richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5565 Commits
33 Branches
82 Tags
153 MiB
Tree: b2995e4ec4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b2995e4ec4'
${ noResults }
kubespray/roles/etcd/defaults/main.yml

95 lines
2.8 KiB
Raw Normal View History

etcd directly in host fix etcd configuration for nodes fix wrong calico checksums using a var name etcd_bin_dir fix etcd handlers for sysvinit using a var name etcd_bin_dir sysvinit script review etcd configuration
9 years ago
Remove standalone etcd specific play, cleanup host mode Now etcd role can optionally disable etcd cluster setup for faster deployment when it is combined with etcd role.
8 years ago
Etcd cluster setup makeover The current way to setup the etc cluster is messy and buggy. - It checks for cluster is healthy before the cluster is even created. - The unit files are started on handlers, not in the task, so you mess with "flush handlers". - The join_member.yml is not used. - etcd events cluster is not configured for kubeadm - remove duplicate runs between running the role on etcd nodes and k8s nodes
7 years ago
Remove standalone etcd specific play, cleanup host mode Now etcd role can optionally disable etcd cluster setup for faster deployment when it is combined with etcd role.
8 years ago
Improve variable handling for disabling etcd events cluster
6 years ago
move `etcd_backup_prefix` to new home.
7 years ago
Make etcd data dir configurable. Closes: #1073 Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
8 years ago
change /etc/ssl/etcd to etcd_config_dir param (#6408) * change /etc/ssl/etcd to etcd_config_dir param * add use etcd_events_data_dir param
4 years ago
Fixes 6621 etcd backup directory is consuming much rootfs disk space (#6836) * added an ansible var to manage retention of etcd backups * refactord ls/grep into find in etcd backup removal command
4 years ago
Add etcd TLS support
8 years ago
etcd: Fix permissions of /etc/ssl/etcd/ssl (#6908)
4 years ago
Revert "Drop linux capabilities and rework users/groups"
8 years ago
Add support for cert alt names for etcd (#2139) * Add support for cert alt names for etcd * Update gen_certs_vault.yml
7 years ago
Stop templating kube-system namespace and creating it (#2545) Kubernetes makes this namespace automatically, so there is no need for kubespray to manage it.
7 years ago
Add support for cert alt names for etcd (#2139) * Add support for cert alt names for etcd * Update gen_certs_vault.yml
7 years ago
Add documentation about having HA for etcd
6 years ago
Add etcd TLS support
8 years ago
Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional.
8 years ago
Integrate jetstack/cert-manager 0.2.3 to Kubespray
7 years ago
add etc tunning options https://coreos.com/etcd/docs/latest/tuning.html etcd_snapshot_count and ionice priority
7 years ago
Add etcd metrics flag
7 years ago
Add option to expose metrics on separate port (#6092)
4 years ago
support custom env vars for etcd
6 years ago
Systemd units, limits, and bin path fixes * Add restart for weave service unit * Reuse docker_bin_dir everythere * Limit systemd managed docker containers by CPU/RAM. Do not configure native systemd limits due to the lack of consensus in the kernel community requires out-of-tree kernel patches. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Only limit etcd memory on small hosts (#1860) Also disable oom killer on etcd
7 years ago
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional.
8 years ago
Fix example value for etcd_quota_backend_bytes (#6724)
4 years ago
Add ETCD_QUOTA_BACKEND_BYTES environment variable
6 years ago
Re-tune ETCD performance params Reduce election timeout to 5000ms (was 10000ms) Raise heartbeat interval to 250ms (was 100ms) Remove etcd cpu share (was 300) Make etcd_cpu_limit and etcd_memory_limit optional.
8 years ago
Adding yamllinter to ci steps (#1556) * Adding yaml linter to ci check * Minor linting fixes from yamllint * Changing CI to install python pkgs from requirements.txt - adding in a secondary requirements.txt for tests - moving yamllint to tests requirements
7 years ago
Vault security hardening and role isolation
8 years ago
Add etcd_blkio_weight var (#1690)
7 years ago
Fixed generate front proxy client certs with vault (#2359) * Fixed generate front proxy client certs with vault * fix vault cert management * Distrebute etcd node certs to vault hosts
7 years ago
add configurable parameter for etcd_auto_compaction_retention
7 years ago
etcd_compaction_retention every 8 hour (#1527)
7 years ago
Change single Vault pki mount to multi pki mounts paths for etcd and kube CA`s (#1552) * Added update CA trust step for etcd and kube/secrets roles * Added load_balancer_domain_name to certificate alt names if defined. Reset CA's in RedHat os. * Rename kube-cluster-ca.crt to vault-ca.crt, we need separated CA`s for vault, etcd and kube. * Vault role refactoring, remove optional cert vault auth because not not used and worked. Create separate CA`s fro vault and etcd. * Fixed different certificates set for vault cert_managment * Update doc/vault.md * Fixed condition create vault CA, wrong group * Fixed missing etcd_cert_path mount for rkt deployment type. Distribute vault roles for all vault hosts * Removed wrong when condition in create etcd role vault tasks.
7 years ago
Add etcd key and cert environment variables for use with client auth
7 years ago
etcd: ability to enable/disable ETCD_PEER_CLIENT_CERT_AUTH Some installation are failing to authenticate with peers due to etcd picking up/resoling the wrong node. By setting 'etcd_peer_client_auth' to "False" you can disable peer client cert authentication. Signed-off-by: Sébastien Han <seb@redhat.com>
7 years ago
Fix recover-control-plane to work with etcd 3.3.x and add CI (#5500) * Fix recover-control-plane to work with etcd 3.3.x and add CI * Set default values for testcase * Add actual test jobs * Attempt to satisty gitlab ci linter * Fix ansible targets * Set etcd_member_name as stated in the docs... * Recovering from 0 masters is not supported yet * Add other master to broken_kube-master group as well * Increase number of retries to see if etcd needs more time to heal * Make number of retries for ETCD loops configurable, increase it for recovery CI and document it
5 years ago
Add etcd tls cipher suites (#7001) * Add etcd tls cipher suites * yamllint
4 years ago
  1. ---
  2. # Set to false to only do certificate management
  3. etcd_cluster_setup: true
  4. etcd_events_cluster_setup: false
  6. # Set to true to separate k8s events to a different etcd cluster
  7. etcd_events_cluster_enabled: false
  9. etcd_backup_prefix: "/var/backups"
  10. etcd_data_dir: "/var/lib/etcd"
  12. # Number of etcd backups to retain. Set to a value < 0 to retain all backups
  13. etcd_backup_retention_count: -1
  15. etcd_config_dir: /etc/ssl/etcd
  16. etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
  17. etcd_cert_dir_mode: "0700"
  18. etcd_cert_group: root
  19. # Note: This does not set up DNS entries. It simply adds the following DNS
  20. # entries to the certificate
  21. etcd_cert_alt_names:
  22. - "etcd.kube-system.svc.{{ dns_domain }}"
  23. - "etcd.kube-system.svc"
  24. - "etcd.kube-system"
  25. - "etcd"
  26. etcd_cert_alt_ips: []
  28. etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
  30. etcd_heartbeat_interval: "250"
  31. etcd_election_timeout: "5000"
  33. # etcd_snapshot_count: "10000"
  35. etcd_metrics: "basic"
  37. # Uncomment to set a separate port for etcd to expose metrics on
  38. # etcd_metrics_port: 2381
  40. ## A dictionary of extra environment variables to add to etcd.env, formatted like:
  41. ## etcd_extra_vars:
  42. ## ETCD_VAR1: "value1"
  43. ## ETCD_VAR2: "value2"
  44. etcd_extra_vars: {}
  46. # Limits
  47. # Limit memory only if <4GB memory on host. 0=unlimited
  48. etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"
  50. # etcd_quota_backend_bytes: "2147483648"
  52. # Uncomment to set CPU share for etcd
  53. # etcd_cpu_limit: 300m
  55. etcd_blkio_weight: 1000
  57. etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) | union(groups.get('vault', [])) }}"
  59. etcd_compaction_retention: "8"
  61. # Force clients like etcdctl to use TLS certs (different than peer security)
  62. etcd_secure_client: true
  64. # Enable peer client cert authentication
  65. etcd_peer_client_auth: true
  67. # Number of loop retries
  68. etcd_retries: 4
  70. ## Support tls cipher suites.
  71. # etcd_tls_cipher_suites: {}
  72. # - TLS_RSA_WITH_RC4_128_SHA
  73. # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
  74. # - TLS_RSA_WITH_AES_128_CBC_SHA
  75. # - TLS_RSA_WITH_AES_256_CBC_SHA
  76. # - TLS_RSA_WITH_AES_128_CBC_SHA256
  77. # - TLS_RSA_WITH_AES_128_GCM_SHA256
  78. # - TLS_RSA_WITH_AES_256_GCM_SHA384
  79. # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  80. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  81. # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  82. # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
  83. # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  84. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  85. # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  86. # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  87. # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  88. # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  89. # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  90. # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  91. # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  92. # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  93. # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  94. # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  95. # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256