From a850af10c4d18934630b7f2ffcfae9a0d13192b0 Mon Sep 17 00:00:00 2001
From: jmgao
Date: Wed, 22 Nov 2017 12:34:51 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0calicoctl=E5=AE=89=E8=A3=85?=
 =?UTF-8?q?=EF=BC=8C=E9=BB=98=E8=AE=A4=E5=85=B3=E9=97=ADIP-in-IP?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 95.clean.yml | 2 +-
 roles/calico/files/rbac.yaml | 64 ----
 roles/calico/tasks/main.yml | 14 +-
 roles/calico/templates/calico-node.service.j2 | 2 +-
 roles/calico/templates/calico.yaml | 358 ------------------
 roles/calico/templates/calicoctl.cfg.j2 | 9 +
 roles/calico/templates/cni-calico.conf.j2 | 2 -
 7 files changed, 20 insertions(+), 431 deletions(-)
 delete mode 100644 roles/calico/files/rbac.yaml
 delete mode 100644 roles/calico/templates/calico.yaml
 create mode 100644 roles/calico/templates/calicoctl.cfg.j2

diff --git a/95.clean.yml b/95.clean.yml
index fc1f577..284a3a0 100644
--- a/95.clean.yml
+++ b/95.clean.yml
@@ -16,7 +16,7 @@
 file: name={{ item }} state=absent
 with_items:
 - "/etc/cni/"
- - "/etc/calico/ssl/"
+ - "/etc/calico/"
 - "/var/run/calico/"
 - "/var/log/calico/"
 - "/var/lib/docker/"
diff --git a/roles/calico/files/rbac.yaml b/roles/calico/files/rbac.yaml
deleted file mode 100644
index 3cbee3a..0000000
--- a/roles/calico/files/rbac.yaml
+++ /dev/null
@@ -1,64 +0,0 @@ -# Calico Version v2.6.2 -# https://docs.projectcalico.org/v2.6/releases#v2.6.2 - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: calico-kube-controllers - namespace: kube-system -rules: - - apiGroups: - - "" - - extensions - resources: - - pods - - namespaces - - networkpolicies - verbs: - - watch - - list ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: calico-kube-controllers -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-kube-controllers -subjects: -- kind: ServiceAccount - name: calico-kube-controllers - namespace: kube-system - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: calico-node - namespace: kube-system -rules: - - apiGroups: [""] - resources: - - pods - - nodes - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: calico-node -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-node -subjects: -- kind: ServiceAccount - name: calico-node - namespace: kube-system diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml index 134fdad..70eebf8 100644 --- a/roles/calico/tasks/main.yml +++ b/roles/calico/tasks/main.yml @@ -1,5 +1,8 @@ -- name: 创建calico证书目录 - file: name=/etc/calico/ssl state=directory +- name: 创建calico 相关目录 + file: name={{ item }} state=directory + with_items: + - /etc/calico/ssl + - /etc/cni/net.d - name: 复制CA 证书和etcd 证书 copy: src={{ item }} dest=/etc/calico/ssl/{{ item }} 
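Review bot: The `file: name={{ item }} state=directory` loop creates `/etc/calico/ssl` with whatever the default umask yields, and the calicoctl config added elsewhere in this commit points `etcdKeyFile` at `/etc/calico/ssl/etcd-key.pem`, so this directory ends up holding the etcd client private key. The `copy` task that follows is only partly visible here and its `mode` is not shown; unless it locks down the key file itself, I would give the ssl directory an explicit restrictive mode in its own task, e.g. `file: name=/etc/calico/ssl state=directory mode=0700`, and keep `/etc/cni/net.d` in the loop with the default mode since the kubelet has to read it. The remaining tasks of this file continue outside the hunk.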
@@ -20,15 +23,16 @@
 - name: 重新启动calico
 shell: systemctl restart calico-node
 
-- name: 下载calico cni plugins
+- name: 下载calico cni plugins和calicoctl 客户端
 copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
 with_items:
 - calico
 - calico-ipam
 - loopback
+ - calicoctl
 
-- name: 创建cni config 目录
- file: name=/etc/cni/net.d state=directory
+- name: 准备 calicoctl配置文件
+ template: src=calicoctl.cfg.j2 dest=/etc/calico/calicoctl.cfg
 
 - name: 准备 cni配置文件
 template: src=cni-calico.conf.j2 dest=/etc/cni/net.d/10-calico.conf
diff --git a/roles/calico/templates/calico-node.service.j2 b/roles/calico/templates/calico-node.service.j2
index 7c65df6..93239cd 100644
--- a/roles/calico/templates/calico-node.service.j2
+++ b/roles/calico/templates/calico-node.service.j2
@@ -15,7 +15,7 @@ ExecStart={{ bin_dir }}/docker run --net=host --privileged --name=calico-node \
 -e CALICO_NETWORKING_BACKEND=bird \
 -e CALICO_DISABLE_FILE_LOGGING=true \
 -e CALICO_IPV4POOL_CIDR={{ CLUSTER_CIDR }} \
- -e CALICO_IPV4POOL_IPIP=always \
+ -e CALICO_IPV4POOL_IPIP=off \
 -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \
 -e FELIX_IPV6SUPPORT=false \
 -e FELIX_LOGSEVERITYSCREEN=info \
diff --git a/roles/calico/templates/calico.yaml b/roles/calico/templates/calico.yaml
deleted file mode 100644
index ec9db95..0000000
--- a/roles/calico/templates/calico.yaml
+++ /dev/null
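Review bot: Changing `CALICO_IPV4POOL_IPIP` from `always` to `off` makes every cross-node pod packet travel unencapsulated, so connectivity now depends on the underlay accepting the BGP-learned pod routes; nodes on different subnets, or fabrics that drop packets whose source is not the host address, lose pod-to-pod traffic with no error surfaced by this unit. As far as I recall, calico-node reads this variable only when it creates the IPv4 pool on first start, so an already-deployed cluster keeps its existing IP-in-IP pool until it is edited with the calicoctl this commit installs; worth confirming against the v2.6 docs and stating in the commit message. `cross-subnet` would keep encapsulation only where it is needed, and exposing the value as a playbook variable instead of a literal in the template would make the choice explicit per deployment. The `ExecStart` line this flag belongs to starts before the hunk.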
@@ -1,358 +0,0 @@ -# Calico Version v2.6.2 -# https://docs.projectcalico.org/v2.6/releases#v2.6.2 -# This manifest includes the following component versions: -# calico/node:v2.6.2 -# calico/cni:v1.11.0 -# calico/kube-controllers:v1.0.0 - -# This ConfigMap is used to configure a self-hosted Calico installation. -kind: ConfigMap -apiVersion: v1 -metadata: - name: calico-config - namespace: kube-system -data: - # Configure this with the location of your etcd cluster. - etcd_endpoints: "http://127.0.0.1:2379" - - # Configure the Calico backend to use. - calico_backend: "bird" - - # The CNI network configuration to install on each node. - cni_network_config: |- - { - "name": "k8s-pod-network", - "cniVersion": "0.1.0", - "type": "calico", - "etcd_endpoints": "__ETCD_ENDPOINTS__", - "etcd_key_file": "__ETCD_KEY_FILE__", - "etcd_cert_file": "__ETCD_CERT_FILE__", - "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__", - "log_level": "info", - "mtu": 1500, - "ipam": { - "type": "calico-ipam" - }, - "policy": { - "type": "k8s", - "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", - "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" - }, - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__" - } - } - - # If you're using TLS enabled etcd uncomment the following. - # You must also populate the Secret below with these files. - etcd_ca: "" # "/calico-secrets/etcd-ca" - etcd_cert: "" # "/calico-secrets/etcd-cert" - etcd_key: "" # "/calico-secrets/etcd-key" - ---- - -# The following contains k8s Secrets for use with a TLS enabled etcd cluster. -# For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/ -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: calico-etcd-secrets - namespace: kube-system -data: - # Populate the following files with etcd TLS configuration if desired, but leave blank if - # not using TLS for etcd. - # This self-hosted install expects three files with the following names. 
The values - # should be base64 encoded strings of the entire contents of each file. - # etcd-key: null - # etcd-cert: null - # etcd-ca: null - ---- - -# This manifest installs the calico/node container, as well -# as the Calico CNI plugins and network config on -# each master and worker node in a Kubernetes cluster. -kind: DaemonSet -apiVersion: extensions/v1beta1 -metadata: - name: calico-node - namespace: kube-system - labels: - k8s-app: calico-node -spec: - selector: - matchLabels: - k8s-app: calico-node - template: - metadata: - labels: - k8s-app: calico-node - annotations: - scheduler.alpha.kubernetes.io/critical-pod: '' - scheduler.alpha.kubernetes.io/tolerations: | - [{"key": "dedicated", "value": "master", "effect": "NoSchedule" }, - {"key":"CriticalAddonsOnly", "operator":"Exists"}] - spec: - hostNetwork: true - serviceAccountName: calico-node - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 0 - containers: - # Runs calico/node container on each Kubernetes node. This - # container programs network policy and routes on each - # host. - - name: calico-node - image: quay.io/calico/node:v2.6.2 - env: - # The location of the Calico etcd cluster. - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_endpoints - # Choose the backend to use. - - name: CALICO_NETWORKING_BACKEND - valueFrom: - configMapKeyRef: - name: calico-config - key: calico_backend - # Cluster type to identify the deployment type - - name: CLUSTER_TYPE - value: "k8s,bgp" - # Disable file logging so `kubectl logs` works. - - name: CALICO_DISABLE_FILE_LOGGING - value: "true" - # Set Felix endpoint to host default action to ACCEPT. - - name: FELIX_DEFAULTENDPOINTTOHOSTACTION - value: "ACCEPT" - # Configure the IP Pool from which Pod IPs will be chosen. 
- - name: CALICO_IPV4POOL_CIDR - value: "192.168.0.0/16" - - name: CALICO_IPV4POOL_IPIP - value: "always" - # Disable IPv6 on Kubernetes. - - name: FELIX_IPV6SUPPORT - value: "false" - # Set Felix logging to "info" - - name: FELIX_LOGSEVERITYSCREEN - value: "info" - # Set MTU for tunnel device used if ipip is enabled - - name: FELIX_IPINIPMTU - value: "1440" - # Location of the CA certificate for etcd. - - name: ETCD_CA_CERT_FILE - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_ca - # Location of the client key for etcd. - - name: ETCD_KEY_FILE - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_key - # Location of the client certificate for etcd. - - name: ETCD_CERT_FILE - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_cert - # Auto-detect the BGP IP address. - - name: IP - value: "" - - name: FELIX_HEALTHENABLED - value: "true" - securityContext: - privileged: true - resources: - requests: - cpu: 250m - livenessProbe: - httpGet: - path: /liveness - port: 9099 - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 - readinessProbe: - httpGet: - path: /readiness - port: 9099 - periodSeconds: 10 - volumeMounts: - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /var/run/calico - name: var-run-calico - readOnly: false - - mountPath: /calico-secrets - name: etcd-certs - # This container installs the Calico CNI binaries - # and CNI network config file on each node. - - name: install-cni - image: quay.io/calico/cni:v1.11.0 - command: ["/install-cni.sh"] - env: - # The location of the Calico etcd cluster. - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_endpoints - # The CNI network config to install on each node. 
- - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: calico-config - key: cni_network_config - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /calico-secrets - name: etcd-certs - volumes: - # Used by calico/node. - - name: lib-modules - hostPath: - path: /lib/modules - - name: var-run-calico - hostPath: - path: /var/run/calico - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: /opt/cni/bin - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - # Mount in the etcd TLS secrets. - - name: etcd-certs - secret: - secretName: calico-etcd-secrets - ---- - -# This manifest deploys the Calico Kubernetes controllers. -# See https://github.com/projectcalico/kube-controllers -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: calico-kube-controllers - namespace: kube-system - labels: - k8s-app: calico-kube-controllers - annotations: - scheduler.alpha.kubernetes.io/critical-pod: '' - scheduler.alpha.kubernetes.io/tolerations: | - [{"key": "dedicated", "value": "master", "effect": "NoSchedule" }, - {"key":"CriticalAddonsOnly", "operator":"Exists"}] -spec: - # The controllers can only have a single active instance. - replicas: 1 - strategy: - type: Recreate - template: - metadata: - name: calico-kube-controllers - namespace: kube-system - labels: - k8s-app: calico-kube-controllers - spec: - # The controllers must run in the host network namespace so that - # it isn't governed by policy that would prevent it from working. - hostNetwork: true - serviceAccountName: calico-kube-controllers - containers: - - name: calico-kube-controllers - image: quay.io/calico/kube-controllers:v1.0.0 - env: - # The location of the Calico etcd cluster. - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_endpoints - # Location of the CA certificate for etcd. 
- - name: ETCD_CA_CERT_FILE - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_ca - # Location of the client key for etcd. - - name: ETCD_KEY_FILE - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_key - # Location of the client certificate for etcd. - - name: ETCD_CERT_FILE - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_cert - volumeMounts: - # Mount in the etcd TLS secrets. - - mountPath: /calico-secrets - name: etcd-certs - volumes: - # Mount in the etcd TLS secrets. - - name: etcd-certs - secret: - secretName: calico-etcd-secrets - ---- - -# This deployment turns off the old "policy-controller". It should remain at 0 replicas, and then -# be removed entirely once the new kube-controllers deployment has been deployed above. -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: calico-policy-controller - namespace: kube-system - labels: - k8s-app: calico-policy -spec: - # Turn this deployment off in favor of the kube-controllers deployment above. - replicas: 0 - strategy: - type: Recreate - template: - metadata: - name: calico-policy-controller - namespace: kube-system - labels: - k8s-app: calico-policy - spec: - hostNetwork: true - serviceAccountName: calico-kube-controllers - containers: - - name: calico-policy-controller - image: quay.io/calico/kube-controllers:v1.0.0 - env: - # The location of the Calico etcd cluster. - - name: ETCD_ENDPOINTS - valueFrom: - configMapKeyRef: - name: calico-config - key: etcd_endpoints - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-kube-controllers - namespace: kube-system - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-node - namespace: kube-system diff --git a/roles/calico/templates/calicoctl.cfg.j2 b/roles/calico/templates/calicoctl.cfg.j2 new file mode 100644 index 0000000..00da116 --- /dev/null +++ b/roles/calico/templates/calicoctl.cfg.j2 
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: calicoApiConfig
+metadata:
+spec:
+ datastoreType: "etcdv2"
+ etcdEndpoints: {{ ETCD_ENDPOINTS }}
+ etcdKeyFile: /etc/calico/ssl/etcd-key.pem
+ etcdCertFile: /etc/calico/ssl/etcd.pem
+ etcdCACertFile: /etc/calico/ssl/ca.pem
diff --git a/roles/calico/templates/cni-calico.conf.j2 b/roles/calico/templates/cni-calico.conf.j2
index 1287320..be24b26 100644
--- a/roles/calico/templates/cni-calico.conf.j2
+++ b/roles/calico/templates/cni-calico.conf.j2
@@ -13,8 +13,6 @@
 },
 "policy": {
 "type": "k8s",
- "k8s_api_root": "{{ KUBE_APISERVER }}",
- "k8s_auth_token": "{{ BOOTSTRAP_TOKEN }}"
 },
 "kubernetes": {
 "kubeconfig": "/root/.kube/config"
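Review bot: `etcdEndpoints: {{ ETCD_ENDPOINTS }}` expands unquoted, so an empty or undefined variable renders as YAML null and a value containing `: ` or ` #` would be mis-parsed; write it as `etcdEndpoints: "{{ ETCD_ENDPOINTS }}"`. The bare `metadata:` likewise parses as null rather than an empty mapping; the upstream calicoctl example uses the same bare form, so it is tolerated, but `metadata: {}` states the intent. The file holds no secrets itself, but it hands calicoctl the etcd client key at `/etc/calico/ssl/etcd-key.pem`, so anyone who can run calicoctl with this config has full access to the Calico datastore; expected for a root-owned tool, but worth a one-line comment at the top of the template.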
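Review bot: Removing the two `k8s_*` members leaves `"type": "k8s",` as the last entry of the `policy` object, so the rendered config now has a trailing comma before `}`; the CNI plugins decode this file with a strict JSON parser that rejects trailing commas, and pod sandbox setup will fail on every node. The context line needs to become `"type": "k8s"` in the same hunk (the old 8 / new 6 counts show nothing else was added). Taking `BOOTSTRAP_TOKEN` out of a file under `/etc/cni/net.d` is the right call; the plugin now authenticates with whatever identity `/root/.kube/config` carries, so confirm that kubeconfig is scoped to what the Calico policy lookups need rather than a cluster-admin credential. The enclosing JSON object starts before the hunk.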