update cilium v1.4.1

roles/cilium/cilium.yml

@@ -0,0 +1,5 @@
+- hosts:
+  - kube-master
+  - kube-node
+  roles:
+  - cilium

roles/cilium/defaults/main.yml

@@ -1,22 +1,14 @@
 # 部分cilium相关配置, Note: cilium 需要Linux kernel >= 4.9.17
 
 # 如果 node 节点有多块网卡，请设置 true
-# 另外发现设置为 true 时能够解决v1.10使用ipvs偶尔出现pod内‘dial tcp 10.68.0.1:443: i/o timeout’的 bug
+# 如果发现‘dial tcp 10.68.0.1:443: i/o timeout’的错误，请设置 true
 NODE_WITH_MULTIPLE_NETWORKS: "true"
 
-# debug mode
-Debug_Mode: "false"
-
-# Removes any Cilium state, e.g. BPF policy maps, before starting
-Clean_Start: "false"
-
-# If true, the policy with the entity 'reserved:host' allows traffic from 'world'
-Legacy_Host_Policy: "true"
-
 # 镜像版本
-busybox_ver: "1.28.4"
-cilium_ver: "v1.1.4"
+cilium_ver: "v1.4.1"
 
 # 离线镜像tar包
 cilium_offline: "cilium_{{ cilium_ver }}.tar"
-busybox_offline: "busybox_{{ busybox_ver }}.tar"
+
+# CILIUM_ETCD_OPERATOR 创建的 etcd 集群节点数 1,3,5,7...
+ETCD_CLUSTER_SIZE: 1

roles/cilium/tasks/main.yml

@@ -1,38 +1,18 @@
-- block:
-    - name: 在deploy 节点创建cilium 相关目录
-      file: name={{ item }} state=directory
-      with_items:
-      - /etc/cilium/ssl
-      - /opt/kube/kube-system/cilium
-
-    - name: 创建cilium 证书请求
-      template: src=cilium-csr.json.j2 dest=/etc/cilium/ssl/cilium-csr.json
-    
-    - name: 创建 cilium证书和私钥
-      shell: "cd /etc/cilium/ssl && {{ bin_dir }}/cfssl gencert \
-            -ca={{ ca_dir }}/ca.pem \
-            -ca-key={{ ca_dir }}/ca-key.pem \
-            -config={{ ca_dir }}/ca-config.json \
-            -profile=kubernetes cilium-csr.json | {{ bin_dir }}/cfssljson -bare cilium"
-    
-    - name: get cilium-etcd-secrets info
-      shell: "{{ bin_dir }}/kubectl get secrets -n kube-system"
-      register: secrets_info
-    
-    - name: 创建 cilium-etcd-secrets
-      shell: "cd /etc/cilium/ssl && \
-    	{{ bin_dir }}/kubectl create secret generic -n kube-system cilium-etcd-secrets \
-    	--from-file=etcd-ca={{ ca_dir }}/ca.pem \
-    	--from-file=etcd-client-key=cilium-key.pem \
-    	--from-file=etcd-client-crt=cilium.pem"
-      when: '"cilium-etcd-secrets" not in secrets_info.stdout'
-    
-    - name: 配置 cilium DaemonSet yaml文件
-      template: src=cilium.yaml.j2 dest=/opt/kube/kube-system/cilium/cilium.yaml
-      tags: reconf  
+- name: 在deploy 节点创建cilium 相关目录
+  file: name=/opt/kube/kube-system/cilium state=directory
   delegate_to: "{{ groups.deploy[0] }}"
   run_once: true
     
+- name: 配置 cilium DaemonSet yaml文件
+  template: src=cilium.yaml.j2 dest=/opt/kube/kube-system/cilium/cilium.yaml
+  tags: reconf  
+  delegate_to: "{{ groups.deploy[0] }}"
+  run_once: true
+
+- name: 检查内核版本>4.9
+  fail: msg="kernel {{ ansible_kernel }} is too old for cilium installing"
+  when: "ansible_kernel.split('-')[0].split('.')[0]|int < 4 or ansible_kernel.split('-')[0].split('.')[1]|int < 10"
+  
 - name: 检查是否已下载离线cilium镜像
   command: "ls {{ base_dir }}/down"
   register: download_info
@@ -42,7 +22,6 @@
 - name: node 节点创建cilium 相关目录
   file: name={{ item }} state=directory
   with_items:
-  - /etc/cilium/ssl
   - /etc/cni/net.d
   - /var/run/cilium
   - /opt/kube/images 
@@ -61,7 +40,6 @@
   with_items:
   - "pause_3.1.tar"
   - "{{ cilium_offline }}"
-  - "{{ busybox_offline }}"
   ignore_errors: true
 
 - name: 获取cilium离线镜像推送情况
@@ -75,7 +53,6 @@
   with_items:
   - "pause_3.1.tar"
   - "{{ cilium_offline }}"
-  - "{{ busybox_offline }}"
   ignore_errors: true
 
 # 只需单节点执行一次

roles/prepare/tasks/main.yml

@@ -21,8 +21,8 @@
   - cfssl-certinfo
   - cfssljson
 
-- name: 创建 kubeasz 工具的软连接
-  file: src={{ base_dir }}/tools/kubeasz dest=/usr/bin/kubeasz state=link
+- name: 创建 easzctl 工具的软连接
+  file: src={{ base_dir }}/tools/easzctl dest=/usr/bin/easzctl state=link
   connection: local
 
 - name: 写入环境变量$PATH