

  1. apiVersion: kubeadm.k8s.io/v1beta1
  2. kind: InitConfiguration
  3. {% if kubeadm_token is defined %}
  4. bootstrapTokens:
  5. - token: "{{ kubeadm_token }}"
  6. description: "kubespray kubeadm bootstrap token"
  7. ttl: "24h"
  8. {% endif %}
  9. localAPIEndpoint:
  10. advertiseAddress: {{ ip | default(fallback_ips[inventory_hostname]) }}
  11. bindPort: {{ kube_apiserver_port }}
  12. nodeRegistration:
  13. {% if kube_override_hostname|default('') %}
  14. name: {{ kube_override_hostname }}
  15. {% endif %}
  16. {% if inventory_hostname in groups['kube-master'] and inventory_hostname not in groups['kube-node'] %}
  17. taints:
  18. - effect: NoSchedule
  19. key: node-role.kubernetes.io/master
  20. {% else %}
  21. taints: []
  22. {% endif %}
  23. criSocket: {{ cri_socket }}
  24. ---
  25. apiVersion: kubeadm.k8s.io/v1beta1
  26. kind: ClusterConfiguration
  27. clusterName: {{ cluster_name }}
  28. etcd:
  29. {% if not etcd_kubeadm_enabled %}
  30. external:
  31. endpoints:
  32. {% for endpoint in etcd_access_addresses.split(',') %}
  33. - {{ endpoint }}
  34. {% endfor %}
  35. caFile: {{ etcd_cert_dir }}/{{ kube_etcd_cacert_file }}
  36. certFile: {{ etcd_cert_dir }}/{{ kube_etcd_cert_file }}
  37. keyFile: {{ etcd_cert_dir }}/{{ kube_etcd_key_file }}
  38. {% elif etcd_kubeadm_enabled %}
  39. local:
  40. imageRepository: "{{ etcd_image_repo | regex_replace("/etcd$","") }}"
  41. imageTag: "{{ etcd_image_tag }}"
  42. dataDir: "/var/lib/etcd"
  43. extraArgs:
  44. metrics: {{ etcd_metrics }}
  45. election-timeout: "{{ etcd_election_timeout }}"
  46. heartbeat-interval: "{{ etcd_heartbeat_interval }}"
  47. auto-compaction-retention: "{{ etcd_compaction_retention }}"
  48. {% if etcd_snapshot_count is defined %}
  49. snapshot-count: "{{ etcd_snapshot_count }}"
  50. {% endif %}
  51. {% if etcd_quota_backend_bytes is defined %}
  52. quota-backend-bytes: "{{ etcd_quota_backend_bytes }}"
  53. {% endif %}
  54. {% if etcd_log_package_levels is defined %}
  55. log-package_levels: "{{ etcd_log_package_levels }}"
  56. {% endif %}
  57. {% for key, value in etcd_extra_vars.items() %}
  58. {{ key }}: "{{ value }}"
  59. {% endfor %}
  60. {% if host_architecture != "amd64" -%}
  61. etcd-unsupported-arch: {{host_architecture}}
  62. {% endif %}
  63. serverCertSANs:
  64. {% for san in etcd_cert_alt_names %}
  65. - {{ san }}
  66. {% endfor %}
  67. {% for san in etcd_cert_alt_ips %}
  68. - {{ san }}
  69. {% endfor %}
  70. peerCertSANs:
  71. {% for san in etcd_cert_alt_names %}
  72. - {{ san }}
  73. {% endfor %}
  74. {% for san in etcd_cert_alt_ips %}
  75. - {{ san }}
  76. {% endfor %}
  77. {% endif %}
  78. dns:
  79. type: CoreDNS
  80. imageRepository: {{ coredns_image_repo | regex_replace('/coredns$','') }}
  81. imageTag: {{ coredns_image_tag }}
  82. networking:
  83. dnsDomain: {{ dns_domain }}
  84. serviceSubnet: {{ kube_service_addresses }}
  85. podSubnet: {{ kube_pods_subnet }}
  86. kubernetesVersion: {{ kube_version }}
  87. {% if kubeadm_config_api_fqdn is defined %}
  88. controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
  89. {% else %}
  90. controlPlaneEndpoint: {{ ip | default(fallback_ips[inventory_hostname]) }}:{{ kube_apiserver_port }}
  91. {% endif %}
  92. certificatesDir: {{ kube_cert_dir }}
  93. imageRepository: {{ kube_image_repo }}
  94. useHyperKubeImage: false
  95. apiServer:
  96. extraArgs:
  97. {% if kube_api_anonymous_auth is defined %}
  98. anonymous-auth: "{{ kube_api_anonymous_auth }}"
  99. {% endif %}
  100. authorization-mode: {{ authorization_modes | join(',') }}
  101. bind-address: {{ kube_apiserver_bind_address }}
  102. {% if kube_apiserver_insecure_port|string != "0" %}
  103. insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
  104. {% endif %}
  105. insecure-port: "{{ kube_apiserver_insecure_port }}"
  106. {% if kube_apiserver_enable_admission_plugins|length > 0 %}
  107. enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
  108. {% endif %}
  109. {% if kube_apiserver_disable_admission_plugins|length > 0 %}
  110. disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
  111. {% endif %}
  112. apiserver-count: "{{ kube_apiserver_count }}"
  113. endpoint-reconciler-type: lease
  114. {% if etcd_events_cluster_enabled %}
  115. etcd-servers-overrides: "/events#{{ etcd_events_access_addresses_semicolon }}"
  116. {% endif %}
  117. service-node-port-range: {{ kube_apiserver_node_port_range }}
  118. kubelet-preferred-address-types: "{{ kubelet_preferred_address_types }}"
  119. profiling: "{{ kube_profiling }}"
  120. request-timeout: "{{ kube_apiserver_request_timeout }}"
  121. enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
  122. {% if kube_basic_auth|default(true) %}
  123. basic-auth-file: {{ kube_users_dir }}/known_users.csv
  124. {% endif %}
  125. {% if kube_token_auth|default(true) %}
  126. token-auth-file: {{ kube_token_dir }}/known_tokens.csv
  127. {% endif %}
  128. {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
  129. oidc-issuer-url: {{ kube_oidc_url }}
  130. oidc-client-id: {{ kube_oidc_client_id }}
  131. {% if kube_oidc_ca_file is defined %}
  132. oidc-ca-file: {{ kube_oidc_ca_file }}
  133. {% endif %}
  134. {% if kube_oidc_username_claim is defined %}
  135. oidc-username-claim: {{ kube_oidc_username_claim }}
  136. {% endif %}
  137. {% if kube_oidc_groups_claim is defined %}
  138. oidc-groups-claim: {{ kube_oidc_groups_claim }}
  139. {% endif %}
  140. {% if kube_oidc_username_prefix is defined %}
  141. oidc-username-prefix: "{{ kube_oidc_username_prefix }}"
  142. {% endif %}
  143. {% if kube_oidc_groups_prefix is defined %}
  144. oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
  145. {% endif %}
  146. {% endif %}
  147. {% if kube_webhook_token_auth|default(false) %}
  148. authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
  149. {% endif %}
  150. {% if kube_encrypt_secret_data %}
  151. encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
  152. {% endif %}
  153. storage-backend: {{ kube_apiserver_storage_backend }}
  154. {% if kube_api_runtime_config is defined %}
  155. runtime-config: {{ kube_api_runtime_config | join(',') }}
  156. {% endif %}
  157. allow-privileged: "true"
  158. {% if kubernetes_audit %}
  159. audit-log-path: "{{ audit_log_path }}"
  160. audit-log-maxage: "{{ audit_log_maxage }}"
  161. audit-log-maxbackup: "{{ audit_log_maxbackups }}"
  162. audit-log-maxsize: "{{ audit_log_maxsize }}"
  163. audit-policy-file: {{ audit_policy_file }}
  164. {% endif %}
  165. {% for key in kube_kubeadm_apiserver_extra_args %}
  166. {{ key }}: "{{ kube_kubeadm_apiserver_extra_args[key] }}"
  167. {% endfor %}
  168. {% if kube_feature_gates %}
  169. feature-gates: {{ kube_feature_gates|join(',') }}
  170. {% endif %}
  171. {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
  172. cloud-provider: {{cloud_provider}}
  173. cloud-config: {{ kube_config_dir }}/cloud_config
  174. {% elif cloud_provider is defined and cloud_provider in ["external"] %}
  175. cloud-config: {{ kube_config_dir }}/cloud_config
  176. {% endif %}
  177. {% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
  178. extraVolumes:
  179. {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
  180. - name: cloud-config
  181. hostPath: {{ kube_config_dir }}/cloud_config
  182. mountPath: {{ kube_config_dir }}/cloud_config
  183. {% endif %}
  184. {% if kube_basic_auth|default(true) %}
  185. - name: basic-auth-config
  186. hostPath: {{ kube_users_dir }}
  187. mountPath: {{ kube_users_dir }}
  188. {% endif %}
  189. {% if kube_token_auth|default(true) %}
  190. - name: token-auth-config
  191. hostPath: {{ kube_token_dir }}
  192. mountPath: {{ kube_token_dir }}
  193. {% endif %}
  194. {% if kube_webhook_token_auth|default(false) %}
  195. - name: webhook-token-auth-config
  196. hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
  197. mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
  198. {% endif %}
  199. {% if kubernetes_audit %}
  200. - name: {{ audit_policy_name }}
  201. hostPath: {{ audit_policy_hostpath }}
  202. mountPath: {{ audit_policy_mountpath }}
  203. {% if audit_log_path != "-" %}
  204. - name: {{ audit_log_name }}
  205. hostPath: {{ audit_log_hostpath }}
  206. mountPath: {{ audit_log_mountpath }}
  207. readOnly: false
  208. {% endif %}
  209. {% endif %}
  210. {% for volume in apiserver_extra_volumes %}
  211. - name: {{ volume.name }}
  212. hostPath: {{ volume.hostPath }}
  213. mountPath: {{ volume.mountPath }}
  214. readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
  215. {% endfor %}
  216. {% if ssl_ca_dirs|length %}
  217. {% for dir in ssl_ca_dirs %}
  218. - name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
  219. hostPath: {{ dir }}
  220. mountPath: {{ dir }}
  221. readOnly: true
  222. {% endfor %}
  223. {% endif %}
  224. {% endif %}
  225. certSANs:
  226. {% for san in apiserver_sans %}
  227. - {{ san }}
  228. {% endfor %}
  229. timeoutForControlPlane: 5m0s
  230. controllerManager:
  231. extraArgs:
  232. node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
  233. node-monitor-period: {{ kube_controller_node_monitor_period }}
  234. pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
  235. node-cidr-mask-size: "{{ kube_network_node_prefix }}"
  236. profiling: "{{ kube_profiling }}"
  237. terminated-pod-gc-threshold: "{{ kube_controller_terminated_pod_gc_threshold }}"
  238. bind-address: {{ kube_controller_manager_bind_address }}
  239. {% if kube_feature_gates %}
  240. feature-gates: {{ kube_feature_gates|join(',') }}
  241. {% endif %}
  242. {% for key in kube_kubeadm_controller_extra_args %}
  243. {{ key }}: "{{ kube_kubeadm_controller_extra_args[key] }}"
  244. {% endfor %}
  245. {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
  246. cloud-provider: {{cloud_provider}}
  247. cloud-config: {{ kube_config_dir }}/cloud_config
  248. {% elif cloud_provider is defined and cloud_provider in ["external"] %}
  249. cloud-config: {{ kube_config_dir }}/cloud_config
  250. {% endif %}
  251. {% if kube_network_plugin is defined and kube_network_plugin not in ["cloud"] %}
  252. configure-cloud-routes: "false"
  253. {% endif %}
  254. {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] or controller_manager_extra_volumes %}
  255. extraVolumes:
  256. {% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
  257. - name: openstackcacert
  258. hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
  259. mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
  260. {% endif %}
  261. {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
  262. - name: cloud-config
  263. hostPath: {{ kube_config_dir }}/cloud_config
  264. mountPath: {{ kube_config_dir }}/cloud_config
  265. {% endif %}
  266. {% for volume in controller_manager_extra_volumes %}
  267. - name: {{ volume.name }}
  268. hostPath: {{ volume.hostPath }}
  269. mountPath: {{ volume.mountPath }}
  270. readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
  271. {% endfor %}
  272. {% endif %}
  273. scheduler:
  274. extraArgs:
  275. bind-address: {{ kube_scheduler_bind_address }}
  276. {% if kube_feature_gates %}
  277. feature-gates: {{ kube_feature_gates|join(',') }}
  278. {% endif %}
  279. {% if kube_kubeadm_scheduler_extra_args|length > 0 %}
  280. {% for key in kube_kubeadm_scheduler_extra_args %}
  281. {{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
  282. {% endfor %}
  283. {% endif %}
  284. extraVolumes:
  285. {% if scheduler_extra_volumes %}
  286. extraVolumes:
  287. {% for volume in scheduler_extra_volumes %}
  288. - name: {{ volume.name }}
  289. hostPath: {{ volume.hostPath }}
  290. mountPath: {{ volume.mountPath }}
  291. readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
  292. {% endfor %}
  293. {% endif %}
  294. ---
  295. apiVersion: kubeproxy.config.k8s.io/v1alpha1
  296. kind: KubeProxyConfiguration
  297. bindAddress: {{ kube_proxy_bind_address }}
  298. clientConnection:
  299. acceptContentTypes: {{ kube_proxy_client_accept_content_types }}
  300. burst: {{ kube_proxy_client_burst }}
  301. contentType: {{ kube_proxy_client_content_type }}
  302. kubeconfig: {{ kube_proxy_client_kubeconfig }}
  303. qps: {{ kube_proxy_client_qps }}
  304. clusterCIDR: {{ kube_pods_subnet }}
  305. configSyncPeriod: {{ kube_proxy_config_sync_period }}
  306. conntrack:
  307. max: {{ kube_proxy_conntrack_max }}
  308. maxPerCore: {{ kube_proxy_conntrack_max_per_core }}
  309. min: {{ kube_proxy_conntrack_min }}
  310. tcpCloseWaitTimeout: {{ kube_proxy_conntrack_tcp_close_wait_timeout }}
  311. tcpEstablishedTimeout: {{ kube_proxy_conntrack_tcp_established_timeout }}
  312. enableProfiling: {{ kube_proxy_enable_profiling }}
  313. healthzBindAddress: {{ kube_proxy_healthz_bind_address }}
  314. hostnameOverride: {{ kube_override_hostname }}
  315. iptables:
  316. masqueradeAll: {{ kube_proxy_masquerade_all }}
  317. masqueradeBit: {{ kube_proxy_masquerade_bit }}
  318. minSyncPeriod: {{ kube_proxy_min_sync_period }}
  319. syncPeriod: {{ kube_proxy_sync_period }}
  320. ipvs:
  321. excludeCIDRs: {{ "[]" if kube_proxy_exclude_cidrs is not defined or kube_proxy_exclude_cidrs == "null" or kube_proxy_exclude_cidrs | length == 0 else (kube_proxy_exclude_cidrs if kube_proxy_exclude_cidrs[0] == '[' else ("[" + kube_proxy_exclude_cidrs + "]" if (kube_proxy_exclude_cidrs[0] | length) == 1 else "[" + kube_proxy_exclude_cidrs | join(",") + "]")) }}
  322. minSyncPeriod: {{ kube_proxy_min_sync_period }}
  323. scheduler: {{ kube_proxy_scheduler }}
  324. syncPeriod: {{ kube_proxy_sync_period }}
  325. metricsBindAddress: {{ kube_proxy_metrics_bind_address }}
  326. mode: {{ kube_proxy_mode }}
  327. nodePortAddresses: {{ kube_proxy_nodeport_addresses }}
  328. oomScoreAdj: {{ kube_proxy_oom_score_adj }}
  329. portRange: {{ kube_proxy_port_range }}
  330. udpIdleTimeout: {{ kube_proxy_udp_idle_timeout }}