diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml
index 24b59c452fb27a70f646a37759fd682b86308bac..6b4d9ecb27634673d471cc54f08860a25eff91c0 100644
--- a/roles/rke2/tasks/main.yml
+++ b/roles/rke2/tasks/main.yml
@@ -21,12 +21,12 @@
 #This task runs only after the full installer went through and had a bit of time to boot, then starts to enforce SELinux
 - include_tasks: fix_selinux.yml
- when: state != 'absent' and 'control-plane' in group_names and postinstall
+ when: state != 'absent' and postinstall
 - name: uninstall rke2
 command: rke2-uninstall.sh
 when: rke2_installed.stat.exists and state == 'absent'
-#- include_tasks: rotate_encryption.yml
-# when: state != 'absent' and 'control-plane' in group_names and (rotate != 'absent')
+- include_tasks: rotate_encryption.yml
+ when: state != 'absent' and 'control-plane' in group_names and rotate and not postinstall
diff --git a/roles/rke2/tasks/rotate_encryption.yml b/roles/rke2/tasks/rotate_encryption.yml
index 67281fa2c635fe7b77a6a2975ad0e0b0a64091e7..fe1adb88080da89cb7562212dc06244060915d3a 100644
--- a/roles/rke2/tasks/rotate_encryption.yml
+++ b/roles/rke2/tasks/rotate_encryption.yml
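Review bot: The new include condition `rotate and not postinstall` aborts the play with an undefined-variable error whenever `rotate` is not supplied, and a value passed as `-e rotate=false` arrives as the string `'false'`, whose truthiness in a bare `when` is not what a caller would expect; guard it explicitly with `when: state != 'absent' and 'control-plane' in group_names and (rotate | default(false) | bool) and not postinstall`. The same hunk drops `'control-plane' in group_names` from the fix_selinux.yml include, so that file now runs on every host in the play including agents; fix_selinux.yml is not visible here, but the setup_host.yml hunk in this commit restricts all of its SELinux tasks to control-plane nodes, so this looks unintended. Note also that main.yml gates the rotation on `'control-plane' in group_names` while rotate_encryption.yml gates its `secrets-encrypt` commands on `'master' in group_names`, so if no host is in a group literally named `master` the include restarts every server three times without rotating anything.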
@@ -4,9 +4,50 @@
 - debug: var=encryption_status.stdout_lines
-- name: Sequentially restart the controlplane nodes
- serial: 1
+- name: Prepare Master Node for key-rotation
+ shell: "rke2 secrets-encrypt prepare"
+ register: encryption_master_prepared
+ when: ( 'master' in group_names )
+
+- name: Sequentially restart the controlplane nodes after PREPARED
+ throttle: 1
+ ansible.builtin.systemd:
+ name: "rke2-{{ node_type }}"
+ masked: no
+ enabled: yes
+ state: restarted
+ daemon_reload: yes
+
+- name: Rotate keys on Master Node
+ shell: "rke2 secrets-encrypt rotate"
+ register: encryption_master_rotated
+ when: ( 'master' in group_names )
+
+- name: Sequentially restart the controlplane nodes after ROTATED
+ throttle: 1
 ansible.builtin.systemd:
- name: rke2-server
+ name: "rke2-{{ node_type }}"
+ masked: no
+ enabled: yes
 state: restarted
+ daemon_reload: yes
+
+- name: Re-encrypt keys on Master Node
+ shell: "rke2 secrets-encrypt reencrypt"
+ register: encryption_master_reencrypted
+ when: ( 'master' in group_names )
+
+- name: Sequentially restart the controlplane nodes after REENCRYPTED
+ throttle: 1
+ ansible.builtin.systemd:
+ name: "rke2-{{ node_type }}"
+ masked: no
+ enabled: yes
+ state: restarted
+ daemon_reload: yes
+
+- name: Check status of key encryption AFTERWARDS
+ shell: "rke2 secrets-encrypt status"
+ register: encryption_status_after
+- debug: var=encryption_status_after.stdout_lines
\ No newline at end of file
diff --git a/roles/rke2/tasks/setup_host.yml b/roles/rke2/tasks/setup_host.yml
index 47a41e3485c8716e5ae45d86197d566af8d40cde..bce32655a29c3b088620d750ac3e083543203862 100644
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
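Review bot: The `after REENCRYPTED` restart runs immediately after `rke2 secrets-encrypt reencrypt`, but that command only starts a background re-encryption on the server; restarting rke2 before it finishes is likely to leave part of the secrets still encrypted under the old key, which defeats the rotation. Poll `rke2 secrets-encrypt status` on the master until it reports the reencrypt stage as finished (confirm the exact stage string against the rke2 release in use) before that restart, as sketched below. Three smaller points: these tasks key on `'master' in group_names` while main.yml gates the include on `'control-plane'`, so a group-name mismatch silently skips every `secrets-encrypt` step yet still restarts the servers three times; the `shell` tasks use no shell features and carry no `changed_when`, so `command` with an explicit `changed_when` is more honest; and `masked: no` / `enabled: yes` should be the booleans `false` / `true` (yamllint truthy).
```yaml
- name: Re-encrypt keys on Master Node
  command: "rke2 secrets-encrypt reencrypt"
  register: encryption_master_reencrypted
  when: "'master' in group_names"

# reencrypt is asynchronous: do not restart the servers until status reports it finished
- name: Wait for re-encryption to finish on Master Node
  command: "rke2 secrets-encrypt status"
  register: encryption_reencrypt_status
  changed_when: false
  until: "'reencrypt_finished' in encryption_reencrypt_status.stdout"
  retries: 60
  delay: 10
  when: "'master' in group_names"

# … unchanged: sequential restart after REENCRYPTED …
```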
@@ -67,22 +67,29 @@
 #Let openstack cloud controller access the /etc/ssl/certs directory (SELinux)
-- name: Enable SELinux
+# - name: Disable SELinux
+# selinux:
+# policy: targeted
+# state: permissive
+# when: ( 'control-plane' in group_names )
+
+- name: Disable SELinux
 selinux:
- policy: targeted
- state: permissive
+ state: disabled
+ when: ( 'control-plane' in group_names )
 - name: Copy SELinux Policies
 template:
 src: ../selinux/my-openstack.te
 dest: /etc/selinux/targeted/policy/my-openstack.te
-
+ when: ( 'control-plane' in group_names )
 - name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
 shell: |
 checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
 semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
 semodule -i /etc/selinux/targeted/policy/my-openstack.pp
+ when: ( 'control-plane' in group_names )
 - name: Ensure /var/lib/rancher/rke2/server/manifests
 file:
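Review bot: `state: disabled` turns SELinux off entirely on the control-plane nodes, where the previous task only set `permissive`; that removes the only mandatory-access confinement around etcd, the kubelet and the container runtime on the most sensitive hosts, and the stated problem (the OpenStack CCM reading /etc/ssl/certs) is already addressed by the custom `my-openstack` module that this same hunk still compiles and installs — keep `policy: targeted` / `state: permissive` (or enforcing once the module is confirmed to cover the denial) rather than `disabled`. The hunk is also internally inconsistent: a policy module has no effect once SELinux is disabled, and main.yml's `fix_selinux.yml` include is described in this commit as re-enforcing SELinux after install, so a later task may be undoing this one (fix_selinux.yml is not visible here). Ansible's `selinux` module only writes `disabled` to /etc/selinux/config and reports that a reboot is required, so the running mode is unchanged for the rest of this play and whatever this was meant to fix will not take effect in the same run. Finally, the commented-out `Disable SELinux` block above the live task is dead text and should be deleted rather than kept.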