K3S/docs/configuration.md
Sergey Antropoff eccc1c2a01 docs: full project documentation (docs/ and README.md for each add-on)
- README.md: rewritten as a compact overview (98 lines) with navigation to docs/
- docs/: 13 files: getting-started, architecture, configuration, addons,
  storage, security, cicd, observability, networking, operations,
  make-reference, molecule-testing, troubleshooting
- addons/*/README.md: 31 new files: description, parameters and code examples
  for each of the 34 add-ons (vault and external-secrets already existed)
2026-04-26 00:22:06 +03:00

# Cluster configuration
All parameters live in `group_vars/all/main.yml` and `group_vars/all/addons.yml`. Secrets live in `group_vars/all/vault.yml`.
## K3S
```yaml
k3s_version: "v1.29.3+k3s1"
k3s_cluster_cidr: "10.42.0.0/16"
k3s_service_cidr: "10.43.0.0/16"
k3s_flannel_backend: "vxlan" # vxlan | wireguard-native | host-gw (Flannel only)
k3s_cni: "flannel" # flannel | calico | cilium
# Paths (changed from /var/lib/rancher):
k3s_config_dir: /etc/kubernetes/k3s
k3s_data_dir: /var/lib/kubernetes/k3s
```
## kube-vip
```yaml
kube_vip_address: "192.168.1.100" # REQUIRED: a free IP address
kube_vip_interface: "" # empty = auto-detected via ansible_default_ipv4.interface
kube_vip_mode: "arp" # arp (L2) | bgp (L3)
kube_vip_services_enable: true # LoadBalancer services
```
## NFS / CSI
```yaml
nfs_exports:
  - path: /storage/nfs
    options: "*(rw,sync,no_subtree_check,no_root_squash)"
nfs_allowed_network: "192.168.1.0/24"
csi_nfs_server: "{{ hostvars[groups['nfs_server'][0]]['ansible_host'] }}"
csi_nfs_share: "/storage/nfs"
csi_nfs_reclaim_policy: "Delete" # Delete | Retain
```
## ingress-nginx
```yaml
ingress_nginx_service_type: "LoadBalancer"
ingress_nginx_load_balancer_ip: "" # auto-assigned by kube-vip
ingress_nginx_class_name: "nginx"
ingress_nginx_set_default_class: true
# Custom error page:
ingress_nginx_custom_errors_enabled: true
ingress_nginx_error_cluster_name: "K3S Cluster"
```
## Bootstrap: initial node setup
```yaml
k3s_admin_user: devops # this user is created on every node
ansible_user: "{{ k3s_admin_user }}"
ansible_ssh_private_key_file: "~/.ssh/id_rsa"
k3s_admin_ssh_public_key_files:
  - /root/.ssh/id_ed25519.pub
```
## Service users
```yaml
cluster_service_users:
  - name: devops
    sudo: true
    shell: /bin/bash
    key_type: rsa
    key_bits: 4096
```
For each user an RSA 4096 key pair, an `authorized_keys` entry and a sudo NOPASSWD rule are created. Keys are written to `./keys/<user>_id_rsa`.
## Chrony: time synchronization
```yaml
chrony_timezone: "Europe/Moscow"
chrony_ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
```
## K3S certificate rotation
```yaml
k3s_cert_auto_rotate: true
k3s_cert_validity_years: 5
k3s_cert_rotate_before_days: 90
k3s_cert_check_schedule: "monthly"
```
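The four `k3s_cert_*` variables describe a policy: check on a schedule, and rotate any certificate with fewer than `k3s_cert_rotate_before_days` days left. The script below is an added example, not the project's role code; it reproduces that decision so the thresholds can be sanity-checked against real expiry dates. It assumes the expiry date is available in the form printed by `openssl x509 -noout -enddate` (`notAfter=Jun  2 15:04:05 2026 GMT`); the function names, the fixed "current time" and the sample certificate names and dates are constructed for the example.

```python
"""Certificate rotation check mirroring the k3s_cert_* variables above.

Added example, not the project's own code. Expiry lines are assumed to be
in `openssl x509 -noout -enddate` format; NOW and SAMPLE_ENDDATES are
constructed so the output is reproducible.
"""
from datetime import datetime, timezone

K3S_CERT_ROTATE_BEFORE_DAYS = 90   # from configuration.md
K3S_CERT_VALIDITY_YEARS = 5        # from configuration.md (informational here)

# Constructed "current time" so results do not drift with the real clock.
NOW = datetime(2026, 4, 26, tzinfo=timezone.utc)

# Constructed sample: one fresh certificate, one inside the 90-day window,
# one already expired. Names are illustrative, not K3S's real file names.
SAMPLE_ENDDATES = {
    "server-ca": "notAfter=Apr 26 00:00:00 2031 GMT",
    "client-kubelet": "notAfter=Jun  2 15:04:05 2026 GMT",
    "etcd-peer": "notAfter=Jan  1 00:00:00 2026 GMT",
}


def parse_openssl_enddate(line: str) -> datetime:
    """Parse an `openssl x509 -enddate` line into an aware UTC datetime."""
    prefix = "notAfter="
    if not line.startswith(prefix):
        raise ValueError(f"unexpected openssl output: {line!r}")
    stamp = line[len(prefix):].strip()
    # openssl pads single-digit days with a space ("Jun  2"); strptime treats
    # a run of whitespace in the format as one, so this still parses.
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: datetime = NOW) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def rotation_due(not_after: datetime, now: datetime = NOW,
                 rotate_before_days: int = K3S_CERT_ROTATE_BEFORE_DAYS) -> bool:
    """True when fewer than `rotate_before_days` remain (or it already expired)."""
    return days_remaining(not_after, now) < rotate_before_days


def certificates_to_rotate(enddates: dict, now: datetime = NOW) -> list:
    """Given {cert_name: openssl enddate line}, return names due for rotation.
    This is the decision a k3s_cert_check_schedule run would make."""
    return [name for name, line in enddates.items()
            if rotation_due(parse_openssl_enddate(line), now)]


if __name__ == "__main__":
    for name, line in SAMPLE_ENDDATES.items():
        left = days_remaining(parse_openssl_enddate(line))
        print(f"{name:15} {left:6d} days left  rotate={rotation_due(parse_openssl_enddate(line))}")
    print("due:", certificates_to_rotate(SAMPLE_ENDDATES))
```

With a 5-year validity and a 90-day window, a monthly check always sees a certificate at least twice before the window closes, which is why the schedule and the lead time belong together.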
## Per-node settings (host_vars/)
**master01:**
```yaml
k3s_node_labels:
  - "node-role=master"
  - "disk-type=ssd"
```
**rpi01:**
```yaml
k3s_node_taints:
  - "node-type=raspberry-pi:NoSchedule"
k3s_extra_server_args: |
  kubelet-arg:
    - "kube-reserved=cpu=50m,memory=128Mi"
```
Remove the taint from the RPi:
```yaml
k3s_node_taints: []
```
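A mistyped taint effect or label key is only noticed once a workload lands on the wrong node, so it is worth validating host_vars values before they reach K3S. The script below is an added example, not the project's role code. It assumes the role passes `k3s_node_labels` to k3s as `--node-label key=value` and `k3s_node_taints` as `--node-taint key=value:Effect` (both are k3s agent flags); the `key=value:Effect` string form is the one used on this page. The function names are our own.

```python
"""Validate host_vars node labels/taints and render the k3s flags they become.

Added example, not the project's role code. Mapping to --node-label /
--node-taint is an assumption about the role; the syntax rules follow the
Kubernetes label/taint format.
"""
import re

VALID_EFFECTS = {"NoSchedule", "PreferNoSchedule", "NoExecute"}

# Kubernetes label/taint syntax: optional DNS-style "prefix/", then a name that
# starts and ends alphanumeric, may contain - _ . inside, max 63 chars.
# A value may be empty.
_NAME = r"[A-Za-z0-9](?:[-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?"
_KEY_RE = re.compile(rf"^(?:[a-z0-9](?:[-a-z0-9.]*[a-z0-9])?/)?{_NAME}$")
_VALUE_RE = re.compile(rf"^(?:{_NAME})?$")


def parse_label(label: str) -> tuple:
    """'key=value' -> (key, value); raises ValueError on malformed input."""
    key, sep, value = label.partition("=")
    if not sep or not _KEY_RE.match(key) or not _VALUE_RE.match(value):
        raise ValueError(f"bad node label {label!r}")
    return key, value


def parse_taint(taint: str) -> tuple:
    """'key=value:Effect' or 'key:Effect' -> (key, value, effect)."""
    body, sep, effect = taint.rpartition(":")
    if not sep or effect not in VALID_EFFECTS:
        raise ValueError(
            f"bad taint effect in {taint!r}; expected one of {sorted(VALID_EFFECTS)}")
    key, _, value = body.partition("=")
    if not _KEY_RE.match(key) or not _VALUE_RE.match(value):
        raise ValueError(f"bad taint key/value in {taint!r}")
    return key, value, effect


def k3s_node_args(labels, taints) -> list:
    """Render validated labels and taints as k3s command-line arguments.
    An empty taint list (k3s_node_taints: []) yields no --node-taint flags."""
    args = []
    for label in labels or []:
        key, value = parse_label(label)
        args += ["--node-label", f"{key}={value}"]
    for taint in taints or []:
        key, value, effect = parse_taint(taint)
        args += ["--node-taint", f"{key}={value}:{effect}" if value else f"{key}:{effect}"]
    return args


if __name__ == "__main__":
    # The two host_vars examples above: master01 carries labels, rpi01 a taint.
    print(k3s_node_args(["node-role=master", "disk-type=ssd"], []))
    print(k3s_node_args([], ["node-type=raspberry-pi:NoSchedule"]))
    print(k3s_node_args([], []))
```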
## cert-manager
```yaml
addon_cert_manager: true
cert_manager_issuer: "letsencrypt" # none | selfsigned | letsencrypt
cert_manager_acme_email: "admin@example.com"
cert_manager_default_issuer_name: "letsencrypt-prod"
```
Annotation on the Ingress:
```yaml
annotations:
  cert-manager.io/cluster-issuer: "letsencrypt-prod"
```
## Ansible Vault
```bash
make vault-create # create
make vault-edit # edit
make vault-view # view
make vault-encrypt-string STR="token" NAME="vault_my_var"
```
Required secrets:
```yaml
vault_k3s_token: "xxx"
vault_grafana_user: "admin"
vault_grafana_password: "password"
```
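The layout above (secrets only in `vault.yml`, everything else in `main.yml` and `addons.yml`) is easy to break with one careless paste. The script below is an added example, not part of the project's Makefile or roles. It checks that `vault.yml` carries the `$ANSIBLE_VAULT;` envelope header that `ansible-vault` writes, that no other `group_vars/all/*.yml` file defines a `vault_*` variable in plaintext, and, on decrypted text such as the output of `make vault-view`, that the three required secret names from this page are all present. The sample directory, its file contents and the hex body of the "encrypted" file are constructed for the example.

```python
"""Pre-commit style audit of group_vars/all for Ansible Vault hygiene.

Added example, not project code. The sample directory built by
build_sample_dir() is constructed; its addons.yml contains one deliberate
plaintext secret so the audit has something to report.
"""
import re
import tempfile
from pathlib import Path

VAULT_HEADER = b"$ANSIBLE_VAULT;"
REQUIRED_SECRETS = ("vault_k3s_token", "vault_grafana_user", "vault_grafana_password")

# A YAML key named vault_* defined at the start of a line (any indentation).
# A Jinja reference like "{{ vault_k3s_token }}" does not match, by design.
_SECRET_DEF_RE = re.compile(r"^\s*(vault_\w+)\s*:", re.MULTILINE)


def is_vault_encrypted(path: Path) -> bool:
    """True if the file starts with the ansible-vault envelope header."""
    with path.open("rb") as fh:
        return fh.read(len(VAULT_HEADER)) == VAULT_HEADER


def plaintext_secret_defs(path: Path) -> list:
    """Names of vault_* variables defined (not merely referenced) in a plaintext file."""
    if is_vault_encrypted(path):
        return []
    return _SECRET_DEF_RE.findall(path.read_text(encoding="utf-8"))


def missing_required_secrets(decrypted_vault_text: str) -> list:
    """Required secret names absent from decrypted vault.yml content."""
    defined = set(_SECRET_DEF_RE.findall(decrypted_vault_text))
    return [name for name in REQUIRED_SECRETS if name not in defined]


def audit_group_vars(group_vars_dir: Path) -> list:
    """Return human-readable findings; an empty list means the directory is clean."""
    findings = []
    vault = group_vars_dir / "vault.yml"
    if not vault.is_file():
        findings.append("vault.yml is missing")
    elif not is_vault_encrypted(vault):
        findings.append("vault.yml is not encrypted")
    for path in sorted(group_vars_dir.glob("*.yml")):
        if path.name == "vault.yml":
            continue
        for name in plaintext_secret_defs(path):
            findings.append(f"{path.name}: plaintext secret {name}")
    return findings


def build_sample_dir() -> Path:
    """Constructed group_vars/all with one deliberate mistake in addons.yml."""
    root = Path(tempfile.mkdtemp()) / "group_vars" / "all"
    root.mkdir(parents=True)
    # Envelope header as ansible-vault writes it; the hex body is made up.
    (root / "vault.yml").write_bytes(b"$ANSIBLE_VAULT;1.1;AES256\n3131323233333434\n")
    # A reference to a vault variable is fine; only definitions are flagged.
    (root / "main.yml").write_text('k3s_token: "{{ vault_k3s_token }}"\n', encoding="utf-8")
    # The mistake: a secret defined in plaintext outside vault.yml.
    (root / "addons.yml").write_text(
        'addon_grafana: true\nvault_grafana_password: "hunter2"\n', encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in audit_group_vars(build_sample_dir()):
        print(finding)
    print("missing:", missing_required_secrets('vault_k3s_token: "x"\n'))
```

Run `audit_group_vars(Path("group_vars/all"))` from a pre-commit hook to fail the commit on any finding; the header check is cheap enough to run on every commit.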
## CNI: Calico
```yaml
k3s_cni: "calico"
calico_version: "v3.28.0"
calico_encapsulation: "VXLAN" # VXLAN | IPIP | None
```
## CNI: Cilium
```yaml
k3s_cni: "cilium"
cilium_version: "1.15.5"
cilium_hubble_enabled: true
cilium_hubble_ui_enabled: false
```
## Example manifests
### Application with Ingress + TLS + NFS
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  accessModes: [ReadWriteMany]
  storageClassName: nfs-master01
  resources:
    requests:
      storage: 5Gi
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [myapp.example.com]
      secretName: myapp-tls
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
```
### Application on x86 nodes only
```yaml
spec:
  template:
    spec:
      nodeSelector:
        node-type: x86_64
```
### ServiceMonitor for Prometheus
```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: my-app
  labels:
    release: prom
spec:
  selector:
    matchLabels:
      app: my-app
  endpoints:
    - port: metrics
      interval: 30s
```