update calico v3.1.3

99.clean.yml

@@ -84,6 +84,7 @@
     - "/run/flannel/"
     - "/etc/calico/"
     - "/var/run/calico/"
+    - "/var/lib/calico/"
     - "/var/log/calico/"
     - "/etc/cilium/"
     - "/var/run/cilium/"

roles/calico/defaults/main.yml

@@ -1,6 +1,6 @@
 # 部分calico相关配置，更全配置可以去roles/calico/templates/calico.yaml.j2自定义
 
-# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能，条件限制详见 05.安装calico网络组件.md
+# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能，条件限制详见 docs/06.calico.md
 CALICO_IPV4POOL_IPIP: "always"
 
 # 设置 Felix 日志级别
@@ -11,9 +11,9 @@ FELIX_LOG_LVL: "warning"
 IP_AUTODETECTION_METHOD: "can-reach={{ MASTER_IP }}"
 
 # 镜像版本
-calico_node_ver: "v3.0.6"
+calico_node_ver: "v3.1.3"
-calico_cni_ver: "v2.0.5"
+calico_cni_ver: "v3.1.3"
-calico_kube_controller_ver: "v2.0.4"
+calico_kube_controller_ver: "v3.1.3"
 
 # 离线镜像tar包
 calico_offline: "calico_{{ calico_node_ver }}.tar"

roles/calico/tasks/main.yml

@@ -6,9 +6,6 @@
   - /opt/kube/kube-system/calico
   - /opt/kube/images 
 
-- name: 复制CA 证书到calico 证书目录
-  shell: "cp {{ ca_dir }}/ca.pem /etc/calico/ssl/ca.pem"
-
 - name: 创建calico 证书请求
   template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json
 
@@ -19,9 +16,14 @@
         -config={{ ca_dir }}/ca-config.json \
         -profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"
 
-# 因官方calico.yaml文件中使用特定的证书名，所以要重命名
+- name: 创建 calico-etcd-secrets
-- name: 重命名相关证书
+  shell: "cd /etc/calico/ssl && \
-  shell: "cd /etc/calico/ssl && cp ca.pem etcd-ca && cp calico.pem etcd-cert && cp calico-key.pem etcd-key"
+        {{ bin_dir }}/kubectl create secret generic -n kube-system calico-etcd-secrets \
+        --from-file=etcd-ca={{ ca_dir }}/ca.pem \
+        --from-file=etcd-key=calico-key.pem \
+        --from-file=etcd-cert=calico.pem"
+  ignore_errors: true
+  run_once: true
 
 - name: 准备 calico DaemonSet yaml文件
   template: src=calico.yaml.j2 dest=/opt/kube/kube-system/calico/calico.yaml

roles/calico/templates/calico-rbac.yaml.j2

@@ -1,10 +1,10 @@
-# Calico Version v2.6.5
+# Calico Version v3.1.3
-# https://docs.projectcalico.org/v2.6/releases#v2.6.5
+# https://docs.projectcalico.org/v3.1/releases#v3.1.3
 
 ---
 
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: calico-kube-controllers
 rules:
@@ -19,9 +19,16 @@ rules:
     verbs:
       - watch
       - list
+  - apiGroups:
+    - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - watch
+      - list
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: calico-kube-controllers
 roleRef:
@@ -36,7 +43,7 @@ subjects:
 ---
 
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: calico-node
 rules:
@@ -49,7 +56,7 @@ rules:
 
 ---
 
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
   name: calico-node
@@ -61,4 +68,3 @@ subjects:
 - kind: ServiceAccount
   name: calico-node
   namespace: kube-system
-

roles/calico/templates/calico.yaml.j2

@@ -1,5 +1,5 @@
-# Calico Version {{ calico_node_ver }}
+# Calico Version {{ calico_node_ver }} 
-# https://docs.projectcalico.org/v3.0/releases#{{ calico_node_ver }}
+# https://docs.projectcalico.org/v3.1/releases#{{ calico_node_ver }}
 # This manifest includes the following component versions:
 #   calico/node:{{ calico_node_ver }}
 #   calico/cni:{{ calico_cni_ver }}
@@ -13,7 +13,7 @@ metadata:
   namespace: kube-system
 data:
   # Configure this with the location of your etcd cluster.
-  etcd_endpoints: "{{ ETCD_ENDPOINTS }}" 
+  etcd_endpoints: "{{ ETCD_ENDPOINTS }}"
 
   # Configure the Calico backend to use.
   calico_backend: "bird"
@@ -25,22 +25,22 @@ data:
       "cniVersion": "0.3.0",
       "plugins": [
         {
-            "type": "calico",
+          "type": "calico",
-            "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
+          "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
-            "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
+          "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
-            "etcd_cert_file": "/etc/calico/ssl/calico.pem",
+          "etcd_cert_file": "/etc/calico/ssl/calico.pem",
-            "etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
+          "etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem",
-            "log_level": "warning",
+          "log_level": "warning",
-            "mtu": 1500,
+          "mtu": 1500,
-            "ipam": {
+          "ipam": {
-                "type": "calico-ipam"
+              "type": "calico-ipam"
-            },
+          },
-            "policy": {
+          "policy": {
-                "type": "k8s"
+              "type": "k8s"
-            },
+          },
-            "kubernetes": {
+          "kubernetes": {
-                "kubeconfig": "/root/.kube/config" 
+              "kubeconfig": "/root/.kube/config"
-            }
+          }
         },
         {
           "type": "portmap",
@@ -52,12 +52,17 @@ data:
 
   # If you're using TLS enabled etcd uncomment the following.
   # You must also populate the Secret below with these files.
-  etcd_ca: "/calico-secrets/etcd-ca" 
+  etcd_ca: "/calico-secrets/etcd-ca"
   etcd_cert: "/calico-secrets/etcd-cert"
   etcd_key: "/calico-secrets/etcd-key"
 
 ---
 
+# We use cmd-line-way( kubectl create) to create secrets 'calico-etcd-secrets',
+# refer to 'roles/calico/tasks/main.yml' for details.
+
+---
+
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
 # each master and worker node in a Kubernetes cluster.
@@ -102,7 +107,6 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          #image: quay.io/calico/node:{{ calico_node_ver }}
           image: calico/node:{{ calico_node_ver }}
           env:
             # The location of the Calico etcd cluster.
@@ -131,7 +135,9 @@ spec:
             # Set Felix endpoint to host default action to ACCEPT.
             - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
               value: "ACCEPT"
-            # Configure the IP Pool from which Pod IPs will be chosen.
+            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+            # chosen from this range. Changing this value after installation will have
+            # no effect. This should fall within `--cluster-cidr`.
             - name: CALICO_IPV4POOL_CIDR
               value: "{{ CLUSTER_CIDR }}"
             - name: CALICO_IPV4POOL_IPIP
@@ -139,9 +145,9 @@ spec:
             # Disable IPv6 on Kubernetes.
             - name: FELIX_IPV6SUPPORT
               value: "false"
-            # Set Felix logging to "warning"
+            # Set Felix logging 
             - name: FELIX_LOGSEVERITYSCREEN
-              value: {{ FELIX_LOG_LVL }}
+              value: "{{ FELIX_LOG_LVL }}"
             # Set MTU for tunnel device used if ipip is enabled
             - name: FELIX_IPINIPMTU
               value: "1440"
@@ -194,12 +200,14 @@ spec:
             - mountPath: /var/run/calico
               name: var-run-calico
               readOnly: false
+            - mountPath: /var/lib/calico
+              name: var-lib-calico
+              readOnly: false
             - mountPath: /calico-secrets
               name: etcd-certs
         # This container installs the Calico CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          #image: quay.io/calico/cni:{{ calico_cni_ver }}
           image: calico/cni:{{ calico_cni_ver }}
           command: ["/install-cni.sh"]
           env:
@@ -233,6 +241,9 @@ spec:
         - name: var-run-calico
           hostPath:
             path: /var/run/calico
+        - name: var-lib-calico
+          hostPath:
+            path: /var/lib/calico
         # Used to install CNI.
         - name: cni-bin-dir
           hostPath:
@@ -240,10 +251,12 @@ spec:
         - name: cni-net-dir
           hostPath:
             path: /etc/cni/net.d
-        # Mount in the etcd TLS secrets.
+        # Mount in the etcd TLS secrets with mode 400.
+        # See https://kubernetes.io/docs/concepts/configuration/secret/
         - name: etcd-certs
-          hostPath:
+          secret:
-            path: /etc/calico/ssl
+            secretName: calico-etcd-secrets
+            defaultMode: 0400
 
 ---
 
@@ -258,9 +271,6 @@ metadata:
     k8s-app: calico-kube-controllers
   annotations:
     scheduler.alpha.kubernetes.io/critical-pod: ''
-    scheduler.alpha.kubernetes.io/tolerations: |
-      [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
-       {"key":"CriticalAddonsOnly", "operator":"Exists"}]
 spec:
   # The controllers can only have a single active instance.
   replicas: 1
@@ -279,10 +289,15 @@ spec:
       # The controllers must run in the host network namespace so that
       # it isn't governed by policy that would prevent it from working.
       hostNetwork: true
+      tolerations:
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
       serviceAccountName: calico-kube-controllers
       containers:
         - name: calico-kube-controllers
-          #image: quay.io/calico/kube-controllers:{{ calico_kube_controller_ver }}
           image: calico/kube-controllers:{{ calico_kube_controller_ver }}
           env:
             # The location of the Calico etcd cluster.
@@ -312,7 +327,7 @@ spec:
             # Choose which controllers to run.
             - name: ENABLED_CONTROLLERS
               value: policy,profile,workloadendpoint,node
-            # 多网卡服务器需要设置以下2个环境变量
+            # if hosts have multiple net interfaces, set following two ENVs
             - name: KUBERNETES_SERVICE_HOST
               value: "{{ MASTER_IP }}"
             - name: KUBERNETES_SERVICE_PORT
@@ -322,10 +337,12 @@ spec:
             - mountPath: /calico-secrets
               name: etcd-certs
       volumes:
-        # Mount in the etcd TLS secrets.
+        # Mount in the etcd TLS secrets with mode 400.
+        # See https://kubernetes.io/docs/concepts/configuration/secret/
         - name: etcd-certs
-          hostPath:
+          secret:
-            path: /etc/calico/ssl
+            secretName: calico-etcd-secrets
+            defaultMode: 0400
 
 ---
 

roles/deploy/tasks/main.yml

@@ -119,4 +119,5 @@
 
 # 兼容ansible执行节点与deploy节点分离情况
 - name: 复制 manifests至 deploy节点
-  copy: src={{ base_dir }}/manifests dest={{ base_dir }}/manifests
+  copy: src={{ base_dir }}/manifests dest={{ base_dir }}
+  when: "ansible_env['SSH_CLIENT'].split(' ')[0] != inventory_hostname"