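---
# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json

# talhelper cluster definition: three control-plane nodes sharing a VIP plus
# three workers; node-independent settings are kept as anchored patches under
# `worker:` and re-used by alias under `controlPlane:`.
clusterName: theshire

# renovate: datasource=github-releases depName=siderolabs/talos
talosVersion: v1.9.1
# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
kubernetesVersion: 1.31.4

# API endpoint is the control-plane VIP advertised by bilbo/frodo/sam below.
endpoint: "https://10.1.1.8:6443"
# Extra SANs for the API server and machine certs: the VIP itself and the
# external load balancer that fronts it. Anything not listed here will fail
# TLS verification when it reaches the API through another address.
additionalApiServerCertSans: &sans
  - 10.1.1.8  # VIP
  - 10.1.1.57  # haproxy loadbalancer
additionalMachineCertSans: *sans

clusterPodNets:
  - "10.3.0.0/16"
clusterSvcNets:
  - "10.4.0.0/16"
## Cilium LBPool CIDR 10.1.1.30-49 --> 10.5.0.0/16

nodes:
  - hostname: bilbo
    disableSearchDomain: true
    ipAddress: 10.1.1.62
    controlPlane: true
    installDiskSelector:
      model: INTEL*
    networkInterfaces:
      - interface: eno1
        dhcp: true
        vip:
          ip: 10.1.1.8
    schematic:
      customization:
        extraKernelArgs:
          - net.ifnames=1
        systemExtensions:
          officialExtensions:
            - siderolabs/i915
            - siderolabs/intel-ucode

  - hostname: frodo
    disableSearchDomain: true
    ipAddress: 10.1.1.63
    controlPlane: true
    installDiskSelector:
      model: INTEL*
    networkInterfaces:
      - interface: eno1
        dhcp: true
        vip:
          ip: 10.1.1.8
    schematic:
      customization:
        extraKernelArgs:
          - net.ifnames=1
        systemExtensions:
          officialExtensions:
            - siderolabs/i915
            - siderolabs/intel-ucode

  - hostname: sam
    disableSearchDomain: true
    ipAddress: 10.1.1.64
    controlPlane: true
    installDiskSelector:
      model: INTEL*
    networkInterfaces:
      - interface: eno1
        dhcp: true
        vip:
          ip: 10.1.1.8
    schematic:
      customization:
        extraKernelArgs:
          - net.ifnames=1
        systemExtensions:
          officialExtensions:
            - siderolabs/i915
            - siderolabs/intel-ucode

  - hostname: pippin
    disableSearchDomain: true
    ipAddress: 10.1.1.65
    controlPlane: false
    installDiskSelector:
      model: INTEL*
    networkInterfaces:
      - interface: eno1
        dhcp: true
    schematic:
      customization:
        extraKernelArgs:
          - net.ifnames=1
        systemExtensions:
          officialExtensions:
            - siderolabs/i915
            - siderolabs/intel-ucode

  - hostname: merry
    disableSearchDomain: true
    ipAddress: 10.1.1.66
    controlPlane: false
    installDiskSelector:
      # Selected by stable WWID rather than model glob, unlike the other nodes.
      wwid: eui.0025385381b04243
    networkInterfaces:
      - interface: eno1
        dhcp: true
    patches:
      # Node-local patch: GPU node loads the NVIDIA modules and hardens the
      # eBPF JIT (sysctl values are strings, quoted like the shared sysctls).
      - |-
        machine:
          sysctls:
            net.core.bpf_jit_harden: "1"
          kernelModules:
            - name: nvidia
            - name: nvidia_uvm
            - name: nvidia_drm
            - name: nvidia_modeset
    schematic:
      customization:
        extraKernelArgs:
          - net.ifnames=1
        systemExtensions:
          officialExtensions:
            - siderolabs/amd-ucode
            - siderolabs/nvidia-container-toolkit-production
            - siderolabs/nvidia-open-gpu-kernel-modules-production

  - hostname: rosie
    disableSearchDomain: true
    ipAddress: 10.1.1.67
    controlPlane: false
    installDiskSelector:
      model: INTEL*
    networkInterfaces:
      - interface: eno1
        dhcp: true
    schematic:
      customization:
        extraKernelArgs:
          - net.ifnames=1
        systemExtensions:
          officialExtensions:
            - siderolabs/i915
            - siderolabs/intel-ucode

worker:
  patches:
    # registries
    # Credentials are placeholders substituted by talhelper at generation time;
    # only this template is meant to live in version control, not the rendered
    # machine configs that carry the resolved values.
    - &registries |-
      machine:
        registries:
          config:
            registry-1.docker.io:
              auth:
                username: ${dockerUsername}
                password: ${dockerPassword}
            docker.io:
              auth:
                username: ${dockerUsername}
                password: ${dockerPassword}
    # hugepages
    - &hugepages |-
      machine:
        sysctls:
          vm.nr_hugepages: "1024"
    # Kubelet local mount
    - &kubelet_extra_mounts |-
      machine:
        kubelet:
          extraMounts:
            - destination: /var/openebs/local
              type: bind
              source: /var/openebs/local
              options:
                - bind
                - rshared
                - rw
    # Configure containerd
    # enable_unprivileged_ports/icmp let non-root containers bind ports <1024
    # and open ICMP sockets; this is a node-wide relaxation, so pod-level
    # controls (securityContext, network policy) are what bound it.
    - &containerd |-
      machine:
        files:
          - op: create
            path: /etc/cri/conf.d/20-customization.part
            content: |
              [plugins]
                [plugins."io.containerd.grpc.v1.cri"]
                  enable_unprivileged_ports = true
                  enable_unprivileged_icmp = true
                [plugins."io.containerd.grpc.v1.cri".containerd]
                  discard_unpacked_layers = false
                [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
                  discard_unpacked_layers = false
    # Kubelet configuration
    # rotate-server-certificates makes the kubelet request serving certs via
    # CSR; something in-cluster has to approve those CSRs (not defined here).
    - &kubeletConf |-
      machine:
        kubelet:
          defaultRuntimeSeccompProfileEnabled: true
          extraArgs:
            rotate-server-certificates: "true"
          extraConfig:
            maxPods: 150
          nodeIP:
            validSubnets:
              - 10.1.1.0/24
    # Custom sysctls
    - &sysctls |-
      machine:
        sysctls:
          fs.inotify.max_queued_events: "65536"
          fs.inotify.max_user_instances: "8192"
          fs.inotify.max_user_watches: "524288"
          net.core.rmem_max: "7500000"
          net.core.wmem_max: "7500000"
    # Configure nfs mount options
    - &nfsMountOptions |-
      machine:
        files:
          - op: overwrite
            path: /etc/nfsmount.conf
            permissions: 0o644
            content: |
              [ NFSMount_Global_Options ]
              nfsvers=4.1
              hard=True
              noatime=True
              nodiratime=True
              rsize=131072
              wsize=131072
              nconnect=8
    # hostDNS configuration
    - &hostDNS |-
      machine:
        features:
          hostDNS:
            enabled: true
            resolveMemberNames: true
            forwardKubeDNSToHost: false
    # Disable search domain
    - &searchDomain |-
      machine:
        network:
          disableSearchDomain: true
    # Force nameserver
    - &nameservers |-
      machine:
        network:
          nameservers:
            - 10.1.1.1

controlPlane:
  patches:
    # registries
    - *registries
    # hugepages
    - *hugepages
    # Kubelet local mount
    - *kubelet_extra_mounts
    # Disable search domain everywhere
    - *searchDomain
    # Force nameserver
    - *nameservers
    # Configure NTP
    - |-
      machine:
        time:
          disabled: false
          servers:
            - time.cloudflare.com
    # hostDNS configuration
    - *hostDNS
    # coreDNS configuration
    - |-
      cluster:
        coreDNS:
          disabled: true
    # Cluster configuration
    # kube-proxy and the bundled CNI are off (Cilium is expected to provide
    # both). bind-address 0.0.0.0 / listen-metrics-urls expose controller
    # manager, scheduler and etcd metrics on every node interface, so these
    # ports are reachable from the whole node network unless filtered there.
    - |-
      cluster:
        allowSchedulingOnMasters: true
        proxy:
          disabled: true
        network:
          cni:
            name: none
        controllerManager:
          extraArgs:
            bind-address: 0.0.0.0
        etcd:
          extraArgs:
            listen-metrics-urls: http://0.0.0.0:2381
        scheduler:
          extraArgs:
            bind-address: 0.0.0.0
    # ETCD configuration
    - |-
      cluster:
        etcd:
          advertisedSubnets:
            - 10.1.1.0/24
    # Configure containerd
    - *containerd
    # Disable default API server admission plugins.
    # This drops Talos's default admissionControl list, which is where the
    # PodSecurity admission configuration normally lives; pod security
    # standards therefore have to be enforced by something else in-cluster.
    - |-
      - op: remove
        path: /cluster/apiServer/admissionControl
    # Enable K8s Talos API Access
    # Grants the os:admin Talos role to workloads in the listed namespaces
    # only; keep that list minimal, as os:admin is full control of the node.
    - |-
      machine:
        features:
          kubernetesTalosAPIAccess:
            enabled: true
            allowedRoles:
              - os:admin
            allowedKubernetesNamespaces:
              - system-upgrade
    # Kubelet configuration
    - *kubeletConf
    # Custom sysctls
    - *sysctls
    # Configure nfs mount options
    - *nfsMountOptions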