This commit removes the variable `use_localhost_as_kubeapi_loadbalancer` and instead detects that we are in a situation where we can use the localhost apiserver loadbalancer (meaning that we use the localhost load balancer and that the same ports are used for both the load balancer and the kube-apiserver). This also cleans up the calico code to use `kube_apiserver_global_endpoint` rather than implementing the same logic all over again. Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
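---
## Directory where the binaries will be installed
bin_dir: /usr/local/bin

## The access_ip variable is used to define how other nodes should access
## the node. This is used in flannel to allow other flannel nodes to see
## this node for example. The access_ip is really useful in AWS and Google
## environments where the nodes are accessed remotely by the "public" ip,
## but don't know about that address themselves.
# access_ip: 1.1.1.1


## External LB example config
## apiserver_loadbalancer_domain_name: "elb.some.domain"
# loadbalancer_apiserver:
#   address: 1.2.3.4
#   port: 1234

## Internal loadbalancers for apiservers
# loadbalancer_apiserver_localhost: true
# valid options are "nginx" or "haproxy"
# loadbalancer_apiserver_type: nginx # valid values "nginx" or "haproxy"

## Local loadbalancer should use this port
## and must be set to port 6443 so that it matches the kube-apiserver port
loadbalancer_apiserver_port: 6443

## If the loadbalancer_apiserver_healthcheck_port variable is defined, it enables the proxy liveness check for nginx.
loadbalancer_apiserver_healthcheck_port: 8081

### OTHER OPTIONAL VARIABLES

## By default, Kubespray collects nameservers on the host. It then adds the previously collected nameservers in nameserverentries.
## If true, Kubespray does not include host nameservers in nameserverentries in the dns_late stage. However, it still uses the host
## nameservers to make sure the cluster is installed safely in the dns_early stage.
## Use this option with caution, you may need to define your dns servers. Otherwise, outbound queries such as www.google.com may fail.
# disable_host_nameservers: false

## Upstream dns servers
# upstream_dns_servers:
#   - 8.8.8.8
#   - 8.8.4.4

## There are some changes specific to the cloud providers
## for instance we need to encapsulate packets with some network plugins
## If set the possible values are either 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', or 'external'
## When openstack is used make sure to source in the openstack credentials
## like you would do when using openstack-client before starting the playbook.
# cloud_provider:

## When cloud_provider is set to 'external', you can set the cloud controller to deploy
## Supported cloud controllers are: 'openstack', 'vsphere' and 'hcloud'
## When openstack or vsphere are used make sure to source in the required fields
# external_cloud_provider:

## Set these proxy values in order to update package manager and docker daemon to use proxies
# http_proxy: ""
# https_proxy: ""

## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
# no_proxy: ""

## Some problems may occur when downloading files over https proxy due to ansible bug
## https://github.com/ansible/ansible/issues/32750. Set this variable to false to disable
## SSL validation of the get_url module. Note that kubespray will still be performing checksum validation.
## Disabling SSL validation weakens protection against tampered downloads; keep it enabled unless the proxy makes it impossible.
# download_validate_certs: false

## If you need to exclude all cluster nodes from proxy and other resources, add the other resources here.
# additional_no_proxy: ""

## If you need to disable proxying of os package repositories but are still behind an http_proxy, set
## skip_http_proxy_on_os_packages to true
## This will cause kubespray not to set the proxy environment in /etc/yum.conf for centos and in /etc/apt/apt.conf for debian/ubuntu
## Special information for debian/ubuntu - you have to set the no_proxy variable, then apt packages will install from your source of choice
# skip_http_proxy_on_os_packages: false

## Since workers are included in the no_proxy variable by default, docker engine will be restarted on all nodes (all
## pods will restart) when adding or removing workers. To override this behaviour by only including master nodes in the
## no_proxy variable, set below to true:
no_proxy_exclude_workers: false

## Certificate Management
## This setting determines whether certs are generated via scripts.
## Choose 'none' if you provide your own certificates.
## Option is "script", "none"
# cert_management: script

## Set to true to allow pre-checks to fail and continue deployment
# ignore_assert_errors: false

## The read-only port for the Kubelet to serve on with no authentication/authorization. Uncomment to enable.
## Keep it disabled unless something requires it: anything able to reach this port can read pod and node details.
# kube_read_only_port: 10255

## Set true to download and cache container
# download_container: true

## Deploy container engine
# Set false if you want to deploy container engine manually.
# deploy_container_engine: true

## Red Hat Enterprise Linux subscription registration
## Add either RHEL subscription Username/Password or Organization ID/Activation Key combination
## Update RHEL subscription purpose usage, role and SLA if necessary
## Prefer supplying the password or activation key through Ansible Vault or extra vars instead of committing it to this file.
# rh_subscription_username: ""
# rh_subscription_password: ""
# rh_subscription_org_id: ""
# rh_subscription_activation_key: ""
# rh_subscription_usage: "Development"
# rh_subscription_role: "Red Hat Enterprise Server"
# rh_subscription_sla: "Self-Support"

## Check if access_ip responds to ping. Set false if your firewall blocks ICMP.
# ping_access_ip: true

## sysctl_file_path: the file to add sysctl conf to
# sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"

## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
kube_webhook_token_auth: false
## Leave at false; setting true disables TLS verification of the webhook endpoint.
kube_webhook_token_auth_url_skip_tls_verify: false
# kube_webhook_token_auth_url: https://...
## base64-encoded string of the webhook's CA certificate
# kube_webhook_token_auth_ca_data: "LS0t..."

## NTP Settings
# Start the ntpd or chrony service and enable it at system boot.
ntp_enabled: false
ntp_manage_config: false
ntp_servers:
  - "0.pool.ntp.org iburst"
  - "1.pool.ntp.org iburst"
  - "2.pool.ntp.org iburst"
  - "3.pool.ntp.org iburst"

## Used to control the no_log attribute
## Setting this to true turns no_log off and may print credentials in the Ansible output.
unsafe_show_logs: false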