diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml
index b88c2a1f..56a56bdf 100644
--- a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yml
@@ -1,2 +1,2 @@
 ---
-providerRegex: ^bilbo|^frodo|^sam$
+providerRegex: ^bilbo|^frodo|^sam|^merry|^pippin|^rosie|^shadowfax-01|^gandalf-01$
diff --git a/kubernetes/bootstrap/talos/talconfig.yaml b/kubernetes/bootstrap/talos/talconfig.yaml
index ac731e6a..c2ac4fea 100644
--- a/kubernetes/bootstrap/talos/talconfig.yaml
+++ b/kubernetes/bootstrap/talos/talconfig.yaml
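Review bot: In the new `providerRegex` the `$` anchor binds only to the last alternative, so every name except `gandalf-01` is a prefix match: any node named `bilbo-anything`, `frodo2`, `sam-x` and so on would satisfy the regex, which is what kubelet-csr-approver uses to decide whose kubelet serving-certificate CSRs are auto-approved. The original value already had this shape (`^sam$` was the only fully anchored entry), but the commit extends the list without closing the gap, and the talconfig hunk that turns on `rotate-server-certificates` for workers makes this regex gate more CSRs than before. Anchoring each alternative restores the exact-match intent: `providerRegex: ^(bilbo|frodo|sam|merry|pippin|rosie|shadowfax-01|gandalf-01)$`.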
@@ -170,6 +170,73 @@ worker: officialExtensions: - siderolabs/intel-ucode - siderolabs/i915-ucode + patches: + # Configure containerd + - &containerd |- + machine: + files: + - op: create + path: /etc/cri/conf.d/20-customization.part + content: | + [plugins] + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + [plugins."io.containerd.grpc.v1.cri".containerd] + discard_unpacked_layers = false + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + discard_unpacked_layers = false + # Kubelet configuration + - &kubeletConf |- + machine: + kubelet: + defaultRuntimeSeccompProfileEnabled: true + extraArgs: + rotate-server-certificates: "true" + extraConfig: + maxPods: 150 + nodeIP: + validSubnets: + - 10.1.1.0/24 + - &sysctls |- + machine: + sysctls: + fs.inotify.max_queued_events: "65536" + fs.inotify.max_user_instances: "8192" + fs.inotify.max_user_watches: "524288" + net.core.rmem_max: "2500000" + net.core.wmem_max: "2500000" + - &nfsMountOptions |- + machine: + files: + - op: overwrite + path: /etc/nfsmount.conf + permissions: 0o644 + content: | + [ NFSMount_Global_Options ] + nfsvers=4.1 + hard=True + noatime=True + nodiratime=True + rsize=131072 + wsize=131072 + nconnect=8 + - &hostDNS |- + machine: + features: + hostDNS: + enabled: true + resolveMemberNames: true + forwardKubeDNSToHost: false + - &searchDomain |- + machine: + network: + disableSearchDomain: true + - &nameservers |- + machine: + network: + nameservers: + - 10.1.1.1 controlPlane: schematic: customization: @@ -181,17 +248,10 @@ controlPlane: - siderolabs/i915-ucode patches: # Disable search domain everywhere - - |- - machine: - network: - disableSearchDomain: true + - *searchDomain # Force nameserver - - |- - machine: - network: - nameservers: - - 10.1.1.1 + - *nameservers # Configure NTP - |- 
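Review bot: The `&kubeletConf` patch now applies `rotate-server-certificates: "true"` to the worker nodes, so their serving-certificate CSRs only get approved if the kubelet-csr-approver `providerRegex` in helm-values.yml matches the worker node names, and that coupling is not recorded anywhere in the worker stanza; a comment above the `extraArgs` line such as `# serving CSRs are auto-approved by kubelet-csr-approver; keep providerRegex in helm-values.yml in sync with node names` would make the dependency visible, and the first hunk of this diff appears to be the matching regex update. The anchors `&sysctls`, `&nfsMountOptions`, `&hostDNS`, `&searchDomain` and `&nameservers` also carry no comment, while `&containerd` and `&kubeletConf` do and the controlPlane list they are aliased into keeps one comment per patch; a one-line comment above each anchor (for example `# Custom sysctls`, `# Configure nfs mount options`, `# hostDNS configuration`) keeps the two lists equally readable. Note as well that the containerd `enable_unprivileged_ports`/`enable_unprivileged_icmp` settings and the hostDNS patch become effective on workers with this hunk, which looks intended but is not stated.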
@@ -201,22 +261,8 @@ controlPlane: servers: - time.cloudflare.com - # Enable KubePrism - - |- - machine: - features: - kubePrism: - enabled: true - port: 7445 - # hostDNS configuration - - |- - machine: - features: - hostDNS: - enabled: true - resolveMemberNames: true - forwardKubeDNSToHost: false + - *hostDNS # coreDNS configuration - |- @@ -251,20 +297,7 @@ controlPlane: - 10.1.1.0/24 # Configure containerd - - |- - machine: - files: - - op: create - path: /etc/cri/conf.d/20-customization.part - content: | - [plugins] - [plugins."io.containerd.grpc.v1.cri"] - enable_unprivileged_ports = true - enable_unprivileged_icmp = true - [plugins."io.containerd.grpc.v1.cri".containerd] - discard_unpacked_layers = false - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] - discard_unpacked_layers = false + - *containerd # Disable default API server admission plugins. - |- @@ -283,41 +316,10 @@ controlPlane: - system-upgrade # Kubelet configuration - - |- - machine: - kubelet: - defaultRuntimeSeccompProfileEnabled: true - extraArgs: - rotate-server-certificates: "true" - extraConfig: - maxPods: 150 - nodeIP: - validSubnets: - - 10.1.1.0/24 + - *kubeletConf # Custom sysctls - - |- - machine: - sysctls: - fs.inotify.max_queued_events: "65536" - fs.inotify.max_user_instances: "8192" - fs.inotify.max_user_watches: "524288" - net.core.rmem_max: "2500000" - net.core.wmem_max: "2500000" + - *sysctls # Configure nfs mount options - - |- - machine: - files: - - op: overwrite - path: /etc/nfsmount.conf - permissions: 0o644 - content: | - [ NFSMount_Global_Options ] - nfsvers=4.1 - hard=True - noatime=True - nodiratime=True - rsize=131072 - wsize=131072 - nconnect=8 + - *nfsMountOptions
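Review bot: The `# Enable KubePrism` patch (kubePrism `enabled: true`, `port: 7445`) is removed from the controlPlane patches without an alias taking its place, unlike every other patch removed in this diff, so this hunk changes the rendered machine config rather than only deduplicating it. If the intent is to rely on the Talos default for KubePrism, a comment at that position such as `# KubePrism: relying on the Talos default` would make that explicit; otherwise a `&kubePrism` anchor in the worker patches with `- *kubePrism` here would preserve the setting. The hunks at `@@ -251` and `@@ -283` are pure alias substitutions whose anchored content matches the removed text and raise nothing.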