Versioncheck fix, CIS Fix, add handlers

.gitignore

@@ -1,8 +1,9 @@
 *.retry
 .cache/
-
+.vscode/
+files/
 venv/
-
+inventory/homelab/*
 test_inventory*
 
 rke2-images.linux-amd64.tar.gz

inventory/sample/group_vars/rke2_servers.yml

@@ -33,7 +33,6 @@ rke2_config: {}
 #
 #  write-kubeconfig-mode: "0640"
 
-
 # See https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
 # Add a policy configuration file by specifying the file path on the control host
 # audit_policy_config_file_path: "{{ playbook_dir }}/sample_files/audit-policy.yaml"

roles/rke2_common/tasks/calculate_rke2_version.yml

@@ -24,8 +24,7 @@
 
 - name: Set rke2_full_version fact
   ansible.builtin.set_fact:
-    rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or
-    (install_rke2_version | length == 0)) else install_rke2_version }}"
+    rke2_full_version: "{{ rke2_full_version.stdout if ((install_rke2_version is not defined) or (install_rke2_version | length == 0)) else install_rke2_version }}"
 
 - name: Set dot version
   ansible.builtin.shell:

roles/rke2_common/tasks/cis-hardening.yml

@@ -16,6 +16,11 @@
         shell: /usr/sbin/nologin
         group: etcd
         create_home: false
+
+    - name: "Check for rke2-cis-sysctl.conf in the /opt directory"
+      ansible.builtin.stat:
+        path: "/opt/rke2/share/rke2/rke2-cis-sysctl.conf"
+      register: rke2_cis_conf_in_opt
 
     - name: Copy systemctl file for kernel hardening for yum installs
       ansible.builtin.copy:
@@ -28,6 +33,7 @@
         - ansible_os_family == 'RedHat' or ansible_os_family == 'Rocky'
         - not rke2_binary_tarball_check.stat.exists
         - rke2_tarball_url is not defined or rke2_tarball_url == ""
+        - not rke2_cis_conf_in_opt.stat.exists
 
     - name: Copy systemctl file for kernel hardening for non-yum installs
       ansible.builtin.copy:
@@ -37,16 +43,27 @@
         mode: 0600
       register: sysctl_operation_tarball
       when: >-
+        not rke2_cis_conf_in_opt.stat.exists and
         (ansible_facts['os_family'] != 'RedHat' and
         ansible_facts['os_family'] != 'Rocky') or
         rke2_binary_tarball_check.stat.exists or
         (rke2_tarball_url is defined and rke2_tarball_url != "")
 
+    - name: Copy systemctl file for kernel hardening for other
+      ansible.builtin.copy:
+        src: /opt/rke2/share/rke2/rke2-cis-sysctl.conf
+        dest: /etc/sysctl.d/60-rke2-cis.conf
+        remote_src: true
+        mode: 0600
+      register: sysctl_operation_other
+      when:
+        - rke2_cis_conf_in_opt.stat.exists
+
     - name: Restart systemd-sysctl
       ansible.builtin.service:
         state: restarted
         name: systemd-sysctl
-      when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed
+      when: sysctl_operation_yum.changed or sysctl_operation_tarball.changed or sysctl_operation_other.changed
 
     # Per CIS hardening guide, if Kubernetes is already running, making changes to sysctl can result in unexpected
     # side-effects. Rebooting node if RKE2 is already running to prevent potential issues whereas before we were

roles/rke2_common/tasks/previous_install.yml

@@ -33,18 +33,39 @@
     path: /usr/local/bin/rke2
   register: rke2_binary
 
+- name: Check for the rke2 binary
+  ansible.builtin.stat:
+    path: /opt/rke2/bin/rke2
+  register: rke2_binary
+  when: not rke2_binary.stat.exists
+
 - name: Get current RKE2 version if already installed
   ansible.builtin.shell: set -o pipefail && /usr/local/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }'
   register: installed_rke2_version_tmp
   changed_when: false
   args:
     executable: /usr/bin/bash
-  when: rke2_binary.stat.exists
+  when: 
+   - rke2_binary.stat.exists
+   - rke2_binary.stat.path == '/usr/local/bin/rke2'
+  failed_when: >
+    (installed_rke2_version_tmp.rc != 141) and
+    (installed_rke2_version_tmp.rc != 0)
+
+- name: Get current RKE2 version if already installed
+  ansible.builtin.shell: set -o pipefail && /opt/rke2/bin/rke2 -v | awk '$1 ~ /rke2/ { print $3 }'
+  register: installed_rke2_version_tmp
+  changed_when: false
+  args:
+    executable: /usr/bin/bash
+  when: 
+   - rke2_binary.stat.exists
+   - rke2_binary.stat.path == '/opt/rke2/bin/rke2'
   failed_when: >
     (installed_rke2_version_tmp.rc != 141) and
     (installed_rke2_version_tmp.rc != 0)
 
-- name: Determine if current version differs what what is being installed
+- name: Determine if current version differs from what is being installed
   ansible.builtin.set_fact:
     installed_rke2_version: "{{ installed_rke2_version_tmp.stdout }}"
   when: rke2_binary.stat.exists

roles/rke2_common/tasks/tarball_install.yml

@@ -37,7 +37,7 @@
     - rke2_tarball_url != ""
 
 
-- name: Determine if current version differs what what is being installed
+- name: Determine if current version differs from what is being installed
   ansible.builtin.set_fact:
     rke2_version_changed: true
   when:
@@ -82,7 +82,7 @@
       ansible.builtin.set_fact:
         tarball_rke2_version: "{{ tarball_rke2_version_tmp.stdout }}"
 
-    - name: Determine if current version differs what what is being installed
+    - name: Determine if current version differs from what is being installed
       ansible.builtin.set_fact:
         rke2_version_changed: true
       when:

roles/rke2_server/defaults/main.yml

@@ -1,2 +1,2 @@
 ---
-kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}"
+kubernetes_api_server_host: "{{ hostvars[groups['rke2_servers'][0]].inventory_hostname }}"

roles/rke2_server/handlers/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Ensure the RKE2 Service is started 
+  block:
+    - name: Attempt to start RKE2
+      ansible.builtin.systemd:
+        name: rke2-server
+        enabled: yes 
+        state: started
+      register: rke2_service_start
+      retries: 20
+      delay: 10
+      until: rke2_service_start is succeeded
+      listen: Start RKE2
+
+    - name: Wait to ensure the service started correctly
+      ansible.builtin.pause:
+        seconds: 20
+      listen: Start RKE2
+
+    - name: Verify rke2-server started 
+      ansible.builtin.systemd:
+        name: rke2-server 
+        state: started 
+      failed_when: rke2_service_start is failed
+      listen: Start RKE2

roles/rke2_server/tasks/other_servers.yml

@@ -29,28 +29,25 @@
     insertbefore: BOF
   when:
     - '"server:" not in server_url_check.stdout'
+  notify: Start RKE2
 
-- name: Start rke2-server
-  throttle: 1
-  ansible.builtin.systemd:
-    name: rke2-server
-    state: started
-    enabled: yes
+- name: Flush handlers
+  meta: flush_handlers
 
 - name: Wait for k8s apiserver reachability
   ansible.builtin.wait_for:
     host: "{{ kubernetes_api_server_host }}"
     port: "6443"
     state: present
-    timeout: 300
+    timeout: 600
 
 - name: Wait for kubelet process to be present on host
   ansible.builtin.command: >-
     ps -C kubelet -F -ww --no-headers
   register: kubelet_check
   until: kubelet_check.rc == 0
   retries: 20
-  delay: 10
+  delay: 30
   changed_when: false
 
 - name: Extract the hostname-override parameter from the kubelet process
@@ -66,6 +63,6 @@
     -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
   register: status_result
   until: status_result.stdout.find("True") != -1
-  retries: 20
-  delay: 10
+  retries: 60
+  delay: 30
   changed_when: false

roles/rke2_server/tasks/utilities.yml

@@ -4,6 +4,7 @@
   ansible.builtin.lineinfile:
     dest: "/root/.bashrc"
     line: 'PATH=$PATH:/var/lib/rancher/rke2/bin'
+    create: true
     insertafter: EOF
 
 - name: Symlink crictl config to /etc/crictl.yaml