From 89d84c85adf7e6af28d7a2727aee73fc0a8b2559 Mon Sep 17 00:00:00 2001
From: entlein <einentlein@gmail.com>
Date: Fri, 1 Jul 2022 10:39:30 +0200
Subject: [PATCH] now I'll totally disable it, not just put it into permissive
 mode, it's annoying me too much

---
 roles/rke2/tasks/main.yml              |  6 ++--
 roles/rke2/tasks/rotate_encryption.yml | 47 ++++++++++++++++++++++++--
 roles/rke2/tasks/setup_host.yml        | 15 +++++---
 3 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml
index 24b59c4..6b4d9ec 100644
--- a/roles/rke2/tasks/main.yml
+++ b/roles/rke2/tasks/main.yml
@@ -21,12 +21,12 @@
 
 #This task runs only after the full installer went through and had a bit of time to boot, then starts to enforce SELinux
 - include_tasks: fix_selinux.yml
-  when: state != 'absent' and 'control-plane' in group_names and postinstall
+  when: state != 'absent' and postinstall
 
 - name: uninstall rke2
   command: rke2-uninstall.sh
   when: rke2_installed.stat.exists and state == 'absent'
 
 
-#- include_tasks: rotate_encryption.yml
-#  when: state != 'absent' and 'control-plane' in group_names and (rotate != 'absent')
+- include_tasks: rotate_encryption.yml
+  when: state != 'absent' and 'control-plane' in group_names and rotate and not postinstall
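Review bot: The re-enabled include on the last line tests `rotate` as a bare truthy value, whereas the commented-out version it replaces compared it with the string `'absent'`; if the role's defaults still define `rotate` as a string such as `'absent'`, that string is truthy and the rotation tasks run on every play (the defaults are outside this diff, so confirm). An undefined `rotate` would instead abort the play with an undefined-variable error. Making the intent explicit with `when: state != 'absent' and 'control-plane' in group_names and (rotate | default(false) | bool) and not postinstall` avoids both cases. The first change also drops the `'control-plane' in group_names` guard on fix_selinux.yml, so that file now runs on agent nodes as well; a short comment above it stating that this is intended would stop the next reader from treating it as an accident.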
diff --git a/roles/rke2/tasks/rotate_encryption.yml b/roles/rke2/tasks/rotate_encryption.yml
index 67281fa..fe1adb8 100644
--- a/roles/rke2/tasks/rotate_encryption.yml
+++ b/roles/rke2/tasks/rotate_encryption.yml
@@ -4,9 +4,50 @@
 
 - debug: var=encryption_status.stdout_lines
 
-- name: Sequentially restart the controlplane nodes
-  serial: 1
+- name: Prepare Master Node for key-rotation
+  shell: "rke2 secrets-encrypt prepare"
+  register: encryption_master_prepared
+  when: ( 'master' in group_names )
+
+- name: Sequentially restart the controlplane nodes after PREPARED
+  throttle: 1
+  ansible.builtin.systemd:
+    name: "rke2-{{ node_type }}"
+    masked: no
+    enabled: yes
+    state: restarted
+    daemon_reload: yes
+
+- name: Rotate keys on Master Node 
+  shell: "rke2 secrets-encrypt rotate"
+  register: encryption_master_rotated
+  when: ( 'master' in group_names )
+
+- name: Sequentially restart the controlplane nodes after ROTATED
+  throttle: 1
   ansible.builtin.systemd:
-    name: rke2-server
+    name: "rke2-{{ node_type }}"
+    masked: no
+    enabled: yes
     state: restarted
+    daemon_reload: yes
+
+- name: Re-encrypt keys on Master Node 
+  shell: "rke2 secrets-encrypt reencrypt"
+  register: encryption_master_reencrypted
+  when: ( 'master' in group_names )
+
+- name: Sequentially restart the controlplane nodes after REENCRYPTED
+  throttle: 1
+  ansible.builtin.systemd:
+    name: "rke2-{{ node_type }}"
+    masked: no
+    enabled: yes
+    state: restarted
+    daemon_reload: yes
+
+- name: Check status of key encryption AFTERWARDS
+  shell: "rke2 secrets-encrypt status"
+  register: encryption_status_after
 
+- debug: var=encryption_status_after.stdout_lines
\ No newline at end of file
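Review bot: The prepare, rotate and reencrypt tasks are gated only by `'master' in group_names`, so with more than one host in that group each step is executed on every master rather than once for the cluster; add `run_once: true` to each of the three tasks so a single server drives the rotation and the throttled restarts follow each step. Those tasks key on a `master` group while main.yml gates this whole file on `control-plane`; if the two groups are not the same hosts the rotation steps are skipped silently, which is worth checking against the inventory. The final `rke2 secrets-encrypt status` is only printed, not asserted, so a failed or unfinished reencryption leaves the play green with keys half-rotated; a `failed_when` on `encryption_status_after.stdout`, or a retry loop that waits until the status reports the reencrypt stage as finished, would surface that. Minor: `masked: no` / `enabled: yes` are YAML 1.1 truthy spellings, prefer `masked: false` / `enabled: true`; the three `shell:` calls need no shell features and could be `command:`; and the names of the rotate and reencrypt tasks carry trailing whitespace.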
diff --git a/roles/rke2/tasks/setup_host.yml b/roles/rke2/tasks/setup_host.yml
index 47a41e3..bce3265 100644
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
@@ -67,22 +67,29 @@
 
 #Let openstack cloud controller access the /etc/ssl/certs directory (SELinux)
 
-- name: Enable SELinux
+# - name: Disable SELinux
+#   selinux:
+#     policy: targeted
+#     state: permissive
+#   when: ( 'control-plane' in group_names )
+
+- name: Disable SELinux
   selinux:
-    policy: targeted
-    state: permissive
+    state: disabled
+  when: ( 'control-plane' in group_names )
 
 - name: Copy SELinux Policies
   template:
     src: ../selinux/my-openstack.te
     dest: /etc/selinux/targeted/policy/my-openstack.te
-
+  when: ( 'control-plane' in group_names )
 
 - name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
   shell: |
     checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
     semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
     semodule -i /etc/selinux/targeted/policy/my-openstack.pp
+  when: ( 'control-plane' in group_names )
 
 - name: Ensure /var/lib/rancher/rke2/server/manifests
   file:
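Review bot: `state: disabled` on the new Disable SELinux task only takes effect after a reboot, which nothing in this hunk performs, so until then the node keeps running in its previous mode (the ansible.posix selinux module reports `reboot_required` for this case); either act on that result or keep `state: permissive`, which is applied at runtime and still logs the denials the custom policy below is meant to address. Disabling SELinux outright on the control-plane nodes also makes the Copy/Build SELinux policy tasks that follow pointless, since the `my-openstack` module is installed into a policy that is no longer enforced, and it pulls against fix_selinux.yml in main.yml, whose header comment says it re-enables enforcement after install. If this is meant as a temporary workaround, as the commit message suggests, a comment above the task would keep the regression visible, e.g. `# TEMP: SELinux fully disabled until the openstack CCM policy works; fix_selinux.yml re-enforces post-install`. The Ensure /var/lib/rancher/rke2/server/manifests task at the end continues past the hunk.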
-- 
GitLab