Diffstat (limited to 'roles/calico')
-rw-r--r--roles/calico/README.md42
-rw-r--r--roles/calico/defaults/main.yaml14
-rw-r--r--roles/calico/handlers/main.yml14
-rw-r--r--roles/calico/meta/main.yml17
-rw-r--r--roles/calico/tasks/main.yml104
-rw-r--r--roles/calico/templates/10-calico.conf.j218
-rw-r--r--roles/calico/templates/calico.service.j232
-rw-r--r--roles/calico/templates/calicoctl.cfg.j29
8 files changed, 250 insertions, 0 deletions
diff --git a/roles/calico/README.md b/roles/calico/README.md
new file mode 100644
index 000000000..10e5e4e0a
--- /dev/null
+++ b/roles/calico/README.md
@@ -0,0 +1,42 @@
+# Calico
+
+Configure Calico components for the Master host.
+
+## Requirements
+
+* Ansible 2.2
+
+## Installation
+
+To install, set the following inventory configuration parameters:
+
+* `openshift_use_calico=True`
+* `openshift_use_openshift_sdn=False`
+* `os_sdn_network_plugin_name='cni'`
+
+For more information, see [Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Improving security with BYO-etcd
+
+By default, Calico uses the etcd set up by OpenShift. To accomplish this, it generates and distributes client etcd certificates to each node.
+Distributing these certs across the cluster in this way weakens the overall security,
+so Calico should not be deployed in production in this mode.
+
+Instead, Calico can be installed in BYO-etcd mode, where it connects to an externally
+set up etcd. For information on deploying Calico in BYO-etcd mode, see
+[Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Calico Configuration Options
+
+Additional parameters that can be defined in the inventory are:
+
+| Environment | Description | Schema | Default |
+|---------|----------------------|---------|---------|
+| CALICO_IPV4POOL_IPIP | IPIP Mode to use for the IPv4 POOL created at start up. | off, always, cross-subnet | always |
+| CALICO_LOG_DIR | Directory on the host machine where Calico Logs are written.| String | /var/log/calico |
+
+### Contact Information
+
+Author: Dan Osborne <dan@projectcalico.org>
+
+For support, join the `#openshift` channel on the [calico users slack](calicousers.slack.com).
diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml
new file mode 100644
index 000000000..be73e8a73
--- /dev/null
+++ b/roles/calico/defaults/main.yaml
@@ -0,0 +1,14 @@
+---
+kubeconfig: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname }}.kubeconfig"
+
+cni_conf_dir: "/etc/cni/net.d/"
+cni_bin_dir: "/opt/cni/bin/"
+cni_url: "https://github.com/containernetworking/cni/releases/download/v0.5.2/cni-amd64-v0.5.2.tgz"
+
+calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico"
+calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico-ipam"
+
+calico_ipv4pool_ipip: "always"
+
+calico_log_dir: "/var/log/calico"
+calico_node_image: "calico/node:v2.5.0"
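Review bot: The pinned download URLs `cni_url`, `calico_url_cni` and `calico_url_ipam` have no companion checksum variables, so the tasks that fetch them have nothing to verify the artifacts against; a version tag in a URL is not integrity protection. Suggest one variable per artifact, e.g. `calico_cni_checksum: "sha256:<CHECKSUM_PLACEHOLDER>"`, passed as the `checksum:` argument of the matching `get_url` task (the tarball behind `cni_url` would need a `get_url` step before `unarchive` to get the same check). `cni_conf_dir` and `cni_bin_dir` also carry a trailing slash while the tasks join them as `"{{ cni_conf_dir }}/10-calico.conf"`, which produces a double slash; harmless, but drop the slash on one side.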
diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml
new file mode 100644
index 000000000..67fc0065f
--- /dev/null
+++ b/roles/calico/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: restart calico
+ become: yes
+ systemd: name=calico state=restarted
+
+- name: restart docker
+ become: yes
+ systemd:
+ name: "{{ openshift.docker.service_name }}"
+ state: restarted
+ register: l_docker_restart_docker_in_calico_result
+ until: not l_docker_restart_docker_in_calico_result | failed
+ retries: 3
+ delay: 30
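Review bot: The `restart calico` handler uses the `key=value` shorthand (`systemd: name=calico state=restarted`) while `restart docker` directly below uses block form; write both the same way, `systemd:` / `name: calico` / `state: restarted`, and use `become: true` instead of `yes` in both. `restart docker` is not notified by any task in the tasks/main.yml added in this commit, so unless something outside the role notifies it, it is unreachable. The `| failed` filter in `until:` is the older filter spelling; `is failed` is the test form, if the project's minimum Ansible version permits it.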
diff --git a/roles/calico/meta/main.yml b/roles/calico/meta/main.yml
new file mode 100644
index 000000000..816c81369
--- /dev/null
+++ b/roles/calico/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+ author: Dan Osborne
+ description: Calico networking
+ company: Tigera, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- role: openshift_facts
+- role: openshift_master_facts
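Review bot: Sequence indentation is mixed within one file: `platforms`, `versions` and `categories` use indented `- ` items while `dependencies` uses flush items; pick one style file-wide. `min_ansible_version: 2.2` and the `versions` entry `- 7` are parsed as numbers rather than strings, which Galaxy appears to tolerate but is fragile for any tooling that compares versions textually; `min_ansible_version: "2.2"` and `- "7"` avoid the ambiguity.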
diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml
new file mode 100644
index 000000000..0e3863304
--- /dev/null
+++ b/roles/calico/tasks/main.yml
@@ -0,0 +1,104 @@
+---
+- name: Calico Node | Error if invalid cert arguments
+ fail:
+ msg: "Must provide all or none for the following etcd params: calico_etcd_cert_dir, calico_etcd_ca_cert_file, calico_etcd_cert_file, calico_etcd_key_file, calico_etcd_endpoints"
+ when:
+ - calico_etcd_cert_dir is defined or calico_etcd_ca_cert_file is defined or calico_etcd_cert_file is defined or calico_etcd_key_file is defined or calico_etcd_endpoints is defined
+ - not (calico_etcd_cert_dir is defined and calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined)
+
+- name: Calico Node | Generate OpenShift-etcd certs
+ include_role:
+ name: etcd
+ tasks_from: client_certificates
+ when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined
+ vars:
+ etcd_cert_prefix: calico.etcd-
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/calico"
+ embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-calico-{{ openshift.common.hostname }}"
+
+- name: Calico Node | Set etcd cert location facts
+ when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined
+ set_fact:
+ calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt"
+ calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt"
+ calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key"
+ calico_etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}"
+ calico_etcd_cert_dir: "/etc/origin/calico/"
+
+- name: Calico Node | Error if no certs set.
+ fail:
+ msg: "Invalid etcd configuration for calico."
+ when: item is not defined or item == ''
+ with_items:
+ - calico_etcd_ca_cert_file
+ - calico_etcd_cert_file
+ - calico_etcd_key_file
+ - calico_etcd_endpoints
+
+- name: Calico Node | Assure the calico certs are present
+ stat:
+ path: "{{ item }}"
+ with_items:
+ - "{{ calico_etcd_ca_cert_file }}"
+ - "{{ calico_etcd_cert_file }}"
+ - "{{ calico_etcd_key_file }}"
+
+- name: Calico Node | Configure Calico service unit file
+ template:
+ dest: "/lib/systemd/system/calico.service"
+ src: calico.service.j2
+
+- name: Calico Node | Enable calico
+ become: yes
+ systemd:
+ name: calico
+ daemon_reload: yes
+ state: started
+ enabled: yes
+ register: start_result
+
+- name: Calico Node | Assure CNI conf dir exists
+ become: yes
+ file: path="{{ cni_conf_dir }}" state=directory
+
+- name: Calico Node | Generate Calico CNI config
+ become: yes
+ template:
+ src: "10-calico.conf.j2"
+ dest: "{{ cni_conf_dir }}/10-calico.conf"
+
+- name: Calico Node | Assures Kuberentes CNI bin dir exists
+ become: yes
+ file: path="{{ cni_bin_dir }}" state=directory
+
+- name: Calico Node | Download Calico CNI Plugin
+ become: yes
+ get_url:
+ url: "{{ calico_url_cni }}"
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Calico Node | Download Calico IPAM Plugin
+ become: yes
+ get_url:
+ url: "{{ calico_url_ipam }}"
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Calico Node | Download and extract standard CNI plugins
+ become: yes
+ unarchive:
+ remote_src: True
+ src: "{{ cni_url }}"
+ dest: "{{ cni_bin_dir }}"
+
+- name: Calico Node | Assure Calico conf dir exists
+ become: yes
+ file: path=/etc/calico/ state=directory
+
+- name: Calico Node | Set calicoctl.cfg
+ template:
+ src: calicoctl.cfg.j2
+ dest: "/etc/calico/calicoctl.cfg"
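Review bot: Neither of the two cert checks, `Calico Node | Error if no certs set.` and `Calico Node | Assure the calico certs are present`, can actually fail: the first loops over the literal names `calico_etcd_ca_cert_file` etc., so `item` is always a defined non-empty string and `item is not defined or item == ''` is never true, and the second runs `stat` without registering or asserting on its result, so a missing cert is only discovered when calico-node fails at runtime. The loop should look each variable up by name (`vars[item]`, or `hostvars[inventory_hostname][item]`) and the `stat` result should be registered and checked, as in the rewrite below. Separately, the `template` tasks that write `/lib/systemd/system/calico.service` and `/etc/calico/calicoctl.cfg` omit `become: yes` while every neighbouring task that touches the filesystem sets it, and the two `get_url` downloads into `cni_bin_dir` pass no `checksum:`, so the plugin binaries placed on the node are unverified.

```yaml
- name: Calico Node | Error if no certs set.
  fail:
    msg: "Invalid etcd configuration for calico."
  when: vars[item] is not defined or vars[item] == ''
  with_items:
    - calico_etcd_ca_cert_file
    - calico_etcd_cert_file
    - calico_etcd_key_file
    - calico_etcd_endpoints

- name: Calico Node | Assure the calico certs are present
  stat:
    path: "{{ item }}"
  register: calico_cert_stat
  with_items:
    - "{{ calico_etcd_ca_cert_file }}"
    - "{{ calico_etcd_cert_file }}"
    - "{{ calico_etcd_key_file }}"

- name: Calico Node | Error if calico certs are missing
  fail:
    msg: "Calico etcd cert file {{ item.item }} does not exist."
  when: not item.stat.exists
  with_items: "{{ calico_cert_stat.results }}"

# … unchanged: service unit, CNI conf/bin dirs, plugin downloads, calicoctl.cfg …
```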
diff --git a/roles/calico/templates/10-calico.conf.j2 b/roles/calico/templates/10-calico.conf.j2
new file mode 100644
index 000000000..1ec569cff
--- /dev/null
+++ b/roles/calico/templates/10-calico.conf.j2
@@ -0,0 +1,18 @@
+{
+ "name": "calico",
+ "type": "calico",
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "etcd_endpoints": "{{ calico_etcd_endpoints }}",
+ "etcd_key_file": "{{ calico_etcd_key_file }}",
+ "etcd_cert_file": "{{ calico_etcd_cert_file }}",
+ "etcd_ca_cert_file": "{{ calico_etcd_ca_cert_file }}",
+ "kubernetes": {
+ "kubeconfig": "{{ kubeconfig }}"
+ },
+ "hostname": "{{ openshift.common.hostname }}",
+ "policy": {
+ "type": "k8s"
+ }
+}
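Review bot: The templated values are interpolated inside JSON string literals without escaping (`"etcd_endpoints": "{{ calico_etcd_endpoints }}"` and the six similar lines), so any value containing a double quote or backslash yields a file the CNI plugin cannot parse. Emitting each value with `to_json` and dropping the hand-written quotes, e.g. `"etcd_endpoints": {{ calico_etcd_endpoints | to_json }},`, produces correctly escaped JSON for every input. These values come from the inventory and the role's own defaults, so this is a robustness point rather than an injection concern.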
diff --git a/roles/calico/templates/calico.service.j2 b/roles/calico/templates/calico.service.j2
new file mode 100644
index 000000000..7653e19b1
--- /dev/null
+++ b/roles/calico/templates/calico.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=calico
+After={{ openshift.docker.service_name }}.service
+Requires={{ openshift.docker.service_name }}.service
+
+[Service]
+Restart=always
+ExecStartPre=-/usr/bin/docker rm -f calico-node
+ExecStart=/usr/bin/docker run --net=host --privileged \
+ --name=calico-node \
+ -e WAIT_FOR_DATASTORE=true \
+ -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \
+ -e CALICO_IPV4POOL_IPIP={{ calico_ipv4pool_ipip }} \
+ -e CALICO_IPV4POOL_CIDR={{ openshift.master.sdn_cluster_network_cidr }} \
+ -e FELIX_IPV6SUPPORT=false \
+ -e ETCD_ENDPOINTS={{ calico_etcd_endpoints }} \
+ -v {{ calico_etcd_cert_dir }}:{{ calico_etcd_cert_dir }} \
+ -e ETCD_CA_CERT_FILE={{ calico_etcd_ca_cert_file }} \
+ -e ETCD_CERT_FILE={{ calico_etcd_cert_file }} \
+ -e ETCD_KEY_FILE={{ calico_etcd_key_file }} \
+ -e CLUSTER_TYPE=origin,bgp \
+ -e NODENAME={{ openshift.common.hostname }} \
+ -v {{ calico_log_dir }}:/var/log/calico\
+ -v /lib/modules:/lib/modules \
+ -v /var/run/calico:/var/run/calico \
+ {{ calico_node_image }}
+
+
+ExecStop=-/usr/bin/docker stop calico-node
+
+[Install]
+WantedBy=multi-user.target
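Review bot: The line `-v {{ calico_log_dir }}:/var/log/calico\` is the only continuation line with no space before the backslash; systemd replaces a line-ending backslash with a space when joining lines, so it happens to work, but it reads as a typo and any other consumer of this command string would glue the next argument on. Write it as `-v {{ calico_log_dir }}:/var/log/calico \` to match the surrounding lines. The double blank line before `ExecStop` can also be collapsed to one.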
diff --git a/roles/calico/templates/calicoctl.cfg.j2 b/roles/calico/templates/calicoctl.cfg.j2
new file mode 100644
index 000000000..a00ea27dc
--- /dev/null
+++ b/roles/calico/templates/calicoctl.cfg.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: calicoApiConfig
+metadata:
+spec:
+ datastoreType: "etcdv2"
+ etcdEndpoints: "{{ calico_etcd_endpoints }}"
+ etcdKeyFile: "{{ calico_etcd_key_file }}"
+ etcdCertFile: "{{ calico_etcd_cert_file }}"
+ etcdCaCertFile: "{{ calico_etcd_ca_cert_file }}"
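Review bot: `metadata:` is a bare key with no value, which YAML parses as `null` rather than an empty mapping; write `metadata: {}` so the rendered file says what is meant and lints cleanly. The file holds only the paths to the etcd client key and certs, not the material itself, so rendering it without an explicit `mode:` is acceptable as long as the referenced key file keeps its own restrictive permissions.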