--- - name: Calico | Write Calico cni config template: src: "cni-calico.conf.j2" dest: "/etc/cni/net.d/10-calico.conf" owner: kube - name: Calico | Create calico certs directory file: dest: "{{ calico_cert_dir }}" state: directory mode: 0750 owner: root group: root - name: Calico | Link etcd certificates for calico-node file: src: "{{ etcd_cert_dir }}/{{ item.s }}" dest: "{{ calico_cert_dir }}/{{ item.d }}" state: hard force: yes with_items: - {s: "ca.pem", d: "ca_cert.crt"} - {s: "node.pem", d: "cert.crt"} - {s: "node-key.pem", d: "key.pem"} - name: Calico | Install calicoctl container script template: src: calicoctl-container.j2 dest: "{{ bin_dir }}/calicoctl" mode: 0755 owner: root group: root changed_when: false notify: restart calico-node - name: Calico | Copy cni plugins from hyperkube command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/" register: cni_task_result until: cni_task_result.rc == 0 retries: 4 delay: "{{ retry_stagger | random + 3 }}" changed_when: false - name: Calico | Copy cni plugins from calico/cni container command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'" register: cni_task_result until: cni_task_result.rc == 0 retries: 4 delay: "{{ retry_stagger | random + 3 }}" changed_when: false when: "{{ overwrite_hyperkube_cni|bool }}" - name: Calico | wait for etcd uri: url=https://localhost:2379/health validate_certs=no register: result until: result.status == 200 or result.status == 401 retries: 10 delay: 5 delegate_to: "{{groups['etcd'][0]}}" run_once: true - name: Calico | Check if calico network pool has already been configured command: |- curl \ --cacert {{ etcd_cert_dir }}/ca.pem \ --cert {{ etcd_cert_dir}}/admin.pem \ --key {{ etcd_cert_dir }}/admin-key.pem \ https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool register: calico_conf delegate_to: "{{groups['etcd'][0]}}" run_once: true - name: Calico | Check calicoctl version run_once: true set_fact: legacy_calicoctl: "{{ calicoctl_image_tag | version_compare('v1.0.0', '<') }}" - name: Calico | Configure calico network pool shell: > echo '{ "kind": "ipPool", "spec": {"disabled": false, "ipip": {"enabled": {{ cloud_provider is defined or ipip }}}, "nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}}, "apiVersion": "v1", "metadata": {"cidr": "{{ kube_pods_subnet }}"} }' | {{ bin_dir }}/calicoctl create -f - environment: NO_DEFAULT_POOLS: true run_once: true when: not legacy_calicoctl and ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout) - name: Calico (old) | Define ipip pool argument run_once: true set_fact: ipip_arg: "--ipip" when: (legacy_calicoctl and cloud_provider is defined or ipip) - name: Calico (old) | Define nat-outgoing pool argument run_once: true set_fact: nat_arg: "--nat-outgoing" when: (legacy_calicoctl and nat_outgoing|default(false) and not peer_with_router|default(false)) - name: Calico (old) | Define calico pool task name run_once: true set_fact: pool_task_name: "with options {{ ipip_arg|default('') }} {{ nat_arg|default('') }}" when: (legacy_calicoctl and ipip_arg|default(false) or nat_arg|default(false)) - name: Calico (old) | Configure calico network pool {{ pool_task_name|default('') }} command: "{{ bin_dir}}/calicoctl pool add {{ kube_pods_subnet }} {{ ipip_arg|default('') }} {{ nat_arg|default('') }}" environment: NO_DEFAULT_POOLS: true run_once: true when: legacy_calicoctl and ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout) - name: Calico | Get calico configuration from etcd command: |- curl \ --cacert {{ etcd_cert_dir }}/ca.pem \ --cert {{ etcd_cert_dir}}/admin.pem \ --key {{ etcd_cert_dir }}/admin-key.pem \ https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool register: calico_pools_raw delegate_to: "{{groups['etcd'][0]}}" run_once: true - set_fact: calico_pools: "{{ calico_pools_raw.stdout | from_json }}" run_once: true - name: Calico | Check if calico pool is properly configured fail: msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}. Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")' when: ( calico_pools['node']['nodes'] | length > 1 ) or ( not calico_pools['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") ) run_once: true - name: Calico | Write /etc/network-environment template: src=network-environment.j2 dest=/etc/network-environment when: ansible_service_mgr in ["sysvinit","upstart"] - name: Calico (old) | Write calico-node systemd init file template: src=calico-node.service.legacy.j2 dest=/etc/systemd/system/calico-node.service when: ansible_service_mgr == "systemd" and legacy_calicoctl notify: restart calico-node - name: Calico | Write calico.env for systemd init file template: src=calico.env.j2 dest=/etc/calico/calico.env when: ansible_service_mgr == "systemd" and not legacy_calicoctl notify: restart calico-node - name: Calico | Write calico-node systemd init file template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service when: ansible_service_mgr == "systemd" and not legacy_calicoctl notify: restart calico-node - name: Calico | Write calico-node initd script template: src=deb-calico.initd.j2 dest=/etc/init.d/calico-node owner=root mode=0755 when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "Debian" notify: restart calico-node - name: Calico | Write calico-node initd script template: src=rh-calico.initd.j2 dest=/etc/init.d/calico-node owner=root mode=0755 when: ansible_service_mgr in ["sysvinit","upstart"] and ansible_os_family == "RedHat" notify: restart calico-node - meta: flush_handlers - name: Calico | Enable calico-node service: name: calico-node state: started enabled: yes - name: Calico | Disable node mesh shell: "{{ bin_dir }}/calicoctl config set nodeToNodeMesh off" when: (not legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['kube-node']) run_once: true - name: Calico | Configure peering with router(s) shell: > echo '{ "kind": "bgpPeer", "spec": {"asNumber": "{{ item.as }}"}, "apiVersion": "v1", "metadata": {"node": "{{ inventory_hostname }}", "scope": "node", "peerIP": "{{ item.router_id }}"} }' | {{ bin_dir }}/calicoctl create -f - with_items: "{{ peers|default([]) }}" when: (not legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['kube-node']) - name: Calico (old) | Disable node mesh shell: "{{ bin_dir }}/calicoctl bgp node-mesh off" when: (legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['kube-node']) run_once: true - name: Calico (old) | Configure peering with router(s) shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}" with_items: "{{ peers|default([]) }}" when: (legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['kube-node'])