mirror of https://github.com/easzlab/kubeasz.git
update calico v3.1.3
parent
30b6ebb59f
commit
7261653f03
|
@ -84,6 +84,7 @@
|
||||||
- "/run/flannel/"
|
- "/run/flannel/"
|
||||||
- "/etc/calico/"
|
- "/etc/calico/"
|
||||||
- "/var/run/calico/"
|
- "/var/run/calico/"
|
||||||
|
- "/var/lib/calico/"
|
||||||
- "/var/log/calico/"
|
- "/var/log/calico/"
|
||||||
- "/etc/cilium/"
|
- "/etc/cilium/"
|
||||||
- "/var/run/cilium/"
|
- "/var/run/cilium/"
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# 部分calico相关配置,更全配置可以去roles/calico/templates/calico.yaml.j2自定义
|
# 部分calico相关配置,更全配置可以去roles/calico/templates/calico.yaml.j2自定义
|
||||||
|
|
||||||
# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 05.安装calico网络组件.md
|
# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 docs/06.calico.md
|
||||||
CALICO_IPV4POOL_IPIP: "always"
|
CALICO_IPV4POOL_IPIP: "always"
|
||||||
|
|
||||||
# 设置 Felix 日志级别
|
# 设置 Felix 日志级别
|
||||||
|
@ -11,9 +11,9 @@ FELIX_LOG_LVL: "warning"
|
||||||
IP_AUTODETECTION_METHOD: "can-reach={{ MASTER_IP }}"
|
IP_AUTODETECTION_METHOD: "can-reach={{ MASTER_IP }}"
|
||||||
|
|
||||||
# 镜像版本
|
# 镜像版本
|
||||||
calico_node_ver: "v3.0.6"
|
calico_node_ver: "v3.1.3"
|
||||||
calico_cni_ver: "v2.0.5"
|
calico_cni_ver: "v3.1.3"
|
||||||
calico_kube_controller_ver: "v2.0.4"
|
calico_kube_controller_ver: "v3.1.3"
|
||||||
|
|
||||||
# 离线镜像tar包
|
# 离线镜像tar包
|
||||||
calico_offline: "calico_{{ calico_node_ver }}.tar"
|
calico_offline: "calico_{{ calico_node_ver }}.tar"
|
||||||
|
|
|
@ -6,9 +6,6 @@
|
||||||
- /opt/kube/kube-system/calico
|
- /opt/kube/kube-system/calico
|
||||||
- /opt/kube/images
|
- /opt/kube/images
|
||||||
|
|
||||||
- name: 复制CA 证书到calico 证书目录
|
|
||||||
shell: "cp {{ ca_dir }}/ca.pem /etc/calico/ssl/ca.pem"
|
|
||||||
|
|
||||||
- name: 创建calico 证书请求
|
- name: 创建calico 证书请求
|
||||||
template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json
|
template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json
|
||||||
|
|
||||||
|
@ -19,9 +16,14 @@
|
||||||
-config={{ ca_dir }}/ca-config.json \
|
-config={{ ca_dir }}/ca-config.json \
|
||||||
-profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"
|
-profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"
|
||||||
|
|
||||||
# 因官方calico.yaml文件中使用特定的证书名,所以要重命名
|
- name: 创建 calico-etcd-secrets
|
||||||
- name: 重命名相关证书
|
shell: "cd /etc/calico/ssl && \
|
||||||
shell: "cd /etc/calico/ssl && cp ca.pem etcd-ca && cp calico.pem etcd-cert && cp calico-key.pem etcd-key"
|
{{ bin_dir }}/kubectl create secret generic -n kube-system calico-etcd-secrets \
|
||||||
|
--from-file=etcd-ca={{ ca_dir }}/ca.pem \
|
||||||
|
--from-file=etcd-key=calico-key.pem \
|
||||||
|
--from-file=etcd-cert=calico.pem"
|
||||||
|
ignore_errors: true
|
||||||
|
run_once: true
|
||||||
|
|
||||||
- name: 准备 calico DaemonSet yaml文件
|
- name: 准备 calico DaemonSet yaml文件
|
||||||
template: src=calico.yaml.j2 dest=/opt/kube/kube-system/calico/calico.yaml
|
template: src=calico.yaml.j2 dest=/opt/kube/kube-system/calico/calico.yaml
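Review bot: The new `创建 calico-etcd-secrets` task is not idempotent, and `ignore_errors: true` hides exactly the failure that matters: on a re-run `kubectl create secret` exits non-zero because the Secret already exists, so if the cfssl task above regenerates `calico.pem`/`calico-key.pem` the new key never reaches the Secret and calico-node keeps mounting the stale one. Replace the create with an apply-style pipeline and drop `ignore_errors`, e.g. end the shell with `--from-file=etcd-cert=calico.pem --dry-run -o yaml | {{ bin_dir }}/kubectl apply -f -`. The task also deserves a comment that the etcd client key now lives in a kube-system Secret, readable by any principal with `get secrets` there and stored base64-only in etcd unless encryption at rest is configured; if `ETCD_ENDPOINTS` is the same etcd that backs the API server, this key is effectively cluster-admin material. The certificate-generation task this depends on starts above the hunk.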
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
# Calico Version v2.6.5
|
# Calico Version v3.1.3
|
||||||
# https://docs.projectcalico.org/v2.6/releases#v2.6.5
|
# https://docs.projectcalico.org/v3.1/releases#v3.1.3
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-kube-controllers
|
name: calico-kube-controllers
|
||||||
rules:
|
rules:
|
||||||
|
@ -19,9 +19,16 @@ rules:
|
||||||
verbs:
|
verbs:
|
||||||
- watch
|
- watch
|
||||||
- list
|
- list
|
||||||
|
- apiGroups:
|
||||||
|
- networking.k8s.io
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- list
|
||||||
---
|
---
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-kube-controllers
|
name: calico-kube-controllers
|
||||||
roleRef:
|
roleRef:
|
||||||
|
@ -36,7 +43,7 @@ subjects:
|
||||||
---
|
---
|
||||||
|
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-node
|
name: calico-node
|
||||||
rules:
|
rules:
|
||||||
|
@ -49,7 +56,7 @@ rules:
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-node
|
name: calico-node
|
||||||
|
@ -61,4 +68,3 @@ subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: calico-node
|
name: calico-node
|
||||||
namespace: kube-system
|
namespace: kube-system
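Review bot: The four `apiVersion:` lines in this template move from `rbac.authorization.k8s.io/v1` back to `rbac.authorization.k8s.io/v1beta1`, which is a downgrade: v1 has been GA since Kubernetes 1.8 and v1beta1 is the deprecated form that was later removed, so the previous value should be kept (`apiVersion: rbac.authorization.k8s.io/v1`) even though the upstream v3.1.3 manifest still ships the beta group. The added rule granting calico-kube-controllers `watch`/`list` on `networking.k8s.io/networkpolicies` is read-only and appropriately scoped. I would add a header comment such as `# RBAC API pinned to rbac.authorization.k8s.io/v1 (GA); do not revert to v1beta1 when syncing upstream manifests` so the next version sync does not reintroduce it.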
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# Calico Version {{ calico_node_ver }}
|
# Calico Version {{ calico_node_ver }}
|
||||||
# https://docs.projectcalico.org/v3.0/releases#{{ calico_node_ver }}
|
# https://docs.projectcalico.org/v3.1/releases#{{ calico_node_ver }}
|
||||||
# This manifest includes the following component versions:
|
# This manifest includes the following component versions:
|
||||||
# calico/node:{{ calico_node_ver }}
|
# calico/node:{{ calico_node_ver }}
|
||||||
# calico/cni:{{ calico_cni_ver }}
|
# calico/cni:{{ calico_cni_ver }}
|
||||||
|
@ -13,7 +13,7 @@ metadata:
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
data:
|
data:
|
||||||
# Configure this with the location of your etcd cluster.
|
# Configure this with the location of your etcd cluster.
|
||||||
etcd_endpoints: "{{ ETCD_ENDPOINTS }}"
|
etcd_endpoints: "{{ ETCD_ENDPOINTS }}"
|
||||||
|
|
||||||
# Configure the Calico backend to use.
|
# Configure the Calico backend to use.
|
||||||
calico_backend: "bird"
|
calico_backend: "bird"
|
||||||
|
@ -25,22 +25,22 @@ data:
|
||||||
"cniVersion": "0.3.0",
|
"cniVersion": "0.3.0",
|
||||||
"plugins": [
|
"plugins": [
|
||||||
{
|
{
|
||||||
"type": "calico",
|
"type": "calico",
|
||||||
"etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
|
"etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
|
||||||
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
|
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
|
||||||
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
|
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
|
||||||
"etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
|
"etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem",
|
||||||
"log_level": "warning",
|
"log_level": "warning",
|
||||||
"mtu": 1500,
|
"mtu": 1500,
|
||||||
"ipam": {
|
"ipam": {
|
||||||
"type": "calico-ipam"
|
"type": "calico-ipam"
|
||||||
},
|
},
|
||||||
"policy": {
|
"policy": {
|
||||||
"type": "k8s"
|
"type": "k8s"
|
||||||
},
|
},
|
||||||
"kubernetes": {
|
"kubernetes": {
|
||||||
"kubeconfig": "/root/.kube/config"
|
"kubeconfig": "/root/.kube/config"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"type": "portmap",
|
"type": "portmap",
|
||||||
|
@ -52,12 +52,17 @@ data:
|
||||||
|
|
||||||
# If you're using TLS enabled etcd uncomment the following.
|
# If you're using TLS enabled etcd uncomment the following.
|
||||||
# You must also populate the Secret below with these files.
|
# You must also populate the Secret below with these files.
|
||||||
etcd_ca: "/calico-secrets/etcd-ca"
|
etcd_ca: "/calico-secrets/etcd-ca"
|
||||||
etcd_cert: "/calico-secrets/etcd-cert"
|
etcd_cert: "/calico-secrets/etcd-cert"
|
||||||
etcd_key: "/calico-secrets/etcd-key"
|
etcd_key: "/calico-secrets/etcd-key"
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# We use cmd-line-way( kubectl create) to create secrets 'calico-etcd-secrets',
|
||||||
|
# refer to 'roles/calico/tasks/main.yml' for details.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
# This manifest installs the calico/node container, as well
|
# This manifest installs the calico/node container, as well
|
||||||
# as the Calico CNI plugins and network config on
|
# as the Calico CNI plugins and network config on
|
||||||
# each master and worker node in a Kubernetes cluster.
|
# each master and worker node in a Kubernetes cluster.
|
||||||
|
@ -102,7 +107,6 @@ spec:
|
||||||
# container programs network policy and routes on each
|
# container programs network policy and routes on each
|
||||||
# host.
|
# host.
|
||||||
- name: calico-node
|
- name: calico-node
|
||||||
#image: quay.io/calico/node:{{ calico_node_ver }}
|
|
||||||
image: calico/node:{{ calico_node_ver }}
|
image: calico/node:{{ calico_node_ver }}
|
||||||
env:
|
env:
|
||||||
# The location of the Calico etcd cluster.
|
# The location of the Calico etcd cluster.
|
||||||
|
@ -131,7 +135,9 @@ spec:
|
||||||
# Set Felix endpoint to host default action to ACCEPT.
|
# Set Felix endpoint to host default action to ACCEPT.
|
||||||
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
|
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
|
||||||
value: "ACCEPT"
|
value: "ACCEPT"
|
||||||
# Configure the IP Pool from which Pod IPs will be chosen.
|
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
|
||||||
|
# chosen from this range. Changing this value after installation will have
|
||||||
|
# no effect. This should fall within `--cluster-cidr`.
|
||||||
- name: CALICO_IPV4POOL_CIDR
|
- name: CALICO_IPV4POOL_CIDR
|
||||||
value: "{{ CLUSTER_CIDR }}"
|
value: "{{ CLUSTER_CIDR }}"
|
||||||
- name: CALICO_IPV4POOL_IPIP
|
- name: CALICO_IPV4POOL_IPIP
|
||||||
|
@ -139,9 +145,9 @@ spec:
|
||||||
# Disable IPv6 on Kubernetes.
|
# Disable IPv6 on Kubernetes.
|
||||||
- name: FELIX_IPV6SUPPORT
|
- name: FELIX_IPV6SUPPORT
|
||||||
value: "false"
|
value: "false"
|
||||||
# Set Felix logging to "warning"
|
# Set Felix logging
|
||||||
- name: FELIX_LOGSEVERITYSCREEN
|
- name: FELIX_LOGSEVERITYSCREEN
|
||||||
value: {{ FELIX_LOG_LVL }}
|
value: "{{ FELIX_LOG_LVL }}"
|
||||||
# Set MTU for tunnel device used if ipip is enabled
|
# Set MTU for tunnel device used if ipip is enabled
|
||||||
- name: FELIX_IPINIPMTU
|
- name: FELIX_IPINIPMTU
|
||||||
value: "1440"
|
value: "1440"
|
||||||
|
@ -194,12 +200,14 @@ spec:
|
||||||
- mountPath: /var/run/calico
|
- mountPath: /var/run/calico
|
||||||
name: var-run-calico
|
name: var-run-calico
|
||||||
readOnly: false
|
readOnly: false
|
||||||
|
- mountPath: /var/lib/calico
|
||||||
|
name: var-lib-calico
|
||||||
|
readOnly: false
|
||||||
- mountPath: /calico-secrets
|
- mountPath: /calico-secrets
|
||||||
name: etcd-certs
|
name: etcd-certs
|
||||||
# This container installs the Calico CNI binaries
|
# This container installs the Calico CNI binaries
|
||||||
# and CNI network config file on each node.
|
# and CNI network config file on each node.
|
||||||
- name: install-cni
|
- name: install-cni
|
||||||
#image: quay.io/calico/cni:{{ calico_cni_ver }}
|
|
||||||
image: calico/cni:{{ calico_cni_ver }}
|
image: calico/cni:{{ calico_cni_ver }}
|
||||||
command: ["/install-cni.sh"]
|
command: ["/install-cni.sh"]
|
||||||
env:
|
env:
|
||||||
|
@ -233,6 +241,9 @@ spec:
|
||||||
- name: var-run-calico
|
- name: var-run-calico
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/calico
|
path: /var/run/calico
|
||||||
|
- name: var-lib-calico
|
||||||
|
hostPath:
|
||||||
|
path: /var/lib/calico
|
||||||
# Used to install CNI.
|
# Used to install CNI.
|
||||||
- name: cni-bin-dir
|
- name: cni-bin-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
|
@ -240,10 +251,12 @@ spec:
|
||||||
- name: cni-net-dir
|
- name: cni-net-dir
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /etc/cni/net.d
|
path: /etc/cni/net.d
|
||||||
# Mount in the etcd TLS secrets.
|
# Mount in the etcd TLS secrets with mode 400.
|
||||||
|
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||||
- name: etcd-certs
|
- name: etcd-certs
|
||||||
hostPath:
|
secret:
|
||||||
path: /etc/calico/ssl
|
secretName: calico-etcd-secrets
|
||||||
|
defaultMode: 0400
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -258,9 +271,6 @@ metadata:
|
||||||
k8s-app: calico-kube-controllers
|
k8s-app: calico-kube-controllers
|
||||||
annotations:
|
annotations:
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
scheduler.alpha.kubernetes.io/tolerations: |
|
|
||||||
[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
|
|
||||||
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
|
|
||||||
spec:
|
spec:
|
||||||
# The controllers can only have a single active instance.
|
# The controllers can only have a single active instance.
|
||||||
replicas: 1
|
replicas: 1
|
||||||
|
@ -279,10 +289,15 @@ spec:
|
||||||
# The controllers must run in the host network namespace so that
|
# The controllers must run in the host network namespace so that
|
||||||
# it isn't governed by policy that would prevent it from working.
|
# it isn't governed by policy that would prevent it from working.
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
|
tolerations:
|
||||||
|
# Mark the pod as a critical add-on for rescheduling.
|
||||||
|
- key: CriticalAddonsOnly
|
||||||
|
operator: Exists
|
||||||
|
- key: node-role.kubernetes.io/master
|
||||||
|
effect: NoSchedule
|
||||||
serviceAccountName: calico-kube-controllers
|
serviceAccountName: calico-kube-controllers
|
||||||
containers:
|
containers:
|
||||||
- name: calico-kube-controllers
|
- name: calico-kube-controllers
|
||||||
#image: quay.io/calico/kube-controllers:{{ calico_kube_controller_ver }}
|
|
||||||
image: calico/kube-controllers:{{ calico_kube_controller_ver }}
|
image: calico/kube-controllers:{{ calico_kube_controller_ver }}
|
||||||
env:
|
env:
|
||||||
# The location of the Calico etcd cluster.
|
# The location of the Calico etcd cluster.
|
||||||
|
@ -312,7 +327,7 @@ spec:
|
||||||
# Choose which controllers to run.
|
# Choose which controllers to run.
|
||||||
- name: ENABLED_CONTROLLERS
|
- name: ENABLED_CONTROLLERS
|
||||||
value: policy,profile,workloadendpoint,node
|
value: policy,profile,workloadendpoint,node
|
||||||
# 多网卡服务器需要设置以下2个环境变量
|
# if hosts have multiple net interfaces, set following two ENVs
|
||||||
- name: KUBERNETES_SERVICE_HOST
|
- name: KUBERNETES_SERVICE_HOST
|
||||||
value: "{{ MASTER_IP }}"
|
value: "{{ MASTER_IP }}"
|
||||||
- name: KUBERNETES_SERVICE_PORT
|
- name: KUBERNETES_SERVICE_PORT
|
||||||
|
@ -322,10 +337,12 @@ spec:
|
||||||
- mountPath: /calico-secrets
|
- mountPath: /calico-secrets
|
||||||
name: etcd-certs
|
name: etcd-certs
|
||||||
volumes:
|
volumes:
|
||||||
# Mount in the etcd TLS secrets.
|
# Mount in the etcd TLS secrets with mode 400.
|
||||||
|
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||||
- name: etcd-certs
|
- name: etcd-certs
|
||||||
hostPath:
|
secret:
|
||||||
path: /etc/calico/ssl
|
secretName: calico-etcd-secrets
|
||||||
|
defaultMode: 0400
|
||||||
|
|
||||||
---
|
---
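Review bot: In the CNI network-config hunk, `"etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem"` hard-codes the CA location while the role's secret task references `{{ ca_dir }}/ca.pem`; if `ca_dir` is ever changed the host-side CNI plugin validates etcd against a missing file and pod networking fails, which invites the usual bad fix of disabling verification. Since this is a Jinja template, `"etcd_ca_cert_file": "{{ ca_dir }}/ca.pem"` keeps a single source of truth. The switch of `etcd-certs` from `hostPath: /etc/calico/ssl` to `secret: calico-etcd-secrets` with `defaultMode: 0400` is an improvement, but the same etcd client key is now mounted into every calico-node pod and the kube-controllers Deployment and is retrievable through the API by anything with `get secrets` in kube-system, so a comment next to each `etcd-certs` volume should state that this Secret grants read/write to Calico's etcd (and, if `ETCD_ENDPOINTS` is the API server's etcd, to all cluster state) and must be covered by encryption at rest and tight RBAC. The DaemonSet and Deployment specs these volumes belong to begin outside the shown hunks.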
|
||||||
|
|
||||||
|
|
|
@ -119,4 +119,5 @@
|
||||||
|
|
||||||
# 兼容ansible执行节点与deploy节点分离情况
|
# 兼容ansible执行节点与deploy节点分离情况
|
||||||
- name: 复制 manifests至 deploy节点
|
- name: 复制 manifests至 deploy节点
|
||||||
copy: src={{ base_dir }}/manifests dest={{ base_dir }}/manifests
|
copy: src={{ base_dir }}/manifests dest={{ base_dir }}
|
||||||
|
when: "ansible_env['SSH_CLIENT'].split(' ')[0] != inventory_hostname"
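Review bot: The new `when:` condition `ansible_env['SSH_CLIENT'].split(' ')[0] != inventory_hostname` fails hard whenever `SSH_CLIENT` is absent from the gathered environment — the `connection: local` case this guard is meant to cover, or a become/sudo `env_reset` that scrubs the variable — because indexing a missing key raises an undefined-variable error instead of evaluating false. Guard it first, e.g. `when: "ansible_env.SSH_CLIENT is defined and ansible_env.SSH_CLIENT.split(' ')[0] != inventory_hostname"`. The comparison also assumes `inventory_hostname` is an IP address; with a name-based inventory it is always true and the manifests are copied onto themselves, which is harmless but worth stating in the comment above the task. The play this task belongs to starts outside the hunk.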
|
||||||
|
|