IaC/talos/patches/talos-cluster.yml

---
cluster:
  allowSchedulingOnControlPlanes: true
  apiServer:
    admissionControl:
      - name: PodSecurity
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1beta1
          kind: PodSecurityConfiguration
          exemptions:
            namespaces:
              - openebs
              - democratic-csi
  controlPlane:
    endpoint: https://cp00.balsillie.house:6443
    localAPIServerPort: 6443
  clusterName: cluster00.balsillie.house
  extraManifests:
    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
    - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
  inlineManifests:
    - name: calico-installation
      contents: |
        apiVersion: operator.tigera.io/v1
        kind: Installation
        metadata:
          name: default
        spec:
          variant: Calico
          cni:
            type: Calico
            ipam:
              type: Calico
          serviceCIDRs:
            - 10.80.0.0/12
          calicoNetwork:
            bgp: Enabled
            linuxDataplane: Nftables
            hostPorts: Enabled
            ipPools:
            - name: default-ipv4-ippool
              blockSize: 24
              cidr: 10.64.0.0/12
              encapsulation: None
              natOutgoing: Disabled
              nodeSelector: all()        
    - name: calico-apiserver
      contents: |
        apiVersion: operator.tigera.io/v1
        kind: APIServer
        metadata:
          name: default
        spec: {}        
    - name: calico-bgpconfig
      contents: |
        apiVersion: crd.projectcalico.org/v1
        kind: BGPConfiguration
        metadata:
          name: default
        spec:
          asNumber: 64624
          serviceClusterIPs:
          - cidr: 10.80.0.0/12        
    - name: calico-bgppeer
      contents: |
        apiVersion: crd.projectcalico.org/v1
        kind: BGPPeer
        metadata:
          name: router-balsillie-house
        spec:
          asNumber: 64625
          peerIP: 192.168.1.11:179        
  network:
    cni:
      name: custom
      urls:
        - https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
    dnsDomain: cluster00.balsillie.house
    podSubnets:
      - 10.64.0.0/12
    serviceSubnets:
      - 10.80.0.0/12
  proxy:
    mode: nftables
    disabled: false
    extraArgs:
      proxy-mode: nftables