87f33a4644
Now calico can be deployed if there are other existing pools and not confuse IPAM and end up with pods in the wrong pools.
197 lines
6.5 KiB
YAML
197 lines
6.5 KiB
YAML
---
|
|
- name: Calico | Disable calico-node service if it exists
|
|
service:
|
|
name: calico-node
|
|
state: stopped
|
|
enabled: yes
|
|
failed_when: false
|
|
|
|
- name: Calico | Get kubelet hostname
|
|
shell: >-
|
|
{{ bin_dir }}/kubectl get node -o custom-columns='NAME:.metadata.name,INTERNAL-IP:.status.addresses[?(@.type=="InternalIP")].address'
|
|
| egrep "{{ ansible_all_ipv4_addresses | join('$|') }}$" | cut -d" " -f1
|
|
register: calico_kubelet_name
|
|
delegate_to: "{{ groups['kube-master'][0] }}"
|
|
when: cloud_provider is defined
|
|
|
|
- name: Calico | Write Calico cni config
|
|
template:
|
|
src: "cni-calico.conflist.j2"
|
|
dest: "/etc/cni/net.d/10-calico.conflist"
|
|
owner: kube
|
|
|
|
- name: Calico | Create calico certs directory
|
|
file:
|
|
dest: "{{ calico_cert_dir }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Calico | Link etcd certificates for calico-node
|
|
file:
|
|
src: "{{ etcd_cert_dir }}/{{ item.s }}"
|
|
dest: "{{ calico_cert_dir }}/{{ item.d }}"
|
|
state: hard
|
|
force: yes
|
|
with_items:
|
|
- {s: "ca.pem", d: "ca_cert.crt"}
|
|
- {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
|
|
- {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
|
|
|
|
- name: Calico | Install calicoctl container script
|
|
template:
|
|
src: calicoctl-container.j2
|
|
dest: "{{ bin_dir }}/calicoctl"
|
|
mode: 0755
|
|
owner: root
|
|
group: root
|
|
changed_when: false
|
|
|
|
- name: Calico | Copy cni plugins from hyperkube
|
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
|
|
register: cni_task_result
|
|
until: cni_task_result.rc == 0
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
changed_when: false
|
|
tags:
|
|
- hyperkube
|
|
- upgrade
|
|
|
|
- name: Calico | Copy cni plugins from calico/cni container
|
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp /opt/cni/bin/* /cnibindir/'"
|
|
register: cni_task_result
|
|
until: cni_task_result.rc == 0
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
changed_when: false
|
|
when: overwrite_hyperkube_cni|bool
|
|
tags:
|
|
- hyperkube
|
|
- upgrade
|
|
|
|
- name: Calico | Set cni directory permissions
|
|
file:
|
|
path: /opt/cni/bin
|
|
state: directory
|
|
owner: kube
|
|
recurse: true
|
|
mode: 0755
|
|
|
|
- name: Calico | wait for etcd
|
|
uri:
|
|
url: https://localhost:2379/health
|
|
validate_certs: no
|
|
client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
|
|
client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
|
|
register: result
|
|
until: result.status == 200 or result.status == 401
|
|
retries: 10
|
|
delay: 5
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
run_once: true
|
|
|
|
- name: Calico | Check if calico network pool has already been configured
|
|
command: |-
|
|
curl \
|
|
--cacert {{ etcd_cert_dir }}/ca.pem \
|
|
--cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
|
|
--key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
|
|
https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
|
|
register: calico_conf
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
run_once: true
|
|
changed_when: false
|
|
|
|
- name: Calico | Configure calico network pool
|
|
shell: >
|
|
echo '{
|
|
"kind": "ipPool",
|
|
"spec": {"disabled": false, "ipip": {"enabled": {{ ipip }}, "mode": "{{ ipip_mode }}"},
|
|
"nat-outgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }}},
|
|
"apiVersion": "v1",
|
|
"metadata": {"cidr": "{{ kube_pods_subnet }}"}
|
|
}'
|
|
| {{ bin_dir }}/calicoctl create -f -
|
|
environment:
|
|
NO_DEFAULT_POOLS: true
|
|
run_once: true
|
|
when: ("Key not found" in calico_conf.stdout or "nodes" not in calico_conf.stdout)
|
|
|
|
- name: Calico | Get calico configuration from etcd
|
|
command: |-
|
|
curl \
|
|
--cacert {{ etcd_cert_dir }}/ca.pem \
|
|
--cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
|
|
--key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
|
|
https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
|
|
register: calico_pools_raw
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
run_once: true
|
|
|
|
- set_fact:
|
|
calico_pools: "{{ calico_pools_raw.stdout | from_json }}"
|
|
run_once: true
|
|
|
|
- name: Calico | Set global as_num
|
|
command: "{{ bin_dir}}/calicoctl config set asNumber {{ global_as_num }}"
|
|
run_once: true
|
|
|
|
- name: Calico | Disable node mesh
|
|
shell: "{{ bin_dir }}/calicoctl config set nodeToNodeMesh off"
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
when: ((peer_with_router|default(false) or peer_with_calico_rr|default(false))
|
|
and inventory_hostname in groups['k8s-cluster'])
|
|
run_once: true
|
|
|
|
- name: Calico | Configure peering with router(s)
|
|
shell: >
|
|
echo '{
|
|
"kind": "bgpPeer",
|
|
"spec": {"asNumber": "{{ item.as }}"},
|
|
"apiVersion": "v1",
|
|
"metadata": {"node": "{{ inventory_hostname }}", "scope": "node", "peerIP": "{{ item.router_id }}"}
|
|
}'
|
|
| {{ bin_dir }}/calicoctl create --skip-exists -f -
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
with_items: "{{ peers|default([]) }}"
|
|
when: peer_with_router|default(false) and inventory_hostname in groups['k8s-cluster']
|
|
|
|
- name: Calico | Configure peering with route reflectors
|
|
shell: >
|
|
echo '{
|
|
"kind": "bgpPeer",
|
|
"spec": {"asNumber": "{{ local_as | default(global_as_num)}}"},
|
|
"apiVersion": "v1",
|
|
"metadata": {"node": "{{ inventory_hostname }}",
|
|
"scope": "node",
|
|
"peerIP": "{{ hostvars[item]["calico_rr_ip"]|default(hostvars[item]["ip"])|default(hostvars[item]["ansible_default_ipv4"]["address"]) }}"}
|
|
}'
|
|
| {{ bin_dir }}/calicoctl create --skip-exists -f -
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
with_items: "{{ groups['calico-rr'] | default([]) }}"
|
|
when: (peer_with_calico_rr|default(false) and inventory_hostname in groups['k8s-cluster']
|
|
and hostvars[item]['cluster_id'] == cluster_id)
|
|
|
|
- name: Calico | Create calico manifests
|
|
template:
|
|
src: "{{item.file}}.j2"
|
|
dest: "{{kube_config_dir}}/{{item.file}}"
|
|
with_items:
|
|
- {name: calico-config, file: calico-config.yml, type: cm}
|
|
- {name: calico-node, file: calico-node.yml, type: ds}
|
|
- {name: calico, file: calico-node-sa.yml, type: sa}
|
|
- {name: calico, file: calico-cr.yml, type: clusterrole}
|
|
- {name: calico, file: calico-crb.yml, type: clusterrolebinding}
|
|
register: calico_node_manifests
|
|
when:
|
|
- inventory_hostname in groups['kube-master']
|
|
- rbac_enabled or item.type not in rbac_resources
|