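---
############################
# prepare
############################
# Optional offline install of system packages (offline|online)
INSTALL_SOURCE: "online"

# Optional OS security hardening via github.com/dev-sec/ansible-collection-hardening
# Off by default; enabling it changes sysctl/ssh/login defaults on every node, so
# review that collection's defaults against your workloads before turning it on.
OS_HARDEN: false


############################
# role:deploy
############################
# default: ca will expire in 100 years
# default: certs issued by the ca will expire in 50 years
# These lifetimes are long enough that expiry will never force a rotation;
# rotation only happens when the certs are deliberately regenerated (see CHANGE_CA).
CA_EXPIRY: "876000h"
CERT_EXPIRY: "438000h"

# force to recreate CA and other certs, not suggested to set 'true'
# Recreating the CA reissues every cert signed by it, so this is a cluster-wide
# credential rotation, not a local change.
CHANGE_CA: false

# kubeconfig settings
CLUSTER_NAME: "cluster1"
CONTEXT_NAME: "context-{{ CLUSTER_NAME }}"

# k8s version
# "__k8s_ver__"-style placeholders are presumably substituted by the project's
# release tooling — verify before editing by hand.
K8S_VER: "__k8s_ver__"

# set unique 'k8s_nodename' for each node, if not set(default:'') ip add will be used
# CAUTION: 'k8s_nodename' must consist of lower case alphanumeric characters, '-' or '.',
# and must start and end with an alphanumeric character (e.g. 'example.com'),
# regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
# The trailing backslashes are double-quoted-scalar line continuations; the value
# is a single Jinja expression once YAML has folded it.
K8S_NODENAME: "{%- if k8s_nodename != '' -%} \
                {{ k8s_nodename|replace('_', '-')|lower }} \
              {%- else -%} \
                {{ inventory_hostname }} \
              {%- endif -%}"


############################
# role:etcd
############################
# Using a separate WAL directory avoids disk I/O contention and improves performance
ETCD_DATA_DIR: "/var/lib/etcd"
ETCD_WAL_DIR: ""


############################
# role:runtime [containerd,docker]
############################
# ------------------------------------------- containerd
# [.] enable the container registry mirror
ENABLE_MIRROR_REGISTRY: true

# [containerd] base (pause/sandbox) container image
SANDBOX_IMAGE: "easzlab.io.local:5000/easzlab/pause:__pause__"

# [containerd] persistent storage directory for containers
CONTAINERD_STORAGE_DIR: "/var/lib/containerd"

# ------------------------------------------- docker
# [docker] container storage directory
DOCKER_STORAGE_DIR: "/var/lib/docker"

# [docker] enable the Restful API
# Remote access to the daemon API is equivalent to root on the host; keep this
# false unless the endpoint is protected by TLS client authentication.
ENABLE_REMOTE_API: false

# [docker] trusted HTTP (insecure) registries
# Every entry here is pulled from without TLS verification, so image integrity
# rests on the network path; limit the list to the local mirror and the cluster's
# own Harbor instance.
INSECURE_REG:
  - "http://easzlab.io.local:5000"
  - "https://{{ HARBOR_REGISTRY }}"


############################
# role:kube-master
############################
# Certificate configuration for the k8s cluster master nodes; multiple IPs and
# domain names can be added (e.g. a public IP and domain).
# Each entry becomes a valid name for the apiserver certificate, so list only
# addresses and names you control.
MASTER_CERT_HOSTS:
  - "10.1.1.1"
  - "k8s.easzlab.io"
  #- "www.test.com"

# Pod network prefix length on each node (determines how many pod IPs a node can allocate).
# If flannel runs with --kube-subnet-mgr it reads this setting to allocate a pod subnet per node.
# https://github.com/coreos/flannel/issues/847
NODE_CIDR_LEN: 24


############################
# role:kube-node
############################
# Kubelet root directory
KUBELET_ROOT_DIR: "/var/lib/kubelet"

# Maximum number of pods per node
MAX_PODS: 110

# Reserve resources for kube components (kubelet, kube-proxy, dockerd, etc.)
# See templates/kubelet-config.yaml.j2 for the actual values.
# Kept as a quoted string so YAML does not coerce "no" to a boolean.
KUBE_RESERVED_ENABLED: "no"

# Upstream k8s advises against enabling system-reserved casually unless you
# understand the system's resource usage from long-term monitoring;
# reservations also need to grow as uptime increases. Values are in templates/kubelet-config.yaml.j2.
# The system reservation assumes a 4c/8g VM with a minimal set of system services;
# increase it on high-performance physical hosts.
# During cluster install, apiserver and friends briefly use a lot of memory;
# reserving at least 1g is recommended.
SYS_RESERVED_ENABLED: "no"


############################
# role:network [flannel,calico,cilium,kube-ovn,kube-router]
############################
# ------------------------------------------- flannel
# [flannel] backend: "host-gw", "vxlan", etc.
FLANNEL_BACKEND: "vxlan"
DIRECT_ROUTING: false

# [flannel]
flannel_ver: "__flannel__"

# ------------------------------------------- calico
# [calico] IPIP tunnel mode, one of [Always, CrossSubnet, Never]. Across subnets use
# Always or CrossSubnet (on public clouds Always is the least effort; otherwise the
# cloud's network settings must be adjusted, see each provider's documentation).
# CrossSubnet is a tunnel + BGP routing hybrid that improves network performance;
# within a single subnet Never is sufficient.
CALICO_IPV4POOL_IPIP: "Always"

# [calico] host IP used by calico-node; BGP peerings are established from this
# address. It can be set by hand or auto-detected.
IP_AUTODETECTION_METHOD: "can-reach={{ groups['kube_master'][0] }}"

# [calico] networking backend: brid, vxlan, none
CALICO_NETWORKING_BACKEND: "brid"

# [calico] whether calico uses route reflectors
# Recommended once the cluster exceeds 50 nodes.
CALICO_RR_ENABLED: false

# CALICO_RR_NODES selects the route reflector nodes; if unset the cluster master nodes are used.
# CALICO_RR_NODES: ["192.168.1.1", "192.168.1.2"]
CALICO_RR_NODES: []

# [calico] supported calico versions: ["3.19", "3.23"]
calico_ver: "__calico__"

# [calico] calico major.minor version, derived from calico_ver
calico_ver_main: "{{ calico_ver.split('.')[0] }}.{{ calico_ver.split('.')[1] }}"

# ------------------------------------------- cilium
# [cilium] image version
cilium_ver: "__cilium__"
cilium_connectivity_check: true
cilium_hubble_enabled: false
cilium_hubble_ui_enabled: false

# ------------------------------------------- kube-ovn
# [kube-ovn] node hosting the OVN DB and OVN Control Plane; defaults to the first master node
OVN_DB_NODE: "{{ groups['kube_master'][0] }}"

# [kube-ovn] offline image tarball version
kube_ovn_ver: "__kube_ovn__"

# ------------------------------------------- kube-router
# [kube-router] public clouds impose restrictions, so ipinip generally has to stay
# on; in self-managed environments this can be set to "subnet"
OVERLAY_TYPE: "full"

# [kube-router] NetworkPolicy support switch
FIREWALL_ENABLE: true

# [kube-router] kube-router image version
kube_router_ver: "__kube_router__"
busybox_ver: "1.28.4"


############################
# role:cluster-addon
############################
# coredns auto install
dns_install: "yes"
corednsVer: "__coredns__"
ENABLE_LOCAL_DNS_CACHE: true
dnsNodeCacheVer: "__dns_node_cache__"
# local dns cache address (link-local)
LOCAL_DNS_CACHE: "169.254.20.10"

# metric server auto install
metricsserver_install: "yes"
metricsVer: "__metrics__"

# dashboard auto install
dashboard_install: "yes"
dashboardVer: "__dashboard__"
dashboardMetricsScraperVer: "__dash_metrics__"

# prometheus auto install
prom_install: "no"
prom_namespace: "monitor"
prom_chart_ver: "__prom_chart__"

# nfs-provisioner auto install
nfs_provisioner_install: "no"
nfs_provisioner_namespace: "kube-system"
nfs_provisioner_ver: "__nfs_provisioner__"
nfs_storage_class: "managed-nfs-storage"
nfs_server: "192.168.1.10"
nfs_path: "/data/nfs"

# network-check auto install
network_check_enabled: false
# cron schedule; quoted because a leading '*' would otherwise be read as an alias
network_check_schedule: "*/5 * * * *"


############################
# role:harbor
############################
# harbor version, full version string
HARBOR_VER: "__harbor__"
HARBOR_DOMAIN: "harbor.easzlab.io.local"
# quoted for consistency with the other path values in this file
HARBOR_PATH: "/var/data"
HARBOR_TLS_PORT: 8443
HARBOR_REGISTRY: "{{ HARBOR_DOMAIN }}:{{ HARBOR_TLS_PORT }}"

# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down'
# A self-signed registry cert is why HARBOR_REGISTRY also appears in INSECURE_REG above.
HARBOR_SELF_SIGNED_CERT: true

# install extra component
# Notary (image signing / content trust) and Trivy (image vulnerability scanning)
# are off by default; enable them if the registry serves images to production nodes.
HARBOR_WITH_NOTARY: false
HARBOR_WITH_TRIVY: false
HARBOR_WITH_CHARTMUSEUM: true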