Merge branch 'automated-tasks' into 'development'

chore(gitlab-ci): Automated update of git sub-module

See merge request nofusscomputing/projects/ansible/collections/kubernetes!83

.cz.yaml

@@ -4,5 +4,5 @@ commitizen:
   prerelease_offset: 1
   tag_format: $version
   update_changelog_on_bump: false
-  version: 1.8.1-a1
+  version: 1.13.2
   version_scheme: semver

.gitlab/integration_test.gitlab-ci.yml

@@ -37,6 +37,8 @@
     - | # enter test container
       docker exec -i test_image_${CI_JOB_ID} ps aux
     - docker ps
+    - docker exec -i test_image_${CI_JOB_ID} bash -c 'apt update || true'
+    - docker exec -i test_image_${CI_JOB_ID} bash -c 'apt update || true'
     - docker exec -i test_image_${CI_JOB_ID} apt update
     - docker exec -i test_image_${CI_JOB_ID} apt install -y --no-install-recommends python3-pip net-tools dnsutils iptables
     - |

CHANGELOG.md

@@ -1,85 +1,71 @@
-## 1.8.1-a1 (2024-05-02)
+## 1.13.2 (2024-07-30)
 
 ### Fix
 
-- **nfc_kubernetes**: correct url build to loop through all cpu arch
+- **nfc_kubernetes**: correct logic for prime node to always be labeled prime
 
-## 1.8.0 (2024-05-02)
+## 1.13.1 (2024-07-28)
+
+### Fix
+
+- **nfc_kubernetes**: prime node to always be labeled prime
+
+## 1.13.0 (2024-07-28)
 
 ### Feat
 
-- **nfc_kubernetes**: build url and on use cast as string
+- **nfc_kubernetes**: prime node to always be labeled prime
+- **nfc_kubernetes**: ability to add node labels and taints
 
-## 1.7.2 (2024-04-25)
+## 1.12.0 (2024-07-08)
 
 ### Fix
 
-- **nfc_kubernetes**: adjust some tasks to run during checkmode
+- **kubernetes_roles**: conditional checks for prime
+- **kubernetes_roles**: conditional checks for prime
+- **kubernetes_roles**: conditional checks for prime
+- **kubernetes_roles**: clean up white space
+- **kubernetes_roles**: clean up white space
+- **kubernetes_roles**: clean up white space
+- **kubernetes_roles**: clean up white space
+- **kubernetes_role**: delete leftover ]
+- **kubernetes_role**: Change "https://" + hostvars[ns.prime_name].ansible_host + ":6443" -> "https://" + ns.prime_name.ansible_host + ":6443"
+- **kubernetes_role**: get prime hostname
+- **kubernetes_role**: set server var -> "https://" + hostvars[nfc_role_kubernetes_node_prime].ansible_host + ":6443"
+- **kubernetes_role**: remove not nfc_role_kubernetes_cluster_upgraded | default(true) | bool section
 
-## 1.7.1 (2024-04-24)
-
-### Fix
-
-- add role readme
-
-## 1.7.0 (2024-04-24)
+## 1.11.0 (2024-06-27)
 
 ### Feat
 
-- **kubernetes_netbox**: custom field bug work around
-- **services**: add netbox service fields
-- **role**: New role kubernetes_netbox
+- **firewall**: update collection nfc_firewall 1.1.0 -> 1.1.1
+
+## 1.10.3 (2024-06-27)
 
 ### Fix
 
-- **nfc_kubernetes**: ensure install tasks run when job_tags specified
-- **facts**: gather required facts if not already available
-- **install**: correct template installed var
-- **install**: as part of install check, confirm service
+- **install**: ensure ipv6 is installed before attempting to disable
 
-## 1.6.0 (2024-03-29)
-
-### Feat
-
-- **test**: add integration test. playbook install
-- add retry=3 delay=10 secs to all ansible url modules
-- **upgrade**: If upgrade occurs, dont run remaining tasks
-- support upgrading cluster
+## 1.10.2 (2024-05-03)
 
 ### Fix
 
-- **docs**: use correct badge query url
+- **nfc_kubernetes**: set default for var so task 'Copy Template' when clause doesn't fail task with undefined var
 
-### Refactor
-
-- **galaxy**: for dependent collections prefix with `>=` so as to not cause version lock
-
-## 1.5.0 (2024-03-21)
-
-### Feat
-
-- **collection**: nofusscomputing.firewall update 1.0.1 -> 1.1.0
-
-## 1.4.0 (2024-03-20)
-
-### Feat
-
-- **install**: "ansible_check_mode=true" no hostname check
-
-## 1.3.0 (2024-03-18)
+## 1.10.1 (2024-05-03)
 
 ### Fix
 
-- **handler**: add missing 'reboot_host' handler
-- **firewall**: ensure slave nodes can access ALL masters API point
-- **firewall**: dont add rules for disabled features
+- **nfc_kubernetes**: set default for var so when clause doesn't fail task with undefined var
 
-## 1.2.0 (2024-03-16)
-
-### Feat
-
-- **firewall**: use collection nofusscomputing.firewall to configure kubernetes firewall
+## 1.10.0 (2024-05-03)
 
 ### Fix
 
-- **config**: use correct var name when setting node name
+- **nfc_kubernetes**: correct 'Create Required directories' when logic
+
+## 1.9.0 (2024-05-03)
+
+### Feat
+
+- **nfc_kubernetes**: add debug out to k3s download on failure

galaxy.yml

@@ -8,7 +8,7 @@ namespace: nofusscomputing
 name: kubernetes
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.8.1-a1
+version: 1.13.2
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
@@ -46,7 +46,7 @@ tags:
 dependencies:
   ansible.posix: '>=1.5.4'
   kubernetes.core: '>=3.0.0'
-  nofusscomputing.firewall: '>=1.1.0'
+  nofusscomputing.firewall: '>=1.1.1'
   netbox.netbox: '>=3.16.0'
 
 

roles/nfc_kubernetes/defaults/main.yml

@@ -46,6 +46,10 @@ nfc_role_kubernetes_install_kubevirt: false
 
 nfc_role_kubernetes_kubevirt_operator_replicas: 1
 
+nfc_role_kubernetes_node_labels: {}     # Optional, Dict. Node labels.
+nfc_role_kubernetes_node_taints: {}     # Optional, Dict. Node taints.
+# nfc_role_kubernetes_node_prime: ''    # Mandatory*, string. the inventory_hostname of the prime node. ONLY required for multi-node deployments
+
 nfc_role_kubernetes_oidc_enabled: false
 
 nfc_role_kubernetes_resolv_conf_file: /etc/resolv.conf
@@ -53,8 +57,8 @@ nfc_role_kubernetes_resolv_conf_file: /etc/resolv.conf
 nfc_role_kubernetes_pod_subnet: 172.16.248.0/21
 nfc_role_kubernetes_service_subnet: 172.16.244.0/22
 
-nfc_role_kubernetes_prime: true                         # Mandatory for a node designated as the prime master node
-nfc_role_kubernetes_master: true                        # Mandatory for a node designated as a master node and the prime master node
+nfc_role_kubernetes_prime: false                         # Mandatory for a node designated as the prime master node
+nfc_role_kubernetes_master: false                        # Mandatory for a node designated as a master node and the prime master node
 nfc_role_kubernetes_worker: false                       # Mandatory for a node designated as a worker node
 
 ############################################################################################################
@@ -136,7 +140,7 @@ k3s:
         #       usernames: []
         #       runtimeClasses: []
         #       namespaces: [kube-system]
-      when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}"
+      when: "{{ nfc_role_kubernetes_prime | bool }}"
 
 
 #############################################################################################

roles/nfc_kubernetes/tasks/k3s/configure.yaml

@@ -34,13 +34,13 @@
 
       - src: kubernetes-manifest-rbac.yaml.j2
         dest: /var/lib/rancher/k3s/server/manifests/rbac-authorization-common.yaml
-        when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}"
+        when: "{{ nfc_role_kubernetes_prime | bool }}"
 
       - src: iptables-kubernetes.rules.j2
         dest: "/etc/iptables-reloader/rules.d/iptables-kubernetes.rules"
         notify: firewall_reloader
         when: |-
-          {%- if firewall_installed -%}
+          {%- if firewall_installed | default(false) -%}
 
             {{ firewall_rules_dir_metadata.stat.exists }}
 
@@ -58,21 +58,41 @@
       kind: Node
       metadata:
         name: "{{ inventory_hostname }}"
-        {% if kubernetes_config.hosts[inventory_hostname].labels | default([]) | list | length > 0 -%}
+        {% if
+          nfc_role_kubernetes_node_labels
+            and
+          not nfc_role_kubernetes_prime | bool
+        -%}
         labels:
-          {{ kubernetes_config.hosts[inventory_hostname].labels | to_nice_yaml | indent(4) }}
+          {{ nfc_role_kubernetes_node_labels | to_nice_yaml(indent=0) | indent(4) }}
+
+        {% elif
+          nfc_role_kubernetes_prime | bool
+        %}
+
+        labels:
+          node-role.kubernetes.io/prime: "true"
+
+          {% if nfc_role_kubernetes_node_labels %}
+
+          {{ nfc_role_kubernetes_node_labels | to_nice_yaml(indent=0) | indent(4) }}
+
+          {% endif %}
+
         {%- endif +%}
-      {% if kubernetes_config.hosts[inventory_hostname].taints | default([]) | list | length > 0 -%}
+      {% if nfc_role_kubernetes_node_taints -%}
       spec:
         taints:
-          {{ kubernetes_config.hosts[inventory_hostname].taints | to_nice_yaml(indent=0) | indent(4) }}
+          {{ nfc_role_kubernetes_node_taints | to_nice_yaml(indent=0) | indent(4) }}
       {% endif %}
     dest: /var/lib/rancher/k3s/server/manifests/node-manifest-{{ inventory_hostname }}.yaml
     owner: root
     group: root
     mode: '700'
-  delegate_to: "{{ kubernetes_config.cluster.prime.name }}"
+  delegate_to: "{{ nfc_role_kubernetes_node_prime }}"
   when:
-    kubernetes_config.hosts[inventory_hostname].labels | default([]) | list | length > 0
+    nfc_role_kubernetes_node_labels
       or
-    kubernetes_config.hosts[inventory_hostname].taints | default([]) | list | length > 0
+    nfc_role_kubernetes_node_taints
+      or
+    nfc_role_kubernetes_prime | bool

roles/nfc_kubernetes/tasks/k3s/install.yaml

@@ -15,12 +15,16 @@
   ansible.builtin.stat:
     name: /var/lib/rancher/k3s/server/manifests/calico.yaml
   register: file_calico_yaml_metadata
+  when: >
+    nfc_role_kubernetes_prime | bool
 
 
 - name: Check for calico Operator deployment manifest
   ansible.builtin.stat:
     name: /var/lib/rancher/k3s/ansible/deployment-manifest-calico_operator.yaml
   register: file_calico_operator_yaml_metadata
+  when: >
+    nfc_role_kubernetes_prime | bool
 
 
 - name: Install dependent packages
@@ -108,15 +112,30 @@
       - name: /var/lib/rancher/k3s/server/logs
         state: directory
         mode: 700
+        when: >
+          {{ nfc_role_kubernetes_master | bool }}
       - name: /var/lib/rancher/k3s/server/manifests
         state: directory
         mode: 700
+        when: >
+          {{ nfc_role_kubernetes_master | bool }}
       - name: /var/lib/rancher/k3s/ansible
         state: directory
         mode: 700
+        when: >
+          {{ nfc_role_kubernetes_master | bool }}
+  when: >
+    item.when | default(true)
 
 
-- name: Add sysctl net.ipv4.ip_forward
+- name: Check if IPv6 Enabled
+  ansible.builtin.stat:
+    path: /proc/sys/net/ipv6/conf/all/disable_ipv6
+  register: ipv6_file
+  failed_when: false
+
+
+- name: Add sysctl settings
   ansible.posix.sysctl:
     name: "{{ item.name }}"
     value: "{{ item.value }}"
@@ -135,8 +154,11 @@
         value: '512'
       - name: net.ipv6.conf.all.disable_ipv6
         value: '1'
-  when:
-    - ansible_os_family == 'Debian'
+        when: "{{ ipv6_file.stat.exists }}"
+  when: >
+    ansible_os_family == 'Debian'
+      and
+    item.when | default(true) | bool
 
 
 - name: Check for Network Manager Directory
@@ -304,62 +326,62 @@
   when: >
     file_cached_k3s_binary.stat.checksum | default('0') != node_k3s.desired_hash
 
-  # Workaround. See: https://github.com/ansible/awx/issues/15161
-- name: Build K3s Download URL
-  ansible.builtin.set_fact:
-    cacheable: false
-    url_download_k3s: |-
-      [
-        {%- for key, value in nfc_kubernetes_install_architectures | dict2items -%}
-        "https://github.com/k3s-io/k3s/releases/download/
-          {{- node_k3s.desired_version | urlencode -}}
-        /k3s
-        {%- if key == 'aarch64' -%}
-        -arm64
-        {%- endif %}",
-        {%- endfor -%}
-      ]
-  changed_when: false
-  check_mode: false
-  delegate_to: localhost
-  loop: "{{ nfc_kubernetes_install_architectures | dict2items }}"
-  loop_control:
-    loop_var: cpu_arch
-  vars:
-    ansible_connection: local
+- name: Try / Catch
+  block:
 
 
-- name: Download K3s Binary
-  ansible.builtin.uri:
-    url: "{{ url | string }}"
-    method: GET
-    return_content: false
-    status_code:
-      - 200
-      - 304
-    dest: "/tmp/k3s.{{ ansible_architecture }}"
-    mode: "744"
-  changed_when: not ansible_check_mode
-  check_mode: false
-  delay: 10
-  retries: 3
-  register: k3s_download_files
-  delegate_to: localhost
-  failed_when: >
-    (lookup('ansible.builtin.file', '/tmp/k3s.' + ansible_architecture) | hash('sha256') | string) != node_k3s.desired_hash
-      and
-    (
-      k3s_download_files.status | int != 200
-        or
-      k3s_download_files.status | int != 304
-    )
-  run_once: true
-  when: ansible_os_family == 'Debian'
-  loop: "{{ url_download_k3s }}"
-  loop_control:
-    loop_var: url
-  vars:
-    ansible_connection: local
+    - name: Download K3s Binary
+      ansible.builtin.uri:
+        url: |-
+          https://github.com/k3s-io/k3s/releases/download/
+            {{- node_k3s.desired_version | urlencode -}}
+          /k3s
+          {%- if cpu_arch.key == 'aarch64' -%}
+          -arm64
+          {%- endif %}
+        method: GET
+        return_content: false
+        status_code:
+          - 200
+          - 304
+        dest: "/tmp/k3s.{{ ansible_architecture }}"
+        mode: "744"
+      changed_when: not ansible_check_mode
+      check_mode: false
+      delay: 10
+      retries: 3
+      register: k3s_download_files
+      delegate_to: localhost
+      failed_when: >
+        (lookup('ansible.builtin.file', '/tmp/k3s.' + ansible_architecture) | hash('sha256') | string) != node_k3s.desired_hash
+          and
+        (
+          k3s_download_files.status | int != 200
+            or
+          k3s_download_files.status | int != 304
+        )
+      run_once: true
+      when: ansible_os_family == 'Debian'
+      loop: "{{ nfc_kubernetes_install_architectures | dict2items }}"
+      loop_control:
+        loop_var: cpu_arch
+      vars:
+        ansible_connection: local
+
+  rescue:
+
+
+    - name: TRACE - Debug out
+      ansible.builtin.debug:
+        msg:
+          - "Download file hash: {{ (lookup('ansible.builtin.file', '/tmp/k3s.' + ansible_architecture) | hash('sha256') | string) }}"
+
+
+    - name: Fail task
+      ansible.builtin.assert:
+        that:
+          - false
+        msg: "Task failed, review previous task for error"
 
 
 - name: Copy K3s binary to Host
@@ -499,7 +521,7 @@
         dest: /var/lib/rancher/k3s/server/manifests/calico.yaml
         when: >
           {{
-            kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+            nfc_role_kubernetes_prime | bool
               and
             (
               (
@@ -530,6 +552,14 @@
 #     ipv6: true
 
 
+- name: Set IP6Tables to legacy mode
+  ansible.builtin.command:
+    cmd: update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+  changed_when: false
+  when: >
+    not nfc_role_kubernetes_cluster_upgraded | default(false) | bool
+
+
 - name: Set IPTables to legacy mode
   ansible.builtin.command:
     cmd: update-alternatives --set iptables /usr/sbin/iptables-legacy
@@ -546,7 +576,7 @@
       /tmp/install.sh {% if nfc_role_kubernetes_etcd_enabled %}--cluster-init{% endif %}
   changed_when: false
   when: >
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    nfc_role_kubernetes_prime | bool
       and
     not node_k3s.installed | bool
       and
@@ -567,12 +597,12 @@
         'operator_calico' in ansible_run_tags
       )
         or
-      not file_calico_yaml_metadata.stat.exists
+      not file_calico_yaml_metadata.stat.exists | default(false)
     )
       and
     'calico_manifest' not in ansible_run_tags
       and
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    nfc_role_kubernetes_prime | bool
       and
     not nfc_role_kubernetes_cluster_upgraded | default(false) | bool
 
@@ -593,7 +623,7 @@
   when: >-
     nfc_kubernetes_enable_metallb | default(false) | bool
       and
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    nfc_role_kubernetes_prime | bool
       and
     not nfc_role_kubernetes_cluster_upgraded | default(false) | bool
 
@@ -609,7 +639,7 @@
         exit 127;
       fi
     executable: /bin/bash
-  delegate_to: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) }}"
+  delegate_to: "{{ nfc_role_kubernetes_node_prime }}"
   run_once: true
   register: kubernetes_ready_check
   retries: 30
@@ -649,7 +679,7 @@
     install_olm.rc == 1
   register: install_olm
   when: >
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    nfc_role_kubernetes_prime | bool
       and
     nfc_role_kubernetes_install_olm | default(false) | bool
       and
@@ -679,7 +709,7 @@
   failed_when: false
   register: install_olm
   when: >
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    nfc_role_kubernetes_prime | bool
       and
     'olm_uninstall' in ansible_run_tags
       and
@@ -692,7 +722,7 @@
   changed_when: false
   failed_when: false    # New cluster will fail
   when: >
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    nfc_role_kubernetes_prime | bool
       and
     kubernetes_config.cluster.networking.encrypt | default(false) | bool
       and
@@ -712,7 +742,7 @@
 - name: Fetch Join Token
   ansible.builtin.slurp:
     src: /var/lib/rancher/k3s/server/token
-  delegate_to: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) }}"
+  delegate_to: "{{ nfc_role_kubernetes_node_prime }}"
   run_once: true
   register: k3s_join_token
   no_log: true # Value is sensitive
@@ -723,7 +753,7 @@
 - name: Create Token fact
   ansible.builtin.set_fact:
     k3s_join_token: "{{ k3s_join_token.content | b64decode | replace('\n', '') }}"
-  delegate_to: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) }}"
+  delegate_to: "{{ nfc_role_kubernetes_node_prime }}"
   run_once: true
   no_log: true # Value is sensitive
   when: >
@@ -743,7 +773,7 @@
   when: >
     nfc_role_kubernetes_master | default(false) | bool
       and
-    not kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    not nfc_role_kubernetes_prime | bool
       and
     not node_k3s.installed | bool
       and
@@ -758,14 +788,14 @@
       INSTALL_K3S_SKIP_DOWNLOAD=true \
       INSTALL_K3S_VERSION="v{{ node_k3s.desired_version }}" \
       K3S_TOKEN="{{ k3s_join_token }}" \
-      K3S_URL="https://{{ hostvars[kubernetes_config.cluster.prime.name | default(inventory_hostname)].ansible_host }}:6443" \
+      K3S_URL="https://{{ hostvars[nfc_role_kubernetes_node_prime].ansible_host }}:6443" \
       /tmp/install.sh -
     executable: /bin/bash
   changed_when: false
   when: >
     not nfc_role_kubernetes_master | default(false) | bool
       and
-    not kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+    not nfc_role_kubernetes_prime | bool
       and
     not node_k3s.installed | bool
       and

roles/nfc_kubernetes/tasks/main.yaml

@@ -1,15 +1,29 @@
 ---
 
+- name: Default Variable adjustment [Probable Single Node Install]
+  ansible.builtin.set_fact:
+    cacheable: false
+    nfc_role_kubernetes_prime: true
+    nfc_role_kubernetes_master: true
+    nfc_role_kubernetes_node_prime: "{{ inventory_hostname }}"
+  when: >
+    not nfc_role_kubernetes_worker | bool
+      and
+    not nfc_role_kubernetes_prime | bool
+      and
+    not nfc_role_kubernetes_master | bool
+
+
 - name: Install/Configure Kubernetes Prime Master Node
   ansible.builtin.include_tasks:
     file: install.yaml
   tags:
     - always
   when:
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
-      and
     nfc_role_kubernetes_prime | bool
       and
+    not nfc_role_kubernetes_worker | bool
+      and
     not kubernetes_installed | default(false)
 
 
@@ -19,10 +33,12 @@
   tags:
     - always
   when:
-    kubernetes_config.cluster.prime.name | default(inventory_hostname) != inventory_hostname
-      and
     nfc_role_kubernetes_master | bool
       and
+    not nfc_role_kubernetes_prime | bool
+      and
+    not nfc_role_kubernetes_worker | bool
+      and
     not kubernetes_installed | default(false)
 
 

roles/nfc_kubernetes/templates/k3s-config.yaml.j2

@@ -9,9 +9,10 @@
 {%- if 
   nfc_role_kubernetes_master
     or
-  kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+  nfc_role_kubernetes_prime | default(true) | bool
+    and
+  not nfc_role_kubernetes_worker
 -%}
-
   {%
 
   set kube_apiserver_arg = [
@@ -197,13 +198,28 @@
     }) -%}
 
   {%- elif 
-    kubernetes_config.cluster.prime.name != inventory_hostname
+    nfc_role_kubernetes_prime | default(true) | bool
       and
     not node_k3s.installed
+      and
+    not nfc_role_kubernetes_worker
+
   -%}
 
+    {%- set ns = namespace(prime_name) -%}
+
+    {%- for hostname, values in hostvars.iteritems() -%}
+      
+      {%- if values.nfc_role_kubernetes_node_prime ==true -%}
+
+        {%- set ns.prime_name = hostname -%}
+
+      {%- endif -%}
+
+    {%- endfor -%}
+    
     {%- set server = (server | default([])) + [
-      "https://" + hostvars[kubernetes_config.cluster.prime.name].ansible_host + ":6443"
+      "https://" + ns.prime_name.ansible_host + ":6443"
     ] -%}
 
     {%- set all_nodes_config = all_nodes_config | combine({
@@ -235,13 +251,18 @@
 
 {%- endif -%}
 
+
 {# EoF All Nodes #}
 
 
 {%- if 
-  nfc_role_kubernetes_master
-    or
-  kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname
+  (
+    nfc_role_kubernetes_master
+      or
+    nfc_role_kubernetes_prime | default(true) | bool
+  )
+    and
+  not nfc_role_kubernetes_worker
 -%}
 
   {%- set servers_config = servers_config | combine( all_nodes_config ) -%}