richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7975 Commits
29 Branches
81 Tags
150 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
kubespray/roles/etcd/defaults/main.yml

130 lines
4.2 KiB
Raw Permalink Normal View History

etcd directly in host fix etcd configuration for nodes fix wrong calico checksums using a var name etcd_bin_dir fix etcd handlers for sysvinit using a var name etcd_bin_dir sysvinit script review etcd configuration
8 years ago
feat: make kubernetes owner parametrized (#8952) * feat: make kubernetes owner parametrized * docs: update hardening guide with configuration for CIS 1.1.19 * fix: set etcd data directory permissions to be compliant to CIS 1.1.12
2 years ago
Remove standalone etcd specific play, cleanup host mode Now etcd role can optionally disable etcd cluster setup for faster deployment when it is combined with etcd role.
7 years ago
Etcd cluster setup makeover The current way to setup the etc cluster is messy and buggy. - It checks for cluster is healthy before the cluster is even created. - The unit files are started on handlers, not in the task, so you mess with "flush handlers". - The join_member.yml is not used. - etcd events cluster is not configured for kubeadm - remove duplicate runs between running the role on etcd nodes and k8s nodes
6 years ago
Remove standalone etcd specific play, cleanup host mode Now etcd role can optionally disable etcd cluster setup for faster deployment when it is combined with etcd role.
7 years ago
Improve variable handling for disabling etcd events cluster
6 years ago
move `etcd_backup_prefix` to new home.
7 years ago
Make etcd data dir configurable. Closes: #1073 Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
7 years ago
change /etc/ssl/etcd to etcd_config_dir param (#6408) * change /etc/ssl/etcd to etcd_config_dir param * add use etcd_events_data_dir param
4 years ago
Fixes 6621 etcd backup directory is consuming much rootfs disk space (#6836) * added an ansible var to manage retention of etcd backups * refactord ls/grep into find in etcd backup removal command
4 years ago
Add etcd TLS support
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
3 years ago
Add etcd TLS support
8 years ago
etcd: Fix permissions of /etc/ssl/etcd/ssl (#6908)
4 years ago
Revert "Drop linux capabilities and rework users/groups"
7 years ago
Add support for cert alt names for etcd (#2139) * Add support for cert alt names for etcd * Update gen_certs_vault.yml
6 years ago
Stop templating kube-system namespace and creating it (#2545) Kubernetes makes this namespace automatically, so there is no need for kubespray to manage it.
6 years ago
Add support for cert alt names for etcd (#2139) * Add support for cert alt names for etcd * Update gen_certs_vault.yml
6 years ago
Add documentation about having HA for etcd
6 years ago
Add etcd TLS support
8 years ago
Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional.
7 years ago
Integrate jetstack/cert-manager 0.2.3 to Kubespray
6 years ago
add etc tunning options https://coreos.com/etcd/docs/latest/tuning.html etcd_snapshot_count and ionice priority
6 years ago
Add etcd metrics flag
7 years ago
Allow to scrape etcd metrics using a service (#8203) Signed-off-by: Mathieu Parent <math.parent@gmail.com>
3 years ago
Add option to expose metrics on separate port (#6092)
4 years ago
support custom env vars for etcd
6 years ago
Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Only limit etcd memory on small hosts (#1860) Also disable oom killer on etcd
7 years ago
[etcd] Add support for setting the request size limit (#8849) * [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes` Signed-off-by: necatican <necaticanyildirim@gmail.com> * [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES Signed-off-by: necatican <necaticanyildirim@gmail.com>
2 years ago
Only limit etcd memory on small hosts (#1860) Also disable oom killer on etcd
7 years ago
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional.
7 years ago
[etcd] Add support for setting the request size limit (#8849) * [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes` Signed-off-by: necatican <necaticanyildirim@gmail.com> * [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES Signed-off-by: necatican <necaticanyildirim@gmail.com>
2 years ago
Fix example value for etcd_quota_backend_bytes (#6724)
4 years ago
Add ETCD_QUOTA_BACKEND_BYTES environment variable
6 years ago
[etcd] Add support for setting the request size limit (#8849) * [etcd] Add extra documentation for `etcd_memory_limit` and `etcd_quota_backend_bytes` Signed-off-by: necatican <necaticanyildirim@gmail.com> * [etcd] Add support for setting ETCD_MAX_REQUEST_BYTES Signed-off-by: necatican <necaticanyildirim@gmail.com>
2 years ago
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional.
7 years ago
Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements
7 years ago
Vault security hardening and role isolation
7 years ago
Add etcd_blkio_weight var (#1690)
7 years ago
[etcd] Sometimes, we do not need to run etcd role on all nodes. (#9173) * WIP: sometimes,we not run etcd * fix ansible lint * like calico(kdd) cni, no need run etcd
2 years ago
add configurable parameter for etcd_auto_compaction_retention
7 years ago
etcd_compaction_retention every 8 hour (#1527)
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Add etcd key and cert environment variables for use with client auth
7 years ago
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH Some installation are failing to authenticate with peers due to etcd picking up/resoling the wrong node. By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert authentication. Signed-off-by: Sébastien Han <seb@redhat.com>
6 years ago
Fix recover-control-plane to work with etcd 3.3.x and add CI (#5500) * Fix recover-control-plane to work with etcd 3.3.x and add CI * Set default values for testcase * Add actual test jobs * Attempt to satisty gitlab ci linter * Fix ansible targets * Set etcd_member_name as stated in the docs... * Recovering from 0 masters is not supported yet * Add other master to broken_kube-master group as well * Increase number of retries to see if etcd needs more time to heal * Make number of retries for ETCD loops configurable, increase it for recovery CI and document it
4 years ago
add etcd max snapshot and wals (#7382)
3 years ago
Fix recover-control-plane to work with etcd 3.3.x and add CI (#5500) * Fix recover-control-plane to work with etcd 3.3.x and add CI * Set default values for testcase * Add actual test jobs * Attempt to satisty gitlab ci linter * Fix ansible targets * Set etcd_member_name as stated in the docs... * Recovering from 0 masters is not supported yet * Add other master to broken_kube-master group as well * Increase number of retries to see if etcd needs more time to heal * Make number of retries for ETCD loops configurable, increase it for recovery CI and document it
4 years ago
Add etcd tls cipher suites (#7001) * Add etcd tls cipher suites * yamllint
4 years ago
Add ETCD_EXPERIMENTAL_INITIAL_CORRUPT_CHECK flag to etcd config (#8664)
2 years ago
Add unsafe_show_logs switch (#9164) Signed-off-by: bo.jiang <bo.jiang@daocloud.io> Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
[etcd]: add etcd distributed tracing flags (#10666) * [etcd]: add etcd distributed tracing flags Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com> * [etcd]: add etcd distributed tracing flags - fix Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com> * [etcd]: add etcd distributed tracing flags - fix Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com> --------- Signed-off-by: Ugur Ozturk <ugurozturk918@gmail.com>
11 months ago
pre-commit: apply autofixes hooks and fix the rest manually - markdownlint (manual fix) - end-of-file-fixer - requirements-txt-fixer - trailing-whitespace
6 months ago
Allow for configuring etcd progress notify interval and default set to 5s (#11499)
2 months ago
  1. ---
  2. # Set etcd user
  3. etcd_owner: etcd
  5. # Set to false to only do certificate management
  6. etcd_cluster_setup: true
  7. etcd_events_cluster_setup: false
  9. # Set to true to separate k8s events to a different etcd cluster
  10. etcd_events_cluster_enabled: false
  12. etcd_backup_prefix: "/var/backups"
  13. etcd_data_dir: "/var/lib/etcd"
  15. # Number of etcd backups to retain. Set to a value < 0 to retain all backups
  16. etcd_backup_retention_count: -1
  18. force_etcd_cert_refresh: true
  19. etcd_config_dir: /etc/ssl/etcd
  20. etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
  21. etcd_cert_dir_mode: "0700"
  22. etcd_cert_group: root
  23. # Note: This does not set up DNS entries. It simply adds the following DNS
  24. # entries to the certificate
  25. etcd_cert_alt_names:
  26. - "etcd.kube-system.svc.{{ dns_domain }}"
  27. - "etcd.kube-system.svc"
  28. - "etcd.kube-system"
  29. - "etcd"
  30. etcd_cert_alt_ips: []
  32. etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
  34. etcd_heartbeat_interval: "250"
  35. etcd_election_timeout: "5000"
  37. # etcd_snapshot_count: "10000"
  39. etcd_metrics: "basic"
  41. # Define in inventory to set a separate port for etcd to expose metrics on
  42. # etcd_metrics_port: 2381
  44. ## A dictionary of extra environment variables to add to etcd.env, formatted like:
  45. ## etcd_extra_vars:
  46. ## ETCD_VAR1: "value1"
  47. ## ETCD_VAR2: "value2"
  48. etcd_extra_vars: {}
  50. # Limits
  51. # Limit memory only if <4GB memory on host. 0=unlimited
  52. # This value is only relevant when deploying etcd with `etcd_deployment_type: docker`
  53. etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"
  55. # The default storage size limit is 2G.
  56. # 8G is a suggested maximum size for normal environments and etcd warns at startup if the configured value exceeds it.
  57. # etcd_quota_backend_bytes: "2147483648"
  59. # Maximum client request size in bytes the server will accept.
  60. # etcd is designed to handle small key value pairs typical for metadata.
  61. # Larger requests will work, but may increase the latency of other requests
  62. # etcd_max_request_bytes: "1572864"
  64. # Uncomment to set CPU share for etcd
  65. # etcd_cpu_limit: 300m
  67. etcd_blkio_weight: 1000
  69. etcd_node_cert_hosts: "{{ groups['k8s_cluster'] }}"
  71. etcd_compaction_retention: "8"
  73. # Force clients like etcdctl to use TLS certs (different than peer security)
  74. etcd_secure_client: true
  76. # Enable peer client cert authentication
  77. etcd_peer_client_auth: true
  79. # Maximum number of snapshot files to retain (0 is unlimited)
  80. # etcd_max_snapshots: 5
  82. # Maximum number of wal files to retain (0 is unlimited)
  83. # etcd_max_wals: 5
  85. # Number of loop retries
  86. etcd_retries: 4
  88. ## Support tls cipher suites.
  89. # etcd_tls_cipher_suites: {}
  90. # - TLS_RSA_WITH_RC4_128_SHA
  91. # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  92. # - TLS_RSA_WITH_AES_128_CBC_SHA
  93. # - TLS_RSA_WITH_AES_256_CBC_SHA
  94. # - TLS_RSA_WITH_AES_128_CBC_SHA256
  95. # - TLS_RSA_WITH_AES_128_GCM_SHA256
  96. # - TLS_RSA_WITH_AES_256_GCM_SHA384
  97. # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  98. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  99. # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  100. # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  101. # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  102. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  103. # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  104. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  105. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  106. # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  107. # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  108. # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  109. # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  110. # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  111. # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  113. # ETCD 3.5.x issue
  114. # https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
  115. etcd_experimental_initial_corrupt_check: true
  117. # If this is true, debug information will be displayed but
  118. # may contain some private data, so it is recommended to set it to false
  119. # in the production environment.
  120. unsafe_show_logs: false
  122. # Enable distributed tracing
  123. # https://etcd.io/docs/v3.5/op-guide/monitoring/#distributed-tracing
  124. etcd_experimental_enable_distributed_tracing: false
  125. etcd_experimental_distributed_tracing_sample_rate: 100
  126. etcd_experimental_distributed_tracing_address: "localhost:4317"
  127. etcd_experimental_distributed_tracing_service_name: etcd
  129. # The interval for etcd watch progress notify events
  130. etcd_experimental_watch_progress_notify_interval: 5s