From fb56dbb64deb3efb8424e224f2dfadd993752c1a Mon Sep 17 00:00:00 2001
From: Laszlo Rafael <rlacko99@gmail.com>
Date: Sat, 10 Dec 2022 23:11:23 +0100
Subject: [PATCH] Remove cis profile and add custom config back

---
 ansible/k8s/templates/custom-config.yaml.j2 | 48 +++++++++++++++++++++
 ansible/k8s/vars/main.yaml                  |  5 ++-
 2 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 ansible/k8s/templates/custom-config.yaml.j2

diff --git a/ansible/k8s/templates/custom-config.yaml.j2 b/ansible/k8s/templates/custom-config.yaml.j2
new file mode 100644
index 0000000..5d7f456
--- /dev/null
+++ b/ansible/k8s/templates/custom-config.yaml.j2
@@ -0,0 +1,48 @@
+{% if active_server is defined %}
+server: https://{{ rke2_api_ip }}:9345
+{% endif %}
+token: {{ rke2_token }}
+data-dir: {{ rke2_data_path }}
+{% if inventory_hostname in groups[rke2_servers_group_name] %}
+cni: {{ rke2_cni }}
+disable-kube-proxy: {{ rke2_disable_kube_proxy }}
+tls-san:
+  - cluster.local
+  - {{ rke2_api_ip }}
+{% for san in rke2_additional_sans %}
+  - {{ san }}
+{% endfor %}
+{% endif %}
+{% if ( combined_node_taints is defined and combined_node_taints|length > 0) %}
+node-taint:
+{% for taint in combined_node_taints %}
+  - {{ taint }}
+{% endfor %}
+{% endif %}
+{% if rke2_disable and ( inventory_hostname|string() in groups[rke2_servers_group_name] ) %}
+disable: {{ rke2_disable }}
+{% endif %}
+{% if rke2_kube_apiserver_args is defined and inventory_hostname in groups[rke2_servers_group_name] %}
+kube-apiserver-arg: {{ rke2_kube_apiserver_args}}
+{% endif %}
+{% if ( k8s_node_label is defined ) %}
+node-label:
+{% for label in k8s_node_label %}
+  - {{ label }}
+{% endfor %}
+{% endif %}
+snapshotter: {{ rke2_snapshooter }}
+node-name: {{ inventory_hostname }}
+{% if 'cis' in rke2_cis_profile %}
+profile: {{ rke2_cis_profile }}
+{%endif%}
+{% if rke2_server_options is defined and inventory_hostname in groups[rke2_servers_group_name] %}
+{% for option in rke2_server_options %}
+{{ option }}
+{% endfor %}
+{% endif %}
+{% if rke2_agent_options is defined and inventory_hostname in groups[rke2_agents_group_name] %}
+{% for option in rke2_agent_options %}
+{{ option }}
+{% endfor %}
+{% endif %}
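Review bot: `token: {{ rke2_token }}` and the other templated scalars in this new template are unquoted, so an empty, number-looking or `: `-containing value is retyped by the YAML parser or breaks the parse; quote them, e.g. `token: "{{ rke2_token }}"`, `server: "https://{{ rke2_api_ip }}:9345"`, `profile: "{{ rke2_cis_profile }}"`. `kube-apiserver-arg: {{ rke2_kube_apiserver_args}}` renders the list's Python repr, which only happens to be valid YAML for simple strings; `kube-apiserver-arg: {{ rke2_kube_apiserver_args | to_json }}` is a valid flow sequence whatever the arguments contain. Since the rendered file carries the cluster join token, a header comment such as `{# Rendered to the RKE2 config file; it contains the join token, so the writing task must keep the file mode restrictive #}` would make that contract visible to whoever edits the task that writes it (outside this patch). The `{%endif%}` closing the profile block is the only tag without inner spaces; `{% endif %}` keeps the template consistent.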
diff --git a/ansible/k8s/vars/main.yaml b/ansible/k8s/vars/main.yaml
index 5d6c92e..b23c42c 100644
--- a/ansible/k8s/vars/main.yaml
+++ b/ansible/k8s/vars/main.yaml
@@ -136,7 +136,7 @@ rke2_custom_registry_mirrors:
 rke2_custom_registry_path: templates/registries.yaml.j2
 
 # Path to RKE2 config file template
-#rke2_config: templates/custom-config.yaml.j2
+rke2_config: templates/custom-config.yaml.j2
 
 # Etcd snapshot source directory
 rke2_etcd_snapshot_source_dir: etcd_snapshots
@@ -155,10 +155,11 @@ rke2_snapshooter: overlayfs
 
 # Deploy RKE2 with default CNI canal
 rke2_cni: cilium
+rke2_disable_kube_proxy: true
 
 # Validate system configuration against the selected benchmark
 # (Supported value is "cis-1.23" or eventually "cis-1.6" if you are running RKE2 prior 1.25)
-rke2_cis_profile: "cis-1.23"
+rke2_cis_profile: ""
 
 # Download Kubernetes config file to the Ansible controller
 rke2_download_kubeconf: false
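Review bot: The comment above `rke2_cis_profile` still lists only "cis-1.23"/"cis-1.6" as supported values, while the new default `""` is neither, and nothing explains that an empty value means no profile is rendered at all (the new template only emits `profile:` when the value contains `cis`). Suggested addition to that comment: `# Leave empty ("") to run without a CIS profile; the host checks and hardening RKE2 applies under a profile are then not enforced`. `rke2_disable_kube_proxy: true` is also added under the "Deploy RKE2 with default CNI canal" comment with no explanation of its own; presumably it relies on the CNI configured above providing the kube-proxy replacement, so a line like `# Disable kube-proxy; requires a CNI that provides its replacement` above it would record that dependency for whoever later changes `rke2_cni`.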
-- 
GitLab