diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 90a5702bbe289fd78fb70846d9450c7a0a08257d..0a4319baa6ad25725ec989e2dd6aefc4ba882214 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -51,3 +51,5 @@ netchecker_kubectl_memory_requests: 64M
# SSL
etcd_cert_dir: "/etc/ssl/etcd/ssl"
+calico_cert_dir: "/etc/calico/certs"
+canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
index a3915f9ba53987d4f3d04987e61d593e2dd35284..447fb719f89f2eda1a9d1db72c34fe3a4661d6c8 100644
--- a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
+++ b/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
@@ -1,8 +1,13 @@
+---
+- set_fact:
+ calico_cert_dir: "{{ canal_cert_dir }}"
+ when: kube_network_plugin == 'canal'
+ tags: facts
+
- name: Write calico-policy-controller yaml
template: src=calico-policy-controller.yml.j2 dest={{kube_config_dir}}/calico-policy-controller.yml
when: inventory_hostname == groups['kube-master'][0]
-
- name: Start of Calico policy controller
kube:
name: "calico-policy-controller"
diff --git a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
index c92328f15f08f8aa8b5f3157a6f0fc90fd16e6e1..06bb78b7c19d063010fcfde9cfad0852151a174c 100644
--- a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
@@ -36,11 +36,11 @@ spec:
- name: ETCD_ENDPOINTS
value: "{{ etcd_access_endpoint }}"
- name: ETCD_CA_CERT_FILE
- value: "{{ etcd_cert_dir }}/ca.pem"
+ value: "{{ calico_cert_dir }}/ca_cert.crt"
- name: ETCD_CERT_FILE
- value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
+ value: "{{ calico_cert_dir }}/cert.crt"
- name: ETCD_KEY_FILE
- value: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
+ value: "{{ calico_cert_dir }}/key.pem"
# Location of the Kubernetes API - this shouldn't need to be
# changed so long as it is used in conjunction with
# CONFIGURE_ETC_HOSTS="true".
@@ -53,10 +53,10 @@ spec:
- name: CONFIGURE_ETC_HOSTS
value: "true"
volumeMounts:
- - mountPath: {{ etcd_cert_dir }}
+ - mountPath: {{ calico_cert_dir }}
name: etcd-certs
readOnly: true
volumes:
- hostPath:
- path: {{ etcd_cert_dir }}
+ path: {{ calico_cert_dir }}
name: etcd-certs
diff --git a/roles/network_plugin/calico/templates/calicoctl-container.j2 b/roles/network_plugin/calico/templates/calicoctl-container.j2
index 0ecfba0c14bd261fc4f971a53af4792092eb4518..ec8642c011e1c35f30770c9b5c5888f3532ca594 100644
--- a/roles/network_plugin/calico/templates/calicoctl-container.j2
+++ b/roles/network_plugin/calico/templates/calicoctl-container.j2
@@ -2,13 +2,13 @@
{{ docker_bin_dir }}/docker run -i --privileged --rm \
--net=host --pid=host \
-e ETCD_ENDPOINTS={{ etcd_access_endpoint }} \
--e ETCD_CA_CERT_FILE=/etc/calico/certs/ca_cert.crt \
--e ETCD_CERT_FILE=/etc/calico/certs/cert.crt \
--e ETCD_KEY_FILE=/etc/calico/certs/key.pem \
+-e ETCD_CA_CERT_FILE={{ calico_cert_dir }}/ca_cert.crt \
+-e ETCD_CERT_FILE={{ calico_cert_dir }}/cert.crt \
+-e ETCD_KEY_FILE={{ calico_cert_dir }}/key.pem \
-v {{ docker_bin_dir }}/docker:{{ docker_bin_dir }}/docker \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /var/run/calico:/var/run/calico \
--v /etc/calico/certs:/etc/calico/certs:ro \
+-v {{ calico_cert_dir }}:{{ calico_cert_dir }}:ro \
--memory={{ calicoctl_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calicoctl_cpu_limit|regex_replace('m', '') }} \
{{ calicoctl_image_repo }}:{{ calicoctl_image_tag}} \
$@
diff --git a/roles/network_plugin/flannel/defaults/main.yml b/roles/network_plugin/flannel/defaults/main.yml
index b6768f1bd12c63aa64c69d6435323c32f323c942..f8be25969cc91f1c15a4dfb48defa7f90689acfb 100644
--- a/roles/network_plugin/flannel/defaults/main.yml
+++ b/roles/network_plugin/flannel/defaults/main.yml
@@ -16,3 +16,6 @@ flannel_memory_limit: 500M
flannel_cpu_limit: 300m
flannel_memory_requests: 256M
flannel_cpu_requests: 150m
+
+flannel_cert_dir: /etc/flannel/certs
+etcd_cert_dir: /etc/ssl/etcd/ssl
diff --git a/roles/network_plugin/flannel/tasks/main.yml b/roles/network_plugin/flannel/tasks/main.yml
index 47aec49d9f98873c375d05c7d1c89a45ff320349..4fb637975420587e0ade8249ba5d529309662b7e 100644
--- a/roles/network_plugin/flannel/tasks/main.yml
+++ b/roles/network_plugin/flannel/tasks/main.yml
@@ -7,6 +7,25 @@
delegate_to: "{{groups['etcd'][0]}}"
run_once: true
+- name: Flannel | Create flannel certs directory
+ file:
+ dest: "{{ flannel_cert_dir }}"
+ state: directory
+ mode: 0750
+ owner: root
+ group: root
+
+- name: Flannel | Link etcd certificates for flanneld
+ file:
+ src: "{{ etcd_cert_dir }}/{{ item.s }}"
+ dest: "{{ flannel_cert_dir }}/{{ item.d }}"
+ state: hard
+ force: yes
+ with_items:
+ - {s: "ca.pem", d: "ca_cert.crt"}
+ - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
+ - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
+
- name: Flannel | Create flannel pod manifest
template:
src: flannel-pod.yml
diff --git a/roles/network_plugin/flannel/templates/flannel-pod.yml b/roles/network_plugin/flannel/templates/flannel-pod.yml
index f9b76ce5f70e6726ba9c11d128fe9472e630345d..92ecada69a8265d7b8d02416275e3b85d4ed78d3 100644
--- a/roles/network_plugin/flannel/templates/flannel-pod.yml
+++ b/roles/network_plugin/flannel/templates/flannel-pod.yml
@@ -14,7 +14,7 @@
path: "/run/flannel"
- name: "etcd-certs"
hostPath:
- path: "{{ etcd_cert_dir }}"
+ path: "{{ flannel_cert_dir }}"
containers:
- name: "flannel-container"
image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
@@ -29,7 +29,7 @@
command:
- "/bin/sh"
- "-c"
- - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ etcd_cert_dir }}/ca.pem -etcd-certfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem -etcd-keyfile {{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
+ - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ flannel_cert_dir }}/ca_cert.crt -etcd-certfile {{ flannel_cert_dir }}/cert.crt -etcd-keyfile {{ flannel_cert_dir }}/key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
ports:
- hostPort: 10253
containerPort: 10253
@@ -37,7 +37,7 @@
- name: "subnetenv"
mountPath: "/run/flannel"
- name: "etcd-certs"
- mountPath: "{{ etcd_cert_dir }}"
+ mountPath: "{{ flannel_cert_dir }}"
readOnly: true
securityContext:
privileged: true