diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml index 70eebf8..e31ef6e 100644 --- a/roles/calico/tasks/main.yml +++ b/roles/calico/tasks/main.yml @@ -4,12 +4,18 @@ - /etc/calico/ssl - /etc/cni/net.d -- name: 复制CA 证书和etcd 证书 - copy: src={{ item }} dest=/etc/calico/ssl/{{ item }} - with_items: - - ca.pem - - etcd.pem - - etcd-key.pem +- name: 复制CA 证书到calico 证书目录 + copy: src=ca.pem dest=/etc/calico/ssl/ca.pem + +- name: 创建calico 证书请求 + template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json + +- name: 创建 calico证书和私钥 + shell: "cd /etc/calico/ssl && {{ bin_dir }}/cfssl gencert \ + -ca={{ ca_dir }}/ca.pem \ + -ca-key={{ ca_dir }}/ca-key.pem \ + -config={{ ca_dir }}/ca-config.json \ + -profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico" - name: 创建 calico 的 systemd unit 文件 template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service diff --git a/roles/calico/templates/calico-csr.json.j2 b/roles/calico/templates/calico-csr.json.j2 new file mode 100644 index 0000000..b3dd1ef --- /dev/null +++ b/roles/calico/templates/calico-csr.json.j2 @@ -0,0 +1,17 @@ +{ + "CN": "calico", + "hosts": [], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "CN", + "ST": "HangZhou", + "L": "XS", + "O": "k8s", + "OU": "System" + } + ] +} diff --git a/roles/calico/templates/calico-node.service.j2 b/roles/calico/templates/calico-node.service.j2 index 93239cd..aa0c7f0 100644 --- a/roles/calico/templates/calico-node.service.j2 +++ b/roles/calico/templates/calico-node.service.j2 
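Review bot: The new `shell` task in roles/calico/tasks/main.yml regenerates the calico key and certificate on every playbook run, since nothing tells Ansible the output already exists; add `args: creates: /etc/calico/ssl/calico-key.pem` so re-runs are idempotent and the private key is not silently rotated underneath a running calico-node. It also signs on the target host with `-ca-key={{ ca_dir }}/ca-key.pem`, which means the cluster CA private key must be present on every node this role runs on; if that is the deployment shape, any single compromised node can mint certificates for the whole cluster, and signing on the control host (or a dedicated signer) with only the resulting calico.pem/calico-key.pem pushed out would be the least-privilege arrangement. The removed copy task previously placed `etcd.pem` and `etcd-key.pem` in /etc/calico/ssl on every node and nothing here deletes them, so hosts upgraded by re-running the playbook keep the etcd server private key on disk; add `file: path=/etc/calico/ssl/{{ item }} state=absent` with `with_items: [etcd.pem, etcd-key.pem]`, and remove the copies still sitting in roles/calico/files/ on the control host. The `with_items` file task that the first context lines belong to starts outside the hunk.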
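Review bot: calico-csr.json.j2 is signed with `-profile=kubernetes`, the same profile the etcd role uses for etcd's own server certificate, and ca-config.json is not in this diff; if that profile grants both `server auth` and `client auth` (the usual layout), a key that now sits on every node could also be presented as an etcd server certificate. Since this certificate only needs to authenticate calico to etcd, sign it with a client-only profile, e.g. `-profile=client` backed by a profile whose usages are just `signing`, `key encipherment`, `client auth`. `"hosts": []` is correct for a pure client certificate, but every node gets the same `"CN": "calico"`, so there is no per-node identity and a leaked key cannot be distinguished or revoked individually; templating the CN from `{{ inventory_hostname }}` would cost nothing and document which node each cert belongs to. The file contains no Jinja expressions, so it could also live in files/ and be copied rather than templated.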
@@ -9,8 +9,8 @@ PermissionsStartOnly=true ExecStart={{ bin_dir }}/docker run --net=host --privileged --name=calico-node \ -e ETCD_ENDPOINTS={{ ETCD_ENDPOINTS }} \ -e ETCD_CA_CERT_FILE=/etc/calico/ssl/ca.pem \ - -e ETCD_CERT_FILE=/etc/calico/ssl//etcd.pem \ - -e ETCD_KEY_FILE=/etc/calico/ssl/etcd-key.pem \ + -e ETCD_CERT_FILE=/etc/calico/ssl/calico.pem \ + -e ETCD_KEY_FILE=/etc/calico/ssl/calico-key.pem \ -e CALICO_LIBNETWORK_ENABLED=true \ -e CALICO_NETWORKING_BACKEND=bird \ -e CALICO_DISABLE_FILE_LOGGING=true \ diff --git a/roles/calico/templates/calicoctl.cfg.j2 b/roles/calico/templates/calicoctl.cfg.j2 index 00da116..1c8f9cd 100644 --- a/roles/calico/templates/calicoctl.cfg.j2 +++ b/roles/calico/templates/calicoctl.cfg.j2 @@ -4,6 +4,6 @@ metadata: spec: datastoreType: "etcdv2" etcdEndpoints: {{ ETCD_ENDPOINTS }} - etcdKeyFile: /etc/calico/ssl/etcd-key.pem - etcdCertFile: /etc/calico/ssl/etcd.pem + etcdKeyFile: /etc/calico/ssl/calico-key.pem + etcdCertFile: /etc/calico/ssl/calico.pem etcdCACertFile: /etc/calico/ssl/ca.pem diff --git a/roles/calico/templates/cni-calico.conf.j2 b/roles/calico/templates/cni-calico.conf.j2 index 0216b01..4e71866 100644 --- a/roles/calico/templates/cni-calico.conf.j2 +++ b/roles/calico/templates/cni-calico.conf.j2 @@ -3,8 +3,8 @@ "cniVersion": "0.1.0", "type": "calico", "etcd_endpoints": "{{ ETCD_ENDPOINTS }}", - "etcd_key_file": "/etc/calico/ssl/etcd-key.pem", - "etcd_cert_file": "/etc/calico/ssl//etcd.pem", + "etcd_key_file": "/etc/calico/ssl/calico-key.pem", + "etcd_cert_file": "/etc/calico/ssl/calico.pem", "etcd_ca_cert_file": "/etc/calico/ssl/ca.pem", "log_level": "info", "mtu": 1500, diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index c0e13d7..b00dcad 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml 
@@ -17,20 +17,6 @@ -config={{ ca_dir }}/ca-config.json \ -profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd" -- name: 获取ectd.pem 供calico secrets使用 - fetch: - src: /etc/etcd/ssl/etcd.pem - dest: /etc/ansible/roles/calico/files/ - flat: yes - when: NODE_NAME is defined and NODE_NAME == "etcd1" - -- name: 获取ectd-key.pem 供calico secrets使用 - fetch: - src: /etc/etcd/ssl/etcd-key.pem - dest: /etc/ansible/roles/calico/files/ - flat: yes - when: NODE_NAME is defined and NODE_NAME == "etcd1" - - name: 创建etcd工作目录 file: name=/var/lib/etcd state=directory diff --git a/roles/kube-master/templates/kube-apiserver.service.j2 b/roles/kube-master/templates/kube-apiserver.service.j2 index 6380c72..5fc4e07 100644 --- a/roles/kube-master/templates/kube-apiserver.service.j2 +++ b/roles/kube-master/templates/kube-apiserver.service.j2 @@ -12,7 +12,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \ --kubelet-https=true \ --anonymous-auth=false \ --basic-auth-file={{ ca_dir }}/basic-auth.csv \ - --experimental-bootstrap-token-auth \ + --enable-bootstrap-token-auth \ --token-auth-file={{ ca_dir }}/token.csv \ --service-cluster-ip-range={{ SERVICE_CIDR }} \ --service-node-port-range={{ NODE_PORT_RANGE }} \ diff --git a/roles/kube-node/templates/calico-kube-controllers.yaml.j2 b/roles/kube-node/templates/calico-kube-controllers.yaml.j2 index 57cbf1f..5854b0f 100644 --- a/roles/kube-node/templates/calico-kube-controllers.yaml.j2 +++ b/roles/kube-node/templates/calico-kube-controllers.yaml.j2 @@ -42,10 +42,10 @@ spec: value: "/calico-secrets/ca.pem" # Location of the client key for etcd. - name: ETCD_KEY_FILE - value: "/calico-secrets/etcd-key.pem" + value: "/calico-secrets/calico-key.pem" # Location of the client certificate for etcd. - name: ETCD_CERT_FILE - value: "/calico-secrets/etcd.pem" + value: "/calico-secrets/calico.pem" volumeMounts: # Mount in the etcd TLS secrets. - mountPath: /calico-secrets 
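Review bot: calico-kube-controllers.yaml.j2 now expects `/calico-secrets/calico.pem` and `/calico-secrets/calico-key.pem`, but the diff also removes the only tasks that fetched certificate material back to the control host for building that Secret (the `fetch` tasks deleted from roles/etcd/tasks/main.yml) and adds no fetch of the new calico.pem/calico-key.pem, which are generated on each target node. Unless the Secret is created somewhere outside this diff and was updated separately, the controller pod will mount a Secret that still carries etcd.pem/etcd-key.pem (or nothing) and fail to reach etcd. Add a `fetch` of /etc/calico/ssl/calico.pem and calico-key.pem from one node with `run_once: true`, or generate a dedicated controller client cert on the control host, and build the Secret from that; do not reuse the per-node key for the in-cluster controller. The container spec these env entries belong to starts and ends outside the hunk.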
diff --git a/roles/kube-node/templates/kubelet.service.j2 b/roles/kube-node/templates/kubelet.service.j2 index c5f81ae..6fb0a36 100644 --- a/roles/kube-node/templates/kubelet.service.j2 +++ b/roles/kube-node/templates/kubelet.service.j2 @@ -19,7 +19,8 @@ ExecStart={{ bin_dir }}/kubelet \ --cni-bin-dir={{ bin_dir }} \ --cluster-dns={{ CLUSTER_DNS_SVC_IP }} \ --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \ - --hairpin-mode promiscuous-bridge \ + --cloud-provider='' \ + --hairpin-mode hairpin-veth \ --allow-privileged=true \ --fail-swap-on=false \ --logtostderr=true \
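Review bot: `--cloud-provider=''` in the kubelet ExecStart relies on systemd stripping the single quotes inside the word; current systemd does unquote it, but if it did not, kubelet would receive the literal two-character string and refuse to start with an unknown cloud provider, so the unambiguous spelling `--cloud-provider=` is preferable. The switch to `--hairpin-mode hairpin-veth` looks right for calico, which creates no cbr0 bridge for promiscuous-bridge to configure, but the reason is not recorded anywhere; a Jinja comment that is stripped at render time, `{# hairpin-veth: calico uses no bridge, so promiscuous-bridge has nothing to configure #}`, would keep the next maintainer from reverting it. The ExecStart continuation list begins and ends outside the hunk.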