From 99f313dfc8ee1628a890fca5bab5572194170c28 Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Tue, 24 Sep 2024 21:57:43 -0700
Subject: [PATCH 1/4] Generate token

If a token is not explicitly provided, let the first server generate a random one. Such a token is saved on the first server and the playbook can retrieve it from there and store it a a fact. All other servers and agents can use that token later to join the cluster. It will be saved into their environment file as usual.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_agent/defaults/main.yml | 1 +
 roles/k3s_agent/tasks/main.yml | 4 ++++
 roles/k3s_server/tasks/main.yml | 26 ++++++++++++++++++++++++--
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/roles/k3s_agent/defaults/main.yml b/roles/k3s_agent/defaults/main.yml
index cf5acb9f4..c190cc64d 100644
--- a/roles/k3s_agent/defaults/main.yml
+++ b/roles/k3s_agent/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+server_group: server # noqa var-naming[no-role-prefix]
 k3s_server_location: "/var/lib/rancher/k3s" # noqa var-naming[no-role-prefix]
 systemd_dir: "/etc/systemd/system" # noqa var-naming[no-role-prefix]
 api_port: 6443 # noqa var-naming[no-role-prefix]
diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index 39df326ac..693cf8091 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -35,6 +35,10 @@
 INSTALL_K3S_EXEC: "agent"
 changed_when: true
 
+- name: Get the token from the first server
+ set_fact:
+ token: "{{ hostvars[groups[server_group][0]].token }}"
+
 - name: Delete any existing token from the environment if different from the new one
 ansible.builtin.lineinfile:
 state: absent
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index 12131f2af..6f8f2f43a 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
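Review bot: The agent's new `Get the token from the first server` task reads `hostvars[groups[server_group][0]].token` unconditionally, so any run in which the first server's `token` is not known to Ansible (an agent-only play, or a run limited to agent hosts where the server tasks did not execute) ends with an undefined-attribute error rather than a clear message, and a token supplied directly to the agent host is overwritten. Guarding it with `when: token is not defined` limits the lookup to the generated-token case, and an `ansible.builtin.assert` that `hostvars[groups[server_group][0]].token is defined` would turn the failure into a readable one. The task also records the cluster join secret in a fact without `no_log: true`, whereas the server role's token task carries `no_log: true # avoid logging the server token`; the same marker belongs here so verbose runs and callback plugins do not print it.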
@@ -90,14 +90,16 @@
 ansible.builtin.lineinfile:
 state: absent
 path: "{{ systemd_dir }}/k3s.service.env"
- regexp: "^K3S_TOKEN=\\s*(?!{{ token }}\\s*$)"
+ regexp: "^K3S_TOKEN=\\s*(?!{{ token | default('') }}\\s*$)"
 
- # Add the token to the environment.
+ # Add the token to the environment if it has been provided.
+ # Otherwise, let the first server create one on the first run.
 - name: Add token as an environment variable
 no_log: true # avoid logging the server token
 ansible.builtin.lineinfile:
 path: "{{ systemd_dir }}/k3s.service.env"
 line: "K3S_TOKEN={{ token }}"
+ when: token is defined

 - name: Restart K3s service
 when:
@@ -182,11 +184,31 @@
 changed_when:
 - mv_result.rc == 0
 
+ - name: Get the token if randomly generated
+ when: token is not defined
+ block:
+ - name: Wait for token
+ wait_for:
+ path: /var/lib/rancher/k3s/server/token
+
+ - name: Read node-token from master
+ slurp:
+ src: /var/lib/rancher/k3s/server/token
+ register: node_token
+
+ - name: Store Master node-token
+ set_fact:
+ token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"
+
 - name: Start other server if any and verify status
 when:
 - (groups[server_group] | length) > 1
 - inventory_hostname != groups[server_group][0]
 block:
+ - name: Get the token from the first server
+ set_fact:
+ token: "{{ hostvars[groups[server_group][0]].token }}"
+
 - name: Delete any existing token from the environment if different from the new one
 ansible.builtin.lineinfile:
 state: absent
From 9ee4f3f182dc5e0f31db8177585e6b9f7cdfa8d5 Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Mon, 11 Nov 2024 08:54:26 -0800
Subject: [PATCH 2/4] Remove trailing space

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_server/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index 6f8f2f43a..a598da2dc 100644
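Review bot: With `token` undefined, the delete task's regexp now evaluates to `^K3S_TOKEN=\s*(?!\s*$)`, which matches every non-empty `K3S_TOKEN=` entry, while the add task that follows is skipped by `when: token is defined`; for a secondary server on a repeat run, where `token` is only set later by the `Get the token from the first server` task in the next hunk, this appears to strip the line written on the previous run, so at minimum the environment file reports changed on every run and, if the `Restart K3s service` conditions (outside the hunk) react to that change, the service is restarted without a token before the later block puts it back. Applying the same condition to the delete task, `when: token is defined`, keeps the pair symmetric so that a missing token leaves the environment file untouched. The new comment explains the intent of the add task but not of the delete task; a line such as `# With no token configured there is nothing to compare against, so leave the file alone.` above it would document the chosen behaviour.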
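Review bot: The `Read node-token from master` and `Store Master node-token` tasks handle the cluster join secret without `no_log: true`: the registered `node_token` result carries the base64-encoded file content and the fact carries the decoded token, and both show up in verbose output, unlike the `Add token as an environment variable` task above, which is marked `no_log: true # avoid logging the server token`. Add `no_log: true` to those two tasks and to the `Get the token from the first server` set_fact at the end of the hunk. The token file path is hard-coded twice as `/var/lib/rancher/k3s/server/token`; the agent defaults in the first hunk of this patch define `k3s_server_location: "/var/lib/rancher/k3s"`, so if the server role has the same variable, `path: "{{ k3s_server_location }}/server/token"` would follow a non-default data directory. The `Get the token if randomly generated` task appears to be nested in a block that begins before this hunk, so the condition that limits it to the first server is not visible here.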
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -99,7 +99,7 @@
 ansible.builtin.lineinfile:
 path: "{{ systemd_dir }}/k3s.service.env"
 line: "K3S_TOKEN={{ token }}"
- when: token is defined
+ when: token is defined

 - name: Restart K3s service
 when:
From 123f9c41b53bc1fbc3ba43f9320605137f48e076 Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Mon, 11 Nov 2024 08:54:26 -0800
Subject: [PATCH 3/4] Fix Lint errors

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 roles/k3s_agent/tasks/main.yml | 2 +-
 roles/k3s_server/tasks/main.yml | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
index 693cf8091..c7f9b9609 100644
--- a/roles/k3s_agent/tasks/main.yml
+++ b/roles/k3s_agent/tasks/main.yml
@@ -36,7 +36,7 @@
 changed_when: true

 - name: Get the token from the first server
- set_fact:
+ ansible.builtin.set_fact:
 token: "{{ hostvars[groups[server_group][0]].token }}"

 - name: Delete any existing token from the environment if different from the new one
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
index a598da2dc..aa8eba1c7 100644
--- a/roles/k3s_server/tasks/main.yml
+++ b/roles/k3s_server/tasks/main.yml
@@ -188,16 +188,16 @@
 when: token is not defined
 block:
 - name: Wait for token
- wait_for:
+ ansible.builtin.wait_for:
 path: /var/lib/rancher/k3s/server/token

 - name: Read node-token from master
- slurp:
+ ansible.builtin.slurp:
 src: /var/lib/rancher/k3s/server/token
 register: node_token

 - name: Store Master node-token
- set_fact:
+ ansible.builtin.set_fact:
 token: "{{ node_token.content | b64decode | regex_replace('\n', '') }}"

 - name: Start other server if any and verify status
@@ -206,7 +206,7 @@
 - inventory_hostname != groups[server_group][0]
 block:
 - name: Get the token from the first server
- set_fact:
+ ansible.builtin.set_fact:
 token: "{{ hostvars[groups[server_group][0]].token }}"

 - name: Delete any existing token from the environment if different from the new one
From 221ba2f08f8e0068372e5dc4cde7a6092c842058 Mon Sep 17 00:00:00 2001
From: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
Date: Mon, 11 Nov 2024 12:57:18 -0800
Subject: [PATCH 4/4] Document that token is (mostly) optional now

The token is still required when using Vagrant.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>
---
 Vagrantfile | 1 +
 inventory-sample.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/Vagrantfile b/Vagrantfile
index c26c6270e..4f4c7c058 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -28,6 +28,7 @@ def provision(vm, role, node_num)
 ansible.extra_vars = {
 k3s_version: "v1.28.14+k3s1",
 api_endpoint: "#{NETWORK_PREFIX}.100",
+ # Required for vagrant ansible provisioner
 token: "myvagrant",
 # Required to use the private network configured above
 extra_server_args: "--node-external-ip #{node_ip} --flannel-iface eth1",
diff --git a/inventory-sample.yml b/inventory-sample.yml
index 8c09d3fb4..e237881fd 100644
--- a/inventory-sample.yml
+++ b/inventory-sample.yml
@@ -19,6 +19,7 @@ k3s_cluster:
 # - openssl rand -base64 64
 # - pwgen -s 64 1
 # You can use ansible-vault to encrypt this value / keep it secret.
+ # Or you can omit it if not using Vagrant and let the first server automatically generate one.
 token: "changeme!"
 api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
 extra_server_args: ""
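Review bot: The new comment in inventory-sample.yml tells users the token may be omitted but not what that means operationally: a generated token exists only on the first server, in `/var/lib/rancher/k3s/server/token` as read by the server role's `Read node-token from master` task, and the other hosts obtain it through that server's facts during the same playbook run. A follow-up sentence such as `# A generated token is kept on the first server in /var/lib/rancher/k3s/server/token; the other nodes read it from there during the run.` would tell users where to find it later and why agent-only runs need the server hosts in the play. Documentation only; no code change.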