2ab2f3a0a3
* Ability to specify ssl certificate duration and ssl key size - etcd/secrets * Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
---
# Make sure the openvswitch kernel module is loaded on every boot by
# dropping a modules-load.d entry. The notified handler (defined elsewhere
# in the role) takes care of loading it for the current boot.
- name: Contiv | Load openvswitch kernel module
  notify:
    - Contiv | Reload kernel modules
  copy:
    content: openvswitch
    dest: /etc/modules-load.d/openvswitch.conf
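# Create the config and data directories used by the contiv etcd
# daemonset on the masters. Root-owned, not readable by other users.
- name: Contiv | Create contiv etcd directories
  file:
    path: "{{ item }}"
    state: directory
    # Quoted so the YAML loader never reinterprets the octal literal;
    # Ansible parses the string as an octal mode.
    mode: "0750"
    owner: root
    group: root
  with_items:
    - "{{ contiv_etcd_conf_dir }}"
    - "{{ contiv_etcd_data_dir }}"
  when: inventory_hostname in groups['kube-master']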
# Workaround for https://github.com/contiv/netplugin/issues/1152: compute the
# API server URL contiv should talk to. Branches, in order: the localhost
# load balancer (when this host is not a master and one is configured), an
# external load balancer (its port appended unless it is 443), otherwise the
# first master directly.
- name: Contiv | Workaround https://github.com/contiv/netplugin/issues/1152
  set_fact:
    # |- drops the trailing newline and the -%} / {%- markers trim the
    # whitespace around the Jinja tags, so the fact is a single URL.
    kube_apiserver_endpoint_for_contiv: |-
      {% if not is_kube_master and loadbalancer_apiserver_localhost -%}
      https://localhost:{{ nginx_kube_apiserver_port|default(kube_apiserver_port) }}
      {%- elif loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
      https://{{ apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') }}
      {%- if loadbalancer_apiserver.port|string != "443" -%}
      :{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
      {%- endif -%}
      {%- else -%}
      https://{{ first_kube_master }}:{{ kube_apiserver_port }}
      {%- endif %}
  when: inventory_hostname in groups['kube-master']
# Re-declare the contiv_* role variables as host facts on the masters and
# list the manifests that "Contiv | Install all Kubernetes resources"
# renders (one entry per template, in apply order).
- name: Contiv | Set necessary facts
  when: inventory_hostname in groups['kube-master']
  set_fact:
    contiv_config_dir: "{{ contiv_config_dir }}"
    contiv_enable_api_proxy: "{{ contiv_enable_api_proxy }}"
    contiv_fabric_mode: "{{ contiv_fabric_mode }}"
    contiv_fwd_mode: "{{ contiv_fwd_mode }}"
    contiv_netmaster_port: "{{ contiv_netmaster_port }}"
    contiv_networks: "{{ contiv_networks }}"
    contiv_manifests:
      - name: contiv-config
        file: contiv-config.yml
        type: configmap
      - name: contiv-etcd
        file: contiv-etcd.yml
        type: daemonset
      - name: contiv-etcd-proxy
        file: contiv-etcd-proxy.yml
        type: daemonset
      - name: contiv-ovs
        file: contiv-ovs.yml
        type: daemonset
      - name: contiv-netmaster
        file: contiv-netmaster-clusterrolebinding.yml
        type: clusterrolebinding
      - name: contiv-netmaster
        file: contiv-netmaster-clusterrole.yml
        type: clusterrole
      - name: contiv-netmaster
        file: contiv-netmaster-serviceaccount.yml
        type: serviceaccount
      - name: contiv-netmaster
        file: contiv-netmaster.yml
        type: daemonset
      - name: contiv-netplugin
        file: contiv-netplugin-clusterrolebinding.yml
        type: clusterrolebinding
      - name: contiv-netplugin
        file: contiv-netplugin-clusterrole.yml
        type: clusterrole
      - name: contiv-netplugin
        file: contiv-netplugin-serviceaccount.yml
        type: serviceaccount
      - name: contiv-netplugin
        file: contiv-netplugin.yml
        type: daemonset
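# When the API proxy is enabled, append its daemonset manifest to the list
# built by "Contiv | Set necessary facts".
- name: Contiv | Add the contiv-api-proxy manifest when enabled
  set_fact:
    # Plain list concatenation: the previous form mutated the existing fact
    # in place with .append() inside the template and round-tripped the
    # whole list through its string representation.
    contiv_manifests: >-
      {{ contiv_manifests
         + [{'name': 'contiv-api-proxy', 'file': 'contiv-api-proxy.yml', 'type': 'daemonset'}] }}
  when:
    - contiv_enable_api_proxy
    - inventory_hostname in groups['kube-master']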
# Host directory used by the tasks below: the certificate generation script
# is templated here and the api-proxy key and cert are placed here.
# Created on every host this role runs on, with default permissions.
- name: Contiv | Create /var/contiv
  file:
    state: directory
    path: /var/contiv
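# Directory the rendered Kubernetes manifests are written into on the
# masters; world-readable, root-owned.
- name: Contiv | Create contiv config directory
  file:
    path: "{{ contiv_config_dir }}"
    state: directory
    # Quoted so the YAML loader never reinterprets the octal literal;
    # Ansible parses the string as an octal mode.
    mode: "0755"
    owner: root
    group: root
  when: inventory_hostname in groups['kube-master']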
# Render every template listed in contiv_manifests into the config
# directory on the masters. The per-item results are registered as
# contiv_manifests_results for tasks outside this file.
- name: Contiv | Install all Kubernetes resources
  when: inventory_hostname in groups['kube-master']
  register: contiv_manifests_results
  with_items: "{{ contiv_manifests }}"
  template:
    dest: "{{ contiv_config_dir }}/{{ item.file }}"
    src: "{{ item.file }}.j2"
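# Render the certificate generation script onto the first master only.
# Executable by root alone: the next task expects it to produce
# /var/contiv/auth_proxy_key.pem, i.e. private key material.
- name: Contiv | Copy certs generation script
  template:
    src: "generate-certificate.sh.j2"
    dest: "/var/contiv/generate-certificate.sh"
    # Quoted so the YAML loader never reinterprets the octal literal;
    # Ansible parses the string as an octal mode.
    mode: "0700"
  when:
    - contiv_enable_api_proxy
    - contiv_generate_certificate
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true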
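# Run the generation script on the first master. `creates` skips the task
# once the key exists, so an existing key pair is never regenerated.
- name: Contiv | Generate contiv-api-proxy certificates
  # `command` executes the copy the previous task templated onto the remote
  # host. The `script` module would instead look for the file at this path
  # on the Ansible controller and transfer it, which is not where it lives.
  command: /var/contiv/generate-certificate.sh
  args:
    creates: /var/contiv/auth_proxy_key.pem
  when:
    - contiv_enable_api_proxy
    - contiv_generate_certificate
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true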
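# Pull the generated key pair from the first master to the controller so
# it can be pushed to the other masters by the next task.
- name: Contiv | Fetch the generated certificate
  fetch:
    src: "/var/contiv/{{ item }}"
    # NOTE(review): the private key lands in the controller's /tmp under a
    # predictable name with umask permissions (fetch has no mode option).
    # A dedicated restricted directory would be safer; changing it requires
    # the matching change in "Copy the generated certificate on nodes".
    dest: "/tmp/kubespray-contiv-{{ item }}"
    # canonical boolean instead of the YAML 1.1 "yes"
    flat: true
  with_items:
    - auth_proxy_key.pem
    - auth_proxy_cert.pem
  when:
    - contiv_enable_api_proxy
    - contiv_generate_certificate
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true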
# Distribute the key pair to the remaining masters from the copy the fetch
# task left on the controller; the first master already has the originals.
- name: Contiv | Copy the generated certificate on nodes
  when:
    - inventory_hostname != groups['kube-master'][0]
    - inventory_hostname in groups['kube-master']
    - contiv_enable_api_proxy
    - contiv_generate_certificate
  copy:
    # NOTE(review): no mode is set, so auth_proxy_key.pem is created with
    # the remote default (typically umask-derived) permissions. Confirm
    # which user the api proxy reads the key as before tightening to 0600.
    dest: "/var/contiv/{{ item }}"
    src: "/tmp/kubespray-contiv-{{ item }}"
  with_items:
    - auth_proxy_key.pem
    - auth_proxy_cert.pem
# Populate /opt/cni/bin on the host with the CNI plugins shipped in the
# hyperkube image, using a throw-away container with the host directory
# bind-mounted. Retried with a staggered delay until the run succeeds.
- name: Contiv | Copy cni plugins from hyperkube
  tags:
    - hyperkube
    - upgrade
  command: >-
    {{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir
    {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
    /bin/bash -c '/bin/cp -fa /opt/cni/bin/* /cnibindir/'
  changed_when: false
  register: cni_task_result
  until: cni_task_result.rc == 0
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
# Extract the netctl CLI from the contiv image into bin_dir through a
# temporary container. The leading `rm -f` clears a leftover container
# from an earlier failed run; the `;` lets it fail when there is none.
- name: Contiv | Copy netctl binary from docker container
  command: >-
    sh -c "{{ docker_bin_dir }}/docker rm -f netctl-binarycopy;
    {{ docker_bin_dir }}/docker create --name netctl-binarycopy {{ contiv_image_repo }}:{{ contiv_image_tag }} &&
    {{ docker_bin_dir }}/docker cp netctl-binarycopy:/contiv/bin/netctl {{ bin_dir }}/netctl &&
    {{ docker_bin_dir }}/docker rm -f netctl-binarycopy"
  changed_when: false
  register: contiv_task_result
  until: contiv_task_result.rc == 0
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"