Use K8s 1.14 and add kubeadm experimental control plane mode (#4514)

* Use K8s 1.14 and add kubeadm experimental control plane mode This reverts commit d39c273d96. * Cleanup kubeadm setup run on first master * pin kubeadm_certificate_key in test * Remove kubelet autolabel of kube-node, add symlink for pki dir Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca
2026-02-01 09:38:12 -03:30 · 2019-04-19 16:01:54 +03:00
parent d0e628911c
commit 05dc2b3a09
39 changed files with 319 additions and 409 deletions
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -61,3 +61,7 @@ calico_baremetal_nodename: "{{ kube_override_hostname | default(inventory_hostna

 ### do not enable this, this is detected in scope of tasks, this is just a default value
 calico_upgrade_needed: false
+
+kube_etcd_cacert_file: ca.pem
+kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
+kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
--- a/roles/network_plugin/calico/handlers/main.yml
+++ b/roles/network_plugin/calico/handlers/main.yml
@@ -1,15 +1,14 @@
 ---
- name: restart calico-node
+- name: reset_calico_cni
  command: /bin/true
  notify:
-    - Calico | reload systemd
-    - Calico | reload calico-node
+    - delete 10-calico.conflist
+    - delete calico-node containers

- name: Calico | reload systemd
-  shell: systemctl daemon-reload
+- name: delete 10-calico.conflist
+  file:
+    path: /etc/calico/10-calico.conflist
+    state: absent

- name: Calico | reload calico-node
-  service:
-    name: calico-node
-    state: restarted
-    sleep: 10
+- name: delete calico-node containers
+  shell: "docker ps -af name=k8s_POD_calico-node* -q | xargs --no-run-if-empty docker rm -f"
--- a/roles/network_plugin/calico/rr/defaults/main.yml
+++ b/roles/network_plugin/calico/rr/defaults/main.yml
@@ -10,3 +10,7 @@ calico_rr_memory_limit: 1000M
 calico_rr_cpu_limit: 300m
 calico_rr_memory_requests: 128M
 calico_rr_cpu_requests: 150m
+
+kube_etcd_cacert_file: ca.pem
+kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
+kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
--- a/roles/network_plugin/calico/rr/tasks/main.yml
+++ b/roles/network_plugin/calico/rr/tasks/main.yml
@@ -22,9 +22,9 @@
    state: hard
    force: yes
  with_items:
-    - {s: "ca.pem", d: "ca_cert.crt"}
-    - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
-    - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
+    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
+    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
+    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}

 - name: Calico-rr | Create dir for logs
  file:
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -11,6 +11,8 @@
    src: "cni-calico.conflist.j2"
    dest: "/etc/cni/net.d/{% if calico_version is version('v3.3.0', '>=') %}calico.conflist.template{% else %}10-calico.conflist{% endif %}"
    owner: kube
+  register: calico_conflist
+  notify: reset_calico_cni

 - name: Calico | Create calico certs directory
  file:
@@ -27,9 +29,9 @@
    state: hard
    force: yes
  with_items:
-    - {s: "ca.pem", d: "ca_cert.crt"}
-    - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
-    - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
+    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
+    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
+    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}

 - name: Calico | Install calicoctl wrapper script
  template:
--- a/roles/network_plugin/calico/tasks/pre.yml
+++ b/roles/network_plugin/calico/tasks/pre.yml
@@ -13,4 +13,4 @@
  register: calico_kubelet_name
  delegate_to: "{{ groups['kube-master'][0] }}"
  when:
-    - "cloud_provider is defined"
+    - "cloud_provider is defined"
--- a/roles/network_plugin/calico/templates/etcdv2-store.yml.j2
+++ b/roles/network_plugin/calico/templates/etcdv2-store.yml.j2
@@ -4,6 +4,6 @@ metadata:
 spec:
  datastoreType: "etcdv2"
  etcdEndpoints: "{{ etcd_access_addresses }}"
-  etcdKeyFile: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
-  etcdCertFile: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-  etcdCACertFile: "{{ etcd_cert_dir }}/ca.pem"
+  etcdKeyFile: "{{ etcd_cert_dir }}/{{ kube_etcd_key_file }}"
+  etcdCertFile: "{{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}"
+  etcdCACertFile: "{{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}"
--- a/roles/network_plugin/calico/templates/etcdv3-store.yml.j2
+++ b/roles/network_plugin/calico/templates/etcdv3-store.yml.j2
@@ -4,6 +4,6 @@ metadata:
 spec:
  datastoreType: "etcdv3"
  etcdEndpoints: "{{ etcd_access_addresses }}"
-  etcdKeyFile: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"
-  etcdCertFile: "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-  etcdCACertFile: "{{ etcd_cert_dir }}/ca.pem"
+  etcdKeyFile: "{{ etcd_cert_dir }}/{{ kube_etcd_key_file }}"
+  etcdCertFile: "{{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}"
+  etcdCACertFile: "{{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}"
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -30,3 +30,8 @@ calicoctl_memory_limit: 170M
 calicoctl_cpu_limit: 100m
 calicoctl_memory_requests: 32M
 calicoctl_cpu_requests: 25m
+
+# etcd cert filenames
+kube_etcd_cacert_file: ca.pem
+kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
+kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -20,9 +20,9 @@
    state: hard
    force: yes
  with_items:
-    - {s: "ca.pem", d: "ca_cert.crt"}
-    - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
-    - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
+    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
+    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
+    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}

 - name: Canal | Set Flannel etcd configuration
  command: |-
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -5,6 +5,9 @@ cilium_disable_ipv4: false

 # Etcd SSL dirs
 cilium_cert_dir: /etc/cilium/certs
+kube_etcd_cacert_file: ca.pem
+kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
+kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem

 # Cilium Network Policy directory
 cilium_policy_dir: /etc/kubernetes/policy
--- a/roles/network_plugin/cilium/handlers/main.yml
+++ b/roles/network_plugin/cilium/handlers/main.yml
@@ -11,4 +11,4 @@
 - name: Kubelet | reload kubelet
  service:
    name: kubelet
-    state: restarted
+    state: restarted
--- a/roles/network_plugin/cilium/tasks/main.yml
+++ b/roles/network_plugin/cilium/tasks/main.yml
@@ -21,9 +21,9 @@
    state: hard
    force: yes
  with_items:
-    - {s: "ca.pem", d: "ca_cert.crt"}
-    - {s: "node-{{ inventory_hostname }}.pem", d: "cert.crt"}
-    - {s: "node-{{ inventory_hostname }}-key.pem", d: "key.pem"}
+    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
+    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
+    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}

 - name: Cilium | Create Cilium node manifests
  template: