--- - name: Calico | Check calicoctl version run_once: true set_fact: legacy_calicoctl: "{{ calicoctl_image_tag | version_compare('v1.0.0', '<') }}" tags: facts - name: Calico | Write Calico cni config template: src: "cni-calico.conf.j2" dest: "/etc/cni/net.d/10-calico.conf" owner: kube - name: Calico | Create calico certs directory file: dest: "{{ calico_cert_dir }}" state: directory mode: 0750 owner: root group: root - name: Calico | Link etcd certificates for calico-node file: src: "{{ etcd_cert_dir }}/{{ item.s }}" dest: "{{ calico_cert_dir }}/{{ item.d }}" state: hard force: yes with_items: - {s: "ca.pem", d: "ca_cert.crt"} - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"} - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"} - name: Calico | Install calicoctl container script template: src: calicoctl-container.j2 dest: "{{ bin_dir }}/calicoctl" mode: 0755 owner: root group: root changed_when: false notify: restart calico-node - name: Calico | Copy cni plugins from hyperkube command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/" register: cni_task_result until: cni_task_result.rc == 0 retries: 4 delay: "{{ retry_stagger | random + 3 }}" changed_when: false ignore_errors: "{{ ansible_check_mode }}" tags: [hyperkube, upgrade] - name: Calico | Copy cni plugins from calico/cni container command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'" register: cni_task_result until: cni_task_result.rc == 0 retries: 4 delay: "{{ retry_stagger | random + 3 }}" changed_when: false ignore_errors: "{{ ansible_check_mode }}" when: overwrite_hyperkube_cni|bool tags: [hyperkube, upgrade] - name: Calico | Set cni directory permissions file: path: /opt/cni/bin state: directory owner: kube recurse: true mode: 0755 - name: Calico | wait for etcd uri: url: https://localhost:2379/health validate_certs: no register: result until: result.status == 200 or result.status == 401 retries: 10 delay: 5 delegate_to: "{{groups['etcd'][0]}}" run_once: true ignore_errors: "{{ ansible_check_mode }}" - name: Calico | Check if calico network pool has already been configured command: |- curl \ --cacert {{ etcd_cert_dir }}/ca.pem \ --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \ --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \ https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool register: calico_conf delegate_to: "{{groups['etcd'][0]}}" run_once: true changed_when: false - name: Calico | Configure calico network pool shell: > echo '{ "kind": "ipPool", "spec": {"disabled": false, "ipip": {"enabled": {{ ipip }}, "mode": "{{ ipip_mode }}"}, "nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}}, "apiVersion": "v1", "metadata": {"cidr": "{{ kube_pods_subnet }}"} }' | {{ bin_dir }}/calicoctl create -f - environment: NO_DEFAULT_POOLS: true run_once: true ignore_errors: "{{ ansible_check_mode }}" when: not legacy_calicoctl and ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout) - name: Calico (old) | Define ipip pool argument run_once: true set_fact: ipip_arg: "--ipip" when: (legacy_calicoctl and ipip ) tags: facts - name: Calico (old) | Define nat-outgoing pool argument run_once: true set_fact: nat_arg: "--nat-outgoing" when: (legacy_calicoctl and nat_outgoing|default(false) and not peer_with_router|default(false)) tags: facts - name: Calico (old) | Define calico pool task name run_once: true set_fact: pool_task_name: "with options {{ ipip_arg|default('') }} {{ nat_arg|default('') }}" when: (legacy_calicoctl and ipip_arg|default(false) or nat_arg|default(false)) tags: facts - name: Calico (old) | Configure calico network pool {{ pool_task_name|default('') }} command: "{{ bin_dir}}/calicoctl pool add {{ kube_pods_subnet }} {{ ipip_arg|default('') }} {{ nat_arg|default('') }}" environment: NO_DEFAULT_POOLS: true run_once: true when: legacy_calicoctl and ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout) - name: Calico | Get calico configuration from etcd command: |- curl \ --cacert {{ etcd_cert_dir }}/ca.pem \ --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \ --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \ https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool register: calico_pools_raw delegate_to: "{{groups['etcd'][0]}}" run_once: true - set_fact: calico_pools: "{{ calico_pools_raw.stdout | from_json }}" run_once: true ignore_errors: "{{ ansible_check_mode }}" - name: Calico | Check if calico pool is properly configured fail: msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}. Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")' ignore_errors: "{{ ansible_check_mode }}" when: ( calico_pools['node']['nodes'] | length > 1 ) or ( not calico_pools['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") ) run_once: true - name: Calico | Set global as_num command: "{{ bin_dir}}/calicoctl config set asNumber {{ global_as_num }}" run_once: true when: not legacy_calicoctl - name: Calico (old) | Set global as_num command: "{{ bin_dir}}/calicoctl bgp default-node-as {{ global_as_num }}" run_once: true when: legacy_calicoctl - name: Calico (old) | Write calico-node systemd init file template: src: calico-node.service.legacy.j2 dest: /etc/systemd/system/calico-node.service when: legacy_calicoctl notify: restart calico-node - name: Calico | Write calico.env for systemd init file template: src: calico.env.j2 dest: /etc/calico/calico.env when: not legacy_calicoctl notify: restart calico-node - name: Calico | Write calico-node systemd init file template: src: calico-node.service.j2 dest: /etc/systemd/system/calico-node.service when: not legacy_calicoctl notify: restart calico-node - name: Calico | Restart calico-node if secrets changed command: /bin/true when: secret_changed|default(false) or etcd_secret_changed|default(false) notify: restart calico-node - meta: flush_handlers - name: Calico | Enable calico-node service: name: calico-node state: started enabled: yes ignore_errors: "{{ ansible_check_mode }}" - name: Calico | Disable node mesh shell: "{{ bin_dir }}/calicoctl config set nodeToNodeMesh off" when: ((peer_with_router|default(false) or peer_with_calico_rr|default(false)) and inventory_hostname in groups['k8s-cluster'] and not legacy_calicoctl) run_once: true - name: Calico | Configure peering with router(s) shell: > echo '{ "kind": "bgpPeer", "spec": {"asNumber": "{{ item.as }}"}, "apiVersion": "v1", "metadata": {"node": "{{ inventory_hostname }}", "scope": "node", "peerIP": "{{ item.router_id }}"} }' | {{ bin_dir }}/calicoctl create --skip-exists -f - with_items: "{{ peers|default([]) }}" when: (not legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['k8s-cluster']) - name: Calico | Configure peering with route reflectors shell: > echo '{ "kind": "bgpPeer", "spec": {"asNumber": "{{ local_as | default(global_as_num)}}"}, "apiVersion": "v1", "metadata": {"node": "{{ inventory_hostname }}", "scope": "node", "peerIP": "{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"])|default(hostvars[item]["ansible_default_ipv4.address"]) }}"} }' | {{ bin_dir }}/calicoctl create --skip-exists -f - with_items: "{{ groups['calico-rr'] | default([]) }}" when: (not legacy_calicoctl and peer_with_calico_rr|default(false) and inventory_hostname in groups['k8s-cluster'] and hostvars[item]['cluster_id'] == cluster_id) - name: Calico (old) | Disable node mesh shell: "{{ bin_dir }}/calicoctl bgp node-mesh off" when: ((peer_with_router|default(false) or peer_with_calico_rr|default(false)) and inventory_hostname in groups['k8s-cluster'] and legacy_calicoctl) run_once: true - name: Calico (old) | Configure peering with router(s) shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}" with_items: "{{ peers|default([]) }}" when: (legacy_calicoctl and peer_with_router|default(false) and inventory_hostname in groups['k8s-cluster']) - name: Calico (old) | Configure peering with route reflectors shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ hostvars[item]['calico_rr_ip']|default(hostvars[item]['ip'])|default(hostvars[item]['ansible_default_ipv4.address']) }} as {{ local_as | default(global_as_num) }}" with_items: "{{ groups['calico-rr'] | default([]) }}" when: (legacy_calicoctl and peer_with_calico_rr|default(false) and inventory_hostname in groups['k8s-cluster'] and hostvars[item]['cluster_id'] == cluster_id)