% endif %}
_api_endpoint_in_args: >-
{% if api_endpoint is defined and extra_server_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
true
{% else %}
false
{% endif %}
- name: Add TLS SAN to server arguments if needed
ansible.builtin.set_fact:
final_server_args: >-
{{ extra_server_args }}
{% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_config | bool == false and _api_endpoint_in_args | bool == false %}
--tls-san={{ api_endpoint }}
{% endif %}
- name: Setup optional config file - name: Setup optional config file
when: server_config_yaml is defined when: server_config_yaml is defined
block: block:

2
roles/k3s_server/templates/k3s-cluster-init.service.j2
View File

@@ -25,4 +25,4 @@ Restart=always
RestartSec=5s RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }} ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ final_server_args }}

2
roles/k3s_server/templates/k3s-ha.service.j2
View File

@@ -25,4 +25,4 @@ Restart=always
RestartSec=5s RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }} ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ final_server_args }}

2
roles/k3s_server/templates/k3s-single.service.j2
View File

@@ -25,4 +25,4 @@ Restart=always
RestartSec=5s RestartSec=5s
ExecStartPre=-/sbin/modprobe br_netfilter ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }} ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ final_server_args }}