From ada406f3279432380dec3b6396a52c0d7d8c4e0f Mon Sep 17 00:00:00 2001 From: Bernd Worsch Date: Tue, 10 Mar 2026 09:52:36 +0000 Subject: [PATCH] =?UTF-8?q?fix(bootstrap):=20commit=20full=20bootstrap.yml?= =?UTF-8?q?=20=E2=80=94=20Helm=20+=20kubeconfig=20tasks?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous commit only included the staged portion (k3s tasks). The working-tree additions (Helm install, kubeconfig fetch, version vars) were never staged and were left behind. Co-Authored-By: Claude Sonnet 4.6 --- ansible/bootstrap.yml | 73 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 68 insertions(+), 5 deletions(-) diff --git a/ansible/bootstrap.yml b/ansible/bootstrap.yml index fad3e80..7e4719f 100644 --- a/ansible/bootstrap.yml +++ b/ansible/bootstrap.yml @@ -3,11 +3,16 @@ # (`make converge` in that repo) before running this playbook. # OS hardening (SSH, UFW, fail2ban) is owned by railiance-infra — see ADR-003. -# Install base packages and k3s. -- name: Railiance host bootstrap +- name: Railiance host bootstrap — k3s + Helm hosts: all become: true + vars: + k3s_version: "v1.35.1+k3s1" + helm_version: "v3.17.3" + kubeconfig_local_path: "~/.kube/config-hosteurope" + tasks: + # ── Base packages ──────────────────────────────────────────────────────── - name: Ensure base packages apt: name: 
@@ -17,10 +22,25 @@ update_cache: yes state: present - - name: Install k3s (server) + # ── k3s ────────────────────────────────────────────────────────────────── + - name: Install k3s (server, pinned version) shell: | - curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --write-kubeconfig-mode=644" sh - - args: { creates: /usr/local/bin/k3s } + curl -sfL https://get.k3s.io | \ + INSTALL_K3S_VERSION="{{ k3s_version }}" \ + INSTALL_K3S_EXEC="server --cluster-init --write-kubeconfig-mode=644" \ + sh - + args: + creates: /usr/local/bin/k3s + + - name: Wait for k3s service to be active + systemd: + name: k3s + state: started + enabled: true + + - name: Wait for node to reach Ready state + shell: k3s kubectl wait node --all --for=condition=Ready --timeout=120s + changed_when: false - name: Verify k3s node shell: k3s kubectl get nodes 
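Review bot: The `creates: /usr/local/bin/k3s` guard on "Install k3s (server, pinned version)" means `k3s_version` is only honoured on a fresh host — once the binary exists, bumping the var is a silent no-op, so the task name over-promises and drift from the pin goes undetected. The Helm tasks in the next hunk already use the better pattern (probe the installed version, condition on `helm_version not in helm_installed.stdout`); mirroring it here keeps the two installers consistent and lets a version bump actually re-run the installer. The `curl … | sh -` form still trusts whatever get.k3s.io serves at run time; if that is accepted, a comment stating so (`# NOTE: installer script is not pinned/verified; only the version it installs is`) would make the trade-off explicit for the next reader. Minor: "Wait for k3s service to be active" does not wait, it is a `systemd: state: started` task — the name should say "Ensure k3s service is started and enabled".
```yaml
    - name: Check installed k3s version
      shell: k3s --version 2>/dev/null || true
      register: k3s_installed
      changed_when: false

    - name: Install k3s (server, pinned version)
      shell: |
        # … unchanged: curl | INSTALL_K3S_VERSION=… sh - …
      when: k3s_version not in k3s_installed.stdout
```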
@@ -28,3 +48,46 @@ changed_when: false - debug: var=nodes.stdout_lines + + # ── Helm ───────────────────────────────────────────────────────────────── + - name: Check if Helm is already installed at correct version + shell: helm version --short 2>/dev/null || true + register: helm_installed + changed_when: false + + - name: Download Helm archive and checksum + shell: | + cd /tmp + curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz" + curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum" + sha256sum -c "helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum" + when: helm_version not in helm_installed.stdout + + - name: Extract and install Helm + shell: | + tar -xzf /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz -C /tmp + install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm + rm -rf /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz /tmp/helm-{{ helm_version }}-linux-amd64.tar.gz.sha256sum /tmp/linux-amd64 + when: helm_version not in helm_installed.stdout + + - name: Verify Helm + shell: helm version --short + register: helm_ver + changed_when: false + + - debug: var=helm_ver.stdout + + # ── Kubeconfig ─────────────────────────────────────────────────────────── + - name: Fetch kubeconfig to control node + fetch: + src: /etc/rancher/k3s/k3s.yaml + dest: "{{ kubeconfig_local_path }}" + flat: yes + + - name: Fix server address in fetched kubeconfig + delegate_to: localhost + become: false + replace: + path: "{{ kubeconfig_local_path }}" + regexp: 'server: https://127\.0\.0\.1:6443' + replace: "server: https://{{ ansible_host }}:6443"
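Review bot: "Fetch kubeconfig to control node" copies `/etc/rancher/k3s/k3s.yaml` — the cluster-admin credential — to the control node with no explicit mode, so it lands with whatever the local umask gives (`fetch` has no `mode` parameter), and with `hosts: all` plus `flat: yes` every host in the inventory writes the same `kubeconfig_local_path`, the last one winning. A follow-up `file` task on localhost should pin the mode to `0600`, and if more than one host can match, the local path needs a per-host component (e.g. `{{ inventory_hostname }}`) or the play should document that it targets exactly one host. In "Fix server address in fetched kubeconfig", `{{ ansible_host }}` is only defined when the inventory sets it; if hosts are addressed by name alone the template may fail — `{{ ansible_host | default(inventory_hostname) }}` is the safer form. The `sha256sum -c` step on the Helm download is a good addition; note that the checksum file comes from the same origin as the archive, so it guards transport corruption rather than a compromised source, which a one-line comment on that task could state.
```yaml
    - name: Fetch kubeconfig to control node
      # … unchanged: fetch src/dest/flat …

    - name: Restrict permissions on fetched kubeconfig (cluster-admin credential)
      delegate_to: localhost
      become: false
      file:
        path: "{{ kubeconfig_local_path }}"
        mode: "0600"

    - name: Fix server address in fetched kubeconfig
      # … unchanged: delegate_to/become/replace …
        replace: "server: https://{{ ansible_host | default(inventory_hostname) }}:6443"
```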