[DO-143] Final prepare for env k8s avroid_prod (!2)

DO-1431

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-deploy/pulls/2

env/avroid_prod/inventory/group_vars/all/all.yml

@@ -17,9 +17,9 @@ bin_dir: /usr/local/bin
 #   port: 1234
 
 ## Internal loadbalancers for apiservers
-# loadbalancer_apiserver_localhost: true
+loadbalancer_apiserver_localhost: true
 # valid options are "nginx" or "haproxy"
-# loadbalancer_apiserver_type: nginx  # valid values "nginx" or "haproxy"
+loadbalancer_apiserver_type: nginx
 
 ## Local loadbalancer should use this port
 ## And must be set port 6443
@@ -36,9 +36,10 @@ loadbalancer_apiserver_healthcheck_port: 8081
 # disable_host_nameservers: false
 
 ## Upstream dns servers
-# upstream_dns_servers:
-#   - 8.8.8.8
-#   - 8.8.4.4
+upstream_dns_servers:
+  - 10.2.4.10
+  - 10.2.4.20
+  - 10.3.0.101
 
 ## There are some changes specific to the cloud providers
 ## for instance we need to encapsulate packets with some network plugins
@@ -83,7 +84,7 @@ no_proxy_exclude_workers: false
 ## This setting determines whether certs are generated via scripts.
 ## Chose 'none' if you provide your own certificates.
 ## Option is  "script", "none"
-# cert_management: script
+cert_management: script
 
 ## Set to true to allow pre-checks to fail and continue deployment
 # ignore_assert_errors: false
@@ -92,7 +93,7 @@ no_proxy_exclude_workers: false
 # kube_read_only_port: 10255
 
 ## Set true to download and cache container
-# download_container: true
+download_container: true
 
 ## Deploy container engine
 # Set false if you want to deploy container engine manually.
@@ -124,13 +125,14 @@ kube_webhook_token_auth_url_skip_tls_verify: false
 
 ## NTP Settings
 # Start the ntpd or chrony service and enable it at system boot.
-ntp_enabled: false
-ntp_manage_config: false
+ntp_enabled: true
+ntp_manage_config: true
 ntp_servers:
-  - "0.pool.ntp.org iburst"
-  - "1.pool.ntp.org iburst"
-  - "2.pool.ntp.org iburst"
-  - "3.pool.ntp.org iburst"
+  - "ntp-01.avroid.tech iburst"
+  - "ntp-02.avroid.tech iburst"
+  - "ntp-03.avroid.tech iburst"
+# Set timezone
+ntp_timezone: Europe/Moscow
 
 ## Used to control no_log attribute
 unsafe_show_logs: false

env/avroid_prod/inventory/group_vars/all/aws.yml

@@ -1,9 +0,0 @@
-## To use AWS EBS CSI Driver to provision volumes, uncomment the first value
-## and configure the parameters below
-# aws_ebs_csi_enabled: true
-# aws_ebs_csi_enable_volume_scheduling: true
-# aws_ebs_csi_enable_volume_snapshot: false
-# aws_ebs_csi_enable_volume_resizing: false
-# aws_ebs_csi_controller_replicas: 1
-# aws_ebs_csi_plugin_image_tag: latest
-# aws_ebs_csi_extra_volume_tags: "Owner=owner,Team=team,Environment=environment'

env/avroid_prod/inventory/group_vars/all/azure.yml

@@ -1,40 +0,0 @@
-## When azure is used, you need to also set the following variables.
-## see docs/azure.md for details on how to get these values
-
-# azure_cloud:
-# azure_tenant_id:
-# azure_subscription_id:
-# azure_aad_client_id:
-# azure_aad_client_secret:
-# azure_resource_group:
-# azure_location:
-# azure_subnet_name:
-# azure_security_group_name:
-# azure_security_group_resource_group:
-# azure_vnet_name:
-# azure_vnet_resource_group:
-# azure_route_table_name:
-# azure_route_table_resource_group:
-# supported values are 'standard' or 'vmss'
-# azure_vmtype: standard
-
-## Azure Disk CSI credentials and parameters
-## see docs/azure-csi.md for details on how to get these values
-
-# azure_csi_tenant_id:
-# azure_csi_subscription_id:
-# azure_csi_aad_client_id:
-# azure_csi_aad_client_secret:
-# azure_csi_location:
-# azure_csi_resource_group:
-# azure_csi_vnet_name:
-# azure_csi_vnet_resource_group:
-# azure_csi_subnet_name:
-# azure_csi_security_group_name:
-# azure_csi_use_instance_metadata:
-# azure_csi_tags: "Owner=owner,Team=team,Environment=environment'
-
-## To enable Azure Disk CSI, uncomment below
-# azure_csi_enabled: true
-# azure_csi_controller_replicas: 1
-# azure_csi_plugin_image_tag: latest

env/avroid_prod/inventory/group_vars/all/containerd.yml

@@ -1,7 +1,7 @@
 ---
 # Please see roles/container-engine/containerd/defaults/main.yml for more configuration options
 
-# containerd_storage_dir: "/var/lib/containerd"
+containerd_storage_dir: "/var/lib/containerd"
 # containerd_state_dir: "/run/containerd"
 # containerd_oom_score: 0
 
@@ -24,19 +24,62 @@
 # containerd_grpc_max_recv_message_size: 16777216
 # containerd_grpc_max_send_message_size: 16777216
 
+# Containerd debug socket location: unix or tcp format
+# containerd_debug_address: ""
+
+# Containerd log level
 # containerd_debug_level: "info"
 
+# Containerd logs format, supported values: text, json
+# containerd_debug_format: ""
+
+# Containerd debug socket UID
+# containerd_debug_uid: 0
+
+# Containerd debug socket GID
+# containerd_debug_gid: 0
+
 # containerd_metrics_address: ""
 
 # containerd_metrics_grpc_histogram: false
 
 # Registries defined within containerd.
-# containerd_registries_mirrors:
-#  - prefix: docker.io
-#    mirrors:
-#     - host: https://registry-1.docker.io
-#       capabilities: ["pull", "resolve"]
-#       skip_verify: false
+containerd_registries_mirrors:
+  - prefix: docker.io
+    mirrors:
+     - host: https://mirror-gcr-io-proxy.avroid.tech
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
+     - host: https://eu-central-1-mirror-aliyuncs-com-proxy.avroid.tech
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
+     - host: https://registry-1.docker.io
+       capabilities: ["pull", "resolve"]
+       skip_verify: false
+  - prefix: quay.io
+    mirrors:
+     - host: https://quay-proxy.avroid.tech
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
+     - host: https://quay.io
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
+  - prefix: ghcr.io
+    mirrors:
+     - host: https://ghcr-proxy.avroid.tech
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
+     - host: https://ghcr.io
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
+  - prefix: registry.k8s.io
+    mirrors:
+     - host: https://registry-k8s-io-proxy.avroid.tech
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
+     - host: https://registry.k8s.io
+       capabilities: [ "pull", "resolve" ]
+       skip_verify: false
 
 # containerd_max_container_log_line_size: -1
 

env/avroid_prod/inventory/group_vars/all/coreos.yml

@@ -1,2 +0,0 @@
-## Does coreos need auto upgrade, default is true
-# coreos_auto_upgrade: true

env/avroid_prod/inventory/group_vars/all/cri-o.yml

@@ -1,9 +0,0 @@
-# Registries defined within cri-o.
-# crio_insecure_registries:
-#   - 10.0.0.2:5000
-
-# Auth config for the registries
-# crio_registry_auth:
-#   - registry: 10.0.0.2:5000
-#     username: user
-#     password: pass

env/avroid_prod/inventory/group_vars/all/docker.yml

@@ -1,59 +0,0 @@
----
-## Uncomment this if you want to force overlay/overlay2 as docker storage driver
-## Please note that overlay2 is only supported on newer kernels
-# docker_storage_options: -s overlay2
-
-## Enable docker_container_storage_setup, it will configure devicemapper driver on Centos7 or RedHat7.
-docker_container_storage_setup: false
-
-## It must be define a disk path for docker_container_storage_setup_devs.
-## Otherwise docker-storage-setup will be executed incorrectly.
-# docker_container_storage_setup_devs: /dev/vdb
-
-## Uncomment this if you want to change the Docker Cgroup driver (native.cgroupdriver)
-## Valid options are systemd or cgroupfs, default is systemd
-# docker_cgroup_driver: systemd
-
-## Only set this if you have more than 3 nameservers:
-## If true Kubespray will only use the first 3, otherwise it will fail
-docker_dns_servers_strict: false
-
-# Path used to store Docker data
-docker_daemon_graph: "/var/lib/docker"
-
-## Used to set docker daemon iptables options to true
-docker_iptables_enabled: "false"
-
-# Docker log options
-# Rotate container stderr/stdout logs at 50m and keep last 5
-docker_log_opts: "--log-opt max-size=50m --log-opt max-file=5"
-
-# define docker bin_dir
-docker_bin_dir: "/usr/bin"
-
-# keep docker packages after installation; speeds up repeated ansible provisioning runs when '1'
-# kubespray deletes the docker package on each run, so caching the package makes sense
-docker_rpm_keepcache: 1
-
-## An obvious use case is allowing insecure-registry access to self hosted registries.
-## Can be ipaddress and domain_name.
-## example define 172.19.16.11 or mirror.registry.io
-# docker_insecure_registries:
-#   - mirror.registry.io
-#   - 172.19.16.11
-
-## Add other registry,example China registry mirror.
-# docker_registry_mirrors:
-#   - https://registry.docker-cn.com
-#   - https://mirror.aliyuncs.com
-
-## If non-empty will override default system MountFlags value.
-## This option takes a mount propagation flag: shared, slave
-## or private, which control whether mounts in the file system
-## namespace set up for docker will receive or propagate mounts
-## and unmounts. Leave empty for system default
-# docker_mount_flags:
-
-## A string of extra options to pass to the docker daemon.
-## This string should be exactly as you wish it to appear.
-# docker_options: ""

env/avroid_prod/inventory/group_vars/all/etcd.yml

@@ -1,6 +1,6 @@
 ---
 ## Directory where etcd data stored
-etcd_data_dir: /var/lib/etcd
+etcd_data_dir: /data/etcd
 
 ## Container runtime
 ## docker for docker, crio for cri-o and containerd for containerd.

env/avroid_prod/inventory/group_vars/all/gcp.yml

@@ -1,10 +0,0 @@
-## GCP compute Persistent Disk CSI Driver credentials and parameters
-## See docs/gcp-pd-csi.md for information about the implementation
-
-## Specify the path to the file containing the service account credentials
-# gcp_pd_csi_sa_cred_file: "/my/safe/credentials/directory/cloud-sa.json"
-
-## To enable GCP Persistent Disk CSI driver, uncomment below
-# gcp_pd_csi_enabled: true
-# gcp_pd_csi_controller_replicas: 1
-# gcp_pd_csi_driver_image_tag: "v0.7.0-gke.0"

env/avroid_prod/inventory/group_vars/all/hcloud.yml

@@ -1,22 +0,0 @@
-## Values for the external Hcloud Cloud Controller
-# external_hcloud_cloud:
-#   hcloud_api_token: ""
-#   token_secret_name: hcloud
-#   with_networks: false # Use the hcloud controller-manager with networks support https://github.com/hetznercloud/hcloud-cloud-controller-manager#networks-support
-#   network_name: # network name/ID: If you manage the network yourself it might still be required to let the CCM know about private networks
-#   service_account_name: cloud-controller-manager
-#
-#   controller_image_tag: "latest"
-#   ## A dictionary of extra arguments to add to the openstack cloud controller manager daemonset
-#   ## Format:
-#   ##  external_hcloud_cloud.controller_extra_args:
-#   ##    arg1: "value1"
-#   ##    arg2: "value2"
-#   controller_extra_args: {}
-#
-#   load_balancers_location: # mutually exclusive with load_balancers_network_zone
-#   load_balancers_network_zone:
-#   load_balancers_disable_private_ingress: # set to true if using IPVS based plugins https://github.com/hetznercloud/hcloud-cloud-controller-manager/blob/main/docs/load_balancers.md#sample-service-with-networks
-#   load_balancers_use_private_ip: # set to true if using private networks
-#   load_balancers_enabled:
-#   network_routes_enabled:

env/avroid_prod/inventory/group_vars/all/huaweicloud.yml

@@ -1,17 +0,0 @@
-## Values for the external Huawei Cloud Controller
-# external_huaweicloud_lbaas_subnet_id: "Neutron subnet ID to create LBaaS VIP"
-# external_huaweicloud_lbaas_network_id: "Neutron network ID to create LBaaS VIP"
-
-## Credentials to authenticate against Keystone API
-## All of them are required Per default these values will be
-## read from the environment.
-# external_huaweicloud_auth_url: "{{ lookup('env','OS_AUTH_URL')  }}"
-# external_huaweicloud_access_key: "{{ lookup('env','OS_ACCESS_KEY')  }}"
-# external_huaweicloud_secret_key: "{{ lookup('env','OS_SECRET_KEY')  }}"
-# external_huaweicloud_region: "{{ lookup('env','OS_REGION_NAME')  }}"
-# external_huaweicloud_project_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_PROJECT_ID'),true) }}"
-# external_huaweicloud_cloud: "{{ lookup('env','OS_CLOUD') }}"
-
-## The repo and tag of the external Huawei Cloud Controller image
-# external_huawei_cloud_controller_image_repo: "swr.ap-southeast-1.myhuaweicloud.com"
-# external_huawei_cloud_controller_image_tag: "v0.26.8"

env/avroid_prod/inventory/group_vars/all/oci.yml

@@ -1,28 +0,0 @@
-## When Oracle Cloud Infrastructure is used, set these variables
-# oci_private_key:
-# oci_region_id:
-# oci_tenancy_id:
-# oci_user_id:
-# oci_user_fingerprint:
-# oci_compartment_id:
-# oci_vnc_id:
-# oci_subnet1_id:
-# oci_subnet2_id:
-## Override these default/optional behaviors if you wish
-# oci_security_list_management: All
-## If you would like the controller to manage specific lists per subnet. This is a mapping of subnet ocids to security list ocids. Below are examples.
-# oci_security_lists:
-#   ocid1.subnet.oc1.phx.aaaaaaaasa53hlkzk6nzksqfccegk2qnkxmphkblst3riclzs4rhwg7rg57q: ocid1.securitylist.oc1.iad.aaaaaaaaqti5jsfvyw6ejahh7r4okb2xbtuiuguswhs746mtahn72r7adt7q
-#   ocid1.subnet.oc1.phx.aaaaaaaahuxrgvs65iwdz7ekwgg3l5gyah7ww5klkwjcso74u3e4i64hvtvq: ocid1.securitylist.oc1.iad.aaaaaaaaqti5jsfvyw6ejahh7r4okb2xbtuiuguswhs746mtahn72r7adt7q
-## If oci_use_instance_principals is true, you do not need to set the region, tenancy, user, key, passphrase, or fingerprint
-# oci_use_instance_principals: false
-# oci_cloud_controller_version: 0.6.0
-## If you would like to control OCI query rate limits for the controller
-# oci_rate_limit:
-#   rate_limit_qps_read:
-#   rate_limit_qps_write:
-#   rate_limit_bucket_read:
-#   rate_limit_bucket_write:
-## Other optional variables
-# oci_cloud_controller_pull_source: (default iad.ocir.io/oracle/cloud-provider-oci)
-# oci_cloud_controller_pull_secret: (name of pull secret to use if you define your own mirror above)

env/avroid_prod/inventory/group_vars/all/offline.yml

@@ -18,7 +18,7 @@
 # quay_image_repo: "{{ registry_host }}"
 
 ## Kubernetes components
-# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kubeadm_version }}/bin/linux/{{ image_arch }}/kubeadm"
+# kubeadm_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubeadm"
 # kubectl_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubectl"
 # kubelet_download_url: "{{ files_repo }}/dl.k8s.io/release/{{ kube_version }}/bin/linux/{{ image_arch }}/kubelet"
 
@@ -82,7 +82,7 @@
 # krew_download_url: "{{ files_repo }}/github.com/kubernetes-sigs/krew/releases/download/{{ krew_version }}/krew-{{ host_os }}_{{ image_arch }}.tar.gz"
 
 ## CentOS/Redhat/AlmaLinux
-### For EL7, base and extras repo must be available, for EL8, baseos and appstream
+### For EL8, baseos and appstream must be available,
 ### By default we enable those repo automatically
 # rhel_enable_repos: false
 ### Docker / Containerd

env/avroid_prod/inventory/group_vars/all/openstack.yml

@@ -1,72 +0,0 @@
-## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461)
-# openstack_blockstorage_version: "v1/v2/auto (default)"
-# openstack_blockstorage_ignore_volume_az: yes
-## When OpenStack is used, if LBaaSv2 is available you can enable it with the following 2 variables.
-# openstack_lbaas_enabled: True
-# openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP"
-## To enable automatic floating ip provisioning, specify a subnet.
-# openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default"
-## Override default LBaaS behavior
-# openstack_lbaas_use_octavia: False
-# openstack_lbaas_method: "ROUND_ROBIN"
-# openstack_lbaas_provider: "haproxy"
-# openstack_lbaas_create_monitor: "yes"
-# openstack_lbaas_monitor_delay: "1m"
-# openstack_lbaas_monitor_timeout: "30s"
-# openstack_lbaas_monitor_max_retries: "3"
-
-## Values for the external OpenStack Cloud Controller
-# external_openstack_lbaas_enabled: true
-# external_openstack_lbaas_floating_network_id: "Neutron network ID to get floating IP from"
-# external_openstack_lbaas_floating_subnet_id: "Neutron subnet ID to get floating IP from"
-# external_openstack_lbaas_method: ROUND_ROBIN
-# external_openstack_lbaas_provider: amphora
-# external_openstack_lbaas_subnet_id: "Neutron subnet ID to create LBaaS VIP"
-# external_openstack_lbaas_network_id: "Neutron network ID to create LBaaS VIP"
-# external_openstack_lbaas_manage_security_groups: false
-# external_openstack_lbaas_create_monitor: false
-# external_openstack_lbaas_monitor_delay: 5s
-# external_openstack_lbaas_monitor_max_retries: 1
-# external_openstack_lbaas_monitor_timeout: 3s
-# external_openstack_lbaas_internal_lb: false
-# external_openstack_network_ipv6_disabled: false
-# external_openstack_network_internal_networks: []
-# external_openstack_network_public_networks: []
-# external_openstack_metadata_search_order: "configDrive,metadataService"
-
-## Application credentials to authenticate against Keystone API
-## Those settings will take precedence over username and password that might be set your environment
-## All of them are required
-# external_openstack_application_credential_name:
-# external_openstack_application_credential_id:
-# external_openstack_application_credential_secret:
-
-## The tag of the external OpenStack Cloud Controller image
-# external_openstack_cloud_controller_image_tag: "v1.28.2"
-
-## Tags for the Cinder CSI images
-## registry.k8s.io/sig-storage/csi-attacher
-# cinder_csi_attacher_image_tag: "v4.4.2"
-## registry.k8s.io/sig-storage/csi-provisioner
-# cinder_csi_provisioner_image_tag: "v3.6.2"
-## registry.k8s.io/sig-storage/csi-snapshotter
-# cinder_csi_snapshotter_image_tag: "v6.3.2"
-## registry.k8s.io/sig-storage/csi-resizer
-# cinder_csi_resizer_image_tag: "v1.9.2"
-## registry.k8s.io/sig-storage/livenessprobe
-# cinder_csi_livenessprobe_image_tag: "v2.11.0"
-
-## To use Cinder CSI plugin to provision volumes set this value to true
-## Make sure to source in the openstack credentials
-# cinder_csi_enabled: true
-# cinder_csi_controller_replicas: 1
-# storage_classes:
-#   - name: "cinder-csi"
-#     provisioner: "kubernetes.io/cinder"
-#     mount_options:
-#       - "discard"
-#     parameters:
-#       type: "thin"
-#       availability: "nova"
-#     reclaim_policy: "Delete"
-#     volume_binding_mode: "WaitForFirstConsumer"

env/avroid_prod/inventory/group_vars/all/upcloud.yml

@@ -1,24 +0,0 @@
-## Repo for UpClouds csi-driver: https://github.com/UpCloudLtd/upcloud-csi
-## To use UpClouds CSI plugin to provision volumes set this value to true
-## Remember to set UPCLOUD_USERNAME and UPCLOUD_PASSWORD
-# upcloud_csi_enabled: true
-# upcloud_csi_controller_replicas: 1
-## Override used image tags
-# upcloud_csi_provisioner_image_tag: "v3.1.0"
-# upcloud_csi_attacher_image_tag: "v3.4.0"
-# upcloud_csi_resizer_image_tag: "v1.4.0"
-# upcloud_csi_plugin_image_tag: "v0.3.3"
-# upcloud_csi_node_image_tag: "v2.5.0"
-# upcloud_tolerations: []
-## Storage class options
-# storage_classes:
-#   - name: standard
-#     is_default: true
-#     expand_persistent_volumes: true
-#     parameters:
-#       tier: maxiops
-#   - name: hdd
-#     is_default: false
-#     expand_persistent_volumes: true
-#     parameters:
-#       tier: hdd

env/avroid_prod/inventory/group_vars/all/vsphere.yml

@@ -1,32 +0,0 @@
-## Values for the external vSphere Cloud Provider
-# external_vsphere_vcenter_ip: "myvcenter.domain.com"
-# external_vsphere_vcenter_port: "443"
-# external_vsphere_insecure: "true"
-# external_vsphere_user: "administrator@vsphere.local" # Can also be set via the `VSPHERE_USER` environment variable
-# external_vsphere_password: "K8s_admin" # Can also be set via the `VSPHERE_PASSWORD` environment variable
-# external_vsphere_datacenter: "DATACENTER_name"
-# external_vsphere_kubernetes_cluster_id: "kubernetes-cluster-id"
-
-## Vsphere version where located VMs
-# external_vsphere_version: "6.7u3"
-
-## Tags for the external vSphere Cloud Provider images
-## gcr.io/cloud-provider-vsphere/cpi/release/manager
-# external_vsphere_cloud_controller_image_tag: "latest"
-## gcr.io/cloud-provider-vsphere/csi/release/syncer
-# vsphere_syncer_image_tag: "v2.5.1"
-## registry.k8s.io/sig-storage/csi-attacher
-# vsphere_csi_attacher_image_tag: "v3.4.0"
-## gcr.io/cloud-provider-vsphere/csi/release/driver
-# vsphere_csi_controller: "v2.5.1"
-## registry.k8s.io/sig-storage/livenessprobe
-# vsphere_csi_liveness_probe_image_tag: "v2.6.0"
-## registry.k8s.io/sig-storage/csi-provisioner
-# vsphere_csi_provisioner_image_tag: "v3.1.0"
-## registry.k8s.io/sig-storage/csi-resizer
-## makes sense only for vSphere version >=7.0
-# vsphere_csi_resizer_tag: "v1.3.0"
-
-## To use vSphere CSI plugin to provision volumes set this value to true
-# vsphere_csi_enabled: true
-# vsphere_csi_controller_replicas: 1