Merge pull request #818 from mattymo/calico-rr-certs
Fix calico-rr to use etcd certs instead of kube certs
This commit is contained in:
commit
612c5bb5f1
5 changed files with 16 additions and 17 deletions
|
@ -7,7 +7,7 @@
|
||||||
run_once: true
|
run_once: true
|
||||||
with_items: >-
|
with_items: >-
|
||||||
['ca.pem',
|
['ca.pem',
|
||||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
|
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
|
||||||
{% for host in all_etcd_hosts %}
|
{% for host in all_etcd_hosts %}
|
||||||
'node-{{ host }}-key.pem'
|
'node-{{ host }}-key.pem'
|
||||||
{% if not loop.last %}{{','}}{% endif %}
|
{% if not loop.last %}{{','}}{% endif %}
|
||||||
|
@ -39,7 +39,7 @@
|
||||||
sync_certs: true
|
sync_certs: true
|
||||||
when: >-
|
when: >-
|
||||||
{%- set certs = {'sync': False} -%}
|
{%- set certs = {'sync': False} -%}
|
||||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
|
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
|
||||||
{% for host in all_etcd_hosts %}
|
{% for host in all_etcd_hosts %}
|
||||||
{% if host == inventory_hostname %}
|
{% if host == inventory_hostname %}
|
||||||
{% if (not etcdcert.results[0].stat.exists|default(False)) or
|
{% if (not etcdcert.results[0].stat.exists|default(False)) or
|
||||||
|
|
|
@ -40,7 +40,8 @@
|
||||||
{{ m }}
|
{{ m }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}"
|
{% endfor %}"
|
||||||
- HOSTS: "{% for h in groups['k8s-cluster'] %}
|
- HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
|
||||||
|
{% for h in all_kube_hosts %}
|
||||||
{% if hostvars[h].sync_certs|default(false) %}
|
{% if hostvars[h].sync_certs|default(false) %}
|
||||||
{{ h }}
|
{{ h }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -65,7 +66,8 @@
|
||||||
'member-{{ inventory_hostname }}-key.pem'
|
'member-{{ inventory_hostname }}-key.pem'
|
||||||
]
|
]
|
||||||
all_node_certs: "['ca.pem',
|
all_node_certs: "['ca.pem',
|
||||||
{% for node in groups['k8s-cluster'] %}
|
{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
|
||||||
|
{% for node in all_kube_hosts %}
|
||||||
'node-{{ node }}.pem',
|
'node-{{ node }}.pem',
|
||||||
'node-{{ node }}-key.pem',
|
'node-{{ node }}-key.pem',
|
||||||
{% endfor %}]"
|
{% endfor %}]"
|
||||||
|
@ -76,7 +78,6 @@
|
||||||
shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
|
shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
|
||||||
register: etcd_master_cert_data
|
register: etcd_master_cert_data
|
||||||
delegate_to: "{{groups['etcd'][0]}}"
|
delegate_to: "{{groups['etcd'][0]}}"
|
||||||
#run_once: true
|
|
||||||
when: sync_certs|default(false)
|
when: sync_certs|default(false)
|
||||||
notify: set etcd_secret_changed
|
notify: set etcd_secret_changed
|
||||||
|
|
||||||
|
@ -96,8 +97,7 @@
|
||||||
- name: Gen_certs | Copy certs on nodes
|
- name: Gen_certs | Copy certs on nodes
|
||||||
shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
|
shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
|
when: sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
||||||
inventory_hostname not in groups['etcd']
|
|
||||||
|
|
||||||
- name: Gen_certs | check certificate permissions
|
- name: Gen_certs | check certificate permissions
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -51,10 +51,9 @@
|
||||||
- name: Gen_certs | Copy certs on nodes
|
- name: Gen_certs | Copy certs on nodes
|
||||||
shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
|
shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
when: (inventory_hostname in groups['kube-node'] or
|
when: inventory_hostname in groups['kube-node'] and
|
||||||
(peer_with_calico_rr and inventory_hostname in groups['calico-rr'])) and
|
sync_certs|default(false) and
|
||||||
sync_certs|default(false) and
|
inventory_hostname != groups['kube-master'][0]
|
||||||
inventory_hostname != groups['kube-master'][0]
|
|
||||||
|
|
||||||
- name: Gen_certs | check certificate permissions
|
- name: Gen_certs | check certificate permissions
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: kubernetes/secrets
|
- role: etcd
|
||||||
- role: docker
|
- role: docker
|
||||||
when: ansible_os_family != "CoreOS"
|
when: ansible_os_family != "CoreOS"
|
||||||
- role: download
|
- role: download
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"
|
rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"
|
||||||
|
|
||||||
- name: Calico | Create calico certs directory
|
- name: Calico-rr | Create calico certs directory
|
||||||
file:
|
file:
|
||||||
dest: "{{ calico_cert_dir }}"
|
dest: "{{ calico_cert_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
@ -15,16 +15,16 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
- name: Calico | Link etcd certificates for calico-node
|
- name: Calico-rr | Link etcd certificates for calico-node
|
||||||
file:
|
file:
|
||||||
src: "{{ kube_cert_dir }}/{{ item.s }}"
|
src: "{{ etcd_cert_dir }}/{{ item.s }}"
|
||||||
dest: "{{ calico_cert_dir }}/{{ item.d }}"
|
dest: "{{ calico_cert_dir }}/{{ item.d }}"
|
||||||
state: hard
|
state: hard
|
||||||
force: yes
|
force: yes
|
||||||
with_items:
|
with_items:
|
||||||
- {s: "ca.pem", d: "ca_cert.crt"}
|
- {s: "ca.pem", d: "ca_cert.crt"}
|
||||||
- {s: "node.pem", d: "cert.crt"}
|
- {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
|
||||||
- {s: "node-key.pem", d: "key.pem"}
|
- {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
|
||||||
|
|
||||||
- name: Calico-rr | Create dir for logs
|
- name: Calico-rr | Create dir for logs
|
||||||
file:
|
file:
|
||||||
|
|
Loading…
Reference in a new issue