-
Notifications
You must be signed in to change notification settings - Fork 67
/
main.yml
218 lines (202 loc) · 6.66 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
# Copyright © 2020-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
---
V4_CFG_TLS_MODE: full-stack # other valid values are front-door, ingress-only, and disabled
V4_CFG_RWX_FILESTORE_PATH: /export
V4_CFG_INGRESS_TYPE: ingress
V4_CFG_INGRESS_MODE: public
V4_CFG_MANAGE_STORAGE: true
V4_CFG_AWS_LB_SUBNETS: ""
## Cert-manager
CERT_MANAGER_NAME: cert-manager
CERT_MANAGER_NAMESPACE: cert-manager
CERT_MANAGER_CHART_NAME: cert-manager
CERT_MANAGER_CHART_URL: https://charts.jetstack.io/
CERT_MANAGER_CHART_VERSION: 1.14.4
CERT_MANAGER_CONFIG:
installCRDs: "true"
extraArgs:
- --enable-certificate-owner-ref=true
## Metrics-server
METRICS_SERVER_ENABLED: true
METRICS_SERVER_NAME: metrics-server
METRICS_SERVER_CHART_NAME: metrics-server
METRICS_SERVER_CHART_URL: https://charts.bitnami.com/bitnami/
METRICS_SERVER_CHART_VERSION: 6.6.5
METRICS_SERVER_CONFIG:
apiService:
create: true
## Ingress-nginx - Defaults
ingressVersions:
k8sMinorVersion:
value: 26
api:
chartVersion: 4.11.1
## Ingress-nginx - Ingress
##
## NOTE: Links on adding extra configuration options and on hardening ingress-nginx
##
## ConfigMaps - https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md
## Hardening Guide - https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/hardening-guide.md
##
INGRESS_NGINX_NAME: ingress-nginx
INGRESS_NGINX_NAMESPACE: ingress-nginx
INGRESS_NGINX_CHART_NAME: ingress-nginx
INGRESS_NGINX_CHART_URL: https://kubernetes.github.io/ingress-nginx
INGRESS_NGINX_CHART_VERSION: ""
INGRESS_NGINX_CONFIG:
controller:
service:
externalTrafficPolicy: Local
sessionAffinity: None
loadBalancerSourceRanges: "{{ LOADBALANCER_SOURCE_RANGES | default(['0.0.0.0/0'], -1) }}"
annotations:
config:
use-forwarded-headers: "false"
hsts-max-age: "63072000"
hide-headers: Server,X-Powered-By
tcp: {}
udp: {}
lifecycle:
preStop:
exec:
command: [/bin/sh, -c, sleep 5; /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf -s quit; while pgrep -x nginx; do sleep 1; done]
terminationGracePeriodSeconds: 600
# Add annotation to include Azure load-balancer health probe request path
INGRESS_NGINX_AZURE_LB_HEALTH_PROBE_CONFIG:
controller:
service:
annotations:
service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
# Update default load-balancer for AWS to be NLB
INGRESS_NGINX_AWS_NLB_CONFIG:
controller:
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
# Update LB for AWS, specify subnets to allocate internal IPs from
INGRESS_NGINX_AWS_LB_SUBNETS:
controller:
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-subnets: "{{ V4_CFG_AWS_LB_SUBNETS }}"
# Ingress-nginx - CVE-2021-25742 Mitigation
INGRESS_NGINX_CVE_2021_25742_PATCH:
controller:
config:
allow-snippet-annotations: "true"
large-client-header-buffers: 4 32k
annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\
## Nfs-subdir-external-provisioner
NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
NFS_CLIENT_NAMESPACE: nfs-client
NFS_CLIENT_CHART_NAME: nfs-subdir-external-provisioner
NFS_CLIENT_CHART_URL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
NFS_CLIENT_CHART_VERSION: 4.0.18
NFS_CLIENT_CONFIG:
nfs:
server: "{{ V4_CFG_RWX_FILESTORE_ENDPOINT }}"
path: "{{ V4_CFG_RWX_FILESTORE_PATH | replace('/$', '') }}/pvs"
mountOptions:
- noatime
- nodiratime
- rsize=262144
- wsize=262144
storageClass:
archiveOnDelete: "false"
name: sas
# EFS best practice NFS mount options for the aws provider
NFS_EFS_CLIENT_CONFIG:
nfs:
mountOptions:
- noresvport
- rsize=1048576
- wsize=1048576
- soft
- timeo=600
- retrans=2
- _netdev
## pg-storage storage class config
PG_NFS_CLIENT_NAME: nfs-subdir-external-provisioner-pg-storage
PG_NFS_CLIENT_NAMESPACE: nfs-client
PG_NFS_CLIENT_CHART_NAME: nfs-subdir-external-provisioner
PG_NFS_CLIENT_CHART_URL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
PG_NFS_CLIENT_CHART_VERSION: 4.0.18
PG_NFS_CLIENT_CONFIG:
nfs:
server: "{{ V4_CFG_RWX_FILESTORE_ENDPOINT }}"
path: "{{ V4_CFG_RWX_FILESTORE_PATH | replace('/$', '') }}/pvs"
mountOptions:
- noatime
- nodiratime
- rsize=262144
- wsize=262144
storageClass:
archiveOnDelete: "false"
reclaimPolicy: Retain
name: pg-storage
## Contour - Ingress
CONTOUR_NAME: contour
CONTOUR_NAMESPACE: contour
CONTOUR_CHART_NAME: contour
CONTOUR_CHART_URL: https://charts.bitnami.com/bitnami
CONTOUR_CHART_VERSION: 4.3.8
CONTOUR_CONFIG:
envoy:
service:
loadBalancerSourceRanges: "{{ LOADBALANCER_SOURCE_RANGES | default(['0.0.0.0/0'], -1) }}"
## Cluster Autoscaler
CLUSTER_AUTOSCALER_ENABLED: true
CLUSTER_AUTOSCALER_NAME: cluster-autoscaler
CLUSTER_AUTOSCALER_NAMESPACE: kube-system
CLUSTER_AUTOSCALER_CHART_NAME: cluster-autoscaler
CLUSTER_AUTOSCALER_CHART_URL: https://kubernetes.github.io/autoscaler
CLUSTER_AUTOSCALER_CHART_VERSION: 9.36.0
CLUSTER_AUTOSCALER_ACCOUNT: null
CLUSTER_AUTOSCALER_LOCATION: us-east-1
CLUSTER_AUTOSCALER_CONFIG:
awsRegion: "{{ CLUSTER_AUTOSCALER_LOCATION }}"
autoDiscovery:
clusterName: "{{ CLUSTER_NAME }}"
rbac:
serviceAccount:
name: cluster-autoscaler
annotations:
eks.amazonaws.com/role-arn: "{{ CLUSTER_AUTOSCALER_ACCOUNT }}"
## EBS CSI Driver
EBS_CSI_DRIVER_ENABLED: true
EBS_CSI_DRIVER_NAME: aws-ebs-csi-driver
EBS_CSI_DRIVER_NAMESPACE: kube-system
EBS_CSI_DRIVER_CHART_NAME: aws-ebs-csi-driver
EBS_CSI_DRIVER_CHART_URL: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
EBS_CSI_DRIVER_CHART_VERSION: 2.11.1
EBS_CSI_DRIVER_ACCOUNT: null
EBS_CSI_DRIVER_LOCATION: us-east-1
EBS_CSI_DRIVER_CONFIG:
controller:
k8sTagClusterId: "{{ CLUSTER_NAME }}"
region: "{{ EBS_CSI_DRIVER_LOCATION }}"
serviceAccount:
create: true
name: ebs-csi-controller-sa
annotations:
eks.amazonaws.com/role-arn: "{{ EBS_CSI_DRIVER_ACCOUNT }}"
private_ingress:
aws:
controller:
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
service.beta.kubernetes.io/aws-load-balancer-type: nlb
azure:
controller:
service:
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
gcp:
controller:
service:
annotations:
networking.gke.io/load-balancer-type: Internal
## NIST Features
V4_CFG_NIST_FEATURES_ENABLED: false