Fix calico-rr to use etcd certs instead of kube certs

pull/818/head
Matthew Mosesohn 2016-12-23 19:25:37 +03:00
parent 36a5143478
commit 6d9cd2d720
5 changed files with 16 additions and 17 deletions

View File

@ -7,7 +7,7 @@
run_once: true
with_items: >-
['ca.pem',
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
{% for host in all_etcd_hosts %}
'node-{{ host }}-key.pem'
{% if not loop.last %}{{','}}{% endif %}
@ -39,7 +39,7 @@
sync_certs: true
when: >-
{%- set certs = {'sync': False} -%}
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
{% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
{% for host in all_etcd_hosts %}
{% if host == inventory_hostname %}
{% if (not etcdcert.results[0].stat.exists|default(False)) or

View File

@ -40,7 +40,8 @@
{{ m }}
{% endif %}
{% endfor %}"
- HOSTS: "{% for h in groups['k8s-cluster'] %}
- HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
{% for h in all_kube_hosts %}
{% if hostvars[h].sync_certs|default(false) %}
{{ h }}
{% endif %}
@ -65,7 +66,8 @@
'member-{{ inventory_hostname }}-key.pem'
]
all_node_certs: "['ca.pem',
{% for node in groups['k8s-cluster'] %}
{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
{% for node in all_kube_hosts %}
'node-{{ node }}.pem',
'node-{{ node }}-key.pem',
{% endfor %}]"
@ -76,7 +78,6 @@
shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
register: etcd_master_cert_data
delegate_to: "{{groups['etcd'][0]}}"
#run_once: true
when: sync_certs|default(false)
notify: set etcd_secret_changed
@ -96,8 +97,7 @@
- name: Gen_certs | Copy certs on nodes
shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
changed_when: false
when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
inventory_hostname not in groups['etcd']
when: sync_certs|default(false) and inventory_hostname not in groups['etcd']
- name: Gen_certs | check certificate permissions
file:

View File

@ -51,10 +51,9 @@
- name: Gen_certs | Copy certs on nodes
shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
changed_when: false
when: (inventory_hostname in groups['kube-node'] or
(peer_with_calico_rr and inventory_hostname in groups['calico-rr'])) and
sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0]
when: inventory_hostname in groups['kube-node'] and
sync_certs|default(false) and
inventory_hostname != groups['kube-master'][0]
- name: Gen_certs | check certificate permissions
file:

View File

@ -1,5 +1,5 @@
dependencies:
- role: kubernetes/secrets
- role: etcd
- role: docker
when: ansible_os_family != "CoreOS"
- role: download

View File

@ -7,7 +7,7 @@
set_fact:
rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"
- name: Calico | Create calico certs directory
- name: Calico-rr | Create calico certs directory
file:
dest: "{{ calico_cert_dir }}"
state: directory
@ -15,16 +15,16 @@
owner: root
group: root
- name: Calico | Link etcd certificates for calico-node
- name: Calico-rr | Link etcd certificates for calico-node
file:
src: "{{ kube_cert_dir }}/{{ item.s }}"
src: "{{ etcd_cert_dir }}/{{ item.s }}"
dest: "{{ calico_cert_dir }}/{{ item.d }}"
state: hard
force: yes
with_items:
- {s: "ca.pem", d: "ca_cert.crt"}
- {s: "node.pem", d: "cert.crt"}
- {s: "node-key.pem", d: "key.pem"}
- {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
- {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
- name: Calico-rr | Create dir for logs
file: