
Convert calico to self-hosted install

Dan Osborne 7 years ago
parent
commit
da18c831be

+ 115 - 0
playbooks/byo/calico/legacy_upgrade.yml

@@ -0,0 +1,115 @@
+---
+- name: Calico Upgrade | Validate
+  hosts: nodes
+  tasks:
+  - name: Check legacy upgrade exists
+    stat:
+      path: /lib/systemd/system/calico.service
+    register: sym
+  - fail:
+      msg: No service to upgrade
+    when: not sym.stat.exists
+  - include_tasks: upgrade_versions.yml
+
+- import_playbook: ../../init/evaluate_groups.yml
+- import_playbook: ../../init/basic_facts.yml
+- import_playbook: ../../init/cluster_facts.yml
+
+- name: Calico Upgrade | Gather Facts
+  hosts: oo_first_master
+  gather_facts: no
+  pre_tasks:
+  - set_fact:
+      openshift_master_etcd_hosts: "{{ hostvars
+                                     | lib_utils_oo_select_keys(groups['oo_etcd_to_config'] | default([]))
+                                     | lib_utils_oo_collect('openshift.common.hostname')
+                                     | default(none, true) }}"
+      openshift_master_etcd_port: "{{ (etcd_client_port | default('2379')) if (groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config) else none }}"
+  roles:
+  - role: openshift_facts
+  - role: openshift_master_facts
+  - role: lib_openshift
+  tasks:
+  - include_tasks: ../roles/calico_master/tasks/certs.yml
+
+- name: Calico Upgrade | Prepare Nodes
+  hosts: nodes
+  gather_facts: no
+  tasks:
+  - name: Prepull Images
+    command: "docker pull {{ calico_node_image }}"
+
+- name: Calico Upgrade | Initiate
+  hosts: oo_first_master
+  roles:
+  - role: openshift_facts
+  tasks:
+  - name: Calico Master | Create temp directory
+    command: mktemp -d /tmp/openshift-ansible-XXXXXXX
+    register: mktemp
+    changed_when: False
+
+  - name: Calico Master | Write Calico install yaml
+    template:
+      dest: "{{ mktemp.stdout }}/calico.yml"
+      src: ../roles/calico_master/templates/calico.yml.j2
+
+  - name: Calico Master | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico-node
+    oc_adm_policy_user:
+      user: system:serviceaccount:kube-system:calico-node
+      resource_kind: scc
+      resource_name: privileged
+      state: present
+
+  - name: Calico Master | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico-kube-controllers
+    oc_adm_policy_user:
+      user: system:serviceaccount:kube-system:calico-kube-controllers
+      resource_kind: scc
+      resource_name: privileged
+      state: present
+
+  - name: Apply Calico manifest
+    command: >
+      {{ openshift_client_binary }} apply
+      -f {{ mktemp.stdout }}/calico.yml
+      --config={{ openshift.common.config_base }}/master/admin.kubeconfig
+    register: calico_create_output
+    failed_when: "('already exists' not in calico_create_output.stderr) and ('created' not in calico_create_output.stdout) and calico_create_output.rc != 0"
+    changed_when: ('created' in calico_create_output.stdout)
+
+  - name: Delete old policy controller
+    oc_obj:
+      name: calico-policy-controller
+      kind: deployment
+      state: absent
+      namespace: kube-system
+
+- name: Calico Upgrade | Upgrade nodes
+  hosts: nodes
+  serial: 1
+  any_errors_fatal: true
+  tasks:
+  - name: Stop legacy service
+    become: yes
+    systemd:
+      name: calico
+      state: stopped
+  - name: Apply node label
+    delegate_to: "{{ groups.oo_first_master.0 }}"
+    command: >
+      {{ openshift_client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig label node {{ openshift.node.nodename | lower }} --overwrite projectcalico.org/ds-ready=true
+  - name: Wait for node running
+    uri:
+      url: http://localhost:9099/readiness
+      status_code: 204
+    delay: 3
+    retries: 10
+    register: result
+    until: result.status == 204
+  - name: Disable legacy service
+    become: yes
+    systemd:
+      name: calico
+      enabled: no
+  - name: Rename legacy service
+    command: mv /lib/systemd/system/calico.service /lib/systemd/system/calico-legacy.service.bak

+ 1 - 0
playbooks/byo/calico/roles

@@ -0,0 +1 @@
+../../../roles

+ 25 - 0
playbooks/byo/calico/upgrade_versions.yml

@@ -0,0 +1,25 @@
+---
+# Default variables for the Calico self-hosted upgrade.
+- set_fact:
+    calico_node_image: quay.io/calico/node:v2.6.7
+  when: calico_node_image is not defined
+- set_fact:
+    calico_url_policy_controller: "quay.io/calico/kube-controllers:v1.0.3"
+  when: calico_url_policy_controller is not defined
+- set_fact:
+    calico_cni_image: "quay.io/calico/cni:v1.11.2"
+  when: calico_cni_image is not defined
+- set_fact:
+    calico_ipv4pool_ipip: "always"
+  when: calico_ipv4pool_ipip is not defined
+
+# TODO: move these variables into a calico_common role which only has default values
+- set_fact:
+    calico_ipv4pool_ipip: "always"
+  when: calico_ipv4pool_ipip is not defined
+- set_fact:
+    cni_conf_dir: "/etc/cni/net.d/"
+  when: cni_conf_dir is not defined
+- set_fact:
+    cni_bin_dir: "/opt/cni/bin/"
+  when: cni_bin_dir is not defined
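Review bot: `calico_ipv4pool_ipip` is defaulted twice in this file (the block just before the TODO comment and the first block after it); the second `set_fact` can never fire because the first one already defined the variable, so one of them should be dropped. Separately, every image here is pinned by a mutable tag (`quay.io/calico/node:v2.6.7`, `quay.io/calico/kube-controllers:v1.0.3`, `quay.io/calico/cni:v1.11.2`), and the upgrade play pre-pulls them with `docker pull` on every node; pinning by digest (`quay.io/calico/node@sha256:…`) or at least documenting that the tag should be verified before an upgrade would stop a retagged image from being swapped in silently.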

+ 1 - 40
roles/calico/README.md

@@ -1,42 +1,3 @@
 # Calico
 
-Configure Calico components for the Master host.
-
-## Requirements
-
-* Ansible 2.2
-
-## Installation
-
-To install, set the following inventory configuration parameters:
-
-* `openshift_use_calico=True`
-* `openshift_use_openshift_sdn=False`
-* `os_sdn_network_plugin_name='cni'`
-
-For more information, see [Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
-
-## Improving security with BYO-etcd
-
-By default, Calico uses the etcd set up by OpenShift. To accomplish this, it generates and distributes client etcd certificates to each node.
-Distributing these certs across the cluster in this way weakens the overall security,
-so Calico should not be deployed in production in this mode.
-
-Instead, Calico can be installed in BYO-etcd mode, where it connects to an externally
-set up etcd. For information on deploying Calico in BYO-etcd mode, see 
-[Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
-
-## Calico Configuration Options
-
-Additional parameters that can be defined in the inventory are:
-
-| Environment | Description | Schema | Default |   
-|---------|----------------------|---------|---------|
-| CALICO_IPV4POOL_IPIP | IPIP Mode to use for the IPv4 POOL created at start up.	| off, always, cross-subnet	| always |
-| CALICO_LOG_DIR | Directory on the host machine where Calico Logs are written.| String	| /var/log/calico |
-
-### Contact Information
-
-Author: Dan Osborne <dan@projectcalico.org>
-
-For support, join the `#openshift` channel on the [calico users slack](calicousers.slack.com).
+Please see [calico_master](../calico_master/README.md)

+ 0 - 14
roles/calico/defaults/main.yaml

@@ -1,14 +0,0 @@
----
-kubeconfig: "{{  openshift.common.config_base }}/node/{{ 'system:node:' +  openshift.common.hostname }}.kubeconfig"
-
-cni_conf_dir: "/etc/cni/net.d/"
-cni_bin_dir: "/opt/cni/bin/"
-cni_url: "https://github.com/containernetworking/cni/releases/download/v0.5.2/cni-amd64-v0.5.2.tgz"
-
-calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico"
-calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico-ipam"
-
-calico_ipv4pool_ipip: "always"
-
-calico_log_dir: "/var/log/calico"
-calico_node_image: "calico/node:v2.5.0"

+ 0 - 14
roles/calico/handlers/main.yml

@@ -1,14 +0,0 @@
----
-- name: restart calico
-  become: yes
-  systemd: name=calico state=restarted
-
-- name: restart container runtime
-  become: yes
-  systemd:
-    name: "{{ openshift_docker_service_name }}"
-    state: restarted
-  register: l_docker_restart_docker_in_calico_result
-  until: not (l_docker_restart_docker_in_calico_result is failed)
-  retries: 3
-  delay: 30

+ 0 - 2
roles/calico/meta/main.yml

@@ -13,6 +13,4 @@ galaxy_info:
   - cloud
   - system
 dependencies:
-- role: lib_utils
 - role: openshift_facts
-- role: openshift_master_facts

+ 29 - 101
roles/calico/tasks/main.yml

@@ -1,103 +1,31 @@
 ---
-- name: Calico Node | Error if invalid cert arguments
-  fail:
-    msg: "Must provide all or none for the following etcd params: calico_etcd_cert_dir, calico_etcd_ca_cert_file, calico_etcd_cert_file, calico_etcd_key_file, calico_etcd_endpoints"
-  when:
-  - calico_etcd_cert_dir is defined or calico_etcd_ca_cert_file is defined or calico_etcd_cert_file is defined or calico_etcd_key_file is defined or calico_etcd_endpoints is defined
-  - not (calico_etcd_cert_dir is defined and calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined)
-
-- name: Calico Node | Generate OpenShift-etcd certs
-  import_role:
-    name: etcd
-    tasks_from: client_certificates
-  when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined
-  vars:
-    etcd_cert_prefix: calico.etcd-
-    etcd_cert_config_dir: "{{ openshift.common.config_base }}/calico"
-    etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
-    etcd_cert_subdir: "openshift-calico-{{ openshift.common.hostname }}"
-
-- name: Calico Node | Set etcd cert location facts
-  when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined
-  set_fact:
-    calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt"
-    calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt"
-    calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key"
-    calico_etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}"
-    calico_etcd_cert_dir: "/etc/origin/calico/"
-
-- name: Calico Node | Error if no certs set.
-  fail:
-    msg: "Invalid etcd configuration for calico."
-  when: item is not defined or item == ''
-  with_items:
-  - calico_etcd_ca_cert_file
-  - calico_etcd_cert_file
-  - calico_etcd_key_file
-  - calico_etcd_endpoints
-
-- name: Calico Node | Assure the calico certs are present
+- name: Check for legacy service
   stat:
-    path: "{{ item }}"
-  with_items:
-  - "{{ calico_etcd_ca_cert_file }}"
-  - "{{ calico_etcd_cert_file }}"
-  - "{{ calico_etcd_key_file }}"
-
-- name: Calico Node | Configure Calico service unit file
-  template:
-    dest: "/lib/systemd/system/calico.service"
-    src: calico.service.j2
-
-- name: Calico Node | Enable calico
-  become: yes
-  systemd:
-    name: calico
-    daemon_reload: yes
-    state: started
-    enabled: yes
-  register: start_result
-
-- name: Calico Node | Assure CNI conf dir exists
-  become: yes
-  file: path="{{ cni_conf_dir }}" state=directory
-
-- name: Calico Node | Generate Calico CNI config
-  become: yes
-  template:
-    src: "10-calico.conf.j2"
-    dest: "{{ cni_conf_dir }}/10-calico.conf"
-
-- name: Calico Node | Assures Kuberentes CNI bin dir exists
-  become: yes
-  file: path="{{ cni_bin_dir }}" state=directory
-
-- name: Calico Node | Download Calico CNI Plugin
-  become: yes
-  get_url:
-    url: "{{ calico_url_cni }}"
-    dest: "{{ cni_bin_dir }}"
-    mode: a+x
-
-- name: Calico Node | Download Calico IPAM Plugin
-  become: yes
-  get_url:
-    url: "{{ calico_url_ipam }}"
-    dest: "{{ cni_bin_dir }}"
-    mode: a+x
-
-- name: Calico Node | Download and extract standard CNI plugins
-  become: yes
-  unarchive:
-    remote_src: True
-    src: "{{ cni_url }}"
-    dest: "{{ cni_bin_dir }}"
-
-- name: Calico Node | Assure Calico conf dir exists
-  become: yes
-  file: path=/etc/calico/ state=directory
-
-- name: Calico Node | Set calicoctl.cfg
-  template:
-    src: calicoctl.cfg.j2
-    dest: "/etc/calico/calicoctl.cfg"
+    path: /lib/systemd/system/calico.service
+  register: sym
+- fail:
+    msg: You are running a systemd based installation of Calico. Please run the calico upgrade playbook to upgrade to a self-hosted installation.
+  when: sym.stat.exists
+
+# TODO: Move into shared vars file
+- name: Load default node image
+  set_fact:
+    calico_node_image: "quay.io/calico/node:v2.6.7"
+  when: calico_node_image is not defined
+
+- name: Prepull Images
+  command: "docker pull {{ calico_node_image }}"
+
+- name: Apply node label
+  delegate_to: "{{ groups.oo_first_master.0 }}"
+  command: >
+    {{ openshift_client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig label node {{ openshift.node.nodename | lower }} --overwrite projectcalico.org/ds-ready=true
+
+- name: Wait for node running
+  uri:
+    url: http://localhost:9099/readiness
+    status_code: 204
+  delay: 3
+  retries: 10
+  register: result
+  until: result.status == 204
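Review bot: `Prepull Images` runs `docker pull` on every invocation without `changed_when`, so the role always reports a change, and unlike the removed tasks it carries no `become: yes`, so it relies on the Ansible user already having access to the Docker socket; suggest `become: yes` plus `changed_when: false` (or `register` the output and key `changed_when` on it). The default `quay.io/calico/node:v2.6.7` set in `Load default node image` is duplicated in playbooks/byo/calico/upgrade_versions.yml and roles/calico_master/defaults/main.yaml; if only one of the three is bumped, nodes pre-pull a different image than the DaemonSet actually runs, which quietly defeats the prepull. The TODO already acknowledges the duplication, but until the shared role exists, reading the value from the first master's hostvars (where calico_master's default applies) would remove the drift.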

+ 0 - 18
roles/calico/templates/10-calico.conf.j2

@@ -1,18 +0,0 @@
-{
-  "name": "calico",
-  "type": "calico",
-  "ipam": {
-    "type": "calico-ipam"
-  },
-  "etcd_endpoints": "{{ calico_etcd_endpoints }}",
-  "etcd_key_file": "{{ calico_etcd_key_file }}",
-  "etcd_cert_file": "{{ calico_etcd_cert_file }}",
-  "etcd_ca_cert_file": "{{ calico_etcd_ca_cert_file }}",
-  "kubernetes": {
-    "kubeconfig": "{{ kubeconfig }}"
-  },
-  "hostname": "{{ openshift.common.hostname }}",
-  "policy": {
-    "type": "k8s"
-  }
-}

+ 0 - 32
roles/calico/templates/calico.service.j2

@@ -1,32 +0,0 @@
-[Unit]
-Description=calico
-After={{ openshift_docker_service_name }}.service
-Requires={{ openshift_docker_service_name }}.service
-
-[Service]
-Restart=always
-ExecStartPre=-/usr/bin/docker rm -f calico-node
-ExecStart=/usr/bin/docker run --net=host --privileged \
- --name=calico-node \
- -e WAIT_FOR_DATASTORE=true \
- -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \
- -e CALICO_IPV4POOL_IPIP={{ calico_ipv4pool_ipip }} \
- -e CALICO_IPV4POOL_CIDR={{ openshift.master.sdn_cluster_network_cidr }} \
- -e FELIX_IPV6SUPPORT=false \
- -e ETCD_ENDPOINTS={{ calico_etcd_endpoints }} \
- -v {{ calico_etcd_cert_dir }}:{{ calico_etcd_cert_dir }}  \
- -e ETCD_CA_CERT_FILE={{ calico_etcd_ca_cert_file }} \
- -e ETCD_CERT_FILE={{ calico_etcd_cert_file }} \
- -e ETCD_KEY_FILE={{ calico_etcd_key_file }} \
- -e CLUSTER_TYPE=origin,bgp \
- -e NODENAME={{ openshift.common.hostname }} \
- -v {{ calico_log_dir }}:/var/log/calico\
- -v /lib/modules:/lib/modules \
- -v /var/run/calico:/var/run/calico \
- {{ calico_node_image }}
-
-
-ExecStop=-/usr/bin/docker stop calico-node
-
-[Install]
-WantedBy=multi-user.target

+ 0 - 9
roles/calico/templates/calicoctl.cfg.j2

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: calicoApiConfig
-metadata:
-spec:
-  datastoreType: "etcdv2"
-  etcdEndpoints: "{{ calico_etcd_endpoints }}"
-  etcdKeyFile: "{{ calico_etcd_key_file }}"
-  etcdCertFile: "{{ calico_etcd_cert_file }}"
-  etcdCaCertFile: "{{ calico_etcd_ca_cert_file }}"

+ 15 - 6
roles/calico_master/README.md

@@ -6,12 +6,6 @@ Configure Calico components for the Master host.
 
 * Ansible 2.2
 
-## Warning: This Calico Integration is in Alpha
-
-Calico shares the etcd instance used by OpenShift, and distributes client etcd certificates to each node.
-For this reason, **we do not (yet) recommend running Calico on any production-like
-cluster, or using it for any purpose besides early access testing.**
-
 ## Installation
 
 To install, set the following inventory configuration parameters:
@@ -20,7 +14,22 @@ To install, set the following inventory configuration parameters:
 * `openshift_use_openshift_sdn=False`
 * `os_sdn_network_plugin_name='cni'`
 
+By default, Calico will share the etcd used by OpenShift.
+To configure Calico to use a separate instance of etcd, place etcd SSL client certs on your master,
+then set the following variables in your inventory.ini:
+
+* `calico_etcd_ca_cert_file=/path/to/etcd-ca.crt`
+* `calico_etcd_cert_file=/path/to/etcd-client.crt`
+* `calico_etcd_key_file=/path/to/etcd-client.key`
+* `calico_etcd_endpoints=https://etcd:2379`
+
+## Upgrading
+
+OpenShift-Ansible installs Calico as a self-hosted install. Previously, Calico ran as a systemd service. Running Calico
+in this manner is now deprecated, and must be upgraded to a hosted cluster. Please run the Legacy Upgrade playbook to
+upgrade your existing Calico deployment to a hosted deployment:
 
+        ansible-playbook -i inventory.ini playbooks/byo/calico/legacy_upgrade.yml
 
 ## Additional Calico/Node and Felix Configuration Options
 

+ 6 - 5
roles/calico_master/defaults/main.yaml

@@ -1,7 +1,8 @@
 ---
-kubeconfig: "{{ openshift.common.config_base }}/master/openshift-master.kubeconfig"
+cni_conf_dir: "/etc/cni/net.d/"
+cni_bin_dir: "/opt/cni/bin/"
 
-calicoctl_bin_dir: "/usr/local/bin/"
-
-calico_url_calicoctl: "https://github.com/projectcalico/calicoctl/releases/download/v1.5.0/calicoctl"
-calico_url_policy_controller: "quay.io/calico/kube-policy-controller:v0.7.0"
+calico_url_policy_controller: "quay.io/calico/kube-controllers:v1.0.3"
+calico_node_image: "quay.io/calico/node:v2.6.7"
+calico_cni_image: "quay.io/calico/cni:v1.11.2"
+calico_ipv4pool_ipip: "always"

+ 0 - 1
roles/calico_master/meta/main.yml

@@ -14,5 +14,4 @@ galaxy_info:
   - system
 dependencies:
 - role: lib_utils
-- role: calico
 - role: openshift_facts

+ 49 - 0
roles/calico_master/tasks/certs.yml

@@ -0,0 +1,49 @@
+---
+- name: Calico Node | Set cert flag
+  set_fact:
+    calico_certs_provided: "{{ calico_etcd_ca_cert_file is defined or calico_etcd_cert_file is defined or calico_etcd_key_file is defined or calico_etcd_endpoints is defined | bool }}"
+
+- name: Calico Node | Error if invalid cert arguments
+  fail:
+    msg: "Must provide all or none for the following etcd params: calico_etcd_ca_cert_file, calico_etcd_cert_file, calico_etcd_key_file, calico_etcd_endpoints"
+  when:
+  - calico_certs_provided
+  - not (calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined)
+
+- name: Calico Node | Set etcd cert location facts
+  when: not calico_certs_provided
+  set_fact:
+    calico_etcd_ca_cert_file: "/etc/origin/master/master.etcd-ca.crt"
+    calico_etcd_cert_file: "/etc/origin/master/master.etcd-client.crt"
+    calico_etcd_key_file: "/etc/origin/master/master.etcd-client.key"
+    calico_etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}"
+
+- name: Calico Node | Error if no certs set.
+  fail:
+    msg: "Invalid etcd configuration for calico."
+  when: item is not defined or item == ''
+  with_items:
+  - calico_etcd_ca_cert_file
+  - calico_etcd_cert_file
+  - calico_etcd_key_file
+  - calico_etcd_endpoints
+
+- name: Calico Node | Assure the calico certs are present
+  stat:
+    path: "{{ item }}"
+  with_items:
+  - "{{ calico_etcd_ca_cert_file }}"
+  - "{{ calico_etcd_cert_file }}"
+  - "{{ calico_etcd_key_file }}"
+
+- name: Create secret
+  oc_secret:
+    name: calico-etcd-secrets
+    namespace: kube-system
+    files:
+    - name: etcd-key
+      path: "{{ calico_etcd_key_file }}"
+    - name: etcd-cert
+      path: "{{ calico_etcd_cert_file }}"
+    - name: etcd-ca
+      path: "{{ calico_etcd_ca_cert_file }}"
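Review bot: When no `calico_etcd_*` variables are supplied, `Set etcd cert location facts` falls back to the master's own etcd client identity (`/etc/origin/master/master.etcd-client.crt` and `.key`) and `Create secret` copies that private key into the `calico-etcd-secrets` Secret in kube-system, so anyone who can read Secrets in that namespace, and every privileged calico-node pod on every node, holds the same credential the master uses against etcd — presumably full read/write of all cluster state including Kubernetes Secrets, since a stock OpenShift etcd has no per-client authorization. The removed roles/calico/tasks/main.yml generated a dedicated `calico.etcd-` client cert via `import_role: { name: etcd, tasks_from: client_certificates }`; keeping that step on the first master and feeding its output to `oc_secret` would give Calico a credential that can be rotated or revoked without touching the master's, and the shared-etcd warning that this commit deletes from both READMEs should stay until then. Also, `Assure the calico certs are present` only runs `stat` and never inspects the result, so a missing file is first noticed when `oc_secret` fails; add `register: calico_cert_stat` and then `- fail: { msg: "Missing {{ item.item }}" }` with `when: not item.stat.exists` looping over `calico_cert_stat.results`. The `Error if no certs set` loop iterates over literal variable names, so `item is not defined` is never true for a string and `item == ''` never matches; it should test `vars[item]` (or `lookup('vars', item)`) instead.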

+ 21 - 28
roles/calico_master/tasks/main.yml

@@ -1,26 +1,34 @@
 ---
-- name: Calico Master | Assure the calico certs have been generated
-  stat:
-    path: "{{ item }}"
-  with_items:
-  - "{{ calico_etcd_ca_cert_file }}"
-  - "{{ calico_etcd_cert_file }}"
-  - "{{ calico_etcd_key_file }}"
+- include_tasks: certs.yml
 
-- name: Calico Master | Create temp directory for policy controller definition
+- name: Calico Master | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico-node
+  oc_adm_policy_user:
+    user: system:serviceaccount:kube-system:calico-node
+    resource_kind: scc
+    resource_name: privileged
+    state: present
+
+- name: Calico Master | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico-kube-controllers
+  oc_adm_policy_user:
+    user: system:serviceaccount:kube-system:calico-kube-controllers
+    resource_kind: scc
+    resource_name: privileged
+    state: present
+
+- name: Calico Master | Create temp directory
   command: mktemp -d /tmp/openshift-ansible-XXXXXXX
   register: mktemp
   changed_when: False
 
-- name: Calico Master | Write Calico Policy Controller definition
+- name: Calico Master | Write Calico
   template:
-    dest: "{{ mktemp.stdout }}/calico-policy-controller.yml"
-    src: calico-policy-controller.yml.j2
+    dest: "{{ mktemp.stdout }}/calico.yml"
+    src: calico.yml.j2
 
-- name: Calico Master | Launch Calico Policy Controller
+- name: Calico Master | Launch Calico
   command: >
     {{ openshift_client_binary }} create
-    -f {{ mktemp.stdout }}/calico-policy-controller.yml
+    -f {{ mktemp.stdout }}/calico.yml
     --config={{ openshift.common.config_base }}/master/admin.kubeconfig
   register: calico_create_output
   failed_when: "('already exists' not in calico_create_output.stderr) and ('created' not in calico_create_output.stdout) and calico_create_output.rc != 0"
@@ -31,18 +39,3 @@
     name: "{{ mktemp.stdout }}"
     state: absent
   changed_when: False
-
-
-- name: Calico Master | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico
-  oc_adm_policy_user:
-    user: system:serviceaccount:kube-system:calico
-    resource_kind: scc
-    resource_name: privileged
-    state: present
-
-- name: Download Calicoctl
-  become: yes
-  get_url:
-    url: "{{ calico_url_calicoctl }}"
-    dest: "{{ calicoctl_bin_dir }}"
-    mode: a+x
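Review bot: `Launch Calico` still uses `oc create` and treats `already exists` as success, so once the objects exist a changed `calico.yml.j2` (new image tag, new pool settings, new RBAC rules) is never pushed to the cluster; the new playbooks/byo/calico/legacy_upgrade.yml in this same commit already uses `oc apply` for the identical manifest, and switching this task to `{{ openshift_client_binary }} apply` makes the role idempotent and consistent with the upgrade path. Both grants hand the `privileged` SCC to the service accounts; calico-node's DaemonSet does run with `privileged: true`, but the kube-controllers Deployment is not in the part of calico.yml.j2 visible in this commit, so if it only needs `hostNetwork` (as the deleted policy-controller manifest did) the `hostnetwork` SCC would be the least-privilege choice for `calico-kube-controllers`. Worth confirming too that the manifest actually creates the `calico-node` and `calico-kube-controllers` ServiceAccounts in kube-system: the ClusterRoleBindings in the visible part of calico.yml.j2 reference them, but no ServiceAccount objects appear there, whereas the removed template declared one explicitly.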

+ 0 - 105
roles/calico_master/templates/calico-policy-controller.yml.j2

@@ -1,105 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: calico
-  namespace: kube-system
----
-kind: ClusterRole
-apiVersion: v1
-metadata:
-  name: calico
-  namespace: kube-system
-rules:
-  - apiGroups: [""]
-    resources:
-      - pods
-      - namespaces
-    verbs:
-      - list
-      - get
-      - watch
-  - apiGroups: ["extensions"]
-    resources:
-      - networkpolicies
-    verbs:
-      - list
-      - get
-      - watch
----
-apiVersion: v1
-kind: ClusterRoleBinding
-metadata:
-  name: calico
-roleRef:
-  name: calico
-subjects:
-- kind: SystemUser
-  name: kube-system:calico
-- kind: ServiceAccount
-  name: calico
-  namespace: kube-system
-userNames:
-  - system:serviceaccount:kube-system:calico
----
-# This manifest deploys the Calico policy controller on Kubernetes.
-# See https://github.com/projectcalico/k8s-policy
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
-  name: calico-policy-controller
-  namespace: kube-system
-  labels:
-    k8s-app: calico-policy
-  annotations:
-    scheduler.alpha.kubernetes.io/critical-pod: ''
-    scheduler.alpha.kubernetes.io/tolerations: |
-      [{"key": "dedicated", "value": "master", "effect": "NoSchedule" },
-       {"key":"CriticalAddonsOnly", "operator":"Exists"}]
-spec:
-  # The policy controller can only have a single active instance.
-  replicas: 1
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      name: calico-policy-controller
-      namespace: kube-system
-      labels:
-        k8s-app: calico-policy
-    spec:
-      # The policy controller must run in the host network namespace so that
-      # it isn't governed by policy that would prevent it from working.
-      hostNetwork: true
-      serviceAccountName: calico
-      containers:
-        - name: calico-policy-controller
-          image: {{ calico_url_policy_controller }}
-          env:
-            # The location of the Calico etcd cluster.
-            - name: ETCD_ENDPOINTS
-              value: {{ calico_etcd_endpoints }}
-            # Location of the CA certificate for etcd.
-            - name: ETCD_CA_CERT_FILE
-              value: {{ calico_etcd_ca_cert_file }}
-            # Location of the client key for etcd.
-            - name: ETCD_KEY_FILE
-              value: {{ calico_etcd_key_file }}
-            # Location of the client certificate for etcd.
-            - name: ETCD_CERT_FILE
-              value: {{ calico_etcd_cert_file }}
-            # Since we're running in the host namespace and might not have KubeDNS
-            # access, configure the container's /etc/hosts to resolve
-            # kubernetes.default to the correct service clusterIP.
-            - name: CONFIGURE_ETC_HOSTS
-              value: "true"
-          volumeMounts:
-            # Mount in the etcd TLS secrets.
-            - name: certs
-              mountPath: {{ calico_etcd_cert_dir }}
-
-      volumes:
-        # Mount in the etcd TLS secrets.
-        - name: certs
-          hostPath:
-            path: {{ calico_etcd_cert_dir }}

+ 400 - 0
roles/calico_master/templates/calico.yml.j2

@@ -0,0 +1,400 @@
+---
+kind: ClusterRole
+apiVersion: v1
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+      - pods
+      - namespaces
+      - networkpolicies
+      - nodes
+    verbs:
+      - watch
+      - list
+---
+kind: ClusterRoleBinding
+apiVersion: v1
+metadata:
+  name: calico-kube-controllers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+  name: calico-kube-controllers
+  namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: v1
+metadata:
+  name: calico-node
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+    verbs:
+      - get
+---
+apiVersion: v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-node
+subjects:
+- kind: ServiceAccount
+  name: calico-node
+  namespace: kube-system
+
+---
+# This ConfigMap is used to configure a self-hosted Calico installation.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: calico-config
+  namespace: kube-system
+data:
+  # Configure this with the location of your etcd cluster.
+  etcd_endpoints: "{{ calico_etcd_endpoints }}"
+  
+  # Configure the Calico backend to use.
+  calico_backend: "bird"
+
+  # The CNI network configuration to install on each node.
+  cni_network_config: |-
+    {
+        "name": "k8s-pod-network",
+        "cniVersion": "0.1.0",
+        "type": "calico",
+        "etcd_endpoints": "__ETCD_ENDPOINTS__",
+        "etcd_key_file": "__ETCD_KEY_FILE__",
+        "etcd_cert_file": "__ETCD_CERT_FILE__",
+        "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
+        "log_level": "info",
+        "mtu": 1500,
+        "ipam": {
+            "type": "calico-ipam"
+        },
+        "policy": {
+            "type": "k8s",
+            "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
+            "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
+        },
+        "kubernetes": {
+            "kubeconfig": "__KUBECONFIG_FILEPATH__"
+        }
+    }
+
+  etcd_ca: "/calico-secrets/etcd-ca"
+  etcd_cert: "/calico-secrets/etcd-cert"
+  etcd_key: "/calico-secrets/etcd-key"
+
+---
+
+# This manifest installs the calico/node container, as well
+# as the Calico CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: calico-node
+  namespace: kube-system
+  labels:
+    k8s-app: calico-node
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  selector:
+    matchLabels:
+      k8s-app: calico-node
+  template:
+    metadata:
+      labels:
+        k8s-app: calico-node
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      nodeSelector:
+        projectcalico.org/ds-ready: "true"
+      hostNetwork: true
+      tolerations:
+        # Make sure calico/node gets scheduled on all nodes.
+        - effect: NoSchedule
+          operator: Exists
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+      serviceAccountName: calico-node
+      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
+      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
+      terminationGracePeriodSeconds: 0
+      containers:
+        # Runs calico/node container on each Kubernetes node.  This
+        # container programs network policy and routes on each
+        # host.
+        - name: calico-node
+          image: {{ calico_node_image }}
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+            # Choose the backend to use.
+            - name: CALICO_NETWORKING_BACKEND
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: calico_backend
+            # Cluster type to identify the deployment type
+            - name: CLUSTER_TYPE
+              value: "origin,bgp"
+            # Disable file logging so `kubectl logs` works.
+            - name: CALICO_DISABLE_FILE_LOGGING
+              value: "true"
+            # Set noderef for node controller.
+            - name: CALICO_K8S_NODE_REF
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            # Set Felix endpoint to host default action to ACCEPT.
+            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+              value: "ACCEPT"
+            # Configure the IP Pool from which Pod IPs will be chosen.
+            - name: CALICO_IPV4POOL_CIDR
+              value: "{{ openshift.master.sdn_cluster_network_cidr }}"
+            - name: CALICO_IPV4POOL_IPIP
+              value: "{{ calico_ipv4pool_ipip }}"
+            # Disable IPv6 on Kubernetes.
+            - name: FELIX_IPV6SUPPORT
+              value: "false"
+            # Set Felix logging to "info"
+            - name: FELIX_LOGSEVERITYSCREEN
+              value: "info"
+            # Set MTU for tunnel device used if ipip is enabled
+            - name: FELIX_IPINIPMTU
+              value: "1440"
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+            # Location of the CA certificate for etcd.
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_ca
+            # Location of the client key for etcd.
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_key
+            # Location of the client certificate for etcd.
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_cert
+            # Auto-detect the BGP IP address.
+            - name: IP
+              value: ""
+            - name: FELIX_HEALTHENABLED
+              value: "true"
+          securityContext:
+            privileged: true
+          livenessProbe:
+            httpGet:
+              path: /liveness
+              port: 9099
+            periodSeconds: 10
+            initialDelaySeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            httpGet:
+              path: /readiness
+              port: 9099
+            periodSeconds: 10
+          volumeMounts:
+            - mountPath: /lib/modules
+              name: lib-modules
+              readOnly: true
+            - mountPath: /var/run/calico
+              name: var-run-calico
+              readOnly: false
+            - mountPath: /calico-secrets
+              name: etcd-certs
+        # This container installs the Calico CNI binaries
+        # and CNI network config file on each node.
+        - name: install-cni
+          securityContext:
+            privileged: true
+          image: {{ calico_cni_image }}
+          command: ["/install-cni.sh"]
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+            # The CNI network config to install on each node.
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: cni_network_config
+            # Location of the CA certificate for etcd.
+            - name: CNI_CONF_ETCD_CA
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_ca
+            # Location of the client key for etcd.
+            - name: CNI_CONF_ETCD_KEY
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_key
+            # Location of the client certificate for etcd.
+            - name: CNI_CONF_ETCD_CERT
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_cert
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /calico-secrets
+              name: etcd-certs
+      volumes:
+        # Used by calico/node.
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: var-run-calico
+          hostPath:
+            path: /var/run/calico
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: {{ cni_bin_dir }}
+        - name: cni-net-dir
+          hostPath:
+            path: {{ cni_conf_dir }}
+        # Mount in the etcd TLS secrets.
+        - name: etcd-certs
+          secret:
+            secretName: calico-etcd-secrets
+
+---
+
+# This manifest deploys the Calico Kubernetes controllers.
+# See https://github.com/projectcalico/kube-controllers
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+  labels:
+    k8s-app: calico-kube-controllers
+  annotations:
+    scheduler.alpha.kubernetes.io/critical-pod: ''
+spec:
+  # The controllers can only have a single active instance.
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      name: calico-kube-controllers
+      namespace: kube-system
+      labels:
+        k8s-app: calico-kube-controllers
+    spec:
+      # The controllers must run in the host network namespace so that
+      # it isn't governed by policy that would prevent it from working.
+      hostNetwork: true
+      tolerations:
+        # Mark the pod as a critical add-on for rescheduling.
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      serviceAccountName: calico-kube-controllers
+      containers:
+        - name: calico-kube-controllers
+          securityContext:
+            privileged: true
+          image: {{ calico_url_policy_controller }}
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_endpoints
+            # Location of the CA certificate for etcd.
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_ca
+            # Location of the client key for etcd.
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_key
+            # Location of the client certificate for etcd.
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: etcd_cert
+            # Choose which controllers to run.
+            - name: ENABLED_CONTROLLERS
+              value: policy,profile,workloadendpoint,node
+          volumeMounts:
+            # Mount in the etcd TLS secrets.
+            - mountPath: /calico-secrets
+              name: etcd-certs
+      volumes:
+        # Mount in the etcd TLS secrets.
+        - name: etcd-certs
+          secret:
+            secretName: calico-etcd-secrets
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-node
+  namespace: kube-system