177 lines
4.6 KiB
YAML
177 lines
4.6 KiB
YAML
---
|
|
# this toggle provides a dangerous way to quickly destroy an entire cluster
|
|
# ansible-playbook -i prod/ site.yml --tags=k8s --extra-vars 'k8s_action=destroy' --limit=k3s_innocent_cluster
|
|
# create | destroy
|
|
k8s_action: create
|
|
|
|
# k3s | rke2
|
|
k8s_type: k3s
|
|
|
|
k8s_cluster_name: default
|
|
k8s_cluster_url: localhost
|
|
|
|
# Additionally define k8s_external_ip to provide a specific node an external route
|
|
k8s_node_ip: "{{ ansible_host }}"
|
|
|
|
# paths
|
|
# used for placing nm related configs
|
|
k8s_nm_path: /etc/NetworkManager/conf.d
|
|
|
|
# used by k8s binaries, depends on installation method: rpm vs tar
|
|
k8s_cmd_path: /usr/local/bin
|
|
|
|
# location of install scripts and other tools
|
|
k8s_install_path: /usr/local/bin
|
|
|
|
k8s_install_script: "{{ k8s_install_path }}/{{ k8s_type }}-install.sh"
|
|
k8s_manifests_path: "/var/lib/rancher/{{ k8s_type }}/server/manifests/"
|
|
k8s_config_path: "/etc/rancher/{{ k8s_type }}"
|
|
|
|
k8s_helm_install_url: https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
|
|
k8s_helm_install_script: "{{ k8s_install_path }}/get_helm.sh"
|
|
|
|
# automatically fetch kubeconfig and update context according to k8s_cluster_name
|
|
k8s_kubeconfig_fetch: true
|
|
k8s_kubeconfig_update_context: true
|
|
|
|
# apply CriticalAddonsOnly:NoExecute to control plane nodes
|
|
k8s_taint_servers: false
|
|
|
|
# apply label role=agent to agent nodes
|
|
k8s_label_agents: false
|
|
|
|
# shared k8s api port
|
|
k8s_api_port: 6443
|
|
|
|
# rke2 server listens on a dedicatged port for new nodes to register
|
|
k8s_supervisor_port: 9345
|
|
|
|
# sysctl set fs.inotify.max_user_instances
|
|
k8s_inotify_max: 1024
|
|
|
|
# hardcoded kublet default value is 110
|
|
k8s_pod_limit: 110
|
|
|
|
# if the host is using an http proxy for external access
|
|
k8s_http_proxy: false
|
|
|
|
# kubeconfig chmod
|
|
k8s_config_mode: 600
|
|
|
|
k8s_disable_kube_proxy: false
|
|
k8s_debug: false
|
|
|
|
k8s_kubelet_args:
|
|
- "max-pods={{ k8s_pod_limit }}"
|
|
|
|
# local-path-storage default settings, see templates/shared/local-path-storage.yaml.j2
|
|
# k8s_local_path_image: rancher/local-path-provisioner:master-head
|
|
# k8s_local_path_image_pull_policy: IfNotPresent
|
|
# k8s_local_path_default_class: true
|
|
# k8s_local_path_reclaim_policy: Retain
|
|
# k8s_local_path_bind_mode: WaitForFirstConsumer
|
|
# k8s_local_path_priority_class: system-node-critical
|
|
# k8s_local_path_dir: /opt/local-path-provisioner
|
|
|
|
# cluster issuers
|
|
# k8s_cluster_issuers:
|
|
# - name: letsencrypt-prod
|
|
# url: https://acme-v02.api.letsencrypt.org/directory
|
|
# solvers:
|
|
# - type: http
|
|
# ingress: nginx
|
|
# - type: dns
|
|
# provider: cloudflare
|
|
# tokenref: apiTokenSecretRef
|
|
# secret_name: cloudflare-api-token
|
|
# secret_ley: api-token
|
|
|
|
# cluster secrets
|
|
# k8s_secrets:
|
|
# - name: cloudflare-api-token
|
|
# namespace: cert-manager
|
|
# data: api-token
|
|
# value: ZG9wX3Y...
|
|
|
|
# k8s_kubelet_args
|
|
# - "kube-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
|
|
# - "system-reserved=cpu=500m,memory=1Gi,ephemeral-storage=2Gi"
|
|
# - "eviction-hard=memory.available<500Mi,nodefs.available<10%"
|
|
# - "max-pods={{ k8s_pod_limit }}"
|
|
# - "v=2"
|
|
|
|
# Define
|
|
|
|
# Default is assumed false, set by vars/sysetms/
|
|
# k8s_selinux: false
|
|
|
|
# k8s_acme_email
|
|
|
|
# you can pre-generate this ina vault with the token.sh script
|
|
# k8s_cluster_token
|
|
|
|
# stable, latest, testing, ...
|
|
# k8s_channel: stable
|
|
|
|
# k8s_version to deploy a specific version
|
|
# k8s_version: v1.27.7+k3s2
|
|
|
|
# bootstrap | server | agent
|
|
# k8s_node_type: bootstrap
|
|
|
|
# if defined, install manifests from the supplied url, currently this task only supports fetching from a url
|
|
# k8s_manifests:
|
|
# - name: cert-manager
|
|
# url: https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
|
|
|
|
# k8s_node_taints
|
|
# --node-taint CriticalAddonsOnly=true:NoExecute
|
|
# k8s_node_taints:
|
|
# - name: CriticalAddonsOnly
|
|
# value: true
|
|
# effect: NoExecute
|
|
|
|
|
|
# K3S
|
|
|
|
# flannel-backend: 'vxlan', 'host-gw', 'wireguard-native', 'none'
|
|
# k8s_flannel_backend: vxlan
|
|
# k8s_flannel_ipv6_masq: false
|
|
# k8s_flannel_external_ip: false
|
|
|
|
# k8s_disable_network_policy: true
|
|
|
|
# disable builtin services
|
|
# k8s_disable:
|
|
# - traefik
|
|
# - servicelb
|
|
|
|
|
|
# RKE2
|
|
|
|
# Default is false, if the host is using network manager, overriden by vars/sysetms/
|
|
# k8s_has_nm: true
|
|
|
|
# canal, cilium, calico, flannel
|
|
# k8s_cni_type: canal
|
|
|
|
# apply cni custom template
|
|
# canal-config.yaml | cilium-config.yaml | calico-config.yaml
|
|
# k8s_cni_custom_template: canal-config.yaml
|
|
|
|
# when using canal enable wg backend
|
|
# k8s_canal_wireguard: true
|
|
|
|
# cilium
|
|
# k8s_cilium_hubble: true
|
|
# k8s_cilium_eni: true
|
|
|
|
# disable builtin services
|
|
# k8s_disable:
|
|
# - rke2-coredns
|
|
# - rke2-ingress-nginx
|
|
# - rke2-metrics-server
|
|
# - rke2-snapshot-controller
|
|
# - rke2-snapshot-controller-crd
|
|
# - rke2-snapshot-validation-webhook
|