Diffstat (limited to 'roles/calico')
-rw-r--r-- | roles/calico/README.md | 42 | ||||
-rw-r--r-- | roles/calico/defaults/main.yaml | 14 | ||||
-rw-r--r-- | roles/calico/handlers/main.yml | 14 | ||||
-rw-r--r-- | roles/calico/meta/main.yml | 17 | ||||
-rw-r--r-- | roles/calico/tasks/main.yml | 100 | ||||
-rw-r--r-- | roles/calico/templates/10-calico.conf.j2 | 18 | ||||
-rw-r--r-- | roles/calico/templates/calico.service.j2 | 32 | ||||
-rw-r--r-- | roles/calico/templates/calicoctl.cfg.j2 | 9 |
8 files changed, 246 insertions, 0 deletions
diff --git a/roles/calico/README.md b/roles/calico/README.md
new file mode 100644
index 000000000..10e5e4e0a
--- /dev/null
+++ b/roles/calico/README.md
@@ -0,0 +1,42 @@
+# Calico
+
+Configure Calico components for the Master host.
+
+## Requirements
+
+* Ansible 2.2
+
+## Installation
+
+To install, set the following inventory configuration parameters:
+
+* `openshift_use_calico=True`
+* `openshift_use_openshift_sdn=False`
+* `os_sdn_network_plugin_name='cni'`
+
+For more information, see [Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Improving security with BYO-etcd
+
+By default, Calico uses the etcd set up by OpenShift. To accomplish this, it generates and distributes client etcd certificates to each node.
+Distributing these certs across the cluster in this way weakens the overall security,
+so Calico should not be deployed in production in this mode.
+
+Instead, Calico can be installed in BYO-etcd mode, where it connects to an externally
+set up etcd. For information on deploying Calico in BYO-etcd mode, see
+[Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Calico Configuration Options
+
+Additional parameters that can be defined in the inventory are:
+
+| Environment | Description | Schema | Default |
+|---------|----------------------|---------|---------|
+| CALICO_IPV4POOL_IPIP | IPIP Mode to use for the IPv4 POOL created at start up. | off, always, cross-subnet | always |
+| CALICO_LOG_DIR | Directory on the host machine where Calico Logs are written.| String | /var/log/calico |
+
+### Contact Information
+
+Author: Dan Osborne <dan@projectcalico.org>
+
+For support, join the `#openshift` channel on the [calico users slack](calicousers.slack.com).
diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml
new file mode 100644
index 000000000..be73e8a73
--- /dev/null
+++ b/roles/calico/defaults/main.yaml
@@ -0,0 +1,14 @@
+---
+kubeconfig: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname }}.kubeconfig"
+
+cni_conf_dir: "/etc/cni/net.d/"
+cni_bin_dir: "/opt/cni/bin/"
+cni_url: "https://github.com/containernetworking/cni/releases/download/v0.5.2/cni-amd64-v0.5.2.tgz"
+
+calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico"
+calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico-ipam"
+
+calico_ipv4pool_ipip: "always"
+
+calico_log_dir: "/var/log/calico"
+calico_node_image: "calico/node:v2.5.0"
diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml
new file mode 100644
index 000000000..67fc0065f
--- /dev/null
+++ b/roles/calico/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: restart calico
+ become: yes
+ systemd: name=calico state=restarted
+
+- name: restart docker
+ become: yes
+ systemd:
+ name: "{{ openshift.docker.service_name }}"
+ state: restarted
+ register: l_docker_restart_docker_in_calico_result
+ until: not l_docker_restart_docker_in_calico_result | failed
+ retries: 3
+ delay: 30
diff --git a/roles/calico/meta/main.yml b/roles/calico/meta/main.yml
new file mode 100644
index 000000000..816c81369
--- /dev/null
+++ b/roles/calico/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+ author: Dan Osborne
+ description: Calico networking
+ company: Tigera, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- role: openshift_facts
+- role: openshift_master_facts
diff --git a/roles/calico/tasks/main.yml b/roles/calico/tasks/main.yml
new file mode 100644
index 000000000..39f730462
--- /dev/null
+++ b/roles/calico/tasks/main.yml
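Review bot: `cni_url`, `calico_url_cni` and `calico_url_ipam` pin release versions but the role defines no companion checksum variables, so the tasks that later fetch these binaries into `{{ cni_bin_dir }}` as root and mark them `a+x` have nothing to verify the download against beyond the TLS connection to GitHub. Add defaults such as `calico_cni_sha256`, `calico_ipam_sha256` and `cni_tgz_sha256` holding the published release digests and pass them to the download tasks as `checksum: "sha256:{{ calico_cni_sha256 }}"`; the tarball would then be fetched with `get_url` and unarchived locally, since the `unarchive` + `remote_src` path used here gives no integrity check. A short comment above the URL block stating that the digests must be bumped together with the versions would keep the two from drifting apart.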
@@ -0,0 +1,100 @@
+---
+- name: Calico Node | Error if invalid cert arguments
+ fail:
+ msg: "Must provide all or none for the following etcd params: calico_etcd_cert_dir, calico_etcd_ca_cert_file, calico_etcd_cert_file, calico_etcd_key_file, calico_etcd_endpoints"
+ when: (calico_etcd_cert_dir is defined or calico_etcd_ca_cert_file is defined or calico_etcd_cert_file is defined or calico_etcd_key_file is defined or calico_etcd_endpoints is defined) and not (calico_etcd_cert_dir is defined and calico_etcd_ca_cert_file is defined and calico_etcd_cert_file is defined and calico_etcd_key_file is defined and calico_etcd_endpoints is defined)
+
+- name: Calico Node | Generate OpenShift-etcd certs
+ include: ../../../roles/etcd_client_certificates/tasks/main.yml
+ when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined
+ vars:
+ etcd_cert_prefix: calico.etcd-
+ etcd_cert_config_dir: "{{ openshift.common.config_base }}/calico"
+ embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}"
+ etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
+ etcd_cert_subdir: "openshift-calico-{{ openshift.common.hostname }}"
+
+- name: Calico Node | Set etcd cert location facts
+ when: calico_etcd_ca_cert_file is not defined or calico_etcd_cert_file is not defined or calico_etcd_key_file is not defined or calico_etcd_endpoints is not defined or calico_etcd_cert_dir is not defined
+ set_fact:
+ calico_etcd_ca_cert_file: "/etc/origin/calico/calico.etcd-ca.crt"
+ calico_etcd_cert_file: "/etc/origin/calico/calico.etcd-client.crt"
+ calico_etcd_key_file: "/etc/origin/calico/calico.etcd-client.key"
+ calico_etcd_endpoints: "{{ hostvars[groups.oo_first_master.0].openshift.master.etcd_urls | join(',') }}"
+ calico_etcd_cert_dir: "/etc/origin/calico/"
+
+- name: Calico Node | Error if no certs set.
+ fail:
+ msg: "Invalid etcd configuration for calico."
+ when: item is not defined or item == ''
+ with_items:
+ - calico_etcd_ca_cert_file
+ - calico_etcd_cert_file
+ - calico_etcd_key_file
+ - calico_etcd_endpoints
+
+- name: Calico Node | Assure the calico certs are present
+ stat:
+ path: "{{ item }}"
+ with_items:
+ - "{{ calico_etcd_ca_cert_file }}"
+ - "{{ calico_etcd_cert_file }}"
+ - "{{ calico_etcd_key_file }}"
+
+- name: Calico Node | Configure Calico service unit file
+ template:
+ dest: "/lib/systemd/system/calico.service"
+ src: calico.service.j2
+
+- name: Calico Node | Enable calico
+ become: yes
+ systemd:
+ name: calico
+ daemon_reload: yes
+ state: started
+ enabled: yes
+ register: start_result
+
+- name: Calico Node | Assure CNI conf dir exists
+ become: yes
+ file: path="{{ cni_conf_dir }}" state=directory
+
+- name: Calico Node | Generate Calico CNI config
+ become: yes
+ template:
+ src: "10-calico.conf.j2"
+ dest: "{{ cni_conf_dir }}/10-calico.conf"
+
+- name: Calico Node | Assures Kuberentes CNI bin dir exists
+ become: yes
+ file: path="{{ cni_bin_dir }}" state=directory
+
+- name: Calico Node | Download Calico CNI Plugin
+ become: yes
+ get_url:
+ url: "{{ calico_url_cni }}"
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Calico Node | Download Calico IPAM Plugin
+ become: yes
+ get_url:
+ url: "{{ calico_url_ipam }}"
+ dest: "{{ cni_bin_dir }}"
+ mode: a+x
+
+- name: Calico Node | Download and extract standard CNI plugins
+ become: yes
+ unarchive:
+ remote_src: True
+ src: "{{ cni_url }}"
+ dest: "{{ cni_bin_dir }}"
+
+- name: Calico Node | Assure Calico conf dir exists
+ become: yes
+ file: path=/etc/calico/ state=directory
+
+- name: Calico Node | Set calicoctl.cfg
+ template:
+ src: calicoctl.cfg.j2
+ dest: "/etc/calico/calicoctl.cfg"
diff --git a/roles/calico/templates/10-calico.conf.j2 b/roles/calico/templates/10-calico.conf.j2
new file mode 100644
index 000000000..1ec569cff
--- /dev/null
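Review bot: The two validation tasks that follow the set_fact block can never fail: `Calico Node | Error if no certs set.` iterates the literal variable names, so `item` is always a defined, non-empty string and the `when:` is always false, and `Calico Node | Assure the calico certs are present` runs `stat` without registering or inspecting the result, so a missing CA, client cert or key is only discovered when calico-node fails to reach etcd. Register the stat results and fail on `not item.stat.exists` as below; the first task can then be dropped, or rewritten to test `hostvars[inventory_hostname][item]` rather than `item` itself. Separately, the included `etcd_client_certificates` tasks write under `{{ openshift.common.config_base }}/calico` while the set_fact paths are hard-coded to `/etc/origin/calico/`, so a non-default `config_base` leaves the node pointing at files that were never created; deriving the set_fact paths from the same `config_base` expression would close that gap. The unit-file `template` task is also the only privileged write here without `become: yes`, unlike its neighbours.
```yaml
- name: Calico Node | Assure the calico certs are present
  stat:
    path: "{{ item }}"
  with_items:
    - "{{ calico_etcd_ca_cert_file }}"
    - "{{ calico_etcd_cert_file }}"
    - "{{ calico_etcd_key_file }}"
  register: calico_cert_stat

- name: Calico Node | Fail if any calico etcd cert is missing
  fail:
    msg: "Calico etcd cert/key not found on {{ inventory_hostname }}: {{ item.item }}"
  with_items: "{{ calico_cert_stat.results }}"
  when: not item.stat.exists
# … unchanged: service unit, CNI config, plugin download and calicoctl.cfg tasks …
```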
+++ b/roles/calico/templates/10-calico.conf.j2
@@ -0,0 +1,18 @@
+{
+ "name": "calico",
+ "type": "calico",
+ "ipam": {
+ "type": "calico-ipam"
+ },
+ "etcd_endpoints": "{{ calico_etcd_endpoints }}",
+ "etcd_key_file": "{{ calico_etcd_key_file }}",
+ "etcd_cert_file": "{{ calico_etcd_cert_file }}",
+ "etcd_ca_cert_file": "{{ calico_etcd_ca_cert_file }}",
+ "kubernetes": {
+ "kubeconfig": "{{ kubeconfig }}"
+ },
+ "hostname": "{{ openshift.common.hostname }}",
+ "policy": {
+ "type": "k8s"
+ }
+}
diff --git a/roles/calico/templates/calico.service.j2 b/roles/calico/templates/calico.service.j2
new file mode 100644
index 000000000..7653e19b1
--- /dev/null
+++ b/roles/calico/templates/calico.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=calico
+After={{ openshift.docker.service_name }}.service
+Requires={{ openshift.docker.service_name }}.service
+
+[Service]
+Restart=always
+ExecStartPre=-/usr/bin/docker rm -f calico-node
+ExecStart=/usr/bin/docker run --net=host --privileged \
+ --name=calico-node \
+ -e WAIT_FOR_DATASTORE=true \
+ -e FELIX_DEFAULTENDPOINTTOHOSTACTION=ACCEPT \
+ -e CALICO_IPV4POOL_IPIP={{ calico_ipv4pool_ipip }} \
+ -e CALICO_IPV4POOL_CIDR={{ openshift.master.sdn_cluster_network_cidr }} \
+ -e FELIX_IPV6SUPPORT=false \
+ -e ETCD_ENDPOINTS={{ calico_etcd_endpoints }} \
+ -v {{ calico_etcd_cert_dir }}:{{ calico_etcd_cert_dir }} \
+ -e ETCD_CA_CERT_FILE={{ calico_etcd_ca_cert_file }} \
+ -e ETCD_CERT_FILE={{ calico_etcd_cert_file }} \
+ -e ETCD_KEY_FILE={{ calico_etcd_key_file }} \
+ -e CLUSTER_TYPE=origin,bgp \
+ -e NODENAME={{ openshift.common.hostname }} \
+ -v {{ calico_log_dir }}:/var/log/calico\
+ -v /lib/modules:/lib/modules \
+ -v /var/run/calico:/var/run/calico \
+ {{ calico_node_image }}
+
+
+ExecStop=-/usr/bin/docker stop calico-node
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/calico/templates/calicoctl.cfg.j2 b/roles/calico/templates/calicoctl.cfg.j2
new file mode 100644
index 000000000..a00ea27dc
--- /dev/null
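Review bot: The etcd client credential directory `{{ calico_etcd_cert_dir }}` and `/lib/modules` are bind-mounted read-write into a container that already runs `--privileged --net=host`; nothing in this ExecStart needs to write to either, so mount them read-only to keep the node's etcd key and the kernel module tree out of reach of a compromised calico-node: `-v {{ calico_etcd_cert_dir }}:{{ calico_etcd_cert_dir }}:ro \` and `-v /lib/modules:/lib/modules:ro \`. `--privileged` is presumably needed for calico/node's iptables and routing work, but since it grants the container full host access a one-line comment in the unit stating that requirement would help the next reviewer not quietly narrow it. The image is also pulled by mutable tag (`calico_node_image` defaults to `calico/node:v2.5.0`), so a digest-pinned override (`calico/node@sha256:...`) is worth supporting for production hosts.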
+++ b/roles/calico/templates/calicoctl.cfg.j2
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: calicoApiConfig
+metadata:
+spec:
+ datastoreType: "etcdv2"
+ etcdEndpoints: "{{ calico_etcd_endpoints }}"
+ etcdKeyFile: "{{ calico_etcd_key_file }}"
+ etcdCertFile: "{{ calico_etcd_cert_file }}"
+ etcdCaCertFile: "{{ calico_etcd_ca_cert_file }}" |