ansible-role-k8s/defaults/main.yml

177 lines
4.6 KiB
YAML

---
# this toggle provides a dangerous way to quickly destroy an entire cluster
# ansible-playbook -i prod/ site.yml --tags=k8s --extra-vars 'k8s_action=destroy' --limit=k3s_innocent_cluster
# create | destroy
k8s_action: create
# k3s | rke2
k8s_type: k3s
k8s_cluster_name: default
k8s_cluster_url: localhost
# Additionally define k8s_external_ip to provide a specific node an external route
k8s_node_ip: "{{ ansible_host }}"
# paths
# used for placing nm related configs
k8s_nm_path: /etc/NetworkManager/conf.d
# used by k8s binaries, depends on installation method: rpm vs tar
k8s_cmd_path: /usr/local/bin
# location of install scripts and other tools
k8s_install_path: /usr/local/bin
k8s_install_script: "{{ k8s_install_path }}/{{ k8s_type }}-install.sh"
k8s_manifests_path: "/var/lib/rancher/{{ k8s_type }}/server/manifests/"
k8s_config_path: "/etc/rancher/{{ k8s_type }}"
k8s_helm_install_url: https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
k8s_helm_install_script: "{{ k8s_install_path }}/get_helm.sh"
# automatically fetch kubeconfig and update context according to k8s_cluster_name
k8s_kubeconfig_fetch: true
k8s_kubeconfig_update_context: true
# apply CriticalAddonsOnly:NoExecute to control plane nodes
k8s_taint_servers: false
# apply label role=agent to agent nodes
k8s_label_agents: false
# shared k8s api port
k8s_api_port: 6443
# rke2 server listens on a dedicatged port for new nodes to register
k8s_supervisor_port: 9345
# sysctl set fs.inotify.max_user_instances
k8s_inotify_max: 1024
# hardcoded kublet default value is 110
k8s_pod_limit: 110
# if the host is using an http proxy for external access
k8s_http_proxy: false
# kubeconfig chmod
k8s_config_mode: 600
k8s_disable_kube_proxy: false
k8s_debug: false
k8s_kubelet_args:
- "max-pods={{ k8s_pod_limit }}"
# local-path-storage default settings, see templates/shared/local-path-storage.yaml.j2
# k8s_local_path_image: rancher/local-path-provisioner:master-head
# k8s_local_path_image_pull_policy: IfNotPresent
# k8s_local_path_default_class: true
# k8s_local_path_reclaim_policy: Retain
# k8s_local_path_bind_mode: WaitForFirstConsumer
# k8s_local_path_priority_class: system-node-critical
# k8s_local_path_dir: /opt/local-path-provisioner
# cluster issuers
# k8s_cluster_issuers:
# - name: letsencrypt-prod
# url: https://acme-v02.api.letsencrypt.org/directory
# solvers:
# - type: http
# ingress: nginx
# - type: dns
# provider: cloudflare
# tokenref: apiTokenSecretRef
# secret_name: cloudflare-api-token
# secret_ley: api-token
# cluster secrets
# k8s_secrets:
# - name: cloudflare-api-token
# namespace: cert-manager
# data: api-token
# value: ZG9wX3Y...
# k8s_kubelet_args
# - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
# - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
# - "eviction-hard=memory.available<500Mi,nodefs.available<10%"
# - "max-pods={{ k8s_pod_limit }}"
# - "v=2"
# Define
# Default is assumed false, set by vars/sysetms/
# k8s_selinux: false
# k8s_acme_email
# you can pre-generate this ina vault with the token.sh script
# k8s_cluster_token
# stable, latest, testing, ...
# k8s_channel: stable
# k8s_version to deploy a specific version
# k8s_version: v1.27.7+k3s2
# bootstrap | server | agent
# k8s_node_type: bootstrap
# if defined, install manifests from the supplied url, currently this task only supports fetching from a url
# k8s_manifests:
# - name: cert-manager
# url: https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
# k8s_node_taints
# --node-taint CriticalAddonsOnly=true:NoExecute
# k8s_node_taints:
# - name: CriticalAddonsOnly
# value: true
# effect: NoExecute
# K3S
# flannel-backend: 'vxlan', 'host-gw', 'wireguard-native', 'none'
# k8s_flannel_backend: vxlan
# k8s_flannel_ipv6_masq: false
# k8s_flannel_external_ip: false
# k8s_disable_network_policy: true
# disable builtin services
# k8s_disable:
# - traefik
# - servicelb
# RKE2
# Default is false, if the host is using network manager, overriden by vars/sysetms/
# k8s_has_nm: true
# canal, cilium, calico, flannel
# k8s_cni_type: canal
# apply cni custom template
# canal-config.yaml | cilium-config.yaml | calico-config.yaml
# k8s_cni_custom_template: canal-config.yaml
# when using canal enable wg backend
# k8s_canal_wireguard: true
# cilium
# k8s_cilium_hubble: true
# k8s_cilium_eni: true
# disable builtin services
# k8s_disable:
# - rke2-coredns
# - rke2-ingress-nginx
# - rke2-metrics-server
# - rke2-snapshot-controller
# - rke2-snapshot-controller-crd
# - rke2-snapshot-validation-webhook