From 9954f2331790354416c074ddd545845dfaabda4d Mon Sep 17 00:00:00 2001
From: entlein <einentlein@gmail.com>
Date: Thu, 18 Aug 2022 16:48:05 +0200
Subject: [PATCH] reverting most of the ansible logic to pre-selinux and hoping
 my policy exception is now correct

---
 roles/rke2/selinux/my-openstack.te |  3 +++
 roles/rke2/tasks/kubeconfig.yml    | 34 ++++++++++++++--------------
 roles/rke2/tasks/main.yml          |  6 ++---
 roles/rke2/tasks/setup_host.yml    | 36 +++++++++++++++++-------------
 roles/rke2/tasks/templates.yml     |  4 ++--
 5 files changed, 46 insertions(+), 37 deletions(-)

diff --git a/roles/rke2/selinux/my-openstack.te b/roles/rke2/selinux/my-openstack.te
index 9c3023b..0cdb1a0 100644
--- a/roles/rke2/selinux/my-openstack.te
+++ b/roles/rke2/selinux/my-openstack.te
@@ -5,8 +5,11 @@ require {
         type container_t;
         class dir read;
         class lnk_file read;
+        class file read;
+        class file write;
 }
 
 #============= container_t ==============
 allow container_t cert_t:dir read;
 allow container_t cert_t:lnk_file read;
+allow container_t cert_t:file {read write};
\ No newline at end of file
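Review bot: `allow container_t cert_t:file {read write};` grants every process in the generic container domain write access to the host's certificate files, so any container on the node can alter the CA trust material that the role installs, which defeats the point of shipping a curated bundle. The earlier rules only needed `dir read` and `lnk_file read`; if the denial that motivated this was a read, keep `allow container_t cert_t:file read;` and drop `write`, and if one specific workload genuinely has to write certificates it should get its own domain or the files a dedicated type rather than widening `container_t`. The `require` block also declares `class file` twice on consecutive lines; the conventional form, and the one audit2allow emits, is a single `class file { read write };`, so it is worth confirming checkmodule accepts the split declaration. The file still ends without a newline.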
diff --git a/roles/rke2/tasks/kubeconfig.yml b/roles/rke2/tasks/kubeconfig.yml
index 2d19b94..72b769b 100644
--- a/roles/rke2/tasks/kubeconfig.yml
+++ b/roles/rke2/tasks/kubeconfig.yml
@@ -10,24 +10,24 @@
   when:  ( 'master' in group_names )
 #  notify:
 #  - wait for RANCHER to come up
-- name: start rke2 on the servers
-  ansible.builtin.systemd:
-    name: "rke2-{{ node_type }}"
-    enabled: yes
-    masked: no
-    state: started
-    daemon_reload: yes
-  ignore_errors: True
-#  when:  ( 'servers' in group_names )
+# - name: start rke2 on the servers
+#   ansible.builtin.systemd:
+#     name: "rke2-{{ node_type }}"
+#     enabled: yes
+#     masked: no
+#     state: started
+#     daemon_reload: yes
+#   ignore_errors: True
+# #  when:  ( 'servers' in group_names )
 
-- name: start rke2 everywhere
-  ansible.builtin.systemd:
-    name: "rke2-{{ node_type }}"
-    enabled: yes
-    masked: no
-    state: started
-    daemon_reload: yes
-  ignore_errors: True
+# - name: start rke2 everywhere
+#   ansible.builtin.systemd:
+#     name: "rke2-{{ node_type }}"
+#     enabled: yes
+#     masked: no
+#     state: started
+#     daemon_reload: yes
+#   ignore_errors: True
 
 - name: wait for kubeconfig
   wait_for:
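Review bot: With both `start rke2 …` tasks commented out, nothing left in this file starts the `rke2-{{ node_type }}` unit before `wait for kubeconfig` polls for the file, so unless the service is started elsewhere in the role (a handler, or the installer script itself) the wait will simply time out. Please confirm where the start now happens, or keep one start task guarded with `when: "'master' in group_names"` to match the new include condition in main.yml. Commented-out tasks should be deleted rather than kept, since git history already preserves them. The `wait for kubeconfig` task continues past the end of the hunk.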
diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml
index 185e567..28c947a 100644
--- a/roles/rke2/tasks/main.yml
+++ b/roles/rke2/tasks/main.yml
@@ -17,7 +17,7 @@
   when: state != 'absent' 
 
 - include_tasks: kubeconfig.yml
-  when: state != 'absent' #and 'master' in group_names 
+  when: state != 'absent' and 'master' in group_names 
 
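Review bot: The kubeconfig include is now gated on `'master' in group_names`, while the SELinux tasks in this file and in setup_host.yml are gated on `'control-plane' in group_names`; if those are two distinct inventory groups, kubeconfig handling and SELinux handling run on different sets of hosts, and if only one of them exists the other condition is silently never true. Please settle on one group name for the control-plane hosts and use it for every `when:` in the role. The surrounding include list continues outside the hunk.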
 # Flush the handlers only for fresh installs
 #- name: Flush handlers
@@ -25,8 +25,8 @@
 
   
 #This task runs only after the full installer went through and had a bit of time to boot, then starts to enforce SELinux
-- include_tasks: fix_selinux.yml
-  when: state != 'absent' and 'control-plane' in group_names
+#- include_tasks: fix_selinux.yml
+#  when: state != 'absent' and 'control-plane' in group_names
 
 - name: uninstall rke2
   command: rke2-uninstall.sh
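Review bot: The comment above the now-commented `fix_selinux.yml` include still says the task "starts to enforce SELinux", but nothing in this hunk does that any more, so the comment is stale; either delete the dead include together with its comment, or reword it to point at the place where enforcing is now switched on. Nothing visible in this diff installs the `my-openstack` policy module either — if `fix_selinux.yml` was what loaded it, commenting the include out means the exception is never applied even though the commit message relies on it; please confirm where the module is now built and loaded. The `uninstall rke2` task continues past the end of the hunk.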
diff --git a/roles/rke2/tasks/setup_host.yml b/roles/rke2/tasks/setup_host.yml
index fefb629..8bd536b 100644
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
@@ -13,13 +13,13 @@
     /usr/sbin/pvresize -y -q /dev/vda2 
     /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root 
 
-- name: Upgrade to latest kernel
-  shell: |
-    dnf upgrade -y 
-    dnf updateinfo list --security --available
-    dnf install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm --assumeyes
-    dnf --enablerepo=elrepo-kernel install kernel-ml --assumeyes
-    touch /.autorelabel
+# - name: Upgrade to latest kernel
+#   shell: |
+#     dnf upgrade -y 
+#     dnf updateinfo list --security --available
+#     dnf install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm --assumeyes
+#     dnf --enablerepo=elrepo-kernel install kernel-ml --assumeyes
+#     touch /.autorelabel
     
 - name: install RHEL packages
   dnf:
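Review bot: Commenting out `Upgrade to latest kernel` also removes `dnf upgrade -y`, which was the only visible step that applied pending package and security updates, so hosts are now built with whatever the base image happens to ship. If the elrepo `kernel-ml` install was the problem, keep the update as a task of its own, e.g. `- name: Apply pending updates` with `dnf: {name: '*', state: latest}`, and delete the commented block rather than leaving it in place. The `touch /.autorelabel` that went with it is gone as well, so a host whose files were labeled while SELinux was disabled will not be relabeled on the next boot. The resize task above and `install RHEL packages` below continue outside the hunk.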
@@ -71,15 +71,11 @@
     name: etcd
     group: etcd
 
-- name: Reboot but not on upgrades, so kernel updates only install at initial runs 
-  ansible.builtin.reboot:
-    reboot_timeout: 3600
-  when: ( not upgrade ) 
+# - name: Reboot but not on upgrades, so kernel updates only install at initial runs 
+#   ansible.builtin.reboot:
+#     reboot_timeout: 3600
+#   when: ( not upgrade ) 
 
-- name: Download root CA
-  get_url:
-    url: https://curl.se/ca/cacert.pem
-    dest: /etc/ssl/certs
 
 - name: Disable SELinux
   selinux:
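Review bot: The `Disable SELinux` task name is misleading: the body sets `state: permissive`, which keeps the policy loaded and logging denials, not disabled, and readers auditing this role will assume the weaker setting. Rename it to something like `Set SELinux permissive on control-plane nodes`. The reboot that used to follow the kernel and label changes is now commented out rather than removed; if it is no longer needed, delete it, and if it is still needed for hosts coming from a disabled state see the note on the `Enable SELinux` task. Both the etcd user task above and this task continue outside the hunk.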
@@ -87,6 +83,11 @@
     state: permissive
   when: ( 'control-plane' in group_names )
 
+- name: Download root CA
+  get_url:
+    url: https://curl.se/ca/cacert.pem
+    dest: /etc/ssl/certs
+
 - name: Update CA trust
   shell: update-ca-trust
   
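Review bot: The `Download root CA` task fetches `cacert.pem` with no `checksum`, so a tampered or truncated download is installed into the host trust store unverified; add `checksum: sha256:https://curl.se/ca/cacert.pem.sha256` (curl.se publishes that digest alongside the bundle) and an explicit `mode: "0644"`. On RHEL-family hosts `update-ca-trust` consumes anchors from `/etc/pki/ca-trust/source/anchors/`, and `/etc/ssl/certs` is normally a symlink to the generated output directory, so a file dropped there is likely not merged into the trust bundle at all — please verify where this bundle is actually expected to land, and whether installing the full Mozilla bundle is intended rather than a single internal CA. `shell: update-ca-trust` has no shell features and should be `command: update-ca-trust`. The task above starts outside the hunk.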
@@ -129,3 +130,8 @@
     state: directory
     recurse: yes
 
+- name: Enable SELinux
+  selinux:
+    policy: targeted
+    state: enforcing
+
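Review bot: The new `Enable SELinux` task sets `enforcing` unconditionally, while the permissive step earlier in this file is restricted to `'control-plane' in group_names`, so worker nodes are now flipped to enforcing with no permissive pass and no visible step that loads the `my-openstack` exception first; if the policy is needed, workers will hit the denials it was written for. A host that starts in `disabled` state is only changed in `/etc/selinux/config` by this task, and with the reboot task now commented out the change does not take effect in this run; the module reports that through `reboot_required`, so register the result and reboot on it. The trailing blank line at the end of the file should also go.

```yaml
- name: Enable SELinux
  selinux:
    policy: targeted
    state: enforcing
  register: selinux_state

- name: Reboot when the SELinux state change requires it
  ansible.builtin.reboot:
    reboot_timeout: 3600
  when: selinux_state.reboot_required | default(false)
```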
diff --git a/roles/rke2/tasks/templates.yml b/roles/rke2/tasks/templates.yml
index 619fd2e..f8e1c5e 100644
--- a/roles/rke2/tasks/templates.yml
+++ b/roles/rke2/tasks/templates.yml
@@ -7,8 +7,8 @@
         dest: '/var/lib/rancher/rke2/server/manifests/{{ item.key }}.yaml'
       with_dict: "{{ manifests_config }}"
       when: item.value.enabled
-      #notify:
-      #  - restart rke2
+      notify:
+        - restart rke2
 
     - name: Remove manifest template files
       ansible.builtin.file:
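Review bot: Enabling `notify: restart rke2` requires a handler of exactly that name, and none is visible in this diff; if it does not exist in the role's handlers the play fails at parse time with "handler not found", so please confirm it is defined. As far as I know rke2 watches `server/manifests/` and applies changed files on its own, so a full service restart for every manifest change may be unnecessary and, on a server node, briefly takes the API down — worth confirming before keeping the notify. The enclosing block and the `Remove manifest template files` task continue outside the hunk.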
-- 
GitLab