diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 700f7eb7550c28b2fadcf3691792610993d587eb..a8cb6ce5aad9959adb38d26b009b992c0585036c 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -11,13 +11,6 @@
     owner: kube
   when: kube_network_plugin == "calico"
 
-- name: Write Canal cni config
-  template:
-    src: "cni-canal.conf.j2"
-    dest: "/etc/cni/net.d/10-canal.conf"
-    owner: kube
-  when: kube_network_plugin == "canal"
-
 - name: Write kubelet config file
   template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
   notify:
diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index 24f7c789baf703d3bf11f28a78b2ac294967e84e..d67d593f5643fd25631a8dcef399ca908f8db1d9 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -9,3 +9,7 @@ canal_masquerade: "true"
 
 # Log-level
 canal_log_level: "info"
+
+# Etcd SSL dirs
+canal_cert_dir: /etc/canal/certs
+etcd_cert_dir: /etc/ssl/etcd/ssl
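Review bot: `etcd_cert_dir` is declared in the canal role's defaults without a `canal_` prefix, so it presumably duplicates a variable owned by whichever role generates the etcd certificates. If the two values ever diverge, the hard-link task added to this role's tasks file would point at a directory that is not populated with the node certificates. Either rely on the owning role's value, or add a comment such as `# must match the directory where the etcd node certificates are generated`. Both new paths would also be more consistent with the quoted defaults above them if written as `canal_cert_dir: "/etc/canal/certs"`.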
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index e88cfad7e024b017a83bca696e1ac0b3a706cc4d..1566362f1148b3f9f062f99b9a00a5ea35dce06b 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -1,4 +1,28 @@
 ---
+- name: Canal | Write Canal cni config
+  template:
+    src: "cni-canal.conf.j2"
+    dest: "/etc/cni/net.d/10-canal.conf"
+    owner: kube
+
+- name: Canal | Create canal certs directory
+  file:
+    dest: "{{ canal_cert_dir }}"
+    state: directory
+    mode: 0750
+    owner: root
+    group: root
+
+- name: Canal | Link etcd certificates for canal-node
+  file:
+    src: "{{ etcd_cert_dir }}/{{ item.s }}"
+    dest: "{{ canal_cert_dir }}/{{ item.d }}"
+    state: hard
+  with_items:
+    - {s: "ca.pem", d: "ca_cert.crt"}
+    - {s: "node.pem", d: "cert.crt"}
+    - {s: "node-key.pem", d: "key.pem"}
+
 - name: Canal | Set Flannel etcd configuration
   command: |-
     {{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} \
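Review bot: The `state: hard` link for `node-key.pem` in "Link etcd certificates for canal-node" gives the node's etcd private key a second name under `canal_cert_dir`. That name stays on the old inode if the files in `etcd_cert_dir` are later replaced rather than rewritten in place. After a certificate rotation the canal containers would presumably keep using the retired certificate and key until this role runs again, and the retired key stays on disk; hard links also fail when the two directories are on different filesystems. A comment above the task such as `# hard links: re-run after etcd cert rotation; both dirs must share a filesystem` would record this, and `mode: 0750` in the directory task is safer as `mode: "0750"` so no YAML loader can retype it. The hunk ends inside the following "Set Flannel etcd configuration" task, which is not reviewed here.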
diff --git a/roles/network_plugin/canal/templates/canal-config.yml.j2 b/roles/network_plugin/canal/templates/canal-config.yml.j2
index 34f3faedb1710cf0893906b86faea8ea694fdf93..1d0d3002a33cdfc2a72bf3c0af9e3a05219dcaad 100644
--- a/roles/network_plugin/canal/templates/canal-config.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-config.yml.j2
@@ -20,3 +20,8 @@ data:
 
   # Cluster name for Flannel etcd path
   cluster_name: "{{ cluster_name }}"
+
+  # SSL Etcd configuration
+  etcd_cafile: "{{ canal_cert_dir }}/ca_cert.crt"
+  etcd_certfile: "{{ canal_cert_dir }}/cert.crt"
+  etcd_keyfile: "{{ canal_cert_dir }}/key.pem"
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yml.j2
index ef6793f30df19e4758e24ac3c481e47c6c709251..c3894d47fa4c987752330ce3bb5a2e7ccf02815b 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yml.j2
@@ -40,6 +40,9 @@ spec:
         - name: resolv
           hostPath:
             path: /etc/resolv.conf
+        - name: "canal-certs"
+          hostPath:
+            path: "{{ canal_cert_dir }}"
       containers:
         # Runs the flannel daemon to enable vxlan networking between
         # container hosts.
@@ -76,10 +79,26 @@ spec:
             # Write the subnet.env file to the mounted directory.
             - name: FLANNELD_SUBNET_FILE
               value: "/run/flannel/subnet.env"
+            # Etcd SSL vars
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_cafile
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_certfile
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_keyfile
           command:
             - "/bin/sh"
             - "-c"
-            - "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network"
+            - "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)"
           ports:
             - hostPort: 10253
               containerPort: 10253
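Review bot: The three `$(ETCD_…)` references added to the flanneld command line are substituted by Kubernetes before `/bin/sh -c` parses the string, so the certificate paths reach the shell unquoted. With the default `canal_cert_dir` this is harmless, but a directory containing whitespace or shell metacharacters would be re-split or interpreted by the shell. Letting the shell expand the container's own environment with quoting avoids that, e.g. `-etcd-cafile \"$ETCD_CA_CERT_FILE\" -etcd-certfile \"$ETCD_CERT_FILE\" -etcd-keyfile \"$ETCD_KEY_FILE\"`. The container spec continues outside the hunk.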
@@ -90,6 +109,8 @@ spec:
               mountPath: "/etc/resolv.conf"
             - name: "run-flannel"
               mountPath: "/run/flannel"
+            - name: "canal-certs"
+              mountPath: "{{ canal_cert_dir }}"
         # Runs calico/node container on each Kubernetes node.  This
         # container programs network policy and local routes on each
         # host.
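Review bot: The new `canal-certs` volumeMount on the flannel container is writable although it exposes the host directory holding the node's etcd client key, and the same mount added to the calico-node container in the last hunk of this file has the same gap. Nothing in these hunks shows either container writing to that directory, so both mounts should carry `readOnly: true`. Because the files are hard links to the originals in `etcd_cert_dir`, a write through the mount would also alter the host's own etcd credentials. The calico-node container is `privileged: true`, so the flag is weaker protection there, but it still prevents accidental modification.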
@@ -108,6 +129,22 @@ spec:
             # Disable file logging so `kubectl logs` works.
             - name: CALICO_DISABLE_FILE_LOGGING
               value: "true"
+            # Etcd SSL vars
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_cafile
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_certfile
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_keyfile
           securityContext:
             privileged: true
           volumeMounts:
@@ -117,3 +154,5 @@ spec:
             - mountPath: /var/run/calico
               name: var-run-calico
               readOnly: false
+            - name: "canal-certs"
+              mountPath: "{{ canal_cert_dir }}"
diff --git a/roles/kubernetes/node/templates/cni-canal.conf.j2 b/roles/network_plugin/canal/templates/cni-canal.conf.j2
similarity index 100%
rename from roles/kubernetes/node/templates/cni-canal.conf.j2
rename to roles/network_plugin/canal/templates/cni-canal.conf.j2