mirror of https://github.com/easzlab/kubeasz.git
update calico v3.1.3
parent
30b6ebb59f
commit
7261653f03
|
@ -84,6 +84,7 @@
|
|||
- "/run/flannel/"
|
||||
- "/etc/calico/"
|
||||
- "/var/run/calico/"
|
||||
- "/var/lib/calico/"
|
||||
- "/var/log/calico/"
|
||||
- "/etc/cilium/"
|
||||
- "/var/run/cilium/"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# 部分calico相关配置,更全配置可以去roles/calico/templates/calico.yaml.j2自定义
|
||||
|
||||
# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 05.安装calico网络组件.md
|
||||
# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 docs/06.calico.md
|
||||
CALICO_IPV4POOL_IPIP: "always"
|
||||
|
||||
# 设置 Felix 日志级别
|
||||
|
@ -11,9 +11,9 @@ FELIX_LOG_LVL: "warning"
|
|||
IP_AUTODETECTION_METHOD: "can-reach={{ MASTER_IP }}"
|
||||
|
||||
# 镜像版本
|
||||
calico_node_ver: "v3.0.6"
|
||||
calico_cni_ver: "v2.0.5"
|
||||
calico_kube_controller_ver: "v2.0.4"
|
||||
calico_node_ver: "v3.1.3"
|
||||
calico_cni_ver: "v3.1.3"
|
||||
calico_kube_controller_ver: "v3.1.3"
|
||||
|
||||
# 离线镜像tar包
|
||||
calico_offline: "calico_{{ calico_node_ver }}.tar"
|
||||
|
|
|
@ -6,9 +6,6 @@
|
|||
- /opt/kube/kube-system/calico
|
||||
- /opt/kube/images
|
||||
|
||||
- name: 复制CA 证书到calico 证书目录
|
||||
shell: "cp {{ ca_dir }}/ca.pem /etc/calico/ssl/ca.pem"
|
||||
|
||||
- name: 创建calico 证书请求
|
||||
template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json
|
||||
|
||||
|
@ -19,9 +16,14 @@
|
|||
-config={{ ca_dir }}/ca-config.json \
|
||||
-profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"
|
||||
|
||||
# 因官方calico.yaml文件中使用特定的证书名,所以要重命名
|
||||
- name: 重命名相关证书
|
||||
shell: "cd /etc/calico/ssl && cp ca.pem etcd-ca && cp calico.pem etcd-cert && cp calico-key.pem etcd-key"
|
||||
- name: 创建 calico-etcd-secrets
|
||||
shell: "cd /etc/calico/ssl && \
|
||||
{{ bin_dir }}/kubectl create secret generic -n kube-system calico-etcd-secrets \
|
||||
--from-file=etcd-ca={{ ca_dir }}/ca.pem \
|
||||
--from-file=etcd-key=calico-key.pem \
|
||||
--from-file=etcd-cert=calico.pem"
|
||||
ignore_errors: true
|
||||
run_once: true
|
||||
|
||||
- name: 准备 calico DaemonSet yaml文件
|
||||
template: src=calico.yaml.j2 dest=/opt/kube/kube-system/calico/calico.yaml
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
# Calico Version v2.6.5
|
||||
# https://docs.projectcalico.org/v2.6/releases#v2.6.5
|
||||
# Calico Version v3.1.3
|
||||
# https://docs.projectcalico.org/v3.1/releases#v3.1.3
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
rules:
|
||||
|
@ -19,9 +19,16 @@ rules:
|
|||
verbs:
|
||||
- watch
|
||||
- list
|
||||
- apiGroups:
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
- networkpolicies
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
roleRef:
|
||||
|
@ -36,7 +43,7 @@ subjects:
|
|||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-node
|
||||
rules:
|
||||
|
@ -49,7 +56,7 @@ rules:
|
|||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: calico-node
|
||||
|
@ -61,4 +68,3 @@ subjects:
|
|||
- kind: ServiceAccount
|
||||
name: calico-node
|
||||
namespace: kube-system
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Calico Version {{ calico_node_ver }}
|
||||
# https://docs.projectcalico.org/v3.0/releases#{{ calico_node_ver }}
|
||||
# https://docs.projectcalico.org/v3.1/releases#{{ calico_node_ver }}
|
||||
# This manifest includes the following component versions:
|
||||
# calico/node:{{ calico_node_ver }}
|
||||
# calico/cni:{{ calico_cni_ver }}
|
||||
|
@ -25,22 +25,22 @@ data:
|
|||
"cniVersion": "0.3.0",
|
||||
"plugins": [
|
||||
{
|
||||
"type": "calico",
|
||||
"etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
|
||||
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
|
||||
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
|
||||
"etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
|
||||
"log_level": "warning",
|
||||
"mtu": 1500,
|
||||
"ipam": {
|
||||
"type": "calico-ipam"
|
||||
},
|
||||
"policy": {
|
||||
"type": "k8s"
|
||||
},
|
||||
"kubernetes": {
|
||||
"kubeconfig": "/root/.kube/config"
|
||||
}
|
||||
"type": "calico",
|
||||
"etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
|
||||
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
|
||||
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
|
||||
"etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem",
|
||||
"log_level": "warning",
|
||||
"mtu": 1500,
|
||||
"ipam": {
|
||||
"type": "calico-ipam"
|
||||
},
|
||||
"policy": {
|
||||
"type": "k8s"
|
||||
},
|
||||
"kubernetes": {
|
||||
"kubeconfig": "/root/.kube/config"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "portmap",
|
||||
|
@ -58,6 +58,11 @@ data:
|
|||
|
||||
---
|
||||
|
||||
# We use cmd-line-way( kubectl create) to create secrets 'calico-etcd-secrets',
|
||||
# refer to 'roles/calico/tasks/main.yml' for details.
|
||||
|
||||
---
|
||||
|
||||
# This manifest installs the calico/node container, as well
|
||||
# as the Calico CNI plugins and network config on
|
||||
# each master and worker node in a Kubernetes cluster.
|
||||
|
@ -102,7 +107,6 @@ spec:
|
|||
# container programs network policy and routes on each
|
||||
# host.
|
||||
- name: calico-node
|
||||
#image: quay.io/calico/node:{{ calico_node_ver }}
|
||||
image: calico/node:{{ calico_node_ver }}
|
||||
env:
|
||||
# The location of the Calico etcd cluster.
|
||||
|
@ -131,7 +135,9 @@ spec:
|
|||
# Set Felix endpoint to host default action to ACCEPT.
|
||||
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
|
||||
value: "ACCEPT"
|
||||
# Configure the IP Pool from which Pod IPs will be chosen.
|
||||
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
|
||||
# chosen from this range. Changing this value after installation will have
|
||||
# no effect. This should fall within `--cluster-cidr`.
|
||||
- name: CALICO_IPV4POOL_CIDR
|
||||
value: "{{ CLUSTER_CIDR }}"
|
||||
- name: CALICO_IPV4POOL_IPIP
|
||||
|
@ -139,9 +145,9 @@ spec:
|
|||
# Disable IPv6 on Kubernetes.
|
||||
- name: FELIX_IPV6SUPPORT
|
||||
value: "false"
|
||||
# Set Felix logging to "warning"
|
||||
# Set Felix logging
|
||||
- name: FELIX_LOGSEVERITYSCREEN
|
||||
value: {{ FELIX_LOG_LVL }}
|
||||
value: "{{ FELIX_LOG_LVL }}"
|
||||
# Set MTU for tunnel device used if ipip is enabled
|
||||
- name: FELIX_IPINIPMTU
|
||||
value: "1440"
|
||||
|
@ -194,12 +200,14 @@ spec:
|
|||
- mountPath: /var/run/calico
|
||||
name: var-run-calico
|
||||
readOnly: false
|
||||
- mountPath: /var/lib/calico
|
||||
name: var-lib-calico
|
||||
readOnly: false
|
||||
- mountPath: /calico-secrets
|
||||
name: etcd-certs
|
||||
# This container installs the Calico CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
- name: install-cni
|
||||
#image: quay.io/calico/cni:{{ calico_cni_ver }}
|
||||
image: calico/cni:{{ calico_cni_ver }}
|
||||
command: ["/install-cni.sh"]
|
||||
env:
|
||||
|
@ -233,6 +241,9 @@ spec:
|
|||
- name: var-run-calico
|
||||
hostPath:
|
||||
path: /var/run/calico
|
||||
- name: var-lib-calico
|
||||
hostPath:
|
||||
path: /var/lib/calico
|
||||
# Used to install CNI.
|
||||
- name: cni-bin-dir
|
||||
hostPath:
|
||||
|
@ -240,10 +251,12 @@ spec:
|
|||
- name: cni-net-dir
|
||||
hostPath:
|
||||
path: /etc/cni/net.d
|
||||
# Mount in the etcd TLS secrets.
|
||||
# Mount in the etcd TLS secrets with mode 400.
|
||||
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||
- name: etcd-certs
|
||||
hostPath:
|
||||
path: /etc/calico/ssl
|
||||
secret:
|
||||
secretName: calico-etcd-secrets
|
||||
defaultMode: 0400
|
||||
|
||||
---
|
||||
|
||||
|
@ -258,9 +271,6 @@ metadata:
|
|||
k8s-app: calico-kube-controllers
|
||||
annotations:
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
scheduler.alpha.kubernetes.io/tolerations: |
|
||||
[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
|
||||
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
|
||||
spec:
|
||||
# The controllers can only have a single active instance.
|
||||
replicas: 1
|
||||
|
@ -279,10 +289,15 @@ spec:
|
|||
# The controllers must run in the host network namespace so that
|
||||
# it isn't governed by policy that would prevent it from working.
|
||||
hostNetwork: true
|
||||
tolerations:
|
||||
# Mark the pod as a critical add-on for rescheduling.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
serviceAccountName: calico-kube-controllers
|
||||
containers:
|
||||
- name: calico-kube-controllers
|
||||
#image: quay.io/calico/kube-controllers:{{ calico_kube_controller_ver }}
|
||||
image: calico/kube-controllers:{{ calico_kube_controller_ver }}
|
||||
env:
|
||||
# The location of the Calico etcd cluster.
|
||||
|
@ -312,7 +327,7 @@ spec:
|
|||
# Choose which controllers to run.
|
||||
- name: ENABLED_CONTROLLERS
|
||||
value: policy,profile,workloadendpoint,node
|
||||
# 多网卡服务器需要设置以下2个环境变量
|
||||
# if hosts have multiple net interfaces, set following two ENVs
|
||||
- name: KUBERNETES_SERVICE_HOST
|
||||
value: "{{ MASTER_IP }}"
|
||||
- name: KUBERNETES_SERVICE_PORT
|
||||
|
@ -322,10 +337,12 @@ spec:
|
|||
- mountPath: /calico-secrets
|
||||
name: etcd-certs
|
||||
volumes:
|
||||
# Mount in the etcd TLS secrets.
|
||||
# Mount in the etcd TLS secrets with mode 400.
|
||||
# See https://kubernetes.io/docs/concepts/configuration/secret/
|
||||
- name: etcd-certs
|
||||
hostPath:
|
||||
path: /etc/calico/ssl
|
||||
secret:
|
||||
secretName: calico-etcd-secrets
|
||||
defaultMode: 0400
|
||||
|
||||
---
|
||||
|
||||
|
|
|
@ -119,4 +119,5 @@
|
|||
|
||||
# 兼容ansible执行节点与deploy节点分离情况
|
||||
- name: 复制 manifests至 deploy节点
|
||||
copy: src={{ base_dir }}/manifests dest={{ base_dir }}/manifests
|
||||
copy: src={{ base_dir }}/manifests dest={{ base_dir }}
|
||||
when: "ansible_env['SSH_CLIENT'].split(' ')[0] != inventory_hostname"
|
||||
|
|
Loading…
Reference in New Issue