build: bump version 1.4.0 -> 1.5.0

!52

.cz.yaml

@@ -4,5 +4,5 @@ commitizen:
   prerelease_offset: 1
   tag_format: $version
   update_changelog_on_bump: false
-  version: 1.2.0
+  version: 1.5.0
   version_scheme: semver

CHANGELOG.md

@@ -1,3 +1,27 @@
+## 1.5.0 (2024-03-21)
+
+### Feat
+
+- **collection**: nofusscomputing.firewall update 1.0.1 -> 1.1.0
+
+## 1.4.0 (2024-03-20)
+
+### Feat
+
+- **install**: "ansible_check_mode=true" no hostname check
+
+## 1.3.0 (2024-03-18)
+
+### Feat
+
+- dont attempt to install if already installed
+
+### Fix
+
+- **handler**: add missing 'reboot_host' handler
+- **firewall**: ensure slave nodes can access ALL masters API point
+- **firewall**: dont add rules for disabled features
+
 ## 1.2.0 (2024-03-16)
 
 ### Feat
@@ -41,31 +65,9 @@
 
 ## 1.0.0 (2024-03-13)
 
-### BREAKING CHANGE
-
-- Repository restructure from Ansible Role to Ansible Collection
-
-### Feat
-
-- **playbook**: add the install playbook
-- restructure repository as ansible collection
-
 ### Refactor
 
 - **nfc_kubernetes**: update meta file
 - remove dependency on role nfc_common
-- **nfc_kubernetes**: layout role ingress to install prime -> master -> worker nodes as separate groups
-- **docs**: restructure docs
 
 ## 0.3.0 (2024-03-13)
-
-### Feat
-
-- remove old var and update kube version
-- install helm binary
-- disable node ipv6 support
-- **kubevirt**: install virtctl plugin
-
-### Refactor
-
-- image var update for calico

docs/projects/ansible/collection/kubernetes/index.md

@@ -46,6 +46,11 @@ ansible-playbook nofusscomputing.kubernetes.install
 
 ```
 
+!!! danger
+    By default when the install task is run, The firewall is also configured. The default sets the `FORWARD` and `INPUT` tables to have a policy of `DROP`. Failing to add any required additional rules before installing/configuring kubernetes will cause you to not have remote access to the machine. 
+    
+    You are encouraged to run `ansible-playbook nofusscomputing.firewall.install` with your rules configured within your inventory first. see the [firewall docs](../firewall/index.md) for more information.
+
 The install playbook has a dynamic `hosts` key. This has been done to specifically support running the playbook from AWX and being able to populate the field from the survey feature. Order of precedence for the host variable is as follows:
 
 - `nfc_pb_host` set to any valid value that a playbook `hosts` key can accept

galaxy.yml

@@ -8,7 +8,7 @@ namespace: nofusscomputing
 name: kubernetes
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.2.0
+version: 1.5.0
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
@@ -46,7 +46,7 @@ tags:
 dependencies:
   ansible.posix: '1.5.4'
   kubernetes.core: '3.0.0'
-  nofusscomputing.firewall: '1.0.1'
+  nofusscomputing.firewall: '1.1.0'
 
 
 # The URL of the originating SCM repository

roles/nfc_kubernetes/handlers/main.yml

@@ -1,5 +1,12 @@
 ---
 
+- name: Reboot Node
+  ansible.builtin.reboot:
+    reboot_timeout: 300
+  listen: reboot_host
+  when: ansible_connection == 'ssh'
+  
+
 - name: Restart Kubernetes
   ansible.builtin.service:
     name: |-
@@ -32,4 +39,3 @@
         nfc_kubernetes_no_restart_slave
       )
     )
-

roles/nfc_kubernetes/tasks/install.yaml

@@ -14,6 +14,8 @@
     msg: The hostname must match the inventory_hostname
   when: >
     inventory_hostname != 'localhost'
+      and
+    not ansible_check_mode
 
 
 - name: Check Machine Architecture

roles/nfc_kubernetes/tasks/main.yaml

@@ -9,6 +9,8 @@
     kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
       and
     nfc_role_kubernetes_prime | bool
+      and
+    not kubernetes_installed | default(false)
 
 
 - name: Install/Configure Kubernetes on remaining Master Nodes
@@ -20,6 +22,8 @@
     kubernetes_config.cluster.prime.name | default(inventory_hostname) != inventory_hostname
       and
     nfc_role_kubernetes_master | bool
+      and
+    not kubernetes_installed | default(false)
 
 
 - name: Install/Configure Kubernetes on Worker Nodes
@@ -33,3 +37,5 @@
     not nfc_role_kubernetes_prime | bool
       and
     not nfc_role_kubernetes_master | bool
+      and
+    not kubernetes_installed | default(false)

roles/nfc_kubernetes/templates/iptables-kubernetes.rules.j2

@@ -149,8 +149,13 @@
 
       {#- All cluster Hosts -#}
 
-
-      {%- if nfc_role_kubernetes_master | default(false) | bool -%}
+      {%- if 
+        nfc_role_kubernetes_master | default(false) | bool
+          and
+        kubernetes_host not in groups['kubernetes_master']
+          and
+        '-I kubernetes-api -s ' + kubernetes_host + ' -j ACCEPT' not in data.firewall_rules
+      -%}
 
         {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-api -s ' + kubernetes_host + ' -j ACCEPT'] -%}
 
@@ -162,9 +167,17 @@
 
       {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-wg-four -s ' + kubernetes_host + ' -j ACCEPT'] -%}
 
-      {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-wg-six -s ' + kubernetes_host + ' -j ACCEPT'] -%}
+      {%- if false -%}{# see IPv6 is disabled #}
+        
+        {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-flannel-wg-six -s ' + kubernetes_host + ' -j ACCEPT'] -%}
+      
+      {%- endif -%}
 
-      {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-calico-bgp -s ' + kubernetes_host + ' -j ACCEPT'] -%}
+      {%- if false -%}{# see Installation-manifest-Calico_Cluster.yaml.j2 bgp is disabled #}
+      
+        {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-calico-bgp -s ' + kubernetes_host + ' -j ACCEPT'] -%}
+
+      {%- endif -%}
 
       {%- set data.firewall_rules = data.firewall_rules + ['-I kubernetes-calico-typha -s ' + kubernetes_host + ' -j ACCEPT'] -%}