pbasov/k8s-cluster.yml

## k8s-cluster.yml
# Kubernetes configuration dirs and system namespace.
# Those are where all the additional config stuff goes
# the kubernetes normally puts in /srv/kubernetes.
# This puts them in a sane location and namespace.
# Editing those values will almost surely break something.
kube_config_dir: /etc/kubernetes
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
kube_manifest_dir: "{{ kube_config_dir }}/manifests"

# This is where all the cert scripts and certs will be located
kube_cert_dir: "{{ kube_config_dir }}/ssl"

# This is where all of the bearer tokens will be stored
kube_token_dir: "{{ kube_config_dir }}/tokens"

# This is where to save basic auth file
kube_users_dir: "{{ kube_config_dir }}/users"

kube_api_anonymous_auth: true

## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.11.3

# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
local_release_dir: "/tmp/releases"
# Random shifts for retrying failed ops like pushing/downloading
retry_stagger: 5

# This is the group that the cert creation scripts chgrp the
# cert files to. Not really changeable...
kube_cert_group: kube-cert

# Cluster Loglevel configuration
kube_log_level: 2

# Directory where credentials will be stored
credentials_dir: "{{ inventory_dir }}/credentials"

# Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user
kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
kube_users:
  kube:
    pass: "{{kube_api_pwd}}"
    role: admin
    groups:
      - system:masters

## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
#kube_basic_auth: false
#kube_token_auth: false


## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)

# kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes
## Optional settings for OIDC
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
# kube_oidc_username_claim: sub
# kube_oidc_username_prefix: oidc:
# kube_oidc_groups_claim: groups
# kube_oidc_groups_prefix: oidc:


# Choose network plugin (cilium, calico, contiv, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico

# Weave deployment
# weave_password: ~
# weave_checkpoint_disable: false
# weave_conn_limit: 100
# weave_hairpin_mode: true
# weave_ipalloc_range: {{ kube_pods_subnet }}
# weave_expect_npc: {{ enable_network_policy }}
# weave_kube_peers: ~
# weave_ipalloc_init: ~
# weave_expose_ip: ~
# weave_metrics_addr: ~
# weave_status_addr: ~
# weave_mtu: 1376
# weave_no_masq_local: true
# weave_extra_args: ~

# Kubernetes internal network for services, unused block of space.
kube_service_addresses: 10.233.0.0/18

# internal network. When used, it will assign IP
# addresses from this range to individual pods.
# This network must be unused in your network infrastructure!
kube_pods_subnet: 10.233.64.0/18

# internal network node size allocation (optional). This is the size allocated
# to each node on your network.  With these defaults you should have
# room for 4096 nodes with 254 pods per node.
kube_network_node_prefix: 24

# The port the API Server will be listening on.
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
kube_apiserver_port: 6443 # (https)
kube_apiserver_insecure_port: 8080 # (http)
# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
#kube_apiserver_insecure_port: 0 # (disabled)

# Kube-proxy proxyMode configuration.
# Can be ipvs, iptables
kube_proxy_mode: iptables

# Kube-proxy nodeport address.
# cidr to bind nodeport services. Flag --nodeport-addresses on kube-proxy manifest
kube_proxy_nodeport_addresses: false
# kube_proxy_nodeport_addresses_cidr: 10.0.1.0/24

## Encrypting Secret Data at Rest (experimental)
kube_encrypt_secret_data: false

# DNS configuration.
# Kubernetes cluster name, also will be used as DNS domain
cluster_name: cluster.local
# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
ndots: 2
# Can be dnsmasq_kubedns, kubedns, coredns, coredns_dual, manual or none
dns_mode: kubedns
# Set manual server if using a custom cluster DNS server
#manual_dns_server: 10.x.x.x

# Can be docker_dns, host_resolvconf or none
resolvconf_mode: docker_dns
# Deploy netchecker app to verify DNS resolve as an HTTP service
deploy_netchecker: false
# Ip address of the kubernetes skydns service
skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}"
skydns_server_secondary: "{{ kube_service_addresses|ipaddr('net')|ipaddr(4)|ipaddr('address') }}"
dnsmasq_dns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(2)|ipaddr('address') }}"
dns_domain: "{{ cluster_name }}"

## Container runtime
## docker for docker and crio for cri-o.
container_manager: docker

## Settings for containerized control plane (etcd/kubelet/secrets)
etcd_deployment_type: docker
kubelet_deployment_type: host
vault_deployment_type: docker
helm_deployment_type: host

# K8s image pull policy (imagePullPolicy)
k8s_image_pull_policy: IfNotPresent

# audit log for kubernetes
kubernetes_audit: false

# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
podsecuritypolicy_enabled: false

# Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
# kubeconfig_localhost: false
# Download kubectl onto the host that runs Ansible in {{ bin_dir }}
# kubectl_localhost: false

# dnsmasq
# dnsmasq_upstream_dns_servers:
#  - /resolvethiszone.with/10.0.4.250
#  - 8.8.8.8

#  Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (default true)
# kubelet_cgroups_per_qos: true

# A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
# Acceptable options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
# kubelet_enforce_node_allocatable: pods

## Supplementary addresses that can be added in kubernetes ssl keys.
## That can be useful for example to setup a keepalived virtual IP
# supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]

## Running on top of openstack vms with cinder enabled may lead to unschedulable pods due to NoVolumeZoneConflict restriction in kube-scheduler.
## See https://github.com/kubernetes-incubator/kubespray/issues/2141
## Set this variable to true to get rid of this issue
volume_cross_zone_attachment: true

# Add Persistent Volumes Storage Class for corresponding cloud provider ( OpenStack is only supported now )
persistent_volumes_enabled: true

# LBaaS
openstack_lbaas_enabled: true
openstack_lbaas_floating_network_id: 6c65a7fb-4233-4d39-9b2c-cf0b91dc61bd
openstack_lbaas_subnet_id: ff662e74-ebbb-4f22-b09f-81765ca16210
openstack_blockstorage_version: 2
openstack_blockstorage_ignore_az: true
	# Kubernetes configuration dirs and system namespace.
	# Those are where all the additional config stuff goes
	# the kubernetes normally puts in /srv/kubernetes.
	# This puts them in a sane location and namespace.
	# Editing those values will almost surely break something.
	kube_config_dir: /etc/kubernetes
	kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
	kube_manifest_dir: "{{ kube_config_dir }}/manifests"

	# This is where all the cert scripts and certs will be located
	kube_cert_dir: "{{ kube_config_dir }}/ssl"

	# This is where all of the bearer tokens will be stored
	kube_token_dir: "{{ kube_config_dir }}/tokens"

	# This is where to save basic auth file
	kube_users_dir: "{{ kube_config_dir }}/users"

	kube_api_anonymous_auth: true

	## Change this to use another Kubernetes version, e.g. a current beta release
	kube_version: v1.11.3

	# Where the binaries will be downloaded.
	# Note: ensure that you've enough disk space (about 1G)
	local_release_dir: "/tmp/releases"
	# Random shifts for retrying failed ops like pushing/downloading
	retry_stagger: 5

	# This is the group that the cert creation scripts chgrp the
	# cert files to. Not really changeable...
	kube_cert_group: kube-cert

	# Cluster Loglevel configuration
	kube_log_level: 2

	# Directory where credentials will be stored
	credentials_dir: "{{ inventory_dir }}/credentials"

	# Users to create for basic auth in Kubernetes API via HTTP
	# Optionally add groups for user
	kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
	kube_users:
	kube:
	pass: "{{kube_api_pwd}}"
	role: admin
	groups:
	- system:masters

	## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
	#kube_oidc_auth: false
	#kube_basic_auth: false
	#kube_token_auth: false


	## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
	## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)

	# kube_oidc_url: https:// ...
	# kube_oidc_client_id: kubernetes
	## Optional settings for OIDC
	# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
	# kube_oidc_username_claim: sub
	# kube_oidc_username_prefix: oidc:
	# kube_oidc_groups_claim: groups
	# kube_oidc_groups_prefix: oidc:


	# Choose network plugin (cilium, calico, contiv, weave or flannel)
	# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
	kube_network_plugin: calico

	# Weave deployment
	# weave_password: ~
	# weave_checkpoint_disable: false
	# weave_conn_limit: 100
	# weave_hairpin_mode: true
	# weave_ipalloc_range: {{ kube_pods_subnet }}
	# weave_expect_npc: {{ enable_network_policy }}
	# weave_kube_peers: ~
	# weave_ipalloc_init: ~
	# weave_expose_ip: ~
	# weave_metrics_addr: ~
	# weave_status_addr: ~
	# weave_mtu: 1376
	# weave_no_masq_local: true
	# weave_extra_args: ~

	# Kubernetes internal network for services, unused block of space.
	kube_service_addresses: 10.233.0.0/18

	# internal network. When used, it will assign IP
	# addresses from this range to individual pods.
	# This network must be unused in your network infrastructure!
	kube_pods_subnet: 10.233.64.0/18

	# internal network node size allocation (optional). This is the size allocated
	# to each node on your network. With these defaults you should have
	# room for 4096 nodes with 254 pods per node.
	kube_network_node_prefix: 24

	# The port the API Server will be listening on.
	kube_apiserver_ip: "{{ kube_service_addresses\|ipaddr('net')\|ipaddr(1)\|ipaddr('address') }}"
	kube_apiserver_port: 6443 # (https)
	kube_apiserver_insecure_port: 8080 # (http)
	# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
	#kube_apiserver_insecure_port: 0 # (disabled)

	# Kube-proxy proxyMode configuration.
	# Can be ipvs, iptables
	kube_proxy_mode: iptables

	# Kube-proxy nodeport address.
	# cidr to bind nodeport services. Flag --nodeport-addresses on kube-proxy manifest
	kube_proxy_nodeport_addresses: false
	# kube_proxy_nodeport_addresses_cidr: 10.0.1.0/24

	## Encrypting Secret Data at Rest (experimental)
	kube_encrypt_secret_data: false

	# DNS configuration.
	# Kubernetes cluster name, also will be used as DNS domain
	cluster_name: cluster.local
	# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
	ndots: 2
	# Can be dnsmasq_kubedns, kubedns, coredns, coredns_dual, manual or none
	dns_mode: kubedns
	# Set manual server if using a custom cluster DNS server
	#manual_dns_server: 10.x.x.x

	# Can be docker_dns, host_resolvconf or none
	resolvconf_mode: docker_dns
	# Deploy netchecker app to verify DNS resolve as an HTTP service
	deploy_netchecker: false
	# Ip address of the kubernetes skydns service
	skydns_server: "{{ kube_service_addresses\|ipaddr('net')\|ipaddr(3)\|ipaddr('address') }}"
	skydns_server_secondary: "{{ kube_service_addresses\|ipaddr('net')\|ipaddr(4)\|ipaddr('address') }}"
	dnsmasq_dns_server: "{{ kube_service_addresses\|ipaddr('net')\|ipaddr(2)\|ipaddr('address') }}"
	dns_domain: "{{ cluster_name }}"

	## Container runtime
	## docker for docker and crio for cri-o.
	container_manager: docker

	## Settings for containerized control plane (etcd/kubelet/secrets)
	etcd_deployment_type: docker
	kubelet_deployment_type: host
	vault_deployment_type: docker
	helm_deployment_type: host

	# K8s image pull policy (imagePullPolicy)
	k8s_image_pull_policy: IfNotPresent

	# audit log for kubernetes
	kubernetes_audit: false

	# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled)
	podsecuritypolicy_enabled: false

	# Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
	# kubeconfig_localhost: false
	# Download kubectl onto the host that runs Ansible in {{ bin_dir }}
	# kubectl_localhost: false

	# dnsmasq
	# dnsmasq_upstream_dns_servers:
	# - /resolvethiszone.with/10.0.4.250
	# - 8.8.8.8

	# Enable creation of QoS cgroup hierarchy, if true top level QoS and pod cgroups are created. (default true)
	# kubelet_cgroups_per_qos: true

	# A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
	# Acceptable options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
	# kubelet_enforce_node_allocatable: pods

	## Supplementary addresses that can be added in kubernetes ssl keys.
	## That can be useful for example to setup a keepalived virtual IP
	# supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]

	## Running on top of openstack vms with cinder enabled may lead to unschedulable pods due to NoVolumeZoneConflict restriction in kube-scheduler.
	## See https://github.com/kubernetes-incubator/kubespray/issues/2141
	## Set this variable to true to get rid of this issue
	volume_cross_zone_attachment: true

	# Add Persistent Volumes Storage Class for corresponding cloud provider ( OpenStack is only supported now )
	persistent_volumes_enabled: true

	# LBaaS
	openstack_lbaas_enabled: true
	openstack_lbaas_floating_network_id: 6c65a7fb-4233-4d39-9b2c-cf0b91dc61bd
	openstack_lbaas_subnet_id: ff662e74-ebbb-4f22-b09f-81765ca16210
	openstack_blockstorage_version: 2
	openstack_blockstorage_ignore_az: true