delegated back the k3s selinux RPM to the install script with subsequent reboot

agents.tf

@@ -59,6 +59,19 @@ resource "null_resource" "agents" {
     inline = local.install_k3s_agent
   }
 
+  # Issue a reboot command and wait for MicroOS to reboot and be ready
+  # so that the new snapshot with k3s-selinux kicks in
+  provisioner "local-exec" {
+    command = <<-EOT
+      ssh ${local.ssh_args} root@${module.agents[each.key].ipv4_address} '(sleep 2; reboot)&'; sleep 3
+      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${module.agents[each.key].ipv4_address} true 2> /dev/null
+      do
+        echo "Waiting for MicroOS to reboot and become available..."
+        sleep 3
+      done
+    EOT
+  }
+
   # Start the k3s agent and wait for it to have started
   provisioner "remote-exec" {
     inline = [

control_planes.tf

@@ -65,6 +65,19 @@ resource "null_resource" "control_planes" {
     inline = local.install_k3s_server
   }
 
+  # Issue a reboot command and wait for MicroOS to reboot and be ready,
+  # so that the new snapshot with k3s-selinux kicks in, only if k3s has never been initialized on the node
+  provisioner "local-exec" {
+    command = <<-EOT
+      ssh ${local.ssh_args} root@${module.control_planes[count.index].ipv4_address} '[[ ! -f /etc/rancher/k3s/k3s.yaml ]] && (sleep 2; reboot)&'; sleep 3
+      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${module.control_planes[count.index].ipv4_address} true 2> /dev/null
+      do
+        echo "Waiting for MicroOS to reboot and become available..."
+        sleep 3
+      done
+    EOT
+  }
+
   # Start the k3s server and wait for it to have started correctly
   provisioner "remote-exec" {
     inline = [

init.tf

@@ -30,7 +30,20 @@ resource "null_resource" "first_control_plane" {
     inline = local.install_k3s_server
   }
 
-  # Upon reboot verify that the k3s server is starts, and wait for k3s to be ready to receive commands
+  # so that the new snapshot with k3s-selinux kicks in
+  # Issue a reboot command and wait for MicroOS to reboot and be ready
+  provisioner "local-exec" {
+    command = <<-EOT
+      ssh ${local.ssh_args} root@${module.control_planes[0].ipv4_address} '(sleep 2; reboot)&'; sleep 3
+      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${module.control_planes[0].ipv4_address} true 2> /dev/null
+      do
+        echo "Waiting for MicroOS to reboot and become available..."
+        sleep 3
+      done
+    EOT
+  }
+
+  # Upon reboot verify start k3s and wait for it to be ready to receive commands
   provisioner "remote-exec" {
     inline = [
       "systemctl start k3s",

kustomize/kured.yaml

@@ -18,4 +18,4 @@ spec:
           command:
             - /usr/bin/kured
             - --reboot-command=/usr/bin/systemctl reboot
-            - --reboot-sentinel=/var/run/reboot-needed
+            - --reboot-sentinel=/var/run/reboot-needed

locals.tf

@@ -145,10 +145,8 @@ locals {
     "[ -e /etc/rancher/k3s/k3s.yaml ] && exit 0",
   ]
 
-  k3s_selinux_apply = ["chcon -u system_u -r object_r -t container_runtime_exec_t /usr/local/bin/k3s"]
+  install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"])
-
+  install_k3s_agent  = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"])
-  install_k3s_server = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=server sh -"], local.k3s_selinux_apply)
-  install_k3s_agent  = concat(local.common_commands_install_k3s, ["curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true INSTALL_K3S_SKIP_SELINUX_RPM=true INSTALL_K3S_CHANNEL=${var.initial_k3s_channel} INSTALL_K3S_EXEC=agent sh -"], local.k3s_selinux_apply)
 
   agent_nodepools = merge([
     for nodepool_name, nodepool_obj in var.agent_nodepools : {

modules/host/main.tf

@@ -35,41 +35,15 @@ resource "hcloud_server" "server" {
       "set -ex",
       "apt-get update",
       "apt-get install -y aria2",
-      "aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-OpenStack-Cloud.qcow2.meta4",
+      "aria2c --follow-metalink=mem https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-k3s-OpenStack-Cloud.qcow2.meta4",
       "qemu-img convert -p -f qcow2 -O host_device $(ls -a | grep -ie '^opensuse.*microos.*qcow2$') /dev/sda",
     ]
   }
 
-  # Issue a reboot command
+  # Issue a reboot command and wait for MicroOS to reboot and be ready
-  provisioner "local-exec" {
-    command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
-  }
-  # Wait for MicroOS to reboot and be ready
-  provisioner "local-exec" {
-    command = <<-EOT
-      until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
-      do
-        echo "Waiting for MicroOS to reboot and become available..."
-        sleep 3
-      done
-    EOT
-  }
-
-  # We've rebooted into MicroOS, now we install the k3s-selinux RPM
-  provisioner "remote-exec" {
-    inline = [
-      "set -ex",
-      "transactional-update pkg install -y k3s-selinux"
-    ]
-  }
-
-  # Issue a reboot command
-  provisioner "local-exec" {
-    command = "ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3"
-  }
-  # Wait for MicroOS to reboot and be ready
   provisioner "local-exec" {
     command = <<-EOT
+      ssh ${local.ssh_args} root@${self.ipv4_address} '(sleep 2; reboot)&'; sleep 3
       until ssh ${local.ssh_args} -o ConnectTimeout=2 root@${self.ipv4_address} true 2> /dev/null
       do
         echo "Waiting for MicroOS to reboot and become available..."