From bc0fc5df98f49a80f4e38b2880b6e11d9a651dde Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Tue, 27 Feb 2018 22:23:51 +0300
Subject: [PATCH] Use node cert for etcd tasks instead of delegating to first
 etcd (#2386)

For the etcdctl commands, use the admin cert instead of the node cert, because
the node cert file does not exist on etcd-only hosts.
---
 roles/network_plugin/calico/rr/tasks/main.yml |  4 ++--
 roles/network_plugin/calico/tasks/main.yml    | 15 ++++++---------
 roles/network_plugin/canal/tasks/main.yml     |  4 ++--
 3 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/roles/network_plugin/calico/rr/tasks/main.yml b/roles/network_plugin/calico/rr/tasks/main.yml
index 491065360..02cfce152 100644
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@@ -50,8 +50,8 @@
   command: |-
     {{ bin_dir }}/etcdctl \
     --peers={{ etcd_access_addresses }} \
-    --cert-file {{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem \
-    --key-file {{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem \
+    --cert-file {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem \
+    --key-file {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
     set /calico/bgp/v1/rr_v4/{{ rr_ip }} \
     '{
        "ip": "{{ rr_ip }}",
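Review bot: The etcdctl call passes `--cert-file`/`--key-file` but no `--ca-file` is visible in this hunk, so the etcd server certificate is only verified if `--ca-file {{ etcd_cert_dir }}/ca.pem` (or `ETCDCTL_CA_FILE`) is supplied in the part of the task above the hunk; with a cluster-private CA and no CA option the connection would presumably fail verification rather than silently succeed, so this is worth confirming against the full task, especially since the curl-based tasks in this series do pass `--cacert {{ etcd_cert_dir }}/ca.pem`. The same question applies to the canal hunk, where `environment` now sets `ETCDCTL_CERT_FILE` and `ETCDCTL_KEY_FILE` but no `ETCDCTL_CA_FILE` appears. The enclosing task starts outside the hunk.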
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index f3072d388..ccf54de4a 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -83,26 +83,24 @@
   uri:
     url: https://localhost:2379/health
     validate_certs: no
-    client_cert: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem"
-    client_key: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem"
+    client_cert: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
+    client_key: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
   register: result
   until: result.status == 200 or result.status == 401
   retries: 10
   delay: 5
-  delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
 
 - name: Calico | Check if calico network pool has already been configured
   command: |-
     curl \
       --cacert {{ etcd_cert_dir }}/ca.pem \
-      --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
-      --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
+      --cert {{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem \
+      --key {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
       https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
   register: calico_conf
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
   changed_when: false
 
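Review bot: Removing `delegate_to` while keeping `run_once: true` (the deleted lines 46, 61 and 77) means these tasks now execute on whichever host is first in the play's batch and dial `https://localhost:2379` with that host's `node-{{ inventory_hostname }}` credentials; if the play can start on a host without a local etcd member, the health check and pool lookups fail only after exhausting their retries. A guard that fails fast with a clear message, e.g. an `assert` with `that: inventory_hostname in groups['etcd']` placed before the health check, or pinning the tasks to an etcd host, would make the assumption explicit; the hunk at `@@ -125,13 +123,12 @@` has the same dependency. While here, the health check keeps `validate_certs: no` (line 37) even though `ca.pem` is available and the curl tasks verify with `--cacert`; `validate_certs: yes` plus `ca_path: "{{ etcd_cert_dir }}/ca.pem"` would give the uri task the same server verification. Minor style point: `{{ etcd_cert_dir}}` on the `--cert` lines is missing the closing space that the `--key` lines have. The uri task's `name` line is above the hunk.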
@@ -125,13 +123,12 @@
   command: |-
     curl \
       --cacert {{ etcd_cert_dir }}/ca.pem \
-      --cert {{ etcd_cert_dir}}/admin-{{ groups['etcd'][0] }}.pem \
-      --key {{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem \
+      --cert {{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem \
+      --key {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
       https://localhost:2379/v2/keys/calico/v1/ipam/v4/pool
   register: calico_pools_raw
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
-  delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
 
 - set_fact:
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index d42f4ec56..a42c2cfa7 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -35,8 +35,8 @@
   changed_when: false
   run_once: true
   environment:
-    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}.pem"
-    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/node-{{ groups['etcd'][0] }}-key.pem"
+    ETCDCTL_CERT_FILE: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}.pem"
+    ETCDCTL_KEY_FILE: "{{ etcd_cert_dir }}/admin-{{ groups['etcd'][0] }}-key.pem"
 
 - name: Canal | Create canal node manifests
   template:
-- 
GitLab