talos

talos/gen-config.sh

@@ -3,7 +3,9 @@
 talosctl gen config \
     cluster00 https://cp00.balsillie.house:6443 \
     --with-secrets secrets.yaml \
-    --config-patch @talos-patch.yaml \
+    --config-patch @patches/talos-cluster.yml \
+    --config-patch @patches/mc-all.yml \
+    --config-patch @patches/mc-node00.yml \
     --output rendered/ \
     --force
 

talos/patches/mc-all.yml

@@ -0,0 +1,31 @@
+machine:
+  features:
+    hostDNS:
+      enabled: true
+      forwardKubeDNSToHost: false
+    kubePrism:
+      enabled: false
+  install:
+    wipe: true
+    legacyBIOSSupport: false
+    diskSelector:
+      type: ssd
+  kubelet:
+    extraArgs:
+      rotate-server-certificates: true
+    extraMounts:
+      - destination: /var/local/openebs
+        type: bind
+        source: /var/local/openebs
+        options:
+          - bind
+          - rshared
+          - rw
+  nodeLabels:
+    openebs.io/engine: mayastor
+  sysctls:
+    vm.nr_hugepages: "1024"
+  time:
+    disabled: false
+    servers:
+      - 192.168.1.11

talos/patches/mc-node00.yml

@@ -0,0 +1,15 @@
+---
+machine:
+  network:
+    hostname: node00.balsillie.house
+    nameservers:
+      - 192.168.1.11
+    interfaces:
+      - deviceSelector:
+          hardwareAddr: 'f4:4d:30:6e:62:a7'
+        dhcp: false
+        routes:
+          - network: 0.0.0.0/0
+            gateway: 192.168.1.11
+        addresses:
+          - 192.168.1.15/24

talos/patches/talos-cluster.yaml

@@ -1,22 +0,0 @@
----
-
-cluster:
-  allowSchedulingOnControlPlanes: true
-  controlPlane:
-    endpoint: https://cp00.balsillie.house:6443
-    localAPIServerPort: 6443
-  clusterName: cluster00.balsillie.house
-  extraManifests:
-    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
-  network:
-    cni:
-      name: custom
-      urls:
-        - https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
-    dnsDomain: cluster00.balsillie.house
-    podSubnets:
-      - 10.64.0.0/12
-    serviceSubnets:
-      - 10.80.0.0/12
-  proxy:
-    disabled: true

talos/patches/talos-cluster.yml

@@ -0,0 +1,88 @@
+---
+cluster:
+  allowSchedulingOnControlPlanes: true
+  apiServer:
+    admissionControl:
+      - name: PodSecurity
+        configuration:
+          apiVersion: pod-security.admission.config.k8s.io/v1beta1
+          kind: PodSecurityConfiguration
+          exemptions:
+            namespaces:
+              - openebs
+              - democratic-csi
+  controlPlane:
+    endpoint: https://cp00.balsillie.house:6443
+    localAPIServerPort: 6443
+  clusterName: cluster00.balsillie.house
+  extraManifests:
+    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+    - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
+  inlineManifests:
+    - name: calico-installation
+      contents: |
+        apiVersion: operator.tigera.io/v1
+        kind: Installation
+        metadata:
+          name: default
+        spec:
+          variant: Calico
+          cni:
+            type: Calico
+            ipam:
+              type: Calico
+          serviceCIDRs:
+            - 10.80.0.0/12
+          calicoNetwork:
+            bgp: Enabled
+            linuxDataplane: Nftables
+            hostPorts: Enabled
+            ipPools:
+            - name: default-ipv4-ippool
+              blockSize: 24
+              cidr: 10.64.0.0/12
+              encapsulation: None
+              natOutgoing: Disabled
+              nodeSelector: all()
+    - name: calico-apiserver
+      contents: |
+        apiVersion: operator.tigera.io/v1
+        kind: APIServer
+        metadata:
+          name: default
+        spec: {}
+    - name: calico-bgpconfig
+      contents: |
+        apiVersion: crd.projectcalico.org/v1
+        kind: BGPConfiguration
+        metadata:
+          name: default
+        spec:
+          asNumber: 64624
+          serviceClusterIPs:
+          - cidr: 10.80.0.0/12
+    - name: calico-bgppeer
+      contents: |
+        apiVersion: crd.projectcalico.org/v1
+        kind: BGPPeer
+        metadata:
+          name: router-balsillie-house
+        spec:
+          asNumber: 64625
+          peerIP: 192.168.1.11:179
+  network:
+    cni:
+      name: custom
+      urls:
+        - https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
+    dnsDomain: cluster00.balsillie.house
+    podSubnets:
+      - 10.64.0.0/12
+    serviceSubnets:
+      - 10.80.0.0/12
+  proxy:
+    mode: nftables
+    disabled: false
+    extraArgs:
+      proxy-mode: nftables

talos/patches/talos-machine.yaml

@@ -1,35 +0,0 @@
----
-
-machine:
-  kubelet:
-    extraArgs:
-      rotate-server-certificates: true
-  network:
-    hostname: node00.balsillie.house
-    nameservers:
-      - 192.168.1.11
-    interfaces:
-      - deviceSelector:
-          hardwareAddr: 'f4:4d:30:6e:62:a7'
-        dhcp: false
-        routes:
-          - network: 0.0.0.0/0
-            gateway: 192.168.1.11
-        addresses:
-          - 192.168.1.15/24
-        vip:
-          ip: 192.168.1.14/24
-  features:
-    hostDNS:
-      enabled: true
-      forwardKubeDNSToHost: false
-  time:
-    disabled: false
-    servers:
-      - 192.168.1.11
-  install:
-    wipe: true
-    legacyBIOSSupport: false
-    diskSelector:
-      type: ssd
-    

talos/rendered/controlplane.yaml

@@ -22,6 +22,16 @@ machine:
         # The `extraArgs` field is used to provide additional flags to the kubelet.
         extraArgs:
             rotate-server-certificates: "true"
+        # The `extraMounts` field is used to add additional mounts to the kubelet container.
+        extraMounts:
+            - destination: /var/local/openebs # Destination is the absolute path where the mount will be placed in the container.
+              type: bind # Type specifies the mount kind.
+              source: /var/local/openebs # Source specifies the source path of the mount.
+              # Options are fstab style mount options.
+              options:
+                - bind
+                - rshared
+                - rw
         defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
         disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
         
@@ -30,17 +40,6 @@ machine:
         #     - 10.96.0.10
         #     - 169.254.2.53
 
-        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
-        # extraMounts:
-        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
-        #       type: bind # Type specifies the mount kind.
-        #       source: /var/lib/example # Source specifies the source path of the mount.
-        #       # Options are fstab style mount options.
-        #       options:
-        #         - bind
-        #         - rshared
-        #         - rw
-
         # # The `extraConfig` field is used to provide kubelet configuration overrides.
         # extraConfig:
         #     serverTLSBootstrap: true
@@ -197,6 +196,9 @@ machine:
         # description: |
         servers:
             - 192.168.1.11
+    # Used to configure the machine's sysctls.
+    sysctls:
+        vm.nr_hugepages: "1024"
     # Used to configure the machine's container image registry mirrors.
     registries: {}
     # # Specifies mirror configuration for each registry host namespace.
@@ -232,7 +234,7 @@ machine:
         diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
         # KubePrism - local proxy/load balancer on defined port that will distribute
         kubePrism:
-            enabled: true # Enable KubePrism support - will start local load balancing proxy.
+            enabled: false # Enable KubePrism support - will start local load balancing proxy.
             port: 7445 # KubePrism port.
         # Configures host DNS caching resolver.
         hostDNS:
@@ -251,6 +253,7 @@ machine:
     # Configures the node labels for the machine.
     nodeLabels:
         node.kubernetes.io/exclude-from-external-load-balancers: ""
+        openebs.io/engine: mayastor
     
     # # Provides machine specific control plane configuration options.
 
@@ -314,14 +317,6 @@ machine:
     # env:
     #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
 
-    # # Used to configure the machine's sysctls.
-
-    # # MachineSysctls usage example.
-    # sysctls:
-    #     kernel.domainname: talos.dev
-    #     net.ipv4.ip_forward: "0"
-    #     net/ipv6/conf/eth0.100/disable_ipv6: "1"
-
     # # Used to configure the machine's sysfs.
 
     # # MachineSysfs usage example.
@@ -440,7 +435,7 @@ cluster:
             - name: PodSecurity # Name is the name of the admission controller.
               # Configuration is an embedded configuration object to be used as the plugin's
               configuration:
-                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+                apiVersion: pod-security.admission.config.k8s.io/v1beta1
                 defaults:
                     audit: restricted
                     audit-version: latest
@@ -451,6 +446,8 @@ cluster:
                 exemptions:
                     namespaces:
                         - kube-system
+                        - openebs
+                        - democratic-csi
                     runtimeClasses: []
                     usernames: []
                 kind: PodSecurityConfiguration
@@ -503,6 +500,7 @@ cluster:
     extraManifests:
         - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
         - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+        - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
     # A list of inline Kubernetes manifests.
     inlineManifests:
         - name: calico-installation # Name of the manifest.
@@ -537,6 +535,25 @@ cluster:
             metadata:
               name: default
             spec: {}
+        - name: calico-bgpconfig # Name of the manifest.
+          contents: | # Manifest contents as a string.
+            apiVersion: crd.projectcalico.org/v1
+            kind: BGPConfiguration
+            metadata:
+              name: default
+            spec:
+              asNumber: 64624
+              serviceClusterIPs:
+              - cidr: 10.80.0.0/12
+        - name: calico-bgppeer # Name of the manifest.
+          contents: | # Manifest contents as a string.
+            apiVersion: crd.projectcalico.org/v1
+            kind: BGPPeer
+            metadata:
+              name: router-balsillie-house
+            spec:
+              asNumber: 64625
+              peerIP: 192.168.1.11:179
     allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.
     
     # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).

talos/rendered/talosconfig

@@ -3,5 +3,5 @@ contexts:
     cluster00:
         endpoints: []
         ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBc3QvY3BtNEliZnhzS3d3VGxHMFNtREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qUXhNakEwTVRneU1qQTFXaGNOTXpReE1qQXlNVGd5TWpBMVdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQU9aVVU3Vzh3OXcwR0l4cmVxVitNQ3JrUENmQS9keWdJMGtVCkJDQTkyTjhNbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRksvei83WWVqamt0VFAwcgppcFFNa2hxK3hNU1pNQVVHQXl0bGNBTkJBTDNJTDk4b3NkeDVPTGpQeEZFcXRTK0NOeWhPS2RFMGU5S3ZnQi9VCmpaT3VEMWE3Zmx3Q1grTVVrdk1qMnBEUER1eTN1Tko5Ym41ZFdPMldmdWFwdEFrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEFGdzJjZTl5RWtSakpidEYzSEhmVGFNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5ERXlNRGd3TkRBNE1UUmFGdzB5TlRFeU1EZ3dOREE0TVRSYU1CTXhFVEFQQmdOVgpCQW9UQ0c5ek9tRmtiV2x1TUNvd0JRWURLMlZ3QXlFQUNMR2IyM2JQODZ6aUJ6SVRDaHZxYTl0dVlxSUl6Y1p4Cmd0WjVwWWZWcWoyalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0QKQWpBZkJnTlZIU01FR0RBV2dCU3Y4LysySG80NUxVejlLNHFVREpJYXZzVEVtVEFGQmdNclpYQURRUUN4R2RsTAppNzlxcUsvcm94SzBybU5ZMVJ3ZFROK3hhNlJaNVliL1B0RFY1RDk0cThxL2dDTGxZcWZSSnNXTml3VVVnUDdxCjU1U1BLMmZlQXlLOVZRc0sKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBMytSdmZzZW5qSDk2cldNSUJsRFhQREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qUXhNakE1TWpJd056TTBXaGNOTWpVeE1qQTVNakl3TnpNMFdqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRsY0FNaEFNZXVSaHNsRHhRMVpHTmNRQmlldWVRQmhJNG8vNkFOClIxQW1tSm80MVlwZm8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVyL1AvdGg2T09TMU0vU3VLbEF5U0dyN0V4Smt3QlFZREsyVndBMEVBaHVSRwp4VzJOSmlaMVJidG1RY0hVY3dWYW5BOUtETzV4aGZObHFpRXZRSWl3UmdlblJBRjFobkp2ejZ0d2lXT2tXZFF0CjNNTWprMDVVQ3BXV2g3NUJDdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
-        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRThPeXNZMHJlUy9nVkt6VlZLR3M3YWVJTEQ4M0ZaYjF3clpXbndkVWFIMgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJTVBtcWV2cnBuZm1hVGNMM3JhRU8rK0JDdGNkTFhoMmRMdy9ZSGVqY0xBSAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K

talos/rendered/worker.yaml

@@ -22,6 +22,16 @@ machine:
         # The `extraArgs` field is used to provide additional flags to the kubelet.
         extraArgs:
             rotate-server-certificates: "true"
+        # The `extraMounts` field is used to add additional mounts to the kubelet container.
+        extraMounts:
+            - destination: /var/local/openebs # Destination is the absolute path where the mount will be placed in the container.
+              type: bind # Type specifies the mount kind.
+              source: /var/local/openebs # Source specifies the source path of the mount.
+              # Options are fstab style mount options.
+              options:
+                - bind
+                - rshared
+                - rw
         defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
         disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
         
@@ -30,17 +40,6 @@ machine:
         #     - 10.96.0.10
         #     - 169.254.2.53
 
-        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
-        # extraMounts:
-        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
-        #       type: bind # Type specifies the mount kind.
-        #       source: /var/lib/example # Source specifies the source path of the mount.
-        #       # Options are fstab style mount options.
-        #       options:
-        #         - bind
-        #         - rshared
-        #         - rw
-
         # # The `extraConfig` field is used to provide kubelet configuration overrides.
         # extraConfig:
         #     serverTLSBootstrap: true
@@ -197,6 +196,9 @@ machine:
         # description: |
         servers:
             - 192.168.1.11
+    # Used to configure the machine's sysctls.
+    sysctls:
+        vm.nr_hugepages: "1024"
     # Used to configure the machine's container image registry mirrors.
     registries: {}
     # # Specifies mirror configuration for each registry host namespace.
@@ -232,7 +234,7 @@ machine:
         diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
         # KubePrism - local proxy/load balancer on defined port that will distribute
         kubePrism:
-            enabled: true # Enable KubePrism support - will start local load balancing proxy.
+            enabled: false # Enable KubePrism support - will start local load balancing proxy.
             port: 7445 # KubePrism port.
         # Configures host DNS caching resolver.
         hostDNS:
@@ -248,6 +250,9 @@ machine:
         #     # The list of Kubernetes namespaces Talos API access is available from.
         #     allowedKubernetesNamespaces:
         #         - kube-system
+    # Configures the node labels for the machine.
+    nodeLabels:
+        openebs.io/engine: mayastor
     
     # # Provides machine specific control plane configuration options.
 
@@ -311,14 +316,6 @@ machine:
     # env:
     #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
 
-    # # Used to configure the machine's sysctls.
-
-    # # MachineSysctls usage example.
-    # sysctls:
-    #     kernel.domainname: talos.dev
-    #     net.ipv4.ip_forward: "0"
-    #     net/ipv6/conf/eth0.100/disable_ipv6: "1"
-
     # # Used to configure the machine's sysfs.
 
     # # MachineSysfs usage example.
@@ -377,12 +374,6 @@ machine:
     #       value:
     #         defaultAction: SCMP_ACT_LOG
 
-    # # Configures the node labels for the machine.
-
-    # # node labels example.
-    # nodeLabels:
-    #     exampleLabel: exampleLabelValue
-
     # # Configures the node annotations for the machine.
 
     # # node annotations example.
@@ -423,6 +414,29 @@ cluster:
     ca:
         crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpekNDQVRDZ0F3SUJBZ0lSQVBoRnFMK05xZ3JWSnprWkJUOUliSUl3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOREV5TURReE9ESXlNRFZhRncwek5ERXlNREl4T0RJeQpNRFZhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVFMbS8vMjJTVWp5elFFMVhzSEY3dGpWR1plME9UQnNTWUE1VjdxSkFEaWlNZEhRL1pnZTlpMGY4SzkKbzI2UmFxazBXaXdaMmVxUWo2bzhOMWN6Mmdwd28yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGQkgvbkVibWgwWFg4aGhaSWI4L0JLRjZYMUN6TUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDSVFEcGdrQkoKN2wzMlpjQmZXYlNzMEd3UU1FSWtjQjBlSXhOMDVtbjZVYlFHUEFJaEFJZlY1MG43Qi9nT1dtYjFVSExPNUMwTgpwaTFwS0lGU0p3aWFwYkxFeGYzOAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
         key: ""
+    # API server specific configuration options.
+    apiServer:
+        # Configure the API server admission plugins.
+        admissionControl:
+            - name: PodSecurity # Name is the name of the admission controller.
+              # Configuration is an embedded configuration object to be used as the plugin's
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1beta1
+                exemptions:
+                    namespaces:
+                        - openebs
+                        - democratic-csi
+                kind: PodSecurityConfiguration
+        
+        # # The container image used in the API server manifest.
+        # image: registry.k8s.io/kube-apiserver:v1.31.2
+
+        # # Configure the API server audit policy.
+        # auditPolicy:
+        #     apiVersion: audit.k8s.io/v1
+        #     kind: Policy
+        #     rules:
+        #         - level: Metadata
     # Kube-proxy server-specific configuration options
     proxy:
         disabled: false # Disable kube-proxy deployment on cluster bootstrap.
@@ -449,6 +463,7 @@ cluster:
     extraManifests:
         - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
         - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+        - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
     # A list of inline Kubernetes manifests.
     inlineManifests:
         - name: calico-installation # Name of the manifest.
@@ -483,6 +498,25 @@ cluster:
             metadata:
               name: default
             spec: {}
+        - name: calico-bgpconfig # Name of the manifest.
+          contents: | # Manifest contents as a string.
+            apiVersion: crd.projectcalico.org/v1
+            kind: BGPConfiguration
+            metadata:
+              name: default
+            spec:
+              asNumber: 64624
+              serviceClusterIPs:
+              - cidr: 10.80.0.0/12
+        - name: calico-bgppeer # Name of the manifest.
+          contents: | # Manifest contents as a string.
+            apiVersion: crd.projectcalico.org/v1
+            kind: BGPPeer
+            metadata:
+              name: router-balsillie-house
+            spec:
+              asNumber: 64625
+              peerIP: 192.168.1.11:179
     allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.
     
     # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
@@ -508,43 +542,6 @@ cluster:
     # serviceAccount:
     #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
 
-    # # API server specific configuration options.
-    # apiServer:
-    #     image: registry.k8s.io/kube-apiserver:v1.31.2 # The container image used in the API server manifest.
-    #     # Extra arguments to supply to the API server.
-    #     extraArgs:
-    #         feature-gates: ServerSideApply=true
-    #         http2-max-streams-per-connection: "32"
-    #     # Extra certificate subject alternative names for the API server's certificate.
-    #     certSANs:
-    #         - 1.2.3.4
-    #         - 4.5.6.7
-    #     # Configure the API server admission plugins.
-    #     admissionControl:
-    #         - name: PodSecurity # Name is the name of the admission controller.
-    #           # Configuration is an embedded configuration object to be used as the plugin's
-    #           configuration:
-    #             apiVersion: pod-security.admission.config.k8s.io/v1alpha1
-    #             defaults:
-    #                 audit: restricted
-    #                 audit-version: latest
-    #                 enforce: baseline
-    #                 enforce-version: latest
-    #                 warn: restricted
-    #                 warn-version: latest
-    #             exemptions:
-    #                 namespaces:
-    #                     - kube-system
-    #                 runtimeClasses: []
-    #                 usernames: []
-    #             kind: PodSecurityConfiguration
-    #     # Configure the API server audit policy.
-    #     auditPolicy:
-    #         apiVersion: audit.k8s.io/v1
-    #         kind: Policy
-    #         rules:
-    #             - level: Metadata
-
     # # Controller manager server specific configuration options.
     # controllerManager:
     #     image: registry.k8s.io/kube-controller-manager:v1.31.2 # The container image used in the controller manager manifest.

talos/talos-patch.yaml

@@ -9,6 +9,7 @@ cluster:
   extraManifests:
     - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
     - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+    - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
   inlineManifests:
     - name: calico-installation
       contents: |
@@ -42,6 +43,25 @@ cluster:
         metadata:
           name: default
         spec: {}
+    - name: calico-bgpconfig
+      contents: |
+        apiVersion: crd.projectcalico.org/v1
+        kind: BGPConfiguration
+        metadata:
+          name: default
+        spec:
+          asNumber: 64624
+          serviceClusterIPs:
+          - cidr: 10.80.0.0/12
+    - name: calico-bgppeer
+      contents: |
+        apiVersion: crd.projectcalico.org/v1
+        kind: BGPPeer
+        metadata:
+          name: router-balsillie-house
+        spec:
+          asNumber: 64625
+          peerIP: 192.168.1.11:179
   network:
     cni:
       name: custom
@@ -58,6 +78,10 @@ cluster:
     extraArgs:
       proxy-mode: nftables
 machine:
+  disks:
+    - device: /dev/nvme0n1
+      # partitions:
+      #   - mountpoint: /var/mnt/storage
   features:
     hostDNS:
       enabled: true
@@ -78,6 +102,13 @@ machine:
           - rbind
           - rshared
           - rw
+      # - destination: /var/dev/nvme0n1
+      #   type: bind
+      #   source: /dev/nvme0n1
+      #   options:
+      #     - bind
+      #     - rshared
+      #     - rw
   network:
     hostname: node00.balsillie.house
     nameservers:

talos/volume-config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1alpha1
+kind: VolumeConfig
+name: mayastor # Name of the volume.
+# The provisioning describes how the volume is provisioned.
+provisioning:
+    # The disk selector expression.
+    diskSelector:
+        match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
+    maxSize: 501GiB