diff --git a/talos/gen-config.sh b/talos/gen-config.sh index 45f6f67..19f5f8a 100755 --- a/talos/gen-config.sh +++ b/talos/gen-config.sh @@ -3,7 +3,9 @@ talosctl gen config \ cluster00 https://cp00.balsillie.house:6443 \ --with-secrets secrets.yaml \ - --config-patch @talos-patch.yaml \ + --config-patch @patches/talos-cluster.yml \ + --config-patch @patches/mc-all.yml \ + --config-patch @patches/mc-node00.yml \ --output rendered/ \ --force diff --git a/talos/patches/mc-all.yml b/talos/patches/mc-all.yml new file mode 100644 index 0000000..1fbb0ea --- /dev/null +++ b/talos/patches/mc-all.yml @@ -0,0 +1,31 @@ +machine: + features: + hostDNS: + enabled: true + forwardKubeDNSToHost: false + kubePrism: + enabled: false + install: + wipe: true + legacyBIOSSupport: false + diskSelector: + type: ssd + kubelet: + extraArgs: + rotate-server-certificates: true + extraMounts: + - destination: /var/local/openebs + type: bind + source: /var/local/openebs + options: + - bind + - rshared + - rw + nodeLabels: + openebs.io/engine: mayastor + sysctls: + vm.nr_hugepages: "1024" + time: + disabled: false + servers: + - 192.168.1.11 \ No newline at end of file diff --git a/talos/patches/mc-node00.yml b/talos/patches/mc-node00.yml new file mode 100644 index 0000000..00532c2 --- /dev/null +++ b/talos/patches/mc-node00.yml @@ -0,0 +1,15 @@ +--- +machine: + network: + hostname: node00.balsillie.house + nameservers: + - 192.168.1.11 + interfaces: + - deviceSelector: + hardwareAddr: 'f4:4d:30:6e:62:a7' + dhcp: false + routes: + - network: 0.0.0.0/0 + gateway: 192.168.1.11 + addresses: + - 192.168.1.15/24 \ No newline at end of file diff --git a/talos/patches/talos-cluster.yaml b/talos/patches/talos-cluster.yaml deleted file mode 100644 index cc72258..0000000 --- a/talos/patches/talos-cluster.yaml +++ /dev/null 
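Review bot: `--output rendered/` writes talosconfig and the machine configs into a directory that this same diff shows is tracked in git (the rendered/talosconfig and rendered/*.yaml hunks), and `--with-secrets secrets.yaml` reads the cluster secret bundle from the repo root; talosconfig carries the talosctl client private key and controlplane.yaml normally carries the cluster CA key, etcd CA key and bootstrap token, so the repository very likely holds everything needed to administer the cluster. Keep the patches under version control but ignore the generated output and the secrets bundle, e.g. `printf 'rendered/\nsecrets.yaml\n' >> .gitignore`, then rotate what has already been committed. `--force` also overwrites rendered/ without a prompt, which is what lets a regenerated private key land silently in a commit. The script's first two lines are outside the hunk; if they are only the shebang, `set -euo pipefail` is missing before the `talosctl` call.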
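Review bot: `install.wipe: true` combined with `diskSelector: type: ssd` does not pin the install target — `type: ssd` can match more than one disk on a machine with several SSDs and the wipe is destructive — so the selector should use a unique property such as `diskSelector:` / `  serial: <install-disk-serial>` (or `wwid`/`busPath`), keeping `wipe: true` only if a full wipe on every reinstall is really intended. The `extraMounts` entry bind-mounts `/var/local/openebs` read-write with `rshared` into the kubelet and `vm.nr_hugepages: "1024"` pins roughly 2 GiB of RAM at boot on every node (assuming the default 2 MiB page size); neither is explained, and a one-line comment on each (`# hostPath root for the openebs/mayastor data plane; rshared so CSI mounts propagate` and `# hugepages reserved for the Mayastor io-engine`) would keep the next reader from trimming them. This file also lacks the `---` document start and the trailing newline that mc-node00.yml has.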
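Review bot: the shared control-plane VIP `192.168.1.14/24` that the deleted talos-machine.yaml set under `interfaces[0].vip` is not carried into this patch, yet the cluster endpoint is still `https://cp00.balsillie.house:6443`; if that name still resolves to the VIP, nothing will answer on it after this change. Either restore `vip:` / `  ip: 192.168.1.14/24` under the interface or point cp00.balsillie.house at the node's static `192.168.1.15`, and say which in a comment. The patch also makes `192.168.1.11` both the default gateway and the sole nameserver with no fallback, so name resolution for the cluster dies with that host (as do NTP and BGP in the sibling patches); worth a comment if that single point of failure is intended.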
@@ -1,22 +0,0 @@ ---- - -cluster: - allowSchedulingOnControlPlanes: true - controlPlane: - endpoint: https://cp00.balsillie.house:6443 - localAPIServerPort: 6443 - clusterName: cluster00.balsillie.house - extraManifests: - - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml - network: - cni: - name: custom - urls: - - https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml - dnsDomain: cluster00.balsillie.house - podSubnets: - - 10.64.0.0/12 - serviceSubnets: - - 10.80.0.0/12 - proxy: - disabled: true diff --git a/talos/patches/talos-cluster.yml b/talos/patches/talos-cluster.yml new file mode 100644 index 0000000..20f8edc --- /dev/null +++ b/talos/patches/talos-cluster.yml 
@@ -0,0 +1,88 @@ +--- +cluster: + allowSchedulingOnControlPlanes: true + apiServer: + admissionControl: + - name: PodSecurity + configuration: + apiVersion: pod-security.admission.config.k8s.io/v1beta1 + kind: PodSecurityConfiguration + exemptions: + namespaces: + - openebs + - democratic-csi + controlPlane: + endpoint: https://cp00.balsillie.house:6443 + localAPIServerPort: 6443 + clusterName: cluster00.balsillie.house + extraManifests: + - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml + - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml + inlineManifests: + - name: calico-installation + contents: | + apiVersion: operator.tigera.io/v1 + kind: Installation + metadata: + name: default + spec: + variant: Calico + cni: + type: Calico + ipam: + type: Calico + serviceCIDRs: + - 10.80.0.0/12 + calicoNetwork: + bgp: Enabled + linuxDataplane: Nftables + hostPorts: Enabled + ipPools: + - name: default-ipv4-ippool + blockSize: 24 + cidr: 10.64.0.0/12 + encapsulation: None + natOutgoing: Disabled + nodeSelector: all() + - name: calico-apiserver + contents: | + apiVersion: operator.tigera.io/v1 + kind: APIServer + metadata: + name: default + spec: {} + - name: calico-bgpconfig + contents: | + apiVersion: crd.projectcalico.org/v1 + kind: BGPConfiguration + metadata: + name: default + spec: + asNumber: 64624 + serviceClusterIPs: + - cidr: 10.80.0.0/12 + - name: calico-bgppeer + contents: | + apiVersion: crd.projectcalico.org/v1 + kind: BGPPeer + metadata: + name: router-balsillie-house + spec: + asNumber: 64625 + peerIP: 192.168.1.11:179 + network: + cni: + name: custom + urls: + - https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml + dnsDomain: cluster00.balsillie.house + podSubnets: + - 
10.64.0.0/12 + serviceSubnets: + - 10.80.0.0/12 + proxy: + mode: nftables + disabled: false + extraArgs: + proxy-mode: nftables \ No newline at end of file diff --git a/talos/patches/talos-machine.yaml b/talos/patches/talos-machine.yaml deleted file mode 100644 index edcf336..0000000 --- a/talos/patches/talos-machine.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -machine: - kubelet: - extraArgs: - rotate-server-certificates: true - network: - hostname: node00.balsillie.house - nameservers: - - 192.168.1.11 - interfaces: - - deviceSelector: - hardwareAddr: 'f4:4d:30:6e:62:a7' - dhcp: false - routes: - - network: 0.0.0.0/0 - gateway: 192.168.1.11 - addresses: - - 192.168.1.15/24 - vip: - ip: 192.168.1.14/24 - features: - hostDNS: - enabled: true - forwardKubeDNSToHost: false - time: - disabled: false - servers: - - 192.168.1.11 - install: - wipe: true - legacyBIOSSupport: false - diskSelector: - type: ssd - diff --git a/talos/rendered/controlplane.yaml b/talos/rendered/controlplane.yaml index 3f1eb5c..e6ad94f 100644 --- a/talos/rendered/controlplane.yaml +++ b/talos/rendered/controlplane.yaml @@ -22,6 +22,16 @@ machine: # The `extraArgs` field is used to provide additional flags to the kubelet. extraArgs: rotate-server-certificates: "true" + # The `extraMounts` field is used to add additional mounts to the kubelet container. + extraMounts: + - destination: /var/local/openebs # Destination is the absolute path where the mount will be placed in the container. + type: bind # Type specifies the mount kind. + source: /var/local/openebs # Source specifies the source path of the mount. + # Options are fstab style mount options. + options: + - bind + - rshared + - rw defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile. disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. 
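Review bot: two of the `extraManifests` URLs are mutable — `kubelet-serving-cert-approver/main/...` tracks a branch head and `metrics-server/releases/latest/download/...` tracks whatever release is newest — and Talos fetches and applies them with cluster-admin at every bootstrap, so anyone who can change those upstream locations can run arbitrary workload in this cluster; the approver in particular holds CSR-approval rights, so it deserves a pinned tag like the ingress-nginx and tigera-operator entries already have, or better, its manifest copied into `inlineManifests` so the applied content is reviewed here. The PodSecurity `exemptions.namespaces` for `openebs` and `democratic-csi` switch off enforce, audit and warn for every pod in those namespaces, not only the CSI components; a comment stating why whole-namespace exemption is needed (privileged hostPath/device access for the storage drivers, presumably) would help, and a `pod-security.kubernetes.io/enforce: privileged` label on those namespaces is the narrower alternative that keeps audit/warn. The `BGPPeer` to `192.168.1.11:179` has no `password.secretKeyRef`, so the session that injects routes for `10.64.0.0/12` and `10.80.0.0/12` is unauthenticated — acceptable on a trusted LAN, but worth a comment. `cluster.proxy.mode: nftables` and `extraArgs: proxy-mode: nftables` say the same thing twice; keep one.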
@@ -30,17 +40,6 @@ machine: # - 10.96.0.10 # - 169.254.2.53 - # # The `extraMounts` field is used to add additional mounts to the kubelet container. - # extraMounts: - # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. - # type: bind # Type specifies the mount kind. - # source: /var/lib/example # Source specifies the source path of the mount. - # # Options are fstab style mount options. - # options: - # - bind - # - rshared - # - rw - # # The `extraConfig` field is used to provide kubelet configuration overrides. # extraConfig: # serverTLSBootstrap: true @@ -197,6 +196,9 @@ machine: # description: | servers: - 192.168.1.11 + # Used to configure the machine's sysctls. + sysctls: + vm.nr_hugepages: "1024" # Used to configure the machine's container image registry mirrors. registries: {} # # Specifies mirror configuration for each registry host namespace. @@ -232,7 +234,7 @@ machine: diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks. # KubePrism - local proxy/load balancer on defined port that will distribute kubePrism: - enabled: true # Enable KubePrism support - will start local load balancing proxy. + enabled: false # Enable KubePrism support - will start local load balancing proxy. port: 7445 # KubePrism port. # Configures host DNS caching resolver. hostDNS: @@ -251,6 +253,7 @@ machine: # Configures the node labels for the machine. nodeLabels: node.kubernetes.io/exclude-from-external-load-balancers: "" + openebs.io/engine: mayastor # # Provides machine specific control plane configuration options. 
@@ -314,14 +317,6 @@ machine: # env: # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ - # # Used to configure the machine's sysctls. - - # # MachineSysctls usage example. - # sysctls: - # kernel.domainname: talos.dev - # net.ipv4.ip_forward: "0" - # net/ipv6/conf/eth0.100/disable_ipv6: "1" - # # Used to configure the machine's sysfs. # # MachineSysfs usage example. @@ -440,7 +435,7 @@ cluster: - name: PodSecurity # Name is the name of the admission controller. # Configuration is an embedded configuration object to be used as the plugin's configuration: - apiVersion: pod-security.admission.config.k8s.io/v1alpha1 + apiVersion: pod-security.admission.config.k8s.io/v1beta1 defaults: audit: restricted audit-version: latest @@ -451,6 +446,8 @@ cluster: exemptions: namespaces: - kube-system + - openebs + - democratic-csi runtimeClasses: [] usernames: [] kind: PodSecurityConfiguration @@ -503,6 +500,7 @@ cluster: extraManifests: - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml # A list of inline Kubernetes manifests. inlineManifests: - name: calico-installation # Name of the manifest. 
@@ -537,6 +535,25 @@ cluster: metadata: name: default spec: {} + - name: calico-bgpconfig # Name of the manifest. + contents: | # Manifest contents as a string. + apiVersion: crd.projectcalico.org/v1 + kind: BGPConfiguration + metadata: + name: default + spec: + asNumber: 64624 + serviceClusterIPs: + - cidr: 10.80.0.0/12 + - name: calico-bgppeer # Name of the manifest. + contents: | # Manifest contents as a string. + apiVersion: crd.projectcalico.org/v1 + kind: BGPPeer + metadata: + name: router-balsillie-house + spec: + asNumber: 64625 + peerIP: 192.168.1.11:179 allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes. # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). diff --git a/talos/rendered/talosconfig b/talos/rendered/talosconfig index a4009a5..e31c7c3 100644 --- a/talos/rendered/talosconfig +++ b/talos/rendered/talosconfig @@ -3,5 +3,5 @@ contexts: cluster00: endpoints: [] ca: 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 - crt: 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 - key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRThPeXNZMHJlUy9nVkt6VlZLR3M3YWVJTEQ4M0ZaYjF3clpXbndkVWFIMgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K + crt: 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 + key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJTVBtcWV2cnBuZm1hVGNMM3JhRU8rK0JDdGNkTFhoMmRMdy9ZSGVqY0xBSAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K diff --git a/talos/rendered/worker.yaml b/talos/rendered/worker.yaml index 6ea6fba..5ed5bfa 100644 --- a/talos/rendered/worker.yaml +++ b/talos/rendered/worker.yaml 
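Review bot: this hunk replaces one committed Ed25519 private key with another — `key:` is the talosctl client key for context `cluster00`, base64 of a `-----BEGIN ED25519 PRIVATE KEY-----` block — so both the old and the new admin credential now sit in git history, and anyone who obtains this repository can call the Talos API as that client. Rotating the key in place does not help, because Talos authenticates clients purely by the CA that signed `crt` and keeps no revocation list; the leaked certificates stay valid until the Talos CA itself is rotated (`talosctl rotate-ca`, if your Talos version provides it) and a fresh talosconfig is issued. Stop tracking `rendered/talosconfig` (and the other rendered configs, which carry the cluster secrets) and regenerate after the rotation.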
@@ -22,6 +22,16 @@ machine: # The `extraArgs` field is used to provide additional flags to the kubelet. extraArgs: rotate-server-certificates: "true" + # The `extraMounts` field is used to add additional mounts to the kubelet container. + extraMounts: + - destination: /var/local/openebs # Destination is the absolute path where the mount will be placed in the container. + type: bind # Type specifies the mount kind. + source: /var/local/openebs # Source specifies the source path of the mount. + # Options are fstab style mount options. + options: + - bind + - rshared + - rw defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile. disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. @@ -30,17 +40,6 @@ machine: # - 10.96.0.10 # - 169.254.2.53 - # # The `extraMounts` field is used to add additional mounts to the kubelet container. - # extraMounts: - # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. - # type: bind # Type specifies the mount kind. - # source: /var/lib/example # Source specifies the source path of the mount. - # # Options are fstab style mount options. - # options: - # - bind - # - rshared - # - rw - # # The `extraConfig` field is used to provide kubelet configuration overrides. # extraConfig: # serverTLSBootstrap: true @@ -197,6 +196,9 @@ machine: # description: | servers: - 192.168.1.11 + # Used to configure the machine's sysctls. + sysctls: + vm.nr_hugepages: "1024" # Used to configure the machine's container image registry mirrors. registries: {} # # Specifies mirror configuration for each registry host namespace. 
@@ -232,7 +234,7 @@ machine: diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks. # KubePrism - local proxy/load balancer on defined port that will distribute kubePrism: - enabled: true # Enable KubePrism support - will start local load balancing proxy. + enabled: false # Enable KubePrism support - will start local load balancing proxy. port: 7445 # KubePrism port. # Configures host DNS caching resolver. hostDNS: @@ -248,6 +250,9 @@ machine: # # The list of Kubernetes namespaces Talos API access is available from. # allowedKubernetesNamespaces: # - kube-system + # Configures the node labels for the machine. + nodeLabels: + openebs.io/engine: mayastor # # Provides machine specific control plane configuration options. @@ -311,14 +316,6 @@ machine: # env: # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ - # # Used to configure the machine's sysctls. - - # # MachineSysctls usage example. - # sysctls: - # kernel.domainname: talos.dev - # net.ipv4.ip_forward: "0" - # net/ipv6/conf/eth0.100/disable_ipv6: "1" - # # Used to configure the machine's sysfs. # # MachineSysfs usage example. @@ -377,12 +374,6 @@ machine: # value: # defaultAction: SCMP_ACT_LOG - # # Configures the node labels for the machine. - - # # node labels example. - # nodeLabels: - # exampleLabel: exampleLabelValue - # # Configures the node annotations for the machine. # # node annotations example. 
@@ -423,6 +414,29 @@ cluster: ca: crt: 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 key: "" + # API server specific configuration options. + apiServer: + # Configure the API server admission plugins. + admissionControl: + - name: PodSecurity # Name is the name of the admission controller. + # Configuration is an embedded configuration object to be used as the plugin's + configuration: + apiVersion: pod-security.admission.config.k8s.io/v1beta1 + exemptions: + namespaces: + - openebs + - democratic-csi + kind: PodSecurityConfiguration + + # # The container image used in the API server manifest. + # image: registry.k8s.io/kube-apiserver:v1.31.2 + + # # Configure the API server audit policy. + # auditPolicy: + # apiVersion: audit.k8s.io/v1 + # kind: Policy + # rules: + # - level: Metadata # Kube-proxy server-specific configuration options proxy: disabled: false # Disable kube-proxy deployment on cluster bootstrap. @@ -449,6 +463,7 @@ cluster: extraManifests: - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml # A list of inline Kubernetes manifests. inlineManifests: - name: calico-installation # Name of the manifest. 
@@ -483,6 +498,25 @@ cluster: metadata: name: default spec: {} + - name: calico-bgpconfig # Name of the manifest. + contents: | # Manifest contents as a string. + apiVersion: crd.projectcalico.org/v1 + kind: BGPConfiguration + metadata: + name: default + spec: + asNumber: 64624 + serviceClusterIPs: + - cidr: 10.80.0.0/12 + - name: calico-bgppeer # Name of the manifest. + contents: | # Manifest contents as a string. + apiVersion: crd.projectcalico.org/v1 + kind: BGPPeer + metadata: + name: router-balsillie-house + spec: + asNumber: 64625 + peerIP: 192.168.1.11:179 allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes. # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). 
@@ -508,43 +542,6 @@ cluster: # serviceAccount: # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== - # # API server specific configuration options. - # apiServer: - # image: registry.k8s.io/kube-apiserver:v1.31.2 # The container image used in the API server manifest. - # # Extra arguments to supply to the API server. - # extraArgs: - # feature-gates: ServerSideApply=true - # http2-max-streams-per-connection: "32" - # # Extra certificate subject alternative names for the API server's certificate. - # certSANs: - # - 1.2.3.4 - # - 4.5.6.7 - # # Configure the API server admission plugins. - # admissionControl: - # - name: PodSecurity # Name is the name of the admission controller. - # # Configuration is an embedded configuration object to be used as the plugin's - # configuration: - # apiVersion: pod-security.admission.config.k8s.io/v1alpha1 - # defaults: - # audit: restricted - # audit-version: latest - # enforce: baseline - # enforce-version: latest - # warn: restricted - # warn-version: latest - # exemptions: - # namespaces: - # - kube-system - # runtimeClasses: [] - # usernames: [] - # kind: PodSecurityConfiguration - # # Configure the API server audit policy. - # auditPolicy: - # apiVersion: audit.k8s.io/v1 - # kind: Policy - # rules: - # - level: Metadata - # # Controller manager server specific configuration options. # controllerManager: # image: registry.k8s.io/kube-controller-manager:v1.31.2 # The container image used in the controller manager manifest. diff --git a/talos/talos-patch.yaml b/talos/talos-patch.yaml index 565463a..0cb143c 100644 --- a/talos/talos-patch.yaml +++ b/talos/talos-patch.yaml 
@@ -9,6 +9,7 @@ cluster: extraManifests: - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml inlineManifests: - name: calico-installation contents: | @@ -42,6 +43,25 @@ cluster: metadata: name: default spec: {} + - name: calico-bgpconfig + contents: | + apiVersion: crd.projectcalico.org/v1 + kind: BGPConfiguration + metadata: + name: default + spec: + asNumber: 64624 + serviceClusterIPs: + - cidr: 10.80.0.0/12 + - name: calico-bgppeer + contents: | + apiVersion: crd.projectcalico.org/v1 + kind: BGPPeer + metadata: + name: router-balsillie-house + spec: + asNumber: 64625 + peerIP: 192.168.1.11:179 network: cni: name: custom @@ -58,6 +78,10 @@ cluster: extraArgs: proxy-mode: nftables machine: + disks: + - device: /dev/nvme0n1 + # partitions: + # - mountpoint: /var/mnt/storage features: hostDNS: enabled: true @@ -78,6 +102,13 @@ machine: - rbind - rshared - rw + # - destination: /var/dev/nvme0n1 + # type: bind + # source: /dev/nvme0n1 + # options: + # - bind + # - rshared + # - rw network: hostname: node00.balsillie.house nameservers: diff --git a/talos/volume-config.yaml b/talos/volume-config.yaml new file mode 100644 index 0000000..4d4280e --- /dev/null +++ b/talos/volume-config.yaml @@ -0,0 +1,9 @@ +apiVersion: v1alpha1 +kind: VolumeConfig +name: mayastor # Name of the volume. +# The provisioning describes how the volume is provisioned. +provisioning: + # The disk selector expression. + diskSelector: + match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk. + maxSize: 501GiB \ No newline at end of file
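Review bot: talos-patch.yaml keeps receiving edits in this commit (the ingress-nginx manifest, the BGP objects, `machine.disks`), but gen-config.sh in the same diff drops `--config-patch @talos-patch.yaml` in favour of `patches/*.yml`, so none of these additions reach a rendered config and the file now silently diverges from the patches that are actually applied. Either delete it or mark it at the top with `# DEPRECATED: not read by gen-config.sh; the live patches are patches/talos-cluster.yml, mc-all.yml and mc-node00.yml`. The commented-out bind mount of `/dev/nvme0n1` into the kubelet under `extraMounts` would hand a raw block device read-write to the kubelet container if ever uncommented; if the intent is to give Mayastor a disk, the `machine.disks` entry (currently a bare `device:` with `partitions:` commented out, which adds nothing) or the new VolumeConfig is the right place, so the dead mount should be removed rather than left as a tempting toggle. The enclosing `machine:` section continues outside the hunks.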
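Review bot: `diskSelector.match: disk.transport == "nvme"` also matches the NVMe Talos is installed on (talos-patch.yaml names `/dev/nvme0n1` and mc-all.yml selects an SSD for install), so if this document is ever applied the volume may be carved out of the system disk; Talos's own examples guard the expression with the system-disk flag: `match: disk.transport == "nvme" && !system_disk`. The document is also not fed to `talosctl gen config` by gen-config.sh, so it currently has no effect; if it is meant to be a patch, pass it with `--config-patch @volume-config.yaml` (multi-document patches are accepted, as far as I recall) and add a comment saying which disk it is expected to land on. In the Talos release this repo appears to target (kube-apiserver v1.31.2 in the rendered configs, i.e. Talos 1.8.x) `VolumeConfig` is, to my knowledge, limited to system volumes such as `EPHEMERAL`, so a user-defined name like `mayastor` may be rejected — confirm against the docs for your version before relying on it. A `minSize` alongside `maxSize: 501GiB` would also keep the provisioner from creating a near-empty volume on a disk that is almost full.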