External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-02 01:58:12 -03:30
Code Issues Packages Projects Releases Wiki Activity
Files
5ee67297bc8bd2dadf8245d2596d9800ff6e5a48
kubespray/roles/etcd/defaults/main.yml
k8s-infra-cherrypick-robot 5ee67297bc etcd-certs: only change necessary permissions (#12915) 
We currently **recursively** set the permissions of /etc/ssl/etcd/ssl
(default path) to 700. But this removes group permission from the files
under it, and certain composents (like calio with etcd datastore) rely
on it ; thus, the upgrade of a cluster can fail because the
calico-kube-controller can't access the certs, and thus the etcd.

This works in other case because as far as I can tell, the apiserver
which do access the etcd run as root (the owner of the files, not just
the "group owner")

We also for some reasons do this twice.

Only create the etcd cert directory with the correct permissions once,
not recursively.

Co-authored-by: Max Gautier <mg@max.gautier.name>
2026-01-27 20:31:52 +05:30

123 lines
3.9 KiB
YAML
Raw Blame History

---
# Set etcd user
etcd_owner: etcd
# Set to false to only do certificate management
etcd_cluster_setup: true
etcd_events_cluster_setup: false
# Set to true to separate k8s events to a different etcd cluster
etcd_events_cluster_enabled: false
etcd_backup_prefix: "/var/backups"
etcd_data_dir: "/var/lib/etcd"
# Number of etcd backups to retain. Set to a value < 0 to retain all backups
etcd_backup_retention_count: -1
force_etcd_cert_refresh: true
etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
etcd_cert_group: root
# Note: This does not set up DNS entries. It simply adds the following DNS
# entries to the certificate
etcd_cert_alt_names:
- "etcd.kube-system.svc.{{ dns_domain }}"
- "etcd.kube-system.svc"
- "etcd.kube-system"
- "etcd"
etcd_cert_alt_ips: []
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
etcd_heartbeat_interval: "250"
etcd_election_timeout: "5000"
etcd_metrics: "basic"
# Define in inventory to set a separate port for etcd to expose metrics on
# etcd_metrics_port: 2381
## A dictionary of extra environment variables to add to etcd.env, formatted like:
## etcd_extra_vars:
## ETCD_VAR1: "value1"
## ETCD_VAR2: "value2"
etcd_extra_vars: {}
# Limits
# Limit memory only if <4GB memory on host. 0=unlimited
# This value is only relevant when deploying etcd with `etcd_deployment_type: docker`
etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"
# The default storage size limit is 2G.
# 8G is a suggested maximum size for normal environments and etcd warns at startup if the configured value exceeds it.
# etcd_quota_backend_bytes: "2147483648"
# Maximum client request size in bytes the server will accept.
# etcd is designed to handle small key value pairs typical for metadata.
# Larger requests will work, but may increase the latency of other requests
# etcd_max_request_bytes: "1572864"
# Uncomment to set CPU share for etcd
# etcd_cpu_limit: 300m
etcd_blkio_weight: 1000
etcd_node_cert_hosts: "{{ groups['k8s_cluster'] }}"
etcd_compaction_retention: "8"
# Force clients like etcdctl to use TLS certs (different than peer security)
etcd_secure_client: true
# Enable peer client cert authentication
etcd_peer_client_auth: true
# Maximum number of snapshot files to retain (0 is unlimited)
# etcd_max_snapshots: 5
# Maximum number of wal files to retain (0 is unlimited)
# etcd_max_wals: 5
# Number of loop retries
etcd_retries: 4
## Support tls cipher suites.
# etcd_tls_cipher_suites: {}
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# ETCD 3.5.x issue
# https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
etcd_experimental_initial_corrupt_check: true
# Enable distributed tracing
# https://etcd.io/docs/v3.5/op-guide/monitoring/#distributed-tracing
etcd_experimental_enable_distributed_tracing: false
etcd_experimental_distributed_tracing_sample_rate: 100
etcd_experimental_distributed_tracing_address: "localhost:4317"
etcd_experimental_distributed_tracing_service_name: etcd
# The interval for etcd watch progress notify events
etcd_experimental_watch_progress_notify_interval: 5s
Reference in New Issue View Git Blame Copy Permalink