marco/veda
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Changed Talos configuration structure

Browse Source
This commit is contained in:
Marco van Zijl 2025-05-03 20:47:44 +02:00
parent d81ed5e2d5
commit 944383e42b
17 changed files with 99 additions and 1238 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
readme.md
View File

@ -38,7 +38,62 @@ The new setup of my homelab will be based on Kubernetes, which will prevent all
## Bootstrapping
TODO
```bash
export CLUSTER_NAME="veda"
export API_ENDPOINT="https://192.168.0.1:6443"
```
```bash
talosctl gen secrets --output-file secrets.yaml
```
```bash
talosctl gen config \
--with-secrets secrets.yaml \
--output-types talosconfig \
--output talosconfig \
$CLUSTER_NAME \
$API_ENDPOINT
```
```bash
talosctl config merge ./talosconfig
```
For controlplane nodes:
```bash
talosctl gen config \
--output rendered/master1.yaml \
--output-types controlplane \
--with-secrets secrets.yaml \
--config-patch @nodes/master1.yaml \
--config-patch @patches/argocd.yaml \
--config-patch @patches/cilium.yaml \
--config-patch @patches/scheduling.yaml \
--config-patch @patches/discovery.yaml \
--config-patch @patches/diskselector.yaml \
--config-patch @patches/vip.yaml \
$CLUSTER_NAME \
$API_ENDPOINT
```
For worker nodes:
```bash
talosctl gen config \
--output rendered/worker1.yaml \
--output-types controlplane \
--with-secrets secrets.yaml \
--config-patch @nodes/worker1.yaml \
--config-patch @patches/argocd.yaml \
--config-patch @patches/cilium.yaml \
--config-patch @patches/scheduling.yaml \
--config-patch @patches/discovery.yaml \
--config-patch @patches/diskselector.yaml \
$CLUSTER_NAME \
$API_ENDPOINT
```
## TODO
@ -65,3 +120,13 @@ User: admin, password can be retrieved with (ignore the '%' at the end):
```bash
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
```
### Certificate lifetimes
Talos Linux automatically manages and rotates all server side certificates for etcd, Kubernetes, and the Talos API. Note however that the kubelet needs to be restarted at least once a year in order for the certificates to be rotated. Any upgrade/reboot of the node will suffice for this effect.
You can check the Kubernetes certificates with the command `talosctl get KubernetesDynamicCerts -o yaml` on the controlplane.
Client certificates (talosconfig and kubeconfig) are the users responsibility. Each time you download the kubeconfig file from a Talos Linux cluster, the client certificate is regenerated giving you a kubeconfig which is valid for a year.
The talosconfig file should be renewed at least once a year, using the `talosctl config new` command.

2
talos/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
secrets.yaml
talosconfig

598
talos/controlplane.yaml
View File

@ -1,598 +0,0 @@
version: v1alpha1 # Indicates the schema used to decode the contents.
debug: false # Enable verbose logging to the console.
persist: true
# Provides machine specific configuration options.
machine:
type: controlplane # Defines the role of the machine within the cluster.
token: 3uidom.1vcwkierii21gxy7 # The `token` is used by a machine to join the PKI of the cluster.
# The root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBc2NKK2QydlFtaFRSZFZGdTBydzdoVEFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdOVEF4TVRBeE16QTJXaGNOTXpVd05ESTVNVEF4TXpBMldqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUIvZ3lFSHlMRDNJTzZTazdwaUZva0Jwc21obkxwckJMTll3Cno3K1pMbXdlbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkozUFM4YTR2NEtHd2srbQpOb0V0elpEcTlaYmFNQVVHQXl0bGNBTkJBTFo2SGZPS3A5c3kzbkcxL1Z1bVhuM2hWQjd1bGpZeW95Mkh3Qm5QClpLNFo3Sk1Yb3NEMVJOY05KdGUxQUp2Tm5NaElxbVMvamhXbjZQdCtLN1YxbWcwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJSXZLSWJITXBNNDU4SDgvY2lHUG9MRWxWdlRhV2VrNHBzM3lCYkVoUkt5WgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
# Extra certificate subject alternative names for the machine's certificate.
certSANs: []
# # Uncomment this to enable SANs.
# - 10.0.0.10
# - 172.16.0.10
# - 192.168.0.10
# Used to provide additional options to the kubelet.
kubelet:
image: ghcr.io/siderolabs/kubelet:v1.32.0 # The `image` field is an optional reference to an alternative kubelet image.
defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
# # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
# clusterDNS:
# - 10.96.0.10
# - 169.254.2.53
# # The `extraArgs` field is used to provide additional flags to the kubelet.
# extraArgs:
# key: value
# # The `extraMounts` field is used to add additional mounts to the kubelet container.
# extraMounts:
# - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
# type: bind # Type specifies the mount kind.
# source: /var/lib/example # Source specifies the source path of the mount.
# # Options are fstab style mount options.
# options:
# - bind
# - rshared
# - rw
# # The `extraConfig` field is used to provide kubelet configuration overrides.
# extraConfig:
# serverTLSBootstrap: true
# # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
# credentialProviderConfig:
# apiVersion: kubelet.config.k8s.io/v1
# kind: CredentialProviderConfig
# providers:
# - apiVersion: credentialprovider.kubelet.k8s.io/v1
# defaultCacheDuration: 12h
# matchImages:
# - '*.dkr.ecr.*.amazonaws.com'
# - '*.dkr.ecr.*.amazonaws.com.cn'
# - '*.dkr.ecr-fips.*.amazonaws.com'
# - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
# - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
# name: ecr-credential-provider
# # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
# nodeIP:
# # The `validSubnets` field configures the networks to pick kubelet node IP from.
# validSubnets:
# - 10.0.0.0/8
# - '!10.0.0.3/32'
# - fdc7::/16
# Provides machine specific network configuration options.
network: {}
# # `interfaces` is used to define the network interface configuration.
# interfaces:
# - interface: enp0s1 # The interface name.
# # Assigns static IP addresses to the interface.
# addresses:
# - 192.168.2.0/24
# # A list of routes associated with the interface.
# routes:
# - network: 0.0.0.0/0 # The route's network (destination).
# gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
# metric: 1024 # The optional metric for the route.
# mtu: 1500 # The interface's MTU.
#
# # # Picks a network device using the selector.
# # # select a device with bus prefix 00:*.
# # deviceSelector:
# # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # # Bond specific options.
# # bond:
# # # The interfaces that make up the bond.
# # interfaces:
# # - enp2s0
# # - enp2s1
# # # Picks a network device using the selector.
# # deviceSelectors:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # mode: 802.3ad # A bond option.
# # lacpRate: fast # A bond option.
# # # Bridge specific options.
# # bridge:
# # # The interfaces that make up the bridge.
# # interfaces:
# # - enxda4042ca9a51
# # - enxae2a6774c259
# # # Enable STP on this bridge.
# # stp:
# # enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
# # # Configure this device as a bridge port.
# # bridgePort:
# # master: br0 # The name of the bridge master interface
# # # Indicates if DHCP should be used to configure the interface.
# # dhcp: true
# # # DHCP specific options.
# # dhcpOptions:
# # routeMetric: 1024 # The priority of all routes received via DHCP.
# # # Wireguard specific configuration.
# # # wireguard server example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # listenPort: 51111 # Specifies a device's listening port.
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # wireguard peer example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
# # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # Virtual (shared) IP address configuration.
# # # layer2 vip example
# # vip:
# # ip: 172.16.199.55 # Specifies the IP address to be used.
# # Used to statically set the nameservers for the machine.
# nameservers:
# - 8.8.8.8
# - 1.1.1.1
# # Used to statically set arbitrary search domains.
# searchDomains:
# - example.org
# - example.com
# # Allows for extra entries to be added to the `/etc/hosts` file
# extraHostEntries:
# - ip: 192.168.1.100 # The IP of the host.
# # The host alias.
# aliases:
# - example
# - example.domain.tld
# # Configures KubeSpan feature.
# kubespan:
# enabled: true # Enable the KubeSpan feature.
# Used to provide instructions for installations.
install:
# disk: /dev/sda # The disk used for installations.
image: ghcr.io/siderolabs/installer:v1.9.0 # Allows for supplying the image used to perform the installation.
wipe: true # Indicates if the installation disk should be wiped at installation time.
# # Look up disk using disk attributes like model, size, serial and others.
diskSelector:
size: <= 1TiB # Disk size.
type: ssd
# model: WDC* # Disk model `/sys/block/<dev>/device/model`.
# busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
# # Allows for supplying extra kernel args via the bootloader.
# extraKernelArgs:
# - talos.platform=metal
# - reboot=k
# # Allows for supplying additional system extension images to install on top of base Talos image.
# extensions:
# - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
# Used to configure the machine's container image registry mirrors.
registries: {}
# # Specifies mirror configuration for each registry host namespace.
# mirrors:
# ghcr.io:
# # List of endpoints (URLs) for registry mirrors to use.
# endpoints:
# - https://registry.insecure
# - https://ghcr.io/v2/
# # Specifies TLS & auth configuration for HTTPS image registries.
# config:
# registry.insecure:
# # The TLS configuration for the registry.
# tls:
# insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
#
# # # Enable mutual TLS authentication with the registry.
# # clientIdentity:
# # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
#
# # # The auth configuration for this registry.
# # auth:
# # username: username # Optional registry authentication.
# # password: password # Optional registry authentication.
# Features describe individual Talos features that can be switched on or off.
features:
rbac: true # Enable role-based access control (RBAC).
stableHostname: true # Enable stable default hostname.
apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
# KubePrism - local proxy/load balancer on defined port that will distribute
kubePrism:
enabled: true # Enable KubePrism support - will start local load balancing proxy.
port: 7445 # KubePrism port.
# Configures host DNS caching resolver.
hostDNS:
enabled: true # Enable host DNS caching resolver.
forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
# # Configure Talos API access from Kubernetes pods.
# kubernetesTalosAPIAccess:
# enabled: true # Enable Talos API access from Kubernetes pods.
# # The list of Talos API roles which can be granted for access from Kubernetes pods.
# allowedRoles:
# - os:reader
# # The list of Kubernetes namespaces Talos API access is available from.
# allowedKubernetesNamespaces:
# - kube-system
# Configures the node labels for the machine.
nodeLabels:
node.kubernetes.io/exclude-from-external-load-balancers: ""
# # Provides machine specific control plane configuration options.
# # ControlPlane definition example.
# controlPlane:
# # Controller manager machine specific configuration options.
# controllerManager:
# disabled: false # Disable kube-controller-manager on the node.
# # Scheduler machine specific configuration options.
# scheduler:
# disabled: true # Disable kube-scheduler on the node.
# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
# # nginx static pod.
# pods:
# - apiVersion: v1
# kind: pod
# metadata:
# name: nginx
# spec:
# containers:
# - image: nginx
# name: nginx
# # Used to partition, format and mount additional disks.
# # MachineDisks list example.
# disks:
# - device: /dev/sdb # The name of the disk to use.
# # A list of partitions to create on the disk.
# partitions:
# - mountpoint: /var/mnt/extra # Where to mount the partition.
#
# # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
# # # Human readable representation.
# # size: 100 MB
# # # Precise value in bytes.
# # size: 1073741824
# # Allows the addition of user specified files.
# # MachineFiles usage example.
# files:
# - content: '...' # The contents of the file.
# permissions: 0o666 # The file's permissions in octal.
# path: /tmp/file.txt # The path of the file.
# op: append # The operation to use
# # The `env` field allows for the addition of environment variables.
# # Environment variables definition examples.
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: info
# GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
# https_proxy: http://SERVER:PORT/
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: error
# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
# env:
# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
# # Used to configure the machine's time settings.
# # Example configuration for cloudflare ntp server.
# time:
# disabled: false # Indicates if the time service is disabled for the machine.
# # description: |
# servers:
# - time.cloudflare.com
# bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
# # Used to configure the machine's sysctls.
# # MachineSysctls usage example.
# sysctls:
# kernel.domainname: talos.dev
# net.ipv4.ip_forward: "0"
# net/ipv6/conf/eth0.100/disable_ipv6: "1"
# # Used to configure the machine's sysfs.
# # MachineSysfs usage example.
# sysfs:
# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
# # Machine system disk encryption configuration.
# systemDiskEncryption:
# # Ephemeral partition encryption.
# ephemeral:
# provider: luks2 # Encryption provider to use for the encryption.
# # Defines the encryption keys generation and storage method.
# keys:
# - # Deterministically generated key from the node UUID and PartitionLabel.
# nodeID: {}
# slot: 0 # Key slot number for LUKS2 encryption.
#
# # # KMS managed encryption key.
# # kms:
# # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#
# # # Cipher kind to use for the encryption. Depends on the encryption provider.
# # cipher: aes-xts-plain64
# # # Defines the encryption sector size.
# # blockSize: 4096
# # # Additional --perf parameters for the LUKS2 encryption.
# # options:
# # - no_read_workqueue
# # - no_write_workqueue
# # Configures the udev system.
# udev:
# # List of udev rules to apply to the udev system
# rules:
# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
# # Configures the logging system.
# logging:
# # Logging destination.
# destinations:
# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
# format: json_lines # Logs format.
# # Configures the kernel.
# kernel:
# # Kernel modules to load.
# modules:
# - name: brtfs # Module name.
# # Configures the seccomp profiles for the machine.
# seccompProfiles:
# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
# # The `value` field is used to provide the seccomp profile.
# value:
# defaultAction: SCMP_ACT_LOG
# # Override (patch) settings in the default OCI runtime spec for CRI containers.
# # override default open file limit
# baseRuntimeSpecOverrides:
# process:
# rlimits:
# - hard: 1024
# soft: 1024
# type: RLIMIT_NOFILE
# # Configures the node annotations for the machine.
# # node annotations example.
# nodeAnnotations:
# customer.io/rack: r13a25
# # Configures the node taints for the machine. Effect is optional.
# # node taints example.
# nodeTaints:
# exampleTaint: exampleTaintValue:NoSchedule
# Provides cluster specific configuration options.
cluster:
id: 2nhlmlYevQvBg_85ycRHU6k13EQuzD7E23appM63huk= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
secret: Vp2u9OUmz+tAUBbMk0PKrL0QTLHZpKny5AD4L4l7RYw= # Shared secret of cluster (base64 encoded random 32 bytes).
# Provides control plane specific configuration options.
controlPlane:
endpoint: https://192.168.0.10:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
clusterName: veda # Configures the cluster's name.
# Provides cluster specific network configuration options.
network:
dnsDomain: cluster.local # The domain used by Kubernetes DNS.
# The pod subnet CIDR.
podSubnets:
- 10.244.0.0/16
# The service subnet CIDR.
serviceSubnets:
- 10.96.0.0/12
# # The CNI used.
# cni:
# name: custom # Name of CNI to use.
# # URLs containing manifests to apply for the CNI.
# urls:
# - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
token: qsuvb3.2y1ty21ec140yl45 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
secretboxEncryptionSecret: ojT/PNT9XPneOWP6udTll98G8z3OjHqMlfGlWNYnQmw= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# The base64 encoded root certificate authority used by Kubernetes.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVMrZ0F3SUJBZ0lRWlBiRENCZUdHVWN1T08zR3FaSzE4REFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTFNRFV3TVRFd01UTXdObG9YRFRNMU1EUXlPVEV3TVRNdwpObG93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCSE9SS0IxYjhUaWpNSnQzdmpuN0lhUWNsWXRpVjZuY1lrRkZ6emFqNEQ4d09pUmszNXlvam5mRDVDWDkKMGhqSThNUXA3ZzhxZ1BRSTJjQXpoaUJyVWNDallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVVWTUl3TnRCN3VhSWFhaXc5RlFnbXgvbU5TaFF3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnY3R1NGxsUHgKOXFpR2VVK280bCsrME45emY4MVdFNXh6cjh5MUhQR25wSFFDSUFYMW13RFFRYS9Sd2tCMitwQXNnS2hFRlE0ZQo3Z1BmTXBrVWtiMDZ4VmZwCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFreEkrLzVpM09CSU9mYzVKSGFSVEh4R1JLZklRRTh4N3JUVFluR2dpaTFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFYzVFb0hWdnhPS013bTNlK09mc2hwQnlWaTJKWHFkeGlRVVhQTnFQZ1B6QTZKR1RmbktpTwpkOFBrSmYzU0dNand4Q251RHlxQTlBalp3RE9HSUd0UndBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
aggregatorCA:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZVENDQVFhZ0F3SUJBZ0lSQUo3aDdWVFRrWSsyT2wrUmxrbkRSZ1l3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5UQTFNREV4TURFek1EWmFGdzB6TlRBME1qa3hNREV6TURaYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVJPWDBjMkxPSzBLOUE0OEN1alorN3dFV0pyZFBmd1ZDY3E2aTlVVE9oTGtRc1YzWW44Cmw3SzMzK1diRWVVcU9KTGUrWXNhRkhiQ3RnTXo0ZHkzOUtDdm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGTVN4K1FuRkwrWmdkbVAvaWtQRjV0Z1hjRjIwTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCklRRGRyWlpCc0FodEY1M3RFa2F1aWNld05ZSHdPWmpuV284YXdyR3BPaml2bXdJaEFPLzc5NVBJeTNmdDRsQVQKWSt5QW5kc1hrWWtmU0tDcnBja00yREViRGFuNQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdNbFgzOGNDbFhsRzRrMU1jeDdDUEN2TG5JTHFpVy9oZE9WcFd2WXI3OVpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVGw5SE5peml0Q3ZRT1BBcm8yZnU4QkZpYTNUMzhGUW5LdW92VkV6b1M1RUxGZDJKL0pleQp0OS9sbXhIbEtqaVMzdm1MR2hSMndyWURNK0hjdC9TZ3J3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded private key for service account token generation.
serviceAccount:
key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBN083YlVLRXg4Vyt1RENscTd6OG5LRUdMS0Jxb3lZdTc5NUJiVkp6bzYvWE1Od210ClFvVTRhM3htb0VKYk1MWVZLOWdEQldVU01pTk9FZHF1SjQ3WEVWc1RoRzRRQ1VsVy9oUkJ3a1FwZUh2Ykwyd2cKWXd5QkhvOXFTN2RPQUdNNjJncUl4S1dMOEw2SlZCZ2N6elhyTmt3eHBxaXhOZktIS21ERkdMWXdiTU9LbHpQdAp1alAzT00xQ0ludlhRb2hqWmNmTGRveUtCQXUxOUZkbmtGejg4WWxhNVlMR3NsaW0xaFJodXVSa2dsZlBnYzRqCmFlVGREM3c5R0lIWjFDdGVrSGhxVjFBK0lWcUV4dktpL05wVmI0eDhVQnA0cSt4MHlDNExhRldaTHphc2xhRGkKMkZaYUtXZ1Bxa25SQTZuU2VUdFlKRXJXL3Z5aVQ2QVVSbW5oemRJT3dUY0ZmNXdqa1hLc3RqV01ndnRqdnpYRApGZklSd1k5MUNrTUZtcTZxbVVabzRIZkduNWFqWHZBUlFUWkxxRWZvVXNkeURMV3k0ZEZ1ajQ3OUhKR3AvSmtMCi9xZjFqMEZpayt0NFUxZ1VFVEtzTWZhSTlvUUdLeHVhVmsvVUF0NEl2UWdvcndEUml6WUw0cjR4KzR3WjVwTnkKRDBYSGt3Z1VUbE13OGpqa09KVVZVRnBPV1VTbTJwQVAvUGVveXVuWHFqNlhmTWU3dTdjNEZ1c0k5YUpuUGxibwpRTDlWNEh2ZVZCSmhRajVIc0NCTEgyR1JDM2pxZzM5UDY4M2pHNW9QUGQ5eE5tTGpuaGxPaWFibHhRQ1VkQUFKClYzMU16QzZNbXpBc0NRS2YrVEFiK0NEcUpNQitYK0xaUTBMeWkxUXoraThjbnJQNU5MVGNQZU5UTmJVQ0F3RUEKQVFLQ0FnQUxWMCtXSjNFZGptdjFWeEl3UzRTVFQ3ZmFmcFF2dVltUXl3OGtHTEtwZ01WNnFQTHJLVGRQSmRBLwp3WTFkNG9sVzVPc1lHZ05wOVBpcXNCMy85TDFrcmtoYjRXelJGUHFlQk5nMDlWQkszUnJieFVBem5ZaWNydDYyCnF4cUh1RGc3OFo4a1VveEZSTW1NQmU5ekY3Q2ZrN3dZcnlCMFpaeUVzY2NkYkxNYXNhMXptVis2dHZ3UmN2bkUKYnNzWit5OU8wdVp4VVQ3Vi9MMkQ2WjhpY09FR3FyMTRHTzlyNEFSMFlOdGd0OGY3MlRvc2kzSjBnaWoyc2NxMgozcGhQcUpmSk1JcGVqWSs3eHZwdUQzVXZ4eitwckQ3VEVzRk44VzZSbW1xZlh1R0xPZ0crMDhtbjgxSXpnekNrCnhRM0ZNQjdNQU1ReVVJYkVBOUc5SC90NGQxOEFoSVNKbUYrTnlSMGJtalpBMmdOMlM0bDBzWGV3ckpxcVRPZWQKNnN2bGdRNEdiUFZzZnFIY3ZDMzFuRFFyNDlPZzFBSnNlb29PNy90ZUw5d3NOWmFNa2Z0UkJRYXJJd1V0OU50TwppTlk4cDE0M0xmWVE5YUJQL2J5d2cyNGZlS0RDZGZHWUJpNHhUNFcwZzNYaU5mRUZYdWdHVTdLUjNGNU0veUhICjc2NmpLSnN2L3lKU2J0TTR2RXd5d2RteDF4U2U2WnpZUTVPN1QwOTBWakVNSFlZUXo1M29lZGE1ekhJdUl0bkYKVW9pVnVQTDFaS2REbW80TG1zbHR3OUZ0OWVnUTNYTDQvam5lRUpLdHRZcnpQNVZaQm9iaEZUNFhWZWVGWU1HMApXKzV2bzlueE50UzVPSitDMHFVVWhLdU9sdHhWVGIyRmxZdmtZazRMNkU5bitreHNZUUtDQVFFQS9PeExKb1FuCkZYdlI4UjJlQ0pSeDJRUjd4SzY4bTdJbjZCNTJmS2cvaWQwM2syT0QrLzJvUGNwczcyYi9RUWl1S0YvRitsSW0KbWJOaVh6c0F0N0ZsS0hQMFZFclBwL3JOb1pub1BkY3FuZUtNYlZ6Z3JHUHVDWGFBNGdWaG1uUUlqKzN3Z0t6QwptbS9oSE1FVlVWUnpiMXB6WHJBQjFRRFh2b2hXOTlLREdDNE5jQ1gwdExUek5DN0ZPTmZ0aG96emJRNSsxSzV1CmNpWCtJeHNoN0tpZGRUWWdxOTB6VC96V0NBdDVFd1RNTkVzQ0V6d01aYThvcWJyZlF6MWN6Qnkzc0NtZmFuK0sKSUt1Y2RIa01PbmszNjh2a3R2bjVDb3dGSEFhcnBBYS9qRkx3ZUNUVk1odHRtUlV0N093Q21ZNG04TnFFRFFSQQozTFdTczlOaTFRZDZpUUtDQVFFQTc5RERoRFlYYmxoZU5IUFZKNk9VTWREc05lSW1Pa1htNDMweEZDYW5zZHRnCjkxYUYyb0JPYXYweUlkQ3Z6UHk5N1ZNanNlZmd1RlRZTnl1aTc0MTZmVGJFUXlYZmRYZWR5NytVa21ROWtib3EKUVNzc0dpTkUzUlloMmJsSFpYYVRWM3dvaExFWFJFVEYxTitaSVRKMWJpaTBHeVJYeWdwdmNIM0MySmFYcXBrNwpDQVV1cTJ2bDVraXFXYlkvMmxmOGhJN3BtcllraHlPdTZ4TU92QmpVYUdFc3RGUnlTV2NIbC91bEI5c1gvQTd1CmpVcDJlaWdOL2pCVXVzcXVaZWQxcVhEaXFlc0ovUjV3eGloQmovU3o3NmtDZ1FjcFBiaHVRdjJrcVlwdXU1NTQKM1ZpbThhK0JYTW9oYWpYSG10OWNJOHJKWGNyWWo2ajRqei9WeG9mbXpRS0NBUUVBNGxrcHpEZDZydHhYLzN2dApBV3F3RkhMUnZTeFArTnJRb2dnWksraDZySXZBZi9RUW0wVGYreVNjcHdlN0tsMTFWd2FYTERXMis5aXhFZDdBCi9xUVFqc3B1Lzd6UDZGb3BDeFdzNVNNWnJhQ2c0Z0s3d3l2UFRNSzBCeEtmemRWSUVGNzEzSUkveW15VHZ1TUIKaS82VExEVjdpR0xsME5WblBzblBZd3dQYkdWU2UycE1mQ2h3ZXVQY2RzbXZkYm5RNUdtVGtnemxKTnpoZWxOKwo0Y2ZvMm92dFkwR2IrVnFoeFNOWFlIRHJ1MlRoWDR0ZTRPV0g4NVljMXBVazVqcFJIYU95V21IM29OTlVPbHhXCldFSkJqSkcxaHhkaERGSlJCRXJuOHV4aklsYmJnL29hbmpRenVrdGRCV29Well5TlJ3R1lLZm9EZmtJMUh4L3YKbEF5VVdRS0NBUUFTRTU1cFBOcVBTc0h2R2p3YS9NMlM0N2lxWngyU2p1cFVnMzlMa1k1YWJicmxhZlExQUM3cApDYVRadjYxQXVseG1vem14azFUeEVCUXNOSEhYdE1aaTRkbnhaYzF1UVZIM3BiMUJPNlVZY3Z2MFpaaXhiNjhsCkt5SHFFM2s2UUxIaWlrMVRrelc1dzZWVjRuVGNkNzA2VEg4bS9KcFJkRy9wL3RETkdxemNBeWpiOWVnS3E5dHMKZkZXNjVXM3l1MmNoWnRSZEFSWEh5ZnpKWTJwYzYxSTNlL3V1ckI3aFFZN2srZWI2ckowbU5zbnNoSXhoc05zOQpLYzk1TlFYb1VJWWgrNHhhV29rcU56MHc4cC9laGdkNkxUY3ZHcWNWSyszRHh2SytoTnpMNzZvVXBUWVFTYlpxCmxDSG9xNTBjSTNJQ2tLcVZFMUUzb3ZqNWMwcGQ2S2lSQW9JQkFRREo4WEJ0RWJOQWM2T0VDSVNUbXFHZjFHUkkKck55NlJjNjVPdGlRNlpFZGQ5cS9DZE8wdHF1dHcwbjBpU3RsN3ZiSjJOdzhFTmIvem9WSnZGbWVCeVo1ZUlzMApTVzdrUXJuc1cvZmNCS3ZLMnk0dEJoMmsyMzY4d3AxWW1VLzZRelhPTDRqakhLKzlPOTQyT1VsbW1teVJlRWV2CjY4V09UWGQybFl3dDZhLzVGUElLZU1aYVZXemRUcjIyVHlURmlhWXF5Z3Zuc1I3YzZLWStIYmZKNmY5TVh5eUwKMUdHMWllTmNZK21tYiswM1JLUjZETVk1aHEwTjU5VFc3a3QxTG5BcHpQdlVPdVB2RnVlMTNjV1FNWUh1YjdIRQpSSTBLNk9SdzB2SmNGQngvNytJcnorOHF1bVpaUnJGM2hUSENRVlNjQXYyaVpBYXRUbFJDdS9JbXBxZUsKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
# API server specific configuration options.
apiServer:
image: registry.k8s.io/kube-apiserver:v1.32.0 # The container image used in the API server manifest.
# Extra certificate subject alternative names for the API server's certificate.
certSANs:
- 192.168.0.10
disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
# Configure the API server admission plugins.
admissionControl:
- name: PodSecurity # Name is the name of the admission controller.
# Configuration is an embedded configuration object to be used as the plugin's
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
defaults:
audit: restricted
audit-version: latest
enforce: baseline
enforce-version: latest
warn: restricted
warn-version: latest
exemptions:
namespaces:
- kube-system
runtimeClasses: []
usernames: []
kind: PodSecurityConfiguration
# Configure the API server audit policy.
auditPolicy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
# # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
# authorizationConfig:
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
# name: webhook # Name is used to describe the authorizer.
# # webhook is the configuration for the webhook authorizer.
# webhook:
# connectionInfo:
# type: InClusterConfig
# failurePolicy: Deny
# matchConditionSubjectAccessReviewVersion: v1
# matchConditions:
# - expression: has(request.resourceAttributes)
# - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
# subjectAccessReviewVersion: v1
# timeout: 3s
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
# name: in-cluster-authorizer # Name is used to describe the authorizer.
# # webhook is the configuration for the webhook authorizer.
# webhook:
# connectionInfo:
# type: InClusterConfig
# failurePolicy: NoOpinion
# matchConditionSubjectAccessReviewVersion: v1
# subjectAccessReviewVersion: v1
# timeout: 3s
# Controller manager server specific configuration options.
controllerManager:
image: registry.k8s.io/kube-controller-manager:v1.32.0 # The container image used in the controller manager manifest.
# Kube-proxy server-specific configuration options
proxy:
image: registry.k8s.io/kube-proxy:v1.32.0 # The container image used in the kube-proxy manifest.
# # Disable kube-proxy deployment on cluster bootstrap.
# disabled: false
# Scheduler server specific configuration options.
scheduler:
image: registry.k8s.io/kube-scheduler:v1.32.0 # The container image used in the scheduler manifest.
# Configures cluster member discovery.
discovery:
enabled: true # Enable the cluster membership discovery feature.
# Configure registries used for cluster member discovery.
registries:
# Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
kubernetes:
disabled: true # Disable Kubernetes discovery registry.
# Service registry is using an external service to push and pull information about cluster members.
service: {}
# # External service endpoint.
# endpoint: https://discovery.talos.dev/
# Etcd specific configuration options.
etcd:
# The `ca` is the root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmekNDQVNTZ0F3SUJBZ0lSQU5xaTJoai9LTkt3cmcrTTZyeHQ1YXN3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TlRBMU1ERXhNREV6TURaYUZ3MHpOVEEwTWpreE1ERXpNRFphTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRelJzakZZV3BlCk5YMDlQWHJMeW1CUldyMEpGcGNkaCs0QUhTaEtPbXh6NzFaUGw2R2U4aGdjWlVJSGxIM2kzUE1uUERsTE9vdDkKMjc2UEU5REc0bG81bzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk8zNlU0RTNONk1HCkMraUM0QXN0YTVRMmphK0ZNQW9HQ0NxR1NNNDlCQU1DQTBrQU1FWUNJUUNJRDlLeXJOczZ6RFp0KzVDaFV6QjgKNEgyV2Y4MG40c0ljYWlzRU16em5CZ0loQVA5V0VXcTZkNlZpdjNacENsK3JXcWdLS2MvaTlrVG5pdHdPZ0tjZwozdmlXCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU9MakJYbFFlNzdxSVRjNktnTVFzWlhqQVF5Y0JRa3Q0YVZaYzg1YkM2aXZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFTTBiSXhXRnFYalY5UFQxNnk4cGdVVnE5Q1JhWEhZZnVBQjBvU2pwc2MrOVdUNWVobnZJWQpIR1ZDQjVSOTR0enpKenc1U3pxTGZkdStqeFBReHVKYU9RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# # The container image used to create the etcd service.
# image: gcr.io/etcd-development/etcd:v3.5.17
# # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
# advertisedSubnets:
# - 10.0.0.0/8
# A list of urls that point to additional manifests.
extraManifests: []
# - https://www.example.com/manifest1.yaml
# - https://www.example.com/manifest2.yaml
# A list of inline Kubernetes manifests.
inlineManifests: []
# - name: namespace-ci # Name of the manifest.
# contents: |- # Manifest contents as a string.
# apiVersion: v1
# kind: Namespace
# metadata:
# name: ci
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # Core DNS specific configuration options.
# coreDNS:
# image: registry.k8s.io/coredns/coredns:v1.12.0 # The `image` field is an override to the default coredns image.
# # External cloud provider configuration.
# externalCloudProvider:
# enabled: true # Enable external cloud provider.
# # A list of urls that point to additional manifests for an external cloud provider.
# manifests:
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
# # A map of key value pairs that will be added while fetching the extraManifests.
# extraManifestHeaders:
# Token: "1234567"
# X-ExtraInfo: info
# # Settings for admin kubeconfig generation.
# adminKubeconfig:
# certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
# # Allows running workload on control-plane nodes.
allowSchedulingOnControlPlanes: true

3
talos/nodes/master1.yaml Normal file
View File

@ -0,0 +1,3 @@
machine:
network:
hostname: master1

3
talos/nodes/master2.yaml Normal file
View File

@ -0,0 +1,3 @@
machine:
network:
hostname: master2

3
talos/nodes/master3.yaml Normal file
View File

@ -0,0 +1,3 @@
machine:
network:
hostname: master3

3
talos/nodes/veda-1.yaml
View File

@ -1,3 +0,0 @@
machine:
network:
hostname: veda-1

3
talos/nodes/veda-2.yaml
View File

@ -1,3 +0,0 @@
machine:
network:
hostname: veda-2

3
talos/nodes/veda-3.yaml
View File

@ -1,3 +0,0 @@
machine:
network:
hostname: veda-3

3
talos/nodes/veda-4.yaml
View File

@ -1,3 +0,0 @@
machine:
network:
hostname: veda-4

3
talos/nodes/worker1.yaml Normal file
View File

@ -0,0 +1,3 @@
machine:
network:
hostname: worker1

3
talos/patches/discovery.yaml Normal file
View File

@ -0,0 +1,3 @@
cluster:
discovery:
enabled: false

5
talos/patches/diskselector.yaml Normal file
View File

@ -0,0 +1,5 @@
machine:
install:
diskSelector:
size: <= 1TiB
type: ssd

2
talos/patches/scheduling.yaml Normal file
View File

@ -0,0 +1,2 @@
cluster:
allowSchedulingOnControlPlanes: true

8
talos/patches/vip.yaml Normal file
View File

@ -0,0 +1,8 @@
machine:
network:
interfaces:
- deviceSelector:
busPath: "0*" # should select any hardware network device, if you have just one, it will be selected
dhcp: true
vip:
ip: 192.168.0.1

1
talos/rendered/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.yaml

627
talos/worker.yaml
View File

@ -1,627 +0,0 @@
version: v1alpha1 # Indicates the schema used to decode the contents.
debug: false # Enable verbose logging to the console.
persist: true
# Provides machine specific configuration options.
machine:
type: worker # Defines the role of the machine within the cluster.
token: 3uidom.1vcwkierii21gxy7 # The `token` is used by a machine to join the PKI of the cluster.
# The root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBc2NKK2QydlFtaFRSZFZGdTBydzdoVEFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdOVEF4TVRBeE16QTJXaGNOTXpVd05ESTVNVEF4TXpBMldqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUIvZ3lFSHlMRDNJTzZTazdwaUZva0Jwc21obkxwckJMTll3Cno3K1pMbXdlbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkozUFM4YTR2NEtHd2srbQpOb0V0elpEcTlaYmFNQVVHQXl0bGNBTkJBTFo2SGZPS3A5c3kzbkcxL1Z1bVhuM2hWQjd1bGpZeW95Mkh3Qm5QClpLNFo3Sk1Yb3NEMVJOY05KdGUxQUp2Tm5NaElxbVMvamhXbjZQdCtLN1YxbWcwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: ""
# Extra certificate subject alternative names for the machine's certificate.
certSANs: []
# # Uncomment this to enable SANs.
# - 10.0.0.10
# - 172.16.0.10
# - 192.168.0.10
# Used to provide additional options to the kubelet.
kubelet:
image: ghcr.io/siderolabs/kubelet:v1.32.0 # The `image` field is an optional reference to an alternative kubelet image.
defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
# # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
# clusterDNS:
# - 10.96.0.10
# - 169.254.2.53
# # The `extraArgs` field is used to provide additional flags to the kubelet.
# extraArgs:
# key: value
# # The `extraMounts` field is used to add additional mounts to the kubelet container.
# extraMounts:
# - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
# type: bind # Type specifies the mount kind.
# source: /var/lib/example # Source specifies the source path of the mount.
# # Options are fstab style mount options.
# options:
# - bind
# - rshared
# - rw
# # The `extraConfig` field is used to provide kubelet configuration overrides.
# extraConfig:
# serverTLSBootstrap: true
# # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
# credentialProviderConfig:
# apiVersion: kubelet.config.k8s.io/v1
# kind: CredentialProviderConfig
# providers:
# - apiVersion: credentialprovider.kubelet.k8s.io/v1
# defaultCacheDuration: 12h
# matchImages:
# - '*.dkr.ecr.*.amazonaws.com'
# - '*.dkr.ecr.*.amazonaws.com.cn'
# - '*.dkr.ecr-fips.*.amazonaws.com'
# - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
# - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
# name: ecr-credential-provider
# # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
# nodeIP:
# # The `validSubnets` field configures the networks to pick kubelet node IP from.
# validSubnets:
# - 10.0.0.0/8
# - '!10.0.0.3/32'
# - fdc7::/16
# Provides machine specific network configuration options.
network: {}
# # `interfaces` is used to define the network interface configuration.
# interfaces:
# - interface: enp0s1 # The interface name.
# # Assigns static IP addresses to the interface.
# addresses:
# - 192.168.2.0/24
# # A list of routes associated with the interface.
# routes:
# - network: 0.0.0.0/0 # The route's network (destination).
# gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
# metric: 1024 # The optional metric for the route.
# mtu: 1500 # The interface's MTU.
#
# # # Picks a network device using the selector.
# # # select a device with bus prefix 00:*.
# # deviceSelector:
# # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # # Bond specific options.
# # bond:
# # # The interfaces that make up the bond.
# # interfaces:
# # - enp2s0
# # - enp2s1
# # # Picks a network device using the selector.
# # deviceSelectors:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
# # driver: virtio_net # Kernel driver, supports matching by wildcard.
# # mode: 802.3ad # A bond option.
# # lacpRate: fast # A bond option.
# # # Bridge specific options.
# # bridge:
# # # The interfaces that make up the bridge.
# # interfaces:
# # - enxda4042ca9a51
# # - enxae2a6774c259
# # # Enable STP on this bridge.
# # stp:
# # enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
# # # Configure this device as a bridge port.
# # bridgePort:
# # master: br0 # The name of the bridge master interface
# # # Indicates if DHCP should be used to configure the interface.
# # dhcp: true
# # # DHCP specific options.
# # dhcpOptions:
# # routeMetric: 1024 # The priority of all routes received via DHCP.
# # # Wireguard specific configuration.
# # # wireguard server example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # listenPort: 51111 # Specifies a device's listening port.
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # wireguard peer example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
# # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # Virtual (shared) IP address configuration.
# # # layer2 vip example
# # vip:
# # ip: 172.16.199.55 # Specifies the IP address to be used.
# # Used to statically set the nameservers for the machine.
# nameservers:
# - 8.8.8.8
# - 1.1.1.1
# # Used to statically set arbitrary search domains.
# searchDomains:
# - example.org
# - example.com
# # Allows for extra entries to be added to the `/etc/hosts` file
# extraHostEntries:
# - ip: 192.168.1.100 # The IP of the host.
# # The host alias.
# aliases:
# - example
# - example.domain.tld
# # Configures KubeSpan feature.
# kubespan:
# enabled: true # Enable the KubeSpan feature.
# Used to provide instructions for installations.
install:
# disk: /dev/sda # The disk used for installations.
image: ghcr.io/siderolabs/installer:v1.9.0 # Allows for supplying the image used to perform the installation.
wipe: false # Indicates if the installation disk should be wiped at installation time.
# # Look up disk using disk attributes like model, size, serial and others.
diskSelector:
size: '<= 1TB' # Disk size.
type: ssd
# model: WDC* # Disk model `/sys/block/<dev>/device/model`.
# busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
# # Allows for supplying extra kernel args via the bootloader.
# extraKernelArgs:
# - talos.platform=metal
# - reboot=k
# # Allows for supplying additional system extension images to install on top of base Talos image.
# extensions:
# - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
# Used to configure the machine's container image registry mirrors.
registries: {}
# # Specifies mirror configuration for each registry host namespace.
# mirrors:
# ghcr.io:
# # List of endpoints (URLs) for registry mirrors to use.
# endpoints:
# - https://registry.insecure
# - https://ghcr.io/v2/
# # Specifies TLS & auth configuration for HTTPS image registries.
# config:
# registry.insecure:
# # The TLS configuration for the registry.
# tls:
# insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
#
# # # Enable mutual TLS authentication with the registry.
# # clientIdentity:
# # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
#
# # # The auth configuration for this registry.
# # auth:
# # username: username # Optional registry authentication.
# # password: password # Optional registry authentication.
# Features describe individual Talos features that can be switched on or off.
features:
rbac: true # Enable role-based access control (RBAC).
stableHostname: true # Enable stable default hostname.
apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
# KubePrism - local proxy/load balancer on defined port that will distribute
kubePrism:
enabled: true # Enable KubePrism support - will start local load balancing proxy.
port: 7445 # KubePrism port.
# Configures host DNS caching resolver.
hostDNS:
enabled: true # Enable host DNS caching resolver.
forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
# # Configure Talos API access from Kubernetes pods.
# kubernetesTalosAPIAccess:
# enabled: true # Enable Talos API access from Kubernetes pods.
# # The list of Talos API roles which can be granted for access from Kubernetes pods.
# allowedRoles:
# - os:reader
# # The list of Kubernetes namespaces Talos API access is available from.
# allowedKubernetesNamespaces:
# - kube-system
# # Provides machine specific control plane configuration options.
# # ControlPlane definition example.
# controlPlane:
# # Controller manager machine specific configuration options.
# controllerManager:
# disabled: false # Disable kube-controller-manager on the node.
# # Scheduler machine specific configuration options.
# scheduler:
# disabled: true # Disable kube-scheduler on the node.
# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
# # nginx static pod.
# pods:
# - apiVersion: v1
# kind: pod
# metadata:
# name: nginx
# spec:
# containers:
# - image: nginx
# name: nginx
# # Used to partition, format and mount additional disks.
# # MachineDisks list example.
# disks:
# - device: /dev/sdb # The name of the disk to use.
# # A list of partitions to create on the disk.
# partitions:
# - mountpoint: /var/mnt/extra # Where to mount the partition.
#
# # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
# # # Human readable representation.
# # size: 100 MB
# # # Precise value in bytes.
# # size: 1073741824
# # Allows the addition of user specified files.
# # MachineFiles usage example.
# files:
# - content: '...' # The contents of the file.
# permissions: 0o666 # The file's permissions in octal.
# path: /tmp/file.txt # The path of the file.
# op: append # The operation to use
# # The `env` field allows for the addition of environment variables.
# # Environment variables definition examples.
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: info
# GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
# https_proxy: http://SERVER:PORT/
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: error
# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
# env:
# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
# # Used to configure the machine's time settings.
# # Example configuration for cloudflare ntp server.
# time:
# disabled: false # Indicates if the time service is disabled for the machine.
# # description: |
# servers:
# - time.cloudflare.com
# bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
# # Used to configure the machine's sysctls.
# # MachineSysctls usage example.
# sysctls:
# kernel.domainname: talos.dev
# net.ipv4.ip_forward: "0"
# net/ipv6/conf/eth0.100/disable_ipv6: "1"
# # Used to configure the machine's sysfs.
# # MachineSysfs usage example.
# sysfs:
# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
# # Machine system disk encryption configuration.
# systemDiskEncryption:
# # Ephemeral partition encryption.
# ephemeral:
# provider: luks2 # Encryption provider to use for the encryption.
# # Defines the encryption keys generation and storage method.
# keys:
# - # Deterministically generated key from the node UUID and PartitionLabel.
# nodeID: {}
# slot: 0 # Key slot number for LUKS2 encryption.
#
# # # KMS managed encryption key.
# # kms:
# # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#
# # # Cipher kind to use for the encryption. Depends on the encryption provider.
# # cipher: aes-xts-plain64
# # # Defines the encryption sector size.
# # blockSize: 4096
# # # Additional --perf parameters for the LUKS2 encryption.
# # options:
# # - no_read_workqueue
# # - no_write_workqueue
# # Configures the udev system.
# udev:
# # List of udev rules to apply to the udev system
# rules:
# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
# # Configures the logging system.
# logging:
# # Logging destination.
# destinations:
# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
# format: json_lines # Logs format.
# # Configures the kernel.
# kernel:
# # Kernel modules to load.
# modules:
# - name: brtfs # Module name.
# # Configures the seccomp profiles for the machine.
# seccompProfiles:
# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
# # The `value` field is used to provide the seccomp profile.
# value:
# defaultAction: SCMP_ACT_LOG
# # Override (patch) settings in the default OCI runtime spec for CRI containers.
# # override default open file limit
# baseRuntimeSpecOverrides:
# process:
# rlimits:
# - hard: 1024
# soft: 1024
# type: RLIMIT_NOFILE
# # Configures the node labels for the machine.
# # node labels example.
# nodeLabels:
# exampleLabel: exampleLabelValue
# # Configures the node annotations for the machine.
# # node annotations example.
# nodeAnnotations:
# customer.io/rack: r13a25
# # Configures the node taints for the machine. Effect is optional.
# # node taints example.
# nodeTaints:
# exampleTaint: exampleTaintValue:NoSchedule
# Provides cluster specific configuration options.
cluster:
id: 2nhlmlYevQvBg_85ycRHU6k13EQuzD7E23appM63huk= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
secret: Vp2u9OUmz+tAUBbMk0PKrL0QTLHZpKny5AD4L4l7RYw= # Shared secret of cluster (base64 encoded random 32 bytes).
# Provides control plane specific configuration options.
controlPlane:
endpoint: https://192.168.0.10:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
clusterName: veda # Configures the cluster's name.
# Provides cluster specific network configuration options.
network:
dnsDomain: cluster.local # The domain used by Kubernetes DNS.
# The pod subnet CIDR.
podSubnets:
- 10.244.0.0/16
# The service subnet CIDR.
serviceSubnets:
- 10.96.0.0/12
# # The CNI used.
# cni:
# name: custom # Name of CNI to use.
# # URLs containing manifests to apply for the CNI.
# urls:
# - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
token: qsuvb3.2y1ty21ec140yl45 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
# The base64 encoded root certificate authority used by Kubernetes.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpRENDQVMrZ0F3SUJBZ0lRWlBiRENCZUdHVWN1T08zR3FaSzE4REFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTFNRFV3TVRFd01UTXdObG9YRFRNMU1EUXlPVEV3TVRNdwpObG93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCSE9SS0IxYjhUaWpNSnQzdmpuN0lhUWNsWXRpVjZuY1lrRkZ6emFqNEQ4d09pUmszNXlvam5mRDVDWDkKMGhqSThNUXA3ZzhxZ1BRSTJjQXpoaUJyVWNDallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVVWTUl3TnRCN3VhSWFhaXc5RlFnbXgvbU5TaFF3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnY3R1NGxsUHgKOXFpR2VVK280bCsrME45emY4MVdFNXh6cjh5MUhQR25wSFFDSUFYMW13RFFRYS9Sd2tCMitwQXNnS2hFRlE0ZQo3Z1BmTXBrVWtiMDZ4VmZwCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
key: ""
# Configures cluster member discovery.
discovery:
enabled: true # Enable the cluster membership discovery feature.
# Configure registries used for cluster member discovery.
registries:
# Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
kubernetes:
disabled: true # Disable Kubernetes discovery registry.
# Service registry is using an external service to push and pull information about cluster members.
service: {}
# # External service endpoint.
# endpoint: https://discovery.talos.dev/
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
# # AggregatorCA example.
# aggregatorCA:
# crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
# # The base64 encoded private key for service account token generation.
# # AggregatorCA example.
# serviceAccount:
# key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
# # API server specific configuration options.
# apiServer:
# image: registry.k8s.io/kube-apiserver:v1.32.0 # The container image used in the API server manifest.
# # Extra arguments to supply to the API server.
# extraArgs:
# feature-gates: ServerSideApply=true
# http2-max-streams-per-connection: "32"
# # Extra certificate subject alternative names for the API server's certificate.
# certSANs:
# - 1.2.3.4
# - 4.5.6.7
# # Configure the API server admission plugins.
# admissionControl:
# - name: PodSecurity # Name is the name of the admission controller.
# # Configuration is an embedded configuration object to be used as the plugin's
# configuration:
# apiVersion: pod-security.admission.config.k8s.io/v1alpha1
# defaults:
# audit: restricted
# audit-version: latest
# enforce: baseline
# enforce-version: latest
# warn: restricted
# warn-version: latest
# exemptions:
# namespaces:
# - kube-system
# runtimeClasses: []
# usernames: []
# kind: PodSecurityConfiguration
# # Configure the API server audit policy.
# auditPolicy:
# apiVersion: audit.k8s.io/v1
# kind: Policy
# rules:
# - level: Metadata
# # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
# authorizationConfig:
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
# name: webhook # Name is used to describe the authorizer.
# # webhook is the configuration for the webhook authorizer.
# webhook:
# connectionInfo:
# type: InClusterConfig
# failurePolicy: Deny
# matchConditionSubjectAccessReviewVersion: v1
# matchConditions:
# - expression: has(request.resourceAttributes)
# - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
# subjectAccessReviewVersion: v1
# timeout: 3s
# - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
# name: in-cluster-authorizer # Name is used to describe the authorizer.
# # webhook is the configuration for the webhook authorizer.
# webhook:
# connectionInfo:
# type: InClusterConfig
# failurePolicy: NoOpinion
# matchConditionSubjectAccessReviewVersion: v1
# subjectAccessReviewVersion: v1
# timeout: 3s
# # Controller manager server specific configuration options.
# controllerManager:
# image: registry.k8s.io/kube-controller-manager:v1.32.0 # The container image used in the controller manager manifest.
# # Extra arguments to supply to the controller manager.
# extraArgs:
# feature-gates: ServerSideApply=true
# # Kube-proxy server-specific configuration options
# proxy:
# disabled: false # Disable kube-proxy deployment on cluster bootstrap.
# image: registry.k8s.io/kube-proxy:v1.32.0 # The container image used in the kube-proxy manifest.
# mode: ipvs # proxy mode of kube-proxy.
# # Extra arguments to supply to kube-proxy.
# extraArgs:
# proxy-mode: iptables
# # Scheduler server specific configuration options.
# scheduler:
# image: registry.k8s.io/kube-scheduler:v1.32.0 # The container image used in the scheduler manifest.
# # Extra arguments to supply to the scheduler.
# extraArgs:
# feature-gates: AllBeta=true
# # Etcd specific configuration options.
# etcd:
# image: gcr.io/etcd-development/etcd:v3.5.17 # The container image used to create the etcd service.
# # The `ca` is the root certificate authority of the PKI.
# ca:
# crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
# # Extra arguments to supply to etcd.
# extraArgs:
# election-timeout: "5000"
# # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
# advertisedSubnets:
# - 10.0.0.0/8
# # Core DNS specific configuration options.
# coreDNS:
# image: registry.k8s.io/coredns/coredns:v1.12.0 # The `image` field is an override to the default coredns image.
# # External cloud provider configuration.
# externalCloudProvider:
# enabled: true # Enable external cloud provider.
# # A list of urls that point to additional manifests for an external cloud provider.
# manifests:
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
# # A list of urls that point to additional manifests.
# extraManifests:
# - https://www.example.com/manifest1.yaml
# - https://www.example.com/manifest2.yaml
# # A map of key value pairs that will be added while fetching the extraManifests.
# extraManifestHeaders:
# Token: "1234567"
# X-ExtraInfo: info
# # A list of inline Kubernetes manifests.
# inlineManifests:
# - name: namespace-ci # Name of the manifest.
# contents: |- # Manifest contents as a string.
# apiVersion: v1
# kind: Namespace
# metadata:
# name: ci
# # Settings for admin kubeconfig generation.
# adminKubeconfig:
# certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
# # Allows running workload on control-plane nodes.
# allowSchedulingOnControlPlanes: true