Fix calico-rr to use etcd certs instead of kube certs
This commit is contained in:
parent
4ea0cbb2d0
commit
716b590f3b
5 changed files with 16 additions and 17 deletions
|
@ -7,7 +7,7 @@
|
|||
run_once: true
|
||||
with_items: >-
|
||||
['ca.pem',
|
||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
|
||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
|
||||
{% for host in all_etcd_hosts %}
|
||||
'node-{{ host }}-key.pem'
|
||||
{% if not loop.last %}{{','}}{% endif %}
|
||||
|
@ -39,7 +39,7 @@
|
|||
sync_certs: true
|
||||
when: >-
|
||||
{%- set certs = {'sync': False} -%}
|
||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
|
||||
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
|
||||
{% for host in all_etcd_hosts %}
|
||||
{% if host == inventory_hostname %}
|
||||
{% if (not etcdcert.results[0].stat.exists|default(False)) or
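Review bot: The rewritten `all_etcd_hosts` in this hunk, and the identical one in the `sync_certs` hunk below, add every host in `groups['calico-rr']` unconditionally, whereas the kube-cert path this commit removes only issued certificates to route reflectors when `peer_with_calico_rr` was set. If that flag still decides whether reflectors are in use, etcd client keys are now generated for and shipped to hosts that may never need them; gating the union keeps the key footprint to hosts that use it, e.g. `{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr'] if peer_with_calico_rr|default(false) else [])|unique %}`. The same host-set expression is now hand-copied in four places (both hunks here and the `all_kube_hosts` sets in the etcd gen_certs script), so the hosts whose certs are checked, generated and distributed can silently drift apart; computing it once in a `set_fact` and referencing that fact would remove that risk. The `when:` expression this hunk belongs to continues past the end of the hunk.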
|
||||
|
|
|
@ -40,7 +40,8 @@
|
|||
{{ m }}
|
||||
{% endif %}
|
||||
{% endfor %}"
|
||||
- HOSTS: "{% for h in groups['k8s-cluster'] %}
|
||||
- HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
|
||||
{% for h in all_kube_hosts %}
|
||||
{% if hostvars[h].sync_certs|default(false) %}
|
||||
{{ h }}
|
||||
{% endif %}
|
||||
|
@ -65,7 +66,8 @@
|
|||
'member-{{ inventory_hostname }}-key.pem'
|
||||
]
|
||||
all_node_certs: "['ca.pem',
|
||||
{% for node in groups['k8s-cluster'] %}
|
||||
{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
|
||||
{% for node in all_kube_hosts %}
|
||||
'node-{{ node }}.pem',
|
||||
'node-{{ node }}-key.pem',
|
||||
{% endfor %}]"
|
||||
|
@ -76,7 +78,6 @@
|
|||
shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
|
||||
register: etcd_master_cert_data
|
||||
delegate_to: "{{groups['etcd'][0]}}"
|
||||
#run_once: true
|
||||
when: sync_certs|default(false)
|
||||
notify: set etcd_secret_changed
|
||||
|
||||
|
@ -96,8 +97,7 @@
|
|||
- name: Gen_certs | Copy certs on nodes
|
||||
shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
|
||||
changed_when: false
|
||||
when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
|
||||
inventory_hostname not in groups['etcd']
|
||||
when: sync_certs|default(false) and inventory_hostname not in groups['etcd']
|
||||
|
||||
- name: Gen_certs | check certificate permissions
|
||||
file:
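Review bot: The `Gen_certs | Copy certs on nodes` task's new `when` keeps only `sync_certs|default(false) and inventory_hostname not in groups['etcd']`, dropping the group-membership test, so the only thing scoping where a bundle containing a private key is extracted into `{{ etcd_cert_dir }}` is a fact computed in another file; a host that picks up `sync_certs: true` from inventory or the command line would now receive it too. An explicit guard mirroring the set used to generate the certs is cheap and keeps the scope visible at the point of use: `when: sync_certs|default(false) and inventory_hostname not in groups['etcd'] and inventory_hostname in (groups['k8s-cluster']|union(groups['calico-rr']|default([])))`. The commented-out `#run_once: true` next to `delegate_to` in the master-cert hunk reads as a leftover; if it is deliberately disabled, a one-line reason would stop the next reader from re-enabling it. I cannot tell from this page whether that line is new or pre-existing context.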
|
||||
|
|
|
@ -51,8 +51,7 @@
|
|||
- name: Gen_certs | Copy certs on nodes
|
||||
shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
|
||||
changed_when: false
|
||||
when: (inventory_hostname in groups['kube-node'] or
|
||||
(peer_with_calico_rr and inventory_hostname in groups['calico-rr'])) and
|
||||
when: inventory_hostname in groups['kube-node'] and
|
||||
sync_certs|default(false) and
|
||||
inventory_hostname != groups['kube-master'][0]
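Review bot: The rewritten `when:` is a three-line plain scalar that depends on YAML folding the continuation lines into one expression, which only holds while every continuation stays indented past the key; a stray re-indent turns it into a parse error or a different condition. Writing it as a folded block makes the intent explicit: `when: >-` followed by the three clauses on their own indented lines. The narrowed condition itself matches the commit's intent, since route reflectors are no longer meant to receive kube certificates and the remaining consumers are `kube-node` hosts other than the first master.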
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
dependencies:
|
||||
- role: kubernetes/secrets
|
||||
- role: etcd
|
||||
- role: docker
|
||||
when: ansible_os_family != "CoreOS"
|
||||
- role: download
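Review bot: The new `- role: etcd` dependency carries no explanation, so a reader of this meta file cannot tell that calico-rr pulls the role in only for the certificates its tasks link, not to run an etcd member; a comment on the line would stop someone later removing it or, conversely, assuming reflector hosts belong in `groups['etcd']`: `- role: etcd  # needed for the etcd client certs that tasks/main.yml links into calico_cert_dir`. Whether the etcd role's install and service tasks are themselves gated on membership in `groups['etcd']` is not visible on this page and is worth confirming, since the dependency now runs the whole role on every route-reflector host.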
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
set_fact:
|
||||
rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"
|
||||
|
||||
- name: Calico | Create calico certs directory
|
||||
- name: Calico-rr | Create calico certs directory
|
||||
file:
|
||||
dest: "{{ calico_cert_dir }}"
|
||||
state: directory
|
||||
|
@ -15,16 +15,16 @@
|
|||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Calico | Link etcd certificates for calico-node
|
||||
- name: Calico-rr | Link etcd certificates for calico-node
|
||||
file:
|
||||
src: "{{ kube_cert_dir }}/{{ item.s }}"
|
||||
src: "{{ etcd_cert_dir }}/{{ item.s }}"
|
||||
dest: "{{ calico_cert_dir }}/{{ item.d }}"
|
||||
state: hard
|
||||
force: yes
|
||||
with_items:
|
||||
- {s: "ca.pem", d: "ca_cert.crt"}
|
||||
- {s: "node.pem", d: "cert.crt"}
|
||||
- {s: "node-key.pem", d: "key.pem"}
|
||||
- {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
|
||||
- {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
|
||||
|
||||
- name: Calico-rr | Create dir for logs
|
||||
file:
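Review bot: The `Link etcd certificates for calico-node` task now hard-links `node-{{ inventory_hostname }}-key.pem` out of `{{ etcd_cert_dir }}`, and a hard link shares the inode, so the `owner`/`group` set on `{{ calico_cert_dir }}` in the task above says nothing about the key itself — `key.pem` is exactly as readable as the source file. Either pin `mode` and `owner` on this task to what calico-node actually needs (they apply to the shared inode) or state in a comment that the etcd role's `Gen_certs | check certificate permissions` task is relied on for it, so the choice is visible. `force: yes` should be `force: true`: Ansible reads the YAML 1.1 `yes` as a boolean, but the lowercase form is what yamllint's truthy rule expects and matches the other booleans on the page. With `state: hard` the task fails if `etcd_cert_dir` and `calico_cert_dir` sit on different filesystems, so a short note on why hard links were chosen over copies would help the next maintainer.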
|
||||
|
|