修改calico与访问etcd的证书

2017-12-04 20:20:17 +08:00 · 2017-12-04 20:20:17 +08:00 · 429bed5ce9
parent 8342c325f9
commit 429bed5ce9
9 changed files with 40 additions and 30 deletions
--- a/roles/calico/tasks/main.yml
+++ b/roles/calico/tasks/main.yml
@ -4,12 +4,18 @@
  - /etc/calico/ssl
  - /etc/cni/net.d

- name: 复制CA 证书和etcd 证书
-  copy: src={{ item }} dest=/etc/calico/ssl/{{ item }}
-  with_items:
-  - ca.pem
-  - etcd.pem
-  - etcd-key.pem
+- name: 复制CA 证书到calico 证书目录
+  copy: src=ca.pem dest=/etc/calico/ssl/ca.pem
+
+- name: 创建calico 证书请求
+  template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json
+
+- name: 创建 calico证书和私钥
+  shell: "cd /etc/calico/ssl && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"

 - name: 创建 calico 的 systemd unit 文件
  template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service
--- a/roles/calico/templates/calico-csr.json.j2
+++ b/roles/calico/templates/calico-csr.json.j2
@ -0,0 +1,17 @@
+{
+  "CN": "calico",
+  "hosts": [],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CN",
+      "ST": "HangZhou",
+      "L": "XS",
+      "O": "k8s",
+      "OU": "System"
+    }
+  ]
+}
--- a/roles/calico/templates/calico-node.service.j2
+++ b/roles/calico/templates/calico-node.service.j2
@ -9,8 +9,8 @@ PermissionsStartOnly=true
 ExecStart={{ bin_dir }}/docker run --net=host --privileged --name=calico-node \
  -e ETCD_ENDPOINTS={{ ETCD_ENDPOINTS }} \
  -e ETCD_CA_CERT_FILE=/etc/calico/ssl/ca.pem \
-  -e ETCD_CERT_FILE=/etc/calico/ssl//etcd.pem \
-  -e ETCD_KEY_FILE=/etc/calico/ssl/etcd-key.pem \
+  -e ETCD_CERT_FILE=/etc/calico/ssl/calico.pem \
+  -e ETCD_KEY_FILE=/etc/calico/ssl/calico-key.pem \
  -e CALICO_LIBNETWORK_ENABLED=true \
  -e CALICO_NETWORKING_BACKEND=bird \
  -e CALICO_DISABLE_FILE_LOGGING=true \
--- a/roles/calico/templates/calicoctl.cfg.j2
+++ b/roles/calico/templates/calicoctl.cfg.j2
@ -4,6 +4,6 @@ metadata:
 spec:
  datastoreType: "etcdv2"
  etcdEndpoints: {{ ETCD_ENDPOINTS }}
-  etcdKeyFile: /etc/calico/ssl/etcd-key.pem
-  etcdCertFile: /etc/calico/ssl/etcd.pem
+  etcdKeyFile: /etc/calico/ssl/calico-key.pem
+  etcdCertFile: /etc/calico/ssl/calico.pem
  etcdCACertFile: /etc/calico/ssl/ca.pem
--- a/roles/calico/templates/cni-calico.conf.j2
+++ b/roles/calico/templates/cni-calico.conf.j2
@ -3,8 +3,8 @@
    "cniVersion": "0.1.0",
    "type": "calico",
    "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
-    "etcd_key_file": "/etc/calico/ssl/etcd-key.pem",
-    "etcd_cert_file": "/etc/calico/ssl//etcd.pem",
+    "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
+    "etcd_cert_file": "/etc/calico/ssl/calico.pem",
    "etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
    "log_level": "info",
    "mtu": 1500,
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@ -17,20 +17,6 @@
        -config={{ ca_dir }}/ca-config.json \
        -profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd"

- name: 获取ectd.pem 供calico secrets使用
-  fetch:
-    src: /etc/etcd/ssl/etcd.pem
-    dest: /etc/ansible/roles/calico/files/
-    flat: yes
-  when: NODE_NAME is defined and NODE_NAME == "etcd1"
-
- name: 获取ectd-key.pem 供calico secrets使用
-  fetch:
-    src: /etc/etcd/ssl/etcd-key.pem
-    dest: /etc/ansible/roles/calico/files/
-    flat: yes
-  when: NODE_NAME is defined and NODE_NAME == "etcd1"
-
 - name: 创建etcd工作目录
  file: name=/var/lib/etcd state=directory

--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@ -12,7 +12,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --kubelet-https=true \
  --anonymous-auth=false \
  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
-  --experimental-bootstrap-token-auth \
+  --enable-bootstrap-token-auth \
  --token-auth-file={{ ca_dir }}/token.csv \
  --service-cluster-ip-range={{ SERVICE_CIDR }} \
  --service-node-port-range={{ NODE_PORT_RANGE }} \
--- a/roles/kube-node/templates/calico-kube-controllers.yaml.j2
+++ b/roles/kube-node/templates/calico-kube-controllers.yaml.j2
@ -42,10 +42,10 @@ spec:
              value: "/calico-secrets/ca.pem"
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
-              value: "/calico-secrets/etcd-key.pem"
+              value: "/calico-secrets/calico-key.pem"
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
-              value: "/calico-secrets/etcd.pem"
+              value: "/calico-secrets/calico.pem"
          volumeMounts:
            # Mount in the etcd TLS secrets.
            - mountPath: /calico-secrets
--- a/roles/kube-node/templates/kubelet.service.j2
+++ b/roles/kube-node/templates/kubelet.service.j2
@ -19,7 +19,8 @@ ExecStart={{ bin_dir }}/kubelet \
  --cni-bin-dir={{ bin_dir }} \
  --cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
  --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
-  --hairpin-mode promiscuous-bridge \
+  --cloud-provider='' \
+  --hairpin-mode hairpin-veth \
  --allow-privileged=true \
  --fail-swap-on=false \
  --logtostderr=true \