richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #602 from adidenko/fix-canal-ssl 

Fix etcd ssl for canal
pull/607/head
Matthew Mosesohn 8 years ago
committed by GitHub
parent
5cd65f9c45 caa81f3ac2
commit
ab0ff2ab3c
6 changed files with 73 additions and 8 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 7
      roles/kubernetes/node/tasks/main.yml
  2. 4
      roles/network_plugin/canal/defaults/main.yml
  3. 24
      roles/network_plugin/canal/tasks/main.yml
  4. 5
      roles/network_plugin/canal/templates/canal-config.yml.j2
  5. 41
      roles/network_plugin/canal/templates/canal-node.yml.j2
  6. 0
      roles/network_plugin/canal/templates/cni-canal.conf.j2

7
roles/kubernetes/node/tasks/main.yml
View File

@ -11,13 +11,6 @@
owner: kube owner: kube
when: kube_network_plugin == "calico" when: kube_network_plugin == "calico"
- name: Write Canal cni config
template:
src: "cni-canal.conf.j2"
dest: "/etc/cni/net.d/10-canal.conf"
owner: kube
when: kube_network_plugin == "canal"
- name: Write kubelet config file - name: Write kubelet config file
template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
notify: notify:

4
roles/network_plugin/canal/defaults/main.yml
View File

@ -9,3 +9,7 @@ canal_masquerade: "true"
# Log-level # Log-level
canal_log_level: "info" canal_log_level: "info"
# Etcd SSL dirs
canal_cert_dir: /etc/canal/certs
etcd_cert_dir: /etc/ssl/etcd/ssl

24
roles/network_plugin/canal/tasks/main.yml
View File

@ -1,4 +1,28 @@
--- ---
- name: Canal | Write Canal cni config
template:
src: "cni-canal.conf.j2"
dest: "/etc/cni/net.d/10-canal.conf"
owner: kube
- name: Canal | Create canal certs directory
file:
dest: "{{ canal_cert_dir }}"
state: directory
mode: 0750
owner: root
group: root
- name: Canal | Link etcd certificates for canal-node
file:
src: "{{ etcd_cert_dir }}/{{ item.s }}"
dest: "{{ canal_cert_dir }}/{{ item.d }}"
state: hard
with_items:
- {s: "ca.pem", d: "ca_cert.crt"}
- {s: "node.pem", d: "cert.crt"}
- {s: "node-key.pem", d: "key.pem"}
- name: Canal | Set Flannel etcd configuration - name: Canal | Set Flannel etcd configuration
command: |- command: |-
{{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} \ {{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} \

5
roles/network_plugin/canal/templates/canal-config.yml.j2
View File

@ -20,3 +20,8 @@ data:
# Cluster name for Flannel etcd path # Cluster name for Flannel etcd path
cluster_name: "{{ cluster_name }}" cluster_name: "{{ cluster_name }}"
# SSL Etcd configuration
etcd_cafile: "{{ canal_cert_dir }}/ca_cert.crt"
etcd_certfile: "{{ canal_cert_dir }}/cert.crt"
etcd_keyfile: "{{ canal_cert_dir }}/key.pem"

41
roles/network_plugin/canal/templates/canal-node.yml.j2
View File

@ -40,6 +40,9 @@ spec:
- name: resolv - name: resolv
hostPath: hostPath:
path: /etc/resolv.conf path: /etc/resolv.conf
- name: "canal-certs"
hostPath:
path: "{{ canal_cert_dir }}"
containers: containers:
# Runs the flannel daemon to enable vxlan networking between # Runs the flannel daemon to enable vxlan networking between
# container hosts. # container hosts.
@ -76,10 +79,26 @@ spec:
# Write the subnet.env file to the mounted directory. # Write the subnet.env file to the mounted directory.
- name: FLANNELD_SUBNET_FILE - name: FLANNELD_SUBNET_FILE
value: "/run/flannel/subnet.env" value: "/run/flannel/subnet.env"
# Etcd SSL vars
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cafile
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_certfile
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_keyfile
command: command:
- "/bin/sh" - "/bin/sh"
- "-c" - "-c"
- "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network"
- "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)"
ports: ports:
- hostPort: 10253 - hostPort: 10253
containerPort: 10253 containerPort: 10253
@ -90,6 +109,8 @@ spec:
mountPath: "/etc/resolv.conf" mountPath: "/etc/resolv.conf"
- name: "run-flannel" - name: "run-flannel"
mountPath: "/run/flannel" mountPath: "/run/flannel"
- name: "canal-certs"
mountPath: "{{ canal_cert_dir }}"
# Runs calico/node container on each Kubernetes node. This # Runs calico/node container on each Kubernetes node. This
# container programs network policy and local routes on each # container programs network policy and local routes on each
# host. # host.
@ -108,6 +129,22 @@ spec:
# Disable file logging so `kubectl logs` works. # Disable file logging so `kubectl logs` works.
- name: CALICO_DISABLE_FILE_LOGGING - name: CALICO_DISABLE_FILE_LOGGING
value: "true" value: "true"
# Etcd SSL vars
- name: ETCD_CA_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_cafile
- name: ETCD_CERT_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_certfile
- name: ETCD_KEY_FILE
valueFrom:
configMapKeyRef:
name: canal-config
key: etcd_keyfile
securityContext: securityContext:
privileged: true privileged: true
volumeMounts: volumeMounts:
@ -117,3 +154,5 @@ spec:
- mountPath: /var/run/calico - mountPath: /var/run/calico
name: var-run-calico name: var-run-calico
readOnly: false readOnly: false
- name: "canal-certs"
mountPath: "{{ canal_cert_dir }}"

roles/kubernetes/node/templates/cni-canal.conf.j2 → roles/network_plugin/canal/templates/cni-canal.conf.j2
View File

Write Preview
Loading…
Cancel
Save