kubespray/roles/network_plugin/calico/defaults/main.yml

---
# the default value of name
calico_cni_name: k8s-pod-network

# Enables Internet connectivity from containers
nat_outgoing: true

# add default ippool name
calico_pool_name: "default-pool"
calico_ipv4pool_ipip: "Off"

# Change encapsulation mode, by default we enable vxlan which is the most mature and well tested mode
calico_ipip_mode: Never  # valid values are 'Always', 'Never' and 'CrossSubnet'
calico_vxlan_mode: Always  # valid values are 'Always', 'Never' and 'CrossSubnet'

calico_cni_pool: true
calico_cni_pool_ipv6: true

# add default ippool blockSize (defaults kube_network_node_prefix)
calico_pool_blocksize: 26

# Calico doesn't support ipip tunneling for the IPv6.
calico_ipip_mode_ipv6: Never
calico_vxlan_mode_ipv6: Never

# add default ipv6 ippool blockSize (defaults kube_network_node_prefix_ipv6)
calico_pool_blocksize_ipv6: 122

# Calico network backend can be 'bird', 'vxlan' and 'none'
calico_network_backend: vxlan

calico_cert_dir: /etc/calico/certs

# Global as_num (/calico/bgp/v1/global/as_num)
global_as_num: "64512"

# You can set MTU value here. If left undefined or empty, it will
# not be specified in calico CNI config, so Calico will use built-in
# defaults. The value should be a number, not a string.
# calico_mtu: 1500

# Advertise Service External IPs
calico_advertise_service_external_ips: []

# Advertise Service LoadBalancer IPs
calico_advertise_service_loadbalancer_ips: []

# Calico eBPF support
calico_bpf_enabled: false
calico_bpf_log_level: ""
# Valid option for service mode: Tunnel (default), DSR=Direct Server Return
calico_bpf_service_mode: Tunnel

# Limits for apps
calico_node_memory_limit: 500M
calico_node_cpu_limit: 300m
calico_node_memory_requests: 64M
calico_node_cpu_requests: 150m
calico_felix_chaininsertmode: Insert

# Calico daemonset nodeselector
calico_ds_nodeselector: "kubernetes.io/os: linux"

# Virtual network ID to use for VXLAN traffic. A value of 0 means “use the kernel default”.
calico_vxlan_vni: 4096

# Port to use for VXLAN traffic. A value of 0 means “use the kernel default”.
calico_vxlan_port: 4789

# Enable Prometheus Metrics endpoint for felix
calico_felix_prometheusmetricsenabled: false
calico_felix_prometheusmetricsport: 9091
calico_felix_prometheusgometricsenabled: true
calico_felix_prometheusprocessmetricsenabled: true

# Set the agent log level. Can be debug, warning, info or fatal
calico_loglevel: info
calico_node_startup_loglevel: error

# Set log path for calico CNI plugin. Set to false to disable logging to disk.
calico_cni_log_file_path: /var/log/calico/cni/cni.log

# Enable or disable usage report to 'usage.projectcalico.org'
calico_usage_reporting: false

# Should calico ignore kernel's RPF check setting,
# see https://github.com/projectcalico/felix/blob/ab8799eaea66627e5db7717e62fca61fd9c08646/python/calico/felix/config.py#L198
calico_node_ignorelooserpf: false

# Define address on which Felix will respond to health requests
calico_healthhost: "localhost"

# Configure time in seconds that calico will wait for the iptables lock
calico_iptables_lock_timeout_secs: 10

# Choose Calico iptables backend: "Legacy", "Auto" or "NFT" (FELIX_IPTABLESBACKEND)
calico_iptables_backend: "Auto"

# Calico Wireguard support
calico_wireguard_enabled: false
calico_wireguard_packages: []
calico_wireguard_repo: https://download.copr.fedorainfracloud.org/results/jdoss/wireguard/epel-{{ ansible_distribution_major_version }}-$basearch/

# If you want to use non default IP_AUTODETECTION_METHOD, IP6_AUTODETECTION_METHOD for calico node set this option to one of:
# * can-reach=DESTINATION
# * interface=INTERFACE-REGEX
# see https://projectcalico.docs.tigera.io/reference/node/configuration#ip-autodetection-methods
# calico_ip_auto_method: "interface=eth.*"
# calico_ip6_auto_method: "interface=eth.*"

# Set FELIX_MTUIFACEPATTERN, Pattern used to discover the host’s interface for MTU auto-detection.
# see https://projectcalico.docs.tigera.io/reference/felix/configuration
# calico_felix_mtu_iface_pattern: "^((en|wl|ww|sl|ib)[opsx].*|(eth|wlan|wwan).*)"

calico_baremetal_nodename: "{{ kube_override_hostname | default(inventory_hostname) }}"

kube_etcd_cacert_file: ca.pem
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem

# Choose data store type for calico: "etcd" or "kdd" (kubernetes datastore)
# The default value for calico_datastore is set in role kubespray-default

# Use typha (only with kdd)
typha_enabled: false
typha_prometheusmetricsenabled: false
typha_prometheusmetricsport: 9093

# Scaling typha: 1 replica per 100 nodes is adequate
# Number of typha replicas
typha_replicas: 1

# Set max typha connections
typha_max_connections_lower_limit: 300

# Generate certifcates for typha<->calico-node communication
typha_secure: false

calico_feature_control: {}

# Calico default BGP port
calico_bgp_listen_port: 179

# Calico FelixConfiguration options
calico_felix_reporting_interval: 0s
calico_felix_log_severity_screen: Info

# Calico container settings
calico_allow_ip_forwarding: false

# Calico IPAM strictAffinity
calico_ipam_strictaffinity: false

# Calico IPAM autoAllocateBlocks
calico_ipam_autoallocateblocks: true

# Calico IPAM maxBlocksPerHost, default 0
calico_ipam_maxblocksperhost: 0

# Calico apiserver (only with kdd)
calico_apiserver_enabled: false

# Calico feature detect override
calico_feature_detect_override: ""