update calico v3.1.3

gjmzj 2018-08-11 15:26:44 +08:00
parent 30b6ebb59f
commit 7261653f03
6 changed files with 81 additions and 54 deletions


@ -84,6 +84,7 @@
- "/run/flannel/"
- "/etc/calico/"
- "/var/run/calico/"
- "/var/lib/calico/"
- "/var/log/calico/"
- "/etc/cilium/"
- "/var/run/cilium/"


@ -1,6 +1,6 @@
# 部分calico相关配置更全配置可以去roles/calico/templates/calico.yaml.j2自定义
# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 05.安装calico网络组件.md
# 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能,条件限制详见 docs/06.calico.md
CALICO_IPV4POOL_IPIP: "always"
# 设置 Felix 日志级别
@ -11,9 +11,9 @@ FELIX_LOG_LVL: "warning"
IP_AUTODETECTION_METHOD: "can-reach={{ MASTER_IP }}"
# 镜像版本
calico_node_ver: "v3.0.6"
calico_cni_ver: "v2.0.5"
calico_kube_controller_ver: "v2.0.4"
calico_node_ver: "v3.1.3"
calico_cni_ver: "v3.1.3"
calico_kube_controller_ver: "v3.1.3"
# 离线镜像tar包
calico_offline: "calico_{{ calico_node_ver }}.tar"


@ -6,9 +6,6 @@
- /opt/kube/kube-system/calico
- /opt/kube/images
- name: 复制CA 证书到calico 证书目录
shell: "cp {{ ca_dir }}/ca.pem /etc/calico/ssl/ca.pem"
- name: 创建calico 证书请求
template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json
@ -19,9 +16,14 @@
-config={{ ca_dir }}/ca-config.json \
-profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"
# 因官方calico.yaml文件中使用特定的证书名所以要重命名
- name: 重命名相关证书
shell: "cd /etc/calico/ssl && cp ca.pem etcd-ca && cp calico.pem etcd-cert && cp calico-key.pem etcd-key"
- name: 创建 calico-etcd-secrets
shell: "cd /etc/calico/ssl && \
{{ bin_dir }}/kubectl create secret generic -n kube-system calico-etcd-secrets \
--from-file=etcd-ca={{ ca_dir }}/ca.pem \
--from-file=etcd-key=calico-key.pem \
--from-file=etcd-cert=calico.pem"
ignore_errors: true
run_once: true
- name: 准备 calico DaemonSet yaml文件
template: src=calico.yaml.j2 dest=/opt/kube/kube-system/calico/calico.yaml
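Review bot: `ignore_errors: true` on the new "创建 calico-etcd-secrets" task hides every failure of the `kubectl create secret` command, not only the AlreadyExists it is presumably there for, so a missing calico-key.pem or an unreachable apiserver leaves the DaemonSet with no secret to mount while the play still reports success. Because `kubectl create` refuses to overwrite an existing object, a later run that regenerates the calico certificate also never refreshes the key material inside the secret, and the pods keep mounting the stale copy. Make the step idempotent and keep errors visible: end the command with `--from-file=etcd-cert=calico.pem --dry-run -o yaml | {{ bin_dir }}/kubectl apply -f -"` and drop `ignore_errors: true`. The task still leaves calico.pem and calico-key.pem under /etc/calico/ssl on every node, which the host-side CNI plugin config appears to read, so the secret does not remove the private key from host disk. The cfssl gencert command that precedes this task starts outside the hunk.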


@ -1,10 +1,10 @@
# Calico Version v2.6.5
# https://docs.projectcalico.org/v2.6/releases#v2.6.5
# Calico Version v3.1.3
# https://docs.projectcalico.org/v3.1/releases#v3.1.3
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-kube-controllers
rules:
@ -19,9 +19,16 @@ rules:
verbs:
- watch
- list
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- watch
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-kube-controllers
roleRef:
@ -36,7 +43,7 @@ subjects:
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-node
rules:
@ -49,7 +56,7 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-node
@ -61,4 +68,3 @@ subjects:
- kind: ServiceAccount
name: calico-node
namespace: kube-system
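Review bot: Each of the four RBAC objects now declares `apiVersion: rbac.authorization.k8s.io/v1beta1` where the previous revision used `v1` (the +/- markers are lost on this page, but the old-then-new print order and the upstream v3.1 manifest point that way). `rbac.authorization.k8s.io/v1` has been GA since Kubernetes 1.8 and v1beta1 is the deprecated form that later releases remove, so a manifest that already used v1 should keep `apiVersion: rbac.authorization.k8s.io/v1` on all four objects rather than follow upstream backwards. The added networking.k8s.io/networkpolicies rule grants only watch and list, which is read-only and in line with the other rules in this ClusterRole, so no privilege is broadened there.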


@ -1,5 +1,5 @@
# Calico Version {{ calico_node_ver }}
# https://docs.projectcalico.org/v3.0/releases#{{ calico_node_ver }}
# https://docs.projectcalico.org/v3.1/releases#{{ calico_node_ver }}
# This manifest includes the following component versions:
# calico/node:{{ calico_node_ver }}
# calico/cni:{{ calico_cni_ver }}
@ -25,22 +25,22 @@ data:
"cniVersion": "0.3.0",
"plugins": [
{
"type": "calico",
"etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
"etcd_ca_cert_file": "/etc/calico/ssl/ca.pem",
"log_level": "warning",
"mtu": 1500,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "/root/.kube/config"
}
"type": "calico",
"etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
"etcd_key_file": "/etc/calico/ssl/calico-key.pem",
"etcd_cert_file": "/etc/calico/ssl/calico.pem",
"etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem",
"log_level": "warning",
"mtu": 1500,
"ipam": {
"type": "calico-ipam"
},
"policy": {
"type": "k8s"
},
"kubernetes": {
"kubeconfig": "/root/.kube/config"
}
},
{
"type": "portmap",
@ -58,6 +58,11 @@ data:
---
# We use cmd-line-way( kubectl create) to create secrets 'calico-etcd-secrets',
# refer to 'roles/calico/tasks/main.yml' for details.
---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
@ -102,7 +107,6 @@ spec:
# container programs network policy and routes on each
# host.
- name: calico-node
#image: quay.io/calico/node:{{ calico_node_ver }}
image: calico/node:{{ calico_node_ver }}
env:
# The location of the Calico etcd cluster.
@ -131,7 +135,9 @@ spec:
# Set Felix endpoint to host default action to ACCEPT.
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION
value: "ACCEPT"
# Configure the IP Pool from which Pod IPs will be chosen.
# The default IPv4 pool to create on startup if none exists. Pod IPs will be
# chosen from this range. Changing this value after installation will have
# no effect. This should fall within `--cluster-cidr`.
- name: CALICO_IPV4POOL_CIDR
value: "{{ CLUSTER_CIDR }}"
- name: CALICO_IPV4POOL_IPIP
@ -139,9 +145,9 @@ spec:
# Disable IPv6 on Kubernetes.
- name: FELIX_IPV6SUPPORT
value: "false"
# Set Felix logging to "warning"
# Set Felix logging
- name: FELIX_LOGSEVERITYSCREEN
value: {{ FELIX_LOG_LVL }}
value: "{{ FELIX_LOG_LVL }}"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
value: "1440"
@ -194,12 +200,14 @@ spec:
- mountPath: /var/run/calico
name: var-run-calico
readOnly: false
- mountPath: /var/lib/calico
name: var-lib-calico
readOnly: false
- mountPath: /calico-secrets
name: etcd-certs
# This container installs the Calico CNI binaries
# and CNI network config file on each node.
- name: install-cni
#image: quay.io/calico/cni:{{ calico_cni_ver }}
image: calico/cni:{{ calico_cni_ver }}
command: ["/install-cni.sh"]
env:
@ -233,6 +241,9 @@ spec:
- name: var-run-calico
hostPath:
path: /var/run/calico
- name: var-lib-calico
hostPath:
path: /var/lib/calico
# Used to install CNI.
- name: cni-bin-dir
hostPath:
@ -240,10 +251,12 @@ spec:
- name: cni-net-dir
hostPath:
path: /etc/cni/net.d
# Mount in the etcd TLS secrets.
# Mount in the etcd TLS secrets with mode 400.
# See https://kubernetes.io/docs/concepts/configuration/secret/
- name: etcd-certs
hostPath:
path: /etc/calico/ssl
secret:
secretName: calico-etcd-secrets
defaultMode: 0400
---
@ -258,9 +271,6 @@ metadata:
k8s-app: calico-kube-controllers
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: |
[{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
spec:
# The controllers can only have a single active instance.
replicas: 1
@ -279,10 +289,15 @@ spec:
# The controllers must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
tolerations:
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master
effect: NoSchedule
serviceAccountName: calico-kube-controllers
containers:
- name: calico-kube-controllers
#image: quay.io/calico/kube-controllers:{{ calico_kube_controller_ver }}
image: calico/kube-controllers:{{ calico_kube_controller_ver }}
env:
# The location of the Calico etcd cluster.
@ -312,7 +327,7 @@ spec:
# Choose which controllers to run.
- name: ENABLED_CONTROLLERS
value: policy,profile,workloadendpoint,node
# 多网卡服务器需要设置以下2个环境变量
# if hosts have multiple net interfaces, set following two ENVs
- name: KUBERNETES_SERVICE_HOST
value: "{{ MASTER_IP }}"
- name: KUBERNETES_SERVICE_PORT
@ -322,10 +337,12 @@ spec:
- mountPath: /calico-secrets
name: etcd-certs
volumes:
# Mount in the etcd TLS secrets.
# Mount in the etcd TLS secrets with mode 400.
# See https://kubernetes.io/docs/concepts/configuration/secret/
- name: etcd-certs
hostPath:
path: /etc/calico/ssl
secret:
secretName: calico-etcd-secrets
defaultMode: 0400
---
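Review bot: In the CNI network config, `"etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem"` hardcodes the CA path while the secret in roles/calico/tasks/main.yml is built from `{{ ca_dir }}/ca.pem`; if `ca_dir` is ever set to another directory the host-side plugin can no longer verify the etcd endpoints, so template it as `"etcd_ca_cert_file": "{{ ca_dir }}/ca.pem"` to keep the two in step. Switching both `etcd-certs` volumes from a hostPath to the `calico-etcd-secrets` Secret with `defaultMode: 0400` tightens the in-pod copy, but the same calico-key.pem still lives under /etc/calico/ssl on every node for the plugin, so the key's exposure on the host is unchanged; a comment next to the secret volume such as `# the host-side CNI plugin still reads the same key from /etc/calico/ssl (see cni_network_config)` would keep that from being mistaken for a full move to Secrets. The calico-node env block that tells the container where the mounted secret files live is outside the visible hunks, so I could not confirm it points at /calico-secrets.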


@ -119,4 +119,5 @@
# 兼容ansible执行节点与deploy节点分离情况
- name: 复制 manifests至 deploy节点
copy: src={{ base_dir }}/manifests dest={{ base_dir }}/manifests
copy: src={{ base_dir }}/manifests dest={{ base_dir }}
when: "ansible_env['SSH_CLIENT'].split(' ')[0] != inventory_hostname"
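Review bot: The `when` condition still dereferences `ansible_env['SSH_CLIENT']` without a guard, so on a run where that variable is absent (`connection: local`, or an environment scrubbed by sudo) the task may fail with an undefined key instead of skipping; the new `dest` only fixes the nested manifests/manifests path. Guard it: `when: "ansible_env.SSH_CLIENT is defined and ansible_env.SSH_CLIENT.split(' ')[0] != inventory_hostname"`. The comparison also assumes `inventory_hostname` is an IP address, since it is matched against the SSH client address; presumably true for this project, but worth a comment such as `# copy only when the deploy node is not the ansible controller (inventory_hostname is expected to be an IP)`.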