* Auto-add --tls-san={{ api_endpoint }} when it differs from ansible_hostname
* Ensures first server generates certificate with all required SANs
* Add .ansible/ and PR_DESCRIPTION.md to gitignore
Signed-off-by: Guillaume Andre <mail@guillaumea.fr>
* Generate token
If a token is not explicitly provided, let the first server generate a
random one. Such a token is saved on the first server and the playbook
can retrieve it from there and store it a a fact. All other servers and
agents can use that token later to join the cluster. It will be saved
into their environment file as usual.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Document that token is (mostly) optional now
The token is still required when using Vagrant.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Prevent multiple tokens in k3s.service.env
If site.yml playbook is executed multiple times with different tokens,
they will all accumulate in k3s.service.env. They won't do any harm
because the last one wins, however it is a matter of good housekeeping
to delete the old before inserting a new one.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Selectively remove existing token from the environment file
If the existing token in the environment file is the same as the token
used for the playbook run, leave it in the file to avoid false changed
status from the task.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---------
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Security exposure related to the token
The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the super user only. This is what the standard K3s'
installation script (https://get.k3s.io) does.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Restore the server URL into systemd configuration file
There aren't any security implications in keeping it there.
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---------
Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
* Implement compatible yamllint, make octals explicit
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Replace yum with dnf, yum is deprecated
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
- [Agent : Download artefact only if needed](roles/k3s_agent/tasks/main.yml#L13)
- [Server : Download artefact only if needed](roles/k3s_server/tasks/main.yml#L13)
- [Upgrade : Upgrade node only if needed](roles/k3s_upgrade/tasks/main.yml#L14)
Linked issue #264 k3s_server and k3s_agent tasks are not idempotent
Signed-off-by: Loïc Dubard <loic97429@gmail.com>
* Limited boolean values to true/false;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Moved ArchLinux prereq task to be a handler;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Standardized task name for adding cgroup support;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Have backrefs: follow path:;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Addressed ansible-lint errors;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
* Fixed#264, task 7: Copy K3s service file;
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
---------
Signed-off-by: Jon S. Stumpf <jon.stumpf@gmail.com>
