c12s-kubespray/roles/etcd/defaults/main.yml

---
# Set to false to only do certificate management
etcd_cluster_setup: true
etcd_events_cluster_setup: false

# Set to true to separate k8s events to a different etcd cluster
etcd_events_cluster_enabled: false

etcd_backup_prefix: "/var/backups"
etcd_data_dir: "/var/lib/etcd"

# Number of etcd backups to retain. Set to a value < 0 to retain all backups
etcd_backup_retention_count: -1

force_etcd_cert_refresh: true
etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
etcd_cert_dir_mode: "0700"
etcd_cert_group: root
# Note: This does not set up DNS entries. It simply adds the following DNS
# entries to the certificate
etcd_cert_alt_names:
  - "etcd.kube-system.svc.{{ dns_domain }}"
  - "etcd.kube-system.svc"
  - "etcd.kube-system"
  - "etcd"
etcd_cert_alt_ips: []

etcd_script_dir: "{{ bin_dir }}/etcd-scripts"

etcd_heartbeat_interval: "250"
etcd_election_timeout: "5000"

# etcd_snapshot_count: "10000"

etcd_metrics: "basic"

# Define in inventory to set a separate port for etcd to expose metrics on
# etcd_metrics_port: 2381

## A dictionary of extra environment variables to add to etcd.env, formatted like:
##  etcd_extra_vars:
##    ETCD_VAR1: "value1"
##    ETCD_VAR2: "value2"
etcd_extra_vars: {}

# Limits
# Limit memory only if <4GB memory on host. 0=unlimited
# This value is only relevant when deploying etcd with `etcd_deployment_type: docker`
etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"

# The default storage size limit is 2G.
# 8G is a suggested maximum size for normal environments and etcd warns at startup if the configured value exceeds it.
# etcd_quota_backend_bytes: "2147483648"

# Maximum client request size in bytes the server will accept.
# etcd is designed to handle small key value pairs typical for metadata.
# Larger requests will work, but may increase the latency of other requests
# etcd_max_request_bytes: "1572864"

# Uncomment to set CPU share for etcd
# etcd_cpu_limit: 300m

etcd_blkio_weight: 1000

etcd_node_cert_hosts: "{{ groups['k8s_cluster'] | union(groups.get('calico_rr', [])) }}"

etcd_compaction_retention: "8"

# Force clients like etcdctl to use TLS certs (different than peer security)
etcd_secure_client: true

# Enable peer client cert authentication
etcd_peer_client_auth: true

# Maximum number of snapshot files to retain (0 is unlimited)
# etcd_max_snapshots: 5

# Maximum number of wal files to retain (0 is unlimited)
# etcd_max_wals: 5

# Number of loop retries
etcd_retries: 4

## Support tls cipher suites.
# etcd_tls_cipher_suites: {}
#   - TLS_RSA_WITH_RC4_128_SHA
#   - TLS_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA
#   - TLS_RSA_WITH_AES_256_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

# ETCD 3.5.x issue
# https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
etcd_experimental_initial_corrupt_check: true
etcd directly in host fix etcd configuration for nodes fix wrong calico checksums using a var name etcd_bin_dir fix etcd handlers for sysvinit using a var name etcd_bin_dir sysvinit script review etcd configuration 2016-01-19 14:23:19 +00:00			`---`
Remove standalone etcd specific play, cleanup host mode Now etcd role can optionally disable etcd cluster setup for faster deployment when it is combined with etcd role. 2017-03-03 20:30:37 +00:00			`# Set to false to only do certificate management`
			`etcd_cluster_setup: true`
Etcd cluster setup makeover The current way to setup the etc cluster is messy and buggy. - It checks for cluster is healthy before the cluster is even created. - The unit files are started on handlers, not in the task, so you mess with "flush handlers". - The join_member.yml is not used. - etcd events cluster is not configured for kubeadm - remove duplicate runs between running the role on etcd nodes and k8s nodes 2018-04-01 16:58:08 +00:00			`etcd_events_cluster_setup: false`
Remove standalone etcd specific play, cleanup host mode Now etcd role can optionally disable etcd cluster setup for faster deployment when it is combined with etcd role. 2017-03-03 20:30:37 +00:00
Improve variable handling for disabling etcd events cluster 2018-06-18 13:19:12 +00:00			`# Set to true to separate k8s events to a different etcd cluster`
			`etcd_events_cluster_enabled: false`

move `etcd_backup_prefix` to new home. 2017-06-27 13:12:34 +00:00			`etcd_backup_prefix: "/var/backups"`
Make etcd data dir configurable. Closes: #1073 Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com> 2017-02-24 14:58:54 +00:00			`etcd_data_dir: "/var/lib/etcd"`
change /etc/ssl/etcd to etcd_config_dir param (#6408) * change /etc/ssl/etcd to etcd_config_dir param * add use etcd_events_data_dir param 2020-07-22 06:58:05 +00:00
Fixes 6621 etcd backup directory is consuming much rootfs disk space (#6836) * added an ansible var to manage retention of etcd backups * refactord ls/grep into find in etcd backup removal command 2020-10-23 14:09:57 +00:00			`# Number of etcd backups to retain. Set to a value < 0 to retain all backups`
			`etcd_backup_retention_count: -1`
Add etcd TLS support 2016-11-09 10:44:41 +00:00
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement 2021-02-09 09:53:22 +00:00			`force_etcd_cert_refresh: true`
Add etcd TLS support 2016-11-09 10:44:41 +00:00			`etcd_config_dir: /etc/ssl/etcd`
			`etcd_cert_dir: "{{ etcd_config_dir }}/ssl"`
etcd: Fix permissions of /etc/ssl/etcd/ssl (#6908) 2020-12-09 08:48:49 +00:00			`etcd_cert_dir_mode: "0700"`
Revert "Drop linux capabilities and rework users/groups" 2017-02-06 12:58:54 +00:00			`etcd_cert_group: root`
Add support for cert alt names for etcd (#2139) * Add support for cert alt names for etcd * Update gen_certs_vault.yml 2018-01-09 11:37:34 +00:00			`# Note: This does not set up DNS entries. It simply adds the following DNS`
			`# entries to the certificate`
			`etcd_cert_alt_names:`
Stop templating kube-system namespace and creating it (#2545) Kubernetes makes this namespace automatically, so there is no need for kubespray to manage it. 2018-03-30 11:29:13 +00:00			`- "etcd.kube-system.svc.{{ dns_domain }}"`
			`- "etcd.kube-system.svc"`
			`- "etcd.kube-system"`
Add support for cert alt names for etcd (#2139) * Add support for cert alt names for etcd * Update gen_certs_vault.yml 2018-01-09 11:37:34 +00:00			`- "etcd"`
Add documentation about having HA for etcd 2018-08-31 12:34:13 +00:00			`etcd_cert_alt_ips: []`
Add etcd TLS support 2016-11-09 10:44:41 +00:00
			`etcd_script_dir: "{{ bin_dir }}/etcd-scripts"`
Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-23 14:44:44 +00:00
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional. 2017-02-07 14:46:02 +00:00			`etcd_heartbeat_interval: "250"`
			`etcd_election_timeout: "5000"`

Integrate jetstack/cert-manager 0.2.3 to Kubespray 2018-03-28 14:30:00 +00:00			`# etcd_snapshot_count: "10000"`
add etc tunning options https://coreos.com/etcd/docs/latest/tuning.html etcd_snapshot_count and ionice priority 2018-03-26 14:25:51 +00:00
Add etcd metrics flag 2017-07-24 08:25:38 +00:00			`etcd_metrics: "basic"`

Allow to scrape etcd metrics using a service (#8203) Signed-off-by: Mathieu Parent <math.parent@gmail.com> 2021-11-18 07:53:01 +00:00			`# Define in inventory to set a separate port for etcd to expose metrics on`
Add option to expose metrics on separate port (#6092) 2020-05-10 19:21:51 +00:00			`# etcd_metrics_port: 2381`

support custom env vars for etcd 2018-04-18 17:16:42 +00:00			`## A dictionary of extra environment variables to add to etcd.env, formatted like:`
			`## etcd_extra_vars:`
			`## ETCD_VAR1: "value1"`
			`## ETCD_VAR2: "value2"`
			`etcd_extra_vars: {}`

Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> 2016-12-23 14:44:44 +00:00			`# Limits`
Only limit etcd memory on small hosts (#1860) Also disable oom killer on etcd 2017-10-25 09:25:15 +00:00			`# Limit memory only if <4GB memory on host. 0=unlimited`
[etcd] Add support for setting the request size limit (#8849) * [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes` Signed-off-by: necatican <necaticanyildirim@gmail.com> * [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES Signed-off-by: necatican <necaticanyildirim@gmail.com> 2022-05-23 16:36:03 +00:00			# This value is only relevant when deploying etcd with `etcd_deployment_type: docker`
Only limit etcd memory on small hosts (#1860) Also disable oom killer on etcd 2017-10-25 09:25:15 +00:00			`etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"`
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional. 2017-02-07 14:46:02 +00:00
[etcd] Add support for setting the request size limit (#8849) * [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes` Signed-off-by: necatican <necaticanyildirim@gmail.com> * [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES Signed-off-by: necatican <necaticanyildirim@gmail.com> 2022-05-23 16:36:03 +00:00			`# The default storage size limit is 2G.`
			`# 8G is a suggested maximum size for normal environments and etcd warns at startup if the configured value exceeds it.`
Fix example value for etcd_quota_backend_bytes (#6724) 2020-09-21 12:42:31 +00:00			`# etcd_quota_backend_bytes: "2147483648"`
Add ETCD_QUOTA_BACKEND_BYTES environment variable 2018-08-04 11:56:25 +00:00
[etcd] Add support for setting the request size limit (#8849) * [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes` Signed-off-by: necatican <necaticanyildirim@gmail.com> * [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES Signed-off-by: necatican <necaticanyildirim@gmail.com> 2022-05-23 16:36:03 +00:00			`# Maximum client request size in bytes the server will accept.`
			`# etcd is designed to handle small key value pairs typical for metadata.`
			`# Larger requests will work, but may increase the latency of other requests`
			`# etcd_max_request_bytes: "1572864"`

Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional. 2017-02-07 14:46:02 +00:00			`# Uncomment to set CPU share for etcd`
Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements 2017-08-24 09:09:52 +00:00			`# etcd_cpu_limit: 300m`
Vault security hardening and role isolation 2017-02-08 21:41:36 +00:00
Add etcd_blkio_weight var (#1690) 2017-09-25 11:20:24 +00:00			`etcd_blkio_weight: 1000`

Rename ansible groups to use _ instead of - (#7552) * rename ansible groups to use _ instead of - k8s-cluster -> k8s_cluster k8s-node -> k8s_node calico-rr -> calico_rr no-floating -> no_floating Note: kube-node,k8s-cluster groups in upgrade CI need clean-up after v2.16 is tagged * ensure old groups are mapped to the new ones 2021-04-29 12:20:50 +00:00			`etcd_node_cert_hosts: "{{ groups['k8s_cluster'] \| union(groups.get('calico_rr', [])) }}"`
add configurable parameter for etcd_auto_compaction_retention 2017-06-14 08:39:38 +00:00
etcd_compaction_retention every 8 hour (#1527) 2017-08-20 10:55:48 +00:00			`etcd_compaction_retention: "8"`
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks. 2017-08-30 13:03:22 +00:00
Add etcd key and cert environment variables for use with client auth 2017-11-07 14:06:16 +00:00			`# Force clients like etcdctl to use TLS certs (different than peer security)`
			`etcd_secure_client: true`
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH Some installation are failing to authenticate with peers due to etcd picking up/resoling the wrong node. By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert authentication. Signed-off-by: Sébastien Han <seb@redhat.com> 2018-01-11 18:07:43 +00:00
			`# Enable peer client cert authentication`
			`etcd_peer_client_auth: true`
Fix recover-control-plane to work with etcd 3.3.x and add CI (#5500) * Fix recover-control-plane to work with etcd 3.3.x and add CI * Set default values for testcase * Add actual test jobs * Attempt to satisty gitlab ci linter * Fix ansible targets * Set etcd_member_name as stated in the docs... * Recovering from 0 masters is not supported yet * Add other master to broken_kube-master group as well * Increase number of retries to see if etcd needs more time to heal * Make number of retries for ETCD loops configurable, increase it for recovery CI and document it 2020-02-11 09:38:01 +00:00
add etcd max snapshot and wals (#7382) 2021-03-18 23:48:36 +00:00			`# Maximum number of snapshot files to retain (0 is unlimited)`
			`# etcd_max_snapshots: 5`

			`# Maximum number of wal files to retain (0 is unlimited)`
			`# etcd_max_wals: 5`

Fix recover-control-plane to work with etcd 3.3.x and add CI (#5500) * Fix recover-control-plane to work with etcd 3.3.x and add CI * Set default values for testcase * Add actual test jobs * Attempt to satisty gitlab ci linter * Fix ansible targets * Set etcd_member_name as stated in the docs... * Recovering from 0 masters is not supported yet * Add other master to broken_kube-master group as well * Increase number of retries to see if etcd needs more time to heal * Make number of retries for ETCD loops configurable, increase it for recovery CI and document it 2020-02-11 09:38:01 +00:00			`# Number of loop retries`
			`etcd_retries: 4`
Add etcd tls cipher suites (#7001) * Add etcd tls cipher suites * yamllint 2020-12-08 02:13:10 +00:00
			`## Support tls cipher suites.`
			`# etcd_tls_cipher_suites: {}`
			`# - TLS_RSA_WITH_RC4_128_SHA`
			`# - TLS_RSA_WITH_3DES_EDE_CBC_SHA`
			`# - TLS_RSA_WITH_AES_128_CBC_SHA`
			`# - TLS_RSA_WITH_AES_256_CBC_SHA`
			`# - TLS_RSA_WITH_AES_128_CBC_SHA256`
			`# - TLS_RSA_WITH_AES_128_GCM_SHA256`
			`# - TLS_RSA_WITH_AES_256_GCM_SHA384`
			`# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`
			`# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
			`# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
			`# - TLS_ECDHE_RSA_WITH_RC4_128_SHA`
			`# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`
			`# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
			`# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
			`# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`
			`# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
			`# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
			`# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
			`# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
			`# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
			`# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`
			`# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
			`# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`
			`# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
Add ETCD_EXPERIMENTAL_INITIAL_CORRUPT_CHECK flag to etcd config (#8664) 2022-03-31 15:17:01 +00:00
			`# ETCD 3.5.x issue`
			`# https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer`
			`etcd_experimental_initial_corrupt_check: true`