diff options
Diffstat (limited to 'roles/calico')
| -rw-r--r-- | roles/calico/README.md | 26 | ||||
| -rw-r--r-- | roles/calico/defaults/main.yaml | 16 | ||||
| -rw-r--r-- | roles/calico/handlers/main.yml | 4 | ||||
| -rw-r--r-- | roles/calico/meta/main.yml | 1 | ||||
| -rw-r--r-- | roles/calico/tasks/main.yml | 36 | ||||
| -rw-r--r-- | roles/calico/templates/10-calico.conf.j2 (renamed from roles/calico/templates/calicoctl.conf.j2) | 2 | ||||
| -rw-r--r-- | roles/calico/templates/calico.service.j2 | 13 | ||||
| -rw-r--r-- | roles/calico/templates/calicoctl.cfg.j2 (renamed from roles/calico/templates/10-calico.cfg.j2) | 2 |
8 files changed, 76 insertions, 24 deletions
diff --git a/roles/calico/README.md b/roles/calico/README.md index 99e870521..10e5e4e0a 100644 --- a/roles/calico/README.md +++ b/roles/calico/README.md @@ -6,12 +6,6 @@ Configure Calico components for the Master host. * Ansible 2.2 -## Warning: This Calico Integration is in Alpha - -Calico shares the etcd instance used by OpenShift, and distributes client etcd certificates to each node. -For this reason, **we do not (yet) recommend running Calico on any production-like -cluster, or using it for any purpose besides early access testing.** - ## Installation To install, set the following inventory configuration parameters: @@ -20,6 +14,26 @@ To install, set the following inventory configuration parameters: * `openshift_use_openshift_sdn=False` * `os_sdn_network_plugin_name='cni'` +For more information, see [Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd) + +## Improving security with BYO-etcd + +By default, Calico uses the etcd set up by OpenShift. To accomplish this, it generates and distributes client etcd certificates to each node. +Distributing these certs across the cluster in this way weakens the overall security, +so Calico should not be deployed in production in this mode. + +Instead, Calico can be installed in BYO-etcd mode, where it connects to an externally +set up etcd. For information on deploying Calico in BYO-etcd mode, see +[Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd) + +## Calico Configuration Options + +Additional parameters that can be defined in the inventory are: + +| Environment | Description | Schema | Default | +|---------|----------------------|---------|---------| +| CALICO_IPV4POOL_IPIP | IPIP Mode to use for the IPv4 POOL created at start up. | off, always, cross-subnet | always | +| CALICO_LOG_DIR | Directory on the host machine where Calico Logs are written.| String | /var/log/calico | ### Contact Information diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml index a16a7da71..be73e8a73 100644 --- a/roles/calico/defaults/main.yaml +++ b/roles/calico/defaults/main.yaml @@ -1,14 +1,14 @@ --- -kubeconfig: "{{openshift.common.config_base}}/node/{{ 'system:node:' + openshift.common.hostname }}.kubeconfig" -etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}" +kubeconfig: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname }}.kubeconfig" cni_conf_dir: "/etc/cni/net.d/" cni_bin_dir: "/opt/cni/bin/" -cni_url: "https://github.com/containernetworking/cni/releases/download/v0.4.0/cni-amd64-v0.4.0.tgz" +cni_url: "https://github.com/containernetworking/cni/releases/download/v0.5.2/cni-amd64-v0.5.2.tgz" -calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt" -calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt" -calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key" +calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico" +calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico-ipam" -calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico" -calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico-ipam" +calico_ipv4pool_ipip: "always" + +calico_log_dir: "/var/log/calico" +calico_node_image: "calico/node:v2.5.0" diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml index 53cecfcc3..67fc0065f 100644 --- a/roles/calico/handlers/main.yml +++ b/roles/calico/handlers/main.yml @@ -8,3 +8,7 @@ systemd: name: "{{ openshift.docker.service_name }}" state: restarted + register: l_docker_restart_docker_in_calico_result + until: not l_docker_restart_docker_in_calico_result | failed + retries: 3 + delay: 30 diff --git a/roles/calico/meta/main.yml b/roles/calico/meta/main.yml index 102b82bde..816c81369 100644 --- a/roles/calico/meta/main.yml +++ b/roles/calico/meta/main.yml @@ -14,3 +14,4 @@ galaxy_info: - system dependencies: - role: openshift_facts +- role: openshift_master_facts diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml index fa5e338b3..0e3863304 100644 --- a/roles/calico/tasks/main.yml +++ b/roles/calico/tasks/main.yml @@ -1,5 +1,16 @@ --- -- include: ../../../roles/etcd_client_certificates/tasks/main.yml +- name: Calico Node | Error if invalid cert arguments + fail: + msg: "Must provide all or none for the following etcd params: calico_etcd_cert_dir, calico_etcd_ca_cert_file, calico_etcd_cert_file, calico_etcd_key_file, calico_etcd_endpoints" + when: + - calico_etcd_cert_dir is defined or calico_etcd_ca_cert_file is defined or calico_etcd_cert_file is defined or calico_etcd_key_file is defined or calico_etcd_endpoints is defined + - not (calico_etcd_cert_dir is defined and calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined) + +- name: Calico Node | Generate OpenShift-etcd certs + include_role: + name: etcd + tasks_from: client_certificates + when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined vars: etcd_cert_prefix: calico.etcd- etcd_cert_config_dir: "{{ openshift.common.config_base }}/calico" @@ -7,12 +18,31 @@ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_subdir: "openshift-calico-{{ openshift.common.hostname }}" -- name: Calico Node | Assure the calico certs have been generated +- name: Calico Node | Set etcd cert location facts + when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined + set_fact: + calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt" + calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt" + calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key" + calico_etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}" + calico_etcd_cert_dir: "/etc/origin/calico/" + +- name: Calico Node | Error if no certs set. + fail: + msg: "Invalid etcd configuration for calico." + when: item is not defined or item == '' + with_items: + - calico_etcd_ca_cert_file + - calico_etcd_cert_file + - calico_etcd_key_file + - calico_etcd_endpoints + +- name: Calico Node | Assure the calico certs are present stat: path: "{{ item }}" with_items: - "{{ calico_etcd_ca_cert_file }}" - - "{{ calico_etcd_cert_file}}" + - "{{ calico_etcd_cert_file }}" - "{{ calico_etcd_key_file }}" - name: Calico Node | Configure Calico service unit file diff --git a/roles/calico/templates/calicoctl.conf.j2 b/roles/calico/templates/10-calico.conf.j2 index 3c8c6b046..1ec569cff 100644 --- a/roles/calico/templates/calicoctl.conf.j2 +++ b/roles/calico/templates/10-calico.conf.j2 @@ -4,7 +4,7 @@ "ipam": { "type": "calico-ipam" }, - "etcd_endpoints": "{{ etcd_endpoints }}", + "etcd_endpoints": "{{ calico_etcd_endpoints }}", "etcd_key_file": "{{ calico_etcd_key_file }}", "etcd_cert_file": "{{ calico_etcd_cert_file }}", "etcd_ca_cert_file": "{{ calico_etcd_ca_cert_file }}", diff --git a/roles/calico/templates/calico.service.j2 b/roles/calico/templates/calico.service.j2 index 7a1236392..7653e19b1 100644 --- a/roles/calico/templates/calico.service.j2 +++ b/roles/calico/templates/calico.service.j2 @@ -10,18 +10,21 @@ ExecStart=/usr/bin/docker run --net=host --privileged \ --name=calico-node \ -e WAIT_FOR_DATASTORE=true \ -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \ - -e CALICO_IPV4POOL_IPIP=always \ + -e CALICO_IPV4POOL_IPIP={{ calico_ipv4pool_ipip }} \ + -e CALICO_IPV4POOL_CIDR={{ openshift.master.sdn_cluster_network_cidr }} \ -e FELIX_IPV6SUPPORT=false \ - -e ETCD_ENDPOINTS={{ etcd_endpoints }} \ - -v /etc/origin/calico:/etc/origin/calico \ + -e ETCD_ENDPOINTS={{ calico_etcd_endpoints }} \ + -v {{ calico_etcd_cert_dir }}:{{ calico_etcd_cert_dir }} \ -e ETCD_CA_CERT_FILE={{ calico_etcd_ca_cert_file }} \ -e ETCD_CERT_FILE={{ calico_etcd_cert_file }} \ -e ETCD_KEY_FILE={{ calico_etcd_key_file }} \ + -e CLUSTER_TYPE=origin,bgp \ -e NODENAME={{ openshift.common.hostname }} \ - -v /var/log/calico:/var/log/calico \ + -v {{ calico_log_dir }}:/var/log/calico\ -v /lib/modules:/lib/modules \ -v /var/run/calico:/var/run/calico \ - calico/node:v1.1.0 + {{ calico_node_image }} + ExecStop=-/usr/bin/docker stop calico-node diff --git a/roles/calico/templates/10-calico.cfg.j2 b/roles/calico/templates/calicoctl.cfg.j2 index 722385ed8..a00ea27dc 100644 --- a/roles/calico/templates/10-calico.cfg.j2 +++ b/roles/calico/templates/calicoctl.cfg.j2 @@ -3,7 +3,7 @@ kind: calicoApiConfig metadata: spec: datastoreType: "etcdv2" - etcdEndpoints: "{{ etcd_endpoints }}" + etcdEndpoints: "{{ calico_etcd_endpoints }}" etcdKeyFile: "{{ calico_etcd_key_file }}" etcdCertFile: "{{ calico_etcd_cert_file }}" etcdCaCertFile: "{{ calico_etcd_ca_cert_file }}" |