aad78840a0
* Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from the member and admin cert sync logic. Now the first etcd node syncs node certs to the other etcd members on every run, keeping all etcd members up to date after additional worker nodes are added to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of the force_etcd_cert_refresh var to the gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if the host is a k8s-cluster member and also in the etcd group * Removed run_once because of the when statement
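---
# Default variables for the etcd deployment: cluster layout, certificate
# handling, runtime tuning and TLS settings. Any value can be overridden
# from inventory or group_vars.

# Set to false to only do certificate management
etcd_cluster_setup: true
etcd_events_cluster_setup: false

# Set to true to separate k8s events to a different etcd cluster
etcd_events_cluster_enabled: false

etcd_backup_prefix: "/var/backups"
etcd_data_dir: "/var/lib/etcd"

# Number of etcd backups to retain. Set to a value < 0 to retain all backups
etcd_backup_retention_count: -1

# When true, etcd certificates are generated for every server on each run
# (the behaviour prior to the per-host cert checks). Set to false to let the
# cert check tasks decide when new certificates are actually needed.
force_etcd_cert_refresh: true

# Certificate locations and ownership. The mode is kept as a quoted string so
# YAML preserves the leading zero instead of parsing the value as a number.
etcd_config_dir: "/etc/ssl/etcd"
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
etcd_cert_dir_mode: "0700"
etcd_cert_group: root

# Note: This does not set up DNS entries. It simply adds the following DNS
# entries to the certificate
etcd_cert_alt_names:
  - "etcd.kube-system.svc.{{ dns_domain }}"
  - "etcd.kube-system.svc"
  - "etcd.kube-system"
  - "etcd"
etcd_cert_alt_ips: []

etcd_script_dir: "{{ bin_dir }}/etcd-scripts"

# Raft timings, passed through as strings
etcd_heartbeat_interval: "250"
etcd_election_timeout: "5000"

# etcd_snapshot_count: "10000"

etcd_metrics: "basic"

# Uncomment to set a separate port for etcd to expose metrics on
# etcd_metrics_port: 2381

## A dictionary of extra environment variables to add to etcd.env, formatted like:
## etcd_extra_vars:
##   ETCD_VAR1: "value1"
##   ETCD_VAR2: "value2"
etcd_extra_vars: {}

# Limits
# Limit memory only if <4GB memory on host. 0=unlimited
etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"

# etcd_quota_backend_bytes: "2147483648"

# Uncomment to set CPU share for etcd
# etcd_cpu_limit: 300m

etcd_blkio_weight: 1000

# Hosts that receive an etcd node (client) certificate: every member of
# k8s-cluster plus the calico-rr and vault groups when those groups exist.
etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) | union(groups.get('vault', [])) }}"

etcd_compaction_retention: "8"

# Force clients like etcdctl to use TLS certs (different than peer security).
# Keep enabled: the client API exposes the whole cluster state.
etcd_secure_client: true

# Enable peer client cert authentication
etcd_peer_client_auth: true

# Number of loop retries
etcd_retries: 4

## Support tls cipher suites.
## When enabling, the value must be a list (a `{}` mapping would not accept
## the sequence items below). The RC4 and 3DES suites are listed only for
## completeness and should not be enabled; prefer ECDHE suites with AES-GCM
## or ChaCha20-Poly1305.
# etcd_tls_cipher_suites:
#   - TLS_RSA_WITH_RC4_128_SHA
#   - TLS_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA
#   - TLS_RSA_WITH_AES_256_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256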