Merge branch 'techno-tim:master' into calico

Small tweak to reduce delta from head

Set calico option to be disabled by default

Add rescue blocks in case updating existing

Refactor items and update comments

Refactor and consolidate calico.yml into block

Refactor to use template for Calico CRs

Revert use_calico to false

Template blockSize

Align default cidr in template with all.yml sample

Apply upstream version tags

Revert to current ver tags. Upstream's don't work.

Update template address detection

Add Tigera Operator/Calico CNI option

.github/ISSUE_TEMPLATE.md

@@ -35,7 +35,7 @@ k3s_version: ""
 ansible_user: NA
 systemd_dir: ""
 
-flannel_iface: ""
+container_iface: ""
 
 apiserver_endpoint: ""
 

.github/workflows/cache.yml

@@ -1,42 +0,0 @@
----
-name: "Cache"
-on:
-  workflow_call:
-jobs:
-  molecule:
-    name: cache
-    runs-on: self-hosted
-    env:
-      PYTHON_VERSION: "3.11"
-
-    steps:
-      - name: Check out the codebase
-        uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v3 2.5.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # 2.3.3
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'pip' # caching pip dependencies
-
-      - name: Cache Vagrant boxes
-        id: cache-vagrant
-        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
-        with:
-          lookup-only: true #if it exists, we don't need to restore and can skip the next step
-          path: |
-            ~/.vagrant.d/boxes
-          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
-          restore-keys: |
-            vagrant-boxes
-
-      - name: Download Vagrant boxes for all scenarios
-        # To save some cache space, all scenarios share the same cache key.
-        # On the other hand, this means that the cache contents should be
-        # the same across all scenarios. This step ensures that.
-        if: steps.cache-vagrant.outputs.cache-hit != 'true' # only run if false since this is just a cache step
-        run: |
-          ./.github/download-boxes.sh
-          vagrant box list

.github/workflows/ci.yml

@@ -8,11 +8,8 @@ on:
     paths-ignore:
       - '**/README.md'
 jobs:
-  pre:
-    uses: ./.github/workflows/cache.yml
   lint:
     uses: ./.github/workflows/lint.yml
-    needs: [pre]
   test:
     uses: ./.github/workflows/test.yml
-    needs: [pre, lint]
+    needs: [lint]

.github/workflows/lint.yml

@@ -5,7 +5,7 @@ on:
 jobs:
   pre-commit-ci:
     name: Pre-Commit
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     env:
       PYTHON_VERSION: "3.11"
 
@@ -21,11 +21,21 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
 
-      - name: Restore Ansible cache
+      - name: Cache pip
-        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('./requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Cache Ansible
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
         with:
           path: ~/.ansible/collections
-          key: ansible-${{ hashFiles('collections/requirements.yml') }}
+          key: ${{ runner.os }}-ansible-${{ hashFiles('collections/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-ansible-
 
       - name: Install dependencies
         run: |
@@ -37,12 +47,16 @@ jobs:
           python3 -m pip install -r requirements.txt
           echo "::endgroup::"
 
+          echo "::group::Install Ansible role requirements from collections/requirements.yml"
+          ansible-galaxy install -r collections/requirements.yml
+          echo "::endgroup::"
+
       - name: Run pre-commit
         uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 # 3.0.0
 
   ensure-pinned-actions:
     name: Ensure SHA Pinned Actions
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791 # v3 2.5.0

.github/workflows/test.yml

@@ -5,7 +5,7 @@ on:
 jobs:
   molecule:
     name: Molecule
-    runs-on: self-hosted
+    runs-on: macos-12
     strategy:
       matrix:
         scenario:
@@ -30,19 +30,35 @@ jobs:
           * fdad:bad:ba55::/64
           EOF
 
+      - name: Cache pip
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('./requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Cache Vagrant boxes
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # 3.0.11
+        with:
+          path: |
+            ~/.vagrant.d/boxes
+          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
+          restore-keys: |
+            vagrant-boxes
+
+      - name: Download Vagrant boxes for all scenarios
+        # To save some cache space, all scenarios share the same cache key.
+        # On the other hand, this means that the cache contents should be
+        # the same across all scenarios. This step ensures that.
+        run: ./.github/download-boxes.sh
+
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # 2.3.3
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: 'pip' # caching pip dependencies
 
-      - name: Restore vagrant Boxes cache
-        uses: actions/cache/restore@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # 4.0
-        with:
-          path: ~/.vagrant.d/boxes
-          key: vagrant-boxes-${{ hashFiles('**/molecule.yml') }}
-          fail-on-cache-miss: true
-
       - name: Install dependencies
         run: |
           echo "::group::Upgrade pip"
@@ -59,7 +75,7 @@ jobs:
         env:
           ANSIBLE_K3S_LOG_DIR: ${{ runner.temp }}/logs/k3s-ansible/${{ matrix.scenario }}
           ANSIBLE_SSH_RETRIES: 4
-          ANSIBLE_TIMEOUT: 120
+          ANSIBLE_TIMEOUT: 60
           PY_COLORS: 1
           ANSIBLE_FORCE_COLOR: 1
 

inventory/sample/group_vars/all.yml

@@ -1,5 +1,5 @@
 ---
-k3s_version: v1.26.12+k3s1
+k3s_version: v1.25.16+k3s4
 # this is the user that has ssh access to these machines
 ansible_user: ansibleuser
 systemd_dir: /etc/systemd/system
@@ -7,8 +7,14 @@ systemd_dir: /etc/systemd/system
 # Set your timezone
 system_timezone: "Your/Timezone"
 
-# interface which will be used for flannel
+# node interface which will be used for the container network interface (flannel or calico)
-flannel_iface: "eth0"
+container_iface: "eth0"
+
+# set use_calico to true to use tigera operator/calico instead of the default CNI flannel
+# install reference: https://docs.tigera.io/calico/latest/getting-started/kubernetes/k3s/multi-node-install#install-calico
+use_calico: false
+calico_cidr: "10.52.0.0/16" # pod cidr pool
+calico_tag: "v3.27.0" # calico version tag
 
 # apiserver_endpoint is virtual ip-address which will be configured on each master
 apiserver_endpoint: "192.168.30.222"
@@ -20,23 +26,30 @@ k3s_token: "some-SUPER-DEDEUPER-secret-password"
 # The IP on which the node is reachable in the cluster.
 # Here, a sensible default is provided, you can still override
 # it for each of your hosts, though.
-k3s_node_ip: '{{ ansible_facts[flannel_iface]["ipv4"]["address"] }}'
+k3s_node_ip: '{{ ansible_facts[container_iface]["ipv4"]["address"] }}'
 
 # Disable the taint manually by setting: k3s_master_taint = false
 k3s_master_taint: "{{ true if groups['node'] | default([]) | length >= 1 else false }}"
 
 # these arguments are recommended for servers as well as agents:
 extra_args: >-
-  --flannel-iface={{ flannel_iface }}
+  {{ '--flannel-iface=' + container_iface if not use_calico else '' }}
   --node-ip={{ k3s_node_ip }}
 
 # change these to your liking, the only required are: --disable servicelb, --tls-san {{ apiserver_endpoint }}
+# the contents of the if block is also required if using calico
 extra_server_args: >-
   {{ extra_args }}
   {{ '--node-taint node-role.kubernetes.io/master=true:NoSchedule' if k3s_master_taint else '' }}
+  {% if use_calico %}
+  --flannel-backend=none
+  --disable-network-policy
+  --cluster-cidr={{ calico_cidr }}
+  {% endif %}
   --tls-san {{ apiserver_endpoint }}
   --disable servicelb
   --disable traefik
+
 extra_agent_args: >-
   {{ extra_args }}
 
@@ -66,9 +79,9 @@ metal_lb_ip_range: "192.168.30.80-192.168.30.90"
 # Please read https://gist.github.com/triangletodd/02f595cd4c0dc9aac5f7763ca2264185 before using this.
 # Most notably, your containers must be privileged, and must not have nesting set to true.
 # Please note this script disables most of the security of lxc containers, with the trade off being that lxc
-# containers are significantly more resource efficient compared to full VMs.
+# containers are significantly more resource efficent compared to full VMs.
 # Mixing and matching VMs and lxc containers is not supported, ymmv if you want to do this.
-# I would only really recommend using this if you have particularly low powered proxmox nodes where the overhead of
+# I would only really recommend using this if you have partiularly low powered proxmox nodes where the overhead of
 # VMs would use a significant portion of your available resources.
 proxmox_lxc_configure: false
 # the user that you would use to ssh into the host, for example if you run ssh some-user@my-proxmox-host,

molecule/default/molecule.yml

@@ -7,7 +7,7 @@ platforms:
 
   - name: control1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -23,7 +23,7 @@ platforms:
 
   - name: control2
     box: generic/debian11
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -34,7 +34,7 @@ platforms:
 
   - name: control3
     box: generic/rocky9
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -45,7 +45,7 @@ platforms:
 
   - name: node1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -61,7 +61,7 @@ platforms:
 
   - name: node2
     box: generic/rocky9
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -72,8 +72,6 @@ platforms:
 
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -84,6 +82,7 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
+    - lint
     - cleanup
     - destroy
     - syntax

molecule/default/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        flannel_iface: eth1
+        container_iface: eth1
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:
         retry_count: 45

molecule/ipv6/molecule.yml

@@ -6,7 +6,7 @@ driver:
 platforms:
   - name: control1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -22,7 +22,7 @@ platforms:
 
   - name: control2
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -38,7 +38,7 @@ platforms:
 
   - name: node1
     box: generic/ubuntu2204
-    memory: 1024
+    memory: 2048
     cpus: 2
     groups:
       - k3s_cluster
@@ -53,8 +53,6 @@ platforms:
       ssh.password: "vagrant"
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -65,6 +63,7 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
+    - lint
     - cleanup
     - destroy
     - syntax

molecule/ipv6/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        flannel_iface: eth1
+        container_iface: eth1
 
         # In this scenario, we have multiple interfaces that the VIP could be
         # broadcasted on. Since we have assigned a dedicated private network
@@ -27,13 +27,13 @@
           - fdad:bad:ba55::1b:0/112
           - 192.168.123.80-192.168.123.90
 
-        # k3s_node_ip is by default set to the IPv4 address of flannel_iface.
+        # k3s_node_ip is by default set to the IPv4 address of container_iface.
         # We want IPv6 addresses here of course, so we just specify them
         # manually below.
         k3s_node_ip: "{{ node_ipv4 }},{{ node_ipv6 }}"
 
     - name: Override host variables (2/2)
-      # Since "extra_args" depends on "k3s_node_ip" and "flannel_iface" we have
+      # Since "extra_args" depends on "k3s_node_ip" and "container_iface" we have
       # to set this AFTER overriding the both of them.
       ansible.builtin.set_fact:
         # A few extra server args are necessary:

molecule/ipv6/prepare.yml

@@ -30,7 +30,7 @@
         name: net.ipv6.conf.{{ item }}.accept_dad
         value: "0"
       with_items:
-        - "{{ flannel_iface }}"
+        - "{{ container_iface }}"
 
     - name: Write IPv4 configuration
       ansible.builtin.template:

molecule/ipv6/templates/55-flannel-ipv4.yaml.j2

@@ -3,6 +3,6 @@ network:
   version: 2
   renderer: networkd
   ethernets:
-    {{ flannel_iface }}:
+    {{ container_iface }}:
       addresses:
       - {{ node_ipv4 }}/24

molecule/single_node/molecule.yml

@@ -21,8 +21,6 @@ platforms:
         ip: 192.168.30.50
 provisioner:
   name: ansible
-  env:
-    ANSIBLE_VERBOSITY: 1
   playbooks:
     converge: ../resources/converge.yml
     side_effect: ../resources/reset.yml
@@ -33,6 +31,7 @@ provisioner:
 scenario:
   test_sequence:
     - dependency
+    - lint
     - cleanup
     - destroy
     - syntax

molecule/single_node/overrides.yml

@@ -6,7 +6,7 @@
       ansible.builtin.set_fact:
         # See:
         # https://github.com/flannel-io/flannel/blob/67d603aaf45ef80f5dd39f43714fc5e6f8a637eb/Documentation/troubleshooting.md#Vagrant
-        flannel_iface: eth1
+        container_iface: eth1
 
         # The test VMs might be a bit slow, so we give them more time to join the cluster:
         retry_count: 45

requirements.in

@@ -1,10 +1,10 @@
-ansible-core>=2.16.2
+ansible-core>=2.13.5
 jmespath>=1.0.1
-jsonpatch>=1.33
+jsonpatch>=1.32
-kubernetes>=29.0.0
+kubernetes>=25.3.0
-molecule-plugins[vagrant]
+molecule-vagrant>=1.0.0
-molecule>=6.0.3
+molecule>=4.0.3
-netaddr>=0.10.1
+netaddr>=0.8.0
-pre-commit>=3.6.0
+pre-commit>=2.20.0
-pre-commit-hooks>=4.5.0
+pre-commit-hooks>=1.3.1
-pyyaml>=6.0.1
+pyyaml>=6.0

requirements.txt

@@ -4,165 +4,174 @@
 #
 #    pip-compile requirements.in
 #
-ansible-compat==4.1.11
+ansible-compat==3.0.1
     # via molecule
-ansible-core==2.16.2
+ansible-core==2.15.4
     # via
     #   -r requirements.in
     #   ansible-compat
-    #   molecule
+arrow==1.2.3
-attrs==23.2.0
+    # via jinja2-time
-    # via
+attrs==22.1.0
-    #   jsonschema
+    # via jsonschema
-    #   referencing
+binaryornot==0.4.4
-bracex==2.4
+    # via cookiecutter
-    # via wcmatch
+cachetools==5.2.0
-cachetools==5.3.2
     # via google-auth
-certifi==2023.11.17
+certifi==2022.9.24
     # via
     #   kubernetes
     #   requests
-cffi==1.16.0
+cffi==1.15.1
     # via cryptography
-cfgv==3.4.0
+cfgv==3.3.1
     # via pre-commit
-charset-normalizer==3.3.2
+chardet==5.0.0
+    # via binaryornot
+charset-normalizer==2.1.1
     # via requests
-click==8.1.7
+click==8.1.3
     # via
     #   click-help-colors
+    #   cookiecutter
     #   molecule
-click-help-colors==0.9.4
+click-help-colors==0.9.1
     # via molecule
-cryptography==41.0.7
+commonmark==0.9.1
+    # via rich
+cookiecutter==2.1.1
+    # via molecule
+cryptography==38.0.3
     # via ansible-core
-distlib==0.3.8
+distlib==0.3.6
     # via virtualenv
+distro==1.8.0
+    # via selinux
 enrich==1.2.7
     # via molecule
-filelock==3.13.1
+filelock==3.8.0
     # via virtualenv
-google-auth==2.26.2
+google-auth==2.14.0
     # via kubernetes
-identify==2.5.33
+identify==2.5.8
     # via pre-commit
-idna==3.6
+idna==3.4
     # via requests
-jinja2==3.1.3
+jinja2==3.1.2
     # via
     #   ansible-core
+    #   cookiecutter
+    #   jinja2-time
     #   molecule
+    #   molecule-vagrant
+jinja2-time==0.2.0
+    # via cookiecutter
 jmespath==1.0.1
     # via -r requirements.in
 jsonpatch==1.33
     # via -r requirements.in
-jsonpointer==2.4
+jsonpointer==2.3
     # via jsonpatch
-jsonschema==4.21.1
+jsonschema==4.17.0
     # via
     #   ansible-compat
     #   molecule
-jsonschema-specifications==2023.12.1
+kubernetes==25.3.0
-    # via jsonschema
-kubernetes==29.0.0
     # via -r requirements.in
-markdown-it-py==3.0.0
+markupsafe==2.1.1
-    # via rich
-markupsafe==2.1.4
     # via jinja2
-mdurl==0.1.2
+molecule==4.0.4
-    # via markdown-it-py
-molecule==6.0.3
     # via
     #   -r requirements.in
-    #   molecule-plugins
+    #   molecule-vagrant
-molecule-plugins[vagrant]==23.5.0
+molecule-vagrant==1.0.0
     # via -r requirements.in
-netaddr==0.10.1
+netaddr==0.10.0
     # via -r requirements.in
-nodeenv==1.8.0
+nodeenv==1.7.0
     # via pre-commit
 oauthlib==3.2.2
-    # via
+    # via requests-oauthlib
-    #   kubernetes
+packaging==21.3
-    #   requests-oauthlib
-packaging==23.2
     # via
     #   ansible-compat
     #   ansible-core
     #   molecule
-platformdirs==4.1.0
+platformdirs==2.5.2
     # via virtualenv
-pluggy==1.3.0
+pluggy==1.0.0
     # via molecule
-pre-commit==3.6.0
+pre-commit==2.21.0
     # via -r requirements.in
 pre-commit-hooks==4.5.0
     # via -r requirements.in
-pyasn1==0.5.1
+pyasn1==0.4.8
     # via
     #   pyasn1-modules
     #   rsa
-pyasn1-modules==0.3.0
+pyasn1-modules==0.2.8
     # via google-auth
 pycparser==2.21
     # via cffi
-pygments==2.17.2
+pygments==2.13.0
     # via rich
+pyparsing==3.0.9
+    # via packaging
+pyrsistent==0.19.2
+    # via jsonschema
 python-dateutil==2.8.2
-    # via kubernetes
+    # via
+    #   arrow
+    #   kubernetes
+python-slugify==6.1.2
+    # via cookiecutter
 python-vagrant==1.0.0
-    # via molecule-plugins
+    # via molecule-vagrant
 pyyaml==6.0.1
     # via
     #   -r requirements.in
     #   ansible-compat
     #   ansible-core
+    #   cookiecutter
     #   kubernetes
     #   molecule
+    #   molecule-vagrant
     #   pre-commit
-referencing==0.32.1
+requests==2.28.1
-    # via
-    #   jsonschema
-    #   jsonschema-specifications
-requests==2.31.0
     # via
+    #   cookiecutter
     #   kubernetes
     #   requests-oauthlib
 requests-oauthlib==1.3.1
     # via kubernetes
-resolvelib==1.0.1
+resolvelib==0.8.1
     # via ansible-core
-rich==13.7.0
+rich==12.6.0
     # via
     #   enrich
     #   molecule
-rpds-py==0.17.1
-    # via
-    #   jsonschema
-    #   referencing
 rsa==4.9
     # via google-auth
-ruamel-yaml==0.18.5
+ruamel-yaml==0.17.21
     # via pre-commit-hooks
-ruamel-yaml-clib==0.2.8
+selinux==0.2.1
-    # via ruamel-yaml
+    # via molecule-vagrant
 six==1.16.0
     # via
+    #   google-auth
     #   kubernetes
     #   python-dateutil
 subprocess-tee==0.4.1
     # via ansible-compat
-urllib3==2.1.0
+text-unidecode==1.3
+    # via python-slugify
+urllib3==1.26.12
     # via
     #   kubernetes
     #   requests
-virtualenv==20.25.0
+virtualenv==20.16.6
     # via pre-commit
-wcmatch==8.5
+websocket-client==1.4.2
-    # via molecule
-websocket-client==1.7.0
     # via kubernetes
 
 # The following packages are considered to be unsafe in a requirements file:

roles/k3s_agent/tasks/http_proxy.yml

@@ -1,8 +1,8 @@
 ---
 
-- name: Create k3s-node.service.d directory
+- name: Create k3s.service.d directory
   file:
-    path: '{{ systemd_dir }}/k3s-node.service.d'
+    path: '{{ systemd_dir }}/k3s.service.d'
     state: directory
     owner: root
     group: root
@@ -12,7 +12,7 @@
 - name: Copy K3s http_proxy conf file
   template:
     src: "http_proxy.conf.j2"
-    dest: "{{ systemd_dir }}/k3s-node.service.d/http_proxy.conf"
+    dest: "{{ systemd_dir }}/k3s.service.d/http_proxy.conf"
     owner: root
     group: root
     mode: '0755'

roles/k3s_server/tasks/main.yml

@@ -6,13 +6,6 @@
     state: stopped
   failed_when: false
 
-# k3s-init won't work if the port is already in use
-- name: Stop k3s
-  systemd:
-    name: k3s
-    state: stopped
-  failed_when: false
-
 - name: Clean previous runs of k3s-init  # noqa command-instead-of-module
   # The systemd module does not support "reset-failed", so we need to resort to command.
   command: systemctl reset-failed k3s-init
@@ -36,7 +29,7 @@
                       -p Restart=on-failure \
                       --unit=k3s-init \
                       k3s server {{ server_init_args }}"
-    creates: "{{ systemd_dir }}/k3s-init.service"
+    creates: "{{ systemd_dir }}/k3s.service"
 
 - name: Verification
   when: not ansible_check_mode

roles/k3s_server_post/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # Timeout to wait for MetalLB services to come up
-metal_lb_available_timeout: 240s
+metal_lb_available_timeout: 120s
 
 # Name of the master group
 group_name_master: master

roles/k3s_server_post/tasks/calico.yml

@@ -0,0 +1,99 @@
+---
+- block:
+    - name: Create manifests directory on first master
+      file:
+        path: /tmp/k3s
+        state: directory
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: "Download to first master: manifest for Tigera Operator and Calico CRDs"
+      ansible.builtin.get_url:
+        url: "https://raw.githubusercontent.com/projectcalico/calico/{{ calico_tag }}/manifests/tigera-operator.yaml"
+        dest: "/tmp/k3s/tigera-operator.yaml"
+        owner: root
+        group: root
+        mode: 0755
+
+    - name: Copy Calico custom resources manifest to first master
+      ansible.builtin.template:
+        src: "calico.crs.j2"
+        dest: /tmp/k3s/custom-resources.yaml
+
+    - name: Deploy or replace Tigera Operator
+      block:
+        - name: Deploy Tigera Operator
+          ansible.builtin.command:
+            cmd: kubectl create -f /tmp/k3s/tigera-operator.yaml
+          register: create_operator
+          changed_when: "'created' in create_operator.stdout"
+          failed_when: "'Error' in create_operator.stderr and 'already exists' not in create_operator.stderr"
+      rescue:
+        - name: Replace existing Tigera Operator
+          ansible.builtin.command:
+            cmd: kubectl replace -f /tmp/k3s/tigera-operator.yaml
+          register: replace_operator
+          changed_when: "'replaced' in replace_operator.stdout"
+          failed_when: "'Error' in replace_operator.stderr"
+
+    - name: Wait for Tigera Operator resources
+      command: >-
+        k3s kubectl wait {{ item.type }}/{{ item.name }}
+        --namespace='tigera-operator'
+        --for=condition=Available=True
+        --timeout=7s
+      register: tigera_result
+      changed_when: false
+      until: tigera_result is succeeded
+      retries: 7
+      delay: 7
+      with_items:
+        - { name: tigera-operator, type: deployment }
+      loop_control:
+        label: "{{ item.type }}/{{ item.name }}"
+    
+    - name: Deploy Calico custom resources
+      block:
+        - name: Deploy custom resources for Calico
+          ansible.builtin.command:
+            cmd: kubectl create -f /tmp/k3s/custom-resources.yaml
+          register: create_cr
+          changed_when: "'created' in create_cr.stdout"
+          failed_when: "'Error' in create_cr.stderr and 'already exists' not in create_cr.stderr"
+      rescue:
+        - name: Apply new Calico custom resource manifest
+          ansible.builtin.command:
+            cmd: kubectl apply -f /tmp/k3s/custom-resources.yaml
+          register: apply_cr
+          changed_when: "'configured' in apply_cr.stdout or 'created' in apply_cr.stdout"
+          failed_when: "'Error' in apply_cr.stderr"
+    
+    - name: Wait for Calico system resources to be available
+      command: >-
+        {% if item.type == 'daemonset' %}
+        k3s kubectl wait pods
+        --namespace='{{ item.namespace }}'
+        --selector={{ item.selector }}
+        --for=condition=Ready
+        {% else %}
+        k3s kubectl wait {{ item.type }}/{{ item.name }}
+        --namespace='{{ item.namespace }}'
+        --for=condition=Available
+        {% endif %}
+        --timeout=7s
+      register: cr_result
+      changed_when: false
+      until: cr_result is succeeded
+      retries: 30
+      delay: 7
+      with_items:
+        - { name: calico-typha, type: deployment, namespace: calico-system }
+        - { name: calico-kube-controllers, type: deployment, namespace: calico-system }
+        - { name: csi-node-driver, type: daemonset, selector: 'k8s-app=csi-node-driver', namespace: calico-system }
+        - { name: calico-node, type: daemonset, selector: 'k8s-app=calico-node', namespace: calico-system }
+        - { name: calico-apiserver, type: deployment, selector: 'k8s-app=calico-apiserver', namespace: calico-apiserver }
+      loop_control:
+        label: "{{ item.type }}/{{ item.name }}"
+  when: ansible_hostname == hostvars[groups[group_name_master | default('master')][0]]['ansible_hostname']
+  run_once: true # stops "skipped" log spam

roles/k3s_server_post/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Deploy calico
+  include_tasks: calico.yml
+  tags: calico
+  when: use_calico == true
+
 - name: Deploy metallb pool
   include_tasks: metallb.yml
   tags: metallb

roles/k3s_server_post/templates/calico.crs.j2

@@ -0,0 +1,28 @@
+# This section includes base Calico installation configuration.
+# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.Installation
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+  name: default
+spec:
+  # Configures Calico networking.
+  calicoNetwork:
+    # Note: The ipPools section cannot be modified post-install.
+    ipPools:
+    - blockSize: {{ calico_blockSize if calico_blockSize is defined else '26' }}
+      cidr: {{ calico_cidr if calico_cidr is defined else '10.52.0.0/16' }}
+      encapsulation: {{ calico_encapsulation if calico_encapsulation is defined else 'VXLANCrossSubnet' }}
+      natOutgoing: {{ calico_natOutgoing if calico_natOutgoing is defined else 'Enabled' }}
+      nodeSelector: {{ calico_nodeSelector if calico_nodeSelector is defined else 'all()' }}
+    nodeAddressAutodetectionV4:
+      interface: {{ container_iface if container_iface is defined else 'eth0' }}
+
+---
+
+# This section configures the Calico API server.
+# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
+apiVersion: operator.tigera.io/v1
+kind: APIServer
+metadata:
+  name: default
+spec: {}

roles/raspberrypi/tasks/main.yml

@@ -17,19 +17,21 @@
   when:
     grep_cpuinfo_raspberrypi.rc == 0 or grep_device_tree_model_raspberrypi.rc == 0
 
-- name: Set detected_distribution to Raspbian (ARM64 on Raspbian, Debian Buster/Bullseye/Bookworm)
+- name: Set detected_distribution to Raspbian
+  set_fact:
+    detected_distribution: Raspbian
+  when: >
+    raspberry_pi|default(false) and
+    ( ansible_facts.lsb.id|default("") == "Raspbian" or
+      ansible_facts.lsb.description|default("") is match("[Rr]aspbian.*") )
+
+- name: Set detected_distribution to Raspbian (ARM64 on Debian Buster)
   set_fact:
     detected_distribution: Raspbian
-  vars:
-    allowed_descriptions:
-      - "[Rr]aspbian.*"
-      - "Debian.*buster"
-      - "Debian.*bullseye"
-      - "Debian.*bookworm"
   when:
     - ansible_facts.architecture is search("aarch64")
     - raspberry_pi|default(false)
-    - ansible_facts.lsb.description|default("") is match(allowed_descriptions | join('|'))
+    - ansible_facts.lsb.description|default("") is match("Debian.*buster")
 
 - name: Set detected_distribution_major_version
   set_fact:
@@ -37,6 +39,14 @@
   when:
     - detected_distribution | default("") == "Raspbian"
 
+- name: Set detected_distribution to Raspbian (ARM64 on Debian Bullseye)
+  set_fact:
+    detected_distribution: Raspbian
+  when:
+    - ansible_facts.architecture is search("aarch64")
+    - raspberry_pi|default(false)
+    - ansible_facts.lsb.description|default("") is match("Debian.*bullseye")
+
 - name: Execute OS related tasks on the Raspberry Pi - {{ action_ }}
   include_tasks: "{{ item }}"
   with_first_found:

roles/reset/tasks/main.yml

@@ -51,9 +51,7 @@
     name: "{{ item }}"
     state: absent
   with_items:
-    - "{{ systemd_dir }}/k3s.service.d/http_proxy.conf"
     - "{{ systemd_dir }}/k3s.service.d"
-    - "{{ systemd_dir }}/k3s-node.service.d/http_proxy.conf"
     - "{{ systemd_dir }}/k3s-node.service.d"
   when: proxy_env is defined