From 1e79c7b3cb89c59f2bf376a9370e55ca5b8f78f4 Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Fri, 2 May 2025 14:21:05 +0200
Subject: [PATCH] Move package install to bootstrap-os
---
 roles/bootstrap-os/defaults/main.yml | 3 +
 roles/bootstrap-os/tasks/main.yml | 5 ++
 roles/kubernetes/preinstall/defaults/main.yml | 6 --
 roles/kubernetes/preinstall/tasks/main.yml | 8 --
 roles/kubernetes/preinstall/vars/main.yml | 75 -------------------
 .../kubespray-defaults/defaults/main/main.yml | 3 -
 roles/system_packages/defaults/main.yml | 4 +
 .../tasks/main.yml} | 6 ++
 roles/system_packages/vars/main.yml | 75 +++++++++++++++++++
 scripts/assert-sorted-checksums.yml | 2 +-
 10 files changed, 94 insertions(+), 93 deletions(-)
 create mode 100644 roles/system_packages/defaults/main.yml
 rename roles/{kubernetes/preinstall/tasks/0070-system-packages.yml => system_packages/tasks/main.yml} (95%)
 create mode 100644 roles/system_packages/vars/main.yml
diff --git a/roles/bootstrap-os/defaults/main.yml b/roles/bootstrap-os/defaults/main.yml
index 13e8e718c..1bef39727 100644
--- a/roles/bootstrap-os/defaults/main.yml
+++ b/roles/bootstrap-os/defaults/main.yml
@@ -9,6 +9,9 @@ rh_subscription_check_timeout: 180
 # Disable locksmithd or leave it in its current state
 coreos_locksmithd_disable: false
+# Install epel repo on Centos/RHEL
+epel_enabled: false
+
 ## Oracle Linux specific variables
 # Install public repo on Oracle Linux
 use_oracle_public_repo: true
diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml
index 39939ff52..71620a461 100644
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@@ -31,6 +31,11 @@
 loop_control:
 loop_var: included_tasks_file
+- name: Install system packages
+ import_role:
+ name: system_packages
+ tags:
+ - system-packages
 - name: Create remote_tmp for it is used by another module
 file:
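Review bot: The `Install system packages` import in roles/bootstrap-os/tasks/main.yml carries only the `system-packages` tag, whereas the task this commit removes from roles/kubernetes/preinstall/tasks/main.yml was also tagged `bootstrap-os` and sat after the step tagged `resolvconf`. If the calling play does not tag the whole role, a run limited to `--tags bootstrap-os` would now skip package installation; adding `- bootstrap-os` under `tags:` would keep the old selection behaviour. Packages are also installed before preinstall touches the resolver settings, so it is worth confirming that hosts can reach their repositories at that point. The surrounding tasks start and end outside this hunk.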
diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml
index 5d86f004e..cf31a9acf 100644
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -6,7 +6,6 @@ leave_etc_backup_files: true
 nameservers: []
 cloud_resolver: []
 disable_host_nameservers: false
-epel_enabled: false
 # Kubespray sets this to true after clusterDNS is running to apply changes to the host resolv.conf
 dns_late: false
@@ -55,11 +54,6 @@ etc_hosts_localhost_entries:
 minimal_node_memory_mb: 1024
 minimal_master_memory_mb: 1500
-yum_repo_dir: /etc/yum.repos.d
-
-# number of times package install task should be retried
-pkg_install_retries: 4
-
 # Check if access_ip responds to ping. Set false if your firewall blocks ICMP.
 ping_access_ip: true
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index a6450808f..2341147ad 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -62,14 +62,6 @@
 - bootstrap-os
 - resolvconf
-- name: Install required system packages
- import_tasks: 0070-system-packages.yml
- when:
- - not dns_late
- tags:
- - bootstrap-os
- - system-packages
-
 - name: Apply system configurations
 import_tasks: 0080-system-configurations.yml
 when:
diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml
index b47df9f46..b7da66595 100644
--- a/roles/kubernetes/preinstall/vars/main.yml
+++ b/roles/kubernetes/preinstall/vars/main.yml
@@ -1,79 +1,4 @@
 ---
-pkgs:
- apparmor:
- - "{{ ansible_os_family == 'Debian' }}"
- apt-transport-https:
- - "{{ ansible_os_family == 'Debian' }}"
- aufs-tools:
- - "{{ ansible_os_family == 'Debian' }}"
- - "{{ ansible_distribution_major_version == '10' }}"
- - "{{ 'k8s_cluster' in group_names }}"
- bash-completion: []
- conntrack:
- - "{{ ansible_os_family in ['Debian', 'RedHat'] }}"
- - "{{ ansible_distribution != 'openEuler' }}"
- - "{{ 'k8s_cluster' in group_names }}"
- conntrack-tools:
- - "{{ ansible_os_family == 'Suse' or ansible_distribution in ['Amazon', 'openEuler'] }}"
- - "{{ 'k8s_cluster' in group_names }}"
- container-selinux:
- - "{{ ansible_os_family == 'RedHat' }}"
- - "{{ 'k8s_cluster' in group_names }}"
- curl: []
- device-mapper:
- - "{{ ansible_os_family == 'Suse' or ansible_distribution == 'openEuler' }}"
- - "{{ 'k8s_cluster' in group_names }}"
- device-mapper-libs:
- - "{{ ansible_os_family == 'RedHat' }}"
- - "{{ ansible_distribution != 'openEuler' }}"
- e2fsprogs: []
- ebtables: []
- gnupg:
- - "{{ ansible_distribution == 'Debian' }}"
- - "{{ ansible_distribution_major_version in ['11', '12'] }}"
- - "{{ 'k8s_cluster' in group_names }}"
- ipset:
- - "{{ kube_proxy_mode != 'ipvs' }}"
- - "{{ 'k8s_cluster' in group_names }}"
- iptables:
- - "{{ ansible_os_family in ['Debian', 'RedHat'] }}"
- ipvsadm:
- - "{{ kube_proxy_mode == 'ipvs' }}"
- - "{{ 'k8s_cluster' in group_names }}"
- libseccomp:
- - "{{ ansible_os_family == 'RedHat' }}"
- libseccomp2:
- - "{{ ansible_os_family in ['Debian', 'Suse'] }}"
- - "{{ 'k8s_cluster' in group_names }}"
- libselinux-python: # TODO: Handle rehat_family + major < 8
- - "{{ ansible_distribution == 'Amazon' }}"
- libselinux-python3:
- - "{{ ansible_distribution == 'Fedora' }}"
- mergerfs:
- - "{{ ansible_distribution == 'Debian' }}"
- - "{{ ansible_distribution_major_version == '12' }}"
- nftables:
- - "{{ kube_proxy_mode == 'nftables' }}"
- - "{{ 'k8s_cluster' in group_names }}"
- nss:
- - "{{ ansible_os_family == 'RedHat' }}"
- openssl: []
- python-apt:
- - "{{ ansible_os_family == 'Debian' }}"
- - "{{ ansible_distribution_major_version == '10' }}"
- python3-apt:
- - "{{ ansible_os_family == 'Debian' }}"
- - "{{ ansible_distribution_major_version != '10' }}"
- python3-libselinux:
- - "{{ ansible_distribution in ['RedHat', 'CentOS'] }}"
- rsync: []
- socat: []
- software-properties-common:
- - "{{ ansible_os_family == 'Debian' }}"
- tar: []
- unzip: []
- xfsprogs: []
-
 coredns_server_by_mode:
 coredns: "{{ [skydns_server] }}"
 coredns_dual: "{{ [skydns_server, skydns_server_secondary] }}"
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml
index 3b99e425a..f71b92e27 100644
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -101,9 +101,6 @@ local_release_dir: "/tmp/releases"
 # Random shifts for retrying failed ops like pushing/downloading
 retry_stagger: 5
-# Install epel repo on Centos/RHEL
-epel_enabled: false
-
 # DNS configuration.
 # Kubernetes cluster name, also will be used as DNS domain
 cluster_name: cluster.local
diff --git a/roles/system_packages/defaults/main.yml b/roles/system_packages/defaults/main.yml
new file mode 100644
index 000000000..62704067a
--- /dev/null
+++ b/roles/system_packages/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# number of times package install task should be retried
+pkg_install_retries: 4
+yum_repo_dir: /etc/yum.repos.d
diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/system_packages/tasks/main.yml
similarity index 95%
rename from roles/kubernetes/preinstall/tasks/0070-system-packages.yml
rename to roles/system_packages/tasks/main.yml
index 77f4c8686..ca8c73ef2 100644
--- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
+++ b/roles/system_packages/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: Gather OS information
+ setup:
+ gather_subset:
+ - distribution
+ - pkg_mgr
+
 - name: Update package management cache (zypper) - SUSE
 command: zypper -n --gpg-auto-import-keys ref
 register: make_cache_output
diff --git a/roles/system_packages/vars/main.yml b/roles/system_packages/vars/main.yml
new file mode 100644
index 000000000..bb98e58df
--- /dev/null
+++ b/roles/system_packages/vars/main.yml
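Review bot: The zypper refresh kept as context directly below the new `Gather OS information` task still passes `--gpg-auto-import-keys`, which trusts and imports any new repository signing key without confirmation, and with this move it runs as part of bootstrap-os. The flag is carried over unchanged from the preinstall file, but the new role is a good place to record the trust decision, for example `# NOTE: auto-imports repo signing keys; provision pinned keys beforehand if the repositories are not fully trusted`. The task continues past the end of the hunk, so its conditions are not visible here.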
@@ -0,0 +1,75 @@
+---
+pkgs:
+ apparmor:
+ - "{{ ansible_os_family == 'Debian' }}"
+ apt-transport-https:
+ - "{{ ansible_os_family == 'Debian' }}"
+ aufs-tools:
+ - "{{ ansible_os_family == 'Debian' }}"
+ - "{{ ansible_distribution_major_version == '10' }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ bash-completion: []
+ conntrack:
+ - "{{ ansible_os_family in ['Debian', 'RedHat'] }}"
+ - "{{ ansible_distribution != 'openEuler' }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ conntrack-tools:
+ - "{{ ansible_os_family == 'Suse' or ansible_distribution in ['Amazon', 'openEuler'] }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ container-selinux:
+ - "{{ ansible_os_family == 'RedHat' }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ curl: []
+ device-mapper:
+ - "{{ ansible_os_family == 'Suse' or ansible_distribution == 'openEuler' }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ device-mapper-libs:
+ - "{{ ansible_os_family == 'RedHat' }}"
+ - "{{ ansible_distribution != 'openEuler' }}"
+ e2fsprogs: []
+ ebtables: []
+ gnupg:
+ - "{{ ansible_distribution == 'Debian' }}"
+ - "{{ ansible_distribution_major_version in ['11', '12'] }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ ipset:
+ - "{{ kube_proxy_mode != 'ipvs' }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ iptables:
+ - "{{ ansible_os_family in ['Debian', 'RedHat'] }}"
+ ipvsadm:
+ - "{{ kube_proxy_mode == 'ipvs' }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ libseccomp:
+ - "{{ ansible_os_family == 'RedHat' }}"
+ libseccomp2:
+ - "{{ ansible_os_family in ['Debian', 'Suse'] }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ libselinux-python: # TODO: Handle rehat_family + major < 8
+ - "{{ ansible_distribution == 'Amazon' }}"
+ libselinux-python3:
+ - "{{ ansible_distribution == 'Fedora' }}"
+ mergerfs:
+ - "{{ ansible_distribution == 'Debian' }}"
+ - "{{ ansible_distribution_major_version == '12' }}"
+ nftables:
+ - "{{ kube_proxy_mode == 'nftables' }}"
+ - "{{ 'k8s_cluster' in group_names }}"
+ nss:
+ - "{{ ansible_os_family == 'RedHat' }}"
+ openssl: []
+ python-apt:
+ - "{{ ansible_os_family == 'Debian' }}"
+ - "{{ ansible_distribution_major_version == '10' }}"
+ python3-apt:
+ - "{{ ansible_os_family == 'Debian' }}"
+ - "{{ ansible_distribution_major_version != '10' }}"
+ python3-libselinux:
+ - "{{ ansible_distribution in ['RedHat', 'CentOS'] }}"
+ rsync: []
+ socat: []
+ software-properties-common:
+ - "{{ ansible_os_family == 'Debian' }}"
+ tar: []
+ unzip: []
+ xfsprogs: []
diff --git a/scripts/assert-sorted-checksums.yml b/scripts/assert-sorted-checksums.yml
index a24851e64..9cf80eb6d 100755
--- a/scripts/assert-sorted-checksums.yml
+++ b/scripts/assert-sorted-checksums.yml
@@ -37,7 +37,7 @@
 (item.1.value | dict2items)[0].value is number # only do list, the others are checksums with a different structure
 - name: Include the packages list variable
- include_vars: ../roles/kubernetes/preinstall/vars/main.yml
+ include_vars: ../roles/system_packages/vars/main.yml
 - name: Verify that the packages list is sorted
 vars:
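Review bot: The `ipset`, `ipvsadm` and `nftables` entries of `pkgs` in roles/system_packages/vars/main.yml read `kube_proxy_mode`, but the new role's defaults/main.yml defines only `pkg_install_retries` and `yum_repo_dir`. Now that the list is evaluated from bootstrap-os, that variable has to come from whatever the calling play has loaded; if it is absent, templating these conditions will presumably fail with an undefined-variable error. A header comment such as `# Requires kube_proxy_mode to be defined by the calling play` would make the dependency explicit, or the conditions could be guarded with the `default` filter.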