snel.kubernetes-cluster/roles/rancher/tasks/main.yml


---
# Register the Rancher chart repository on the kubectl host. The repo config
# is per-host state, so a single run is enough (run_once). The URL selects
# Rancher's "latest" release channel; Rancher also publishes a "stable"
# channel if a slower upgrade cadence is preferred.
- name: Helm add Rancher repo
  kubernetes.core.helm_repository:
    name: rancher
    repo_url: "https://releases.rancher.com/server-charts/latest"
  delegate_to: "{{ kubectl_host }}"
  run_once: true
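# Sanity-check public DNS before anything talks to https://{{ rancher_hostname }}:
# the deploy below requests a Let's Encrypt certificate for this name and the
# login tasks POST the admin password to it, so the name must already point at
# our ingress. The lookup runs on the controller (lookups always do), so no
# delegate_to is needed. 1.1.1.1 is queried explicitly so a split-horizon or
# cached internal resolver cannot mask what the public record says.
- name: Resolve Rancher hostname via public DNS
  ansible.builtin.set_fact:
    # Trailing "." makes the query absolute (no search-domain expansion).
    # If several A records exist the lookup joins them with "," and the
    # comparison below will not match; exactly one record is expected.
    _dig_rancher_hostname: "{{ lookup('community.general.dig', rancher_hostname ~ '.', '@1.1.1.1') }}"

- name: "Verify Rancher hostname resolves: {{ rancher_hostname }}"
  ansible.builtin.assert:
    # `that` entries are already Jinja expressions; no {{ }} nesting needed.
    that:
      - _dig_rancher_hostname == ingress_ips[0]
    fail_msg: >-
      {{ rancher_hostname }} resolves to '{{ _dig_rancher_hostname }}' at 1.1.1.1,
      expected ingress IP {{ ingress_ips[0] }}
    quiet: true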
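# Install or upgrade Rancher. Chart options:
# https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options
# https://github.com/rancher/rancher/blob/release/v2.8/chart/values.yaml
#
# No bootstrapPassword value is passed, so Rancher generates one and stores it
# in the cattle-system/bootstrap-secret Secret; the password tasks further
# down read it from there on a fresh install.
- name: Helm deploy Rancher
  delegate_to: "{{ kubectl_host }}"
  kubernetes.core.helm:
    kubeconfig: "{{ kubeconfig }}"
    chart_ref: rancher/rancher
    # Pin the chart so a re-run cannot silently upgrade Rancher to whatever
    # the "latest" repo serves that day. Leaving rancher_chart_version unset
    # keeps the previous behaviour (newest chart in the repo).
    chart_version: "{{ rancher_chart_version | default(omit) }}"
    release_name: rancher
    release_namespace: cattle-system
    create_namespace: true
    wait: true
    values:
      hostname: "{{ rancher_hostname }}"
      replicas: 2
      ingress:
        tls:
          # Certificate issued by Let's Encrypt via cert-manager, which must
          # already be present in the cluster; this role does not install it.
          source: letsEncrypt
      letsEncrypt:
        email: "{{ letsencrypt_email }}"
        ingress:
          # Ingress class for the ACME HTTP-01 solver ingress cert-manager
          # creates, so the challenge is served by the same ingress controller
          # the DNS check above points at.
          class: traefik
      global:
        cattle:
          psp:
            # PodSecurityPolicy was removed in Kubernetes 1.25; keep disabled.
            enable: false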
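# Admin password handling: the Rancher admin password lives in a Bitwarden
# login item named "Rancher <cluster_name>". Reuse it when present; the block
# below creates one otherwise. Both the bitwarden lookup and the `bw` CLI
# expect an unlocked `bw` session on the controller (typically BW_SESSION).
- name: Set name for Bitwarden secret
  ansible.builtin.set_fact:
    _bitwarden_password_item_name: "Rancher {{ cluster_name }}"

- name: "Get item from Bitwarden"
  # The fact is the password itself; keep it out of verbose output and logs.
  no_log: true
  ansible.builtin.set_fact:
    # List of 'password' fields of the items whose name matches exactly;
    # an empty list means the item does not exist yet.
    _rancher_password_item: "{{ lookup('community.general.bitwarden', _bitwarden_password_item_name, field='password') }}"

- name: "Get password from Bitwarden"
  when: _rancher_password_item | length > 0
  no_log: true
  ansible.builtin.set_fact:
    # First match wins if several items share the name.
    _rancher_password: "{{ _rancher_password_item[0] }}"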
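# First run only: no Bitwarden item exists, so generate the admin password and
# store it in Bitwarden *before* Rancher is told about it. If `bw create`
# failed after the Rancher password had been rotated, the new password would
# be lost; this ordering keeps Bitwarden the single record of it.
- name: When Bitwarden item not found
  when: not _rancher_password_item | length
  block:
    - name: Create random password
      no_log: true
      ansible.builtin.set_fact:
        # /dev/null: do not persist the generated password on the controller.
        # 32 characters; Rancher only requires a minimum of 12.
        _rancher_password: "{{ lookup('ansible.builtin.password', '/dev/null length=32') }}"

    - name: Build Bitwarden item payload
      no_log: true
      ansible.builtin.set_fact:
        _bitwarden_password_item:
          object: item
          # Vault IDs are project-specific; override per environment.
          folderId: "{{ bitwarden_folder_id | default('b1be156c-76b0-4ab6-bdd3-4181aca59cc8') }}"
          # organizationId: "47551728-68ca-4267-acc7-c71898da28d3"
          type: 1  # login item
          name: "{{ _bitwarden_password_item_name }}"
          login:
            uris:
              - match: null
                uri: "https://{{ rancher_hostname }}/dashboard/"
            username: admin
            password: "{{ _rancher_password }}"
          # Key was previously written as `collectionIds"` (stray quote) and
          # therefore never reached bw as a collection list.
          # NOTE(review): collections belong to an organization and
          # organizationId is commented out above; confirm bw accepts this.
          collectionIds: "{{ bitwarden_collection_ids | default(['82f4e18b-9de9-4d80-8f5c-2a4911b7f729']) }}"

    - name: Create BW item
      delegate_to: localhost
      # The argument carries the password (base64 is encoding, not encryption):
      # keep the command line out of Ansible output. It is still visible in
      # the controller's process list while `bw` runs.
      no_log: true
      ansible.builtin.command:
        cmd: "bw create item {{ _bitwarden_password_item | ansible.builtin.to_json | ansible.builtin.b64encode }}"
      changed_when: true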
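# Try the password we intend to use. 201 = it is already the admin password
# (steady state); 401 = Rancher still has the generated bootstrap password
# (fresh install), handled by the block below. Anything else fails the play.
- name: Rancher login
  delegate_to: "{{ kubectl_host }}"
  # Request body holds the admin password and the response a session token.
  no_log: true
  ansible.builtin.uri:
    url: "https://{{ rancher_hostname }}/v3-public/localProviders/local?action=login"
    method: POST
    body_format: json
    body:
      username: admin
      password: "{{ _rancher_password }}"
    status_code: [201, 401]
  register: _rancher_login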
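# Fresh install: our password was rejected, so Rancher is still on the chart's
# generated bootstrap password. Fetch it from the cluster, log in with it and
# rotate to the password stored in Bitwarden.
- name: Rancher change password
  when: _rancher_login.status == 401
  block:
    - name: Get Rancher bootstrap secret
      delegate_to: "{{ kubectl_host }}"
      no_log: true  # registered result contains the Secret's data
      kubernetes.core.k8s_info:
        kubeconfig: "{{ kubeconfig }}"
        kind: Secret
        name: bootstrap-secret
        namespace: cattle-system
      register: _rancher_bootstrap_secret

    - name: Set rancher password fact
      no_log: true
      ansible.builtin.set_fact:
        _rancher_bootstrap_password: "{{ _rancher_bootstrap_secret.resources[0].data.bootstrapPassword | ansible.builtin.b64decode }}"

    - name: Rancher login using bootstrap password
      delegate_to: "{{ kubectl_host }}"
      no_log: true
      ansible.builtin.uri:
        url: "https://{{ rancher_hostname }}/v3-public/localProviders/local?action=login"
        method: POST
        body_format: json
        body:
          username: admin
          password: "{{ _rancher_bootstrap_password }}"
        status_code: [201]
      register: _rancher_pwchange_login

    - name: Rancher change password
      delegate_to: "{{ kubectl_host }}"
      no_log: true
      ansible.builtin.uri:
        url: "https://{{ rancher_hostname }}/v3/users?action=changepassword"
        method: POST
        headers:
          Cookie: "R_SESS={{ _rancher_pwchange_login.json.token }}"
        body_format: json
        body:
          currentPassword: "{{ _rancher_bootstrap_password }}"
          newPassword: "{{ _rancher_password }}"
        status_code: [200]

    # Do not leave the bootstrap session open after rotating the password.
    # Best effort: whether the password change already invalidated this token
    # is not verified here, so a non-200 answer is tolerated.
    - name: Rancher logout bootstrap session
      delegate_to: "{{ kubectl_host }}"
      no_log: true
      ansible.builtin.uri:
        url: "https://{{ rancher_hostname }}/v3/tokens?action=logout"
        method: POST
        headers:
          Cookie: "R_SESS={{ _rancher_pwchange_login.json.token }}"
      failed_when: false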
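# Close the session opened by "Rancher login". On a fresh install that login
# answered 401 and a failed login carries no `token`, so without the guard
# `_rancher_login.json.token` is undefined and the play fails on its first
# run; the change-password block above cleans up its own session.
- name: Rancher logout
  when: _rancher_login.status == 201
  delegate_to: "{{ kubectl_host }}"
  no_log: true  # Cookie header carries the session token
  ansible.builtin.uri:
    url: "https://{{ rancher_hostname }}/v3/tokens?action=logout"
    method: POST
    headers:
      Cookie: "R_SESS={{ _rancher_login.json.token }}"
    status_code: [200]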