c12s-kubespray/roles/network_plugin/canal/tasks/main.yml
Matthew Mosesohn c1fd468687 Add RBAC support for canal
Refactored how rbac_enabled is set
Added RBAC to ubuntu-canal-ha CI job
2017-09-01 10:45:37 +01:00

89 lines
2.9 KiB
YAML

---
- name: Canal | Write Canal cni config
template:
src: "cni-canal.conf.j2"
dest: "/etc/cni/net.d/10-canal.conf"
owner: kube
- name: Canal | Create canal certs directory
file:
dest: "{{ canal_cert_dir }}"
state: directory
mode: 0750
owner: root
group: root
- name: Canal | Link etcd certificates for canal-node
file:
src: "{{ etcd_cert_dir }}/{{ item.s }}"
dest: "{{ canal_cert_dir }}/{{ item.d }}"
state: hard
force: yes
with_items:
- {s: "ca.pem", d: "ca_cert.crt"}
- {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
- {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
- name: Canal | Set Flannel etcd configuration
command: |-
{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} \
set /{{ cluster_name }}/network/config \
'{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
delegate_to: "{{groups['etcd'][0]}}"
run_once: true
- name: Canal | Create canal node rbac configuration
template:
src: "{{item.file}}.j2"
dest: "{{kube_config_dir}}/{{item.file}}"
with_items:
- {name: canal-config, file: canal-config.yml, type: cm}
- {name: canal-node, file: canal-node.yml, type: ds}
- {name: canal, file: canal-node-sa.yml, type: sa}
- {name: calico, file: canal-cr-calico.yml, type: clusterrole}
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
- {name: canal-calico, file: canal-cr-calico.yml, type: clusterrolebinding}
- {name: canal-flannel, file: canal-cr-flannel.yml, type: clusterrolebinding}
register: canal_manifests
when:
- rbac_enabled or item.type not in rbac_resources
- name: Canal | Copy cni plugins from hyperkube
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
register: cni_task_result
until: cni_task_result.rc == 0
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, upgrade]
- name: Canal | Copy cni plugins from calico/cni
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
register: cni_task_result
until: cni_task_result.rc == 0
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
changed_when: false
tags: [hyperkube, upgrade]
- name: Canal | Set cni directory permissions
file:
path: /opt/cni/bin
state: directory
owner: kube
recurse: true
mode: 0755
- name: Canal | Install calicoctl container script
template:
src: calicoctl-container.j2
dest: "{{ bin_dir }}/calicoctl"
mode: 0755
owner: root
group: root
changed_when: false
- name: Canal | Create network policy directory
file:
path: "{{ canal_policy_dir }}"
state: directory