--- - name: Calico | Check calicoctl version run_once: true set_fact: legacy_calicoctl: "{{ calicoctl_image_tag | version_compare('v1.0.0', '<') }}" tags: facts - name: Calico | Write Calico cni config template: src: "cni-calico.conf.j2" dest: "/etc/cni/net.d/10-calico.conf" owner: kube - name: Calico | Create calico certs directory file: dest: "{{ calico_cert_dir }}" state: directory mode: 0750 owner: root group: root - name: Calico | Link etcd certificates for calico-node file: src: "{{ network_plugin_etcd_cert_dir_real }}/{{ item.s }}" dest: "{{ calico_cert_dir }}/{{ item.d }}" state: hard force: yes with_items: - {s: "ca.pem", d: "ca_cert.crt"} - {s: "node.pem", d: "cert.crt"} - {s: "node-key.pem", d: "key.pem"} - name: Calico | Install calicoctl container script template: src: calicoctl-container.j2 dest: "{{ bin_dir }}/calicoctl" mode: 0755 owner: root group: root changed_when: false notify: restart calico-node - name: Calico | Copy cni plugins from hyperkube command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/" register: cni_task_result until: cni_task_result.rc == 0 retries: 4 delay: "{{ retry_stagger | random + 3 }}" changed_when: false tags: [hyperkube, upgrade] - name: Calico | Copy cni plugins from calico/cni container command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'" register: cni_task_result until: cni_task_result.rc == 0 retries: 4 delay: "{{ retry_stagger | random + 3 }}" changed_when: false when: "{{ overwrite_hyperkube_cni|bool }}" tags: [hyperkube, upgrade] - name: Calico | wait for etcd uri: url=https://localhost:2379/health validate_certs=no register: result until: result.status == 200 or result.status == 401 retries: 10 delay: 5 delegate_to: "{{groups['etcd'][0]}}" when: not network_plugin_etcd_access_endpoint.defined run_once: true - name: Calico | Check if calico network pool has already been configured command: |- curl \ --cacert {{ network_plugin_etcd_cert_dir_real }}/ca.pem \ --cert {{ network_plugin_etcd_cert_dir_real }}/admin.pem \ --key {{ network_plugin_etcd_cert_dir_real }}/admin-key.pem \ https://{%- if etcd_multiaccess -%}{{network_plugin_etcd_access_endpoint[0]}}{%- else -%}{{network_plugin_etcd_access_endpoint}}{%- endif -%}:2379/v2/keys/calico/v1/ipam/v4/pool register: calico_conf delegate_to: "{{network_plugins_etcd_access_delagate}}" run_once: true tags: facts - name: Calico | Configure calico network pool shell: > echo '{ "kind": "ipPool", "spec": {"disabled": false, "ipip": {"enabled": {{ cloud_provider is defined or ipip }}}, "nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}}, "apiVersion": "v1", "metadata": {"cidr": "{{ kube_pods_subnet }}"} }' | {{ bin_dir }}/calicoctl create -f - environment: NO_DEFAULT_POOLS: true run_once: true when: not legacy_calicoctl and ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout) - name: Calico (old) | Define ipip pool argument run_once: true set_fact: ipip_arg: "--ipip" when: (legacy_calicoctl and cloud_provider is defined or ipip) tags: facts - name: Calico (old) | Define nat-outgoing pool argument run_once: true set_fact: nat_arg: "--nat-outgoing" when: (legacy_calicoctl and nat_outgoing|default(false) and not peer_with_router|default(false)) tags: facts - name: Calico (old) | Define calico pool task name run_once: true set_fact: pool_task_name: "with options {{ ipip_arg|default('') }} {{ nat_arg|default('') }}" when: (legacy_calicoctl and ipip_arg|default(false) or nat_arg|default(false)) tags: facts - name: Calico (old) | Configure calico network pool {{ pool_task_name|default('') }} command: "{{ bin_dir}}/calicoctl pool add {{ kube_pods_subnet }} {{ ipip_arg|default('') }} {{ nat_arg|default('') }}" environment: NO_DEFAULT_POOLS: true run_once: true when: legacy_calicoctl and ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout) - name: Calico | Get calico configuration from etcd command: |- curl \ --cacert {{ network_plugins_etcd_cert_dir_real }}/ca.pem \ --cert {{ network_plugins_etcd_cert_dir_real }}/admin.pem \ --key {{ network_plugins_etcd_cert_dir_real }}/admin-key.pem \ https://{%- if etcd_multiaccess -%}{{network_plugin_etcd_access_endpoint[0]}}{%- else -%}{{network_plugin_etcd_access_endpoint}}{%- endif -%}:2379/v2/keys/calico/v1/ipam/v4/pool register: calico_pools_raw delegate_to: "{{network_plugins_etcd_access_delegate}}" run_once: true - set_fact: calico_pools: "{{ calico_pools_raw.stdout | from_json }}" run_once: true tags: facts - name: Calico | Check if calico pool is properly configured fail: msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}. Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")' when: ( calico_pools['node']['nodes'] | length > 1 ) or ( not calico_pools['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") ) run_once: true tags: facts - name: Calico | Set global as_num command: "{{ bin_dir}}/calicoctl config set asNumber {{ global_as_num }}" run_once: true when: not legacy_calicoctl - name: Calico (old) | Set global as_num command: "{{ bin_dir}}/calicoctl bgp default-node-as {{ global_as_num }}" run_once: true when: legacy_calicoctl - name: Calico | Write /etc/network-environment template: src=network-environment.j2 dest=/etc/network-environment when: ansible_service_mgr in ["sysvinit","upstart"] - name: Calico (old) | Write calico-node systemd init file template: src=calico-node.service.legacy.j2 dest=/etc/systemd/system/calico-node.service when: ansible_service_mgr == "systemd" and legacy_calicoctl notify: restart calico-node - name: Calico | Write calico.env for systemd init file template: src=calico.env.j2 dest=/etc/calico/calico.env when: ansible_service_mgr == "systemd" and not legacy_calicoctl notify: restart calico-node - name: Calico | Write calico-node systemd init file template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service when: ansible_service_mgr == "systemd" and not legacy_calicoctl notify: restart calico-node - name: Calico | Write calico-node initd script template: src=deb-calico.initd.j2 dest=/etc/init.d/calico-node owner=root mode=0755 when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "Debian" notify: restart calico-node - name: Calico | Write calico-node initd script template: src=rh-calico.initd.j2 dest=/etc/init.d/calico-node owner=root mode=0755 when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "RedHat" notify: restart calico-node - meta: flush_handlers - name: Calico | Enable calico-node service: name: calico-node state: started enabled: yes - name: Calico | Disable node mesh shell: "{{ bin_dir }}/calicoctl config set nodeToNodeMesh off" when: ((peer_with_router|default(false) or peer_with_calico_rr|default(false)) and inventory_hostname in groups['kube-node'] and not legacy_calicoctl) run_once: true - name: Calico | Configure peering with router(s) shell: > echo '{ "kind": "bgpPeer", "spec": {"asNumber": "{{ item.as }}"}, "apiVersion": "v1", "metadata": {"node": "{{ inventory_hostname }}", "scope": "node", "peerIP": "{{ item.router_id }}"} }' | {{ bin_dir }}/calicoctl create -f - with_items: "{{ peers|default([]) }}" when: (not legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['kube-node']) - name: Calico | Configure peering with route reflectors shell: > echo '{ "kind": "bgpPeer", "spec": {"asNumber": "{{ local_as | default(global_as_num)}}"}, "apiVersion": "v1", "metadata": {"node": "{{ inventory_hostname }}", "scope": "node", "peerIP": "{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"]) }}"} }' | {{ bin_dir }}/calicoctl create --skip-exists -f - with_items: "{{ groups['calico-rr'] | default([]) }}" when: (not legacy_calicoctl and peer_with_calico_rr|default(false) and inventory_hostname in groups['kube-node'] and hostvars[item]['cluster_id'] == cluster_id) - name: Calico (old) | Disable node mesh shell: "{{ bin_dir }}/calicoctl bgp node-mesh off" when: ((peer_with_router|default(false) or peer_with_calico_rr|default(false)) and inventory_hostname in groups['kube-node'] and legacy_calicoctl) run_once: true - name: Calico (old) | Configure peering with router(s) shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}" with_items: "{{ peers|default([]) }}" when: (legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['kube-node']) - name: Calico (old) | Configure peering with route reflectors shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ hostvars[item]['calico_rr_ip']|default(hostvars[item]['ip']) }} as {{ local_as | default(global_as_num) }}" with_items: "{{ groups['calico-rr'] | default([]) }}" when: (legacy_calicoctl and peer_with_calico_rr|default(false) and inventory_hostname in groups['kube-node'] and hostvars[item]['cluster_id'] == cluster_id)