194 lines
7.1 KiB
YAML
194 lines
7.1 KiB
YAML
|
|
# Depreciated:
|
|
# Calico is being migrated to use the calico operator.
|
|
# in a near future release, this method of deploying calico
|
|
# will be removed. use tag `operator_migrate_calico` to migrate
|
|
calico_image_tag: v3.25.0 # Depreciated
|
|
# EoF Depreciated
|
|
# SoF New Variables
|
|
nfc_role_kubernetes_calico_version: v3.27.0
|
|
# nfc_kubernetes_tigera_operator_registry: quay.io
|
|
# nfc_kubernetes_tigera_operator_image: tigera/operator
|
|
# nfc_kubernetes_tigera_operator_tag: v1.32.3 # Calico v3.27.0
|
|
# EoF New Variables, EEoF Depreciated
|
|
|
|
|
|
nfc_kubernetes_enable_metallb: false
|
|
nfc_kubernetes_enable_servicelb: false
|
|
|
|
|
|
nfc_role_kubernetes_container_images:
|
|
|
|
kubevirt_operator:
|
|
name: Kubevirt Operator
|
|
registry: quay.io
|
|
image: kubevirt/virt-operator
|
|
tag: v1.2.0
|
|
|
|
tigera_operator:
|
|
name: Tigera Operator
|
|
registry: quay.io
|
|
image: tigera/operator
|
|
tag: v1.32.3 # Calico v3.27.0
|
|
|
|
|
|
nfc_role_kubernetes_cluster_domain: cluster.local
|
|
|
|
nfc_role_kubernetes_configure_firewall: true
|
|
|
|
nfc_role_kubernetes_etcd_enabled: false
|
|
|
|
nfc_role_kubernetes_install_olm: false
|
|
|
|
nfc_role_kubernetes_install_helm: true
|
|
|
|
nfc_role_kubernetes_install_kubevirt: false
|
|
|
|
nfc_role_kubernetes_kubevirt_operator_replicas: 1
|
|
|
|
nfc_role_kubernetes_oidc_enabled: false
|
|
|
|
nfc_role_kubernetes_pod_subnet: 172.16.248.0/21
|
|
nfc_role_kubernetes_service_subnet: 172.16.244.0/22
|
|
|
|
nfc_role_kubernetes_prime: true # Mandatory for a node designated as the prime master node
|
|
nfc_role_kubernetes_master: true # Mandatory for a node designated as a master node and the prime master node
|
|
nfc_role_kubernetes_worker: false # Mandatory for a node designated as a worker node
|
|
|
|
############################################################################################################
|
|
#
|
|
# Old Vars requiring refactoring
|
|
#
|
|
# ############################################################################################################
|
|
|
|
|
|
KubernetesVersion: '1.26.12' # must match the repository release version
|
|
kubernetes_version_olm: '0.27.0'
|
|
|
|
|
|
|
|
KubernetesVersion_k3s_prefix: '+k3s1'
|
|
|
|
kubernetes_private_container_registry: [] # Optional, Array. if none use `[]`
|
|
|
|
kubernetes_etcd_snapshot_cron_schedule: '0 */12 * * *'
|
|
kubernetes_etcd_snapshot_retention: 5
|
|
|
|
# host_external_ip: '' # Optional, String. External IP Address for host.
|
|
|
|
kube_apiserver_arg_audit_log_maxage: 2
|
|
|
|
kubelet_arg_system_reserved_cpu: 450m
|
|
kubelet_arg_system_reserved_memory: 512Mi
|
|
kubelet_arg_system_reserved_storage: 8Gi
|
|
|
|
|
|
nfc_kubernetes:
|
|
enable_firewall: false # Optional, bool enable firewall rules from role 'nfc_firewall'
|
|
|
|
nfc_kubernetes_no_restart: false # Set to true to prevent role from restarting kubernetes on the host(s)
|
|
nfc_kubernetes_no_restart_master: false # Set to true to prevent role from restarting kubernetes on master host(s)
|
|
nfc_kubernetes_no_restart_prime: false # Set to true to prevent role from restarting kubernetes on prime host
|
|
nfc_kubernetes_no_restart_slave: false # Set to true to prevent role from restarting kubernetes on slave host(s)
|
|
|
|
|
|
k3s:
|
|
files:
|
|
|
|
- name: audit.yaml
|
|
path: /var/lib/rancher/k3s/server
|
|
content: |
|
|
apiVersion: audit.k8s.io/v1
|
|
kind: Policy
|
|
rules:
|
|
- level: Request
|
|
when: "{{ nfc_role_kubernetes_master }}"
|
|
|
|
- name: 90-kubelet.conf
|
|
path: /etc/sysctl.d
|
|
content: |
|
|
vm.panic_on_oom=0
|
|
vm.overcommit_memory=1
|
|
kernel.panic=10
|
|
kernel.panic_on_oops=1
|
|
kernel.keys.root_maxbytes=25000000
|
|
|
|
- name: psa.yaml
|
|
path: /var/lib/rancher/k3s/server
|
|
content: ""
|
|
# apiVersion: apiserver.conf0 */12 * * *ig.k8s.io/v1
|
|
# kind: AdmissionConfiguration
|
|
# plugins:
|
|
# - name: PodSecurity
|
|
# configuration:
|
|
# apiVersion: pod-security.admission.config.k8s.io/v1beta1
|
|
# kind: PodSecurityConfiguration
|
|
# defaults:
|
|
# enforce: "restricted"
|
|
# enforce-version: "latest"
|
|
# audit: "restricted"
|
|
# audit-version: "latest"
|
|
# warn: "restricted"
|
|
# warn-version: "latest"
|
|
# exemptions:
|
|
# usernames: []
|
|
# runtimeClasses: []
|
|
# namespaces: [kube-system]
|
|
when: "{{ kubernetes_config.cluster.prime.name | default(inventory_hostname) == inventory_hostname }}"
|
|
|
|
|
|
#############################################################################################
|
|
# Cluster Config when stored in Inventory
|
|
#
|
|
# One required per cluster. recommend creating one ansible host group per cluster.
|
|
#############################################################################################
|
|
# kubernetes_config: # Dict. Cluster Config
|
|
# cluster:
|
|
# access: # Mandatory. List, DNS host name or IPv4/IPv6 Address.
|
|
# # if none use '[]'
|
|
# - 'my.dnshostname.com'
|
|
# - '2001:4860:4860::8888'
|
|
# - '192.168.1.1'
|
|
# domain_name: earth # Mandatory, String. Cluster Domain Name
|
|
# group_name: # Mandatory, String. name of the ansible inventory group containg all cluster hosts
|
|
# prime:
|
|
# name: k3s-prod # Mandatory, String. Ansible inventory_host that will
|
|
# # act as the prime master node.
|
|
# networking:
|
|
# encrypt: true # Optional, Boolean. default `false`. Install wireguard for inter-node encryption
|
|
# podSubnet: 172.16.70.0/24 # Mandatory, String. CIDR
|
|
# ServiceSubnet: 172.16.72.0/24 # Mandatory, String. CIDR
|
|
#
|
|
#
|
|
# helm:
|
|
# enabled: true # Optional, Boolean. default=false. Install Helm Binary
|
|
#
|
|
#
|
|
# kube_virt:
|
|
# enabled: false # Optional, Boolean. default=false. Install KubeVirt
|
|
#
|
|
# nodes: [] # Optional, List of String. default=inventory_hostname. List of nodes to install kibevirt on.
|
|
#
|
|
# operator:
|
|
# replicas: 2 # Optional, Integer. How many virt_operators to deploy.
|
|
#
|
|
#
|
|
# oidc: # Used to configure Kubernetes with OIDC Authentication.
|
|
# enabled: true # Mandatory, boolen. speaks for itself.
|
|
# issuer_url: https://domainname.com/realms/realm-name # Mandatory, String. URL of OIDC Provider
|
|
# client_id: kubernetes-test # Mandatory, string. OIDC Client ID
|
|
# username_claim: preferred_username # Mandatory, String. Claim name containing username.
|
|
# username_prefix: oidc # Optional, String. What to prefix to username
|
|
# groups_claim: roles # Mandatory, String. Claim name containing groups
|
|
# groups_prefix: '' # Optional, String. string to append to groups
|
|
#
|
|
# hosts:
|
|
#
|
|
# my-host-name:
|
|
# labels:
|
|
# mylabel: myvalue
|
|
#
|
|
# taints:
|
|
# - effect: NoSchedule
|
|
# key: taintkey
|
|
# value: taintvalue |