---
# Hiera data for etcd nodes; going by the role and service names this is
# presumably the etcd cluster backing Kubernetes -- confirm.
# NOTE(review): this page arrived collapsed onto one line; the nesting below
# is reconstructed from etcd's and Consul's option layout -- confirm against
# the original file.
hiera_include:
  - profiles::etcd::node

# presumably cluster members are discovered by looking up nodes that carry
# this role -- confirm in profiles::etcd::node.
profiles::etcd::node::members_lookup: true
profiles::etcd::node::members_role: roles::infra::etcd::k8s

# Keys below look like etcd configuration-file options handed to the profile.
profiles::etcd::node::config:
  data-dir: /data/etcd
  # NOTE(review): etcd's config file normally carries client-cert-auth inside
  # the *-transport-security maps; confirm this top-level key has any effect.
  client-cert-auth: false
  # TLS for the client API. The server presents the certificate and key from
  # /etc/pki/tls/vault.
  client-transport-security:
    cert-file: /etc/pki/tls/vault/certificate.crt
    key-file: /etc/pki/tls/vault/private.key
    # Clients are not asked for a certificate and no trusted-ca-file is set,
    # so TLS here gives encryption and server identity only. Unless etcd's
    # own auth (users/roles) or a network ACL is enforced elsewhere, any host
    # that can reach the client port has read/write access to the keyspace.
    # NOTE(review): enable client-cert-auth together with a trusted-ca-file,
    # or document the compensating control.
    client-cert-auth: false
    # Use the certificate above rather than a generated self-signed one.
    auto-tls: false
  # TLS for member-to-member traffic; same certificate and key as the
  # client API.
  peer-transport-security:
    cert-file: /etc/pki/tls/vault/certificate.crt
    key-file: /etc/pki/tls/vault/private.key
    # Peers are not authenticated by certificate either.
    # NOTE(review): peer links carry raft traffic; mutual TLS between members
    # is the usual baseline -- confirm why it is off.
    client-cert-auth: false
    auto-tls: false
    # Bare key parses as null. allowed-cn restricts verified certificate
    # common names, so it is presumably inert while client-cert-auth is false.
    allowed-cn:
  # Retention limits for WAL and snapshot files.
  max-wals: 5
  max-snapshots: 5
  snapshot-count: 10000
  # Raft timing; presumably milliseconds as in upstream etcd -- confirm.
  heartbeat-interval: 100
  election-timeout: 1000
  # Restricts TLS 1.2 negotiation to two ECDHE-RSA AES-GCM suites. Go's TLS
  # stack does not let TLS 1.3 suites be configured, so this list does not
  # narrow TLS 1.3. Both suites need an RSA server key -- confirm the
  # Vault-issued certificate uses one.
  cipher-suites: [ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ]
  tls-min-version: 'TLS1.2'
  tls-max-version: 'TLS1.3'

# presumably the subject alternative names requested for the Vault-issued
# certificate. All three are Consul DNS names; the node IP is not listed.
profiles::pki::vault::alt_names:
  - etcd-k8s.service.consul
  - etcd-k8s.query.consul
  - "etcd-k8s.service.%{facts.country}-%{facts.region}.consul"

# presumably principals placed on the signed SSH host certificate -- confirm.
# The interpolated entry is unquoted here but quoted in alt_names above; both
# parse as strings.
profiles::ssh::sign::principals:
  - etcd-k8s.query.consul
  - etcd-k8s.service.consul
  - etcd-k8s.service.%{facts.country}-%{facts.region}.consul

# Consul registration for the etcd client endpoint on this node.
consul::services:
  etcd:
    service_name: 'etcd-k8s'
    tags:
      - 'etcd'
      - 'k8s'
      - 'etcd-k8s'
    address: "%{facts.networking.ip}"
    port: 2379
    checks:
      - id: 'etcd_http_health_check'
        name: 'ETCD HTTP Health Check'
        # The check targets the node IP, which the alt_names above do not
        # cover; presumably that is why verification is skipped below.
        http: "https://%{facts.networking.ip}:2379/health"
        method: 'GET'
        interval: '10s'
        timeout: '1s'
        # Consul does not validate etcd's certificate for this check, so the
        # result is not tied to the expected server identity.
        # NOTE(review): checking a name the certificate covers (or setting
        # tls_server_name, if the Consul version in use supports it) with the
        # issuing CA trusted by the agent would let verification stay on.
        # The check presents no client certificate; if client-cert-auth is
        # enabled later, etcd's listen-metrics-urls can serve /health on a
        # separate listener.
        tls_skip_verify: true

# presumably rendered into this node's Consul ACL policy: write access on the
# etcd-k8s service, which is what registering the service above requires.
profiles::consul::client::node_rules:
  - resource: service
    segment: etcd-k8s
    disposition: write