diff --git a/control_plane/configs/controlplane.yaml b/control_plane/configs/controlplane.yaml deleted file mode 100644 index aed9b43..0000000 --- a/control_plane/configs/controlplane.yaml +++ /dev/null @@ -1,551 +0,0 @@ -version: v1alpha1 # Indicates the schema used to decode the contents. -debug: false # Enable verbose logging to the console. -persist: true -# Provides machine specific configuration options. -machine: - type: controlplane # Defines the role of the machine within the cluster. - token: bflu6g.99igvodochnec0ru # The `token` is used by a machine to join the PKI of the cluster. - # The root certificate authority of the PKI. - ca: - crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBOEMwVGY0M25HaXpBQ0xZZ3JtQU95akFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdPVEk1TURNMU1USXdXaGNOTXpVd09USTNNRE0xTVRJd1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUY0WTh2WDlJS2lSd2FTSllWMjYwREF2VFlwRGhJRzV5SytQCnZDZmIyQklKbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkhVNTgvV3cvQys0QmR1ZgowdlRsT0hJa3cwTm1NQVVHQXl0bGNBTkJBR3NReW1Pb3FUSnRwbHpId3pSWjU1TEdGdUdJSGJ4RmFKVG14TDFXCkZiWTRtNzlsR2syVjBGUDdjL2Q0dnF0Q0dDQ0FJRHpzK01IOUlKZFFRUTdqdXc4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQjY5WkMxYjN2NDFMZ1hwanB6RE4vVFp1ZnNyUytyWVhoWVZ6UzhFdzR2TQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K - # Extra certificate subject alternative names for the machine's certificate. - certSANs: [] - # # Uncomment this to enable SANs. - # - 10.0.0.10 - # - 172.16.0.10 - # - 192.168.0.10 - - # Used to provide additional options to the kubelet. - kubelet: - image: ghcr.io/siderolabs/kubelet:v1.34.0 # The `image` field is an optional reference to an alternative kubelet image. - defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile. - disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. - - # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. - # clusterDNS: - # - 10.96.0.10 - # - 169.254.2.53 - - # # The `extraArgs` field is used to provide additional flags to the kubelet. - # extraArgs: - # key: value - - # # The `extraMounts` field is used to add additional mounts to the kubelet container. - # extraMounts: - # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. - # type: bind # Type specifies the mount kind. - # source: /var/lib/example # Source specifies the source path of the mount. - # # Options are fstab style mount options. - # options: - # - bind - # - rshared - # - rw - - # # The `extraConfig` field is used to provide kubelet configuration overrides. - # extraConfig: - # serverTLSBootstrap: true - - # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. - # credentialProviderConfig: - # apiVersion: kubelet.config.k8s.io/v1 - # kind: CredentialProviderConfig - # providers: - # - apiVersion: credentialprovider.kubelet.k8s.io/v1 - # defaultCacheDuration: 12h - # matchImages: - # - '*.dkr.ecr.*.amazonaws.com' - # - '*.dkr.ecr.*.amazonaws.com.cn' - # - '*.dkr.ecr-fips.*.amazonaws.com' - # - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov' - # - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov' - # name: ecr-credential-provider - - # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. - # nodeIP: - # # The `validSubnets` field configures the networks to pick kubelet node IP from. - # validSubnets: - # - 10.0.0.0/8 - # - '!10.0.0.3/32' - # - fdc7::/16 - # Provides machine specific network configuration options. - network: {} - # # `interfaces` is used to define the network interface configuration. - # interfaces: - # - interface: enp0s1 # The interface name. - # # Assigns static IP addresses to the interface. - # addresses: - # - 192.168.2.0/24 - # # A list of routes associated with the interface. - # routes: - # - network: 0.0.0.0/0 # The route's network (destination). - # gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route). - # metric: 1024 # The optional metric for the route. - # mtu: 1500 # The interface's MTU. - # - # # # Picks a network device using the selector. - - # # # select a device with bus prefix 00:*. - # # deviceSelector: - # # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. - # # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver. - # # deviceSelector: - # # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. - # # driver: virtio_net # Kernel driver, supports matching by wildcard. - # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver. - # # deviceSelector: - # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. - # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. - # # driver: virtio_net # Kernel driver, supports matching by wildcard. - - # # # Bond specific options. - # # bond: - # # # The interfaces that make up the bond. - # # interfaces: - # # - enp2s0 - # # - enp2s1 - # # # Picks a network device using the selector. - # # deviceSelectors: - # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. - # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. - # # driver: virtio_net # Kernel driver, supports matching by wildcard. - # # mode: 802.3ad # A bond option. - # # lacpRate: fast # A bond option. - - # # # Bridge specific options. - # # bridge: - # # # The interfaces that make up the bridge. - # # interfaces: - # # - enxda4042ca9a51 - # # - enxae2a6774c259 - # # # Enable STP on this bridge. - # # stp: - # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled. - - # # # Configure this device as a bridge port. - # # bridgePort: - # # master: br0 # The name of the bridge master interface - - # # # Indicates if DHCP should be used to configure the interface. - # # dhcp: true - - # # # DHCP specific options. - # # dhcpOptions: - # # routeMetric: 1024 # The priority of all routes received via DHCP. - - # # # Wireguard specific configuration. - - # # # wireguard server example - # # wireguard: - # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). - # # listenPort: 51111 # Specifies a device's listening port. - # # # Specifies a list of peer configurations to apply to a device. - # # peers: - # # - publicKey: ABCDEF... # Specifies the public key of this peer. - # # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry. - # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. - # # allowedIPs: - # # - 192.168.1.0/24 - # # # wireguard peer example - # # wireguard: - # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). - # # # Specifies a list of peer configurations to apply to a device. - # # peers: - # # - publicKey: ABCDEF... # Specifies the public key of this peer. - # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry. - # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer. - # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. - # # allowedIPs: - # # - 192.168.1.0/24 - - # # # Virtual (shared) IP address configuration. - - # # # layer2 vip example - # # vip: - # # ip: 172.16.199.55 # Specifies the IP address to be used. - - # # Used to statically set the nameservers for the machine. - # nameservers: - # - 8.8.8.8 - # - 1.1.1.1 - - # # Used to statically set arbitrary search domains. - # searchDomains: - # - example.org - # - example.com - - # # Allows for extra entries to be added to the `/etc/hosts` file - # extraHostEntries: - # - ip: 192.168.1.100 # The IP of the host. - # # The host alias. - # aliases: - # - example - # - example.domain.tld - - # # Configures KubeSpan feature. - # kubespan: - # enabled: true # Enable the KubeSpan feature. - - # Used to provide instructions for installations. - install: - disk: /dev/sda # The disk used for installations. - image: ghcr.io/siderolabs/installer:v1.11.1 # Allows for supplying the image used to perform the installation. - wipe: false # Indicates if the installation disk should be wiped at installation time. - - # # Look up disk using disk attributes like model, size, serial and others. - # diskSelector: - # size: 4GB # Disk size. - # model: WDC* # Disk model `/sys/block//device/model`. - # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path. - - # # Allows for supplying extra kernel args via the bootloader. - # extraKernelArgs: - # - talos.platform=metal - # - reboot=k - # Used to configure the machine's container image registry mirrors. - registries: {} - # # Specifies mirror configuration for each registry host namespace. - # mirrors: - # ghcr.io: - # # List of endpoints (URLs) for registry mirrors to use. - # endpoints: - # - https://registry.insecure - # - https://ghcr.io/v2/ - - # # Specifies TLS & auth configuration for HTTPS image registries. - # config: - # registry.insecure: - # # The TLS configuration for the registry. - # tls: - # insecureSkipVerify: true # Skip TLS server certificate verification (not recommended). - # - # # # Enable mutual TLS authentication with the registry. - # # clientIdentity: - # # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t - # # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== - # - # # # The auth configuration for this registry. - # # auth: - # # username: username # Optional registry authentication. - # # password: password # Optional registry authentication. - - # Features describe individual Talos features that can be switched on or off. - features: - rbac: true # Enable role-based access control (RBAC). - stableHostname: true # Enable stable default hostname. - apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid. - diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks. - # KubePrism - local proxy/load balancer on defined port that will distribute - kubePrism: - enabled: true # Enable KubePrism support - will start local load balancing proxy. - port: 7445 # KubePrism port. - # Configures host DNS caching resolver. - hostDNS: - enabled: true # Enable host DNS caching resolver. - forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods. - - # # Configure Talos API access from Kubernetes pods. - # kubernetesTalosAPIAccess: - # enabled: true # Enable Talos API access from Kubernetes pods. - # # The list of Talos API roles which can be granted for access from Kubernetes pods. - # allowedRoles: - # - os:reader - # # The list of Kubernetes namespaces Talos API access is available from. - # allowedKubernetesNamespaces: - # - kube-system - # Configures the node labels for the machine. - nodeLabels: - node.kubernetes.io/exclude-from-external-load-balancers: "" - - # # Provides machine specific control plane configuration options. - - # # ControlPlane definition example. - # controlPlane: - # # Controller manager machine specific configuration options. - # controllerManager: - # disabled: false # Disable kube-controller-manager on the node. - # # Scheduler machine specific configuration options. - # scheduler: - # disabled: true # Disable kube-scheduler on the node. - - # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. - - # # nginx static pod. - # pods: - # - apiVersion: v1 - # kind: pod - # metadata: - # name: nginx - # spec: - # containers: - # - image: nginx - # name: nginx - - # # Allows the addition of user specified files. - - # # MachineFiles usage example. - # files: - # - content: '...' # The contents of the file. - # permissions: 0o666 # The file's permissions in octal. - # path: /tmp/file.txt # The path of the file. - # op: append # The operation to use - - # # The `env` field allows for the addition of environment variables. - - # # Environment variables definition examples. - # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: info - # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" - # https_proxy: http://SERVER:PORT/ - # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: error - # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ - # env: - # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ - - # # Used to configure the machine's time settings. - - # # Example configuration for cloudflare ntp server. - # time: - # disabled: false # Indicates if the time service is disabled for the machine. - # # description: | - # servers: - # - time.cloudflare.com - # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. - - # # Used to configure the machine's sysctls. - - # # MachineSysctls usage example. - # sysctls: - # kernel.domainname: talos.dev - # net.ipv4.ip_forward: "0" - # net/ipv6/conf/eth0.100/disable_ipv6: "1" - - # # Used to configure the machine's sysfs. - - # # MachineSysfs usage example. - # sysfs: - # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance - - # # Configures the udev system. - # udev: - # # List of udev rules to apply to the udev system - # rules: - # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" - - # # Configures the logging system. - # logging: - # # Logging destination. - # destinations: - # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". - # format: json_lines # Logs format. - - # # Configures the kernel. - # kernel: - # # Kernel modules to load. - # modules: - # - name: brtfs # Module name. - - # # Configures the seccomp profiles for the machine. - # seccompProfiles: - # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. - # # The `value` field is used to provide the seccomp profile. - # value: - # defaultAction: SCMP_ACT_LOG - - # # Override (patch) settings in the default OCI runtime spec for CRI containers. - - # # override default open file limit - # baseRuntimeSpecOverrides: - # process: - # rlimits: - # - hard: 1024 - # soft: 1024 - # type: RLIMIT_NOFILE - - # # Configures the node annotations for the machine. - - # # node annotations example. - # nodeAnnotations: - # customer.io/rack: r13a25 - - # # Configures the node taints for the machine. Effect is optional. - - # # node taints example. - # nodeTaints: - # exampleTaint: exampleTaintValue:NoSchedule -# Provides cluster specific configuration options. -cluster: - id: 9CwSQ5eKI6v0A88QYbtQkRLQhISrpgaaqc-myRPPMtk= # Globally unique identifier for this cluster (base64 encoded random 32 bytes). - secret: lZSNX+ZotNqqEBKUVsuiPipQG+OC9/xSRRqEMi3IEI0= # Shared secret of cluster (base64 encoded random 32 bytes). - # Provides control plane specific configuration options. - controlPlane: - endpoint: https://10.5.0.2:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. - clusterName: evo-npcs-clust # Configures the cluster's name. - # Provides cluster specific network configuration options. - network: - dnsDomain: cluster.local # The domain used by Kubernetes DNS. - # The pod subnet CIDR. - podSubnets: - - 10.244.0.0/16 - # The service subnet CIDR. - serviceSubnets: - - 10.96.0.0/12 - - # # The CNI used. - # cni: - # name: custom # Name of CNI to use. - # # URLs containing manifests to apply for the CNI. - # urls: - # - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml - token: p8iqgp.o8cibvj3gtekobpg # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. - secretboxEncryptionSecret: omt6pT4baS9LtMg2mX4B47YdiZpGDwzYd8Y9c/+3V2I= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). - # The base64 encoded root certificate authority used by Kubernetes. - ca: - crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpekNDQVRDZ0F3SUJBZ0lSQVA2ajMvenpLM3FoUW1LMC9NSHhTajB3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEE1TWprd016VXhNakJhRncwek5UQTVNamN3TXpVeApNakJhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVF2UW0wdU80bWgyK1dWcEpuWHFIcUhXMGJXWFNBNk1UamJic2pxWlBWTTY3ZFYySzQwNkpld2ZHOC8KVFdjU0xMVW5jcXh3S2ZzUlFjTWZtYjJ4WTVjVW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGTDVJNE5iU0NjQ2xlNVdtdUd0TStDRzArcGtQTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDSVFDT0VtcXIKaTU3YlU2TXFleTBaVk1RZVNXdG9ybGtHMEVlZGlIZmZvZ2lUT0FJaEFLajRXaFROUHdndCs5UUlsOWVYWnkvSwowZ1BQWEZhaDh0cnlZemVFS3ZnTgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU5xNStnVVY4eG1aVExabXBXanJPeXBEMTZ3TUxyRmZ0SUlHVm5VUHVxRC9vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFTDBKdExqdUpvZHZsbGFTWjE2aDZoMXRHMWwwZ09qRTQyMjdJNm1UMVRPdTNWZGl1Tk9pWApzSHh2UDAxbkVpeTFKM0tzY0NuN0VVSERINW05c1dPWEZBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= - # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. - aggregatorCA: - crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYekNDQVFXZ0F3SUJBZ0lRZVIwYXJMZnpXYnFBbGxUay9QUlhSREFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJMU1Ea3lPVEF6TlRFeU1Gb1hEVE0xTURreU56QXpOVEV5TUZvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCSmROSEJBS1RvbG94dm5tSE5yYVUwdkVJeTNpRFVTMmFNREdFTk8zWVU0UEFzcUhBdHdOCkxBWnhtbkdyTmt5YUxqSDI5c2J1WGxqd3RkY3BOMVlLSUJTallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVVlUVBFNVl1NVNRdHg4akhFeVl4MGhrQ0toQkl3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnCmJ6MWc3YXgxWHoxMSt6MkhFN2JnSGRvVFo2T1RjNUs5dlFCc1g3Yi9sWklDSVFDZW9BRGJzRmZVNUVoek1PTG8KTDAySGE4cHd1dU9vdkFGcCs5RmdyM0RvOEE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU9KU0ZwQnlpS0F1VjdtQk9lNGF6dU56UFdnVXZuQUxUWGVpcG81YldXUDlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbDAwY0VBcE9pV2pHK2VZYzJ0cFRTOFFqTGVJTlJMWm93TVlRMDdkaFRnOEN5b2NDM0EwcwpCbkdhY2FzMlRKb3VNZmIyeHU1ZVdQQzExeWszVmdvZ0ZBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= - # The base64 encoded private key for service account token generation. - serviceAccount: - key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBdWxWdjdKdzMzOThXbE1mdHB3Zmt3WlQrM3h4K3FmWFlBbVpMdnpna0ZjcHJRZFJRCmRJc2RIZ00wSEdDYnZUVS9EVEpZM0N0dmhoVUtoQ1dON0FkKzg2RHJVdFpZTWkwUE5sd3U2TVFlSVNoSU1CWjIKcjExOHpyRkFuSmh5eEFERGordmZaSVBFWnZqVmZZbEY0WWJGY2w5UEtsUitEKy96b3JCZTZxYUNUMCtIczl3bApPLysvcmVaVVhZU3JNYTc4S1J1dzBiOHpDaHkvUjh4Q2R1K2xPSXp5QjJKM0NVME01L2I0U2Fhb2wrUVQ2bW9CCkJHcDJ4U2JmOE5KTWx6S1lXWU9sWEVKT1BnTE5hZmIrVjR6aWpQaHROZndtR1pteU9oT1p3RkxHaXFlVzlZK2UKTE80VmRIVVRwUVUydGpNM0dVK2lIeHVqb2tWdXJjS0NLekpzZ2JLKzg4WmxCVldJR2luZjhUZm5hZnFMaElPNApjTzFON0FReWlJcXFWQXRtMUQvOVJ2NXk4UEI1TmhYd1UxUEkxaEsrZzdvQlJDWUxWZ0QyNVBDZUcvV2orRzBoCnJQb0c1bUZqNU5WRThhaDJTdlhHZVQyeGJTdVdFdGV4TDBnWksxN3dURHdFay9raUVyRmdxNVowTmhzSHhKZnAKVWMvWEJDMkVFaml3SEhnRnVHTFBoVzh3T29hR2xpVEVGdWZFeStZUnhqQXJQbzlpVW8xZloza1pRbHlkdkd5TAp2cXFIaFRRRnF4aVowNEFLb2hjV05sWU8wWGhJT0gwenNLR2tzWDlvYXQ5d3UrdUxkaEluM0krdnZPM3BFV1BDCjl3Q2JENGR1TDVCYVpSaG9OQktaSzRNS0JDeVZvc1BLWEFmRFoyNnlSeWhpem1QWHl3WTF6dXhJcWlrQ0F3RUEKQVFLQ0FmOWhkeTJRL3RVRlR6ek9DS3NBSXVlYzdzSHBTZ2grQURpOUk0aDAyRVBSN0R0ZGdTMnZYSnZOazcyNApheE9TV3NSZ1ZVbkF1RWgvVUErNlB1cVZJeTR6enhBZ001a3JMSWhTb0MrTEJETWNzbVNKWkhvSDlxVjkxcEU4Ckw3ZTlYQlM1V0ltTG13Sy9IV0w2Y3hvNDAzSG13eU1PSmxNMk1oUDM1d3puZEFKQytnLytOek1hV3dkZVBLYlEKVVgxK0hkYzYrbEhlSVlhb3BTUXk3WGxDY3g2eWhyWldPcnZhQTA2WDN1VFJvYUlBM3QxamxMZWI2K3dGTFc3RwoxcGd5d2JvNU0yTTYxTi9PUmRnbDl3L0pPK1VCcU9NbWVDMW9QV3dOWjJKdGkyVitEVCs5bDk2YStYVVFYZW5ECm1rckVDZjlaQkwycVMwNHVQd0dicFpHN0tGNUJEYnN4U1NnT0hPR0hyNzNPQ01kYktWdVhpOTlXUll0T3RjN20KT2RjS0puT0ozemR1R1J3L3QrNU92YjJZb21XSERzOEMxZEVPNGZLQlJXakl5dnh0bFgvb041d3gwa1g1YWdBSQpONkluRTA1MTV6QXFnZStQaE1abTlBd0F6b2FWSjFxa24rZkNxY3FZNkI2QXlCWVcvSTB1RktWRnNyejlEU244CmF5VTd6SGlYOUJHSHlmaUx5TDd2d0JwRTNLd0dBMG9xRjNCN3A3NjFTUWNxc1BuQnZ1V29ZaUIyNWtlZWlIWjMKV0QyK01pSUVMVWdLdnFzNHpYNjhHaEVsWW5DRzgyeGY3RDZCOURtRHZ4TTlmVXJYZHRsK094bjk0N3dRRm84cwpSYXNXejZPQ1FVSitWZDJ2bHZLVXMvM2hGbVBmRFF2bU1sOEpKU2xqbEpYSS8wMUJBb0lCQVFEbjFtNko5dnJtCnlNMHFOQ1hyUmtYM01RdWV6clEwTVlob0FKdzBaaHdzZktkTEErdnVtVlZwTnY2WWhkbi9sYjRWbFBsb2dic3cKdlVTeVc4RlNaVzBGZnViMHcyTXdhNlpSVEROK0NJMTZVaTZDeWhSZDlja2hQbVlBZ3RoMXluWE1HWUYyNEt0UgpsUE02OTF2UktIZGc4Q2Y0V2pPZ1RKajRZTmV3VUs3dnFYbnFLUDJ0MDZrNFd4bXBhaUhLTDJ5MUhTb0pNRk12CktMa0ppcGlxbjJ1Y2NZbXUzNit3VjNobmRBeFlHcnVpYUh5VWtNS0UveGxETnBJRjZJTFJsWk5Ha1dVc1BsM2sKT0Fub056MkhDS1dSY0pmd0VLdVF1RHl3TEpUV0dxYW0wSk0yYUx0ajlISW1tcG16TEhnYjdZQnZNQk5KRmFkNAprNnNveUQ0UlMreEpBb0lCQVFETndPOG55aTlaSEUweVhnSFBrNHBPVHVUdzU0dVkzUCt2NVg2eWxHZ3Z4NGRmCnZ3eFVhNHZPamtLVXl3MVR0ZEMyUXlSUlJpOU5sbm9KVVUzeHVLMExHUllqQ1J0T2dvL0Zydk5iMlk0cXNwRzQKOVhoWXp6VGtwZHRLNDhOWG4zRHZkRDh6cmF6QmRsWnpEZklvaVdUSkEvL3U1MUNrbDBTbEhKM3BpN3lHVllIYQp1Skp4SS91bWFINEdBVXpZK1RxUWt0OHd0OE82SlNJZmZZTU1mS2VkZmVqTm9TNUxmN3EvL0UyTERISkVRQ3BtCndvTWkxc2hWNktiYi9XZVBaZ3V3OHF4K1VoSEljcGxTVjhnSjByU2R1OWhPdzdRc1haR3pyaTBtRUYyMmRVakYKTC96N2RRUmk1ZzZ3TDRFMnFMcFBZWmpCZXFQaHRRM3JhY3hRa2c3aEFvSUJBUUNDMlU4SVJVSjFFUzVpdkk0TwpUVnBkMnV1aEZTODJLaUsvK0dBeFh0UlY4NEVFWU5FL21JRlJZZjJ1SGhYZElDbnB5bXcrSk1KL0RzUUFHck54CkN0Zk9lMEpsTVFZQnBUQjR3QlpyOHUzTzlTVlZJakwrbVNPTXhNZ1RUOFpXTFEveFF4QUVCV2dNSXBKcFhJVVEKOXRMeC9ubkF2VUJZSUFOU1pHNDRFRUc3K0o1Ym9Ba1ZtOW50ZWRWdy9mcldQNUFPWk1oOTZTMTU5M1VBUXA1Sgo1cko0Mk1nSjBDdzd6aEtoNlNpeWJWd3JuT2Q3Zm55YlRkTjNVUXgza3pTS2orNVFyTzA2WEhUbnd3MHNhRWtzCnRwK2tCN1ZwaEM4Zy9pc2FqLzd0SEp1a21TSU5XbTB4VEIxRlZvcWJTdVQ3ZGovQUFaVlE4WXpWREJ0VmFEZEgKMGQ4cEFvSUJBRkxSSkxJa1hKaUduci8yUE01YmVhRDVlb2RJKzlTRXA5b2FDcnhBcGdzTlNmME0vaDZBeDE1Vgp2cEQ3aGhxNnBRNm55ZGQ0NDVOY1RUU3c2Q215aHR4ZnRaeFdqd296M1VEWm9aVEg1Y1JqNmVuRHpEUWEreFJKCmVoSVR5VTNjbkcyVm9kYmdRaGdBMU4wc3NOc0dLbTRLMFJwTk94VjAyYW1IOGp2T0JnMGdIOHQwM1dUeThkalMKV0Y5OGFIMHhIQlNUT1lqM2ZxM1BRb1BnVmo1UmNub2U4dlRKdXNPaTN2MWx4YVNCVndFSHZzbHI0N0xETnhIMQpPaXgwUEJucEhpMlVFRUFzTW9JM05tV0JkY0FXY3FMR3VGTkR6S0xLNnRtaTh3Tk9OUm82N1JhSnNVOVprM0ZuClhtUW1TdUZBV3ZXV3VCQ3dsNFJEQng1SmtIYWh3NkVDZ2dFQkFNdStWRTc2VEcxdjlOdEdwMnNBS1VCdU1lSHEKN1ZoMGY4ZFJKbmdHZEJBUVN0SjRiMzkxNU1TdHV1OG11ZlpoZ1QxUUg4a0NkTW9za2p4aE5rZU5nVGZXMHEwNwoyVnVGbWwyQUF2QnB5ZWluTzFORGVicXFqMXpZa1JmM3I3b3kyUk5xL2RLVWFmUThvaVoydG94RVQwTU1zRmlBCm1GOHBEWTU2OGlOakU2bUJ6d1UzRmZsTXZUOG1UNno5S0JDYlloVlpjL1kwanF5dUZ2b1p2WmVhazhJT1h5ekkKNXN6V1RIVlgwZkdxMUpBQkU4T2tJb0MzOG1ORVB2d1JMSkR3RlJKaVRXZ0piaUxkNVhsYis5U0xYdmtES3BvdQo5RWx6UW1QV2J6NGFFRE1VMFpITUdOYXJ4QUVjQkhoVDljZWVRcWsyTUZ1Uy9tN1lSVElQdmVHY0xwcz0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K - # API server specific configuration options. - apiServer: - image: registry.k8s.io/kube-apiserver:v1.34.0 # The container image used in the API server manifest. - # Extra certificate subject alternative names for the API server's certificate. - certSANs: - - 10.5.0.2 - disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests. - # Configure the API server admission plugins. - admissionControl: - - name: PodSecurity # Name is the name of the admission controller. - # Configuration is an embedded configuration object to be used as the plugin's - configuration: - apiVersion: pod-security.admission.config.k8s.io/v1alpha1 - defaults: - audit: restricted - audit-version: latest - enforce: baseline - enforce-version: latest - warn: restricted - warn-version: latest - exemptions: - namespaces: - - kube-system - runtimeClasses: [] - usernames: [] - kind: PodSecurityConfiguration - # Configure the API server audit policy. - auditPolicy: - apiVersion: audit.k8s.io/v1 - kind: Policy - rules: - - level: Metadata - - # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration. - # authorizationConfig: - # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. - # name: webhook # Name is used to describe the authorizer. - # # webhook is the configuration for the webhook authorizer. - # webhook: - # connectionInfo: - # type: InClusterConfig - # failurePolicy: Deny - # matchConditionSubjectAccessReviewVersion: v1 - # matchConditions: - # - expression: has(request.resourceAttributes) - # - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)' - # subjectAccessReviewVersion: v1 - # timeout: 3s - # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. - # name: in-cluster-authorizer # Name is used to describe the authorizer. - # # webhook is the configuration for the webhook authorizer. - # webhook: - # connectionInfo: - # type: InClusterConfig - # failurePolicy: NoOpinion - # matchConditionSubjectAccessReviewVersion: v1 - # subjectAccessReviewVersion: v1 - # timeout: 3s - # Controller manager server specific configuration options. - controllerManager: - image: registry.k8s.io/kube-controller-manager:v1.34.0 # The container image used in the controller manager manifest. - # Kube-proxy server-specific configuration options - proxy: - image: registry.k8s.io/kube-proxy:v1.34.0 # The container image used in the kube-proxy manifest. - - # # Disable kube-proxy deployment on cluster bootstrap. - # disabled: false - # Scheduler server specific configuration options. - scheduler: - image: registry.k8s.io/kube-scheduler:v1.34.0 # The container image used in the scheduler manifest. - # Configures cluster member discovery. - discovery: - enabled: true # Enable the cluster membership discovery feature. - # Configure registries used for cluster member discovery. - registries: - # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information - kubernetes: - disabled: true # Disable Kubernetes discovery registry. - # Service registry is using an external service to push and pull information about cluster members. - service: {} - # # External service endpoint. - # endpoint: https://discovery.talos.dev/ - # Etcd specific configuration options. - etcd: - # The `ca` is the root certificate authority of the PKI. - ca: - crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNTZ0F3SUJBZ0lSQU1WYWFEMHEwaHVoMUN6RjRya1dZYVV3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TlRBNU1qa3dNelV4TWpCYUZ3MHpOVEE1TWpjd016VXhNakJhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFTMXdEM3dLU2xwCkF2QjB6bldacnE0TWVtYStJTUg0NzlZanlLZ1lQV09wMEU5bFVmZW9KbmVUM3NsN1pyTU42cVRNRndzS0tFdC8KODQ3N0NtaVhpaTdPbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRk5LV1kwUWhNdHIvClUzZExjTlRnV0ZRSVN1b0dNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUUM2VjlRVEdiQlMzLzV2UUl5RkdnMjAKNTFuSnBtYmRHVk1aSEhzbEJSUDZ0QUlnYUdadUxaOEhJakIvL2Q1NTNJYzRDamRhVEpNZ0RpSWFFMFI4V2w3QgpnMEk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUZBT1ZpYnNIR3VBa004N0tabVBKajBGUjFIOHVKenJyTUpxendLU091TmNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFdGNBOThDa3BhUUx3ZE01MW1hNnVESHBtdmlEQitPL1dJOGlvR0QxanFkQlBaVkgzcUNaMwprOTdKZTJhekRlcWt6QmNMQ2loTGYvT08rd3BvbDRvdXpnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= - - # # The container image used to create the etcd service. - # image: gcr.io/etcd-development/etcd:v3.6.4 - - # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from. - # advertisedSubnets: - # - 10.0.0.0/8 - # A list of urls that point to additional manifests. - extraManifests: [] - # - https://www.example.com/manifest1.yaml - # - https://www.example.com/manifest2.yaml - - # A list of inline Kubernetes manifests. - inlineManifests: [] - # - name: namespace-ci # Name of the manifest. - # contents: |- # Manifest contents as a string. - # apiVersion: v1 - # kind: Namespace - # metadata: - # name: ci - - - # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). - - # # Decryption secret example (do not use in production!). - # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= - - # # Core DNS specific configuration options. - # coreDNS: - # image: registry.k8s.io/coredns/coredns:v1.12.3 # The `image` field is an override to the default coredns image. - - # # External cloud provider configuration. - # externalCloudProvider: - # enabled: true # Enable external cloud provider. - # # A list of urls that point to additional manifests for an external cloud provider. - # manifests: - # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml - # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml - - # # A map of key value pairs that will be added while fetching the extraManifests. - # extraManifestHeaders: - # Token: "1234567" - # X-ExtraInfo: info - - # # Settings for admin kubeconfig generation. - # adminKubeconfig: - # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year). - - # # Allows running workload on control-plane nodes. - # allowSchedulingOnControlPlanes: true diff --git a/control_plane/configs/talosconfig b/control_plane/configs/talosconfig deleted file mode 100644 index 2122fde..0000000 --- a/control_plane/configs/talosconfig +++ /dev/null @@ -1,7 +0,0 @@ -context: evo-npcs-clust -contexts: - evo-npcs-clust: - endpoints: [] - ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBOEMwVGY0M25HaXpBQ0xZZ3JtQU95akFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdPVEk1TURNMU1USXdXaGNOTXpVd09USTNNRE0xTVRJd1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUY0WTh2WDlJS2lSd2FTSllWMjYwREF2VFlwRGhJRzV5SytQCnZDZmIyQklKbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkhVNTgvV3cvQys0QmR1ZgowdlRsT0hJa3cwTm1NQVVHQXl0bGNBTkJBR3NReW1Pb3FUSnRwbHpId3pSWjU1TEdGdUdJSGJ4RmFKVG14TDFXCkZiWTRtNzlsR2syVjBGUDdjL2Q0dnF0Q0dDQ0FJRHpzK01IOUlKZFFRUTdqdXc4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBZ1lOcjFtajNyWEFYbEFJMkRWckdFakFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdPVEk1TURNMU1USXdXaGNOTWpZd09USTVNRE0xTVRJd1dqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRsY0FNaEFEZ1JWSzl5cFlPMmlBOHdOVGJHU2tzdkVjdmNDeXVnCi9hVVl4MFpDREJtRW8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVkVG56OWJEOEw3Z0YyNS9TOU9VNGNpVERRMll3QlFZREsyVndBMEVBbEpvYQpiRDR3SWNYVUlteVJEbVYvT3I0WllXeWlxZDRpUVg5NmFIOW5pK3g4OEZUR3IxSEZDekdWdjBqc3BiSUdSV2VKCkVrT2tnTEF0KzNwQ0JGVE5BQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJUFJOWXdmMWxrNEtLYXRrRUtqcDk0YWQ4Z3d3b05BdXd2YjdqR0pJR1hIMQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K diff --git a/control_plane/configs/worker.yaml b/control_plane/configs/worker.yaml deleted file mode 100644 index c3a6933..0000000 --- a/control_plane/configs/worker.yaml +++ /dev/null @@ -1,580 +0,0 @@ -version: v1alpha1 # Indicates the schema used to decode the contents. -debug: false # Enable verbose logging to the console. -persist: true -# Provides machine specific configuration options. -machine: - type: worker # Defines the role of the machine within the cluster. - token: bflu6g.99igvodochnec0ru # The `token` is used by a machine to join the PKI of the cluster. - # The root certificate authority of the PKI. - ca: - crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBOEMwVGY0M25HaXpBQ0xZZ3JtQU95akFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdPVEk1TURNMU1USXdXaGNOTXpVd09USTNNRE0xTVRJd1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUY0WTh2WDlJS2lSd2FTSllWMjYwREF2VFlwRGhJRzV5SytQCnZDZmIyQklKbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkhVNTgvV3cvQys0QmR1ZgowdlRsT0hJa3cwTm1NQVVHQXl0bGNBTkJBR3NReW1Pb3FUSnRwbHpId3pSWjU1TEdGdUdJSGJ4RmFKVG14TDFXCkZiWTRtNzlsR2syVjBGUDdjL2Q0dnF0Q0dDQ0FJRHpzK01IOUlKZFFRUTdqdXc4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - key: "" - # Extra certificate subject alternative names for the machine's certificate. - certSANs: [] - # # Uncomment this to enable SANs. - # - 10.0.0.10 - # - 172.16.0.10 - # - 192.168.0.10 - - # Used to provide additional options to the kubelet. - kubelet: - image: ghcr.io/siderolabs/kubelet:v1.34.0 # The `image` field is an optional reference to an alternative kubelet image. - defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile. - disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. - - # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. - # clusterDNS: - # - 10.96.0.10 - # - 169.254.2.53 - - # # The `extraArgs` field is used to provide additional flags to the kubelet. - # extraArgs: - # key: value - - # # The `extraMounts` field is used to add additional mounts to the kubelet container. - # extraMounts: - # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. - # type: bind # Type specifies the mount kind. - # source: /var/lib/example # Source specifies the source path of the mount. - # # Options are fstab style mount options. - # options: - # - bind - # - rshared - # - rw - - # # The `extraConfig` field is used to provide kubelet configuration overrides. - # extraConfig: - # serverTLSBootstrap: true - - # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. - # credentialProviderConfig: - # apiVersion: kubelet.config.k8s.io/v1 - # kind: CredentialProviderConfig - # providers: - # - apiVersion: credentialprovider.kubelet.k8s.io/v1 - # defaultCacheDuration: 12h - # matchImages: - # - '*.dkr.ecr.*.amazonaws.com' - # - '*.dkr.ecr.*.amazonaws.com.cn' - # - '*.dkr.ecr-fips.*.amazonaws.com' - # - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov' - # - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov' - # name: ecr-credential-provider - - # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. - # nodeIP: - # # The `validSubnets` field configures the networks to pick kubelet node IP from. - # validSubnets: - # - 10.0.0.0/8 - # - '!10.0.0.3/32' - # - fdc7::/16 - # Provides machine specific network configuration options. - network: {} - # # `interfaces` is used to define the network interface configuration. - # interfaces: - # - interface: enp0s1 # The interface name. - # # Assigns static IP addresses to the interface. - # addresses: - # - 192.168.2.0/24 - # # A list of routes associated with the interface. - # routes: - # - network: 0.0.0.0/0 # The route's network (destination). - # gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route). - # metric: 1024 # The optional metric for the route. - # mtu: 1500 # The interface's MTU. - # - # # # Picks a network device using the selector. - - # # # select a device with bus prefix 00:*. - # # deviceSelector: - # # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. - # # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver. - # # deviceSelector: - # # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. - # # driver: virtio_net # Kernel driver, supports matching by wildcard. - # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver. - # # deviceSelector: - # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. - # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. - # # driver: virtio_net # Kernel driver, supports matching by wildcard. - - # # # Bond specific options. - # # bond: - # # # The interfaces that make up the bond. - # # interfaces: - # # - enp2s0 - # # - enp2s1 - # # # Picks a network device using the selector. - # # deviceSelectors: - # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. - # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. - # # driver: virtio_net # Kernel driver, supports matching by wildcard. - # # mode: 802.3ad # A bond option. - # # lacpRate: fast # A bond option. - - # # # Bridge specific options. - # # bridge: - # # # The interfaces that make up the bridge. - # # interfaces: - # # - enxda4042ca9a51 - # # - enxae2a6774c259 - # # # Enable STP on this bridge. - # # stp: - # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled. - - # # # Configure this device as a bridge port. - # # bridgePort: - # # master: br0 # The name of the bridge master interface - - # # # Indicates if DHCP should be used to configure the interface. - # # dhcp: true - - # # # DHCP specific options. - # # dhcpOptions: - # # routeMetric: 1024 # The priority of all routes received via DHCP. - - # # # Wireguard specific configuration. - - # # # wireguard server example - # # wireguard: - # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). - # # listenPort: 51111 # Specifies a device's listening port. - # # # Specifies a list of peer configurations to apply to a device. - # # peers: - # # - publicKey: ABCDEF... # Specifies the public key of this peer. - # # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry. - # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. - # # allowedIPs: - # # - 192.168.1.0/24 - # # # wireguard peer example - # # wireguard: - # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). - # # # Specifies a list of peer configurations to apply to a device. - # # peers: - # # - publicKey: ABCDEF... # Specifies the public key of this peer. - # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry. - # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer. - # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. - # # allowedIPs: - # # - 192.168.1.0/24 - - # # # Virtual (shared) IP address configuration. - - # # # layer2 vip example - # # vip: - # # ip: 172.16.199.55 # Specifies the IP address to be used. - - # # Used to statically set the nameservers for the machine. - # nameservers: - # - 8.8.8.8 - # - 1.1.1.1 - - # # Used to statically set arbitrary search domains. - # searchDomains: - # - example.org - # - example.com - - # # Allows for extra entries to be added to the `/etc/hosts` file - # extraHostEntries: - # - ip: 192.168.1.100 # The IP of the host. - # # The host alias. - # aliases: - # - example - # - example.domain.tld - - # # Configures KubeSpan feature. - # kubespan: - # enabled: true # Enable the KubeSpan feature. - - # Used to provide instructions for installations. - install: - disk: /dev/sda # The disk used for installations. - image: ghcr.io/siderolabs/installer:v1.11.1 # Allows for supplying the image used to perform the installation. - wipe: false # Indicates if the installation disk should be wiped at installation time. - - # # Look up disk using disk attributes like model, size, serial and others. - # diskSelector: - # size: 4GB # Disk size. - # model: WDC* # Disk model `/sys/block//device/model`. - # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path. - - # # Allows for supplying extra kernel args via the bootloader. - # extraKernelArgs: - # - talos.platform=metal - # - reboot=k - # Used to configure the machine's container image registry mirrors. - registries: {} - # # Specifies mirror configuration for each registry host namespace. - # mirrors: - # ghcr.io: - # # List of endpoints (URLs) for registry mirrors to use. - # endpoints: - # - https://registry.insecure - # - https://ghcr.io/v2/ - - # # Specifies TLS & auth configuration for HTTPS image registries. - # config: - # registry.insecure: - # # The TLS configuration for the registry. - # tls: - # insecureSkipVerify: true # Skip TLS server certificate verification (not recommended). - # - # # # Enable mutual TLS authentication with the registry. - # # clientIdentity: - # # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t - # # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== - # - # # # The auth configuration for this registry. - # # auth: - # # username: username # Optional registry authentication. - # # password: password # Optional registry authentication. - - # Features describe individual Talos features that can be switched on or off. - features: - rbac: true # Enable role-based access control (RBAC). - stableHostname: true # Enable stable default hostname. - apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid. - diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks. - # KubePrism - local proxy/load balancer on defined port that will distribute - kubePrism: - enabled: true # Enable KubePrism support - will start local load balancing proxy. - port: 7445 # KubePrism port. - # Configures host DNS caching resolver. - hostDNS: - enabled: true # Enable host DNS caching resolver. - forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods. - - # # Configure Talos API access from Kubernetes pods. - # kubernetesTalosAPIAccess: - # enabled: true # Enable Talos API access from Kubernetes pods. - # # The list of Talos API roles which can be granted for access from Kubernetes pods. - # allowedRoles: - # - os:reader - # # The list of Kubernetes namespaces Talos API access is available from. - # allowedKubernetesNamespaces: - # - kube-system - - # # Provides machine specific control plane configuration options. - - # # ControlPlane definition example. - # controlPlane: - # # Controller manager machine specific configuration options. - # controllerManager: - # disabled: false # Disable kube-controller-manager on the node. - # # Scheduler machine specific configuration options. - # scheduler: - # disabled: true # Disable kube-scheduler on the node. - - # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. - - # # nginx static pod. - # pods: - # - apiVersion: v1 - # kind: pod - # metadata: - # name: nginx - # spec: - # containers: - # - image: nginx - # name: nginx - - # # Allows the addition of user specified files. - - # # MachineFiles usage example. - # files: - # - content: '...' # The contents of the file. - # permissions: 0o666 # The file's permissions in octal. - # path: /tmp/file.txt # The path of the file. - # op: append # The operation to use - - # # The `env` field allows for the addition of environment variables. - - # # Environment variables definition examples. - # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: info - # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" - # https_proxy: http://SERVER:PORT/ - # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: error - # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ - # env: - # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ - - # # Used to configure the machine's time settings. - - # # Example configuration for cloudflare ntp server. - # time: - # disabled: false # Indicates if the time service is disabled for the machine. - # # description: | - # servers: - # - time.cloudflare.com - # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. - - # # Used to configure the machine's sysctls. - - # # MachineSysctls usage example. - # sysctls: - # kernel.domainname: talos.dev - # net.ipv4.ip_forward: "0" - # net/ipv6/conf/eth0.100/disable_ipv6: "1" - - # # Used to configure the machine's sysfs. - - # # MachineSysfs usage example. - # sysfs: - # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance - - # # Configures the udev system. - # udev: - # # List of udev rules to apply to the udev system - # rules: - # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" - - # # Configures the logging system. - # logging: - # # Logging destination. - # destinations: - # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". - # format: json_lines # Logs format. - - # # Configures the kernel. - # kernel: - # # Kernel modules to load. - # modules: - # - name: brtfs # Module name. - - # # Configures the seccomp profiles for the machine. - # seccompProfiles: - # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. - # # The `value` field is used to provide the seccomp profile. - # value: - # defaultAction: SCMP_ACT_LOG - - # # Override (patch) settings in the default OCI runtime spec for CRI containers. - - # # override default open file limit - # baseRuntimeSpecOverrides: - # process: - # rlimits: - # - hard: 1024 - # soft: 1024 - # type: RLIMIT_NOFILE - - # # Configures the node labels for the machine. - - # # node labels example. - # nodeLabels: - # exampleLabel: exampleLabelValue - - # # Configures the node annotations for the machine. - - # # node annotations example. - # nodeAnnotations: - # customer.io/rack: r13a25 - - # # Configures the node taints for the machine. Effect is optional. - - # # node taints example. - # nodeTaints: - # exampleTaint: exampleTaintValue:NoSchedule -# Provides cluster specific configuration options. -cluster: - id: 9CwSQ5eKI6v0A88QYbtQkRLQhISrpgaaqc-myRPPMtk= # Globally unique identifier for this cluster (base64 encoded random 32 bytes). - secret: lZSNX+ZotNqqEBKUVsuiPipQG+OC9/xSRRqEMi3IEI0= # Shared secret of cluster (base64 encoded random 32 bytes). - # Provides control plane specific configuration options. - controlPlane: - endpoint: https://10.5.0.2:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. - clusterName: evo-npcs-clust # Configures the cluster's name. - # Provides cluster specific network configuration options. - network: - dnsDomain: cluster.local # The domain used by Kubernetes DNS. - # The pod subnet CIDR. - podSubnets: - - 10.244.0.0/16 - # The service subnet CIDR. - serviceSubnets: - - 10.96.0.0/12 - - # # The CNI used. - # cni: - # name: custom # Name of CNI to use. - # # URLs containing manifests to apply for the CNI. - # urls: - # - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml - token: p8iqgp.o8cibvj3gtekobpg # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. - # The base64 encoded root certificate authority used by Kubernetes. - ca: - crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpekNDQVRDZ0F3SUJBZ0lSQVA2ajMvenpLM3FoUW1LMC9NSHhTajB3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEE1TWprd016VXhNakJhRncwek5UQTVNamN3TXpVeApNakJhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVF2UW0wdU80bWgyK1dWcEpuWHFIcUhXMGJXWFNBNk1UamJic2pxWlBWTTY3ZFYySzQwNkpld2ZHOC8KVFdjU0xMVW5jcXh3S2ZzUlFjTWZtYjJ4WTVjVW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGTDVJNE5iU0NjQ2xlNVdtdUd0TStDRzArcGtQTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDSVFDT0VtcXIKaTU3YlU2TXFleTBaVk1RZVNXdG9ybGtHMEVlZGlIZmZvZ2lUT0FJaEFLajRXaFROUHdndCs5UUlsOWVYWnkvSwowZ1BQWEZhaDh0cnlZemVFS3ZnTgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - key: "" - # Configures cluster member discovery. - discovery: - enabled: true # Enable the cluster membership discovery feature. - # Configure registries used for cluster member discovery. - registries: - # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information - kubernetes: - disabled: true # Disable Kubernetes discovery registry. - # Service registry is using an external service to push and pull information about cluster members. - service: {} - # # External service endpoint. - # endpoint: https://discovery.talos.dev/ - - # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). - - # # Decryption secret example (do not use in production!). - # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= - - # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). - - # # Decryption secret example (do not use in production!). - # secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= - - # # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. - - # # AggregatorCA example. - # aggregatorCA: - # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t - # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== - - # # The base64 encoded private key for service account token generation. - - # # AggregatorCA example. - # serviceAccount: - # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== - - # # API server specific configuration options. - # apiServer: - # image: registry.k8s.io/kube-apiserver:v1.34.0 # The container image used in the API server manifest. - # # Extra arguments to supply to the API server. - # extraArgs: - # feature-gates: ServerSideApply=true - # http2-max-streams-per-connection: "32" - # # Extra certificate subject alternative names for the API server's certificate. - # certSANs: - # - 1.2.3.4 - # - 4.5.6.7 - # # Configure the API server admission plugins. - # admissionControl: - # - name: PodSecurity # Name is the name of the admission controller. - # # Configuration is an embedded configuration object to be used as the plugin's - # configuration: - # apiVersion: pod-security.admission.config.k8s.io/v1alpha1 - # defaults: - # audit: restricted - # audit-version: latest - # enforce: baseline - # enforce-version: latest - # warn: restricted - # warn-version: latest - # exemptions: - # namespaces: - # - kube-system - # runtimeClasses: [] - # usernames: [] - # kind: PodSecurityConfiguration - # # Configure the API server audit policy. - # auditPolicy: - # apiVersion: audit.k8s.io/v1 - # kind: Policy - # rules: - # - level: Metadata - # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration. - # authorizationConfig: - # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. - # name: webhook # Name is used to describe the authorizer. - # # webhook is the configuration for the webhook authorizer. - # webhook: - # connectionInfo: - # type: InClusterConfig - # failurePolicy: Deny - # matchConditionSubjectAccessReviewVersion: v1 - # matchConditions: - # - expression: has(request.resourceAttributes) - # - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)' - # subjectAccessReviewVersion: v1 - # timeout: 3s - # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. - # name: in-cluster-authorizer # Name is used to describe the authorizer. - # # webhook is the configuration for the webhook authorizer. - # webhook: - # connectionInfo: - # type: InClusterConfig - # failurePolicy: NoOpinion - # matchConditionSubjectAccessReviewVersion: v1 - # subjectAccessReviewVersion: v1 - # timeout: 3s - - # # Controller manager server specific configuration options. - # controllerManager: - # image: registry.k8s.io/kube-controller-manager:v1.34.0 # The container image used in the controller manager manifest. - # # Extra arguments to supply to the controller manager. - # extraArgs: - # feature-gates: ServerSideApply=true - - # # Kube-proxy server-specific configuration options - # proxy: - # disabled: false # Disable kube-proxy deployment on cluster bootstrap. - # image: registry.k8s.io/kube-proxy:v1.34.0 # The container image used in the kube-proxy manifest. - # mode: ipvs # proxy mode of kube-proxy. - # # Extra arguments to supply to kube-proxy. - # extraArgs: - # proxy-mode: iptables - - # # Scheduler server specific configuration options. - # scheduler: - # image: registry.k8s.io/kube-scheduler:v1.34.0 # The container image used in the scheduler manifest. - # # Extra arguments to supply to the scheduler. - # extraArgs: - # feature-gates: AllBeta=true - - # # Etcd specific configuration options. - # etcd: - # image: gcr.io/etcd-development/etcd:v3.6.4 # The container image used to create the etcd service. - # # The `ca` is the root certificate authority of the PKI. - # ca: - # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t - # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== - # # Extra arguments to supply to etcd. - # extraArgs: - # election-timeout: "5000" - # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from. - # advertisedSubnets: - # - 10.0.0.0/8 - - # # Core DNS specific configuration options. - # coreDNS: - # image: registry.k8s.io/coredns/coredns:v1.12.3 # The `image` field is an override to the default coredns image. - - # # External cloud provider configuration. - # externalCloudProvider: - # enabled: true # Enable external cloud provider. - # # A list of urls that point to additional manifests for an external cloud provider. - # manifests: - # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml - # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml - - # # A list of urls that point to additional manifests. - # extraManifests: - # - https://www.example.com/manifest1.yaml - # - https://www.example.com/manifest2.yaml - - # # A map of key value pairs that will be added while fetching the extraManifests. - # extraManifestHeaders: - # Token: "1234567" - # X-ExtraInfo: info - - # # A list of inline Kubernetes manifests. - # inlineManifests: - # - name: namespace-ci # Name of the manifest. - # contents: |- # Manifest contents as a string. - # apiVersion: v1 - # kind: Namespace - # metadata: - # name: ci - - # # Settings for admin kubeconfig generation. - # adminKubeconfig: - # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year). - - # # Allows running workload on control-plane nodes. - # allowSchedulingOnControlPlanes: true diff --git a/control_plane/main.tf b/control_plane/main.tf index 82dd0e9..dd2fc89 100644 --- a/control_plane/main.tf +++ b/control_plane/main.tf @@ -91,6 +91,22 @@ resource "null_resource" "talos_cluster" { } } +resource "null_resource" "talos_cluster_patches" { + depends_on = [null_resource.talos_cluster] + triggers = { + patches_hash = filesha1("${path.module}/patches/controlplane-patch.yaml") + } + + provisioner "local-exec" { + command = <