e5d353d0a7
* Add Contiv support Contiv is a network plugin for Kubernetes and Docker. It supports vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies, multiple networks and bridging pods onto physical networks. * Update contiv version to 1.1.4 Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config. * Load openvswitch module to workaround on CentOS7.4 * Set contiv cni version to 0.1.0 Correct contiv CNI version to 0.1.0. * Use kube_apiserver_endpoint for K8S_API_SERVER Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks to a available endpoint no matter if there's a loadbalancer or not. * Make contiv use its own etcd Before this commit, contiv is using a etcd proxy mode to k8s etcd, this work fine when the etcd hosts are co-located with contiv etcd proxy, however the k8s peering certs are only in etcd group, as a result the etcd-proxy is not able to peering with the k8s etcd on etcd group, plus the netplugin is always trying to find the etcd endpoint on localhost, this will cause problem for all netplugins not runnign on etcd group nodes. This commit make contiv uses its own etcd, separate from k8s one. on kube-master nodes (where net-master runs), it will run as leader mode and on all rest nodes it will run as proxy mode. * Use cp instead of rsync to copy cni binaries Since rsync has been removed from hyperkube, this commit changes it to use cp instead. * Make contiv-etcd able to run on master nodes * Add rbac_enabled flag for contiv pods * Add contiv into CNI network plugin lists * migrate contiv test to tests/files Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> * Add required rules for contiv netplugin * Better handling json return of fwdMode * Make contiv etcd port configurable * Use default var instead of templating * roles/download/defaults/main.yml: use contiv 1.1.7 Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
180 lines
6.2 KiB
YAML
180 lines
6.2 KiB
YAML
# Kubernetes configuration dirs and system namespace.
|
|
# Those are where all the additional config stuff goes
|
|
# the kubernetes normally puts in /srv/kubernets.
|
|
# This puts them in a sane location and namespace.
|
|
# Editting those values will almost surely break something.
|
|
kube_config_dir: /etc/kubernetes
|
|
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
|
|
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
|
|
system_namespace: kube-system
|
|
|
|
# Logging directory (sysvinit systems)
|
|
kube_log_dir: "/var/log/kubernetes"
|
|
|
|
# This is where all the cert scripts and certs will be located
|
|
kube_cert_dir: "{{ kube_config_dir }}/ssl"
|
|
|
|
# This is where all of the bearer tokens will be stored
|
|
kube_token_dir: "{{ kube_config_dir }}/tokens"
|
|
|
|
# This is where to save basic auth file
|
|
kube_users_dir: "{{ kube_config_dir }}/users"
|
|
|
|
kube_api_anonymous_auth: false
|
|
|
|
## Change this to use another Kubernetes version, e.g. a current beta release
|
|
kube_version: v1.8.3
|
|
|
|
# Where the binaries will be downloaded.
|
|
# Note: ensure that you've enough disk space (about 1G)
|
|
local_release_dir: "/tmp/releases"
|
|
# Random shifts for retrying failed ops like pushing/downloading
|
|
retry_stagger: 5
|
|
|
|
# This is the group that the cert creation scripts chgrp the
|
|
# cert files to. Not really changable...
|
|
kube_cert_group: kube-cert
|
|
|
|
# Cluster Loglevel configuration
|
|
kube_log_level: 2
|
|
|
|
# Users to create for basic auth in Kubernetes API via HTTP
|
|
# Optionally add groups for user
|
|
kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15 chars=ascii_letters,digits') }}"
|
|
kube_users:
|
|
kube:
|
|
pass: "{{kube_api_pwd}}"
|
|
role: admin
|
|
groups:
|
|
- system:masters
|
|
|
|
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
|
#kube_oidc_auth: false
|
|
#kube_basic_auth: false
|
|
#kube_token_auth: false
|
|
|
|
|
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
|
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
|
|
|
# kube_oidc_url: https:// ...
|
|
# kube_oidc_client_id: kubernetes
|
|
## Optional settings for OIDC
|
|
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
|
|
# kube_oidc_username_claim: sub
|
|
# kube_oidc_groups_claim: groups
|
|
|
|
|
|
# Choose network plugin (calico, contiv, weave or flannel)
|
|
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
|
kube_network_plugin: calico
|
|
|
|
# weave's network password for encryption
|
|
# if null then no network encryption
|
|
# you can use --extra-vars to pass the password in command line
|
|
weave_password: EnterPasswordHere
|
|
|
|
# Weave uses consensus mode by default
|
|
# Enabling seed mode allow to dynamically add or remove hosts
|
|
# https://www.weave.works/docs/net/latest/ipam/
|
|
weave_mode_seed: false
|
|
|
|
# This two variable are automatically changed by the weave's role, do not manually change these values
|
|
# To reset values :
|
|
# weave_seed: uninitialized
|
|
# weave_peers: uninitialized
|
|
weave_seed: uninitialized
|
|
weave_peers: uninitialized
|
|
|
|
# Enable kubernetes network policies
|
|
enable_network_policy: false
|
|
|
|
# Kubernetes internal network for services, unused block of space.
|
|
kube_service_addresses: 10.233.0.0/18
|
|
|
|
# internal network. When used, it will assign IP
|
|
# addresses from this range to individual pods.
|
|
# This network must be unused in your network infrastructure!
|
|
kube_pods_subnet: 10.233.64.0/18
|
|
|
|
# internal network node size allocation (optional). This is the size allocated
|
|
# to each node on your network. With these defaults you should have
|
|
# room for 4096 nodes with 254 pods per node.
|
|
kube_network_node_prefix: 24
|
|
|
|
# The port the API Server will be listening on.
|
|
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
|
|
kube_apiserver_port: 6443 # (https)
|
|
kube_apiserver_insecure_port: 8080 # (http)
|
|
|
|
# DNS configuration.
|
|
# Kubernetes cluster name, also will be used as DNS domain
|
|
cluster_name: cluster.local
|
|
# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
|
|
ndots: 2
|
|
# Can be dnsmasq_kubedns, kubedns or none
|
|
dns_mode: kubedns
|
|
# Can be docker_dns, host_resolvconf or none
|
|
resolvconf_mode: docker_dns
|
|
# Deploy netchecker app to verify DNS resolve as an HTTP service
|
|
deploy_netchecker: false
|
|
# Ip address of the kubernetes skydns service
|
|
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
|
|
dnsmasq_dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
|
|
dns_domain: "{{ cluster_name }}"
|
|
|
|
# Path used to store Docker data
|
|
docker_daemon_graph: "/var/lib/docker"
|
|
|
|
## A string of extra options to pass to the docker daemon.
|
|
## This string should be exactly as you wish it to appear.
|
|
## An obvious use case is allowing insecure-registry access
|
|
## to self hosted registries like so:
|
|
|
|
docker_options: "--insecure-registry={{ kube_service_addresses }} --graph={{ docker_daemon_graph }} {{ docker_log_opts }}"
|
|
docker_bin_dir: "/usr/bin"
|
|
|
|
# Settings for containerized control plane (etcd/kubelet/secrets)
|
|
etcd_deployment_type: docker
|
|
kubelet_deployment_type: host
|
|
vault_deployment_type: docker
|
|
helm_deployment_type: docker
|
|
|
|
# K8s image pull policy (imagePullPolicy)
|
|
k8s_image_pull_policy: IfNotPresent
|
|
|
|
# Kubernetes dashboard (available at http://first_master:6443/ui by default)
|
|
dashboard_enabled: true
|
|
|
|
# Monitoring apps for k8s
|
|
efk_enabled: false
|
|
|
|
# Helm deployment
|
|
helm_enabled: false
|
|
|
|
# Istio deployment
|
|
istio_enabled: false
|
|
|
|
# Local volume provisioner deployment
|
|
local_volumes_enabled: false
|
|
|
|
# Make a copy of kubeconfig on the host that runs Ansible in GITDIR/artifacts
|
|
# kubeconfig_localhost: false
|
|
# Download kubectl onto the host that runs Ansible in GITDIR/artifacts
|
|
# kubectl_localhost: false
|
|
|
|
# dnsmasq
|
|
# dnsmasq_upstream_dns_servers:
|
|
# - /resolvethiszone.with/10.0.4.250
|
|
# - 8.8.8.8
|
|
|
|
# Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (default true)
|
|
# kubelet_cgroups_per_qos: true
|
|
|
|
# A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
|
|
# Acceptible options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
|
|
# kubelet_enforce_node_allocatable: pods
|
|
|
|
## Supplementary addresses that can be added in kubernetes ssl keys.
|
|
## That can be usefull for example to setup a keepalived virtual IP
|
|
# supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]
|