f0cdf71ccb
* Remove contrib/vault This is marked as broken since 2018 /3dcb914607
This still reference apiserver.pem, not used sinceddffdb63bf
Signed-off-by: Etienne Champetier <e.champetier@ateme.com> * Finish nuking vault from the codebase Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
102 lines
3 KiB
YAML
102 lines
3 KiB
YAML
---
|
|
# Set to false to only do certificate management
|
|
etcd_cluster_setup: true
|
|
etcd_events_cluster_setup: false
|
|
|
|
# Set to true to separate k8s events to a different etcd cluster
|
|
etcd_events_cluster_enabled: false
|
|
|
|
etcd_backup_prefix: "/var/backups"
|
|
etcd_data_dir: "/var/lib/etcd"
|
|
|
|
# Number of etcd backups to retain. Set to a value < 0 to retain all backups
|
|
etcd_backup_retention_count: -1
|
|
|
|
force_etcd_cert_refresh: true
|
|
etcd_config_dir: /etc/ssl/etcd
|
|
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
|
|
etcd_cert_dir_mode: "0700"
|
|
etcd_cert_group: root
|
|
# Note: This does not set up DNS entries. It simply adds the following DNS
|
|
# entries to the certificate
|
|
etcd_cert_alt_names:
|
|
- "etcd.kube-system.svc.{{ dns_domain }}"
|
|
- "etcd.kube-system.svc"
|
|
- "etcd.kube-system"
|
|
- "etcd"
|
|
etcd_cert_alt_ips: []
|
|
|
|
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
|
|
|
|
etcd_heartbeat_interval: "250"
|
|
etcd_election_timeout: "5000"
|
|
|
|
# etcd_snapshot_count: "10000"
|
|
|
|
etcd_metrics: "basic"
|
|
|
|
# Uncomment to set a separate port for etcd to expose metrics on
|
|
# etcd_metrics_port: 2381
|
|
|
|
## A dictionary of extra environment variables to add to etcd.env, formatted like:
|
|
## etcd_extra_vars:
|
|
## ETCD_VAR1: "value1"
|
|
## ETCD_VAR2: "value2"
|
|
etcd_extra_vars: {}
|
|
|
|
# Limits
|
|
# Limit memory only if <4GB memory on host. 0=unlimited
|
|
etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"
|
|
|
|
# etcd_quota_backend_bytes: "2147483648"
|
|
|
|
# Uncomment to set CPU share for etcd
|
|
# etcd_cpu_limit: 300m
|
|
|
|
etcd_blkio_weight: 1000
|
|
|
|
etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) }}"
|
|
|
|
etcd_compaction_retention: "8"
|
|
|
|
# Force clients like etcdctl to use TLS certs (different than peer security)
|
|
etcd_secure_client: true
|
|
|
|
# Enable peer client cert authentication
|
|
etcd_peer_client_auth: true
|
|
|
|
# Maximum number of snapshot files to retain (0 is unlimited)
|
|
# etcd_max_snapshots: 5
|
|
|
|
# Maximum number of wal files to retain (0 is unlimited)
|
|
# etcd_max_wals: 5
|
|
|
|
# Number of loop retries
|
|
etcd_retries: 4
|
|
|
|
## Support tls cipher suites.
|
|
# etcd_tls_cipher_suites: {}
|
|
# - TLS_RSA_WITH_RC4_128_SHA
|
|
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
|
# - TLS_RSA_WITH_AES_128_CBC_SHA
|
|
# - TLS_RSA_WITH_AES_256_CBC_SHA
|
|
# - TLS_RSA_WITH_AES_128_CBC_SHA256
|
|
# - TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
# - TLS_RSA_WITH_AES_256_GCM_SHA384
|
|
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
|
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
|
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
|
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
|
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
|
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
|
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
|
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
|
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
|
|
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
|
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
|
|
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|