* Security exposure related to the token The installation playbook saves the token into the systemd unit configuration file /etc/systemd/system/k3s.service. The problem is that according to K3s' documentation "the server token should be guarded carefully" (https://docs.k3s.io/cli/token), yet the configuration file is readable by anybody. A better solution is to save the token into its corresponding environment file /etc/systemd/system/k3s.service.env which is readable by the super user only. This is what the standard K3s' installation script (https://get.k3s.io) does. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> * Restore the server URL into systemd configuration file There aren't any security implications in keeping it there. Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com> --------- Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
# Probe the node for an existing K3s binary. The result is registered so the
# following tasks can branch on its return code.
- name: Get k3s installed version
  ansible.builtin.command:
    cmd: k3s --version
  # A failing probe must not abort the play; later tasks read `rc` instead.
  ignore_errors: true
  # Read-only query, so never report a change.
  changed_when: false
  register: k3s_version_output
# Record the installed version as a fact: the third space-separated field of
# the first line printed by the version probe. Skipped when the probe
# returned a non-zero code, so `installed_k3s_version` may be undefined later.
- name: Set k3s installed version
  vars:
    k3s_version_line: "{{ k3s_version_output.stdout_lines[0] }}"
  ansible.builtin.set_fact:
    installed_k3s_version: "{{ k3s_version_line.split(' ')[2] }}"
  when: k3s_version_output.rc == 0
# Airgapped nodes already hold every K3s artifact. A newer version is
# downloaded and installed only in one of these cases:
#   - the installed version could not be read by the first task of this role
#   - the installed K3s is older than the `k3s_version` requested in the vars
# NOTE(review): `and` binds tighter than `or`, so the `airgap_dir` check only
# guards the version comparison. When the version probe failed, this block
# runs even if `airgap_dir` is defined - confirm that is intended.
- name: Download artifact only if needed
  when: >-
    k3s_version_output.rc != 0
    or (installed_k3s_version is version(k3s_version, '<')
    and airgap_dir is undefined)
  block:
    # NOTE(review): the script is fetched over HTTPS but not pinned to a
    # known digest, and the next task executes it. get_url's `checksum`
    # option or a vendored copy of the script would pin what gets run.
    - name: Download K3s install script
      ansible.builtin.get_url:
        url: https://get.k3s.io/
        dest: /usr/local/bin/k3s-install.sh
        timeout: 120
        mode: "0755"
        group: root
        owner: root

    # Run the installer in agent mode for the requested version without
    # starting the service; the service is handled by the last task.
    - name: Download K3s binary
      ansible.builtin.command:
        cmd: /usr/local/bin/k3s-install.sh
      # The installer always counts as a change when it runs.
      changed_when: true
      environment:
        INSTALL_K3S_EXEC: agent
        INSTALL_K3S_VERSION: "{{ k3s_version }}"
        # Kept as a quoted string: environment values must be strings.
        INSTALL_K3S_SKIP_START: "true"
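# Store the cluster join token in the agent's systemd environment file rather
# than in the unit file, which this role installs world-readable.
#   - `regexp` makes the task replace an existing K3S_TOKEN line instead of
#     appending a second one, so a rotated token does not leave the old
#     secret behind in the file.
#   - owner/group/mode are enforced on every run so the token stays readable
#     by root only, whatever permissions the file had before.
# NOTE(review): a change made here does not restart k3s-agent; the final task
# only reacts to the unit template changing - confirm that is acceptable.
- name: Add the token for joining the cluster to the environment
  # Keep the server token out of Ansible's task output and logs.
  no_log: true
  ansible.builtin.lineinfile:
    path: "{{ systemd_dir }}/k3s-agent.service.env"
    regexp: "^K3S_TOKEN="
    line: "K3S_TOKEN={{ token }}"
    owner: root
    group: root
    mode: "0600"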
# Render the agent unit file from its Jinja2 template and register the
# result so the service task can tell whether the unit changed.
# The unit is installed readable by everyone (rw-r--r--), so secrets such as
# the join token belong in the separate root-only .env file, not in the
# template.
- name: Copy K3s service file
  ansible.builtin.template:
    src: k3s-agent.service.j2
    dest: "{{ systemd_dir }}/k3s-agent.service"
    mode: "u=rw,g=r,o=r"
    group: root
    owner: root
  register: k3s_agent_service
# Make sure the agent is enabled at boot and running. When the unit file was
# rewritten, systemd reloads its unit definitions and the service is
# restarted; otherwise the service is only brought to the started state.
- name: Enable and check K3s service
  ansible.builtin.systemd:
    name: k3s-agent
    enabled: true
    daemon_reload: "{{ k3s_agent_service is changed }}"
    state: "{{ 'restarted' if k3s_agent_service is changed else 'started' }}"