c1fd468687
Refactored how rbac_enabled is set Added RBAC to ubuntu-canal-ha CI job
89 lines
2.9 KiB
YAML
89 lines
2.9 KiB
YAML
---
|
|
- name: Canal | Write Canal cni config
|
|
template:
|
|
src: "cni-canal.conf.j2"
|
|
dest: "/etc/cni/net.d/10-canal.conf"
|
|
owner: kube
|
|
|
|
- name: Canal | Create canal certs directory
|
|
file:
|
|
dest: "{{ canal_cert_dir }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Canal | Link etcd certificates for canal-node
|
|
file:
|
|
src: "{{ etcd_cert_dir }}/{{ item.s }}"
|
|
dest: "{{ canal_cert_dir }}/{{ item.d }}"
|
|
state: hard
|
|
force: yes
|
|
with_items:
|
|
- {s: "ca.pem", d: "ca_cert.crt"}
|
|
- {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
|
|
- {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
|
|
|
|
- name: Canal | Set Flannel etcd configuration
|
|
command: |-
|
|
{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} \
|
|
set /{{ cluster_name }}/network/config \
|
|
'{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
|
|
delegate_to: "{{groups['etcd'][0]}}"
|
|
run_once: true
|
|
|
|
- name: Canal | Create canal node rbac configuration
|
|
template:
|
|
src: "{{item.file}}.j2"
|
|
dest: "{{kube_config_dir}}/{{item.file}}"
|
|
with_items:
|
|
- {name: canal-config, file: canal-config.yml, type: cm}
|
|
- {name: canal-node, file: canal-node.yml, type: ds}
|
|
- {name: canal, file: canal-node-sa.yml, type: sa}
|
|
- {name: calico, file: canal-cr-calico.yml, type: clusterrole}
|
|
- {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
|
|
- {name: canal-calico, file: canal-cr-calico.yml, type: clusterrolebinding}
|
|
- {name: canal-flannel, file: canal-cr-flannel.yml, type: clusterrolebinding}
|
|
register: canal_manifests
|
|
when:
|
|
- rbac_enabled or item.type not in rbac_resources
|
|
|
|
- name: Canal | Copy cni plugins from hyperkube
|
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
|
|
register: cni_task_result
|
|
until: cni_task_result.rc == 0
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
changed_when: false
|
|
tags: [hyperkube, upgrade]
|
|
|
|
- name: Canal | Copy cni plugins from calico/cni
|
|
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }} sh -c 'cp -a /opt/cni/bin/* /cnibindir/'"
|
|
register: cni_task_result
|
|
until: cni_task_result.rc == 0
|
|
retries: 4
|
|
delay: "{{ retry_stagger | random + 3 }}"
|
|
changed_when: false
|
|
tags: [hyperkube, upgrade]
|
|
|
|
- name: Canal | Set cni directory permissions
|
|
file:
|
|
path: /opt/cni/bin
|
|
state: directory
|
|
owner: kube
|
|
recurse: true
|
|
mode: 0755
|
|
|
|
- name: Canal | Install calicoctl container script
|
|
template:
|
|
src: calicoctl-container.j2
|
|
dest: "{{ bin_dir }}/calicoctl"
|
|
mode: 0755
|
|
owner: root
|
|
group: root
|
|
changed_when: false
|
|
|
|
- name: Canal | Create network policy directory
|
|
file:
|
|
path: "{{ canal_policy_dir }}"
|
|
state: directory
|