Merge f6ee0c72ef into 70e658cf98

Small tweak to reduce delta from head

Set calico option to be disabled by default

Add rescue blocks in case updating existing

Refactor items and update comments

Refactor and consolidate calico.yml into block

Refactor to use template for Calico CRs

Revert use_calico to false

Template blockSize

Align default cidr in template with all.yml sample

Apply upstream version tags

Revert to current ver tags. Upstream's don't work.

Update template address detection

Add Tigera Operator/Calico CNI option

.ansible-lint

@@ -13,8 +13,5 @@ exclude_paths:
   - 'molecule/**/prepare.yml'
   - 'molecule/**/reset.yml'
 
-  # The file was generated by galaxy ansible - don't mess with it.
-  - 'galaxy.yml'
-
 skip_list:
   - 'fqcn-builtins'

.github/ISSUE_TEMPLATE.md

@@ -35,7 +35,7 @@ k3s_version: ""
 ansible_user: NA
 systemd_dir: ""
 
-flannel_iface: ""
+container_iface: ""
 
 apiserver_endpoint: ""
 

.github/workflows/cache.yml

@@ -1,42 +0,0 @@
----
-name: "Cache"
-on:
-  workflow_call:
-jobs:
-  molecule:
-    name: cache
-    runs-on: self-hosted
-    env:
-      PYTHON_VERSION: "3.11"
-
-    steps:
-      - name: Check out the codebase
-        uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v3 2.5.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # 2.3.3
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'pip' # caching pip dependencies
-
-      - name: Cache Vagrant boxes
-        id: cache-vagrant
-        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
-        with:
-          lookup-only: true #if it exists, we don't need to restore and can skip the next step
-          path: |
-            ~/.vagrant.d/boxes
-          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
-          restore-keys: |
-            vagrant-boxes
-
-      - name: Download Vagrant boxes for all scenarios
-        # To save some cache space, all scenarios share the same cache key.
-        # On the other hand, this means that the cache contents should be
-        # the same across all scenarios. This step ensures that.
-        if: steps.cache-vagrant.outputs.cache-hit != 'true' # only run if false since this is just a cache step
-        run: |
-          ./.github/download-boxes.sh
-          vagrant box list

.github/workflows/ci.yml

@@ -8,11 +8,8 @@ on:
     paths-ignore:
       - '**/README.md'
 jobs:
-  pre:
-    uses: ./.github/workflows/cache.yml
   lint:
     uses: ./.github/workflows/lint.yml
-    needs: [pre]
   test:
     uses: ./.github/workflows/test.yml
-    needs: [pre, lint]
+    needs: [lint]

.github/workflows/lint.yml

@@ -5,7 +5,7 @@ on:
 jobs:
   pre-commit-ci:
     name: Pre-Commit
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     env:
       PYTHON_VERSION: "3.11"
 
@@ -21,11 +21,21 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
 
-      - name: Restore Ansible cache
-        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
+      - name: Cache pip
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('./requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Cache Ansible
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
         with:
           path: ~/.ansible/collections
-          key: ansible-${{ hashFiles('collections/requirements.yml') }}
+          key: ${{ runner.os }}-ansible-${{ hashFiles('collections/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
 
       - name: Install dependencies
         run: |
@@ -37,12 +47,16 @@ jobs:
           python3 -m pip install -r requirements.txt
           echo "::endgroup::"
 
+          echo "::group::Install Ansible role requirements from collections/requirements.yml"
+          ansible-galaxy install -r collections/requirements.yml
+          echo "::endgroup::"
+
       - name: Run pre-commit
         uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # 3.0.0
 
   ensure-pinned-actions:
     name: Ensure SHA Pinned Actions
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v3 2.5.0

.github/workflows/test.yml

@@ -5,7 +5,7 @@ on:
 jobs:
   molecule:
     name: Molecule
-    runs-on: self-hosted
+    runs-on: macos-12
     strategy:
       matrix:
         scenario:
@@ -30,19 +30,35 @@ jobs:
           * fdad:bad:ba55::/64
           EOF
 
+      - name: Cache pip
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('./requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Cache Vagrant boxes
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
+        with:
+          path: |
+            ~/.vagrant.d/boxes
+          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
+          restore-keys: |
+            vagrant-boxes
+
+      - name: Download Vagrant boxes for all scenarios
+        # To save some cache space, all scenarios share the same cache key.
+        # On the other hand, this means that the cache contents should be
+        # the same across all scenarios. This step ensures that.
+        run: ./.github/download-boxes.sh
+
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # 2.3.3
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
 
-      - name: Restore vagrant Boxes cache
-        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
-        with:
-          path: ~/.vagrant.d/boxes
-          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
-          fail-on-cache-miss: true
-
       - name: Install dependencies
         run: |
           echo "::group::Upgrade pip"
@@ -59,7 +75,7 @@ jobs:
         env:
           ANSIBLE_K3S_LOG_DIR: ${{ runner.temp }}/logs/k3s-ansible/${{ matrix.scenario }}
           ANSIBLE_SSH_RETRIES: 4
-          ANSIBLE_TIMEOUT: 120
+          ANSIBLE_TIMEOUT: 60
           PY_COLORS: 1
           ANSIBLE_FORCE_COLOR: 1
 

.yamllint

@@ -6,6 +6,4 @@ rules:
     max: 120
     level: warning
   truthy:
-    allowed-values: ['true', 'false']
-ignore:
-  - galaxy.yml
+    allowed-values: ['true', 'false', 'yes', 'no']

README.md

@@ -118,28 +118,6 @@ You can find more information about it [here](molecule/README.md).
 
 This repo uses `pre-commit` and `pre-commit-hooks` to lint and fix common style and syntax errors.  Be sure to install python packages and then run `pre-commit install`.  For more information, see [pre-commit](https://pre-commit.com/)
 
-## 🌌 Ansible Galaxy
-
-This collection can now be used in larger ansible projects.
-
-Instructions:
-
-- create or modify a file `collections/requirements.yml` in your project
-
-```yml
-collections:
-  - name: ansible.utils
-  - name: community.general
-  - name: ansible.posix
-  - name: kubernetes.core
-  - name: https://github.com/techno-tim/k3s-ansible.git
-    type: git
-    version: master
-```
-
-- install via `ansible-galaxy collection install -r ./collections/requirements.yml`
-- every role is now available via the prefix `techno_tim.k3s_ansible.` e.g. `techno_tim.k3s_ansible.lxc`
-
 ## Thanks 🤝
 
 This repo is really standing on the shoulders of giants. Thank you to all those who have contributed and thanks to these repos for code and ideas:

galaxy.yml

@@ -1,81 +0,0 @@
-### REQUIRED
-# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
-# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
-# underscores or numbers and cannot contain consecutive underscores
-namespace: techno_tim
-
-# The name of the collection. Has the same character restrictions as 'namespace'
-name: k3s_ansible
-
-# The version of the collection. Must be compatible with semantic versioning
-version: 1.0.0
-
-# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
-readme: README.md
-
-# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
-# @nicks:irc/im.site#channel'
-authors:
-- your name <example@domain.com>
-
-
-### OPTIONAL but strongly recommended
-# A short summary description of the collection
-description: >
-  The easiest way to bootstrap a self-hosted High Availability Kubernetes
-  cluster. A fully automated HA k3s etcd install with kube-vip, MetalLB,
-  and more.
-
-# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
-# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
-license:
-- Apache-2.0
-
-
-# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
-# requirements as 'namespace' and 'name'
-tags:
-  - etcd
-  - high-availability
-  - k8s
-  - k3s
-  - k3s-cluster
-  - kube-vip
-  - kubernetes
-  - metallb
-  - rancher
-
-# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
-# collection label 'namespace.name'. The value is a version range
-# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
-# range specifiers can be set and are separated by ','
-dependencies:
-  ansible.utils: '*'
-  ansible.posix: '*'
-  community.general: '*'
-  kubernetes.core: '*'
-
-# The URL of the originating SCM repository
-repository: https://github.com/techno-tim/k3s-ansible
-
-# The URL to any online docs
-documentation: https://github.com/techno-tim/k3s-ansible
-
-# The URL to the homepage of the collection/project
-homepage: https://www.youtube.com/watch?v=CbkEWcUZ7zM
-
-# The URL to the collection issue tracker
-issues: https://github.com/techno-tim/k3s-ansible/issues
-
-# A list of file glob-like patterns used to filter any files or directories that should not be included in the build
-# artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
-# uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
-# and '.git' are always filtered. Mutually exclusive with 'manifest'
-build_ignore: []
-
-# A dict controlling use of manifest directives used in building the collection artifact. The key 'directives' is a
-# list of MANIFEST.in style
-# L(directives,https://packaging.python.org/en/latest/guides/using-manifest-in/#manifest-in-commands). The key
-# 'omit_default_directives' is a boolean that controls whether the default directives are used. Mutually exclusive
-# with 'build_ignore'
-# manifest: null

inventory/sample/group_vars/all.yml

@@ -7,8 +7,14 @@ systemd_dir: /etc/systemd/system
 # Set your timezone
 system_timezone: "Your/Timezone"
 
-# interface which will be used for flannel
-flannel_iface: "eth0"
+# node interface which will be used for the container network interface (flannel or calico)
+container_iface: "eth0"
+
+# set use_calico to true to use tigera operator/calico instead of the default CNI flannel
+# install reference: https://docs.tigera.io/calico/latest/getting-started/kubernetes/k3s/multi-node-install#install-calico
+use_calico: false
+calico_cidr: "10.52.0.0/16" # pod cidr pool
+calico_tag: "v3.27.0" # calico version tag
 
 # apiserver_endpoint is virtual ip-address which will be configured on each master
 apiserver_endpoint: "192.168.30.222"
@@ -20,23 +26,30 @@ k3s_token: "some-SUPER-DEDEUPER-secret-password"
 # The IP on which the node is reachable in the cluster.
 # Here, a sensible default is provided, you can still override
 # it for each of your hosts, though.
-k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}'
+k3s_node_ip: '{{ ansible_facts[container_iface]["ipv4"]["address"] }}'
 
 # Disable the taint manually by setting: k3s_master_taint = false
 k3s_master_taint: "{{ true if groups['node'] | default([]) | length >= 1 else false }}"
 
 # these arguments are recommended for servers as well as agents:
 extra_args: >-
-  --flannel-iface={{ flannel_iface }}
+  {{ '--flannel-iface=' + container_iface if not use_calico else '' }}
   --node-ip={{ k3s_node_ip }}
 
 # change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }}
+# the contents of the if block is also required if using calico
 extra_server_args: >-
   {{ extra_args }}
   {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
+  {% if use_calico %}
+  --flannel-backend=none
+  --disable-network-policy
+  --cluster-cidr={{ calico_cidr }}
+  {% endif %}
   --tls-san {{ apiserver_endpoint }}
   --disable servicelb
   --disable traefik
+
 extra_agent_args: >-
   {{ extra_args }}
 
@@ -66,9 +79,9 @@ metal_lb_ip_range: "192.168.30.80-192.168.30.90"
 # Please read https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185 before using this.
 # Most notably, your containers must be privileged, and must not have nesting set to true.
 # Please note this script disables most of the security of lxc containers, with the trade off being that lxc
-# containers are significantly more resource efficient compared to full VMs.
+# containers are significantly more resource efficent compared to full VMs.
 # Mixing and matching VMs and lxc containers is not supported, ymmv if you want to do this.
-# I would only really recommend using this if you have particularly low powered proxmox nodes where the overhead of
+# I would only really recommend using this if you have partiularly low powered proxmox nodes where the overhead of
 # VMs would use a significant portion of your available resources.
 proxmox_lxc_configure: false
 # the user that you would use to ssh into the host, for example if you run ssh some-user@my-proxmox-host,

molecule/default/molecule.yml

@@ -7,7 +7,7 @@ platforms:
 
   - name: control1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -23,7 +23,7 @@ platforms:
 
   - name: control2
     box: generic/debian11
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -34,7 +34,7 @@ platforms:
 
   - name: control3
     box: generic/rocky9
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -45,7 +45,7 @@ platforms:
 
   - name: node1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -61,7 +61,7 @@ platforms:
 
   - name: node2
     box: generic/rocky9
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -72,8 +72,6 @@ platforms:
 
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -84,6 +82,7 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
+    - lint
     - cleanup
     - destroy
     - syntax

molecule/default/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        flannel_iface: eth1
+        container_iface: eth1
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:
         retry_count: 45

molecule/default/prepare.yml

@@ -17,6 +17,6 @@
       # and security needs.
       ansible.builtin.systemd:
         name: firewalld
-        enabled: false
+        enabled: no
         state: stopped
       become: true

molecule/ipv6/molecule.yml

@@ -6,7 +6,7 @@ driver:
 platforms:
   - name: control1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -22,7 +22,7 @@ platforms:
 
   - name: control2
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -38,7 +38,7 @@ platforms:
 
   - name: node1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -53,8 +53,6 @@ platforms:
       ssh.password: "vagrant"
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -65,6 +63,7 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
+    - lint
     - cleanup
     - destroy
     - syntax

molecule/ipv6/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        flannel_iface: eth1
+        container_iface: eth1
 
         # In this scenario, we have multiple interfaces that the VIP could be
         # broadcasted on. Since we have assigned a dedicated private network
@@ -27,13 +27,13 @@
           - fdad:bad:ba55::1b:0/112
           - 192.168.123.80-192.168.123.90
 
-        # k3s_node_ip is by default set to the IPv4 address of flannel_iface.
+        # k3s_node_ip is by default set to the IPv4 address of container_iface.
         # We want IPv6 addresses here of course, so we just specify them
         # manually below.
         k3s_node_ip: "{{ node_ipv4 }},{{ node_ipv6 }}"
 
     - name: Override host variables (2/2)
-      # Since "extra_args" depends on "k3s_node_ip" and "flannel_iface" we have
+      # Since "extra_args" depends on "k3s_node_ip" and "container_iface" we have
       # to set this AFTER overriding the both of them.
       ansible.builtin.set_fact:
         # A few extra server args are necessary:

molecule/ipv6/prepare.yml

@@ -30,7 +30,7 @@
         name: net.ipv6.conf.{{ item }}.accept_dad
         value: "0"
       with_items:
-        - "{{ flannel_iface }}"
+        - "{{ container_iface }}"
 
     - name: Write IPv4 configuration
       ansible.builtin.template:

molecule/ipv6/templates/55-flannel-ipv4.yaml.j2

@@ -3,6 +3,6 @@ network:
   version: 2
   renderer: networkd
   ethernets:
-    {{ flannel_iface }}:
+    {{ container_iface }}:
       addresses:
       - {{ node_ipv4 }}/24

molecule/resources/verify_from_outside/tasks/test/deploy-example.yml

@@ -35,7 +35,7 @@
     - name: Assert that the nginx welcome page is available
       ansible.builtin.uri:
         url: http://{{ ip | ansible.utils.ipwrap }}:{{ port_ }}/
-        return_content: true
+        return_content: yes
       register: result
       failed_when: "'Welcome to nginx!' not in result.content"
       vars:

molecule/single_node/molecule.yml

@@ -21,8 +21,6 @@ platforms:
         ip: 192.168.30.50
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -33,6 +31,7 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
+    - lint
     - cleanup
     - destroy
     - syntax

molecule/single_node/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        flannel_iface: eth1
+        container_iface: eth1
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:
         retry_count: 45

reboot.yml

@@ -1,7 +1,7 @@
 ---
 - name: Reboot k3s_cluster
   hosts: k3s_cluster
-  gather_facts: true
+  gather_facts: yes
   tasks:
     - name: Reboot the nodes (and Wait upto 5 mins max)
       become: true

requirements.in

@@ -1,10 +1,10 @@
-ansible-core>=2.16.2
+ansible-core>=2.13.5
 jmespath>=1.0.1
-jsonpatch>=1.33
-kubernetes>=29.0.0
-molecule-plugins[vagrant]
-molecule>=6.0.3
-netaddr>=0.10.1
-pre-commit>=3.6.0
-pre-commit-hooks>=4.5.0
-pyyaml>=6.0.1
+jsonpatch>=1.32
+kubernetes>=25.3.0
+molecule-vagrant>=1.0.0
+molecule>=4.0.3
+netaddr>=0.8.0
+pre-commit>=2.20.0
+pre-commit-hooks>=1.3.1
+pyyaml>=6.0

requirements.txt

@@ -4,165 +4,174 @@
 #
 #    pip-compile requirements.in
 #
-ansible-compat==4.1.11
+ansible-compat==3.0.1
     # via molecule
-ansible-core==2.16.2
+ansible-core==2.15.4
     # via
     #   -r requirements.in
     #   ansible-compat
-    #   molecule
-attrs==23.2.0
-    # via
-    #   jsonschema
-    #   referencing
-bracex==2.4
-    # via wcmatch
-cachetools==5.3.2
+arrow==1.2.3
+    # via jinja2-time
+attrs==22.1.0
+    # via jsonschema
+binaryornot==0.4.4
+    # via cookiecutter
+cachetools==5.2.0
     # via google-auth
-certifi==2023.11.17
+certifi==2022.9.24
     # via
     #   kubernetes
     #   requests
-cffi==1.16.0
+cffi==1.15.1
     # via cryptography
-cfgv==3.4.0
+cfgv==3.3.1
     # via pre-commit
-charset-normalizer==3.3.2
+chardet==5.0.0
+    # via binaryornot
+charset-normalizer==2.1.1
     # via requests
-click==8.1.7
+click==8.1.3
     # via
     #   click-help-colors
+    #   cookiecutter
     #   molecule
-click-help-colors==0.9.4
+click-help-colors==0.9.1
     # via molecule
-cryptography==41.0.7
+commonmark==0.9.1
+    # via rich
+cookiecutter==2.1.1
+    # via molecule
+cryptography==38.0.3
     # via ansible-core
-distlib==0.3.8
+distlib==0.3.6
     # via virtualenv
+distro==1.8.0
+    # via selinux
 enrich==1.2.7
     # via molecule
-filelock==3.13.1
+filelock==3.8.0
     # via virtualenv
-google-auth==2.26.2
+google-auth==2.14.0
     # via kubernetes
-identify==2.5.33
+identify==2.5.8
     # via pre-commit
-idna==3.6
+idna==3.4
     # via requests
-jinja2==3.1.3
+jinja2==3.1.2
     # via
     #   ansible-core
+    #   cookiecutter
+    #   jinja2-time
     #   molecule
+    #   molecule-vagrant
+jinja2-time==0.2.0
+    # via cookiecutter
 jmespath==1.0.1
     # via -r requirements.in
 jsonpatch==1.33
     # via -r requirements.in
-jsonpointer==2.4
+jsonpointer==2.3
     # via jsonpatch
-jsonschema==4.21.1
+jsonschema==4.17.0
     # via
     #   ansible-compat
     #   molecule
-jsonschema-specifications==2023.12.1
-    # via jsonschema
-kubernetes==29.0.0
+kubernetes==25.3.0
     # via -r requirements.in
-markdown-it-py==3.0.0
-    # via rich
-markupsafe==2.1.4
+markupsafe==2.1.1
     # via jinja2
-mdurl==0.1.2
-    # via markdown-it-py
-molecule==6.0.3
+molecule==4.0.4
     # via
     #   -r requirements.in
-    #   molecule-plugins
-molecule-plugins[vagrant]==23.5.0
+    #   molecule-vagrant
+molecule-vagrant==1.0.0
     # via -r requirements.in
-netaddr==0.10.1
+netaddr==0.10.0
     # via -r requirements.in
-nodeenv==1.8.0
+nodeenv==1.7.0
     # via pre-commit
 oauthlib==3.2.2
-    # via
-    #   kubernetes
-    #   requests-oauthlib
-packaging==23.2
+    # via requests-oauthlib
+packaging==21.3
     # via
     #   ansible-compat
     #   ansible-core
     #   molecule
-platformdirs==4.1.0
+platformdirs==2.5.2
     # via virtualenv
-pluggy==1.3.0
+pluggy==1.0.0
     # via molecule
-pre-commit==3.6.0
+pre-commit==2.21.0
     # via -r requirements.in
 pre-commit-hooks==4.5.0
     # via -r requirements.in
-pyasn1==0.5.1
+pyasn1==0.4.8
     # via
     #   pyasn1-modules
     #   rsa
-pyasn1-modules==0.3.0
+pyasn1-modules==0.2.8
     # via google-auth
 pycparser==2.21
     # via cffi
-pygments==2.17.2
+pygments==2.13.0
     # via rich
+pyparsing==3.0.9
+    # via packaging
+pyrsistent==0.19.2
+    # via jsonschema
 python-dateutil==2.8.2
-    # via kubernetes
+    # via
+    #   arrow
+    #   kubernetes
+python-slugify==6.1.2
+    # via cookiecutter
 python-vagrant==1.0.0
-    # via molecule-plugins
+    # via molecule-vagrant
 pyyaml==6.0.1
     # via
     #   -r requirements.in
     #   ansible-compat
     #   ansible-core
+    #   cookiecutter
     #   kubernetes
     #   molecule
+    #   molecule-vagrant
     #   pre-commit
-referencing==0.32.1
-    # via
-    #   jsonschema
-    #   jsonschema-specifications
-requests==2.31.0
+requests==2.28.1
     # via
+    #   cookiecutter
     #   kubernetes
     #   requests-oauthlib
 requests-oauthlib==1.3.1
     # via kubernetes
-resolvelib==1.0.1
+resolvelib==0.8.1
     # via ansible-core
-rich==13.7.0
+rich==12.6.0
     # via
     #   enrich
     #   molecule
-rpds-py==0.17.1
-    # via
-    #   jsonschema
-    #   referencing
 rsa==4.9
     # via google-auth
-ruamel-yaml==0.18.5
+ruamel-yaml==0.17.21
     # via pre-commit-hooks
-ruamel-yaml-clib==0.2.8
-    # via ruamel-yaml
+selinux==0.2.1
+    # via molecule-vagrant
 six==1.16.0
     # via
+    #   google-auth
     #   kubernetes
     #   python-dateutil
 subprocess-tee==0.4.1
     # via ansible-compat
-urllib3==2.1.0
+text-unidecode==1.3
+    # via python-slugify
+urllib3==1.26.12
     # via
     #   kubernetes
     #   requests
-virtualenv==20.25.0
+virtualenv==20.16.6
     # via pre-commit
-wcmatch==8.5
-    # via molecule
-websocket-client==1.7.0
+websocket-client==1.4.2
     # via kubernetes
 
 # The following packages are considered to be unsafe in a requirements file:

reset.yml

@@ -1,7 +1,7 @@
 ---
 - name: Reset k3s cluster
   hosts: k3s_cluster
-  gather_facts: true
+  gather_facts: yes
   roles:
     - role: reset
       become: true
@@ -17,7 +17,7 @@
 - name: Revert changes to Proxmox cluster
   hosts: proxmox
   gather_facts: true
-  become: true
+  become: yes
   remote_user: "{{ proxmox_lxc_ssh_user }}"
   roles:
     - role: reset_proxmox_lxc

roles/k3s_agent/tasks/http_proxy.yml

@@ -1,8 +1,8 @@
 ---
 
-- name: Create k3s-node.service.d directory
+- name: Create k3s.service.d directory
   file:
-    path: '{{ systemd_dir }}/k3s-node.service.d'
+    path: '{{ systemd_dir }}/k3s.service.d'
     state: directory
     owner: root
     group: root
@@ -12,7 +12,7 @@
 - name: Copy K3s http_proxy conf file
   template:
     src: "http_proxy.conf.j2"
-    dest: "{{ systemd_dir }}/k3s-node.service.d/http_proxy.conf"
+    dest: "{{ systemd_dir }}/k3s.service.d/http_proxy.conf"
     owner: root
     group: root
     mode: '0755'

roles/k3s_agent/tasks/main.yml

@@ -15,6 +15,6 @@
 - name: Enable and check K3s service
   systemd:
     name: k3s-node
-    daemon_reload: true
+    daemon_reload: yes
     state: restarted
-    enabled: true
+    enabled: yes

roles/k3s_server/tasks/main.yml

@@ -6,13 +6,6 @@
     state: stopped
   failed_when: false
 
-# k3s-init won't work if the port is already in use
-- name: Stop k3s
-  systemd:
-    name: k3s
-    state: stopped
-  failed_when: false
-
 - name: Clean previous runs of k3s-init  # noqa command-instead-of-module
   # The systemd module does not support "reset-failed", so we need to resort to command.
   command: systemctl reset-failed k3s-init
@@ -36,7 +29,7 @@
                       -p Restart=on-failure \
                       --unit=k3s-init \
                       k3s server {{ server_init_args }}"
-    creates: "{{ systemd_dir }}/k3s-init.service"
+    creates: "{{ systemd_dir }}/k3s.service"
 
 - name: Verification
   when: not ansible_check_mode
@@ -74,9 +67,9 @@
 - name: Enable and check K3s service
   systemd:
     name: k3s
-    daemon_reload: true
+    daemon_reload: yes
     state: restarted
-    enabled: true
+    enabled: yes
 
 - name: Wait for node-token
   wait_for:
@@ -117,7 +110,7 @@
   copy:
     src: /etc/rancher/k3s/k3s.yaml
     dest: "{{ ansible_user_dir }}/.kube/config"
-    remote_src: true
+    remote_src: yes
     owner: "{{ ansible_user_id }}"
     mode: "u=rw,g=,o="
 

roles/k3s_server_post/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # Timeout to wait for MetalLB services to come up
-metal_lb_available_timeout: 240s
+metal_lb_available_timeout: 120s
 
 # Name of the master group
 group_name_master: master

roles/k3s_server_post/tasks/calico.yml

@@ -0,0 +1,97 @@
+---
+- block:
+    - name: Create manifests directory on first master
+      file:
+        path: /tmp/k3s
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: "Download to first master: manifest for Tigera Operator and Calico CRDs"
+      ansible.builtin.get_url:
+        url: "https://raw.githubusercontent.com/projectcalico/calico/{{ calico_tag }}/manifests/tigera-operator.yaml"
+        dest: "/tmp/k3s/tigera-operator.yaml"
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: Copy Calico custom resources manifest to first master
+      ansible.builtin.template:
+        src: "calico.crs.j2"
+        dest: /tmp/k3s/custom-resources.yaml
+
+    - name: Deploy or replace Tigera Operator
+      block:
+        - name: Deploy Tigera Operator
+          ansible.builtin.command:
+            cmd: kubectl create -f /tmp/k3s/tigera-operator.yaml
+          register: create_operator
+          changed_when: "'created' in create_operator.stdout"
+          failed_when: "'Error' in create_operator.stderr and 'already exists' not in create_operator.stderr"
+      rescue:
+        - name: Replace existing Tigera Operator
+          ansible.builtin.command:
+            cmd: kubectl replace -f /tmp/k3s/tigera-operator.yaml
+          register: replace_operator
+          changed_when: "'replaced' in replace_operator.stdout"
+          failed_when: "'Error' in replace_operator.stderr"
+
+    - name: Wait for Tigera Operator resources
+      command: >-
+        k3s kubectl wait {{ item.type }}/{{ item.name }}
+        --namespace='tigera-operator'
+        --for=condition=Available=True
+        --timeout=7s
+      register: tigera_result
+      changed_when: false
+      until: tigera_result is succeeded
+      retries: 7
+      delay: 7
+      with_items:
+        - { name: tigera-operator, type: deployment }
+      loop_control:
+        label: "{{ item.type }}/{{ item.name }}"
+    
+    - name: Deploy Calico custom resources
+      block:
+        - name: Deploy custom resources for Calico
+          ansible.builtin.command:
+            cmd: kubectl create -f /tmp/k3s/custom-resources.yaml
+          register: create_cr
+          changed_when: "'created' in create_cr.stdout"
+          failed_when: "'Error' in create_cr.stderr and 'already exists' not in create_cr.stderr"
+      rescue:
+        - name: Apply new Calico custom resource manifest
+          ansible.builtin.command:
+            cmd: kubectl apply -f /tmp/k3s/custom-resources.yaml
+          register: apply_cr
+          changed_when: "'configured' in apply_cr.stdout or 'created' in apply_cr.stdout"
+          failed_when: "'Error' in apply_cr.stderr"
+    
+    - name: Wait for Calico system resources to be available
+      command: >-
+        {% if item.type == 'daemonset' %}
+        k3s kubectl wait pods
+        --namespace='calico-system'
+        --selector={{ item.selector }}
+        --for=condition=Ready
+        {% else %}
+        k3s kubectl wait {{ item.type }}/{{ item.name }}
+        --namespace='calico-system'
+        --for=condition=Available
+        {% endif %}
+        --timeout=7s
+      register: cr_result
+      changed_when: false
+      until: cr_result is succeeded
+      retries: 30
+      delay: 7
+      with_items:
+        - { name: calico-typha, type: deployment }
+        - { name: calico-kube-controllers, type: deployment }
+        - { name: csi-node-driver, type: daemonset, selector: 'k8s-app=csi-node-driver' }
+        - { name: calico-node, type: daemonset, selector: 'k8s-app=calico-node' }
+      loop_control:
+        label: "{{ item.type }}/{{ item.name }}"
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']

roles/k3s_server_post/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Deploy calico
+  include_tasks: calico.yml
+  tags: calico
+  when: use_calico == true
+
 - name: Deploy metallb pool
   include_tasks: metallb.yml
   tags: metallb

roles/k3s_server_post/templates/calico.crs.j2

@@ -0,0 +1,28 @@
+# This section includes base Calico installation configuration.
+# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.Installation
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+  name: default
+spec:
+  # Configures Calico networking.
+  calicoNetwork:
+    # Note: The ipPools section cannot be modified post-install.
+    ipPools:
+    - blockSize: {{ calico_blockSize if calico_blockSize is defined else '26' }}
+      cidr: {{ calico_cidr if calico_cidr is defined else '10.52.0.0/16' }}
+      encapsulation: {{ calico_encapsulation if calico_encapsulation is defined else 'VXLANCrossSubnet' }}
+      natOutgoing: {{ calico_natOutgoing if calico_natOutgoing is defined else 'Enabled' }}
+      nodeSelector: {{ calico_nodeSelector if calico_nodeSelector is defined else 'all()' }}
+    nodeAddressAutodetectionV4:
+      interface: {{ container_iface if container_iface is defined else 'eth0' }}
+
+---
+
+# This section configures the Calico API server.
+# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
+apiVersion: operator.tigera.io/v1
+kind: APIServer
+metadata:
+  name: default
+spec: {}

roles/prereq/tasks/main.yml

@@ -14,7 +14,7 @@
     name: net.ipv4.ip_forward
     value: "1"
     state: present
-    reload: true
+    reload: yes
   tags: sysctl
 
 - name: Enable IPv6 forwarding
@@ -22,7 +22,7 @@
     name: net.ipv6.conf.all.forwarding
     value: "1"
     state: present
-    reload: true
+    reload: yes
   tags: sysctl
 
 - name: Enable IPv6 router advertisements
@@ -30,7 +30,7 @@
     name: net.ipv6.conf.all.accept_ra
     value: "2"
     state: present
-    reload: true
+    reload: yes
   tags: sysctl
 
 - name: Add br_netfilter to /etc/modules-load.d/
@@ -51,7 +51,7 @@
     name: "{{ item }}"
     value: "1"
     state: present
-    reload: true
+    reload: yes
   when: ansible_os_family == "RedHat"
   loop:
     - net.bridge.bridge-nf-call-iptables

roles/raspberrypi/tasks/main.yml

@@ -17,19 +17,21 @@
   when:
     grep_cpuinfo_raspberrypi.rc == 0 or grep_device_tree_model_raspberrypi.rc == 0
 
-- name: Set detected_distribution to Raspbian (ARM64 on Raspbian, Debian Buster/Bullseye/Bookworm)
+- name: Set detected_distribution to Raspbian
+  set_fact:
+    detected_distribution: Raspbian
+  when: >
+    raspberry_pi|default(false) and
+    ( ansible_facts.lsb.id|default("") == "Raspbian" or
+      ansible_facts.lsb.description|default("") is match("[Rr]aspbian.*") )
+
+- name: Set detected_distribution to Raspbian (ARM64 on Debian Buster)
   set_fact:
     detected_distribution: Raspbian
-  vars:
-    allowed_descriptions:
-      - "[Rr]aspbian.*"
-      - "Debian.*buster"
-      - "Debian.*bullseye"
-      - "Debian.*bookworm"
   when:
     - ansible_facts.architecture is search("aarch64")
     - raspberry_pi|default(false)
-    - ansible_facts.lsb.description|default("") is match(allowed_descriptions | join('|'))
+    - ansible_facts.lsb.description|default("") is match("Debian.*buster")
 
 - name: Set detected_distribution_major_version
   set_fact:
@@ -37,6 +39,14 @@
   when:
     - detected_distribution | default("") == "Raspbian"
 
+- name: Set detected_distribution to Raspbian (ARM64 on Debian Bullseye)
+  set_fact:
+    detected_distribution: Raspbian
+  when:
+    - ansible_facts.architecture is search("aarch64")
+    - raspberry_pi|default(false)
+    - ansible_facts.lsb.description|default("") is match("Debian.*bullseye")
+
 - name: Execute OS related tasks on the Raspberry Pi - {{ action_ }}
   include_tasks: "{{ item }}"
   with_first_found:

roles/raspberrypi/tasks/setup/Rocky.yml

@@ -2,7 +2,7 @@
 - name: Enable cgroup via boot commandline if not already enabled for Rocky
   lineinfile:
     path: /boot/cmdline.txt
-    backrefs: true
+    backrefs: yes
     regexp: '^((?!.*\bcgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory\b).*)$'
     line: '\1 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory'
   notify: reboot

roles/raspberrypi/tasks/setup/Ubuntu.yml

@@ -2,7 +2,7 @@
 - name: Enable cgroup via boot commandline if not already enabled for Ubuntu on a Raspberry Pi
   lineinfile:
     path: /boot/firmware/cmdline.txt
-    backrefs: true
+    backrefs: yes
     regexp: '^((?!.*\bcgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory\b).*)$'
     line: '\1 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory'
   notify: reboot

roles/reset/tasks/main.yml

@@ -3,7 +3,7 @@
   systemd:
     name: "{{ item }}"
     state: stopped
-    enabled: false
+    enabled: no
   failed_when: false
   with_items:
     - k3s
@@ -51,15 +51,13 @@
     name: "{{ item }}"
     state: absent
   with_items:
-    - "{{ systemd_dir }}/k3s.service.d/http_proxy.conf"
     - "{{ systemd_dir }}/k3s.service.d"
-    - "{{ systemd_dir }}/k3s-node.service.d/http_proxy.conf"
     - "{{ systemd_dir }}/k3s-node.service.d"
   when: proxy_env is defined
 
 - name: Reload daemon_reload
   systemd:
-    daemon_reload: true
+    daemon_reload: yes
 
 - name: Remove tmp directory used for manifests
   file:

site.yml

@@ -2,7 +2,7 @@
 - name: Prepare Proxmox cluster
   hosts: proxmox
   gather_facts: true
-  become: true
+  become: yes
   environment: "{{ proxy_env | default({}) }}"
   roles:
     - role: proxmox_lxc
@@ -10,7 +10,7 @@
 
 - name: Prepare k3s nodes
   hosts: k3s_cluster
-  gather_facts: true
+  gather_facts: yes
   environment: "{{ proxy_env | default({}) }}"
   roles:
     - role: lxc