Decouple etcd defaults in a separate role

This allows us to reuse the defaults in other places without putting
everything in kubespray-defaults.

In that, for kubernetes/control-plane.

roles/etcd/defaults/main.yml

@@ -1,135 +0,0 @@
----
-# Set etcd user
-etcd_owner: etcd
-
-# Set to false to only do certificate management
-etcd_cluster_setup: true
-etcd_events_cluster_setup: false
-
-# Set to true to separate k8s events to a different etcd cluster
-etcd_events_cluster_enabled: false
-
-etcd_backup_prefix: "/var/backups"
-etcd_data_dir: "/var/lib/etcd"
-
-# Number of etcd backups to retain. Set to a value < 0 to retain all backups
-etcd_backup_retention_count: -1
-
-force_etcd_cert_refresh: true
-etcd_config_dir: /etc/ssl/etcd
-etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
-etcd_cert_dir_mode: "0700"
-etcd_cert_group: root
-# Note: This does not set up DNS entries. It simply adds the following DNS
-# entries to the certificate
-etcd_cert_alt_names:
-  - "etcd.kube-system.svc.{{ dns_domain }}"
-  - "etcd.kube-system.svc"
-  - "etcd.kube-system"
-  - "etcd"
-etcd_cert_alt_ips: []
-
-etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
-
-etcd_heartbeat_interval: "250"
-etcd_election_timeout: "5000"
-
-## Set level of detail for etcd exported metrics, specify 'extensive' to include histogram metrics.
-etcd_metrics: "basic"
-
-# Define in inventory to set a separate port for etcd to expose metrics on
-# etcd_metrics_port: 2381
-
-## A dictionary of extra environment variables to add to etcd.env, formatted like:
-##  etcd_extra_vars:
-##    ETCD_VAR1: "value1"
-##    ETCD_VAR2: "value2"
-etcd_extra_vars: {}
-
-# Limits
-## Etcd is restricted by default to 512M on systems under 4GB RAM, 512MB is not enough for much more than testing.
-## Set this if your etcd nodes have less than 4GB but you want more RAM for etcd. Set to 0 for unrestricted RAM.
-## This value is only relevant when deploying etcd with `etcd_deployment_type: docker`
-etcd_memory_limit: "{% if ansible_memtotal_mb < 4096 %}512M{% else %}0{% endif %}"
-
-## Etcd has a default of 2G for its space quota. If you put a value in etcd_memory_limit which is less than
-## etcd_quota_backend_bytes, you may encounter out of memory terminations of the etcd cluster. Please check
-## etcd documentation for more information.
-# 8G is a suggested maximum size for normal environments and etcd warns at startup if the configured value exceeds it.
-etcd_quota_backend_bytes: "2147483648"
-
-# Maximum client request size in bytes the server will accept.
-# etcd is designed to handle small key value pairs typical for metadata.
-# Larger requests will work, but may increase the latency of other requests
-etcd_max_request_bytes: "1572864"
-
-# Uncomment to set CPU share for etcd
-# etcd_cpu_limit: 300m
-
-etcd_blkio_weight: 1000
-
-etcd_node_cert_hosts: "{{ groups['k8s_cluster'] }}"
-
-## Etcd auto compaction retention for mvcc key value store in hour
-etcd_compaction_retention: "8"
-
-# Force clients like etcdctl to use TLS certs (different than peer security)
-etcd_secure_client: true
-
-# Enable peer client cert authentication
-etcd_peer_client_auth: true
-
-# Maximum number of snapshot files to retain (0 is unlimited)
-etcd_max_snapshots: 5
-
-# Maximum number of wal files to retain (0 is unlimited)
-etcd_max_wals: 5
-
-# Number of loop retries
-etcd_retries: 4
-
-## Support tls cipher suites.
-# etcd_tls_cipher_suites: {}
-#   - TLS_RSA_WITH_RC4_128_SHA
-#   - TLS_RSA_WITH_3DES_EDE_CBC_SHA
-#   - TLS_RSA_WITH_AES_128_CBC_SHA
-#   - TLS_RSA_WITH_AES_256_CBC_SHA
-#   - TLS_RSA_WITH_AES_128_CBC_SHA256
-#   - TLS_RSA_WITH_AES_128_GCM_SHA256
-#   - TLS_RSA_WITH_AES_256_GCM_SHA384
-#   - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
-#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-#   - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-#   - TLS_ECDHE_RSA_WITH_RC4_128_SHA
-#   - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-#   - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-#   - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-#   - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-#   - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-#   - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-#   - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-#   - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-#   - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-#   - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-
-# ETCD 3.5.x issue
-# https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ?utm_medium=email&utm_source=footer
-etcd_experimental_initial_corrupt_check: true
-
-# If this is true, debug information will be displayed but
-# may contain some private data, so it is recommended to set it to false
-# in the production environment.
-unsafe_show_logs: false
-
-# Enable distributed tracing
-# https://etcd.io/docs/v3.5/op-guide/monitoring/#distributed-tracing
-etcd_experimental_enable_distributed_tracing: false
-etcd_experimental_distributed_tracing_sample_rate: 100 # Per million spans
-etcd_experimental_distributed_tracing_address: "localhost:4317"
-etcd_experimental_distributed_tracing_service_name: etcd
-
-# The interval for etcd watch progress notify events
-etcd_experimental_watch_progress_notify_interval: 5s
-
-etcd_log_level: info

roles/etcd/meta/main.yml

@@ -6,3 +6,4 @@ dependencies:
   - role: adduser
     user: "{{ addusers.kube }}"
     when: not (ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_fedora_coreos)
+  - role: etcd_defaults

roles/etcd/vars/main.yml

@@ -1,10 +0,0 @@
----
-cert_files:
-  master:
-  - "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
-  - "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
-  - "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
-  - "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
-  node:
-  - "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}.pem"
-  - "{{ etcd_cert_dir }}/node-{{ inventory_hostname }}-key.pem"