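---
# Deprecated:
# Calico is being migrated to use the calico operator.
# In a near-future release, this method of deploying calico
# will be removed. Use tag `operator_migrate_calico` to migrate.
calico_image_tag: v3.25.0  # Deprecated
# End of deprecated variables

# Start of new variables
nfc_kubernetes_calico_version: v3.27.0
nfc_kubernetes_tigera_operator_registry: quay.io
nfc_kubernetes_tigera_operator_image: tigera/operator
nfc_kubernetes_tigera_operator_tag: v1.32.3  # Calico v3.27.0
# End of new variables

nfc_kubernetes_enable_metallb: false
nfc_kubernetes_enable_servicelb: false

# Container images pulled by the role, keyed by component.
nfc_role_kubernetes_container_images:
  kubevirt_operator:
    name: Kubevirt Operator
    registry: quay.io
    image: kubevirt/virt-operator
    tag: v1.2.0

nfc_role_kubernetes_cluster_domain: cluster.local
nfc_role_kubernetes_etcd_enabled: false
nfc_role_kubernetes_install_olm: false
nfc_role_kubernetes_install_kubevirt: false
nfc_role_kubernetes_kubevirt_operator_replicas: 1
nfc_role_kubernetes_oidc_enabled: false
nfc_role_kubernetes_pod_subnet: 172.16.248.0/21  # Pod network CIDR
nfc_role_kubernetes_service_subnet: 172.16.244.0/22  # Service network CIDR
# Node role flags for the host the role runs against.
nfc_role_kubernetes_prime: true
nfc_role_kubernetes_master: true
nfc_role_kubernetes_worker: false

############################################################################################################
#
#   Old Vars requiring refactoring
#
#
############################################################################################################

ContainerDioVersion: 1.6.20-1
KubernetesVersion: '1.26.2'  # must match the repository release version
kubernetes_version_olm: '0.26.0'
KubernetesVersion_k3s_prefix: '+k3s1'
kubernetes_private_container_registry: []  # Optional, Array. if none use `[]`
kubernetes_etcd_snapshot_cron_schedule: '0 */12 * * *'
kubernetes_etcd_snapshot_retention: 5
# host_external_ip: ''  # Optional, String. External IP Address for host.

# Days of apiserver audit log files to keep (kube-apiserver `audit-log-maxage`);
# presumably passed through by the role as a server argument — confirm in tasks.
kube_apiserver_arg_audit_log_maxage: 2
kubelet_arg_system_reserved_cpu: 450m
kubelet_arg_system_reserved_memory: 512Mi
kubelet_arg_system_reserved_storage: 8Gi

nfc_kubernetes:
  enable_firewall: true  # Optional, bool enable firewall rules from role 'nfc_firewall'

# Set to true to prevent the role from restarting kubernetes on the matching host(s).
nfc_kubernetes_no_restart: false  # all host(s)
nfc_kubernetes_no_restart_master: false  # master host(s)
nfc_kubernetes_no_restart_prime: false  # prime host
nfc_kubernetes_no_restart_slave: false  # slave host(s)

# Files the role places on k3s hosts; each entry carries its own `when`
# (absent `when` is assumed to mean "always" — confirm against the tasks).
k3s:
  files:
    # Kubernetes audit policy, written on master hosts only.
    # NOTE(review): a single catch-all `level: Request` rule records the
    # request body of every API call, so Secret data written through the
    # API is copied into the audit log. The upstream example policy logs
    # secrets/configmaps/tokenreviews at `Metadata` level ahead of the
    # catch-all for this reason — consider the same here.
    - name: audit.yaml
      path: /var/lib/rancher/k3s/server
      content: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
        - level: Request
      when: "{{ nfc_role_kubernetes_master }}"

    # sysctl settings installed under /etc/sysctl.d.
    - name: 90-kubelet.conf
      path: /etc/sysctl.d
      content: |
        vm.panic_on_oom=0
        vm.overcommit_memory=1
        kernel.panic=10
        kernel.panic_on_oops=1
        kernel.keys.root_maxbytes=25000000

    # Pod Security Admission configuration, written on the prime host only.
    # NOTE(review): `content` is the empty string, so none of the restricted
    # defaults in the commented example below are in effect; populate the
    # content (and confirm the apiserver is pointed at this file) to enforce
    # them.
    - name: psa.yaml
      path: /var/lib/rancher/k3s/server
      content: ""
      # apiVersion: apiserver.config.k8s.io/v1
      # kind: AdmissionConfiguration
      # plugins:
      #   - name: PodSecurity
      #     configuration:
      #       apiVersion: pod-security.admission.config.k8s.io/v1beta1
      #       kind: PodSecurityConfiguration
      #       defaults:
      #         enforce: "restricted"
      #         enforce-version: "latest"
      #         audit: "restricted"
      #         audit-version: "latest"
      #         warn: "restricted"
      #         warn-version: "latest"
      #       exemptions:
      #         usernames: []
      #         runtimeClasses: []
      #         namespaces: [kube-system]
      when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}"

#############################################################################################
#
#   Cluster Config when stored in Inventory
#
#   One required per cluster. Recommend creating one ansible host group per cluster.
#
#############################################################################################

# kubernetes_config:                     # Dict. Cluster Config
#   cluster:
#     access:                            # Mandatory. List, DNS host name or IPv4/IPv6 Address.
#                                        # if none use '[]'
#       - 'my.dnshostname.com'
#       - '2001:4860:4860::8888'
#       - '192.168.1.1'
#     Name: earth                        # Mandatory, String. Cluster Name
#     group_name:                        # Mandatory, String. name of the ansible inventory group containing all cluster hosts
#     prime:
#       name: k3s-prod                   # Mandatory, String. Ansible inventory_host that will
#                                        # act as the prime master node.
#     networking:
#       encrypt: true                    # Optional, Boolean. default `false`. Install wireguard for inter-node encryption
#       podSubnet: 172.16.70.0/24        # Mandatory, String. CIDR
#       ServiceSubnet: 172.16.72.0/24    # Mandatory, String. CIDR
#
#
#     kube_virt:
#       enabled: false                   # Optional, Boolean. default=false. Install KubeVirt
#
#       nodes: []                        # Optional, List of String. default=inventory_hostname. List of nodes to install kubevirt on.
#
#       operator:
#         replicas: 2                    # Optional, Integer. How many virt_operators to deploy.
#
#
#     oidc:                              # Used to configure Kubernetes with OIDC Authentication.
#       enabled: true                    # Mandatory, Boolean. Enable OIDC authentication.
#       issuer_url: https://domainname.com/realms/realm-name  # Mandatory, String. URL of OIDC Provider
#       client_id: kubernetes-test       # Mandatory, String. OIDC Client ID
#       username_claim: preferred_username  # Mandatory, String. Claim name containing username.
#       username_prefix: oidc            # Optional, String. What to prefix to username
#       groups_claim: roles              # Mandatory, String. Claim name containing groups
#       groups_prefix: ''                # Optional, String. String to prefix to groups
#
#
#   hosts:
#
#     my-host-name:
#       labels:
#         mylabel: myvalue
#
#       taints:
#         - effect: NoSchedule
#           key: taintkey
#           value: taintvalue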