theshire/kubernetes/bootstrap/talos/talconfig.yaml

297 lines
7.3 KiB
YAML
Raw Normal View History

2024-05-06 08:53:47 -05:00
---
2024-11-08 12:13:27 -06:00
# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json
clusterName: theshire
2024-05-06 08:53:47 -05:00
2024-11-08 12:13:27 -06:00
# renovate: datasource=github-releases depName=siderolabs/talos
talosVersion: v1.8.1
# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
2024-11-06 08:04:23 -06:00
kubernetesVersion: 1.31.1
endpoint: "https://10.1.1.57:6444"
2024-05-06 08:53:47 -05:00
additionalApiServerCertSans:
- 10.1.1.57
2024-05-06 08:53:47 -05:00
additionalMachineCertSans:
- 10.1.1.57
2024-05-06 08:53:47 -05:00
nodes:
- hostname: bilbo
2024-05-06 08:53:47 -05:00
disableSearchDomain: true
ipAddress: 10.1.1.62
2024-05-06 08:53:47 -05:00
controlPlane: true
installDiskSelector:
busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/
2024-05-06 08:53:47 -05:00
networkInterfaces:
- interface: eno1
dhcp: true
2024-05-07 19:05:31 -05:00
- hostname: frodo
disableSearchDomain: true
ipAddress: 10.1.1.63
controlPlane: true
installDiskSelector:
busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/
networkInterfaces:
- interface: eno1
dhcp: true
- hostname: sam
disableSearchDomain: true
ipAddress: 10.1.1.64
controlPlane: true
installDiskSelector:
busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/
networkInterfaces:
- interface: eno1
dhcp: true
- hostname: pippin
disableSearchDomain: true
ipAddress: 10.1.1.65
controlPlane: false
installDiskSelector:
busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/
networkInterfaces:
- interface: eno1
dhcp: true
2024-08-08 12:50:06 -05:00
- hostname: merry
disableSearchDomain: true
ipAddress: 10.1.1.66
controlPlane: false
installDiskSelector:
busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/
networkInterfaces:
- interface: eno1
dhcp: true
- hostname: rosie
disableSearchDomain: true
ipAddress: 10.1.1.67
controlPlane: false
installDiskSelector:
busPath: /pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/
networkInterfaces:
- interface: eno1
dhcp: true
- hostname: gandalf-01
disableSearchDomain: true
ipAddress: 10.1.1.68
controlPlane: false
installDisk: /dev/sda
networkInterfaces:
- interface: enp5s0
dhcp: true
- hostname: shadowfax-01
disableSearchDomain: true
ipAddress: 10.1.1.69
controlPlane: false
installDiskSelector:
busPath: /pci0000:00/0000:00:01.1/0000:02:00.0/virtio6/host0/target0:0:0/0:0:0:1/
networkInterfaces:
- interface: enp5s0
dhcp: true
patches:
- |-
machine:
sysctls:
net.core.bpf_jit_harden: 1
kernelModules:
- name: nvidia
- name: nvidia_uvm
- name: nvidia_drm
- name: nvidia_modeset
schematic:
customization:
systemExtensions:
officialExtensions:
- siderolabs/amd-ucode
2024-10-11 07:30:38 -05:00
- siderolabs/nonfree-kmod-nvidia-production
- siderolabs/nvidia-container-toolkit-production
worker:
schematic:
customization:
extraKernelArgs:
- net.ifnames=1
systemExtensions:
officialExtensions:
- siderolabs/intel-ucode
- siderolabs/i915-ucode
2024-09-05 03:18:26 -05:00
patches:
# hugepages
- &hugepages |-
machine:
sysctls:
vm.nr_hugepages: "1024"
# Kubelet local mount
- &kubelet_extra_mounts |-
machine:
kubelet:
extraMounts:
- destination: /var/openebs/local
type: bind
source: /var/openebs/local
options:
- bind
- rshared
- rw
2024-09-05 03:18:26 -05:00
# Configure containerd
- &containerd |-
machine:
files:
- op: create
path: /etc/cri/conf.d/20-customization.part
content: |
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
enable_unprivileged_ports = true
enable_unprivileged_icmp = true
[plugins."io.containerd.grpc.v1.cri".containerd]
discard_unpacked_layers = false
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
discard_unpacked_layers = false
# Kubelet configuration
- &kubeletConf |-
machine:
kubelet:
defaultRuntimeSeccompProfileEnabled: true
extraArgs:
rotate-server-certificates: "true"
extraConfig:
maxPods: 150
nodeIP:
validSubnets:
- 10.1.1.0/24
- &sysctls |-
machine:
sysctls:
fs.inotify.max_queued_events: "65536"
fs.inotify.max_user_instances: "8192"
fs.inotify.max_user_watches: "524288"
2024-11-06 08:04:23 -06:00
net.core.rmem_max: "7500000"
net.core.wmem_max: "7500000"
2024-09-05 03:18:26 -05:00
- &nfsMountOptions |-
machine:
files:
- op: overwrite
path: /etc/nfsmount.conf
permissions: 0o644
content: |
[ NFSMount_Global_Options ]
nfsvers=4.1
hard=True
noatime=True
nodiratime=True
rsize=131072
wsize=131072
nconnect=8
- &hostDNS |-
machine:
features:
hostDNS:
enabled: true
resolveMemberNames: true
forwardKubeDNSToHost: false
- &searchDomain |-
machine:
network:
disableSearchDomain: true
- &nameservers |-
machine:
network:
nameservers:
- 10.1.1.1
2024-05-06 08:53:47 -05:00
controlPlane:
schematic:
customization:
extraKernelArgs:
- net.ifnames=1
systemExtensions:
officialExtensions:
- siderolabs/intel-ucode
- siderolabs/i915-ucode
2024-05-06 08:53:47 -05:00
patches:
# hugepages
- *hugepages
# Kubelet local mount
- *kubelet_extra_mounts
# Disable search domain everywhere
2024-09-05 03:18:26 -05:00
- *searchDomain
2024-05-06 08:53:47 -05:00
# Force nameserver
2024-09-05 03:18:26 -05:00
- *nameservers
2024-05-06 08:53:47 -05:00
# Configure NTP
- |-
machine:
time:
disabled: false
servers:
2024-09-01 21:16:41 -05:00
- time.cloudflare.com
2024-05-06 08:53:47 -05:00
# hostDNS configuration
2024-09-05 03:18:26 -05:00
- *hostDNS
# coreDNS configuration
- |-
cluster:
coreDNS:
disabled: true
2024-05-06 08:53:47 -05:00
# Cluster configuration
- |-
cluster:
allowSchedulingOnMasters: true
proxy:
disabled: true
network:
cni:
name: none
2024-05-14 08:56:38 -05:00
controllerManager:
extraArgs:
bind-address: 0.0.0.0
etcd:
extraArgs:
listen-metrics-urls: http://0.0.0.0:2381
scheduler:
extraArgs:
bind-address: 0.0.0.0
2024-05-06 08:53:47 -05:00
# ETCD configuration
- |-
cluster:
etcd:
advertisedSubnets:
- 10.1.1.0/24
# Configure containerd
2024-09-05 03:18:26 -05:00
- *containerd
2024-05-06 08:53:47 -05:00
# Disable default API server admission plugins.
- |-
- op: remove
path: /cluster/apiServer/admissionControl
# Enable K8s Talos API Access
- |-
machine:
features:
kubernetesTalosAPIAccess:
enabled: true
allowedRoles:
- os:admin
allowedKubernetesNamespaces:
- system-upgrade
# Kubelet configuration
2024-09-05 03:18:26 -05:00
- *kubeletConf
2024-05-06 08:53:47 -05:00
# Custom sysctls
2024-09-05 03:18:26 -05:00
- *sysctls
# Configure nfs mount options
2024-09-05 03:18:26 -05:00
- *nfsMountOptions