Fix calico-rr to use etcd certs instead of kube certs

8 years ago · 6d9cd2d720
5 changed files with 16 additions and 17 deletions
--- a/roles/etcd/tasks/check_certs.yml
+++ b/roles/etcd/tasks/check_certs.yml
@ -7,7 +7,7 @@
  run_once: true
  with_items: >-
       ['ca.pem',
-       {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
+       {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
       {% for host in all_etcd_hosts %}
       'node-{{ host }}-key.pem'
       {% if not loop.last %}{{','}}{% endif %}
@ -39,7 +39,7 @@
    sync_certs: true
  when: >-
      {%- set certs = {'sync': False} -%}
-      {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|unique %}
+      {% set all_etcd_hosts = groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique %}
      {% for host in all_etcd_hosts %}
        {% if host == inventory_hostname %}
          {% if (not etcdcert.results[0].stat.exists|default(False)) or
--- a/roles/etcd/tasks/gen_certs.yml
+++ b/roles/etcd/tasks/gen_certs.yml
@ -40,7 +40,8 @@
                    {{ m }}
                  {% endif %}
                {% endfor %}"
-    - HOSTS: "{% for h in groups['k8s-cluster'] %}
+    - HOSTS: "{% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
+              {% for h in all_kube_hosts %}
                {% if hostvars[h].sync_certs|default(false) %}
                    {{ h }}
                {% endif %}
@ -65,7 +66,8 @@
                     'member-{{ inventory_hostname }}-key.pem'
                     ]
    all_node_certs: "['ca.pem',
-                    {% for node in groups['k8s-cluster'] %}
+                    {% set all_kube_hosts = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique %}
+                    {% for node in all_kube_hosts %}
                    'node-{{ node }}.pem',
                    'node-{{ node }}-key.pem',
                    {% endfor %}]"
@ -76,7 +78,6 @@
  shell: "tar cfz - -C {{ etcd_cert_dir }} {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }}| base64 --wrap=0"
  register: etcd_master_cert_data
  delegate_to: "{{groups['etcd'][0]}}"
-  #run_once: true
  when: sync_certs|default(false)
  notify: set etcd_secret_changed

@ -96,8 +97,7 @@
 - name: Gen_certs | Copy certs on nodes
  shell: "echo '{{etcd_node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ etcd_cert_dir }}"
  changed_when: false
-  when: inventory_hostname in groups['k8s-cluster'] and sync_certs|default(false) and
-        inventory_hostname not in groups['etcd']
+  when: sync_certs|default(false) and inventory_hostname not in groups['etcd']

 - name: Gen_certs | check certificate permissions
  file:
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@ -51,10 +51,9 @@
 - name: Gen_certs | Copy certs on nodes
  shell: "echo '{{node_cert_data.stdout|quote}}' | base64 -d | tar xz -C {{ kube_cert_dir }}"
  changed_when: false
-  when: (inventory_hostname in groups['kube-node'] or
-           (peer_with_calico_rr and inventory_hostname in groups['calico-rr'])) and
-         sync_certs|default(false) and
-         inventory_hostname != groups['kube-master'][0]
+  when: inventory_hostname in groups['kube-node'] and
+        sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]

 - name: Gen_certs | check certificate permissions
  file:
--- a/roles/network_plugin/calico/rr/meta/main.yml
+++ b/roles/network_plugin/calico/rr/meta/main.yml
@ -1,5 +1,5 @@
 dependencies:
-  - role: kubernetes/secrets
+  - role: etcd
  - role: docker
    when: ansible_os_family != "CoreOS"
  - role: download
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@ -7,7 +7,7 @@
  set_fact:
    rr_ip: "{{ calico_rr_ip | default(ip) | default(ansible_default_ipv4.address) }}"

- name: Calico | Create calico certs directory
+- name: Calico-rr | Create calico certs directory
  file:
    dest: "{{ calico_cert_dir }}"
    state: directory
@ -15,16 +15,16 @@
    owner: root
    group: root

- name: Calico | Link etcd certificates for calico-node
+- name: Calico-rr | Link etcd certificates for calico-node
  file:
-    src: "{{ kube_cert_dir }}/{{ item.s }}"
+    src: "{{ etcd_cert_dir }}/{{ item.s }}"
    dest: "{{ calico_cert_dir }}/{{ item.d }}"
    state: hard
    force: yes
  with_items:
    - {s: "ca.pem", d: "ca_cert.crt"}
-    - {s: "node.pem", d: "cert.crt"}
-    - {s: "node-key.pem", d: "key.pem"}
+    - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
+    - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}

 - name: Calico-rr | Create dir for logs
  file: