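---
# K3s server configuration (Ansible/Jinja2 template)
#
# Rendered into the k3s server config file. Every templated value is quoted
# so an empty or boolean-looking expansion (e.g. a hostname such as "no")
# is still read as a string rather than null/false.

# Encrypt Kubernetes Secrets in the datastore. The encryption key is managed
# by k3s on the server node, so this protects datastore copies and backups
# rather than a compromised server itself.
secrets-encryption: true

# Node configuration - force k3s to use the physical NIC IP
# instead of auto-detecting interfaces like mac-shim.
# bind-address limits the API server listener to this address only.
node-ip: "{{ ansible_host }}"
advertise-address: "{{ ansible_host }}"
bind-address: "{{ ansible_host }}"
{% if k3s_node_iface is defined and k3s_node_iface | length > 0 %}
# Pin the flannel overlay to the same interface when one is configured.
flannel-iface: "{{ k3s_node_iface }}"
{% endif %}

# TLS configuration - extra SANs for the API server certificate, so the
# certificate is valid for the first server's IP/hostname and the in-cluster
# service names (in addition to the node's own IP/hostname that k3s adds).
tls-san:
  - "{{ k3s_first_server_ip }}"
  - "{{ k3s_first_server_hostname }}"
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local

# Additional kube-apiserver arguments for TLS hardening:
# require TLS 1.2+ and restrict TLS 1.2 to ECDHE + AES-GCM suites
# (TLS 1.3 suites are not configurable and are unaffected).
kube-apiserver-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

# Additional kubelet arguments for TLS.
# The cipher-suite list mirrors the kube-apiserver one above so the kubelet's
# serving endpoint is held to the same floor as the API server.
kubelet-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

# Disable bundled components that are not needed (optional - adjust as needed).
# Fewer exposed components means a smaller attack surface; uncomment to use.
# disable:
#   - traefik
#   - servicelb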