2017-08-24 09:09:52 +00:00
|
|
|
---
|
2017-02-23 11:07:17 +00:00
|
|
|
## Required for bootstrap-os/preinstall/download roles and setting facts
|
|
|
|
# Valid bootstrap options (required): ubuntu, coreos, centos, none
|
|
|
|
bootstrap_os: none
|
|
|
|
kube_api_anonymous_auth: false
|
|
|
|
|
2017-09-08 12:00:57 +00:00
|
|
|
# Default value, but will be set to true automatically if detected
|
|
|
|
is_atomic: false
|
|
|
|
|
2017-02-23 11:07:17 +00:00
|
|
|
## Change this to use another Kubernetes version, e.g. a current beta release
|
2017-07-11 09:11:55 +00:00
|
|
|
kube_version: v1.6.7
|
2017-02-23 11:07:17 +00:00
|
|
|
|
2017-09-27 13:47:47 +00:00
|
|
|
# Set to true to allow pre-checks to fail and continue deployment
|
|
|
|
ignore_assert_errors: false
|
|
|
|
|
2017-02-23 11:07:17 +00:00
|
|
|
# Directory where the binaries will be installed
|
|
|
|
bin_dir: /usr/local/bin
|
|
|
|
docker_bin_dir: /usr/bin
|
2017-03-23 09:05:34 +00:00
|
|
|
etcd_data_dir: /var/lib/etcd
|
2017-02-23 11:07:17 +00:00
|
|
|
# Where the binaries will be downloaded.
|
|
|
|
# Note: ensure that you've enough disk space (about 1G)
|
|
|
|
local_release_dir: "/tmp/releases"
|
|
|
|
# Random shifts for retrying failed ops like pushing/downloading
|
|
|
|
retry_stagger: 5
|
|
|
|
|
|
|
|
# DNS configuration.
|
|
|
|
# Kubernetes cluster name, also will be used as DNS domain
|
|
|
|
cluster_name: cluster.local
|
|
|
|
# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
|
|
|
|
ndots: 2
|
|
|
|
# Can be dnsmasq_kubedns, kubedns or none
|
2017-07-07 17:13:12 +00:00
|
|
|
dns_mode: kubedns
|
2017-02-23 11:07:17 +00:00
|
|
|
# Can be docker_dns, host_resolvconf or none
|
|
|
|
resolvconf_mode: docker_dns
|
|
|
|
# Deploy netchecker app to verify DNS resolve as an HTTP service
|
|
|
|
deploy_netchecker: false
|
|
|
|
# Ip address of the kubernetes skydns service
|
|
|
|
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
|
|
|
|
dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
|
|
|
|
dns_domain: "{{ cluster_name }}"
|
|
|
|
|
|
|
|
# Kubernetes configuration dirs and system namespace.
|
|
|
|
# Those are where all the additional config stuff goes
|
|
|
|
# the kubernetes normally puts in /srv/kubernets.
|
|
|
|
# This puts them in a sane location and namespace.
|
|
|
|
# Editting those values will almost surely break something.
|
|
|
|
kube_config_dir: /etc/kubernetes
|
|
|
|
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
|
|
|
|
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
|
|
|
|
system_namespace: kube-system
|
|
|
|
|
|
|
|
# This is where all the cert scripts and certs will be located
|
|
|
|
kube_cert_dir: "{{ kube_config_dir }}/ssl"
|
|
|
|
|
|
|
|
# This is where all of the bearer tokens will be stored
|
|
|
|
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
|
|
|
|
|
|
|
# This is where to save basic auth file
|
|
|
|
kube_users_dir: "{{ kube_config_dir }}/users"
|
|
|
|
|
|
|
|
|
|
|
|
# This is the group that the cert creation scripts chgrp the
|
|
|
|
# cert files to. Not really changable...
|
|
|
|
kube_cert_group: kube-cert
|
|
|
|
|
|
|
|
# Cluster Loglevel configuration
|
|
|
|
kube_log_level: 2
|
|
|
|
|
|
|
|
# Users to create for basic auth in Kubernetes API via HTTP
|
|
|
|
kube_api_pwd: "changeme"
|
|
|
|
kube_users:
|
|
|
|
kube:
|
|
|
|
pass: "{{kube_api_pwd}}"
|
|
|
|
role: admin
|
|
|
|
|
|
|
|
# Choose network plugin (calico, weave or flannel)
|
|
|
|
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
|
|
|
kube_network_plugin: calico
|
|
|
|
|
|
|
|
# Kubernetes internal network for services, unused block of space.
|
|
|
|
kube_service_addresses: 10.233.0.0/18
|
|
|
|
|
|
|
|
# internal network. When used, it will assign IP
|
|
|
|
# addresses from this range to individual pods.
|
|
|
|
# This network must be unused in your network infrastructure!
|
|
|
|
kube_pods_subnet: 10.233.64.0/18
|
|
|
|
|
|
|
|
# internal network node size allocation (optional). This is the size allocated
|
|
|
|
# to each node on your network. With these defaults you should have
|
|
|
|
# room for 4096 nodes with 254 pods per node.
|
|
|
|
kube_network_node_prefix: 24
|
|
|
|
|
|
|
|
# The port the API Server will be listening on.
|
|
|
|
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
|
2017-08-24 09:09:52 +00:00
|
|
|
# https
|
|
|
|
kube_apiserver_port: 6443
|
|
|
|
# http
|
2017-09-09 20:41:48 +00:00
|
|
|
kube_apiserver_insecure_bind_address: 127.0.0.1
|
2017-08-24 09:09:52 +00:00
|
|
|
kube_apiserver_insecure_port: 8080
|
2017-02-23 11:07:17 +00:00
|
|
|
|
|
|
|
# Path used to store Docker data
|
|
|
|
docker_daemon_graph: "/var/lib/docker"
|
|
|
|
|
2017-03-22 13:40:10 +00:00
|
|
|
# Docker log options
|
|
|
|
# Rotate container stderr/stdout logs at 50m and keep last 5
|
|
|
|
docker_log_opts: "--log-opt max-size=50m --log-opt max-file=5"
|
|
|
|
|
2017-02-23 11:07:17 +00:00
|
|
|
## A string of extra options to pass to the docker daemon.
|
|
|
|
## This string should be exactly as you wish it to appear.
|
|
|
|
## An obvious use case is allowing insecure-registry access
|
|
|
|
## to self hosted registries like so:
|
2017-03-22 13:40:10 +00:00
|
|
|
docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} {{ docker_log_opts }}"
|
2017-02-23 11:07:17 +00:00
|
|
|
|
|
|
|
# Settings for containerized control plane (etcd/kubelet/secrets)
|
|
|
|
etcd_deployment_type: docker
|
|
|
|
kubelet_deployment_type: docker
|
|
|
|
cert_management: script
|
|
|
|
vault_deployment_type: docker
|
|
|
|
|
2017-09-13 18:00:51 +00:00
|
|
|
# Enable kubeadm deployment (experimental)
|
|
|
|
kubeadm_enabled: false
|
|
|
|
kubeadm_token: "abcdef.0123456789abcdef"
|
|
|
|
|
2017-09-18 12:30:57 +00:00
|
|
|
# Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
|
|
|
|
kubeconfig_localhost: false
|
|
|
|
# Download kubectl onto the host that runs Ansible in GITDIR/artifacts
|
|
|
|
kubectl_localhost: false
|
|
|
|
|
2017-02-23 11:07:17 +00:00
|
|
|
# K8s image pull policy (imagePullPolicy)
|
|
|
|
k8s_image_pull_policy: IfNotPresent
|
2017-02-23 11:10:54 +00:00
|
|
|
efk_enabled: false
|
2017-03-23 09:05:34 +00:00
|
|
|
enable_network_policy: false
|
2017-06-27 04:27:25 +00:00
|
|
|
|
2017-09-16 07:43:24 +00:00
|
|
|
## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (https://github.com/kubernetes/kubernetes/issues/50461)
|
2017-09-27 13:47:47 +00:00
|
|
|
# openstack_blockstorage_version: "v1/v2/auto (default)"
|
2017-08-20 10:59:15 +00:00
|
|
|
## When OpenStack is used, if LBaaSv2 is available you can enable it with the following variables.
|
|
|
|
openstack_lbaas_enabled: false
|
2017-09-27 13:47:47 +00:00
|
|
|
# openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP"
|
|
|
|
# openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default"
|
|
|
|
# openstack_lbaas_create_monitor: "yes"
|
|
|
|
# openstack_lbaas_monitor_delay: false
|
|
|
|
# openstack_lbaas_monitor_timeout: false
|
|
|
|
# openstack_lbaas_monitor_max_retries: false
|
2017-08-20 10:59:15 +00:00
|
|
|
|
2017-06-27 04:27:25 +00:00
|
|
|
## List of authorization modes that must be configured for
|
|
|
|
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
|
|
|
|
## 'RBAC' modes are tested.
|
2017-07-07 09:31:11 +00:00
|
|
|
authorization_modes: []
|
2017-06-27 04:27:25 +00:00
|
|
|
rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
|
2017-08-24 20:18:38 +00:00
|
|
|
|
|
|
|
## List of key=value pairs that describe feature gates for
|
|
|
|
## the k8s cluster.
|
|
|
|
kube_feature_gates: []
|
2017-09-01 19:51:37 +00:00
|
|
|
|
|
|
|
# Vault data dirs.
|
|
|
|
vault_base_dir: /etc/vault
|
|
|
|
vault_cert_dir: "{{ vault_base_dir }}/ssl"
|
|
|
|
vault_config_dir: "{{ vault_base_dir }}/config"
|
|
|
|
vault_roles_dir: "{{ vault_base_dir }}/roles"
|
|
|
|
vault_secrets_dir: "{{ vault_base_dir }}/secrets"
|