Fix separate etcd nodes and calico
Admin certs are only available on kube-master nodes. When etcd nodes are separate, calico fails to access etcd because the admin certs are missing there, and etcd fails to configure the ETCD_PEER_* env vars because the member certs are missing. Fix this by pointing the curls at the first etcd node and delegating them to the first master. This assumes that only admin certs, not member/node certs, allow reading the calico keys from etcd. Also move the member certs from the master_certs list to the node_certs list, as the ETCD(_PEER)_CERT/KEY env vars expect. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
This commit is contained in:
parent
7484888e42
commit
d08d2fd808
2 changed files with 6 additions and 6 deletions
@ -40,8 +40,8 @@
notify: set etcd_secret_changed
notify: set etcd_secret_changed
- set_fact:
- set_fact:
master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'member.pem', 'member-key.pem']
master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem']
node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
node_certs: ['ca.pem', 'node.pem', 'node-key.pem', 'member.pem', 'member-key.pem']
- name: Gen_certs | Gather etcd master certs
- name: Gen_certs | Gather etcd master certs
shell: "tar cfz - -C {{ etcd_cert_dir }} {{ master_certs|join(' ') }} {{ node_certs|join(' ') }}| base64 --wrap=0"
shell: "tar cfz - -C {{ etcd_cert_dir }} {{ master_certs|join(' ') }} {{ node_certs|join(' ') }}| base64 --wrap=0"
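Review bot: Moving `member.pem`/`member-key.pem` into `node_certs` at the `set_fact` line widens where the etcd peer identity lands: the list's name and its existing `node.pem`/`node-key.pem` entries suggest it is the set pushed to every kube node, and the tar on the following line still bundles both lists into one archive, so whether workers end up holding a peer cert depends on the unpack step outside this hunk. If they do, a compromised worker can present a valid peer certificate to the etcd cluster, which is a far stronger credential than the node cert it actually needs. A third list scoped to the etcd group keeps the env-var fix without that exposure, e.g. `etcd_certs: ['member.pem', 'member-key.pem']` next to the two existing lists, synced only to hosts in `groups['etcd']`. Note also that `ca-key.pem` travels in the same base64 archive as before; that predates this change, but it is worth keeping out of anything that reaches non-master hosts.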
@ -78,9 +78,9 @@
--cacert {{ etcd_cert_dir }}/ca.pem \
--cacert {{ etcd_cert_dir }}/ca.pem \
--cert {{ etcd_cert_dir}}/admin.pem \
--cert {{ etcd_cert_dir}}/admin.pem \
--key {{ etcd_cert_dir }}/admin-key.pem \
--key {{ etcd_cert_dir }}/admin-key.pem \
https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
https://{{groups['etcd'][0]}}:2379/v2/keys/calico/v1/ipam/v4/pool
register: calico_conf
register: calico_conf
delegate_to: "{{groups['etcd'][0]}}"
delegate_to: "{{groups['kube-master'][0]}}"
run_once: true
run_once: true
- name: Calico | Check calicoctl version
- name: Calico | Check calicoctl version
@ -138,9 +138,9 @@
--cacert {{ etcd_cert_dir }}/ca.pem \
--cacert {{ etcd_cert_dir }}/ca.pem \
--cert {{ etcd_cert_dir}}/admin.pem \
--cert {{ etcd_cert_dir}}/admin.pem \
--key {{ etcd_cert_dir }}/admin-key.pem \
--key {{ etcd_cert_dir }}/admin-key.pem \
https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
https://{{groups['etcd'][0]}}:2379/v2/keys/calico/v1/ipam/v4/pool
register: calico_pools_raw
register: calico_pools_raw
delegate_to: "{{groups['etcd'][0]}}"
delegate_to: "{{groups['kube-master'][0]}}"
run_once: true
run_once: true
- set_fact:
- set_fact:
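Review bot: The URL now names `{{groups['etcd'][0]}}` while `--cacert` stays in place, so curl verifies the etcd server certificate against the first member's inventory hostname; that only succeeds if the member cert carries that exact name as a SAN, and the usual shortcut of adding `-k` when it does not would remove the CA check entirely. If the etcd server certs are generated from a host IP variable rather than the inventory name, the same expression should be used in this URL. The task is also pinned to a single member with `run_once`, so one unavailable etcd host fails the calico setup even when the cluster still has quorum; the start of the curl command lies outside this hunk, so I cannot see whether `--fail` or a retry guard is already present, but at minimum `retries: 3`, `delay: 5` and `until: calico_pools_raw.rc == 0` on this task would cover transient failures. The enclosing task list continues beyond the hunk.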