From d08d2fd8083d4b6ab392f99086b769a8167674f9 Mon Sep 17 00:00:00 2001
From: Bogdan Dobrelya
Date: Fri, 25 Nov 2016 16:29:11 +0100
Subject: [PATCH] Fix separate etcd nodes and calico

Admin certs are only available for kube-master nodes. When etcd nodes are separate, calico fails to access them with missing admin certs and etcd fails to configure ETCD_PEER_* env vars due to missing member certs. Fix this by switching curls to the first etcd node and delegate to the first master. This assumes only admin certs allow to get calico keys from etcd but not member/node certs. Also move member certs from master_certs to node_certs list as ETCD(_PEER)_CERT/KEY env vars expects.

Signed-off-by: Bogdan Dobrelya
---
 roles/etcd/tasks/gen_certs.yml | 4 ++--
 roles/network_plugin/calico/tasks/main.yml | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/etcd/tasks/gen_certs.yml b/roles/etcd/tasks/gen_certs.yml
index 8d1d34b74..45a5c8f40 100644
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -40,8 +40,8 @@
   notify: set etcd_secret_changed
 
 - set_fact:
-    master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'member.pem', 'member-key.pem']
-    node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
+    master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem']
+    node_certs: ['ca.pem', 'node.pem', 'node-key.pem', 'member.pem', 'member-key.pem']
 
 - name: Gen_certs | Gather etcd master certs
   shell: "tar cfz - -C {{ etcd_cert_dir }} {{ master_certs|join(' ') }} {{ node_certs|join(' ') }}| base64 --wrap=0"
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index 189c6f370..757bc7f81 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
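Review bot: In the gen_certs.yml hunk, moving `member.pem` and `member-key.pem` into `node_certs` widens where the etcd peer private key is delivered: `node_certs` is the list the gather task on the hunk's last line tars up, and if it is also the list synced to non-etcd hosts (that sync task is outside this hunk), every such host now receives a peer key it has no use for. Keeping the peer material in its own list, e.g. `member_certs: ['member.pem', 'member-key.pem']`, and appending it only for hosts in `groups['etcd']` keeps the key scoped to the members that present it. The `set_fact` task could also carry a `name:` like its neighbours so task listings and run logs identify it. The task whose `notify: set etcd_secret_changed` opens the hunk starts outside it.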
@@ -78,9 +78,9 @@
       --cacert {{ etcd_cert_dir }}/ca.pem \
       --cert {{ etcd_cert_dir}}/admin.pem \
       --key {{ etcd_cert_dir }}/admin-key.pem \
-      https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
+      https://{{groups['etcd'][0]}}:2379/v2/keys/calico/v1/ipam/v4/pool
   register: calico_conf
-  delegate_to: "{{groups['etcd'][0]}}"
+  delegate_to: "{{groups['kube-master'][0]}}"
   run_once: true
 
 - name: Calico | Check calicoctl version
@@ -138,9 +138,9 @@
       --cacert {{ etcd_cert_dir }}/ca.pem \
       --cert {{ etcd_cert_dir}}/admin.pem \
       --key {{ etcd_cert_dir }}/admin-key.pem \
-      https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
+      https://{{groups['etcd'][0]}}:2379/v2/keys/calico/v1/ipam/v4/pool
   register: calico_pools_raw
-  delegate_to: "{{groups['etcd'][0]}}"
+  delegate_to: "{{groups['kube-master'][0]}}"
   run_once: true
 
 - set_fact:
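Review bot: The new URL pins the pool lookup to the single host `groups['etcd'][0]` with no fallback or retry, so the task fails when that one member is down or not yet serving even though the rest of the etcd cluster is healthy; a `retries`/`until` on `calico_conf`, or iterating the etcd group until one member answers, would cover that. Because `--cacert` enforces verification, the etcd server certificate must also carry the inventory hostname of that member as a SAN, which nothing on this page shows — if the role already defines an etcd endpoint address variable, using it here would avoid depending on inventory names matching the certificate. The same change is made in the hunk at `@@ -138,9 +138,9 @@` for `calico_pools_raw`. The curl task in each hunk starts outside the hunk.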