--- # this toggle provides a dangerous way to quickly destroy an entire cluster # ansible-playbook -i prod/ site.yml --tags=k8s --extra-vars 'k8s_action=destroy' --limit=k3s_innocent_cluster # create | destroy k8s_action: create # k3s | rke2 k8s_type: k3s k8s_cluster_name: default k8s_cluster_url: localhost # Additionally define k8s_external_ip to provide a specific node an external route k8s_node_ip: "{{ ansible_host }}" # paths # used for placing nm related configs k8s_nm_path: /etc/NetworkManager/conf.d # used by k8s binaries, depends on installation method: rpm vs tar k8s_cmd_path: /usr/local/bin # location of install scripts and other tools k8s_install_path: /usr/local/bin k8s_install_script: "{{ k8s_install_path }}/{{ k8s_type }}-install.sh" k8s_manifests_path: "/var/lib/rancher/{{ k8s_type }}/server/manifests/" k8s_config_path: "/etc/rancher/{{ k8s_type }}" k8s_helm_install_url: https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 k8s_helm_install_script: "{{ k8s_install_path }}/get_helm.sh" # apply CriticalAddonsOnly:NoExecute to control plane nodes k8s_taint_servers: false # apply label role=agent to agent nodes k8s_label_agents: false # fetch kubeconfig from the bootstrap node k8s_get_kubeconfig: true # shared k8s api port k8s_api_port: 6443 # rke2 server listens on a dedicatged port for new nodes to register k8s_supervisor_port: 9345 # sysctl set fs.inotify.max_user_instances k8s_inotify_max: 1024 # hardcoded kublet default value is 110 k8s_pod_limit: 110 # if the host is using an http proxy for external access k8s_http_proxy: false # kubeconfig chmod k8s_config_mode: 600 k8s_disable_kube_proxy: false k8s_debug: false k8s_kubelet_args: - "max-pods={{ k8s_pod_limit }}" # cluster issuers # k8s_cluster_issuers: # - name: letsencrypt-prod # url: https://acme-v02.api.letsencrypt.org/directory # solvers: # - type: http # ingress: nginx # - type: dns # provider: cloudflare # tokenref: apiTokenSecretRef # secret_name: cloudflare-api-token # secret_ley: api-token # cluster secrets # k8s_secrets: # - name: cloudflare-api-token # namespace: cert-manager # data: api-token # value: ZG9wX3Y... # k8s_kubelet_args # - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi" # - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi" # - "eviction-hard=memory.available<500Mi,nodefs.available<10%" # - "max-pods={{ k8s_pod_limit }}" # - "v=2" # Define # Default is assumed false, set by vars/sysetms/ # k8s_selinux: false # k8s_acme_email # you can pre-generate this ina vault with the token.sh script # k8s_cluster_token # stable, latest, testing, ... # k8s_channel: stable # k8s_version to deploy a specific version # k8s_version: v1.27.7+k3s2 # bootstrap | server | agent # k8s_node_type: bootstrap # if defined, install manifests from the supplied url, currently this task only supports fetching from a url # k8s_manifests: # - name: cert-manager # url: https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml # k8s_node_taints # --node-taint CriticalAddonsOnly=true:NoExecute # k8s_node_taints: # - name: CriticalAddonsOnly # value: true # effect: NoExecute # K3S # flannel-backend: 'vxlan', 'host-gw', 'wireguard-native', 'none' # k8s_flannel_backend: vxlan # k8s_flannel_ipv6_masq: false # k8s_flannel_external_ip: false # k8s_disable_network_policy: true # disable builtin services # k8s_disable: # - traefik # - servicelb # RKE2 # Default is false, if the host is using network manager, overriden by vars/sysetms/ # k8s_has_nm: true # canal, cilium, calico, flannel # k8s_cni_type: canal # apply cni custom template # canal-config.yaml | cilium-config.yaml | calico-config.yaml # k8s_cni_custom_template: canal-config.yaml # when using canal enable wg backend # k8s_canal_wireguard: true # cilium # k8s_cilium_hubble: true # k8s_cilium_eni: true # disable builtin services # k8s_disable: # - rke2-coredns # - rke2-ingress-nginx # - rke2-metrics-server # - rke2-snapshot-controller # - rke2-snapshot-controller-crd # - rke2-snapshot-validation-webhook