From 7aa584b59baba5a7018d38aadd19aa7646702391 Mon Sep 17 00:00:00 2001
From: Dan Osborne
Date: Fri, 10 Mar 2017 16:07:45 -0800
Subject: Add calico.
---
roles/calico/README.md | 28 ++++++++++++
roles/calico/defaults/main.yaml | 10 +++++
roles/calico/handlers/main.yml | 8 ++++
roles/calico/meta/main.yml | 16 +++++++
roles/calico/tasks/main.yml | 74 ++++++++++++++++++++++++++++++++
roles/calico/templates/calico.cfg.j2 | 9 ++++
roles/calico/templates/calico.conf.j2 | 18 ++++++++
roles/calico/templates/calico.service.j2 | 29 +++++++++++++
8 files changed, 192 insertions(+)
create mode 100644 roles/calico/README.md
create mode 100644 roles/calico/defaults/main.yaml
create mode 100644 roles/calico/handlers/main.yml
create mode 100644 roles/calico/meta/main.yml
create mode 100644 roles/calico/tasks/main.yml
create mode 100644 roles/calico/templates/calico.cfg.j2
create mode 100644 roles/calico/templates/calico.conf.j2
create mode 100644 roles/calico/templates/calico.service.j2
(limited to 'roles/calico')
diff --git a/roles/calico/README.md b/roles/calico/README.md
new file mode 100644
index 000000000..99e870521
--- /dev/null
+++ b/roles/calico/README.md
@@ -0,0 +1,28 @@
+# Calico
+
+Configure Calico components for the Master host.
+
+## Requirements
+
+* Ansible 2.2
+
+## Warning: This Calico Integration is in Alpha
+
+Calico shares the etcd instance used by OpenShift, and distributes client etcd certificates to each node.
+For this reason, **we do not (yet) recommend running Calico on any production-like
+cluster, or using it for any purpose besides early access testing.**
+
+## Installation
+
+To install, set the following inventory configuration parameters:
+
+* `openshift_use_calico=True`
+* `openshift_use_openshift_sdn=False`
+* `os_sdn_network_plugin_name='cni'`
+
+
+### Contact Information
+
+Author: Dan Osborne
+
+For support, join the `#openshift` channel on the [calico users slack](calicousers.slack.com).
diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml
new file mode 100644
index 000000000..a81fc3af7
--- /dev/null
+++ b/roles/calico/defaults/main.yaml
@@ -0,0 +1,10 @@
+---
+kubeconfig: "{{openshift.common.config_base}}/node/{{ 'system:node:' + openshift.common.hostname }}.kubeconfig"
+etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}"
+
+cni_conf_dir: "/etc/cni/net.d/"
+cni_bin_dir: "/opt/cni/bin/"
+
+calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt"
+calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt"
+calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key"
diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml
new file mode 100644
index 000000000..65d75cf00
--- /dev/null
+++ b/roles/calico/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: restart calico
+ become: yes
+ systemd: name=calico state=restarted
+
+- name: restart docker
+ become: yes
+ systemd: name=docker state=restarted
diff --git a/roles/calico/meta/main.yml b/roles/calico/meta/main.yml
new file mode 100644
index 000000000..102b82bde
--- /dev/null
+++ b/roles/calico/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Dan Osborne
+ description: Calico networking
+ company: Tigera, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- role: openshift_facts
diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml
new file mode 100644
index 000000000..287fed321
--- /dev/null
+++ b/roles/calico/tasks/main.yml
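Review bot: The three `calico_etcd_*_file` defaults in roles/calico/defaults/main.yaml hard-code `/etc/origin/calico/`, while roles/calico/tasks/main.yml asks for the certificates to be generated under `{{ openshift.common.config_base }}/calico`. On a host where `config_base` is not `/etc/origin`, the CNI config, calicoctl.cfg and the service unit would point at files that were never written. Deriving the paths from the same fact keeps them in step, e.g. `calico_etcd_key_file: "{{ openshift.common.config_base }}/calico/calico.etcd-client.key"`, and likewise for the CA and client certificate. The volume mount in calico.service.j2 hard-codes the same directory and would need the same treatment.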
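Review bot: Neither handler in roles/calico/handlers/main.yml is notified by any task in this commit, so a later change to the unit file or the CNI config is written to disk without restarting the service that uses it. The `template` tasks in tasks/main.yml would need `notify: restart calico`, and because the unit file is one of the things that can change, the handler should reload systemd as well: `systemd: name=calico state=restarted daemon_reload=yes`. If `restart docker` has no caller, it is better removed than kept as an unused handler that restarts the container runtime on the node.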
@@ -0,0 +1,74 @@
+---
+- include: ../../../roles/etcd_client_certificates/tasks/main.yml
+ vars:
+ etcd_cert_prefix: calico.etcd-
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/calico"
+ embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-calico-{{ openshift.common.hostname }}"
+
+- name: Assure the calico certs have been generated
+ stat:
+ path: "{{ item }}"
+ with_items:
+ - "{{ calico_etcd_ca_cert_file }}"
+ - "{{ calico_etcd_cert_file}}"
+ - "{{ calico_etcd_key_file }}"
+
+- name: Configure Calico service unit file
+ template:
+ dest: "/lib/systemd/system/calico.service"
+ src: calico.service.j2
+
+- name: Enable calico
+ become: yes
+ systemd:
+ name: calico
+ daemon_reload: yes
+ state: started
+ enabled: yes
+ register: start_result
+
+- name: Assure CNI conf dir exists
+ become: yes
+ file: path="{{ cni_conf_dir }}" state=directory
+
+- name: Generate Calico CNI config
+ become: yes
+ template:
+ src: "calico.conf.j2"
+ dest: "{{ cni_conf_dir }}/10-calico.conf"
+
+- name: Assures Kuberentes CNI bin dir exists
+ become: yes
+ file: path="{{ cni_bin_dir }}" state=directory
+
+- name: Download Calico CNI Plugin
+ become: yes
+ get_url:
+ url: https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Download Calico IPAM Plugin
+ become: yes
+ get_url:
+ url: https://github.com/projectcalico/cni-plugin/releases/download/v1.5.5/calico-ipam
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Download and unzip standard CNI plugins
+ become: yes
+ unarchive:
+ remote_src: True
+ src: https://github.com/containernetworking/cni/releases/download/v0.4.0/cni-amd64-v0.4.0.tgz
+ dest: "{{ cni_bin_dir }}"
+
+- name: Assure Calico conf dir exists
+ become: yes
+ file: path=/etc/calico/ state=directory
+
+- name: Set calicoctl.cfg
+ template:
+ src: calico.cfg.j2
+ dest: "/etc/calico/calicoctl.cfg"
diff --git a/roles/calico/templates/calico.cfg.j2 b/roles/calico/templates/calico.cfg.j2
new file mode 100644
index 000000000..722385ed8
--- /dev/null
+++ b/roles/calico/templates/calico.cfg.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: calicoApiConfig
+metadata:
+spec:
+ datastoreType: "etcdv2"
+ etcdEndpoints: "{{ etcd_endpoints }}"
+ etcdKeyFile: "{{ calico_etcd_key_file }}"
+ etcdCertFile: "{{ calico_etcd_cert_file }}"
+ etcdCaCertFile: "{{ calico_etcd_ca_cert_file }}"
diff --git a/roles/calico/templates/calico.conf.j2 b/roles/calico/templates/calico.conf.j2
new file mode 100644
index 000000000..3c8c6b046
--- /dev/null
+++ b/roles/calico/templates/calico.conf.j2
@@ -0,0 +1,18 @@
+{
+ "name": "calico",
+ "type": "calico",
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "etcd_endpoints": "{{ etcd_endpoints }}",
+ "etcd_key_file": "{{ calico_etcd_key_file }}",
+ "etcd_cert_file": "{{ calico_etcd_cert_file }}",
+ "etcd_ca_cert_file": "{{ calico_etcd_ca_cert_file }}",
+ "kubernetes": {
+ "kubeconfig": "{{ kubeconfig }}"
+ },
+ "hostname": "{{ openshift.common.hostname }}",
+ "policy": {
+ "type": "k8s"
+ }
+}
diff --git a/roles/calico/templates/calico.service.j2 b/roles/calico/templates/calico.service.j2
new file mode 100644
index 000000000..b882a5597
--- /dev/null
+++ b/roles/calico/templates/calico.service.j2
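Review bot: The two `get_url` tasks and the `unarchive` task in roles/calico/tasks/main.yml fetch executables over the network and install them as root into `{{ cni_bin_dir }}` with no integrity check, so whatever the release URL serves at run time is what each node runs as its CNI plugin. `get_url` accepts a pinned digest, e.g. `checksum: "sha256:<SHA256_OF_RELEASE_ASSET>"` (placeholder; use the value of the release you have verified), and the tarball can be fetched the same way with `get_url` and then unpacked by `unarchive` from the local path. Separately, the `stat` task named "Assure the calico certs have been generated" asserts nothing: `stat` succeeds for a missing path and its result is neither registered nor checked, so the role continues without the etcd client key. Registering the result and failing when `item.stat.exists` is false would make the check real.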
@@ -0,0 +1,29 @@
+[Unit]
+Description=calico
+After=docker.service
+Requires=docker.service
+
+[Service]
+Restart=always
+ExecStartPre=-/usr/bin/docker rm -f calico-node
+ExecStart=/usr/bin/docker run --net=host --privileged \
+ --name=calico-node \
+ -e WAIT_FOR_DATASTORE=true \
+ -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \
+ -e CALICO_IPV4POOL_IPIP=always \
+ -e FELIX_IPV6SUPPORT=false \
+ -e ETCD_ENDPOINTS={{ etcd_endpoints }} \
+ -v /etc/origin/calico:/etc/origin/calico \
+ -e ETCD_CA_CERT_FILE={{ calico_etcd_ca_cert_file }} \
+ -e ETCD_CERT_FILE={{ calico_etcd_cert_file }} \
+ -e ETCD_KEY_FILE={{ calico_etcd_key_file }} \
+ -e NODENAME={{ openshift.common.hostname }} \
+ -v /var/log/calico:/var/log/calico \
+ -v /lib/modules:/lib/modules \
+ -v /var/run/calico:/var/run/calico \
+ calico/node:v1.1.0
+
+ExecStop=-/usr/bin/docker stop calico-node
+
+[Install]
+WantedBy=multi-user.target
-- cgit v1.2.1
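Review bot: The `ExecStart` line in calico.service.j2 runs `calico/node:v1.1.0` with `--privileged` and `--net=host`, and a tag can be re-pointed in the registry, so the image content that gets root-equivalent access to the node is not fixed by this unit. Referencing the image by digest (`calico/node@sha256:<IMAGE_DIGEST>`, placeholder) pins it. The volume holding the etcd client key is mounted read-write although the container only needs to read it; `-v /etc/origin/calico:/etc/origin/calico:ro` and `-v /lib/modules:/lib/modules:ro` state that intent, though with `--privileged` this guards against accidental writes rather than forming a boundary. A short comment on why `FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT` is needed would also help, since it relaxes how workload-to-host traffic is treated.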