From 6d9cd2d720a2fbd8c24f809630e12ed7b0db0e6d Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <mmosesohn@mirantis.com>
Date: Fri, 23 Dec 2016 19:25:37 +0300
Subject: [PATCH] Fix calico-rr to use etcd certs instead of kube certs

---
 roles/etcd/tasks/check_certs.yml              |  4 ++--
 roles/etcd/tasks/gen_certs.yml                | 10 +++++-----
 roles/kubernetes/secrets/tasks/gen_certs.yml  |  7 +++----
 roles/network_plugin/calico/rr/meta/main.yml  |  2 +-
 roles/network_plugin/calico/rr/tasks/main.yml | 10 +++++-----
 5 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/roles/etcd/tasks/check_certs.yml b/roles/etcd/tasks/check_certs.yml
index eeea8353e..1cf6524f4 100644
--- a/roles/etcd/tasks/check_certs.yml
+++ b/roles/etcd/tasks/check_certs.yml
@@ -7,7 +7,7 @@
   run_once: true
   with_items: >-
        ['ca.pem',
-       {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
+       {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
        {% for host in all_etcd_hosts %}
        'node-{{ host }}-key.pem'
        {% if not loop.last %}{{','}}{% endif %}
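Review bot: The host set `groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique` is now spelled out twice in this file (here and in the second hunk) and a third and fourth time in both gen_certs.yml hunks as `all_kube_hosts`, there without the `groups['etcd']` term; these copies are the one list of hosts that must hold an etcd node cert, and they will drift the next time a group is added. Defining it once as a role variable, e.g. `etcd_node_cert_hosts: "{{ groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique }}"` in the etcd role defaults, and iterating `{% for host in etcd_node_cert_hosts %}` in all four places would keep the check and the generation in step. Whether the gen_certs copies deliberately omit groups['etcd'] (member certs appear to be handled separately there) is not visible from these hunks, so confirm that before unifying. The `when:` expression in the second hunk continues past the end of that hunk.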
@@ -39,7 +39,7 @@
     sync_certs: true
   when: >-
       {%- set certs = {'sync': False} -%}
-      {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
+      {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
       {% for host in all_etcd_hosts %}
         {% if host == inventory_hostname %}
           {% if (not etcdcert.results[0].stat.exists|default(False)) or
diff --git a/roles/etcd/tasks/gen_certs.yml b/roles/etcd/tasks/gen_certs.yml
index 29e6ee318..088371a87 100644
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@@ -40,7 +40,8 @@
                     {{ m }}
                   {% endif %}
                 {% endfor %}"
-    - HOSTS: "{% for h in groups['k8s-cluster'] %}
+    - HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
+              {% for h in all_kube_hosts %}
                 {% if hostvars[h].sync_certs|default(false) %}
                     {{ h }}
                 {% endif %}
@@ -65,7 +66,8 @@
                      'member-{{ inventory_hostname }}-key.pem'
                      ]
     all_node_certs: "['ca.pem',
-                    {% for node in groups['k8s-cluster'] %}
+                    {% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
+                    {% for node in all_kube_hosts %}
                     'node-{{ node }}.pem',
                     'node-{{ node }}-key.pem',
                     {% endfor %}]"
@@ -76,7 +78,6 @@
   shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
   register: etcd_master_cert_data
   delegate_to: "{{groups['etcd'][0]}}"
-  #run_once: true
   when: sync_certs|default(false)
   notify: set etcd_secret_changed
 
@@ -96,8 +97,7 @@
 - name: Gen_certs | Copy certs on nodes
   shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
   changed_when: false
-  when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
-        inventory_hostname not in groups['etcd']
+  when: sync_certs|default(false) and inventory_hostname not in groups['etcd']
 
 - name: Gen_certs | check certificate permissions
   file:
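Review bot: Dropping `inventory_hostname in groups['k8s-cluster']` from the `when:` means `Gen_certs | Copy certs on nodes` now runs on any host that includes this role with `sync_certs` true and outside groups['etcd'], which is what lets calico-rr hosts receive their node cert. The task decodes `etcd_node_cert_data`, which is registered by a task outside this hunk; if that task's own `when:` still limits it to groups['k8s-cluster'], the variable is undefined on calico-rr hosts and this task fails there, so it presumably needs the same relaxation. A short comment above the task, `# runs on every non-etcd host the role is applied to, including calico-rr`, would record why no group check remains.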
diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
index f951bb368..6a841911f 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -51,10 +51,9 @@
 - name: Gen_certs | Copy certs on nodes
   shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
   changed_when: false
-  when: (inventory_hostname in groups['kube-node'] or
-           (peer_with_calico_rr and inventory_hostname in groups['calico-rr'])) and
-         sync_certs|default(false) and
-         inventory_hostname != groups['kube-master'][0]
+  when: inventory_hostname in groups['kube-node'] and
+        sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]
 
 - name: Gen_certs | check certificate permissions
   file:
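Review bot: Removing the `peer_with_calico_rr` branch from the `when:` stops kube node certs being unpacked on calico-rr hosts, which is the right direction now that they use etcd certs. The bundle they would have received comes from `node_cert_data`, registered by a task outside this hunk; if that task, or the one deciding which node certs to generate, still enumerates groups['calico-rr'], kube node certs are still being minted for hosts that no longer need them and should be trimmed the same way. `peer_with_calico_rr` is no longer referenced in this task, so check whether it still has a consumer before leaving it in the role defaults.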
diff --git a/roles/network_plugin/calico/rr/meta/main.yml b/roles/network_plugin/calico/rr/meta/main.yml
index 38fc506cc..ef7986901 100644
--- a/roles/network_plugin/calico/rr/meta/main.yml
+++ b/roles/network_plugin/calico/rr/meta/main.yml
@@ -1,5 +1,5 @@
 dependencies:
-  - role: kubernetes/secrets
+  - role: etcd
   - role: docker
     when: ansible_os_family != "CoreOS"
   - role: download
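Review bot: Replacing `kubernetes/secrets` with `etcd` as a dependency makes the whole etcd role run on calico-rr hosts, not just its cert tasks. Whether the etcd role installs or starts etcd on hosts outside groups['etcd'] is not visible here; if it does, the route reflectors would gain an unintended etcd member, so confirm the role is a no-op beyond check_certs/gen_certs on such hosts. The new dependency carries no `when:` or `tags`, so a comment such as `# needed only for etcd client cert sync (check_certs/gen_certs)` above `- role: etcd` would state the intended scope.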
diff --git a/roles/network_plugin/calico/rr/tasks/main.yml b/roles/network_plugin/calico/rr/tasks/main.yml
index c43851f84..b5807632f 100644
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@@ -7,7 +7,7 @@
   set_fact:
     rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"
 
-- name: Calico | Create calico certs directory
+- name: Calico-rr | Create calico certs directory
   file:
     dest: "{{ calico_cert_dir }}"
     state: directory
@@ -15,16 +15,16 @@
     owner: root
     group: root
 
-- name: Calico | Link etcd certificates for calico-node
+- name: Calico-rr | Link etcd certificates for calico-node
   file:
-    src: "{{ kube_cert_dir }}/{{ item.s }}"
+    src: "{{ etcd_cert_dir }}/{{ item.s }}"
     dest: "{{ calico_cert_dir }}/{{ item.d }}"
     state: hard
     force: yes
   with_items:
     - {s: "ca.pem", d: "ca_cert.crt"}
-    - {s: "node.pem", d: "cert.crt"}
-    - {s: "node-key.pem", d: "key.pem"}
+    - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
+    - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
 
 - name: Calico-rr | Create dir for logs
   file:
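Review bot: `state: hard` links `node-{{ inventory_hostname }}-key.pem` into `{{ calico_cert_dir }}/key.pem`, so the key shares its inode and mode with the etcd node key and is only as protected as `calico_cert_dir` itself; that directory's `mode:` line sits between the two hunks and is not visible, so confirm it is not group- or world-readable. The renamed task still says `for calico-node`, although this is the route-reflector role; `- name: Calico-rr | Link etcd certificates for route reflector` would read more accurately if that is the consumer. The `Create dir for logs` task that starts on the last line continues outside this hunk.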
-- 
GitLab