From bc961793ffda3f46de877f34b0546d28648a89f7 Mon Sep 17 00:00:00 2001
From: m0e
Date: Thu, 30 Oct 2025 14:48:41 +0100
Subject: [PATCH] added k3s role
---
 ansible/roles/k3s/README.md | 10 ++++
 ansible/roles/k3s/defaults/main.yml | 5 ++
 ansible/roles/k3s/files/k3s.config | 11 +++++
 ansible/roles/k3s/handlers/main.yml | 3 ++
 ansible/roles/k3s/meta/main.yml | 2 +
 ansible/roles/k3s/tasks/main.yml | 74 +++++++++++++++++++++++++++++
 ansible/roles/k3s/tests/inventory | 3 ++
 ansible/roles/k3s/tests/test.yml | 6 +++
 ansible/roles/k3s/vars/main.yml | 3 ++
 9 files changed, 117 insertions(+)
 create mode 100644 ansible/roles/k3s/README.md
 create mode 100644 ansible/roles/k3s/defaults/main.yml
 create mode 100644 ansible/roles/k3s/files/k3s.config
 create mode 100644 ansible/roles/k3s/handlers/main.yml
 create mode 100644 ansible/roles/k3s/meta/main.yml
 create mode 100644 ansible/roles/k3s/tasks/main.yml
 create mode 100644 ansible/roles/k3s/tests/inventory
 create mode 100644 ansible/roles/k3s/tests/test.yml
 create mode 100644 ansible/roles/k3s/vars/main.yml
diff --git a/ansible/roles/k3s/README.md b/ansible/roles/k3s/README.md
new file mode 100644
index 0000000..b2213b6
--- /dev/null
+++ b/ansible/roles/k3s/README.md
@@ -0,0 +1,10 @@
+Role Name
+=========
+
+This role installs a single-node k3s installation and fetches the kubeconfig to the basedir.
+It also installs helm.
+
+License
+-------
+
+BSD
diff --git a/ansible/roles/k3s/defaults/main.yml b/ansible/roles/k3s/defaults/main.yml
new file mode 100644
index 0000000..0046987
--- /dev/null
+++ b/ansible/roles/k3s/defaults/main.yml
@@ -0,0 +1,5 @@
+#SPDX-License-Identifier: MIT-0
+---
+# defaults/main.yml
+k3s_version: "latest"
+
diff --git a/ansible/roles/k3s/files/k3s.config b/ansible/roles/k3s/files/k3s.config
new file mode 100644
index 0000000..caec79b
--- /dev/null
+++ b/ansible/roles/k3s/files/k3s.config
@@ -0,0 +1,11 @@
+cluster-init: true
+disable:
+# - servicelb
+ - traefik
+#cluster-cidr: 10.42.0.0/16
+#flannel-backend: "none"
+#disable-kube-proxy: true
+#disable-network-policy: true
+#kube-apiserver-arg:
+# - kubelet-arg=max-pods=65534
+# - kube-controller-manager-arg=node-cidr-mask-size=16
diff --git a/ansible/roles/k3s/handlers/main.yml b/ansible/roles/k3s/handlers/main.yml
new file mode 100644
index 0000000..a1c19b4
--- /dev/null
+++ b/ansible/roles/k3s/handlers/main.yml
@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# handlers file for k3s
diff --git a/ansible/roles/k3s/meta/main.yml b/ansible/roles/k3s/meta/main.yml
new file mode 100644
index 0000000..e82d86c
--- /dev/null
+++ b/ansible/roles/k3s/meta/main.yml
@@ -0,0 +1,2 @@
+#SPDX-License-Identifier: MIT-0
+#---
diff --git a/ansible/roles/k3s/tasks/main.yml b/ansible/roles/k3s/tasks/main.yml
new file mode 100644
index 0000000..592a2e4
--- /dev/null
+++ b/ansible/roles/k3s/tasks/main.yml
@@ -0,0 +1,74 @@
+#SPDX-License-Identifier: MIT-0
+---
+# tasks/main.yml
+
+## shell used as workaround cause get.helm.sh is down atm
+- name: Add helm key
+ shell: |
+ curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null
+ args:
+ creates: /usr/share/keyrings/helm.gpg
+
+- name: Add helm repo
+ lineinfile:
+ path: /etc/apt/sources.list.d/helm-stable-debian.list
+ line: "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main"
+ create: yes
+
+- name: Update apt repository
+ apt:
+ update_cache: yes
+
+- name: Install required packages
+ apt:
+ name:
+ - curl
+ - wget
+ - apt-transport-https
+ - ca-certificates
+ - pip
+ - gpg
+ - helm
+ state: present
+
+- name: Install python kubernetes module
+ ansible.builtin.pip:
+ break_system_packages: yes
+ name: kubernetes
+
+### Ubuntu workaround
+#- name: Install helm
+# command: snap install --classic helm
+
+### k3s config for Cilium CNI installation
+#- name: Copy k3s.config to server
+# ansible.builtin.copy:
+# src: k3s.config
+# dest: /root/config.yaml
+
+- name: Install k3s (disabled traefik in favour of nginx for modSecurity support)
+ shell: |
+ curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --disable=traefik --cluster-init" sh -s -
+ args:
+ executable: /bin/bash
+
+- name: Check if k3s is running
+ systemd:
+ name: k3s
+ state: started
+ enabled: yes
+
+- name: Get k3s version
+ command: k3s --version
+ register: k3s_version
+
+- name: Show k3s version
+ debug:
+ msg: "K3s version: {{ k3s_version.stdout }}"
+
+# Download kubeconfig for remote access
+- name: Fetch kubconfig
+ ansible.builtin.fetch:
+ src: /etc/rancher/k3s/k3s.yaml
+ dest: ../kubeconfig
+ flat: yes
diff --git a/ansible/roles/k3s/tests/inventory b/ansible/roles/k3s/tests/inventory
new file mode 100644
index 0000000..03ca42f
--- /dev/null
+++ b/ansible/roles/k3s/tests/inventory
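Review bot: The `Install k3s` task pipes `https://get.k3s.io` straight into `sh` with no version pin, no checksum on the script and no `creates:` guard, so every play run executes whatever that endpoint serves at the time (presumably as root, given the paths written); the `k3s_version` default added in defaults/main.yml is never passed to the installer and is then overwritten by `register: k3s_version`. Downloading the script with a pinned checksum, passing a fixed release tag through `INSTALL_K3S_VERSION` and registering the version output under a different name would close this, as sketched below; the default would have to become a real release tag rather than `"latest"`. The `Add helm key` pipeline has a related gap: without `set -o pipefail` (and a shell that supports it) a failed `curl` still lets `tee` create `/usr/share/keyrings/helm.gpg`, and `creates:` then skips the task on every later run. `Fetch kubconfig` copies the cluster-admin credential in `/etc/rancher/k3s/k3s.yaml` to `../kubeconfig` on the controller, so that path should be excluded from version control and readable only by the operator.

```yaml
# … unchanged: helm key/repo, apt packages, pip module …

- name: Download the k3s install script
  ansible.builtin.get_url:
    url: https://get.k3s.io
    dest: /root/k3s-install.sh
    mode: "0700"
    # placeholder: digest of the script revision that was reviewed
    checksum: "sha256:<REVIEWED_INSTALL_SCRIPT_SHA256>"

- name: Install k3s (disabled traefik in favour of nginx for modSecurity support)
  ansible.builtin.command: /root/k3s-install.sh
  environment:
    # k3s_version must hold a fixed release tag for this to pin anything
    INSTALL_K3S_VERSION: "{{ k3s_version }}"
    INSTALL_K3S_EXEC: "server --disable=traefik --cluster-init"
  args:
    # default binary location of the installer; skips re-running on later plays
    creates: /usr/local/bin/k3s

# … unchanged: systemd check …

- name: Get k3s version
  command: k3s --version
  register: k3s_version_output
  changed_when: false

- name: Show k3s version
  debug:
    msg: "K3s version: {{ k3s_version_output.stdout }}"

# … unchanged: kubeconfig fetch …
```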
@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+localhost
+
diff --git a/ansible/roles/k3s/tests/test.yml b/ansible/roles/k3s/tests/test.yml
new file mode 100644
index 0000000..4499a58
--- /dev/null
+++ b/ansible/roles/k3s/tests/test.yml
@@ -0,0 +1,6 @@
+#SPDX-License-Identifier: MIT-0
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - k3s
diff --git a/ansible/roles/k3s/vars/main.yml b/ansible/roles/k3s/vars/main.yml
new file mode 100644
index 0000000..ef89913
--- /dev/null
+++ b/ansible/roles/k3s/vars/main.yml
@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# vars file for k3s