修改calico与访问etcd的证书

pull/275/head
jmgao 2017-12-04 20:20:17 +08:00
parent 8342c325f9
commit 429bed5ce9
9 changed files with 40 additions and 30 deletions


@ -4,12 +4,18 @@
- /etc/calico/ssl - /etc/calico/ssl
- /etc/cni/net.d - /etc/cni/net.d
- name: 复制CA 证书和etcd 证书 - name: 复制CA 证书到calico 证书目录
copy: src={{ item }} dest=/etc/calico/ssl/{{ item }} copy: src=ca.pem dest=/etc/calico/ssl/ca.pem
with_items:
- ca.pem - name: 创建calico 证书请求
- etcd.pem template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json
- etcd-key.pem
- name: 创建 calico证书和私钥
shell: "cd /etc/calico/ssl && {{ bin_dir }}/cfssl gencert \
-ca={{ ca_dir }}/ca.pem \
-ca-key={{ ca_dir }}/ca-key.pem \
-config={{ ca_dir }}/ca-config.json \
-profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"
- name: 创建 calico 的 systemd unit 文件 - name: 创建 calico 的 systemd unit 文件
template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service template: src=calico-node.service.j2 dest=/etc/systemd/system/calico-node.service
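Review bot: The new cfssl gencert task reads `-ca-key={{ ca_dir }}/ca-key.pem` on the host where the shell runs, so unless the task is delegated elsewhere every node this role targets must hold the CA private key; the fetch tasks removed from the etcd role only moved leaf certificates, so this widens where ca-key.pem lives and deserves a comment on the task, e.g. `# requires the CA private key on this node; alternatively generate on the deploy host and copy calico.pem/calico-key.pem`. The shell task also has no idempotency guard, so every run regenerates the key pair; add `args:` / `creates: /etc/calico/ssl/calico.pem` beneath it. Nothing sets the mode of calico-key.pem after cfssljson writes it; a follow-up `file: path=/etc/calico/ssl/calico-key.pem mode=0600` task would keep the private key unreadable to other users, if that matches the role's conventions. The task list continues outside the hunk.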


@ -0,0 +1,17 @@
{
"CN": "calico",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "HangZhou",
"L": "XS",
"O": "k8s",
"OU": "System"
}
]
}
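Review bot: The empty `"hosts": []` in this CSR is appropriate for a certificate used only as an etcd client identity (the calico-node unit and CNI conf in this commit reference it via ETCD_CERT_FILE / etcd_cert_file), but whether etcd accepts it depends on the `kubernetes` profile in ca-config.json carrying client-auth usage, and that file is not part of this commit, so it is worth confirming. JSON allows no comments, so the intent is best recorded on the Ansible task that renders this template, e.g. `# client-only cert: empty hosts is intentional; key usage comes from the kubernetes profile in ca-config.json`.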


@ -9,8 +9,8 @@ PermissionsStartOnly=true
ExecStart={{ bin_dir }}/docker run --net=host --privileged --name=calico-node \ ExecStart={{ bin_dir }}/docker run --net=host --privileged --name=calico-node \
-e ETCD_ENDPOINTS={{ ETCD_ENDPOINTS }} \ -e ETCD_ENDPOINTS={{ ETCD_ENDPOINTS }} \
-e ETCD_CA_CERT_FILE=/etc/calico/ssl/ca.pem \ -e ETCD_CA_CERT_FILE=/etc/calico/ssl/ca.pem \
-e ETCD_CERT_FILE=/etc/calico/ssl//etcd.pem \ -e ETCD_CERT_FILE=/etc/calico/ssl/calico.pem \
-e ETCD_KEY_FILE=/etc/calico/ssl/etcd-key.pem \ -e ETCD_KEY_FILE=/etc/calico/ssl/calico-key.pem \
-e CALICO_LIBNETWORK_ENABLED=true \ -e CALICO_LIBNETWORK_ENABLED=true \
-e CALICO_NETWORKING_BACKEND=bird \ -e CALICO_NETWORKING_BACKEND=bird \
-e CALICO_DISABLE_FILE_LOGGING=true \ -e CALICO_DISABLE_FILE_LOGGING=true \
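Review bot: The literal `/etc/calico/ssl/calico.pem` and `/etc/calico/ssl/calico-key.pem` paths on the ETCD_CERT_FILE and ETCD_KEY_FILE lines are repeated verbatim in the calico datastore config, the CNI conf and the calico role tasks in this commit, so the next rename touches four files again; a role variable rendered as `-e ETCD_CERT_FILE={{ calico_ssl_dir }}/calico.pem \` (name constructed here) would keep them in step. The bind mount that exposes /etc/calico/ssl inside the container is outside this hunk, so it is worth confirming the new filenames sit under that mount. The ExecStart continues outside the hunk.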


@ -4,6 +4,6 @@ metadata:
spec: spec:
datastoreType: "etcdv2" datastoreType: "etcdv2"
etcdEndpoints: {{ ETCD_ENDPOINTS }} etcdEndpoints: {{ ETCD_ENDPOINTS }}
etcdKeyFile: /etc/calico/ssl/etcd-key.pem etcdKeyFile: /etc/calico/ssl/calico-key.pem
etcdCertFile: /etc/calico/ssl/etcd.pem etcdCertFile: /etc/calico/ssl/calico.pem
etcdCACertFile: /etc/calico/ssl/ca.pem etcdCACertFile: /etc/calico/ssl/ca.pem


@ -3,8 +3,8 @@
"cniVersion": "0.1.0", "cniVersion": "0.1.0",
"type": "calico", "type": "calico",
"etcd_endpoints": "{{ ETCD_ENDPOINTS }}", "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
"etcd_key_file": "/etc/calico/ssl/etcd-key.pem", "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
"etcd_cert_file": "/etc/calico/ssl//etcd.pem", "etcd_cert_file": "/etc/calico/ssl/calico.pem",
"etcd_ca_cert_file": "/etc/calico/ssl/ca.pem", "etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
"log_level": "info", "log_level": "info",
"mtu": 1500, "mtu": 1500,


@ -17,20 +17,6 @@
-config={{ ca_dir }}/ca-config.json \ -config={{ ca_dir }}/ca-config.json \
-profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd" -profile=kubernetes etcd-csr.json | {{ bin_dir }}/cfssljson -bare etcd"
- name: 获取ectd.pem 供calico secrets使用
fetch:
src: /etc/etcd/ssl/etcd.pem
dest: /etc/ansible/roles/calico/files/
flat: yes
when: NODE_NAME is defined and NODE_NAME == "etcd1"
- name: 获取ectd-key.pem 供calico secrets使用
fetch:
src: /etc/etcd/ssl/etcd-key.pem
dest: /etc/ansible/roles/calico/files/
flat: yes
when: NODE_NAME is defined and NODE_NAME == "etcd1"
- name: 创建etcd工作目录 - name: 创建etcd工作目录
file: name=/var/lib/etcd state=directory file: name=/var/lib/etcd state=directory


@ -12,7 +12,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \
--kubelet-https=true \ --kubelet-https=true \
--anonymous-auth=false \ --anonymous-auth=false \
--basic-auth-file={{ ca_dir }}/basic-auth.csv \ --basic-auth-file={{ ca_dir }}/basic-auth.csv \
--experimental-bootstrap-token-auth \ --enable-bootstrap-token-auth \
--token-auth-file={{ ca_dir }}/token.csv \ --token-auth-file={{ ca_dir }}/token.csv \
--service-cluster-ip-range={{ SERVICE_CIDR }} \ --service-cluster-ip-range={{ SERVICE_CIDR }} \
--service-node-port-range={{ NODE_PORT_RANGE }} \ --service-node-port-range={{ NODE_PORT_RANGE }} \


@ -42,10 +42,10 @@ spec:
value: "/calico-secrets/ca.pem" value: "/calico-secrets/ca.pem"
# Location of the client key for etcd. # Location of the client key for etcd.
- name: ETCD_KEY_FILE - name: ETCD_KEY_FILE
value: "/calico-secrets/etcd-key.pem" value: "/calico-secrets/calico-key.pem"
# Location of the client certificate for etcd. # Location of the client certificate for etcd.
- name: ETCD_CERT_FILE - name: ETCD_CERT_FILE
value: "/calico-secrets/etcd.pem" value: "/calico-secrets/calico.pem"
volumeMounts: volumeMounts:
# Mount in the etcd TLS secrets. # Mount in the etcd TLS secrets.
- mountPath: /calico-secrets - mountPath: /calico-secrets
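Review bot: The new `/calico-secrets/calico-key.pem` and `/calico-secrets/calico.pem` values only resolve if the Secret mounted at /calico-secrets is populated with keys named calico.pem and calico-key.pem; that Secret definition is outside this hunk, and the etcd role no longer fetches etcd.pem/etcd-key.pem into the calico role, so the manifest should say where the secret contents now come from, e.g. `# keys in this Secret must match the files generated by the calico role: calico.pem, calico-key.pem, ca.pem`. The container spec continues outside the hunk.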


@ -19,7 +19,8 @@ ExecStart={{ bin_dir }}/kubelet \
--cni-bin-dir={{ bin_dir }} \ --cni-bin-dir={{ bin_dir }} \
--cluster-dns={{ CLUSTER_DNS_SVC_IP }} \ --cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
--cluster-domain={{ CLUSTER_DNS_DOMAIN }} \ --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
--hairpin-mode promiscuous-bridge \ --cloud-provider='' \
--hairpin-mode hairpin-veth \
--allow-privileged=true \ --allow-privileged=true \
--fail-swap-on=false \ --fail-swap-on=false \
--logtostderr=true \ --logtostderr=true \
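Review bot: The added `--cloud-provider=''` and the change from `--hairpin-mode promiscuous-bridge` to `--hairpin-mode hairpin-veth` are unrelated to the certificate work in the commit title, and nothing explains why the hairpin mode changes; a one-line comment in the unit template, e.g. `# hairpin-veth: presumably no kubenet bridge once CNI (calico) manages pod networking — confirm`, or a sentence in the commit message would help. The `''` is redundant under systemd's ExecStart quoting (`--cloud-provider= \` passes the same empty value) but harmless. The ExecStart continues outside the hunk.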