K3S/docs/configuration.md
Sergey Antropoff 38aaadbfb1 docs: sync addon docs with explicit external/internal service modes
Documentation updated for the new addons (gitlab, redis, mongodb, kafka, kafka-ui, rabbitmq) and the new model of explicit dependency selection. Descriptions of the *_database_mode and *_redis_mode switches were added and unified; the addon dependency table, configuration examples and the list of vault secrets were updated.
2026-04-29 23:21:04 +03:00



# Cluster configuration
All parameters live in `group_vars/all/main.yml` and `group_vars/all/addons.yml`. Secrets go in `group_vars/all/vault.yml`.
## K3S
```yaml
k3s_version: "v1.29.3+k3s1"
k3s_cluster_cidr: "10.42.0.0/16"
k3s_service_cidr: "10.43.0.0/16"
k3s_flannel_backend: "vxlan" # vxlan | wireguard-native | host-gw (Flannel only)
k3s_cni: "flannel" # flannel | calico | cilium
# Paths (changed from /var/lib/rancher):
k3s_config_dir: /etc/kubernetes/k3s
k3s_data_dir: /var/lib/kubernetes/k3s
```
## kube-vip
```yaml
kube_vip_address: "192.168.1.100" # REQUIRED: a free IP address
kube_vip_interface: "" # empty = auto-detected from ansible_default_ipv4.interface
kube_vip_mode: "arp" # arp (L2) | bgp (L3)
kube_vip_services_enable: true # LoadBalancer services
```
## NFS / CSI
```yaml
nfs_exports:
  - path: /storage/nfs
    options: "*(rw,sync,no_subtree_check,no_root_squash)"
nfs_allowed_network: "192.168.1.0/24"
csi_nfs_server: "{{ hostvars[groups['nfs_server'][0]]['ansible_host'] }}"
csi_nfs_share: "/storage/nfs"
csi_nfs_reclaim_policy: "Delete" # Delete | Retain
```
## ingress-nginx
```yaml
ingress_nginx_service_type: "LoadBalancer"
ingress_nginx_load_balancer_ip: "" # auto-assigned by kube-vip
ingress_nginx_class_name: "nginx"
ingress_nginx_set_default_class: true
# Custom error page:
ingress_nginx_custom_errors_enabled: true
ingress_nginx_error_cluster_name: "K3S Cluster"
```
## Bootstrap: initial node setup
```yaml
k3s_admin_user: devops # this user is created on every node
ansible_user: "{{ k3s_admin_user }}"
ansible_ssh_private_key_file: "~/.ssh/id_rsa"
k3s_admin_ssh_public_key_files:
  - /root/.ssh/id_ed25519.pub
```
## Service users
```yaml
cluster_service_users:
  - name: devops
    sudo: true
    shell: /bin/bash
    key_type: rsa
    key_bits: 4096
```
For each user an RSA 4096 key pair, an `authorized_keys` entry and a sudo NOPASSWD rule are created. The keys are written to `./keys/<user>_id_rsa`.
## Chrony: time synchronization
```yaml
chrony_timezone: "Europe/Moscow"
chrony_ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
```
## K3S certificate rotation
```yaml
k3s_cert_auto_rotate: true
k3s_cert_validity_years: 5
k3s_cert_rotate_before_days: 90
k3s_cert_check_schedule: "monthly"
```
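The check that a `k3s_cert_check_schedule` run has to perform, as an added shell example (not the playbook's own code): a certificate is reported as due for rotation when fewer than `k3s_cert_rotate_before_days` days remain before its notAfter. The TLS directory `/var/lib/kubernetes/k3s/server/tls` is an assumption built from `k3s_data_dir` above and K3S's standard `server/tls` layout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the repository's own code: the check behind
# k3s_cert_rotate_before_days. A certificate is due for rotation when fewer
# than ROTATE_BEFORE_DAYS days remain before its notAfter.

ROTATE_BEFORE_DAYS="${K3S_CERT_ROTATE_BEFORE_DAYS:-90}"   # mirrors k3s_cert_rotate_before_days
# Assumption: k3s_data_dir from this document plus K3S's standard server/tls layout.
TLS_DIR="${K3S_TLS_DIR:-/var/lib/kubernetes/k3s/server/tls}"

# days_remaining NOT_AFTER_EPOCH NOW_EPOCH -> whole days left (negative once expired)
days_remaining() {
    printf '%s\n' $(( ($1 - $2) / 86400 ))
}

# rotation_needed NOT_AFTER_EPOCH NOW_EPOCH THRESHOLD_DAYS -> 0 when rotation is due
rotation_needed() {
    [ "$(days_remaining "$1" "$2")" -lt "$3" ]
}

# check_cert CERT_FILE [THRESHOLD_DAYS]
#   returns 0 = rotation due, 1 = still fine, 2 = unreadable certificate.
#   openssl compares notAfter itself (-checkend), so no date parsing is needed.
check_cert() {
    cert="$1"
    threshold="${2:-$ROTATE_BEFORE_DAYS}"
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo "ERROR: cannot read $cert" >&2
        return 2
    fi
    if openssl x509 -noout -checkend $(( threshold * 86400 )) -in "$cert" >/dev/null 2>&1; then
        echo "ok:     $cert (more than $threshold days left)"
        return 1
    fi
    echo "ROTATE: $cert expires within $threshold days ($(openssl x509 -noout -enddate -in "$cert"))"
    return 0
}

# scan_dir DIR -> 0 when every certificate in DIR is fine, 1 when one is due or unreadable
scan_dir() {
    attention=0
    for f in "$1"/*.crt; do
        [ -f "$f" ] || continue
        rc=0
        check_cert "$f" "$ROTATE_BEFORE_DAYS" || rc=$?
        case $rc in 0|2) attention=1 ;; esac
    done
    return $attention
}

# Cron/systemd entry point: a non-zero status tells the scheduler to act.
if [ -d "$TLS_DIR" ]; then
    scan_dir "$TLS_DIR" || echo "certificate rotation is due under $TLS_DIR" >&2
fi
```

Run it from the cron or systemd timer that `k3s_cert_check_schedule` configures; an unreadable certificate is treated as needing attention rather than silently skipped, so a broken file never passes the monthly check.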
## Per-node settings (host_vars/)
**master01:**
```yaml
k3s_node_labels:
  - "node-role=master"
  - "disk-type=ssd"
```
**rpi01:**
```yaml
k3s_node_taints:
  - "node-type=raspberry-pi:NoSchedule"
k3s_extra_server_args: |
  kubelet-arg:
    - "kube-reserved=cpu=50m,memory=128Mi"
```
To remove the taint from the RPi:
```yaml
k3s_node_taints: []
```
## cert-manager
```yaml
addon_cert_manager: true
cert_manager_issuer: "letsencrypt" # none | selfsigned | letsencrypt
cert_manager_acme_email: "admin@example.com"
cert_manager_default_issuer_name: "letsencrypt-prod"
```
Annotation on the Ingress:
```yaml
annotations:
  cert-manager.io/cluster-issuer: "letsencrypt-prod"
```
## Built-in vs. external database and Redis modes
```yaml
# Applications with PostgreSQL
gitea_database_mode: "auto" # auto | internal | external_postgresql
gitlab_database_mode: "auto" # auto | internal | external_postgresql
harbor_database_mode: "auto" # auto | internal | external_postgresql
nextcloud_database_mode: "external_postgresql" # auto | sqlite | external_postgresql
# Applications with Redis
authelia_redis_mode: "auto" # auto | internal | external_redis | disabled
argocd_redis_mode: "auto" # auto | internal | external_redis
```
## Ansible Vault
```bash
make vault-create # create
make vault-edit # edit
make vault-view # view
make vault-encrypt-string STR="токен" NAME="vault_my_var"
```
Required secrets:
```yaml
vault_k3s_token: "xxx"
vault_grafana_user: "admin"
vault_grafana_password: "пароль"
```
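A pre-commit guard for the secrets file, as an added shell example (not part of the repository's Makefile or playbooks): it refuses a commit when a staged `vault.yml` does not start with the header that `ansible-vault` writes to every file it encrypts, so a plaintext `vault_k3s_token` never reaches the repository. The sample files it writes are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the repository's own code: a git pre-commit hook that
# blocks commits of unencrypted vault files. ansible-vault writes the line
# "$ANSIBLE_VAULT;1.1;AES256" (or ";1.2;AES256;<vault-id>") first in every
# file it encrypts; plaintext YAML never starts that way.

# vault_is_encrypted FILE -> 0 when FILE begins with the ansible-vault header
vault_is_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# check_vault_files FILE... -> 0 when every file is encrypted, 1 otherwise
check_vault_files() {
    rc=0
    for f in "$@"; do
        if vault_is_encrypted "$f"; then
            echo "ok:        $f"
        else
            echo "PLAINTEXT: $f (encrypt it with: ansible-vault encrypt $f)" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample_files DIR -> writes two constructed samples (the hex body is not
# real ciphertext): DIR/vault.yml with the header an encrypted file carries,
# DIR/vault-plain.yml without it.
make_sample_files() {
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '3739326132353832' '6234623363333235' > "$1/vault.yml"
    printf '%s\n' 'vault_k3s_token: "xxx"' \
        'vault_grafana_password: "changeme"' > "$1/vault-plain.yml"
}

# Hook entry point (install as .git/hooks/pre-commit): inspect every staged vault file.
# A non-zero exit makes git abort the commit.
case "$0" in
    */pre-commit)
        staged=$(git diff --cached --name-only --diff-filter=AM | grep -E '(^|/)vault\.ya?ml$' || true)
        [ -z "$staged" ] || check_vault_files $staged
        ;;
esac
```

Install it as an executable `.git/hooks/pre-commit`; `make vault-edit` writes the file back encrypted, so normal edits pass the check unchanged, while a `vault.yml` that was decrypted for debugging and accidentally staged is rejected before it reaches history.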
## CNI: Calico
```yaml
k3s_cni: "calico"
calico_version: "v3.28.0"
calico_encapsulation: "VXLAN" # VXLAN | IPIP | None
```
## CNI: Cilium
```yaml
k3s_cni: "cilium"
cilium_version: "1.15.5"
cilium_hubble_enabled: true
cilium_hubble_ui_enabled: false
```
## Manifest examples
### Application with Ingress + TLS + NFS
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  accessModes: [ReadWriteMany]
  storageClassName: nfs-master01
  resources:
    requests:
      storage: 5Gi
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [myapp.example.com]
      secretName: myapp-tls
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
```
### Application on x86 nodes only
```yaml
spec:
  template:
    spec:
      nodeSelector:
        node-type: x86_64
```
### ServiceMonitor for Prometheus
```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: my-app
  labels:
    release: prom
spec:
  selector:
    matchLabels:
      app: my-app
  endpoints:
    - port: metrics
      interval: 30s
```