# Cluster configuration

All parameters live in `group_vars/all/main.yml` and `group_vars/all/addons.yml`. Secrets live in `group_vars/all/vault.yml`.

## K3S

```yaml
k3s_version: "v1.29.3+k3s1"
k3s_cluster_cidr: "10.42.0.0/16"
k3s_service_cidr: "10.43.0.0/16"
k3s_flannel_backend: "vxlan"   # vxlan | wireguard-native | host-gw (Flannel only)
k3s_cni: "flannel"             # flannel | calico | cilium

# Paths (changed from /var/lib/rancher):
k3s_config_dir: /etc/kubernetes/k3s
k3s_data_dir: /var/lib/kubernetes/k3s
```

## kube-vip

```yaml
kube_vip_address: "192.168.1.100"   # REQUIRED: a free IP
kube_vip_interface: ""              # empty = auto-detected via ansible_default_ipv4.interface
kube_vip_mode: "arp"                # arp (L2) | bgp (L3)
kube_vip_services_enable: true      # LoadBalancer services
```

## NFS / CSI

```yaml
nfs_exports:
  - path: /storage/nfs
    options: "*(rw,sync,no_subtree_check,no_root_squash)"
nfs_allowed_network: "192.168.1.0/24"

csi_nfs_server: "{{ hostvars[groups['nfs_server'][0]]['ansible_host'] }}"
csi_nfs_share: "/storage/nfs"
csi_nfs_reclaim_policy: "Delete"   # Delete | Retain
```

## ingress-nginx

```yaml
ingress_nginx_service_type: "LoadBalancer"
ingress_nginx_load_balancer_ip: ""   # assigned automatically by kube-vip
ingress_nginx_class_name: "nginx"
ingress_nginx_set_default_class: true

# Custom error page:
ingress_nginx_custom_errors_enabled: true
ingress_nginx_error_cluster_name: "K3S Cluster"
```

## Bootstrap: initial node setup

```yaml
k3s_admin_user: devops   # this user is created on every node
ansible_user: "{{ k3s_admin_user }}"
ansible_ssh_private_key_file: "~/.ssh/id_rsa"
k3s_admin_ssh_public_key_files:
  - /root/.ssh/id_ed25519.pub
```

## Service users

```yaml
cluster_service_users:
  - name: devops
    sudo: true
    shell: /bin/bash
    key_type: rsa
    key_bits: 4096
```

For each user an RSA 4096 key pair, an `authorized_keys` entry and passwordless sudo (NOPASSWD) are created. Keys are written to `./keys/_id_rsa`.

## Chrony: time synchronization

```yaml
chrony_timezone: "Europe/Moscow"
chrony_ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
```

## K3S certificate rotation

```yaml
k3s_cert_auto_rotate: true
k3s_cert_validity_years: 5
k3s_cert_rotate_before_days: 90
k3s_cert_check_schedule: "monthly"
```

## Per-node settings (host_vars/)

**master01:**

```yaml
k3s_node_labels:
  - "node-role=master"
  - "disk-type=ssd"
```

**rpi01:**

```yaml
k3s_node_taints:
  - "node-type=raspberry-pi:NoSchedule"
k3s_extra_server_args: |
  kubelet-arg:
    - "kube-reserved=cpu=50m,memory=128Mi"
```

To remove the taint from the RPi:

```yaml
k3s_node_taints: []
```

## cert-manager

```yaml
addon_cert_manager: true
cert_manager_issuer: "letsencrypt"   # none | selfsigned | letsencrypt
cert_manager_acme_email: "admin@example.com"
cert_manager_default_issuer_name: "letsencrypt-prod"
```

Annotation on an Ingress:

```yaml
annotations:
  cert-manager.io/cluster-issuer: "letsencrypt-prod"
```

## Ansible Vault

```bash
make vault-create    # create
make vault-edit      # edit
make vault-view      # view
make vault-encrypt-string STR="токен" NAME="vault_my_var"
```

Required secrets:

```yaml
vault_k3s_token: "xxx"
vault_grafana_user: "admin"
vault_grafana_password: "пароль"
```

## CNI: Calico

```yaml
k3s_cni: "calico"
calico_version: "v3.28.0"
calico_encapsulation: "VXLAN"   # VXLAN | IPIP | None
```

## CNI: Cilium

```yaml
k3s_cni: "cilium"
cilium_version: "1.15.5"
cilium_hubble_enabled: true
cilium_hubble_ui_enabled: false
```

## Example manifests

### Application with Ingress + TLS + NFS

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  accessModes: [ReadWriteMany]
  storageClassName: nfs-master01
  resources:
    requests:
      storage: 5Gi
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [myapp.example.com]
      secretName: myapp-tls
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
```

### Application only on x86 nodes

```yaml
spec:
  template:
    spec:
      nodeSelector:
        node-type: x86_64
```

### ServiceMonitor for Prometheus

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: my-app
  labels:
    release: prom
spec:
  selector:
    matchLabels:
      app: my-app
  endpoints:
    - port: metrics
      interval: 30s
```
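## Preflight check of the variables

The K3S, kube-vip, NFS, certificate-rotation and Vault sections above are easy to get subtly wrong. The following is an added preflight check, example code that is not part of this role: it takes the parsed `main.yml` dict (load it with `yaml.safe_load`) plus the raw and decrypted `vault.yml` (the raw file and the output of `make vault-view`) and reports overlapping CIDRs, a missing or misplaced kube-vip address, NFS exports that use `*` or `no_root_squash`, a rotation window longer than the certificate lifetime, an unencrypted vault file and placeholder secrets. The placeholder word list is an assumption; the key names are the ones documented above.

```python
import ipaddress

# Assumed placeholder values that must not survive into a real vault.yml
PLACEHOLDERS = {"", "xxx", "password", "changeme"}
REQUIRED_SECRETS = ("vault_k3s_token", "vault_grafana_user", "vault_grafana_password")


def check_main_vars(cfg):
    """Return a list of findings for the main.yml keys documented above (cfg is the parsed dict)."""
    findings = []
    pod_net = ipaddress.ip_network(cfg["k3s_cluster_cidr"])
    svc_net = ipaddress.ip_network(cfg["k3s_service_cidr"])
    if pod_net.overlaps(svc_net):
        findings.append("k3s_cluster_cidr overlaps k3s_service_cidr")
    # kube_vip_address is mandatory and must be a LAN address, not a pod/service IP
    try:
        vip = ipaddress.ip_address(cfg.get("kube_vip_address", ""))
        if vip in pod_net or vip in svc_net:
            findings.append("kube_vip_address lies inside the pod or service CIDR")
    except ValueError:
        findings.append("kube_vip_address is required and must be a valid free IP")
    # NFS export: the client spec before '(' should be the allowed network, not '*',
    # and no_root_squash lets root on any client act as root on the export
    allowed = cfg["nfs_allowed_network"]
    for export in cfg.get("nfs_exports", []):
        clients, _, opts = export["options"].partition("(")
        opts = opts.rstrip(")").split(",")
        if clients.strip() == "*":
            findings.append(f"{export['path']}: exported to '*' instead of {allowed}")
        if "no_root_squash" in opts:
            findings.append(f"{export['path']}: no_root_squash grants client root full access")
    # Rotation has to happen before the certificates actually expire
    if cfg.get("k3s_cert_auto_rotate"):
        validity_days = int(cfg["k3s_cert_validity_years"]) * 365
        if int(cfg["k3s_cert_rotate_before_days"]) >= validity_days:
            findings.append("k3s_cert_rotate_before_days is not shorter than cert validity")
    return findings


def check_vault(vault_text, secrets):
    """vault_text is the raw vault.yml, secrets the decrypted dict (ansible-vault view)."""
    findings = []
    # ansible-vault encrypted files always start with this header line
    if not vault_text.startswith("$ANSIBLE_VAULT;"):
        findings.append("vault.yml is not encrypted (no $ANSIBLE_VAULT header)")
    for key in REQUIRED_SECRETS:
        if str(secrets.get(key, "")).strip().lower() in PLACEHOLDERS:
            findings.append(f"{key} is missing or still a placeholder")
    return findings
```

Run against the values shown above it reports both the `*` client spec and `no_root_squash` on `/storage/nfs`; restricting the export to `192.168.1.0/24(rw,sync,no_subtree_check,root_squash)` clears both findings.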