fix(bootstrap): commit full bootstrap.yml — Helm + kubeconfig tasks

The previous commit only included the staged portion (k3s tasks). The working-tree additions (Helm install, kubeconfig fetch, version vars) were never staged and were left behind. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-10 09:52:36 +00:00
parent 871c31a95d
commit ada406f327
1 changed files with 68 additions and 5 deletions
--- a/ansible/bootstrap.yml
+++ b/ansible/bootstrap.yml
@@ -3,11 +3,16 @@
 # (`make converge` in that repo) before running this playbook.
 # OS hardening (SSH, UFW, fail2ban) is owned by railiance-infra — see ADR-003.

-# Install base packages and k3s.
- name: Railiance host bootstrap
+- name: Railiance host bootstrap — k3s + Helm
  hosts: all
  become: true
+  vars:
+    k3s_version: "v1.35.1+k3s1"
+    helm_version: "v3.17.3"
+    kubeconfig_local_path: "~/.kube/config-hosteurope"
+
  tasks:
+    # ── Base packages ────────────────────────────────────────────────────────
    - name: Ensure base packages
      apt:
        name:
@@ -17,10 +22,25 @@
        update_cache: yes
        state: present

-    - name: Install k3s (server)
+    # ── k3s ──────────────────────────────────────────────────────────────────
+    - name: Install k3s (server, pinned version)
      shell: |
-        curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --write-kubeconfig-mode=644" sh -
-      args: { creates: /usr/local/bin/k3s }
+        curl -sfL https://get.k3s.io | \
+          INSTALL_K3S_VERSION="{{ k3s_version }}" \
+          INSTALL_K3S_EXEC="server --cluster-init --write-kubeconfig-mode=644" \
+          sh -
+      args:
+        creates: /usr/local/bin/k3s
+
+    - name: Wait for k3s service to be active
+      systemd:
+        name: k3s
+        state: started
+        enabled: true
+
+    - name: Wait for node to reach Ready state
+      shell: k3s kubectl wait node --all --for=condition=Ready --timeout=120s
+      changed_when: false

    - name: Verify k3s node
      shell: k3s kubectl get nodes
@@ -28,3 +48,46 @@
      changed_when: false

    - debug: var=nodes.stdout_lines
+
+    # ── Helm ─────────────────────────────────────────────────────────────────
+    - name: Check if Helm is already installed at correct version
+      shell: helm version --short 2>/dev/null || true
+      register: helm_installed
+      changed_when: false
+
+    - name: Download Helm archive and checksum
+      shell: |
+        cd /tmp
+        curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz"
+        curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum"
+        sha256sum -c "helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum"
+      when: helm_version not in helm_installed.stdout
+
+    - name: Extract and install Helm
+      shell: |
+        tar -xzf /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz -C /tmp
+        install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm
+        rm -rf /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum /tmp/linux-amd64
+      when: helm_version not in helm_installed.stdout
+
+    - name: Verify Helm
+      shell: helm version --short
+      register: helm_ver
+      changed_when: false
+
+    - debug: var=helm_ver.stdout
+
+    # ── Kubeconfig ───────────────────────────────────────────────────────────
+    - name: Fetch kubeconfig to control node
+      fetch:
+        src: /etc/rancher/k3s/k3s.yaml
+        dest: "{{ kubeconfig_local_path }}"
+        flat: yes
+
+    - name: Fix server address in fetched kubeconfig
+      delegate_to: localhost
+      become: false
+      replace:
+        path: "{{ kubeconfig_local_path }}"
+        regexp: 'server: https://127\.0\.0\.1:6443'
+        replace: "server: https://{{ ansible_host }}:6443"