kubeasz/roles/calico/tasks/main.yml

- name: 创建calico 相关目录
  file: name={{ item }} state=directory
  with_items:
  - /etc/calico/ssl
  - /opt/kube/kube-system/calico 

- name: 复制CA 证书到calico 证书目录
  copy: src={{ ca_dir }}/ca.pem dest=/etc/calico/ssl/ca.pem

- name: 创建calico 证书请求
  template: src=calico-csr.json.j2 dest=/etc/calico/ssl/calico-csr.json

- name: 创建 calico证书和私钥
  shell: "cd /etc/calico/ssl && {{ bin_dir }}/cfssl gencert \
        -ca={{ ca_dir }}/ca.pem \
        -ca-key={{ ca_dir }}/ca-key.pem \
        -config={{ ca_dir }}/ca-config.json \
        -profile=kubernetes calico-csr.json | {{ bin_dir }}/cfssljson -bare calico"

# 因官方calico.yaml文件中使用特定的证书名，所以要重命名
- name: 重命名相关证书
  shell: "cd /etc/calico/ssl && cp ca.pem etcd-ca && cp calico.pem etcd-cert && cp calico-key.pem etcd-key"

- name: 准备 calico DaemonSet yaml文件
  template: src=calico.yaml.j2 dest=/opt/kube/kube-system/calico/calico.yaml

- name: 准备 calico rbac文件 
  template: src=calico-rbac.yaml.j2 dest=/opt/kube/kube-system/calico/calico-rbac.yaml

- name: 获取所有已经创建的POD信息
  command: "{{ bin_dir }}/kubectl get daemonset -n kube-system"
  register: pod_info
  run_once: true

# 只需单节点执行一次
- name: 运行 calico网络
  shell: "{{ bin_dir }}/kubectl create -f /opt/kube/kube-system/calico/ && sleep 5"
  run_once: true
  when: '"calico-node" not in pod_info.stdout'

# 删除原有cni配置
- name: 删除默认cni配置
  file: path=/etc/cni/net.d/10-default.conf state=absent

# [可选]cni calico plugins 已经在calico.yaml完成自动安装
- name: 下载calicoctl 客户端
  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
  with_items:
  #- calico
  #- calico-ipam
  #- loopback
  - calicoctl

- name: 准备 calicoctl配置文件
  template: src=calicoctl.cfg.j2 dest=/etc/calico/calicoctl.cfg

# 等待网络插件部署成功，视下载镜像速度而定
- name: 轮询等待calico-node 运行，视下载镜像速度而定
  shell: "{{ bin_dir }}/kubectl get pod -n kube-system -o wide|grep 'calico-node'|grep ' {{ inventory_hostname }} '|awk '{print $3}'"
  register: pod_status
  until: pod_status.stdout == "Running"
  retries: 12
  delay: 8