@ -21,6 +21,7 @@
mode : 0750
owner : root
group : root
when : calico_datastore == "etcd"
- name : Calico | Link etcd certificates for calico-node
file:
@ -32,6 +33,7 @@
- {s : "{{ kube_etcd_cacert_file }}" , d : "ca_cert.crt" }
- {s : "{{ kube_etcd_cert_file }}" , d : "cert.crt" }
- {s : "{{ kube_etcd_key_file }}" , d : "key.pem" }
when : calico_datastore == "etcd"
- name : Calico | Install calicoctl wrapper script
template:
@ -52,6 +54,7 @@
retries : 10
delay : 5
run_once : true
when : calico_datastore == "etcd"
- name : Calico | Check if calico network pool has already been configured
shell : >
@ -59,17 +62,16 @@
register : calico_conf
retries : 4
delay : "{{ retry_stagger | random + 3 }}"
delegate_to : "{{ groups['kube-master'][0] }}"
run_once : true
changed_when : false
when:
- inventory_hostname == groups['kube-master'][0]
- name : Calico | Ensure that calico_pool_cidr is within kube_pods_subnet when defined
assert:
that : "[calico_pool_cidr] | ipaddr(kube_pods_subnet) | length == 1"
msg : "{{ calico_pool_cidr }} is not within or equal to {{ kube_pods_subnet }}"
delegate_to : localhost
run_once : true
when:
- inventory_hostname == groups['kube-master'][0]
- 'calico_conf.stdout == "0"'
- calico_pool_cidr is defined
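Review bot: Pairing `run_once : true` with `when: inventory_hostname == groups['kube-master'][0]` at L27-L30 (and in the same shape at L62-L66, L73-L77, L83-L87 and L93-L97) makes the pool check depend on the play's host order: Ansible evaluates a run_once task's conditional only against the first host of the batch, so if that host is not groups['kube-master'][0] the task is skipped for every host and `calico_conf` is registered as a skipped result with no `stdout`, after which each `calico_conf.stdout == "0"` condition (L39, L66, L77, L87) errors on the undefined attribute. The `delegate_to` lines that appear to be dropped in this hunk (L26, L35) did not carry that dependency. If the inventory ordering is guaranteed, a comment above the check such as `# run_once evaluates 'when' on the first host of the batch; relies on groups['kube-master'][0] being first in the play` records the assumption; otherwise keep `delegate_to` alongside `run_once`, or order the play so the first master leads the batch. The assert at L31-L40 reads `calico_conf.stdout` on the same basis and inherits the issue.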
@ -84,7 +86,7 @@
- inventory_hostname in groups['kube-master']
- calico_datastore == "kdd"
- name : Start Calico resources
- name : Calico | Create Calico Kubernetes datastore resources
kube:
name : "{{ item.item.name }}"
namespace : "kube-system"
@ -95,7 +97,8 @@
with_items:
- "{{ calico_node_kdd_manifest.results }}"
when:
- inventory_hostname == groups['kube-master'][0] and not item is skipped
- inventory_hostname == groups['kube-master'][0]
- not item is skipped
loop_control:
label : "{{ item.item.file }}"
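Review bot: `calico_node_kdd_manifest.results` is looped here at L51 and again by the new 'Start Calico resources' task at L172-L183, so with `state : "latest"` the kdd manifests appear to be applied twice on the first master. If the first pass is deliberately early so the kdd CRDs exist before the calicoctl pool checks run, a comment above this task, e.g. `# applied before the calicoctl tasks so the kdd CRDs exist; re-applied with the other manifests below`, would explain the repeat; otherwise the L182 entry can be dropped. This task's body starts before the hunk, so its `kube:` arguments are only partly visible.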
@ -111,9 +114,8 @@
"cidr": "{{ calico_pool_cidr | default(kube_pods_subnet) }}" ,
"ipipMode": "{{ ipip_mode }}" ,
"natOutgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }} }} " | {{ bin_dir }}/calicoctl.sh create -f -
run_once : true
delegate_to : "{{ groups['kube-master'][0] }}"
when:
- inventory_hostname == groups['kube-master'][0]
- 'calico_conf.stdout == "0"'
- calico_version is version("v3.0.0", ">=")
- calico_version is version("v3.3.0", "<")
@ -131,9 +133,8 @@
"cidr": "{{ calico_pool_cidr | default(kube_pods_subnet) }}" ,
"ipipMode": "{{ ipip_mode }}" ,
"natOutgoing": {{ nat_outgoing|default(false) and not peer_with_router|default(false) }} }} " | {{ bin_dir }}/calicoctl.sh create -f -
run_once : true
delegate_to : "{{ groups['kube-master'][0] }}"
when:
- inventory_hostname == groups['kube-master'][0]
- 'calico_conf.stdout == "0"'
- calico_version is version("v3.3.0", ">=")
@ -148,9 +149,8 @@
}' | {{ bin_dir }}/calicoctl.sh apply -f -
environment:
NO_DEFAULT_POOLS : true
run_once : true
delegate_to : "{{ groups['kube-master'][0] }}"
when:
- inventory_hostname == groups['kube-master'][0]
- 'calico_conf.stdout == "0"'
- calico_version is version("v3.0.0", "<")
@ -174,25 +174,113 @@
"logSeverityScreen": "Info" ,
"nodeToNodeMeshEnabled": {{ nodeToNodeMeshEnabled|default('true') }} ,
"asNumber": {{ global_as_num }} }} ' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
run_once : true
delegate_to : "{{ groups['kube-master'][0] }}"
changed_when : false
when:
- inventory_hostname == groups['kube-master'][0]
- calico_version is version('v3.0.0', '>=')
- name : Calico | Set global as_num (legacy)
command : "{{ bin_dir }}/calicoctl.sh config set asNumber {{ global_as_num }}"
run_once : true
when:
- inventory_hostname == groups['kube-master'][0]
- calico_version is version('v3.0.0', '<')
- name : Calico | Disable node mesh (legacy)
command : "{{ bin_dir }}/calicoctl.sh config set nodeToNodeMesh off"
run_once : yes
when:
- inventory_hostname == groups['kube-master'][0]
- calico_version is version('v3.0.0', '<')
- nodeToMeshEnabled|default(True)
- name : Calico | Configure peering with router(s) at global scope
shell : >
echo '{
"apiVersion": "projectcalico.org/v3" ,
"kind": "BGPPeer" ,
"metadata": {
"name": "global-{{ item.router_id }}"
},
"spec": {
"asNumber": "{{ item.as }}" ,
"peerIP": "{{ item.router_id }}"
}}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
retries : 4
delay : "{{ retry_stagger | random + 3 }}"
with_items:
- "{{ peers|selectattr('scope','defined')|selectattr('scope','equalto', 'global')|list|default([]) }}"
when:
- inventory_hostname == groups['kube-master'][0]
- calico_version | version_compare('v3.0.0', '>=')
- peer_with_router|default(false)
- name : Calico | Configure peering with router(s) at global scope (legacy)
shell : >
echo '{
"kind": "bgpPeer" ,
"spec": {"asNumber": "{{ item.as }}" },
"apiVersion": "v1" ,
"metadata": {"scope": "global", "peerIP": "{{ item.router_id }}" }
}'
| {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
retries : 4
delay : "{{ retry_stagger | random + 3 }}"
with_items : "{{ peers|selectattr('scope','defined')|selectattr('scope','equalto', 'global')|default([]) }}"
when:
- inventory_hostname == groups['kube-master'][0]
- calico_version is version('v3.0.0', '<')
- peer_with_router|default(false)
- name : Calico | Create calico manifests
template:
src : "{{ item.file }}.j2"
dest : "{{ kube_config_dir }}/{{ item.file }}"
with_items:
- {name: calico-config, file: calico-config.yml, type : cm}
- {name: calico-node, file: calico-node.yml, type : ds}
- {name: calico, file: calico-node-sa.yml, type : sa}
- {name: calico, file: calico-cr.yml, type : clusterrole}
- {name: calico, file: calico-crb.yml, type : clusterrolebinding}
register : calico_node_manifests
when:
- inventory_hostname in groups['kube-master']
- rbac_enabled or item.type not in rbac_resources
- name : Calico | Create calico manifests for typha
template:
src : "{{ item.file }}.j2"
dest : "{{ kube_config_dir }}/{{ item.file }}"
with_items:
- {name: calico, file: calico-typha.yml, type : typha}
register : calico_node_typha_manifest
when:
- inventory_hostname in groups['kube-master']
- typha_enabled and calico_datastore == "kdd"
- name : Start Calico resources
kube:
name : "{{ item.item.name }}"
namespace : "kube-system"
kubectl : "{{ bin_dir }}/kubectl"
resource : "{{ item.item.type }}"
filename : "{{ kube_config_dir }}/{{ item.item.file }}"
state : "latest"
with_items:
- "{{ calico_node_manifests.results }}"
- "{{ calico_node_kdd_manifest.results }}"
- "{{ calico_node_typha_manifest.results }}"
when:
- inventory_hostname == groups['kube-master'][0]
- not item is skipped
loop_control:
label : "{{ item.item.file }}"
- name : Wait for calico kubeconfig to be created
wait_for:
path : /etc/cni/net.d/calico-kubeconfig
when:
- inventory_hostname not in groups['kube-master']
- calico_datastore == "kdd"
- name : Calico | Configure node asNumber for per node peering
shell : >
echo '{
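Review bot: At L143 `peers|selectattr('scope','defined')|selectattr('scope','equalto', 'global')|default([])` lacks the `|list` that the non-legacy form at L127 has; `selectattr` yields a generator, which Ansible's templating renders as a single string item, so the legacy global-peering task would loop once over that string and `item.as` would fail — if the legacy path is still supported, `with_items : "{{ peers|selectattr('scope','defined')|selectattr('scope','equalto', 'global')|list|default([]) }}"` is the matching form. Within the same hunk L130 uses the deprecated `version_compare` filter alias while L98, L104 and L146 use `is version(...)`; `- calico_version is version('v3.0.0', '>=')` keeps the file consistent. L111 tests `nodeToMeshEnabled` whereas L91 renders `nodeToNodeMeshEnabled`; if that is a typo the legacy 'Disable node mesh' task always takes the `default(True)` branch, so it is worth confirming which name is the documented variable. L107 `run_once : yes` is the only non-canonical boolean here; `run_once : true` matches the surrounding tasks. Several of these lines look like tasks moved from the block removed at L217-L255, so some of this may be pre-existing rather than introduced here.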
@ -209,7 +297,6 @@
}}' | {{ bin_dir }}/calicoctl.sh {{ ' apply -f -' if calico_datastore == "kdd" else 'create --skip-exists -f -' }}
retries : 4
delay : "{{ retry_stagger | random + 3 }}"
delegate_to : "{{ groups['kube-master'][0] }}"
when:
- calico_version is version('v3.0.0', '>=')
- peer_with_router|default(false)
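Review bot: Dropping `delegate_to : "{{ groups['kube-master'][0] }}"` from the per-node peering task (and likewise in the hunks ending at L213 and L265) means calicoctl now writes BGPPeer/Node objects from each node with that node's own datastore credentials — the etcd client cert and key linked in the hunk at L9-L12 for etcd, or the /etc/cni/net.d/calico-kubeconfig that the new wait task at L189-L194 waits for with kdd — instead of from the first master. The task body starts before this hunk, so its full `when` is not visible; it is worth confirming those per-node credentials are authorised for these writes (otherwise the task fails on workers), and that if they had to be widened for this, the resulting ability of any single node to alter cluster-wide BGP peering is an accepted trade-off. A short comment above the task recording that decision, e.g. `# runs locally on each node with the node's own datastore credentials (no delegate_to); see the calico-kubeconfig wait above`, would make the intent clear to the next reader.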
@ -257,7 +344,6 @@
delay : "{{ retry_stagger | random + 3 }}"
with_items:
- "{{ peers|selectattr('scope','undefined')|list|default([]) | union(peers|selectattr('scope','defined')|selectattr('scope','equalto', 'node')|list|default([])) }}"
delegate_to : "{{ groups['kube-master'][0] }}"
when:
- calico_version is version('v3.0.0', '>=')
- peer_with_router|default(false)
@ -280,46 +366,6 @@
- peer_with_router|default(false)
- inventory_hostname in groups['k8s-cluster']
- name : Calico | Configure peering with router(s) at global scope
shell : >
echo '{
"apiVersion": "projectcalico.org/v3" ,
"kind": "BGPPeer" ,
"metadata": {
"name": "global-{{ item.router_id }}"
},
"spec": {
"asNumber": "{{ item.as }}" ,
"peerIP": "{{ item.router_id }}"
}}' | {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
retries : 4
delay : "{{ retry_stagger | random + 3 }}"
with_items:
- "{{ peers|selectattr('scope','defined')|selectattr('scope','equalto', 'global')|list|default([]) }}"
run_once : true
delegate_to : "{{ groups['kube-master'][0] }}"
when:
- calico_version | version_compare('v3.0.0', '>=')
- peer_with_router|default(false)
- inventory_hostname in groups['k8s-cluster']
- name : Calico | Configure peering with router(s) at global scope (legacy)
shell : >
echo '{
"kind": "bgpPeer" ,
"spec": {"asNumber": "{{ item.as }}" },
"apiVersion": "v1" ,
"metadata": {"scope": "global", "peerIP": "{{ item.router_id }}" }
}'
| {{ bin_dir }}/calicoctl.sh create --skip-exists -f -
retries : 4
delay : "{{ retry_stagger | random + 3 }}"
with_items : "{{ peers|selectattr('scope','defined')|selectattr('scope','equalto', 'global')|default([]) }}"
run_once : true
when:
- calico_version is version('v3.0.0', '<')
- peer_with_router|default(false)
- inventory_hostname in groups['k8s-cluster']
- name : Calico | Configure peering with route reflectors
shell : >
@ -338,7 +384,6 @@
delay : "{{ retry_stagger | random + 3 }}"
with_items:
- "{{ groups['calico-rr'] | default([]) }}"
delegate_to : "{{ groups['kube-master'][0] }}"
when:
- calico_version is version('v3.0.0', '>=')
- peer_with_calico_rr|default(false)
@ -364,30 +409,3 @@
- not calico_upgrade_enabled
- peer_with_calico_rr|default(false)
- hostvars[item]['cluster_id'] == cluster_id
- name : Calico | Create calico manifests
template:
src : "{{ item.file }}.j2"
dest : "{{ kube_config_dir }}/{{ item.file }}"
with_items:
- {name: calico-config, file: calico-config.yml, type : cm}
- {name: calico-node, file: calico-node.yml, type : ds}
- {name: calico, file: calico-node-sa.yml, type : sa}
- {name: calico, file: calico-cr.yml, type : clusterrole}
- {name: calico, file: calico-crb.yml, type : clusterrolebinding}
register : calico_node_manifests
when:
- inventory_hostname in groups['kube-master']
- rbac_enabled or item.type not in rbac_resources
- name : Calico | Create calico manifests for typha
template:
src : "{{ item.file }}.j2"
dest : "{{ kube_config_dir }}/{{ item.file }}"
with_items:
- {name: calico, file: calico-typha.yml, type : typha}
register : calico_node_typha_manifest
when:
- inventory_hostname in groups['kube-master']
- typha_enabled and calico_datastore == "kdd"