---
# Hiera data for a Kubernetes controller node: class include, k8s::server
# settings, Consul service registration, the Consul ACL rule for this node
# and extra certificate alt names.

# Classes applied to this node.
# NOTE(review): presumably read by a lookup-driven include in the site
# manifest; confirm against the control repo.
hiera_include:
  - profiles::k8s::controller

### K8S::Server
k8s::server::node_on_server: false
k8s::server::manage_kubeadm: true

# The etcd CA is generated rather than supplied. The two commented keys below
# would instead point the etcd client CA at the files under
# /etc/pki/tls/vault.
# NOTE(review): a generated CA presumably keeps its private key on this
# node; confirm its location, file permissions, backup and rotation.
k8s::server::etcd::generate_ca: true
#k8s::server::etcd::client_ca_cert: '/etc/pki/tls/vault/certificate.crt'
#k8s::server::etcd::client_ca_key: '/etc/pki/tls/vault/private.key'

### K8S::Server::Apiserver
# Choose an interface which is for cluster communications.
# The apiserver will expose a port on the controller
# and all the workers need to be able to reach it.
# facts.networking.ip is the address of the interface Facter treats as
# primary; on a multi-homed host confirm that this is the cluster network
# and not a management or public interface.
k8s::server::apiserver::advertise_address: "%{facts.networking.ip}"

### K8S::Server::Resources
# Flannel is not managed from here.
# NOTE(review): the CNI presumably comes from elsewhere; confirm which one.
k8s::server::resources::manage_flannel: false

# Registers the API server in Consul as service 'k8s' on port 6443.
consul::services:
  k8s:
    service_name: 'k8s'
    tags:
      - 'containers'
      - 'k8s'
      - 'kubernetes'
    address: "%{facts.networking.ip}"
    port: 6443
    checks:
      # A TCP check passes as soon as the port accepts a connection; it does
      # not validate the TLS certificate or the API server's own health.
      # NOTE(review): the service address uses the IP fact while this check
      # uses the FQDN fact; confirm both resolve to the same interface, or
      # the check may test a different address than the one clients receive.
      - id: 'k8s_tcp_check'
        name: 'K8S TCP Check'
        tcp: "%{facts.networking.fqdn}:6443"
        interval: '10s'
        timeout: '1s'

# Consul ACL rule for this node: write on service 'k8s', matching the service
# registered above.
# NOTE(review): confirm the profile renders this as an exact-match service
# rule and not a prefix rule, so the token cannot register other services.
profiles::consul::client::node_rules:
  - resource: 'service'
    segment: 'k8s'
    disposition: 'write'

# additional altnames
# NOTE(review): presumably added as SANs to the certificate requested
# through profiles::pki::vault, so clients using the Consul DNS names can
# verify it; confirm this is the certificate the API server presents.
profiles::pki::vault::alt_names:
  - 'k8s.service.consul'
  - 'k8s.query.consul'