Use node cert for etcd tasks instead of delegating to first etcd (#2386)

For etcdctl commands, use admin cert instead of node because this file doesn't exist on etcd only hosts.

Use node cert for etcd tasks instead of delegating to first etcd (#2386)
bc0fc5df · Matthew Mosesohn · GitHub · 810c10a0 · bc0fc5df · bc0fc5df
Unverified Commit bc0fc5df authored 7 years ago by Matthew Mosesohn Committed by GitHub 7 years ago
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@@ -50,8 +50,8 @@
  command: |-
    {{ bin_dir }}/etcdctl \
    --peers={{ etcd_access_addresses }} \
-    --cert-file {{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem \
-    --key-file {{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem \
+    --cert-file {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem \
+    --key-file {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
    set /calico/bgp/v1/rr_v4/{{ rr_ip }} \
    '{
       "ip": "{{ rr_ip }}",

--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -83,26 +83,24 @@
  uri:
    url: https://localhost:2379/health
    validate_certs: no
-    client_cert: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem"
-    client_key: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem"
+    client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
+    client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
  register: result
  until: result.status == 200 or result.status == 401
  retries: 10
  delay: 5
-  delegate_to: "{{groups['etcd'][0]}}"
  run_once: true

 - name: Calico | Check if calico network pool has already been configured
  command: |-
    curl \
      --cacert {{ etcd_cert_dir }}/ca.pem \
-      --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
-      --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
+      --cert {{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem \
+      --key {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
      https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
  register: calico_conf
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{groups['etcd'][0]}}"
  run_once: true
  changed_when: false

@@ -125,13 +123,12 @@
  command: |-
    curl \
      --cacert {{ etcd_cert_dir }}/ca.pem \
-      --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
-      --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
+      --cert {{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem \
+      --key {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
      https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
  register: calico_pools_raw
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{groups['etcd'][0]}}"
  run_once: true

 - set_fact:

--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -35,8 +35,8 @@
  changed_when: false
  run_once: true
  environment:
-    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem"
-    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem"
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"

 - name: Canal | Create canal node manifests
  template: