provisioning/taskservs/etcd/default/etcd.yaml.j2

# This is the configuration file for the etcd server.

# Human-readable name for this member.
{% if taskserv.etcd_name == "$hostname" %}
name: '{{server.hostname}}'
{%- else %}
name: '{{taskserv.etcd_name}}'
{%- endif %}

# Path to the data directory.
data-dir: {{taskserv.data_dir}} 
#/var/lib/etcd

# Path to the dedicated wal directory.
wal-dir:

# Number of committed transactions to trigger a snapshot to disk.
snapshot-count: 10000

# Time (in milliseconds) of a heartbeat interval.
heartbeat-interval: 100

# Time (in milliseconds) for an election to timeout.
election-timeout: 1000

# Raise alarms when backend size exceeds the given quota. 0 means use the
# default quota.
quota-backend-bytes: 0

{% set str_peer_port = "" ~ taskserv.peer_port %}
{% set str_cli_port = "" ~ taskserv.cli_port %}
# List of comma separated URLs to listen on for peer traffic.
listen-peer-urls: "{%- if taskserv.listen_peers is containing("$network_private_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.listen_peers | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$peer_port", to=str_peer_port)}}
{%- elif taskserv.listen_peers is containing("$network_public_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.listen_peers | replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) | replace(from="$peer_port", to=str_peer_port)}}
{%- else -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.listen_peers | replace(from="$servers",to=server.hostname) | replace(from="$peer_port", to=str_peer_port)}}
{%- endif %}"

# List of comma separated URLs to listen on for client traffic.

listen-client-urls: "{%- if taskserv.listen_clients is containing("$network_private_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.listen_clients | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$cli_port", to=str_cli_port)}}
{%- elif taskserv.listen_clients is containing("$network_public_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.listen_clients | replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) | replace(from="$cli_port", to=str_cli_port)}}
{%- else -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.listen_clients | replace(from="$servers",to=server.hostname) | replace(from="$cli_port", to=str_cli_port)}}
{%- endif %}"

# Maximum number of snapshot files to retain (0 is unlimited).
max-snapshots: 5

# Maximum number of wal files to retain (0 is unlimited).
max-wals: 5

# Comma-separated white list of origins for CORS (cross-origin resource sharing).
cors:

# List of this member's peer URLs to advertise to the rest of the cluster.
# The URLs needed to be a comma-separated list.

initial-advertise-peer-urls: "{%- if taskserv.adv_listen_peers is containing("$network_private_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$peer_port", to=str_peer_port)}}
{%- elif taskserv.adv_listen_peers is containing("$network_public_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers | replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) | replace(from="$peer_port", to=str_peer_port)}}
{%- else -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers | replace(from="$servers",to=server.hostname) | replace(from="$peer_port", to=str_peer_port)}}
{%- endif %}"

# List of this member's client URLs to advertise to the public.
# The URLs needed to be a comma-separated list.
advertise-client-urls: "{%- if taskserv.adv_listen_clients is containing("$network_private_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers:$network_private_ip",to=server.network_private_ip) | replace(from="$cli_port", to=str_cli_port)}}
{%- elif taskserv.adv_listen_clients is containing("$network_public_ip") -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers:$network_public_ip",to=settings[loop.index0].ip_addresses.pub) | replace(from="$cli_port", to=str_cli_port)}}
{%- else -%}
  {{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients | replace(from="$servers",to=server.hostname) | replace(from="$cli_port", to=str_cli_port)}}
{%- endif %}"

# Discovery URL used to bootstrap the cluster.
discovery: {{discovery_url | default(value="")}}

# Valid values include 'exit', 'proxy'
discovery-fallback: 'proxy'

# HTTP proxy to use for traffic to discovery service.
discovery-proxy:

# DNS domain used to bootstrap initial cluster.
discovery-srv: {{taskserv.discovery_srv | default(value="")}}

# Initial cluster configuration for bootstrapping.
initial-cluster: "{%- if taskserv.initial_peers is starting_with("$servers") -%}
  {%- for srv in defs.servers %} 
    {%- set srv_index = loop.index -%}
    {%- for task in srv.taskservs -%}
      {%- if task.name != "etcd" -%}{% continue %}{% endif %}
      {%- if srv_index > 1 -%},{%- endif -%}
      {%- if taskserv.initial_peers is containing("$network_private_ip") -%}
      {{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers | replace(from="$servers:$network_private_ip",to=srv.network_private_ip) | replace(from="$peer_port", to=str_peer_port)}}
      {%- elif task.initial_peers is containing("$network_public_ip") -%}
      {{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers | replace(from="$servers:$network_public_ip",to=settings[loop.index0].ip_addresses.pub) | replace(from="$peer_port", to=str_peer_port)}}
      {%- else -%}
        {%- set full_hostname = srv.hostname ~ "." ~ taskserv.domain_name -%}
      {{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers | replace(from="$servers",to=full_hostname) | replace(from="$peer_port", to=str_peer_port)}}
      {%- endif -%}
      {% break %}
    {%- endfor -%}
  {%- endfor -%}
{%- else -%}
  {{taskserv.cluster_list}}
{%- endif -%}"
{# {%- endif %} #}

# Initial cluster token for the etcd cluster during bootstrap.
initial-cluster-token: 'etcd-{{taskserv.cluster_name}}-cluster'

# Initial cluster state ('new' or 'existing').
#initial-cluster-state: {% if pos.server == 0 %} 'new' {% else %} 'existing'{% endif %}
initial-cluster-state: new

# Reject reconfiguration requests that would cause quorum loss.
strict-reconfig-check: false

# Enable runtime profiling data via HTTP server
enable-pprof: true

# Valid values include 'on', 'readonly', 'off'
proxy: 'off'

# Time (in milliseconds) an endpoint will be held in a failed state.
proxy-failure-wait: 5000

# Time (in milliseconds) of the endpoints refresh interval.
proxy-refresh-interval: 30000

# Time (in milliseconds) for a dial to timeout.
proxy-dial-timeout: 1000

# Time (in milliseconds) for a write to timeout.
proxy-write-timeout: 5000

# Time (in milliseconds) for a read to timeout.
proxy-read-timeout: 0

{% if taskserv.ssl_mode != "" -%}
client-transport-security:
  # Path to the client server TLS cert file.
  cert-file: {{taskserv.certs_path}}/{{taskserv.cluster_name}}.crt

  # Path to the client server TLS key file.
  key-file: {{taskserv.certs_path}}/{{taskserv.cluster_name}}.key

  # Enable client cert authentication.
  client-cert-auth: false

  # Path to the client server TLS trusted CA cert file.
  trusted-ca-file: {{taskserv.certs_path}}/ca.crt

  # Client TLS using generated certificates
  auto-tls: false

peer-transport-security:
  {% if taskserv.hostname == "$hostname" %}
  # Path to the peer server TLS cert file.
  cert-file: {{taskserv.certs_path}}/{{server.hostname}}.crt
  # Path to the peer server TLS key file.
  key-file: {{taskserv.certs_path}}/{{server.hostname}}.key
  {%- else %}
  name: '{{taskserv.hostname}}'
  # Path to the peer server TLS cert file.
  cert-file: {{taskserv.certs_path}}/{{hostname}}.crt
  # Path to the peer server TLS key file.
  key-file: {{taskserv.certs_path}}/{{hostname}}.key
  {%- endif %}

  # Enable peer client cert authentication.
  client-cert-auth: false

  # Path to the peer server TLS trusted CA cert file.
  trusted-ca-file: {{taskserv.certs_path}}/ca.crt

  # Peer TLS using generated certificates.
  auto-tls: false

   # Allowed CN for inter peer authentication.
  allowed-cn:

  # Allowed TLS hostname for inter peer authentication.
  allowed-hostname:

  # The validity period of the self-signed certificate, the unit is year.
  self-signed-cert-validity: 1

{%- endif %}

# Enable debug-level logging for etcd.
debug: false

logger: zap

# Specify 'stdout' or 'stderr' to skip journald logging even when running under systemd.
log-outputs: ['{{taskserv.log_out| default(value="stdout")}}']
log-level: '{{taskserv.log_level | default(value="warn")}}'

# Force to create a new one member cluster.
force-new-cluster: false

auto-compaction-mode: periodic
auto-compaction-retention: "1"

# Limit etcd to a specific set of tls cipher suites
cipher-suites: [
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
]
chore: add current provisioning state before migration 2025-09-22 22:11:41 +00:00			`# This is the configuration file for the etcd server.`

			`# Human-readable name for this member.`
			`{% if taskserv.etcd_name == "$hostname" %}`
			`name: '{{server.hostname}}'`
			`{%- else %}`
			`name: '{{taskserv.etcd_name}}'`
			`{%- endif %}`

			`# Path to the data directory.`
			`data-dir: {{taskserv.data_dir}}`
			`#/var/lib/etcd`

			`# Path to the dedicated wal directory.`
			`wal-dir:`

			`# Number of committed transactions to trigger a snapshot to disk.`
			`snapshot-count: 10000`

			`# Time (in milliseconds) of a heartbeat interval.`
			`heartbeat-interval: 100`

			`# Time (in milliseconds) for an election to timeout.`
			`election-timeout: 1000`

			`# Raise alarms when backend size exceeds the given quota. 0 means use the`
			`# default quota.`
			`quota-backend-bytes: 0`

			`{% set str_peer_port = "" ~ taskserv.peer_port %}`
			`{% set str_cli_port = "" ~ taskserv.cli_port %}`
			`# List of comma separated URLs to listen on for peer traffic.`
			`listen-peer-urls: "{%- if taskserv.listen_peers is containing("$network_private_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.listen_peers \| replace(from="$servers:$network_private_ip",to=server.network_private_ip) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- elif taskserv.listen_peers is containing("$network_public_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.listen_peers \| replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- else -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.listen_peers \| replace(from="$servers",to=server.hostname) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- endif %}"`

			`# List of comma separated URLs to listen on for client traffic.`

			`listen-client-urls: "{%- if taskserv.listen_clients is containing("$network_private_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.listen_clients \| replace(from="$servers:$network_private_ip",to=server.network_private_ip) \| replace(from="$cli_port", to=str_cli_port)}}`
			`{%- elif taskserv.listen_clients is containing("$network_public_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.listen_clients \| replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) \| replace(from="$cli_port", to=str_cli_port)}}`
			`{%- else -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.listen_clients \| replace(from="$servers",to=server.hostname) \| replace(from="$cli_port", to=str_cli_port)}}`
			`{%- endif %}"`

			`# Maximum number of snapshot files to retain (0 is unlimited).`
			`max-snapshots: 5`

			`# Maximum number of wal files to retain (0 is unlimited).`
			`max-wals: 5`

			`# Comma-separated white list of origins for CORS (cross-origin resource sharing).`
			`cors:`

			`# List of this member's peer URLs to advertise to the rest of the cluster.`
			`# The URLs needed to be a comma-separated list.`

			`initial-advertise-peer-urls: "{%- if taskserv.adv_listen_peers is containing("$network_private_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers \| replace(from="$servers:$network_private_ip",to=server.network_private_ip) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- elif taskserv.adv_listen_peers is containing("$network_public_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers \| replace(from="$servers:$network_public_ip",to=server.ip_addresses.pub) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- else -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_peers \| replace(from="$servers",to=server.hostname) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- endif %}"`

			`# List of this member's client URLs to advertise to the public.`
			`# The URLs needed to be a comma-separated list.`
			`advertise-client-urls: "{%- if taskserv.adv_listen_clients is containing("$network_private_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients \| replace(from="$servers:$network_private_ip",to=server.network_private_ip) \| replace(from="$cli_port", to=str_cli_port)}}`
			`{%- elif taskserv.adv_listen_clients is containing("$network_public_ip") -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients \| replace(from="$servers:$network_public_ip",to=settings[loop.index0].ip_addresses.pub) \| replace(from="$cli_port", to=str_cli_port)}}`
			`{%- else -%}`
			`{{taskserv.etcd_protocol}}://{{ taskserv.adv_listen_clients \| replace(from="$servers",to=server.hostname) \| replace(from="$cli_port", to=str_cli_port)}}`
			`{%- endif %}"`

			`# Discovery URL used to bootstrap the cluster.`
			`discovery: {{discovery_url \| default(value="")}}`

			`# Valid values include 'exit', 'proxy'`
			`discovery-fallback: 'proxy'`

			`# HTTP proxy to use for traffic to discovery service.`
			`discovery-proxy:`

			`# DNS domain used to bootstrap initial cluster.`
			`discovery-srv: {{taskserv.discovery_srv \| default(value="")}}`

			`# Initial cluster configuration for bootstrapping.`
			`initial-cluster: "{%- if taskserv.initial_peers is starting_with("$servers") -%}`
			`{%- for srv in defs.servers %}`
			`{%- set srv_index = loop.index -%}`
			`{%- for task in srv.taskservs -%}`
			`{%- if task.name != "etcd" -%}{% continue %}{% endif %}`
			`{%- if srv_index > 1 -%},{%- endif -%}`
			`{%- if taskserv.initial_peers is containing("$network_private_ip") -%}`
			`{{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers \| replace(from="$servers:$network_private_ip",to=srv.network_private_ip) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- elif task.initial_peers is containing("$network_public_ip") -%}`
			`{{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers \| replace(from="$servers:$network_public_ip",to=settings[loop.index0].ip_addresses.pub) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- else -%}`
			`{%- set full_hostname = srv.hostname ~ "." ~ taskserv.domain_name -%}`
			`{{ srv.hostname }}={{taskserv.etcd_protocol}}://{{ taskserv.initial_peers \| replace(from="$servers",to=full_hostname) \| replace(from="$peer_port", to=str_peer_port)}}`
			`{%- endif -%}`
			`{% break %}`
			`{%- endfor -%}`
			`{%- endfor -%}`
			`{%- else -%}`
			`{{taskserv.cluster_list}}`
			`{%- endif -%}"`
			`{# {%- endif %} #}`

			`# Initial cluster token for the etcd cluster during bootstrap.`
			`initial-cluster-token: 'etcd-{{taskserv.cluster_name}}-cluster'`

			`# Initial cluster state ('new' or 'existing').`
			`#initial-cluster-state: {% if pos.server == 0 %} 'new' {% else %} 'existing'{% endif %}`
			`initial-cluster-state: new`

			`# Reject reconfiguration requests that would cause quorum loss.`
			`strict-reconfig-check: false`

			`# Enable runtime profiling data via HTTP server`
			`enable-pprof: true`

			`# Valid values include 'on', 'readonly', 'off'`
			`proxy: 'off'`

			`# Time (in milliseconds) an endpoint will be held in a failed state.`
			`proxy-failure-wait: 5000`

			`# Time (in milliseconds) of the endpoints refresh interval.`
			`proxy-refresh-interval: 30000`

			`# Time (in milliseconds) for a dial to timeout.`
			`proxy-dial-timeout: 1000`

			`# Time (in milliseconds) for a write to timeout.`
			`proxy-write-timeout: 5000`

			`# Time (in milliseconds) for a read to timeout.`
			`proxy-read-timeout: 0`

			`{% if taskserv.ssl_mode != "" -%}`
			`client-transport-security:`
			`# Path to the client server TLS cert file.`
			`cert-file: {{taskserv.certs_path}}/{{taskserv.cluster_name}}.crt`

			`# Path to the client server TLS key file.`
			`key-file: {{taskserv.certs_path}}/{{taskserv.cluster_name}}.key`

			`# Enable client cert authentication.`
			`client-cert-auth: false`

			`# Path to the client server TLS trusted CA cert file.`
			`trusted-ca-file: {{taskserv.certs_path}}/ca.crt`

			`# Client TLS using generated certificates`
			`auto-tls: false`

			`peer-transport-security:`
			`{% if taskserv.hostname == "$hostname" %}`
			`# Path to the peer server TLS cert file.`
			`cert-file: {{taskserv.certs_path}}/{{server.hostname}}.crt`
			`# Path to the peer server TLS key file.`
			`key-file: {{taskserv.certs_path}}/{{server.hostname}}.key`
			`{%- else %}`
			`name: '{{taskserv.hostname}}'`
			`# Path to the peer server TLS cert file.`
			`cert-file: {{taskserv.certs_path}}/{{hostname}}.crt`
			`# Path to the peer server TLS key file.`
			`key-file: {{taskserv.certs_path}}/{{hostname}}.key`
			`{%- endif %}`

			`# Enable peer client cert authentication.`
			`client-cert-auth: false`

			`# Path to the peer server TLS trusted CA cert file.`
			`trusted-ca-file: {{taskserv.certs_path}}/ca.crt`

			`# Peer TLS using generated certificates.`
			`auto-tls: false`

			`# Allowed CN for inter peer authentication.`
			`allowed-cn:`

			`# Allowed TLS hostname for inter peer authentication.`
			`allowed-hostname:`

			`# The validity period of the self-signed certificate, the unit is year.`
			`self-signed-cert-validity: 1`

			`{%- endif %}`

			`# Enable debug-level logging for etcd.`
			`debug: false`

			`logger: zap`

			`# Specify 'stdout' or 'stderr' to skip journald logging even when running under systemd.`
			`log-outputs: ['{{taskserv.log_out\| default(value="stdout")}}']`
			`log-level: '{{taskserv.log_level \| default(value="warn")}}'`

			`# Force to create a new one member cluster.`
			`force-new-cluster: false`

			`auto-compaction-mode: periodic`
			`auto-compaction-retention: "1"`

			`# Limit etcd to a specific set of tls cipher suites`
			`cipher-suites: [`
			`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,`
			`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
			`]`