From 6d9cd2d720a2fbd8c24f809630e12ed7b0db0e6d Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Fri, 23 Dec 2016 19:25:37 +0300
Subject: [PATCH] Fix calico-rr to use etcd certs instead of kube certs

---
 roles/etcd/tasks/check_certs.yml | 4 ++--
 roles/etcd/tasks/gen_certs.yml | 10 +++++-----
 roles/kubernetes/secrets/tasks/gen_certs.yml | 7 +++----
 roles/network_plugin/calico/rr/meta/main.yml | 2 +-
 roles/network_plugin/calico/rr/tasks/main.yml | 10 +++++-----
 5 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml
index eeea8353e..1cf6524f4 100644
--- a/roles/etcd/tasks/check_certs.yml
+++ b/roles/etcd/tasks/check_certs.yml
@@ -7,7 +7,7 @@
 run_once: true
 with_items: >-
 ['ca.pem',
- {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
+ {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
 {% for host in all_etcd_hosts %}
 'node-{{ host }}-key.pem'
 {% if not loop.last %}{{','}}{% endif %}
@@ -39,7 +39,7 @@
 sync_certs: true
 when: >-
 {%- set certs = {'sync': False} -%}
- {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
+ {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
 {% for host in all_etcd_hosts %}
 {% if host == inventory_hostname %}
 {% if (not etcdcert.results[0].stat.exists|default(False)) or
diff --git a/roles/etcd/tasks/gen_certs.yml b/roles/etcd/tasks/gen_certs.yml
index 29e6ee318..088371a87 100644
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -40,7 +40,8 @@
 {{ m }}
 {% endif %}
 {% endfor %}"
- - HOSTS: "{% for h in groups['k8s-cluster'] %}
+ - HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
+ {% for h in all_kube_hosts %}
 {% if hostvars[h].sync_certs|default(false) %}
 {{ h }}
 {% endif %}
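Review bot: The expanded host list `groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique` is now written out by hand in four places — both check_certs.yml hunks here and the `HOSTS` / `all_node_certs` hunks in gen_certs.yml — so the set of hosts that check_certs.yml marks for `sync_certs` and the set gen_certs.yml actually generates node certs for can drift apart on the next edit. Defining the calico-rr contribution once, e.g. a role default such as `etcd_extra_node_hosts: "{{ groups['calico-rr']|default([]) }}"` (name constructed) and unioning that in each template, keeps the two files in step. A short comment on the first `{% set %}` saying why calico-rr is included, `{# calico-rr nodes need their own etcd client certs #}`, would also help the next reader.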
@@ -65,7 +66,8 @@
 'member-{{ inventory_hostname }}-key.pem'
 ]
 all_node_certs: "['ca.pem',
- {% for node in groups['k8s-cluster'] %}
+ {% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
+ {% for node in all_kube_hosts %}
 'node-{{ node }}.pem',
 'node-{{ node }}-key.pem',
 {% endfor %}]"
@@ -76,7 +78,6 @@
 shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
 register: etcd_master_cert_data
 delegate_to: "{{groups['etcd'][0]}}"
- #run_once: true
 when: sync_certs|default(false)
 notify: set etcd_secret_changed

@@ -96,8 +97,7 @@
 - name: Gen_certs | Copy certs on nodes
 shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
 changed_when: false
- when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
- inventory_hostname not in groups['etcd']
+ when: sync_certs|default(false) and inventory_hostname not in groups['etcd']

 - name: Gen_certs | check certificate permissions
 file:
diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
index f951bb368..6a841911f 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -51,10 +51,9 @@
 - name: Gen_certs | Copy certs on nodes
 shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
 changed_when: false
- when: (inventory_hostname in groups['kube-node'] or
- (peer_with_calico_rr and inventory_hostname in groups['calico-rr'])) and
- sync_certs|default(false) and
- inventory_hostname != groups['kube-master'][0]
+ when: inventory_hostname in groups['kube-node'] and
+ sync_certs|default(false) and
+ inventory_hostname != groups['kube-master'][0]

 - name: Gen_certs | check certificate permissions
 file:
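Review bot: Relaxing the `Copy certs on nodes` guard to `sync_certs|default(false) and inventory_hostname not in groups['etcd']` (the -96 hunk) extends the cert shipping to the calico-rr hosts, but none of the tasks touched here — the gather task with `register: etcd_master_cert_data` in the -76 hunk, this copy task, and its counterpart in kubernetes/secrets/tasks/gen_certs.yml — sets `no_log: true`, so the base64 tarball holding `node-<host>-key.pem` private keys is captured in registered results and in verbose play output for every host, route reflectors now included. Passing the blob as an `echo '…'` argument also places the key material on the command line of the target node for the duration of the extraction, where it is readable by any local process listing. Add `no_log: true` to the gather and copy tasks in both roles; if the argument exposure matters, write the blob to a root-only temporary file with the `copy` module's `content:` and extract from that instead. The gather task's `- name:` line lies above the -76 hunk.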
diff --git a/roles/network_plugin/calico/rr/meta/main.yml b/roles/network_plugin/calico/rr/meta/main.yml
index 38fc506cc..ef7986901 100644
--- a/roles/network_plugin/calico/rr/meta/main.yml
+++ b/roles/network_plugin/calico/rr/meta/main.yml
@@ -1,5 +1,5 @@
 dependencies:
- - role: kubernetes/secrets
+ - role: etcd
 - role: docker
 when: ansible_os_family != "CoreOS"
 - role: download
diff --git a/roles/network_plugin/calico/rr/tasks/main.yml b/roles/network_plugin/calico/rr/tasks/main.yml
index c43851f84..b5807632f 100644
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@@ -7,7 +7,7 @@
 set_fact:
 rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"

-- name: Calico | Create calico certs directory
+- name: Calico-rr | Create calico certs directory
 file:
 dest: "{{ calico_cert_dir }}"
 state: directory
@@ -15,16 +15,16 @@
 owner: root
 group: root

-- name: Calico | Link etcd certificates for calico-node
+- name: Calico-rr | Link etcd certificates for calico-node
 file:
- src: "{{ kube_cert_dir }}/{{ item.s }}"
+ src: "{{ etcd_cert_dir }}/{{ item.s }}"
 dest: "{{ calico_cert_dir }}/{{ item.d }}"
 state: hard
 force: yes
 with_items:
 - {s: "ca.pem", d: "ca_cert.crt"}
- - {s: "node.pem", d: "cert.crt"}
- - {s: "node-key.pem", d: "key.pem"}
+ - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
+ - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}

 - name: Calico-rr | Create dir for logs
 file:
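Review bot: Switching the dependency from `kubernetes/secrets` to `etcd` pulls the entire etcd role onto the calico-rr hosts, not just check_certs.yml and gen_certs.yml, and nothing in this patch gates the rest of that role; unless its install and service tasks are already conditioned on `inventory_hostname in groups['etcd']` (not visible here), route reflectors would also end up with etcd set up. Worth confirming before merge, and recording the intent on the dependency line so nobody later "fixes" the apparently odd dependency: `- role: etcd  # only for the node-<host> etcd client certs; etcd itself must stay limited to groups['etcd']`.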
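Review bot: `state: hard` with `force: yes` makes `key.pem` in `calico_cert_dir` share an inode with `node-{{ inventory_hostname }}-key.pem`, so the private key carries whatever mode and owner the etcd role's `check certificate permissions` task set, and the calico-node side sees it as-is; and because the etcd role refreshes certs by extracting over them with `tar xz` (which normally replaces the file rather than rewriting it in place), the hard link will keep serving the old key after a rotation until this task runs again. Two small changes would make that explicit: `force: true` instead of the YAML 1.1 `yes`, and a comment above the task, `# hard links, not symlinks: must be re-run whenever the etcd node certs are regenerated`. The task-level contract (which container user reads `calico_cert_dir`) is not visible in this hunk, so the mode question is one to confirm rather than a defect I can point at.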