Add etcd TLS support

2026-02-12 06:54:46 -03:30 · 2016-11-09 13:44:41 +03:00
parent 95b460ae94
commit a32cd85eb7
25 changed files with 408 additions and 35 deletions
--- a/roles/network_plugin/flannel/tasks/main.yml
+++ b/roles/network_plugin/flannel/tasks/main.yml
@@ -1,9 +1,11 @@
 ---
- name: Flannel | Write flannel configuration
-  template:
-    src: network.json
-    dest: /etc/flannel-network.json
-    backup: yes
+- name: Flannel | Set Flannel etcd configuration
+  command: |-
+    {{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} \
+    set /{{ cluster_name }}/network/config \
+    '{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }'
+  delegate_to: "{{groups['etcd'][0]}}"
+  run_once: true

 - name: Flannel | Create flannel pod manifest
  template:
--- a/roles/network_plugin/flannel/templates/flannel-pod.yml
+++ b/roles/network_plugin/flannel/templates/flannel-pod.yml
@@ -12,26 +12,16 @@
      - name: "subnetenv"
        hostPath:
          path: "/run/flannel"
-      - name: "networkconfig"
+      - name: "etcd-certs"
        hostPath:
-          path: "/etc/flannel-network.json"
+          path: "{{ etcd_cert_dir }}"
    containers:
-      - name: "flannel-server-helper"
-        image: "{{ flannel_server_helper_image_repo }}:{{ flannel_server_helper_image_tag }}"
-        args:
-          - "--network-config=/etc/flannel-network.json"
-          - "--etcd-prefix=/{{ cluster_name }}/network"
-          - "--etcd-endpoints={{ etcd_access_endpoint }}"
-        volumeMounts:
-          - name: "networkconfig"
-            mountPath: "/etc/flannel-network.json"
-        imagePullPolicy: "Always"
      - name: "flannel-container"
        image: "{{ flannel_image_repo }}:{{ flannel_image_tag }}"
        command:
          - "/bin/sh"
          - "-c"
-          - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
+          - "/opt/bin/flanneld -etcd-endpoints {{ etcd_access_endpoint }} -etcd-prefix /{{ cluster_name }}/network -etcd-cafile {{ etcd_cert_dir }}/ca.pem -etcd-certfile {{ etcd_cert_dir }}/node.pem -etcd-keyfile {{ etcd_cert_dir }}/node-key.pem {% if flannel_interface is defined %}-iface {{ flannel_interface }}{% endif %} {% if flannel_public_ip is defined %}-public-ip {{ flannel_public_ip }}{% endif %}"
        ports:
          - hostPort: 10253
            containerPort: 10253
@@ -41,6 +31,8 @@
        volumeMounts:
          - name: "subnetenv"
            mountPath: "/run/flannel"
+          - name: "etcd-certs"
+            mountPath: "{{ etcd_cert_dir }}"
        securityContext:
          privileged: true
    hostNetwork: true
--- a/roles/network_plugin/flannel/templates/network.json
+++ b/roles/network_plugin/flannel/templates/network.json
@@ -1 +0,0 @@
-{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }
				`@@ -1 +0,0 @@`
				`{ "Network": "{{ kube_pods_subnet }}", "SubnetLen": {{ kube_network_node_prefix }}, "Backend": { "Type": "{{ flannel_backend_type }}" } }`