From b0f1458cd9f978db223b520b750388097b3310c0 Mon Sep 17 00:00:00 2001
From: entlein <einentlein@gmail.com>
Date: Thu, 30 Jun 2022 14:58:08 +0200
Subject: [PATCH] using a kubectl rollout restart instead of the dodgy wait
 condition

---
 roles/rke2/tasks/fix_selinux.yml | 59 +++++++++++++++-----------------
 roles/rke2/tasks/setup_host.yml  | 11 ++++++
 2 files changed, 39 insertions(+), 31 deletions(-)

diff --git a/roles/rke2/tasks/fix_selinux.yml b/roles/rke2/tasks/fix_selinux.yml
index 696f97b..fa7fed7 100644
--- a/roles/rke2/tasks/fix_selinux.yml
+++ b/roles/rke2/tasks/fix_selinux.yml
@@ -1,36 +1,33 @@
+- name: kill the openstack ccm pods to make sure they boot in permissive mode
+  shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml --namespace=kube-system  rollout restart ds openstack-cloud-controller-manager"
+  register: openstack_ccm_ready
 
-- name: Copy SELinux Policies
-  template:
-    src: ../selinux/my-openstack.te
-    dest: /etc/selinux/targeted/policy/my-openstack.te
-
-
-- name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
-  shell: |
-    checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
-    semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
-    semodule -i /etc/selinux/targeted/policy/my-openstack.pp
-
-
-- name: Wait for all control-plane pods to become created
-  shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get po --namespace=kube-system --selector tier=control-plane --output=jsonpath='{.items[*].metadata.name}'"
-  register: control_plane_pods_created
-  until: item in control_plane_pods_created.stdout
-  retries: 10
-  delay: 30
-  when: ('master' in group_names )
-  ignore_errors: True
-  with_items:
-    - etcd
-    - kube-apiserver
-    - kube-controller-manager
-    - kube-scheduler
 
-- name: Wait for openstack-cloud-controller deamon set to be ready
-  shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml wait --namespace=kube-system --for=condition=Ready pods --selector app=openstack-cloud-controller-manager --timeout=360s"
-  register: openstack_ccm_ready
-  when: ('master' in group_names)
-  ignore_errors: True
+- name: Sleep for 300 seconds and continue with play
+  ansible.builtin.wait_for:
+    timeout: 30
+  delegate_to: localhost
+
+# - name: Wait for all control-plane pods to become created
+#   shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get po --namespace=kube-system --selector tier=control-plane --output=jsonpath='{.items[*].metadata.name}'"
+#   register: control_plane_pods_created
+#   until: item in control_plane_pods_created.stdout
+#   retries: 1
+#   delay: 30
+#   when: ('master' in group_names )
+#   ignore_errors: True
+#   with_items:
+#     - etcd
+#     - kube-apiserver
+#     - kube-controller-manager
+#     - kube-scheduler
+
+# - name: Wait for openstack-cloud-controller deamon set to be ready
+#   shell: "/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml wait --namespace=kube-system --for=condition=Ready pods --selector app=openstack-cloud-controller-manager --timeout=360s"
+#   register: openstack_ccm_ready
+#   until: openstack_ccm_ready.stout
+#   when: ('master' in group_names)
+#   ignore_errors: True
 
 
 - name: Enable SELinux
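Review bot: The added `wait_for` task is named "Sleep for 300 seconds" but sets `timeout: 30`, and a fixed pause does not confirm that the restarted openstack-cloud-controller-manager pods are back before the following `Enable SELinux` task runs. Waiting on the rollout itself would make that ordering explicit, for example by running the same kubectl invocation with `rollout status ds openstack-cloud-controller-manager --timeout=360s`. The restart task also drops the `when: ('master' in group_names)` guard that the removed wait tasks carried, so it presumably runs on every host in the play, including any where /etc/rancher/rke2/rke2.yaml does not exist; restoring the guard would limit it to the servers. The commented-out tasks (one of which now reads `openstack_ccm_ready.stout`) are better deleted than kept, since version control already holds the old form. The `Enable SELinux` task continues outside the hunk.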
diff --git a/roles/rke2/tasks/setup_host.yml b/roles/rke2/tasks/setup_host.yml
index 7aa84cb..47a41e3 100644
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
@@ -72,6 +72,17 @@
     policy: targeted
     state: permissive
 
+- name: Copy SELinux Policies
+  template:
+    src: ../selinux/my-openstack.te
+    dest: /etc/selinux/targeted/policy/my-openstack.te
+
+
+- name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
+  shell: |
+    checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
+    semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
+    semodule -i /etc/selinux/targeted/policy/my-openstack.pp
 
 - name: Ensure /var/lib/rancher/rke2/server/manifests
   file:
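Review bot: The multi-line `shell` block that builds the policy module has no error handling, so the task result is only the exit status of the final `semodule -i`. If `checkmodule` or `semodule_package` fails while a `.pp` from an earlier run is still on disk, the stale module is installed and the task reports success. Starting the script with `set -e` would stop at the first failing step. The `template` task above it sets no `owner`, `group` or `mode` for a file under /etc/selinux, so adding `owner: root`, `group: root` and `mode: "0644"` would make the permissions explicit rather than dependent on the umask. The contents of my-openstack.te are not part of this diff, so what the module allows cannot be checked here.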
-- 
GitLab