summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorOpenShift Bot <eparis+openshiftbot@redhat.com>2017-03-27 22:28:40 -0500
committerGitHub <noreply@github.com>2017-03-27 22:28:40 -0500
commita502b675936b617515ae7a00228aa62f1ec5bc53 (patch)
treefac00fa6dee431cc92ac92610387def9b8aeb155 /roles
parenta22e780b21eacf9ae7fc067d9f26e1a01c1d4558 (diff)
parent7aa584b59baba5a7018d38aadd19aa7646702391 (diff)
downloadopenshift-a502b675936b617515ae7a00228aa62f1ec5bc53.tar.gz
openshift-a502b675936b617515ae7a00228aa62f1ec5bc53.tar.bz2
openshift-a502b675936b617515ae7a00228aa62f1ec5bc53.tar.xz
openshift-a502b675936b617515ae7a00228aa62f1ec5bc53.zip
Merge pull request #3038 from djosborne/calico
Merged by openshift-bot
Diffstat (limited to 'roles')
-rw-r--r--roles/calico/README.md28
-rw-r--r--roles/calico/defaults/main.yaml10
-rw-r--r--roles/calico/handlers/main.yml8
-rw-r--r--roles/calico/meta/main.yml16
-rw-r--r--roles/calico/tasks/main.yml74
-rw-r--r--roles/calico/templates/calico.cfg.j29
-rw-r--r--roles/calico/templates/calico.conf.j218
-rw-r--r--roles/calico/templates/calico.service.j229
-rw-r--r--roles/calico_master/README.md28
-rw-r--r--roles/calico_master/defaults/main.yaml2
-rw-r--r--roles/calico_master/meta/main.yml17
-rw-r--r--roles/calico_master/tasks/main.yml41
-rw-r--r--roles/calico_master/templates/calico-policy-controller.yml.j2105
-rw-r--r--roles/etcd_client_certificates/tasks/main.yml2
-rw-r--r--roles/etcd_server_certificates/tasks/main.yml4
-rw-r--r--roles/openshift_common/tasks/main.yml9
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py19
17 files changed, 416 insertions, 3 deletions
diff --git a/roles/calico/README.md b/roles/calico/README.md
new file mode 100644
index 000000000..99e870521
--- /dev/null
+++ b/roles/calico/README.md
@@ -0,0 +1,28 @@
+# Calico
+
+Configure Calico components for the Master host.
+
+## Requirements
+
+* Ansible 2.2
+
+## Warning: This Calico Integration is in Alpha
+
+Calico shares the etcd instance used by OpenShift, and distributes client etcd certificates to each node.
+For this reason, **we do not (yet) recommend running Calico on any production-like
+cluster, or using it for any purpose besides early access testing.**
+
+## Installation
+
+To install, set the following inventory configuration parameters:
+
+* `openshift_use_calico=True`
+* `openshift_use_openshift_sdn=False`
+* `os_sdn_network_plugin_name='cni'`
+
+
+### Contact Information
+
+Author: Dan Osborne <dan@projectcalico.org>
+
+For support, join the `#openshift` channel on the [calico users slack](calicousers.slack.com).
diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml
new file mode 100644
index 000000000..a81fc3af7
--- /dev/null
+++ b/roles/calico/defaults/main.yaml
@@ -0,0 +1,10 @@
+---
+kubeconfig: "{{openshift.common.config_base}}/node/{{ 'system:node:' + openshift.common.hostname }}.kubeconfig"
+etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}"
+
+cni_conf_dir: "/etc/cni/net.d/"
+cni_bin_dir: "/opt/cni/bin/"
+
+calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt"
+calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt"
+calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key"
diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml
new file mode 100644
index 000000000..65d75cf00
--- /dev/null
+++ b/roles/calico/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: restart calico
+ become: yes
+ systemd: name=calico state=restarted
+
+- name: restart docker
+ become: yes
+ systemd: name=docker state=restarted
diff --git a/roles/calico/meta/main.yml b/roles/calico/meta/main.yml
new file mode 100644
index 000000000..102b82bde
--- /dev/null
+++ b/roles/calico/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Dan Osborne
+ description: Calico networking
+ company: Tigera, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- role: openshift_facts
diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml
new file mode 100644
index 000000000..287fed321
--- /dev/null
+++ b/roles/calico/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+- include: ../../../roles/etcd_client_certificates/tasks/main.yml
+ vars:
+ etcd_cert_prefix: calico.etcd-
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/calico"
+ embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-calico-{{ openshift.common.hostname }}"
+
+- name: Assure the calico certs have been generated
+ stat:
+ path: "{{ item }}"
+ with_items:
+ - "{{ calico_etcd_ca_cert_file }}"
+ - "{{ calico_etcd_cert_file}}"
+ - "{{ calico_etcd_key_file }}"
+
+- name: Configure Calico service unit file
+ template:
+ dest: "/lib/systemd/system/calico.service"
+ src: calico.service.j2
+
+- name: Enable calico
+ become: yes
+ systemd:
+ name: calico
+ daemon_reload: yes
+ state: started
+ enabled: yes
+ register: start_result
+
+- name: Assure CNI conf dir exists
+ become: yes
+ file: path="{{ cni_conf_dir }}" state=directory
+
+- name: Generate Calico CNI config
+ become: yes
+ template:
+ src: "calico.conf.j2"
+ dest: "{{ cni_conf_dir }}/10-calico.conf"
+
+- name: Assures Kuberentes CNI bin dir exists
+ become: yes
+ file: path="{{ cni_bin_dir }}" state=directory
+
+- name: Download Calico CNI Plugin
+ become: yes
+ get_url:
+ url: https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Download Calico IPAM Plugin
+ become: yes
+ get_url:
+ url: https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico-ipam
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Download and unzip standard CNI plugins
+ become: yes
+ unarchive:
+ remote_src: True
+ src: https://github.com/containernetworking/cni/releases/download/v0.4.0/cni-amd64-v0.4.0.tgz
+ dest: "{{ cni_bin_dir }}"
+
+- name: Assure Calico conf dir exists
+ become: yes
+ file: path=/etc/calico/ state=directory
+
+- name: Set calicoctl.cfg
+ template:
+ src: calico.cfg.j2
+ dest: "/etc/calico/calicoctl.cfg"
diff --git a/roles/calico/templates/calico.cfg.j2 b/roles/calico/templates/calico.cfg.j2
new file mode 100644
index 000000000..722385ed8
--- /dev/null
+++ b/roles/calico/templates/calico.cfg.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: calicoApiConfig
+metadata:
+spec:
+ datastoreType: "etcdv2"
+ etcdEndpoints: "{{ etcd_endpoints }}"
+ etcdKeyFile: "{{ calico_etcd_key_file }}"
+ etcdCertFile: "{{ calico_etcd_cert_file }}"
+ etcdCaCertFile: "{{ calico_etcd_ca_cert_file }}"
diff --git a/roles/calico/templates/calico.conf.j2 b/roles/calico/templates/calico.conf.j2
new file mode 100644
index 000000000..3c8c6b046
--- /dev/null
+++ b/roles/calico/templates/calico.conf.j2
@@ -0,0 +1,18 @@
+{
+ "name": "calico",
+ "type": "calico",
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "etcd_endpoints": "{{ etcd_endpoints }}",
+ "etcd_key_file": "{{ calico_etcd_key_file }}",
+ "etcd_cert_file": "{{ calico_etcd_cert_file }}",
+ "etcd_ca_cert_file": "{{ calico_etcd_ca_cert_file }}",
+ "kubernetes": {
+ "kubeconfig": "{{ kubeconfig }}"
+ },
+ "hostname": "{{ openshift.common.hostname }}",
+ "policy": {
+ "type": "k8s"
+ }
+}
diff --git a/roles/calico/templates/calico.service.j2 b/roles/calico/templates/calico.service.j2
new file mode 100644
index 000000000..b882a5597
--- /dev/null
+++ b/roles/calico/templates/calico.service.j2
@@ -0,0 +1,29 @@
+[Unit]
+Description=calico
+After=docker.service
+Requires=docker.service
+
+[Service]
+Restart=always
+ExecStartPre=-/usr/bin/docker rm -f calico-node
+ExecStart=/usr/bin/docker run --net=host --privileged \
+ --name=calico-node \
+ -e WAIT_FOR_DATASTORE=true \
+ -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \
+ -e CALICO_IPV4POOL_IPIP=always \
+ -e FELIX_IPV6SUPPORT=false \
+ -e ETCD_ENDPOINTS={{ etcd_endpoints }} \
+ -v /etc/origin/calico:/etc/origin/calico \
+ -e ETCD_CA_CERT_FILE={{ calico_etcd_ca_cert_file }} \
+ -e ETCD_CERT_FILE={{ calico_etcd_cert_file }} \
+ -e ETCD_KEY_FILE={{ calico_etcd_key_file }} \
+ -e NODENAME={{ openshift.common.hostname }} \
+ -v /var/log/calico:/var/log/calico \
+ -v /lib/modules:/lib/modules \
+ -v /var/run/calico:/var/run/calico \
+ calico/node:v1.1.0
+
+ExecStop=-/usr/bin/docker stop calico-node
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/calico_master/README.md b/roles/calico_master/README.md
new file mode 100644
index 000000000..2d34a967c
--- /dev/null
+++ b/roles/calico_master/README.md
@@ -0,0 +1,28 @@
+# Calico (Master)
+
+Configure Calico components for the Master host.
+
+## Requirements
+
+* Ansible 2.2
+
+## Warning: This Calico Integration is in Alpha
+
+Calico shares the etcd instance used by OpenShift, and distributes client etcd certificates to each node.
+For this reason, **we do not (yet) recommend running Calico on any production-like
+cluster, or using it for any purpose besides early access testing.**
+
+## Installation
+
+To install, set the following inventory configuration parameters:
+
+* `openshift_use_calico=True`
+* `openshift_use_openshift_sdn=False`
+* `os_sdn_network_plugin_name='cni'`
+
+
+### Contact Information
+
+Author: Dan Osborne <dan@projectcalico.org>
+
+For support, join the `#openshift` channel on the [calico users slack](calicousers.slack.com).
diff --git a/roles/calico_master/defaults/main.yaml b/roles/calico_master/defaults/main.yaml
new file mode 100644
index 000000000..db0d17884
--- /dev/null
+++ b/roles/calico_master/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+kubeconfig: "{{ openshift.common.config_base }}/master/openshift-master.kubeconfig"
diff --git a/roles/calico_master/meta/main.yml b/roles/calico_master/meta/main.yml
new file mode 100644
index 000000000..4d70c79cf
--- /dev/null
+++ b/roles/calico_master/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+ author: Dan Osborne
+ description: Calico networking
+ company: Tigera, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- role: calico
+- role: openshift_facts
diff --git a/roles/calico_master/tasks/main.yml b/roles/calico_master/tasks/main.yml
new file mode 100644
index 000000000..3358abe23
--- /dev/null
+++ b/roles/calico_master/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: Assure the calico certs have been generated
+ stat:
+ path: "{{ item }}"
+ with_items:
+ - "{{ calico_etcd_ca_cert_file }}"
+ - "{{ calico_etcd_cert_file}}"
+ - "{{ calico_etcd_key_file }}"
+
+- name: Create temp directory for policy controller definition
+ command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+ register: mktemp
+ changed_when: False
+
+- name: Write Calico Policy Controller definition
+ template:
+ dest: "{{ mktemp.stdout }}/calico-policy-controller.yml"
+ src: calico-policy-controller.yml.j2
+
+- name: Launch Calico Policy Controller
+ command: >
+ {{ openshift.common.client_binary }} create
+ -f {{ mktemp.stdout }}/calico-policy-controller.yml
+ --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+ register: calico_create_output
+ failed_when: ('already exists' not in calico_create_output.stderr) and ('created' not in calico_create_output.stdout)
+ changed_when: ('created' in calico_create_output.stdout)
+
+- name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
+
+
+- name: oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico
+ oc_adm_policy_user:
+ user: system:serviceaccount:kube-system:calico
+ resource_kind: scc
+ resource_name: privileged
+ state: present
diff --git a/roles/calico_master/templates/calico-policy-controller.yml.j2 b/roles/calico_master/templates/calico-policy-controller.yml.j2
new file mode 100644
index 000000000..66c334ceb
--- /dev/null
+++ b/roles/calico_master/templates/calico-policy-controller.yml.j2
@@ -0,0 +1,105 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico
+ namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: v1
+metadata:
+ name: calico
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups: ["extensions"]
+ resources:
+ - networkpolicies
+ verbs:
+ - list
+ - get
+ - watch
+---
+apiVersion: v1
+kind: ClusterRoleBinding
+metadata:
+ name: calico
+roleRef:
+ name: calico
+subjects:
+- kind: SystemUser
+ name: kube-system:calico
+- kind: ServiceAccount
+ name: calico
+ namespace: kube-system
+userNames:
+ - system:serviceaccount:kube-system:calico
+---
+# This manifest deploys the Calico policy controller on Kubernetes.
+# See https://github.com/projectcalico/k8s-policy
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ annotations:
+ scheduler.alpha.kubernetes.io/critical-pod: ''
+ scheduler.alpha.kubernetes.io/tolerations: |
+ [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
+ {"key":"CriticalAddonsOnly", "operator":"Exists"}]
+spec:
+ # The policy controller can only have a single active instance.
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ spec:
+ # The policy controller must run in the host network namespace so that
+ # it isn't governed by policy that would prevent it from working.
+ hostNetwork: true
+ serviceAccountName: calico
+ containers:
+ - name: calico-policy-controller
+ image: quay.io/calico/kube-policy-controller:v0.5.3
+ env:
+ # The location of the Calico etcd cluster.
+ - name: ETCD_ENDPOINTS
+ value: {{ etcd_endpoints }}
+ # Location of the CA certificate for etcd.
+ - name: ETCD_CA_CERT_FILE
+ value: {{ calico_etcd_ca_cert_file }}
+ # Location of the client key for etcd.
+ - name: ETCD_KEY_FILE
+ value: {{ calico_etcd_key_file }}
+ # Location of the client certificate for etcd.
+ - name: ETCD_CERT_FILE
+ value: {{ calico_etcd_cert_file }}
+ # Since we're running in the host namespace and might not have KubeDNS
+ # access, configure the container's /etc/hosts to resolve
+ # kubernetes.default to the correct service clusterIP.
+ - name: CONFIGURE_ETC_HOSTS
+ value: "true"
+ volumeMounts:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ mountPath: /etc/origin/calico
+
+ volumes:
+ # Mount in the etcd TLS secrets.
+ - name: certs
+ hostPath:
+ path: /etc/origin/calico
diff --git a/roles/etcd_client_certificates/tasks/main.yml b/roles/etcd_client_certificates/tasks/main.yml
index 93f4fd53c..450b65209 100644
--- a/roles/etcd_client_certificates/tasks/main.yml
+++ b/roles/etcd_client_certificates/tasks/main.yml
@@ -51,7 +51,7 @@
creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
~ etcd_cert_prefix ~ 'client.csr' }}"
environment:
- SAN: "IP:{{ etcd_ip }}"
+ SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
when: etcd_client_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml
index 4ae9b79c4..956f5cc55 100644
--- a/roles/etcd_server_certificates/tasks/main.yml
+++ b/roles/etcd_server_certificates/tasks/main.yml
@@ -40,7 +40,7 @@
creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
~ etcd_cert_prefix ~ 'server.csr' }}"
environment:
- SAN: "IP:{{ etcd_ip }}"
+ SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
when: etcd_server_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
@@ -73,7 +73,7 @@
creates: "{{ etcd_generated_certs_dir ~ '/' ~ etcd_cert_subdir ~ '/'
~ etcd_cert_prefix ~ 'peer.csr' }}"
environment:
- SAN: "IP:{{ etcd_ip }}"
+ SAN: "IP:{{ etcd_ip }},DNS:{{ etcd_hostname }}"
when: etcd_server_certs_missing | bool
delegate_to: "{{ etcd_ca_host }}"
diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml
index e55c288a8..d9ccf87bc 100644
--- a/roles/openshift_common/tasks/main.yml
+++ b/roles/openshift_common/tasks/main.yml
@@ -24,6 +24,14 @@
when: openshift_use_nuage | default(false) | bool and openshift_use_contiv | default(false) | bool
- fail:
+ msg: Calico can not be used with openshift sdn, set openshift_use_openshift_sdn=false if you want to use Calico
+ when: openshift_use_openshift_sdn | default(true) | bool and openshift_use_calico | default(false) | bool
+
+- fail:
+ msg: Calico cannot currently be used with Flannel in Openshift. Set either openshift_use_calico or openshift_use_flannel, but not both
+ when: openshift_use_calico | default(false) | bool and openshift_use_flannel | default(false) | bool
+
+- fail:
msg: openshift_hostname must be 64 characters or less
when: openshift_hostname is defined and openshift_hostname | length > 64
@@ -35,6 +43,7 @@
use_openshift_sdn: "{{ openshift_use_openshift_sdn | default(None) }}"
sdn_network_plugin_name: "{{ os_sdn_network_plugin_name | default(None) }}"
use_flannel: "{{ openshift_use_flannel | default(None) }}"
+ use_calico: "{{openshift_use_calico | default(None) }}"
use_nuage: "{{ openshift_use_nuage | default(None) }}"
use_contiv: "{{ openshift_use_contiv | default(None) }}"
use_manageiq: "{{ openshift_use_manageiq | default(None) }}"
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index eeab8a99c..e1f4c4e6d 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -467,6 +467,24 @@ def set_flannel_facts_if_unset(facts):
return facts
+def set_calico_facts_if_unset(facts):
+ """ Set calico facts if not already present in facts dict
+ dict: the facts dict updated with the calico facts if
+ missing
+ Args:
+ facts (dict): existing facts
+ Returns:
+ dict: the facts dict updated with the calico
+ facts if they were not already present
+
+ """
+ if 'common' in facts:
+ if 'use_calico' not in facts['common']:
+ use_calico = False
+ facts['common']['use_calico'] = use_calico
+ return facts
+
+
def set_nuage_facts_if_unset(facts):
""" Set nuage facts if not already present in facts dict
dict: the facts dict updated with the nuage facts if
@@ -1953,6 +1971,7 @@ class OpenShiftFacts(object):
facts = set_url_facts_if_unset(facts)
facts = set_project_cfg_facts_if_unset(facts)
facts = set_flannel_facts_if_unset(facts)
+ facts = set_calico_facts_if_unset(facts)
facts = set_nuage_facts_if_unset(facts)
facts = set_contiv_facts_if_unset(facts)
facts = set_node_schedulability(facts)