Add documentation about having HA for etcd
parent
c87a373c53
commit
82a28d6bb3
5 changed files with 32 additions and 11 deletions
|
@ -11,12 +11,32 @@ achieve the same goal.
|
||||||
Etcd
|
Etcd
|
||||||
----
|
----
|
||||||
|
|
||||||
The `etcd_access_endpoint` fact provides an access pattern for clients. And the
|
In order to use an external loadbalancing (L4/TCP or L7 w/ SSL Passthrough VIP), the following variables need to be overriden in group_vars
|
||||||
`etcd_multiaccess` (defaults to `True`) group var controls that behavior.
|
* `etcd_access_addresses`
|
||||||
It makes deployed components to access the etcd cluster members
|
* `etcd_client_url`
|
||||||
directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients
|
* `etcd_cert_alt_names`
|
||||||
do a loadbalancing and handle HA for connections.
|
* `etcd_cert_alt_ips`
|
||||||
|
|
||||||
|
### Example of a VIP w/ FQDN
|
||||||
|
```yaml
|
||||||
|
etcd_access_addresses: https://etcd.example.com:2379
|
||||||
|
etcd_client_url: https://etcd.example.com:2379
|
||||||
|
etcd_cert_alt_names:
|
||||||
|
- "etcd.kube-system.svc.{{ dns_domain }}"
|
||||||
|
- "etcd.kube-system.svc"
|
||||||
|
- "etcd.kube-system"
|
||||||
|
- "etcd"
|
||||||
|
- "etcd.example.com" # This one needs to be added to the default etcd_cert_alt_names
|
||||||
|
```
|
||||||
|
|
||||||
|
### Example of a VIP w/o FQDN (IP only)
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
etcd_access_addresses: https://2.3.7.9:2379
|
||||||
|
etcd_client_url: https://2.3.7.9:2379
|
||||||
|
etcd_cert_alt_ips:
|
||||||
|
- "2.3.7.9"
|
||||||
|
```
|
||||||
|
|
||||||
Kube-apiserver
|
Kube-apiserver
|
||||||
--------------
|
--------------
|
||||||
|
|
|
@ -14,12 +14,6 @@ bin_dir: /usr/local/bin
|
||||||
## but don't know about that address themselves.
|
## but don't know about that address themselves.
|
||||||
#access_ip: 1.1.1.1
|
#access_ip: 1.1.1.1
|
||||||
|
|
||||||
### LOADBALANCING AND ACCESS MODES
|
|
||||||
## Enable multiaccess to configure etcd clients to access all of the etcd members directly
|
|
||||||
## as the "http://hostX:port, http://hostY:port, ..." and ignore the proxy loadbalancers.
|
|
||||||
## This may be the case if clients support and loadbalance multiple etcd servers natively.
|
|
||||||
#etcd_multiaccess: true
|
|
||||||
|
|
||||||
### ETCD: disable peer client cert authentication.
|
### ETCD: disable peer client cert authentication.
|
||||||
# This affects ETCD_PEER_CLIENT_CERT_AUTH variable
|
# This affects ETCD_PEER_CLIENT_CERT_AUTH variable
|
||||||
#etcd_peer_client_auth: true
|
#etcd_peer_client_auth: true
|
||||||
|
|
|
@ -20,6 +20,7 @@ etcd_cert_alt_names:
|
||||||
- "etcd.kube-system.svc"
|
- "etcd.kube-system.svc"
|
||||||
- "etcd.kube-system"
|
- "etcd.kube-system"
|
||||||
- "etcd"
|
- "etcd"
|
||||||
|
etcd_cert_alt_ips: []
|
||||||
|
|
||||||
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
||||||
|
|
||||||
|
|
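Review bot: The new default `etcd_cert_alt_ips: []` is added without a comment saying what consumes it. A line above it such as `# Extra IP addresses (e.g. an external load balancer VIP) added as IP SANs to the etcd certificates` would tell operators that every entry ends up in the issued certificates. Whether certificates that already exist are reissued when this list changes is not visible in this commit, so the comment or the docs should state which it is.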
|
@ -26,6 +26,9 @@
|
||||||
"{{ hostvars[host]['ip'] }}",
|
"{{ hostvars[host]['ip'] }}",
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
{%- endfor -%}
|
{%- endfor -%}
|
||||||
|
{%- for cert_alt_ip in etcd_cert_alt_ips -%}
|
||||||
|
"{{ cert_alt_ip }}",
|
||||||
|
{%- endfor -%}
|
||||||
"127.0.0.1","::1"
|
"127.0.0.1","::1"
|
||||||
]
|
]
|
||||||
issue_cert_path: "{{ item }}"
|
issue_cert_path: "{{ item }}"
|
||||||
|
|
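Review bot: The added loop writes each `etcd_cert_alt_ips` entry into the IP SAN list as-is, with no check that it is an IP address. The openssl template hunk further down does the same with `IP.N = {{ cert_alt_ip }}`. A hostname placed in this list by mistake (those belong in `etcd_cert_alt_names`) would reach the certificate request as an IP SAN and presumably fail late or yield an unusable entry. Consider validating up front, for example by looping over `etcd_cert_alt_ips | ipaddr` in both templates. Because that filter drops bad entries silently, an `assert` task that fails when the filtered list differs from the original is the safer form. The enclosing task starts and ends outside this hunk.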
|
@ -39,4 +39,7 @@ IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter,
|
||||||
{% endif %}
|
{% endif %}
|
||||||
IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
|
IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
{% for cert_alt_ip in etcd_cert_alt_ips %}
|
||||||
|
IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}
|
||||||
|
{% endfor %}
|
||||||
IP.{{ counter["ip"] }} = 127.0.0.1
|
IP.{{ counter["ip"] }} = 127.0.0.1
|
||||||
|
|