From 82a28d6bb305b57e8ca90523a44609b870b7b663 Mon Sep 17 00:00:00 2001
From: Erwan Miran
Date: Fri, 31 Aug 2018 14:34:13 +0200
Subject: [PATCH] Add documentation about having HA for etcd
---
 docs/ha-mode.md | 30 +++++++++++++++++++++++-----
 inventory/sample/group_vars/all.yml | 6 ------
 roles/etcd/defaults/main.yml | 1 +
 roles/etcd/tasks/gen_certs_vault.yml | 3 +++
 roles/etcd/templates/openssl.conf.j2 | 3 +++
 5 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/docs/ha-mode.md b/docs/ha-mode.md
index f3bc97e1c..619636633 100644
--- a/docs/ha-mode.md
+++ b/docs/ha-mode.md
@@ -11,12 +11,32 @@ achieve the same goal.
 Etcd
 ----
-The `etcd_access_endpoint` fact provides an access pattern for clients. And the
-`etcd_multiaccess` (defaults to `True`) group var controls that behavior.
-It makes deployed components to access the etcd cluster members
-directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients
-do a loadbalancing and handle HA for connections.
+In order to use an external loadbalancing (L4/TCP or L7 w/ SSL Passthrough VIP), the following variables need to be overriden in group_vars
+* `etcd_access_addresses`
+* `etcd_client_url`
+* `etcd_cert_alt_names`
+* `etcd_cert_alt_ips`
+
+### Example of a VIP w/ FQDN
+```yaml
+etcd_access_addresses: https://etcd.example.com:2379
+etcd_client_url: https://etcd.example.com:2379
+etcd_cert_alt_names:
+ - "etcd.kube-system.svc.{{ dns_domain }}"
+ - "etcd.kube-system.svc"
+ - "etcd.kube-system"
+ - "etcd"
+ - "etcd.example.com" # This one needs to be added to the default etcd_cert_alt_names
+```
+
+### Example of a VIP w/o FQDN (IP only)
+```yaml
+etcd_access_addresses: https://2.3.7.9:2379
+etcd_client_url: https://2.3.7.9:2379
+etcd_cert_alt_ips:
+ - "2.3.7.9"
+```
 Kube-apiserver
 --------------
diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml
index e347f4f17..05d775f90 100644
--- a/inventory/sample/group_vars/all.yml
+++ b/inventory/sample/group_vars/all.yml
@@ -14,12 +14,6 @@ bin_dir: /usr/local/bin
 ## but don't know about that address themselves.
 #access_ip: 1.1.1.1
-### LOADBALANCING AND ACCESS MODES
-## Enable multiaccess to configure etcd clients to access all of the etcd members directly
-## as the "http://hostX:port, http://hostY:port, ..." and ignore the proxy loadbalancers.
-## This may be the case if clients support and loadbalance multiple etcd servers natively.
-#etcd_multiaccess: true
-
 ### ETCD: disable peer client cert authentication.
 # This affects ETCD_PEER_CLIENT_CERT_AUTH variable
 #etcd_peer_client_auth: true
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index 8db1598ff..57e1bc078 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -20,6 +20,7 @@ etcd_cert_alt_names:
 - "etcd.kube-system.svc"
 - "etcd.kube-system"
 - "etcd"
+etcd_cert_alt_ips: []
 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
diff --git a/roles/etcd/tasks/gen_certs_vault.yml b/roles/etcd/tasks/gen_certs_vault.yml
index aa3274bd7..4e3325b4f 100644
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -26,6 +26,9 @@
 "{{ hostvars[host]['ip'] }}",
 {%- endif -%}
 {%- endfor -%}
+ {%- for cert_alt_ip in etcd_cert_alt_ips -%}
+ "{{ cert_alt_ip }}",
+ {%- endfor -%}
 "127.0.0.1","::1"
 ]
 issue_cert_path: "{{ item }}"
diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index 2f4f7e262..402417827 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
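Review bot: `etcd_cert_alt_ips: []` is added to roles/etcd/defaults/main.yml with no comment saying what belongs in it, and nothing nearby tells a reader that IP literals and hostnames are split across two variables. A one-line comment above it would spare the trip to docs/ha-mode.md: `# Extra IP SANs (e.g. the VIP of an external etcd load balancer) added to the etcd certificates generated by this role; hostnames belong in etcd_cert_alt_names instead.` The list is consumed by roles/etcd/tasks/gen_certs_vault.yml and roles/etcd/templates/openssl.conf.j2 in the same patch, so the comment is the only place a group_vars author will see the distinction.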
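Review bot: The new loop in roles/etcd/tasks/gen_certs_vault.yml appends each `etcd_cert_alt_ips` entry verbatim, and the matching loop in roles/etcd/templates/openssl.conf.j2 (the last hunk) writes it as an `IP.N =` entry, which OpenSSL accepts only for IP address literals; a hostname put in this list by mistake (the docs example keeps etcd.example.com in `etcd_cert_alt_names`, but nothing enforces that split) makes certificate generation fail inside OpenSSL rather than with a clear message. A guard task run before either generation path would catch it early, e.g. an `assert` with `that: "item | ipaddr"` and `with_items: "{{ etcd_cert_alt_ips }}"` (the `ipaddr` filter needs the netaddr Python library). The value this loop extends starts and ends outside the hunk, so I cannot tell here whether the Vault path validates the list itself.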
@@ -39,4 +39,7 @@ IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter,
 {% endif %}
 IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
 {% endfor %}
+{% for cert_alt_ip in etcd_cert_alt_ips %}
+IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}
+{% endfor %}
 IP.{{ counter["ip"] }} = 127.0.0.1