c12s-kubespray/roles/etcd/defaults/main.yml

---
# Set etcd user
etcd_owner: etcd

# Set to false to only do certificate management
etcd_cluster_setup: true
etcd_events_cluster_setup: false

# Set to true to separate k8s events to a different etcd cluster
etcd_events_cluster_enabled: false

etcd_backup_prefix: "/var/backups"
etcd_data_dir: "/var/lib/etcd"

# Number of etcd backups to retain. Set to a value < 0 to retain all backups
etcd_backup_retention_count: -1

force_etcd_cert_refresh: true
etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
etcd_cert_dir_mode: "0700"
etcd_cert_group: root
# Note: This does not set up DNS entries. It simply adds the following DNS
# entries to the certificate
etcd_cert_alt_names:
  - "etcd.kube-system.svc.{{ dns_domain }}"
  - "etcd.kube-system.svc"
  - "etcd.kube-system"
  - "etcd"
etcd_cert_alt_ips: []

etcd_script_dir: "{{ bin_dir }}/etcd-scripts"

etcd_heartbeat_interval: "250"
etcd_election_timeout: "5000"

# etcd_snapshot_count: "10000"

etcd_metrics: "basic"

# Define in inventory to set a separate port for etcd to expose metrics on
# etcd_metrics_port: 2381

## A dictionary of extra environment variables to add to etcd.env, formatted like:
##  etcd_extra_vars:
##    ETCD_VAR1: "value1"
##    ETCD_VAR2: "value2"
etcd_extra_vars: {}

# Limits
# Limit memory only if <4GB memory on host. 0=unlimited
# This value is only relevant when deploying etcd with `etcd_deployment_type: docker`
etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"

# The default storage size limit is 2G.
# 8G is a suggested maximum size for normal environments and etcd warns at startup if the configured value exceeds it.
# etcd_quota_backend_bytes: "2147483648"

# Maximum client request size in bytes the server will accept.
# etcd is designed to handle small key value pairs typical for metadata.
# Larger requests will work, but may increase the latency of other requests
# etcd_max_request_bytes: "1572864"

# Uncomment to set CPU share for etcd
# etcd_cpu_limit: 300m

etcd_blkio_weight: 1000

etcd_node_cert_hosts: "{{ groups['k8s_cluster'] }}"

etcd_compaction_retention: "8"

# Force clients like etcdctl to use TLS certs (different than peer security)
etcd_secure_client: true

# Enable peer client cert authentication
etcd_peer_client_auth: true

# Maximum number of snapshot files to retain (0 is unlimited)
# etcd_max_snapshots: 5

# Maximum number of wal files to retain (0 is unlimited)
# etcd_max_wals: 5

# Number of loop retries
etcd_retries: 4

## Support tls cipher suites.
# etcd_tls_cipher_suites: {}
#   - TLS_RSA_WITH_RC4_128_SHA
#   - TLS_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA
#   - TLS_RSA_WITH_AES_256_CBC_SHA
#   - TLS_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_RC4_128_SHA
#   - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#   - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

# ETCD 3.5.x issue
# https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
etcd_experimental_initial_corrupt_check: true

# If this is true, debug information will be displayed but
# may contain some private data, so it is recommended to set it to false
# in the production environment.
unsafe_show_logs: false