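---
# Ansible defaults for the etcd role. Every key below can be overridden from
# inventory; keys that are commented out are left undefined on purpose so the
# role's templates fall back to etcd's own defaults.

# Set etcd user
etcd_owner: etcd

# Set to false to only do certificate management (no cluster install)
etcd_cluster_setup: true
etcd_events_cluster_setup: false

# Set to true to separate k8s events to a different etcd cluster
etcd_events_cluster_enabled: false

etcd_backup_prefix: "/var/backups"
etcd_data_dir: "/var/lib/etcd"

# Number of etcd backups to retain. Set to a value < 0 to retain all backups
etcd_backup_retention_count: -1

force_etcd_cert_refresh: true
etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
# Quoted so the mode reaches Ansible as the octal string "0700" and is not
# re-typed as the integer 700 / 448 by the YAML loader.
etcd_cert_dir_mode: "0700"
etcd_cert_group: root

# Note: This does not set up DNS entries. It simply adds the following DNS
# entries (SANs) to the certificate
etcd_cert_alt_names:
  - "etcd.kube-system.svc.{{ dns_domain }}"
  - "etcd.kube-system.svc"
  - "etcd.kube-system"
  - "etcd"
# Extra IP SANs to add to the certificate; an explicit empty list, not null
etcd_cert_alt_ips: []

etcd_script_dir: "{{ bin_dir }}/etcd-scripts"

# Timings are kept as strings because they are written verbatim into etcd.env
etcd_heartbeat_interval: "250"
etcd_election_timeout: "5000"
# etcd_snapshot_count: "10000"

etcd_metrics: "basic"
# Define in inventory to set a separate port for etcd to expose metrics on
# etcd_metrics_port: 2381

## A dictionary of extra environment variables to add to etcd.env, formatted like:
##   etcd_extra_vars:
##     ETCD_VAR1: "value1"
##     ETCD_VAR2: "value2"
etcd_extra_vars: {}

# Limits
# Limit memory only if <4GB memory on host. 0=unlimited
# This value is only relevant when deploying etcd with `etcd_deployment_type: docker`
etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"

# The default storage size limit is 2G.
# 8G is a suggested maximum size for normal environments and etcd warns at
# startup if the configured value exceeds it.
# etcd_quota_backend_bytes: "2147483648"

# Maximum client request size in bytes the server will accept.
# etcd is designed to handle small key value pairs typical for metadata.
# Larger requests will work, but may increase the latency of other requests
# etcd_max_request_bytes: "1572864"

# Uncomment to set CPU share for etcd
# etcd_cpu_limit: 300m

etcd_blkio_weight: 1000

# Hosts whose names/addresses are included in the node certificates
etcd_node_cert_hosts: "{{ groups['k8s_cluster'] }}"

etcd_compaction_retention: "8"

# Force clients like etcdctl to use TLS certs (different from peer security).
# Keep enabled: turning this off drops client-certificate authentication on
# the client interface.
etcd_secure_client: true

# Enable peer client cert authentication.
# Keep enabled: turning this off drops client-certificate authentication on
# the peer interface.
etcd_peer_client_auth: true

# Maximum number of snapshot files to retain (0 is unlimited)
# etcd_max_snapshots: 5
# Maximum number of wal files to retain (0 is unlimited)
# etcd_max_wals: 5

# Number of loop retries
etcd_retries: 4

## Supported TLS cipher suites. Define as a list (not a mapping) to pin the
## suites etcd will negotiate; leave undefined to use etcd's built-in default.
## The list below only enumerates recognised suite names — the RC4, 3DES and
## CBC/SHA1 entries are legacy and should not be enabled in new deployments;
## prefer the ECDHE + GCM / CHACHA20 suites.
# etcd_tls_cipher_suites: []
#   - TLS_RSA_WITH_RC4_128_SHA
#   - TLS_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA
#   - TLS_RSA_WITH_AES_256_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

# ETCD 3.5.x issue
# https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
etcd_experimental_initial_corrupt_check: true

# If this is true, debug information will be displayed but
# may contain some private data (certificates, keys, tokens), so it is
# recommended to keep it false in production environments.
unsafe_show_logs: false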