Fix calico-rr to use etcd certs instead of kube certs

This commit is contained in:
Matthew Mosesohn 2016-12-23 19:25:37 +03:00
parent 36a5143478
commit 6d9cd2d720
5 changed files with 16 additions and 17 deletions

View file

@ -7,7 +7,7 @@
run_once: true run_once: true
with_items: >- with_items: >-
['ca.pem', ['ca.pem',
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %} {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
{% for host in all_etcd_hosts %} {% for host in all_etcd_hosts %}
'node-{{ host }}-key.pem' 'node-{{ host }}-key.pem'
{% if not loop.last %}{{','}}{% endif %} {% if not loop.last %}{{','}}{% endif %}
@ -39,7 +39,7 @@
sync_certs: true sync_certs: true
when: >- when: >-
{%- set certs = {'sync': False} -%} {%- set certs = {'sync': False} -%}
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %} {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
{% for host in all_etcd_hosts %} {% for host in all_etcd_hosts %}
{% if host == inventory_hostname %} {% if host == inventory_hostname %}
{% if (not etcdcert.results[0].stat.exists|default(False)) or {% if (not etcdcert.results[0].stat.exists|default(False)) or

View file

@ -40,7 +40,8 @@
{{ m }} {{ m }}
{% endif %} {% endif %}
{% endfor %}" {% endfor %}"
- HOSTS: "{% for h in groups['k8s-cluster'] %} - HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
{% for h in all_kube_hosts %}
{% if hostvars[h].sync_certs|default(false) %} {% if hostvars[h].sync_certs|default(false) %}
{{ h }} {{ h }}
{% endif %} {% endif %}
@ -65,7 +66,8 @@
'member-{{ inventory_hostname }}-key.pem' 'member-{{ inventory_hostname }}-key.pem'
] ]
all_node_certs: "['ca.pem', all_node_certs: "['ca.pem',
{% for node in groups['k8s-cluster'] %} {% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
{% for node in all_kube_hosts %}
'node-{{ node }}.pem', 'node-{{ node }}.pem',
'node-{{ node }}-key.pem', 'node-{{ node }}-key.pem',
{% endfor %}]" {% endfor %}]"
@ -76,7 +78,6 @@
shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0" shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
register: etcd_master_cert_data register: etcd_master_cert_data
delegate_to: "{{groups['etcd'][0]}}" delegate_to: "{{groups['etcd'][0]}}"
#run_once: true
when: sync_certs|default(false) when: sync_certs|default(false)
notify: set etcd_secret_changed notify: set etcd_secret_changed
@ -96,8 +97,7 @@
- name: Gen_certs | Copy certs on nodes - name: Gen_certs | Copy certs on nodes
shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}" shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
changed_when: false changed_when: false
when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and when: sync_certs|default(false) and inventory_hostname not in groups['etcd']
inventory_hostname not in groups['etcd']
- name: Gen_certs | check certificate permissions - name: Gen_certs | check certificate permissions
file: file:

View file

@ -51,8 +51,7 @@
- name: Gen_certs | Copy certs on nodes - name: Gen_certs | Copy certs on nodes
shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}" shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
changed_when: false changed_when: false
when: (inventory_hostname in groups['kube-node'] or when: inventory_hostname in groups['kube-node'] and
(peer_with_calico_rr and inventory_hostname in groups['calico-rr'])) and
sync_certs|default(false) and sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]

View file

@ -1,5 +1,5 @@
dependencies: dependencies:
- role: kubernetes/secrets - role: etcd
- role: docker - role: docker
when: ansible_os_family != "CoreOS" when: ansible_os_family != "CoreOS"
- role: download - role: download

View file

@ -7,7 +7,7 @@
set_fact: set_fact:
rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}" rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"
- name: Calico | Create calico certs directory - name: Calico-rr | Create calico certs directory
file: file:
dest: "{{ calico_cert_dir }}" dest: "{{ calico_cert_dir }}"
state: directory state: directory
@ -15,16 +15,16 @@
owner: root owner: root
group: root group: root
- name: Calico | Link etcd certificates for calico-node - name: Calico-rr | Link etcd certificates for calico-node
file: file:
src: "{{ kube_cert_dir }}/{{ item.s }}" src: "{{ etcd_cert_dir }}/{{ item.s }}"
dest: "{{ calico_cert_dir }}/{{ item.d }}" dest: "{{ calico_cert_dir }}/{{ item.d }}"
state: hard state: hard
force: yes force: yes
with_items: with_items:
- {s: "ca.pem", d: "ca_cert.crt"} - {s: "ca.pem", d: "ca_cert.crt"}
- {s: "node.pem", d: "cert.crt"} - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
- {s: "node-key.pem", d: "key.pem"} - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
- name: Calico-rr | Create dir for logs - name: Calico-rr | Create dir for logs
file: file: