- only install a base config - wait for 3 masters before deploying helm charts - remove cluster-domain - manage nginx ingress via rke2 helmconfig Reviewed-on: #403
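---
# Hiera data for an RKE2 *server* (control-plane) node: the RKE2 install
# itself, the Consul service registrations that front it, the Vault PKI
# SANs and the sudo rule the Consul health check needs.

# manage rke2
rke2::node_type: server
rke2::helm_install: true

# Helm chart repositories handed to the rke2 module.
rke2::helm_repos:
  rancher-stable: https://releases.rancher.com/server-charts/stable
  purelb: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
  jetstack: https://charts.jetstack.io
  harbor: https://helm.goharbor.io
  traefik: https://traefik.github.io/charts
  hashicorp: https://helm.releases.hashicorp.com

# Additional RKE2 config fragments (CNI and ingress). Only their names are
# listed here; the contents come from the rke2 module's templates.
rke2::extra_config_files:
  - rke2-canal-config
  - rke2-nginx-ingress-config

# Rendered into RKE2's config.yaml.
rke2::config_hash:
  # Advertise the node's loopback0 address (looked up from hiera) rather
  # than a physical interface address.
  advertise-address: "%{hiera('networking_loopback0_ip')}"
  # Extra SANs for the API-server / supervisor certificates: the Consul DNS
  # names registered further down plus the public names.
  tls-san:
    - "join-k8s.service.consul"
    - "api-k8s.service.consul"
    - "api.k8s.unkin.net"
    - "join.k8s.unkin.net"
  cni: canal
  cluster-cidr: 10.42.0.0/16
  service-cidr: 10.43.0.0/16
  cluster-dns: 10.43.0.10
  # RKE2 splits extra args on '=' only. The previous space-separated form
  # ("--quota-backend-bytes 2048000000") reached etcd as one malformed
  # token with "=true" appended; key=value is the documented form.
  etcd-arg: "--quota-backend-bytes=2048000000"
  # Daily etcd snapshot at 03:00, keeping the last 10.
  etcd-snapshot-schedule-cron: "0 3 * * *"
  etcd-snapshot-retention: 10
  # Evict pods from not-ready / unreachable nodes after 30s instead of the
  # upstream default of 300s; the controller-manager polls nodes every 4s
  # to match.
  kube-apiserver-arg:
    - '--default-not-ready-toleration-seconds=30'
    - '--default-unreachable-toleration-seconds=30'
  kube-controller-manager-arg:
    - '--node-monitor-period=4s'
  # kubelet fails to start if kernel parameters differ from what it expects
  # instead of changing them itself; the host must be tuned beforehand.
  protect-kernel-defaults: true
  # kube-proxy is kept (stated explicitly rather than left to the default).
  disable-kube-proxy: false

# configure consul service
# Register the API server (6443) and the supervisor/join endpoint (9345)
# in Consul so the *.service.consul names in tls-san above resolve.
consul::services:
  api-k8s:
    service_name: 'api-k8s'
    address: "%{facts.networking.fqdn}"
    port: 6443
    checks:
      - id: 'api-k8s_livez_check'
        name: 'api-k8s livez Check'
        # Executed as root through the sudo::configs rule at the end of
        # this file; the sudo rule and this path must stay in sync.
        args:
          - sudo
          - /usr/local/bin/check_k8s_api.sh
        interval: '10s'
        timeout: '1s'
  join-k8s:
    service_name: 'join-k8s'
    address: "%{facts.networking.fqdn}"
    port: 9345
    checks:
      - id: 'rke2_tcp_check_9345'
        name: 'rke2 TCP Check 9345'
        # Plain TCP connect check against the advertised loopback0 address.
        tcp: "%{hiera('networking_loopback0_ip')}:9345"
        interval: '10s'
        timeout: '1s'

# Appears to be Consul ACL node rules: this node's agent may write (register)
# the two services above and nothing else.
profiles::consul::client::node_rules:
  - resource: service
    segment: api-k8s
    disposition: write
  - resource: service
    segment: join-k8s
    disposition: write

# Additional SANs requested for the certificate issued through
# profiles::pki::vault, including the region-scoped Consul name.
profiles::pki::vault::alt_names:
  - api-k8s.service.consul
  - api-k8s.query.consul
  - "api-k8s.service.%{facts.country}-%{facts.region}.consul"

# Lets the consul agent run the API health check as root without a
# password. The rule is limited to this single script; the script must be
# root-owned and not writable by the consul user, otherwise the rule is
# equivalent to unrestricted root for that account.
sudo::configs:
  consul-checks:
    priority: 20
    content: |
      consul ALL=(ALL) NOPASSWD: /usr/local/bin/check_k8s_api.sh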