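---
# Optional variables for the k8s role. Every setting below is an example
# left commented out; uncomment and set it in inventory/group_vars to use it.

# Additionally define node addresses as needed
# k8s_node_ip: "{{ ansible_host }}"
# k8s_external_ip:

# local-path-storage default settings, see templates/shared/local-path-storage.yaml.j2
# NOTE(review): master-head is a mutable tag; pin a released tag (or a digest)
# so node reboots and re-runs pull a known, reviewed image.
# k8s_local_path_image: rancher/local-path-provisioner:master-head
# k8s_local_path_image_pull_policy: IfNotPresent
# k8s_local_path_default_class: true
# k8s_local_path_reclaim_policy: Retain
# k8s_local_path_bind_mode: WaitForFirstConsumer
# k8s_local_path_priority_class: system-node-critical
# k8s_local_path_dir: /opt/local-path-provisioner

# cluster issuers
# k8s_cluster_issuers:
#   - name: letsencrypt-prod
#     url: https://acme-v02.api.letsencrypt.org/directory
#     solvers:
#       - type: http
#         ingress: nginx
#       - type: dns
#         provider: cloudflare
#         tokenref: apiTokenSecretRef
#         secret_name: cloudflare-api-token
#         secret_ley: api-token
# NOTE(review): "secret_ley" above is probably a typo for "secret_key";
# verify against the issuer template before relying on either spelling.

# cluster secrets
# The value is written into a Kubernetes Secret; keep the real value in an
# ansible-vault encrypted file, never in plaintext under version control.
# k8s_secrets:
#   - name: cloudflare-api-token
#     namespace: cert-manager
#     data: api-token
#     value: ZG9wX3Y...

# k8s_kubelet_args:
#   - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
#   - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
#   - "eviction-hard=memory.available<500Mi,nodefs.available<10%"
#   - "max-pods={{ k8s_pod_limit }}"
#   - "v=2"

# Define
# Default is assumed false, set by vars/sysetms/
# (review: "sysetms" looks like a typo for "systems" — check the actual directory name)
# k8s_selinux: false

# k8s_acme_email

# you can pre-generate this in a vault with the token.sh script
# The cluster token lets any holder join a node to the cluster; treat it as a
# secret (vault-encrypt it) and rotate it if it is ever exposed.
# k8s_cluster_token

# stable, latest, testing, ...
# k8s_channel: stable

# k8s_version to deploy a specific version
# k8s_version: v1.27.7+k3s2

# bootstrap | server | agent
# k8s_node_type: bootstrap

# if defined, install manifests from the supplied url, currently this task only supports fetching from a url
# Pin manifests to a release URL (as below), not a branch, so the applied
# content cannot change underneath you between runs.
# k8s_manifests:
#   - name: cert-manager
#     url: https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml

# k8s_node_taints
# --node-taint CriticalAddonsOnly=true:NoExecute
# NOTE(review): an unquoted `true` is parsed as a boolean and Jinja renders it
# as "True"; quote it ("true") if the taint value must be lowercase.
# k8s_node_taints:
#   - name: CriticalAddonsOnly
#     value: true
#     effect: NoExecute

# K3S
# flannel-backend: 'vxlan', 'host-gw', 'wireguard-native', 'none'
# k8s_flannel_backend: vxlan
# k8s_flannel_ipv6_masq: false
# k8s_flannel_external_ip: false
# Disabling the network policy controller means NetworkPolicy objects are not
# enforced; only set this when another CNI/policy engine takes over that role.
# k8s_disable_network_policy: true

# disable builtin services
# k8s_disable:
#   - traefik
#   - servicelb

# RKE2
# Default is false, if the host is using network manager, overridden by vars/sysetms/
# k8s_has_nm: true

# canal, cilium, calico, flannel
# k8s_cni_type: canal

# apply cni custom template
# canal-config.yaml | cilium-config.yaml | calico-config.yaml
# k8s_cni_custom_template: canal-config.yaml

# when using canal enable wg backend
# k8s_canal_wireguard: true

# cilium
# k8s_cilium_hubble: true
# k8s_cilium_eni: true

# disable builtin services
# k8s_disable:
#   - rke2-coredns
#   - rke2-ingress-nginx
#   - rke2-metrics-server
#   - rke2-snapshot-controller
#   - rke2-snapshot-controller-crd
#   - rke2-snapshot-validation-webhook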