From 82a28d6bb305b57e8ca90523a44609b870b7b663 Mon Sep 17 00:00:00 2001
From: Erwan Miran <mirwan666@gmail.com>
Date: Fri, 31 Aug 2018 14:34:13 +0200
Subject: [PATCH] Add documentation about having HA for etcd

---
 docs/ha-mode.md                      | 30 +++++++++++++++++++++++-----
 inventory/sample/group_vars/all.yml  |  6 ------
 roles/etcd/defaults/main.yml         |  1 +
 roles/etcd/tasks/gen_certs_vault.yml |  3 +++
 roles/etcd/templates/openssl.conf.j2 |  3 +++
 5 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/docs/ha-mode.md b/docs/ha-mode.md
index f3bc97e1c..619636633 100644
--- a/docs/ha-mode.md
+++ b/docs/ha-mode.md
@@ -11,12 +11,32 @@ achieve the same goal.
 Etcd
 ----
 
-The `etcd_access_endpoint` fact provides an access pattern for clients. And the
-`etcd_multiaccess` (defaults to `True`) group var controls that behavior.
-It makes deployed components to access the etcd cluster members
-directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients
-do a loadbalancing and handle HA for connections.
+In order to use an external loadbalancing (L4/TCP or L7 w/ SSL Passthrough VIP), the following variables need to be overriden in group_vars
+* `etcd_access_addresses`
+* `etcd_client_url`
+* `etcd_cert_alt_names`
+* `etcd_cert_alt_ips`
+
+### Example of a VIP w/ FQDN
+```yaml
+etcd_access_addresses: https://etcd.example.com:2379
+etcd_client_url: https://etcd.example.com:2379
+etcd_cert_alt_names:
+  - "etcd.kube-system.svc.{{ dns_domain }}"
+  - "etcd.kube-system.svc"
+  - "etcd.kube-system"
+  - "etcd"
+  - "etcd.example.com" # This one needs to be added to the default etcd_cert_alt_names
+```
+
+### Example of a VIP w/o FQDN (IP only)
 
+```yaml
+etcd_access_addresses: https://2.3.7.9:2379
+etcd_client_url: https://2.3.7.9:2379
+etcd_cert_alt_ips:
+  - "2.3.7.9"
+```
 
 Kube-apiserver
 --------------
diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
index e347f4f17..05d775f90 100644
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -14,12 +14,6 @@ bin_dir: /usr/local/bin
 ## but don't know about that address themselves.
 #access_ip: 1.1.1.1
 
-### LOADBALANCING AND ACCESS MODES
-## Enable multiaccess to configure etcd clients to access all of the etcd members directly
-## as the "http://hostX:port, http://hostY:port, ..." and ignore the proxy loadbalancers.
-## This may be the case if clients support and loadbalance multiple etcd servers natively.
-#etcd_multiaccess: true
-
 ### ETCD: disable peer client cert authentication.
 # This affects ETCD_PEER_CLIENT_CERT_AUTH variable
 #etcd_peer_client_auth: true
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index 8db1598ff..57e1bc078 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -20,6 +20,7 @@ etcd_cert_alt_names:
   - "etcd.kube-system.svc"
   - "etcd.kube-system"
   - "etcd"
+etcd_cert_alt_ips: []
 
 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
 
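Review bot: The new `etcd_cert_alt_ips` default carries no comment, so a reader of defaults/main.yml cannot tell it from a list of member IPs or learn that it feeds the certificate SANs generated by both the openssl template and the Vault task elsewhere in this patch. A one-line comment above it would make the intent and the security consequence explicit, e.g. `# Extra IP SANs (e.g. an external L4 VIP in front of etcd) added to the etcd certificates; entries must be IP literals, hostnames belong in etcd_cert_alt_names`. The `etcd_cert_alt_names` list this hunk follows begins before the hunk.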
diff --git a/roles/etcd/tasks/gen_certs_vault.yml b/roles/etcd/tasks/gen_certs_vault.yml
index aa3274bd7..4e3325b4f 100644
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -26,6 +26,9 @@
         "{{ hostvars[host]['ip'] }}",
         {%- endif -%}
         {%- endfor -%}
+        {%- for cert_alt_ip in etcd_cert_alt_ips -%}
+        "{{ cert_alt_ip }}",
+        {%- endfor -%}
         "127.0.0.1","::1"
         ]
     issue_cert_path: "{{ item }}"
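Review bot: Each `etcd_cert_alt_ips` entry is spliced into the quoted list literal as `"{{ cert_alt_ip }}",` with no escaping or validation, so a stray `"` or `,` in an inventory value silently changes the SAN list handed to the PKI backend, and a hostname placed in this list is submitted as an IP SAN and fails with a generic issuance error rather than a message pointing at the variable. Rendering the value through a JSON filter keeps the list well-formed for any string, i.e. `{{ cert_alt_ip | to_json }},`, and an `assert` that every entry parses as an IP literal before certificate generation would fail early for both this path and the openssl path. The task that builds this list starts and ends outside the hunk, so whether the same list is also used for the peer certificates cannot be confirmed from here.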
diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index 2f4f7e262..402417827 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
@@ -39,4 +39,7 @@ IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter,
 {% endif %}
 IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
 {% endfor %}
+{% for cert_alt_ip in etcd_cert_alt_ips %}
+IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}
+{% endfor %}
 IP.{{ counter["ip"] }} = 127.0.0.1
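Review bot: The added loop emits `IP.N = {{ cert_alt_ip }}` for every `etcd_cert_alt_ips` entry without validating it, so a hostname ends up as an invalid IP SAN that `openssl req` rejects with an opaque error, and a value containing a newline or ` #` would inject or truncate lines in the generated config. Since the same list is also consumed by the Vault task in this patch, a single guard in the role before either path runs, for example `assert: { that: "item is match('^[0-9.]+$') or item is match('^[0-9a-fA-F:]+$')", msg: "etcd_cert_alt_ips must contain IP literals" }` with `loop: "{{ etcd_cert_alt_ips }}"`, would catch a misplaced FQDN once with a clear message. The `[alt_names]` section this loop extends begins before the hunk, so the `counter` helper's initialisation cannot be checked here.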
-- 
GitLab