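---
# Ansible role defaults for a k3s / rke2 install.
#
# This toggle provides a dangerous way to quickly destroy an entire cluster:
# ansible-playbook -i prod/ site.yml --tags=k8s --extra-vars 'k8s_action=destroy' --limit=k3s_innocent_cluster
# create | destroy
k8s_action: create

# k3s | rke2
k8s_type: k3s

k8s_cluster_name: default
k8s_cluster_url: localhost
k8s_node_ip: "{{ ansible_host }}"

# paths — templated values are quoted so an empty expansion never becomes null
k8s_install_script: "/usr/local/bin/{{ k8s_type }}-install.sh"
k8s_config_path: "/etc/rancher/{{ k8s_type }}"
k8s_cmd_path: /usr/local/bin
k8s_nm_path: /etc/NetworkManager/conf.d
k8s_manifests_path: "/var/lib/rancher/{{ k8s_type }}/server/manifests/"

# sysctl set fs.inotify.max_user_instances
k8s_inotify_max: 1024

# hardcoded kubelet default value is 110
k8s_pod_limit: 110

# overridden by vars/sysetms/
k8s_selinux: false

# if the host is using network manager, overridden by vars/sysetms/
k8s_has_nm: false

# if the host is using an http proxy for external access
k8s_http_proxy: false

# kubeconfig chmod (owner read/write only).
# Kept as a quoted string: an unquoted 600 is the decimal integer 600, which
# Ansible's file modules interpret as octal 1130 rather than 0600.
k8s_config_mode: "0600"

# rke2 server listens on a dedicated port for new nodes to register
k8s_supervisor_port: 9345

# shared k8s api port
k8s_api_port: 6443

# misc options
k8s_debug: false
k8s_taint_servers: false
k8s_flannel_wireguard: false
k8s_disable_kube_proxy: false
k8s_disable_network_policy: false

# k8s_kubelet_args
# - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
# - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
# - "eviction-hard=memory.available<500Mi,nodefs.available<10%"
# - "max-pods={{ k8s_pod_limit }}"
# - "v=2"
k8s_kubelet_args:
  - "max-pods={{ k8s_pod_limit }}"

# Define
# You can pre-generate this in a vault with the token.sh script.
# Keep it in a vault-encrypted vars file, never as a plain default here.
# k8s_cluster_token

# stable, latest, testing, ...
# k8s_channel: stable

# k8s_version to deploy a specific version
# k8s_version: v1.27.7+k3s2

# bootstrap | server | agent
# k8s_node_type: bootstrap

# if defined, install manifests
# k8s_manifests:
#   - name: cert-manager
#     path: https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml

# k8s_node_taints
# --node-taint CriticalAddonsOnly=true:NoExecute
# k8s_node_taints:
#   - name: CriticalAddonsOnly
#     value: true
#     effect: NoExecute

# K3S
# flannel-backend: 'vxlan', 'host-gw', 'wireguard-native', 'none'
# k8s_flannel_backend: vxlan
# k8s_flannel_ipv6_masq: false
# k8s_flannel_external_ip: false

# disable builtin services
# k8s_disable:
#   - traefik
#   - servicelb

# RKE2
# canal, cilium, calico, flannel
# k8s_cni_type: canal

# disable builtin services
# k8s_disable:
#   - rke2-coredns
#   - rke2-ingress-nginx
#   - rke2-metrics-server
#   - rke2-snapshot-controller
#   - rke2-snapshot-controller-crd
#   - rke2-snapshot-validation-webhook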