-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
114 lines (104 loc) · 6.05 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
---
# common version for kubernetes related applications - kubelet, kubeadm, kubectl
k8s_cluster_kube_version: 1.28.8-1.1
# read more at the following sources:
# https://kubernetes.io/blog/2023/08/31/legacy-package-repository-deprecation/
# https://kubernetes.io/blog/2023/08/15/pkgs-k8s-io-introduction/
#
# 'k8s_cluster_apt_kubernetes_version' will be calculated during role execution using set_fact
k8s_cluster_apt_key_url: "https://pkgs.k8s.io/core:/stable:/{{ k8s_cluster_apt_kubernetes_version }}/deb/Release.key"
k8s_cluster_apt_key_file: "/usr/share/keyrings/kubernetes-archive-keyring.gpg"
k8s_cluster_apt_repository: 'deb [signed-by={{ k8s_cluster_apt_key_file }}] https://pkgs.k8s.io/core:/stable:/{{ k8s_cluster_apt_kubernetes_version }}/deb/ /'
# without leading 'v', numbers and dots only
k8s_cluster_kubernetes_version: 1.28.8
k8s_cluster_kubelet_config_root_dir: '/etc/kubernetes'
k8s_cluster_node_type: worker
k8s_cluster_node_name: "{{ inventory_hostname }}"
k8s_cluster_initial_master: false
# https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-InitConfiguration
k8s_cluster_init_configuration:
# holds fields that relate to registering the new node to the cluster; use it to customize
# the node name, the CRI socket to use or any other settings that should apply to this
# node only (e.g. the node ip)
nodeRegistration:
name: "{{ k8s_cluster_node_name }}"
ignorePreflightErrors:
- SystemVerification
# localAPIEndpoint represents the endpoint of the API server instance that's deployed on this
# control plane node. In HA setups, this differs from ClusterConfiguration.controlPlaneEndpoint
# in the sense that controlPlaneEndpoint is the global endpoint for the cluster, which then
# load-balances the requests to each individual API server. This configuration object lets you
# customize what IP/DNS name and port the local API server advertises it's accessible on.
# By default, kubeadm tries to auto-detect the IP of the default interface and use that, but in
# case that process fails you may set the desired value here.
localAPIEndpoint:
advertiseAddress: "{{ hostvars[inventory_hostname]['ansible_facts']['default_ipv4']['address'] }}"
bindPort: 6443 # default 6443
# https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration
k8s_cluster_cluster_configuration:
networking:
serviceSubnet: 10.96.0.0/12
podSubnet: 10.244.0.0/16
dnsDomain: cluster.local
kubernetesVersion: "{{ k8s_cluster_kubernetes_version }}"
# In a cluster with more than one control plane instances, this field should be assigned
# the address of the external load balancer in front of the control plane instances
controlPlaneEndpoint: "{{ hostvars[inventory_hostname]['ansible_facts']['default_ipv4']['address'] }}:6443"
# controller-manager and scheduler listen 127.0.0.1 address and respective port by default.
# it could be a problem if you are going to deploy monitoring stack because it would be
# scrapping <node_ip>:<port> (node_ip - because those manifests have 'hostNetwork: true')
#
# read more about kube-controller-manager options:
# https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/
controllerManager:
extraArgs:
bind-address: "0.0.0.0"
# https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
scheduler:
extraArgs:
bind-address: "0.0.0.0"
# https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
k8s_cluster_kubelet_configuration:
cgroupDriver: systemd
failSwapOn: false
# https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/
k8s_cluster_kubeproxy_configuration:
# monitoring tools can't scrape default bind address (127.0.0.1:10249)
# https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/README.md#kubeproxy
# https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/
metricsBindAddress: "0.0.0.0:10249"
# https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-JoinConfiguration
#
# configuration below is optimized to join worker nodes
# for master nodes it could be required to add JoinConfiguration.JoinControlPlane field
k8s_cluster_join_configuration:
# holds fields that relate to registering the new node to the cluster; use it to customize
# the node name, the CRI socket to use or any other settings that should apply to this
# node only (e.g. the node ip)
nodeRegistration:
name: "{{ k8s_cluster_node_name }}"
ignorePreflightErrors:
- SystemVerification
# options for the kubelet to use during the TLS bootstrap process
discovery:
bootstrapToken:
token: "{{ k8s_cluster_join_token }}"
apiServerEndpoint: "{{ k8s_cluster_api_server_ip }}:{{ k8s_cluster_init_configuration.localAPIEndpoint.bindPort }}"
# caCertHashes specifies a set of public key pins to verify when token-based discovery
# is used. The root CA found during discovery must match one of these values. Specifying
# an empty set disables root CA pinning, which can be unsafe. Each hash is specified
# as <type>:<value>, where the only currently supported type is "sha256". This is a hex-encoded
# SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded ASN.1.
#
# it could be obtained using the following command chain on the control-plane node:
# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
# openssl dgst -sha256 -hex | sed 's/^.* //'
#
# otherwise use "unsafeSkipCAVerification: true" but this can weaken the security of kubeadm
# since other nodes can impersonate the control-plane
caCertHashes:
- "sha256:{{ k8s_cluster_root_ca_hash }}"
unsafeSkipCAVerification: false
# https://github.com/flannel-io/flannel
k8s_cluster_flannel_apply: https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
k8s_cluster_custom_networking_tasks_path: ""