etcd role for controller nodes

roles/etcd/tasks/certs-controller.yml

@@ -0,0 +1,14 @@
+---
+- name: Copy controller certificates
+  copy:
+    src: "{{ playbook_dir }}/../../kazan-ssl/pki/{{ item }}"
+    dest: "/etc/etcd/"
+    owner: root
+    group: root
+    mode: 0644
+
+  become: true
+  with_items:
+    - ca/ca.pem
+    - api/kubernetes-key.pem
+    - api/kubernetes.pem

roles/etcd/tasks/certs-lb.yml

@@ -0,0 +1,14 @@
+---
+- name: Copy load-balancer certificates
+  copy:
+    src: "{{ playbook_dir }}/../../kazan-ssl/pki/{{ item }}"
+    dest: "/etc/etcd/"
+    owner: root
+    group: root
+    mode: 0644
+
+  become: true
+  with_items:
+    - ca/ca.pem
+    - api/kubernetes-key.pem
+    - api/kubernetes.pem

roles/etcd/tasks/certs-worker.yml

@@ -0,0 +1,18 @@
+---
+- name: Copy worker certificates
+  copy:
+    src: "{{ playbook_dir }}/../../kazan-ssl/pki/{{ item }}"
+    dest: "/etc/etcd/"
+    owner: root
+    group: root
+    mode: 0644
+
+  become: true
+  with_items:
+    - ca/ca.pem
+    - clients/w1.kazan.schleppe-key.pem
+    - clients/w1.kazan.schleppe.pem
+    - clients/w2.kazan.schleppe-key.pem
+    - clients/w2.kazan.schleppe.pem
+    - clients/w3.kazan.schleppe-key.pem
+    - clients/w3.kazan.schleppe.pem

roles/etcd/tasks/install.yml

@@ -0,0 +1,8 @@
+---
+- name: Create etcd config dir
+  file: path=/etc/etcd state=directory
+  become: true
+
+- name: Create etcd data dir
+  file: path=/var/lib/etcd state=directory
+  become: true

roles/etcd/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- include: install.yml
+
+- include: certs-controller.yml
+  when: "'controller' in group_names or 'load-balancer' in group_names"
+
+# - include: certs-lb.yml
+#   when: "'load-balancer' in group_names"
+
+- include: certs-worker.yml
+  when: "'worker' in group_names"
+
+- include: systemd-service.yml
+  when: "'controller' in group_names"

roles/etcd/tasks/systemd-service.yml

@@ -0,0 +1,32 @@
+---
+- name: Add etcd systemd unit
+  template:
+    src: etcd.service.j2
+    dest: /etc/systemd/system/etcd.service
+    mode: 700
+  become: true
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  become: true
+
+- name: Enable etcd service
+  command: systemctl enable etcd
+  become: true
+
+- name: Restart etcd
+  service:
+    name: etcd
+    state: restarted
+    enabled: yes
+  become: true
+
+- name: Wait for etcd listening
+  wait_for: port=2379 timeout=60
+
+# - name: Verify etcd cluster health
+#   shell: etcdctl --ca-file=/etc/etcd/ca.pem cluster-health
+#   register: cmd_result
+#   until: cmd_result.stdout.find("cluster is healthy") != -1
+#   retries: 5
+#   delay: 5

roles/etcd/templates/etcd.service.j2

@@ -0,0 +1,31 @@
+[Unit]
+Description=etcd
+Documentation=https://github.com/coreos
+
+[Service]
+Environment=ETCDCTL_API=3
+ExecStart=/usr/bin/etcd \
+  --name {{ inventory_hostname }} \
+  --data-dir=/var/lib/etcd \
+  --listen-peer-urls https://{{ ansible_default_ipv4.address }}:2380 \
+  --listen-client-urls https://{{ ansible_default_ipv4.address }}:2379,https://127.0.0.1:2379 \
+  --initial-advertise-peer-urls https://{{ ansible_default_ipv4.address }}:2380 \
+  --initial-cluster c1.kazan.schleppe=https://10.0.0.141:2380,c2.kazan.schleppe=https://10.0.0.142:2380,c3.kazan.schleppe=https://10.0.0.143:2380 \
+  --initial-cluster-state new \
+  --initial-cluster-token etcd-cluster-0 \
+  --advertise-client-urls https://{{ ansible_default_ipv4.address }}:2379 \
+  --cert-file=/etc/etcd/kubernetes.pem \
+  --key-file=/etc/etcd/kubernetes-key.pem \
+  --client-cert-auth \
+  --trusted-ca-file=/etc/etcd/ca.pem \
+  --peer-cert-file=/etc/etcd/kubernetes.pem \
+  --peer-key-file=/etc/etcd/kubernetes-key.pem \
+  --peer-client-cert-auth \
+  --peer-trusted-ca-file=/etc/etcd/ca.pem
+
+Type=notify
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target