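# Stage the upstream RKE2 installer so the "Install RKE2" task can execute it.
# NOTE(review): no `checksum:` is pinned, so whatever https://get.rke2.io
# serves at run time is what the install task executes. Pin one
# (checksum: "sha256:<PINNED_SHA256_PLACEHOLDER>") or vendor a reviewed copy.
- name: download RKE2 install script
  get_url:
    url: https://get.rke2.io
    dest: /tmp/rke2.sh
    mode: '0755'
    # /tmp is shared and this path is predictable. Without force, get_url
    # keeps a file that already exists at dest instead of fetching a new one,
    # and that leftover file is what the install task would then run.
    force: true
  when: not rke2_installed.stat.exists or upgrade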
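# The system-wide crypto policy is relaxed to accept SHA1 only around the
# install step. block/always guarantees the revert task still runs when the
# installer fails, so a failed run does not leave the host accepting SHA1.
- name: Install RKE2 with SHA1 temporarily allowed
  block:
    - name: Update crypto-policy to allow SHA1
      # No shell features are used, so command is sufficient.
      command: update-crypto-policies --set DEFAULT:SHA1
      when: not rke2_installed.stat.exists or upgrade

    - name: Install RKE2
      command: /tmp/rke2.sh
      args:
        # NOTE(review): `creates` skips this task whenever /usr/bin/rke2
        # exists, including when `upgrade` is set. Confirm upgrades are
        # handled elsewhere.
        creates: /usr/bin/rke2
      # The install script reads its INSTALL_RKE2_* settings from the
      # environment. In the listing they follow `creates` with no
      # `environment:` key, where the command module would not export them.
      environment:
        INSTALL_RKE2_VERSION: "{{ rke2_version }}"
        INSTALL_RKE2_CHANNEL: "{{ rke2_channel }}"
        INSTALL_RKE2_TYPE: "{{ node_type }}"

  always:
    - name: Revert crypto-policy
      # NOTE(review): this sets DEFAULT:NO-SHA1 rather than restoring the
      # policy that was active before. A host that was on a different policy
      # ends up on DEFAULT:NO-SHA1. Confirm that is intended.
      command: update-crypto-policies --set DEFAULT:NO-SHA1
      when: not rke2_installed.stat.exists or upgrade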
# - name: install RHEL RKE2 packages to use latest minor version (otherwise cilium breaks Dont ask why)
# dnf:
# name:
# - rke2-common
# - rke2-selinux
# state: latest
# Delete the staged installer from /tmp so it is not left behind after the
# install step has run.
- name: remove RKE2 install script
  file:
    state: absent
    path: "/tmp/rke2.sh"
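# Render the custom SELinux type-enforcement source onto control-plane nodes.
# The policy module is compiled from this file by a later task.
- name: Copy SELinux Policies (rke2)
  template:
    src: ../selinux/my-rke2.te
    dest: /etc/selinux/targeted/policy/my-rke2.te
    # Set the mode explicitly so the policy source never inherits a looser
    # mode from the umask and stays writable by its owner only.
    mode: "0644"
  when: "'control-plane' in group_names"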
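# Compile, package and load the custom SELinux module on control-plane nodes.
# NOTE(review): this runs on every play and loads policy exceptions from
# my-rke2.te. Keep that file under review, since it widens what SELinux allows.
- name: Build SELinux exception module (rke2)
  shell: |
    # Stop at the first failing step. Without this the task reports only the
    # exit status of the final semodule call, which could load a stale .pp
    # left by an earlier run even though checkmodule or semodule_package failed.
    set -e
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-rke2.mod /etc/selinux/targeted/policy/my-rke2.te
    semodule_package -o /etc/selinux/targeted/policy/my-rke2.pp -m /etc/selinux/targeted/policy/my-rke2.mod
    semodule -i /etc/selinux/targeted/policy/my-rke2.pp
  when: "'control-plane' in group_names"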
#THAT DOESNT WORK EITHER
#- name: force downgrade containerd
# shell: |
# dnf install -y containerd.io-1.4.6-3.1.fc34