ca9ea097df
Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks Cleanup some spacing in various files Rename some files named yaml to yml for consistancy
252 lines
8.7 KiB
YAML
252 lines
8.7 KiB
YAML
---
|
|
- name: Calico | Check calicoctl version
|
|
run_once: true
|
|
set_fact:
|
|
legacy_calicoctl: "{{ calicoctl_image_tag | version_compare('v1.0.0', '<') }}"
|
|
tags: facts
|
|
|
|
- name: Calico | Write Calico cni config
|
|
template:
|
|
src: "cni-calico.conf.j2"
|
|
dest: "/etc/cni/net.d/10-calico.conf"
|
|
owner: kube
|
|
|
|
- name: Calico | Create calico certs directory
|
|
file:
|
|
dest: "{{ calico_cert_dir }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Calico | Link etcd certificates for calico-node
|
|
file:
|
|
src: "{{ etcd_cert_dir }}/{{ item.s }}"
|
|
dest: "{{ calico_cert_dir }}/{{ item.d }}"
|
|
state: hard
|
|
force: yes
|
|
with_items:
|
|
- {s: "ca.pem", d: "ca_cert.crt"}
|
|
- {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
|
|
- {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
|
|
|
|
- name: Calico | Install calicoctl container script
|
|
template:
|
|
src: calicoctl-container.j2
|
|
dest: "{{ bin_dir }}/calicoctl"
|
|
mode: 0755
|
|
owner: root
|
|
group: root
|
|
changed_when: false
|
|
notify: restart calico-node
|
|
|
|
- name: Calico | Copy cni plugins from hyperkube
|
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/"
|
|
register: cni_task_result
|
|
until: cni_task_result.rc == 0
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
changed_when: false
|
|
tags: [hyperkube, upgrade]
|
|
|
|
- name: Calico | Copy cni plugins from calico/cni container
|
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
|
|
register: cni_task_result
|
|
until: cni_task_result.rc == 0
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
changed_when: false
|
|
when: "{{ overwrite_hyperkube_cni|bool }}"
|
|
tags: [hyperkube, upgrade]
|
|
|
|
- name: Calico | wait for etcd
|
|
uri:
|
|
url: https://localhost:2379/health
|
|
validate_certs: no
|
|
register: result
|
|
until: result.status == 200 or result.status == 401
|
|
retries: 10
|
|
delay: 5
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
run_once: true
|
|
|
|
- name: Calico | Check if calico network pool has already been configured
|
|
command: |-
|
|
curl \
|
|
--cacert {{ etcd_cert_dir }}/ca.pem \
|
|
--cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
|
|
--key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
|
|
https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
|
|
register: calico_conf
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
run_once: true
|
|
|
|
- name: Calico | Configure calico network pool
|
|
shell: >
|
|
echo '{
|
|
"kind": "ipPool",
|
|
"spec": {"disabled": false, "ipip": {"enabled": {{ cloud_provider is defined or ipip }}},
|
|
"nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}},
|
|
"apiVersion": "v1",
|
|
"metadata": {"cidr": "{{ kube_pods_subnet }}"}
|
|
}'
|
|
| {{ bin_dir }}/calicoctl create -f -
|
|
environment:
|
|
NO_DEFAULT_POOLS: true
|
|
run_once: true
|
|
when: not legacy_calicoctl and
|
|
("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout)
|
|
|
|
- name: Calico (old) | Define ipip pool argument
|
|
run_once: true
|
|
set_fact:
|
|
ipip_arg: "--ipip"
|
|
when: (legacy_calicoctl and
|
|
cloud_provider is defined or ipip)
|
|
tags: facts
|
|
|
|
- name: Calico (old) | Define nat-outgoing pool argument
|
|
run_once: true
|
|
set_fact:
|
|
nat_arg: "--nat-outgoing"
|
|
when: (legacy_calicoctl and
|
|
nat_outgoing|default(false) and not peer_with_router|default(false))
|
|
tags: facts
|
|
|
|
- name: Calico (old) | Define calico pool task name
|
|
run_once: true
|
|
set_fact:
|
|
pool_task_name: "with options {{ ipip_arg|default('') }} {{ nat_arg|default('') }}"
|
|
when: (legacy_calicoctl and ipip_arg|default(false) or nat_arg|default(false))
|
|
tags: facts
|
|
|
|
- name: Calico (old) | Configure calico network pool {{ pool_task_name|default('') }}
|
|
command: "{{ bin_dir}}/calicoctl pool add {{ kube_pods_subnet }} {{ ipip_arg|default('') }} {{ nat_arg|default('') }}"
|
|
environment:
|
|
NO_DEFAULT_POOLS: true
|
|
run_once: true
|
|
when: legacy_calicoctl and
|
|
("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout)
|
|
|
|
- name: Calico | Get calico configuration from etcd
|
|
command: |-
|
|
curl \
|
|
--cacert {{ etcd_cert_dir }}/ca.pem \
|
|
--cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
|
|
--key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
|
|
https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
|
|
register: calico_pools_raw
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
run_once: true
|
|
|
|
- set_fact:
|
|
calico_pools: "{{ calico_pools_raw.stdout | from_json }}"
|
|
run_once: true
|
|
|
|
- name: Calico | Check if calico pool is properly configured
|
|
fail:
|
|
msg: 'Only one network pool must be configured and it must be the subnet {{ kube_pods_subnet }}.
|
|
Please erase calico configuration and run the playbook again ("etcdctl rm --recursive /calico/v1/ipam/v4/pool")'
|
|
when: ( calico_pools['node']['nodes'] | length > 1 ) or
|
|
( not calico_pools['node']['nodes'][0]['key'] | search(".*{{ kube_pods_subnet | ipaddr('network') }}.*") )
|
|
run_once: true
|
|
|
|
- name: Calico | Set global as_num
|
|
command: "{{ bin_dir}}/calicoctl config set asNumber {{ global_as_num }}"
|
|
run_once: true
|
|
when: not legacy_calicoctl
|
|
|
|
- name: Calico (old) | Set global as_num
|
|
command: "{{ bin_dir}}/calicoctl bgp default-node-as {{ global_as_num }}"
|
|
run_once: true
|
|
when: legacy_calicoctl
|
|
|
|
- name: Calico (old) | Write calico-node systemd init file
|
|
template:
|
|
src: calico-node.service.legacy.j2
|
|
dest: /etc/systemd/system/calico-node.service
|
|
when: legacy_calicoctl
|
|
notify: restart calico-node
|
|
|
|
- name: Calico | Write calico.env for systemd init file
|
|
template:
|
|
src: calico.env.j2
|
|
dest: /etc/calico/calico.env
|
|
when: not legacy_calicoctl
|
|
notify: restart calico-node
|
|
|
|
- name: Calico | Write calico-node systemd init file
|
|
template:
|
|
src: calico-node.service.j2
|
|
dest: /etc/systemd/system/calico-node.service
|
|
when: not legacy_calicoctl
|
|
notify: restart calico-node
|
|
|
|
- name: Calico | Restart calico-node if secrets changed
|
|
command: /bin/true
|
|
when: secret_changed|default(false) or etcd_secret_changed|default(false)
|
|
notify: restart calico-node
|
|
|
|
- meta: flush_handlers
|
|
|
|
- name: Calico | Enable calico-node
|
|
service:
|
|
name: calico-node
|
|
state: started
|
|
enabled: yes
|
|
|
|
- name: Calico | Disable node mesh
|
|
shell: "{{ bin_dir }}/calicoctl config set nodeToNodeMesh off"
|
|
when: ((peer_with_router|default(false) or peer_with_calico_rr|default(false))
|
|
and inventory_hostname in groups['k8s-cluster']
|
|
and not legacy_calicoctl)
|
|
run_once: true
|
|
|
|
- name: Calico | Configure peering with router(s)
|
|
shell: >
|
|
echo '{
|
|
"kind": "bgpPeer",
|
|
"spec": {"asNumber": "{{ item.as }}"},
|
|
"apiVersion": "v1",
|
|
"metadata": {"node": "{{ inventory_hostname }}", "scope": "node", "peerIP": "{{ item.router_id }}"}
|
|
}'
|
|
| {{ bin_dir }}/calicoctl create -f -
|
|
with_items: "{{ peers|default([]) }}"
|
|
when: (not legacy_calicoctl and
|
|
peer_with_router|default(false) and inventory_hostname in groups['k8s-cluster'])
|
|
|
|
- name: Calico | Configure peering with route reflectors
|
|
shell: >
|
|
echo '{
|
|
"kind": "bgpPeer",
|
|
"spec": {"asNumber": "{{ local_as | default(global_as_num)}}"},
|
|
"apiVersion": "v1",
|
|
"metadata": {"node": "{{ inventory_hostname }}",
|
|
"scope": "node",
|
|
"peerIP": "{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"]) }}"}
|
|
}'
|
|
| {{ bin_dir }}/calicoctl create --skip-exists -f -
|
|
with_items: "{{ groups['calico-rr'] | default([]) }}"
|
|
when: (not legacy_calicoctl and
|
|
peer_with_calico_rr|default(false) and inventory_hostname in groups['k8s-cluster']
|
|
and hostvars[item]['cluster_id'] == cluster_id)
|
|
|
|
- name: Calico (old) | Disable node mesh
|
|
shell: "{{ bin_dir }}/calicoctl bgp node-mesh off"
|
|
when: ((peer_with_router|default(false) or peer_with_calico_rr|default(false))
|
|
and inventory_hostname in groups['k8s-cluster']
|
|
and legacy_calicoctl)
|
|
run_once: true
|
|
|
|
- name: Calico (old) | Configure peering with router(s)
|
|
shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ item.router_id }} as {{ item.as }}"
|
|
with_items: "{{ peers|default([]) }}"
|
|
when: (legacy_calicoctl and
|
|
peer_with_router|default(false) and inventory_hostname in groups['k8s-cluster'])
|
|
|
|
- name: Calico (old) | Configure peering with route reflectors
|
|
shell: "{{ bin_dir }}/calicoctl node bgp peer add {{ hostvars[item]['calico_rr_ip']|default(hostvars[item]['ip']) }} as {{ local_as | default(global_as_num) }}"
|
|
with_items: "{{ groups['calico-rr'] | default([]) }}"
|
|
when: (legacy_calicoctl and
|
|
peer_with_calico_rr|default(false) and inventory_hostname in groups['k8s-cluster']
|
|
and hostvars[item]['cluster_id'] == cluster_id)
|