
Issue #842: Order of tasks updated

Signed-off-by: Bhagyashree-shetty <Bhagyashree_Shetty@dellteam.com>
Bhagyashree-shetty 3 سال پیش
والد
کامیت
2c1cf452dd

+ 0 - 22
control_plane/roles/control_plane_common/tasks/pre_requisite.yml

@@ -80,28 +80,6 @@
   register: os_value
   tags: [ init, validate ]
 
-- block:
-    - name: Fetch SElinux mode
-      command: sestatus
-      register: sestatus_current
-      changed_when: false
-
-    - name: Disable SElinux
-      replace:
-        path: /etc/sysconfig/selinux
-        regexp: 'SELINUX=[a-z]+'
-        replace: 'SELINUX=disabled'
-      when: '"SELinux status: enabled" in sestatus_current.stdout_lines'
-
-    - name: Status of SElinux
-      fail:
-        msg: "{{ selinux_status }}"
-      when: '"SELinux status: enabled" in sestatus_current.stdout_lines'
-      register: selinux_value
-  tags: init
-  when:
-    - os_supported_leap not in mgmt_os
-
 - name: State of firewall
   service:
     name: firewalld

+ 0 - 4
control_plane/roles/control_plane_k8s/tasks/k8s_installation.yml

@@ -19,10 +19,6 @@
     fstype: swap
     state: absent
 
-- name: Disable selinux
-  selinux:
-    state: disabled
-
 - name: Copy k8s.conf file
   copy:
     src: k8s.conf

+ 27 - 0
control_plane/roles/control_plane_security/tasks/install_apparmor.yml

@@ -0,0 +1,27 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install apparmor-utils on Leap
+  zypper:
+    name: "{{ item }}"
+    state: present
+  changed_when: false
+  with_items:
+    - apparmor-utils
+    - apparmor-profiles
+  
+- name: Enable Apparmor
+  command: rcapparmor start
+  changed_when: false
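Review bot: `changed_when: false` on the zypper task at the top of this file reports no change even when apparmor-utils and apparmor-profiles are actually installed, and the `command: rcapparmor start` task only starts the service for the current boot, so nothing persists across a reboot despite the task name "Enable Apparmor". The same two tasks are duplicated in roles/login_node/tasks/install_apparmor.yml in this commit, so both copies need the fix; the two copies also diverge on where the Leap guard lives (the login_node copy carries its own `when:` on `os_leap`, this one relies on the caller's block on `os_supported_leap`). I would drop `changed_when: false` from the install task and replace the command with the service module so the state is persistent and idempotent; as far as I know the systemd unit is `apparmor` on Leap, which should be verified. Line 86 of this hunk also carries trailing whitespace on an otherwise blank line.
```yaml
# … unchanged: license header and document start …
- name: Install apparmor-utils on Leap
  zypper:
    name: "{{ item }}"
    state: present
  with_items:
    - apparmor-utils
    - apparmor-profiles

- name: Enable Apparmor
  service:
    name: apparmor
    state: started
    enabled: true
```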

+ 4 - 1
control_plane/roles/control_plane_security/tasks/main.yml

@@ -39,6 +39,9 @@
     - block:
         - name: Install 389 directory server
           include_tasks: install_389ds.yml
+
+        - name: Install Apparmor on Leap
+          include_tasks: install_apparmor.yml
       when: os_supported_leap in mgmt_os
       
     - name: Install snoopy
@@ -53,4 +56,4 @@
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
-  when: enable_security_support
+  when: enable_security_support

+ 0 - 5
roles/common/tasks/main.yml

@@ -73,11 +73,6 @@
         fstype: swap
         state: absent
 
-    - name: Disable selinux
-      selinux:
-        state: disabled
-      tags: install
-
     - name: Install common packages
       package:
         name: "{{ common_packages }}"

+ 120 - 28
roles/k8s_common/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2020 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -13,19 +13,6 @@
 #  limitations under the License.
 ---
 
-- name: Add kubernetes repo
-  yum_repository:
-    name: kubernetes
-    description: kubernetes
-    baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
-    enabled: yes
-    gpgcheck: no
-    repo_gpgcheck: no
-    gpgkey:
-      - https://packages.cloud.google.com/yum/doc/yum-key.gpg
-      - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
-  tags: install
-
 - name: Update sysctl to handle incorrectly routed traffic when iptables is bypassed
   copy:
     src: k8s.conf
@@ -40,20 +27,125 @@
   changed_when: true
   tags: install
 
-- name: Install k8s packages
-  package:
-    name: "{{ k8s_packages }}"
-    state: present
-  tags: install
+- block:
+    - name: Add kubernetes repo
+      yum_repository:
+        name: kubernetes
+        description: kubernetes
+        baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
+        enabled: yes
+        gpgcheck: no
+        repo_gpgcheck: no
+        gpgkey:
+          - https://packages.cloud.google.com/yum/doc/yum-key.gpg
+          - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+      tags: install
 
-- name: Versionlock kubernetes
-  command: "yum versionlock '{{ item }}'"
-  args:
-    warn: false
-  with_items:
-    - "{{ k8s_packages }}"
-  changed_when: true
-  tags: install
+    - name: Install k8s packages
+      package:
+        name: "{{ k8s_packages }}"
+        state: present
+      tags: install
+
+    - name: Versionlock kubernetes
+      command: "yum versionlock '{{ item }}'"
+      args:
+        warn: false
+      with_items:
+        - "{{ k8s_packages }}"
+      changed_when: true
+      tags: install
+  when: os_supported_leap not in compute_os
+
+- block:
+    - name: Add kubernetes repo
+      zypper_repository:
+        name: google-k8s
+        repo: "{{ k8s_repo_leap }}"
+        state: present
+        autorefresh: yes
+        disable_gpg_check: yes
+      tags: install
+
+    - name: Import rpm-package key for installing kubernetes
+      rpm_key:
+        key: "{{ rpm_pkg_leap }}"
+        state: present
+      tags: install
+
+    - name: Import yum key for installing kubernetes
+      rpm_key:
+        key: "{{ yum_key_leap }}"
+        state: present
+      tags: install
+
+    - name: Import gpg-pubkey key for installing kubernetes
+      command: "{{ gpg_pubkey_leap }}"
+      args:
+        warn: false
+      changed_when: false
+      tags: install
+
+    - name: Refresh repositories and installing conntrack-tools
+      package:
+        name: conntrack-tools
+        state: present
+      tags: install
+
+    - name: Install Kubeadm
+      ansible.builtin.expect:
+        command: zypper install --oldpackage "{{ kubeadm_version }}"
+        responses:
+            (.*) [1/2/c/d/?](.): '2'
+            (.*)(y): 'y'
+      register: kubeadm_status
+      until: kubeadm_status is not failed
+      retries: "{{ max_retries }}"
+      tags: install
+
+    - name: Install Kubelet
+      ansible.builtin.expect:
+        command: zypper install --oldpackage "{{ kubelet_version }}"
+        responses:
+            (.*) [1/2/c/d/?](.): '2'
+            (.*)(y): 'y'
+      register: kubelet_status
+      until: kubelet_status is not failed
+      retries: "{{ max_retries }}"
+      tags: install
+
+    - name: Install Kubectl
+      zypper:
+        name: "{{ kubectl_version }}"
+        state: present
+        oldpackage: yes
+        force: yes
+      register: kubectl_status
+      until: kubectl_status is not failed
+      retries: "{{ max_retries }}"
+      tags: install
+
+    - name: Versionlocking kubeadm
+      command: zypper addlock "{{ kubeadm_version }}"
+      args:
+        warn: false
+      changed_when: false
+      tags: install
+
+    - name: Versionlocking kubectl
+      command: zypper addlock "{{ kubelet_version }}"
+      args:
+        warn: false
+      changed_when: false
+      tags: install
+
+    - name: Versionlocking kubelet
+      command: zypper addlock "{{ kubectl_version }}"
+      args:
+        warn: false
+      changed_when: false
+      tags: install
+  when: ( os_supported_leap in compute_os ) and ( ansible_distribution_version >= os_supported_leap_version )
 
 - name: Start and enable docker service
   service:
@@ -66,4 +158,4 @@
   service:
     name: kubelet
     state: restarted
-    enabled: yes
+    enabled: yes
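Review bot: The guard closing the Leap block, `when: ( os_supported_leap in compute_os ) and ( ansible_distribution_version >= os_supported_leap_version )`, compares two strings lexicographically, so a future `15.10` sorts below `15.3` and the whole block is skipped; use the version test instead: `when: ( os_supported_leap in compute_os ) and ( ansible_distribution_version is version(os_supported_leap_version, '>=') )`. In the same block the three versionlock task names are crossed — "Versionlocking kubectl" locks `{{ kubelet_version }}` and "Versionlocking kubelet" locks `{{ kubectl_version }}`; the locked set is the same, but each name should match its variable. The repository is added with `disable_gpg_check: yes` even though the two signing keys are imported by the `rpm_key` tasks immediately below it, so those imports do not protect the install; with the keys present the check can stay enabled, and the "Import gpg-pubkey key" task runs `{{ gpg_pubkey_leap }}`, which in vars/main.yml is an `rpm -q` query that lists keys rather than importing one, so it should be renamed or dropped. The `expect` responses answer `2` to any zypper solver prompt, which picks a dependency resolution blindly — presumably the downgrade option, but a comment stating which prompt this is meant for would help.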

+ 14 - 2
roles/k8s_common/vars/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -12,6 +12,18 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 ---
+k8s_repo_leap: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
+rpm_pkg_leap: https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
+yum_key_leap:  https://packages.cloud.google.com/yum/doc/yum-key.gpg
+gpg_pubkey_leap: "rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}'"
+docker_repo_url_leap: https://download.docker.com/linux/sles/docker-ce.repo
+docker_repo_dest_leap: /etc/YaST2/docker-ce.repo
+os_supported_leap: "leap"
+os_supported_leap_version: "15.3"
+kubeadm_version: "kubeadm-{{ hostvars['127.0.0.1']['k8s_version'] }}"
+kubelet_version: "kubelet-{{ hostvars['127.0.0.1']['k8s_version'] }}"
+kubectl_version: "kubectl-{{ hostvars['127.0.0.1']['k8s_version'] }}"
+max_retries: 20
 
 k8s_packages:
   - "kubelet-{{ hostvars['127.0.0.1']['k8s_version'] }}"
@@ -24,4 +36,4 @@ k8s_conf_dest: /etc/sysctl.d/
 
 k8s_repo_file_mode: 0644
 
-k8s_conf_file_mode: 0644
+k8s_conf_file_mode: 0644
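Review bot: `gpg_pubkey_leap` holds an `rpm -q gpg-pubkey ...` query string, not a key location like the neighbouring `rpm_pkg_leap` and `yum_key_leap`, so a reader of this vars file (and of the task named "Import gpg-pubkey key" in tasks/main.yml that consumes it) is misled; rename it or add `# rpm query listing the gpg-pubkey entries currently imported; it imports nothing` above it. `k8s_repo_leap` points at the same kubernetes-el7 yum repository used on the non-Leap path, which is worth a one-line comment saying that this is intentional for Leap, if it is. `max_retries: 20` drives the `until` loops on the expect-based zypper installs; a comment on which transient failure it is meant to ride out would help the next maintainer tune it.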

+ 3 - 3
roles/k8s_start_manager/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -69,7 +69,7 @@
 - name: Initialize kubeadm (This process may take 5-10min)
   block:
     - name: Initialize kubeadm (This process may take 5-10min)
-      command: "/bin/kubeadm init --pod-network-cidr='{{ hostvars['127.0.0.1']['k8s_pod_network_cidr'] }}' \
+      command: "kubeadm init --pod-network-cidr='{{ hostvars['127.0.0.1']['k8s_pod_network_cidr'] }}' \
         --apiserver-advertise-address='{{ ansible_default_ipv4.address }}'"
       changed_when: true
       register: init_output
@@ -80,7 +80,7 @@
       changed_when: true
 
     - name: Initialize kubeadm (This process may take 5-10min)
-      command: "/bin/kubeadm init --pod-network-cidr='{{ hostvars['127.0.0.1']['k8s_pod_network_cidr'] }}' \
+      command: "kubeadm init --pod-network-cidr='{{ hostvars['127.0.0.1']['k8s_pod_network_cidr'] }}' \
         --apiserver-advertise-address='{{ ansible_default_ipv4.address }}'"
       changed_when: true
       register: init_output

+ 30 - 0
roles/login_node/tasks/install_apparmor.yml

@@ -0,0 +1,30 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install and enable Apparmor on Leap
+  block:
+    - name: Install apparmor-utils on Leap
+      zypper:
+        name: "{{ item }}"
+        state: present
+      changed_when: false
+      with_items:
+        - apparmor-utils
+        - apparmor-profiles
+
+    - name: Enable Apparmor
+      command: rcapparmor start
+      changed_when: false
+  when: os_leap in ansible_distribution | lower

+ 3 - 0
roles/login_node/tasks/main.yml

@@ -23,6 +23,9 @@
     - block:
         - name: FreeIPA configuration
           include_tasks: ipa_configuration.yml
+
+        - name: Install Apparmor on Leap
+          include_tasks: install_apparmor.yml
           
         - name: Install snoopy
           include_tasks: install_snoopy.yml

+ 23 - 0
tools/copy_files_container.yml

@@ -0,0 +1,23 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+- name: Fetching container files
+  hosts: localhost
+  tasks:
+  - name: Include vars file
+    include_vars: "pod_details.yml"
+
+  - name: Copying files from container env
+    command: "kubectl cp {{ pod_name }}:{{ container_file_location | regex_replace('^\\/', '') }} {{ local_folder_location }} -n {{ namespace }} -c {{ container_name }}"
+    changed_when: true
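Review bot: The `kubectl cp` invocation on the line above interpolates all five values from pod_details.yml into one `command:` string, which Ansible splits on whitespace, so a `local_folder_location` or `container_file_location` containing a space, or an empty value (which pod_details.yml ships with), silently yields a different argument list; passing the pieces as `argv:` keeps each value a single argument and still avoids a shell. Nothing checks that the five variables are set although the vars file marks them all mandatory — an `assert:` before the copy task with `that:` entries such as `namespace is defined and namespace | length > 0` would fail early with a clear message. The task list here is flush with `tasks:` whereas the role files in this commit use indented sequences; pick one style for the repository.
```yaml
# … unchanged: license header, play header and include_vars task …
  - name: Copying files from container env
    command:
      argv:
        - kubectl
        - cp
        - "{{ pod_name }}:{{ container_file_location | regex_replace('^\\/', '') }}"
        - "{{ local_folder_location }}"
        - -n
        - "{{ namespace }}"
        - -c
        - "{{ container_name }}"
    changed_when: true
```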

+ 25 - 0
tools/pod_details.yml

@@ -0,0 +1,25 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+# namespace: Namespace of container from which files needs to retrived
+# pod_name: Name of the pod
+# container_file_location: The file/folder which needs to be saved on local machine
+# local_folder_location: Local machine location, on which retrived files need to be saved
+# container_name: Name of the container from which files needs to be retrived
+# Note: All fields are mandatory
+namespace:
+pod_name:
+container_file_location:
+local_folder_location:
+container_name:
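Review bot: The five bare keys at the bottom of this file parse as `null`, not as empty strings, while the header comment calls them all mandatory, so a user who forgets one gets `None` interpolated into the `kubectl cp` argument in tools/copy_files_container.yml instead of an error; either ship explicit placeholders such as `namespace: ""` with a `# fill in before running` comment, or keep the nulls and have the playbook assert that each is defined and non-empty. The header comments also have typos — `retrived` should read `retrieved`, and `files needs to be` should read `files need to be`.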