jahanson/valinor
Archived
1
0
Fork 0
Code Issues1 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

..

23 commits
48b15c5f5d ... cf0ad396b0

Author SHA1 Message Date
Smeagol
cf0ad396b0 Update Helm release app-template to v2.4.0 2023-12-13 16:06:14 +00:00
Joseph Hanson
77e513d817
Update externaldns revision 2023-12-12 16:10:06 -06:00
Joseph Hanson
ec4dbfc30c Merge pull request 'Update Helm release cert-manager to v1.13.3' () from renovate/cert-manager-1.x into main 
Reviewed-on:
2023-12-12 22:07:25 +00:00
Joseph Hanson
b3461cd357 Merge pull request 'Update quay.io/prometheus/alertmanager:main Docker digest to cf3b474' () from renovate/quay.io-prometheus-alertmanager-main into main 
Reviewed-on:
2023-12-12 22:07:15 +00:00
Joseph Hanson
7924b2696d Merge pull request 'Update Helm release grafana to v7.0.17' () from renovate/grafana-7.x into main 
Reviewed-on:
2023-12-12 22:07:03 +00:00
Joseph Hanson
3560057df5
don't declare CNAME. 2023-12-12 15:33:08 -06:00
Joseph Hanson
5e05b6ecff
Proxy ingress. 2023-12-12 15:33:07 -06:00
Joseph Hanson
688415fc65 Merge pull request 'Update kube-prometheus-stack Docker tag to v55.3.1' () from renovate/kube-prometheus-stack-55.x into main 
Reviewed-on:
2023-12-12 21:26:24 +00:00
Smeagol
f246416745 Update kube-prometheus-stack Docker tag to v55.3.1 2023-12-12 20:40:01 +00:00
Joseph Hanson
849d21dd19
Moving grafana resources to external file. 2023-12-12 14:36:20 -06:00
Joseph Hanson
ece569535b
Back to talosnet. 2023-12-12 13:11:52 -06:00
Joseph Hanson
844879f83e
Add tolerations to csr-approver for hccm. 2023-12-12 13:11:27 -06:00
Joseph Hanson
c0261d7053
Add hcloud to bootstrap. 2023-12-12 13:10:12 -06:00
Joseph Hanson
ca4b6786f1
Update service endpoint 2023-12-12 13:09:33 -06:00
Joseph Hanson
e7be552415
Added limit, it was crashing without one. 2023-12-12 09:19:50 -06:00
Smeagol
a086d5ce8a Update Helm release grafana to v7.0.17 2023-12-12 15:01:17 +00:00
Joseph Hanson
58ec4cd87d
Added drives and switched blockpool to erasure coded. 2023-12-12 08:10:18 -06:00
Smeagol
0165d90573 Update Helm release cert-manager to v1.13.3 2023-12-12 06:07:06 +00:00
Smeagol
f2eb89105d Update quay.io/prometheus/alertmanager:main Docker digest to cf3b474 2023-12-11 14:01:11 +00:00
Joseph Hanson
fef15282b3
nope. 2023-12-10 22:04:29 -06:00
Joseph Hanson
a9100b44f8
KubePrism. 2023-12-10 21:49:27 -06:00
Joseph Hanson
8ec4555466
Update cilium k8s endpoint 2023-12-10 21:43:08 -06:00
Joseph Hanson
bbf93870ac
updating to use different ips 2023-12-10 16:36:38 -06:00
16 changed files with 350 additions and 61 deletions
.renovate
customManagers.json5
kubernetes
apps
cert-manager/cert-manager/app
helmrelease.yaml
flux-system/add-ons/webhooks/git
ingress.yaml
kube-system/cilium/app
helmrelease.yaml
monitoring
alertmanager/app
helmrelease.yaml
grafana/app
helmrelease.yaml
kube-prometheus-stack/app
helmrelease.yaml
rook-ceph/rook-ceph/cluster
helmrelease.yaml
system/kubelet-csr-approver/app
helmrelease.yaml
bootstrap
hcloud.sops.yamlreadme.md
flux/vars
cluster-secrets.sops.yaml
renovate.json5
talos
talconfig-pips.yamltalconfig.yamltalenv.sops.yaml

22
.renovate/customManagers.json5
View file

@ -1,5 +1,14 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"customDatasources": {
"grafana-dashboards": {
"defaultRegistryUrlTemplate": "https://grafana.com/api/dashboards/{{packageName}}",
"format": "json",
"transformTemplates": [
"{\"releases\":[{\"version\": $string(revision)}]}"
]
}
},
"customManagers": [
{
"customType": "regex",
@ -8,10 +17,21 @@
"(^|/)kubernetes/.+\\.ya?ml(\\.j2)?$"
],
"matchStrings": [
"depName=\"(?<depName>.*)\"\\n\\s+gnetId:\\s+(?<packageName>.*?)\\n\\s+revision:\\s+(?<currentValue>.*)"
"depName=\"(?<depName>\\S+)\"\\n.*?gnetId: (?<packageName>\\d+)\\n.*?revision: (?<currentValue>\\d+)"
],
"datasourceTemplate": "custom.grafana-dashboards",
"versioningTemplate": "regex:^(?<major>\\d+)$"
}
],
"packageRules": [
{
"addLabels": ["renovate/grafana-dashboard"],
"commitMessageExtra": "to revision {{newVersion}}",
"commitMessageTopic": "dashboard {{depName}}",
"matchDatasources": ["grafana-dashboards", "custom.grafana-dashboards"],
"matchUpdateTypes": ["major"],
"semanticCommitScope": "grafana-dashboards",
"semanticCommitType": "chore"
}
]
}

2
kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
View file

@ -10,7 +10,7 @@ spec:
chart:
spec:
chart: cert-manager
version: v1.13.2
version: v1.13.3
sourceRef:
kind: HelmRepository
name: jetstack

2
kubernetes/apps/flux-system/add-ons/webhooks/git/ingress.yaml
View file

@ -5,7 +5,7 @@ metadata:
name: webhook-receiver
namespace: flux-system
annotations:
external-dns.alpha.kubernetes.io/target: valinor.hsn.dev
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
spec:
ingressClassName: "hsn-nginx"
rules:

2
kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
View file

@ -54,6 +54,6 @@ spec:
autoMount:
enabled: false
hostRoot: /sys/fs/cgroup
k8sServiceHost: 10.2.0.6
k8sServiceHost: ${K8S_SERVICE_ENDPOINT}
k8sServicePort: 6443
rollOutCiliumPods: true

2
kubernetes/apps/monitoring/alertmanager/app/helmrelease.yaml
View file

@ -27,7 +27,7 @@ spec:
main:
image:
repository: quay.io/prometheus/alertmanager
tag: main@sha256:0834f92a9be3e81baf573a5a286a1d7496b813430fd392aaaa4043b36605bb01
tag: main@sha256:cf3b474d32e1f66fd2d80750bf35529aa4b49dad724857f4c481ab9a53befd94
pullPolicy: IfNotPresent
podAnnotations:
reloader.stakater.com/auto: "true"

4
kubernetes/apps/monitoring/grafana/app/helmrelease.yaml
View file

@ -14,7 +14,7 @@ spec:
kind: HelmRepository
name: grafana
namespace: flux-system
version: 7.0.11
version: 7.0.17
interval: 30m
timeout: 20m
maxHistory: 2
@ -159,7 +159,7 @@ spec:
external-dns:
# renovate: depName="External-dns"
gnetId: 15038
revision: 1
revision: 3
datasource: Prometheus
# minio:
# # renovate: depName="MinIO Dashboard"

2
kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml
View file

@ -11,7 +11,7 @@ spec:
chart:
spec:
chart: kube-prometheus-stack
version: 55.0.0
version: 55.3.1
sourceRef:
kind: HelmRepository
name: prometheus-community

15
kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
View file

@ -57,18 +57,20 @@ spec:
nodes:
- name: "nienna"
devices:
- name: /dev/disk/by-id/scsi-0HC_Volume_37460833
- name: /dev/disk/by-id/nvme-SAMSUNG_MZVLB1T0HALR-00000_S3W6NA0M610693
- name: /dev/disk/by-id/ata-ST16000NM001J-2TW113_ZR5E7NQR
- name: "orome"
devices:
- name: /dev/disk/by-id/scsi-0HC_Volume_37645333
- name: /dev/disk/by-id/nvme-SAMSUNG_MZVLB1T0HBLR-00000_S4GJNX0R613503
- name: /dev/disk/by-id/ata-ST16000NM001J-2TW113_ZR6021Z3
resources:
mgr:
limits:
cpu: "1000m"
memory: "1Gi"
memory: "4Gi"
requests:
cpu: "1000m"
memory: "1Gi"
memory: "4Gi"
cephBlockPoolsVolumeSnapshotClass:
enabled: false
@ -77,8 +79,9 @@ spec:
- name: ceph-blockpool
spec:
failureDomain: host
replicated:
size: 3
erasureCoded:
dataChunks: 2
codingChunks: 1
storageClass:
enabled: true
name: ceph-block

11
kubernetes/apps/system/kubelet-csr-approver/app/helmrelease.yaml
View file

@ -16,6 +16,17 @@ spec:
name: postfinance
namespace: flux-system
interval: 30m
values:
tolerations:
# https://github.com/hetznercloud/hcloud-cloud-controller-manager
# Allow HCCM itself to schedule on nodes that have not yet been initialized by HCCM.
- key: "node.cloudprovider.kubernetes.io/uninitialized"
value: "true"
effect: "NoSchedule"
- key: "CriticalAddonsOnly"
operator: "Exists"
valuesFrom:
- kind: ConfigMap
name: kubelet-csr-approver-values

30
kubernetes/bootstrap/hcloud.sops.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: v1
kind: Secret
metadata:
name: hcloud
namespace: kube-system
stringData:
ROBOT_ENABLED: ENC[AES256_GCM,data:tTSnWw==,iv:rSrqYIiQSOv6G0QxSYVU6DtW7b3PT7XNF/1pWx68M1g=,tag:2m6YXewARCcyXTjZGimodQ==,type:str]
token: ENC[AES256_GCM,data:DzLwUiv5JH/S6OBrzgNp0NO5U/7w0Pq2YtQ7uOAfg7Iw90qzGlzc8CqzlQOw0jHv91LzCUgjpeZn9QP93Dgprw==,iv:T6rqz1HmdKATl+8ov5qclhAo/NzHQTIN6eRSiCEyiZU=,tag:39VZ8N96NEXgvXTPQ/vvBA==,type:str]
robot-password: ENC[AES256_GCM,data:OeITzLUpgj03MyQ2n+SYgwykcw==,iv:9ZdbQW4ZAtqmGEiR4KBsziRXMAoHGHcBYXiwjep5H2A=,tag:4eGKJTfn0+NARz1k7j8jXA==,type:str]
robot-user: ENC[AES256_GCM,data:Cy2ilSDCVNaxES0N,iv:fs/fu9OOhNPDwgnw1xV8SPtbzlbDkbynvL4Z5L6aO2o=,tag:n2+BeAx8HLtD4rFbKMdUqw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaVJMaEQvSGw1Y3h1WXVi
TGFnM1dTaHRaUEtOaVl5anpKazZjbVRpckIwCi9Bc1BueHYvMUljdWRrZFVpQldJ
bkRVMWJIdmdubGJXL2NOeUloV3RXQ0EKLS0tIEZadWZJcytYZW5ZdmtFbGcrUjZN
SGkvdTBIM1hxMTREL1JDT0NCcXo0ckUKW3fJ509OnrgKxLvWHALLvA4Ha91pN+GM
JRdKi8tSlyVEpFgumeOsan3fIrsi9urgqYjMuW5e6ApMZ8/2522MWA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-12T18:16:51Z"
mac: ENC[AES256_GCM,data:m3jplww3Pv4UnCIdyJ2DEkA95U5+Ovddk2DhEG7KhVQ/PTtG31UFCHdoBIgHf0ZcYmAYRLeyvUfRmi19I+h0h1eDrlbTwpFSYByunLvJZqk2Dp9WWCyGnoJ2Wh/dzW/pcLRSJCZWPxUGPR48cyZTlzg+iZHm760kbXQmzAE+ZHc=,iv:xxyyd9IaTtd+Te+2T156/c+842GVeOoPEs+IBZibWrk=,tag:EruEq5+6kU+nme9NydF/bg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.8.1

2
kubernetes/bootstrap/readme.md
View file

@ -15,8 +15,10 @@ _These cannot be applied with `kubectl` in the regular fashion due to be encrypt
```sh
sops --decrypt kubernetes/bootstrap/flux/age-key.sops.yaml | kubectl apply -f -
sops --decrypt kubernetes/bootstrap/flux/git-deploy-key.sops.yaml | kubectl apply -f -
sops --decrypt kubernetes/bootstrap/hcloud.sops.yaml | kubectl apply -f -
sops --decrypt kubernetes/flux/vars/cluster-secrets.sops.yaml | kubectl apply -f -
kubectl apply -f kubernetes/flux/vars/cluster-settings.yaml
kubectl apply -k kubernetes/apps/monitoring/kube-prometheus-stack/crds/
```
### Kick off Flux applying this repository

5
kubernetes/flux/vars/cluster-secrets.sops.yaml
View file

@ -8,6 +8,7 @@ stringData:
SECRET_PUSHOVER_ALERT_MANAGER_APIKEY: ENC[AES256_GCM,data:4+9e/tWQBszoPakAo+1vNhWsdKz8qfoioeUz+dTb,iv:sY4dkzMEmvi8kCLesBiknmoYHWq3uqXpWs5Y4FeFSuk=,tag:rPxH+5m6rPiSnhm2JrrT4w==,type:str]
SECRET_HEALTHCHECKS_WEBHOOK: ENC[AES256_GCM,data:a6hjTy2HRy7s2+KHxfop8077CgAzzILCF/g5I9TIXdhRiziUrLpJVzC0mqNmfdooJsZyErrJ9ihamFKLFoK8S/PmD5IgWuZu,iv:l5JTxmiWct5nr7eJM/Rtl7AclhCoIQ4KW6nJK6Slhg0=,tag:K5yGxYBTNSSoxYJt8Kmhyw==,type:str]
SECRET_CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:X63a7aMBMyd9Be6bik0knOyMXnYx/Kg3SoOrG0bkAHU=,iv:POcU1kIRWekrzUdzqPopKDovviK+fMZRVuZVWp9Vuuc=,tag:n9UamxITJCiLbH37Ta2lTg==,type:str]
K8S_SERVICE_ENDPOINT: ENC[AES256_GCM,data:3Ozpy3bMzEc=,iv:l0ND37q9ygRzYy/sjjzQC6vHk44PxPAxQPGVll5tXqQ=,tag:jK3FQiHRRoBBKhYugk2/NQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -23,8 +24,8 @@ sops:
dDhWMDZYait3UzNRZy9oVk85cHBPdEUKa7e22jHlW1chaLDKBB1in8ZTFnfKMXug
QJQ/9z6z/RjmnnFam2FWg++Xg2A8LQ7XTZcfR97csf59DQ/xwu7sVw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-28T03:23:26Z"
mac: ENC[AES256_GCM,data:pymGYIauY1QsSuepCBNRi+s1g2UypI5/RIe+c4auKfyv0QFdgPHTPHYhT0q4g8nfFwFp8E6u9oxFlDZSR1Vy3BHc4RqZCREA6+kKHG7bwH25xvhtWUQnLq7bDkNhm7ZzjEeIgNq5pEXeeNr12nlHJqTFw++lvnGjJRJJ5Rzl0AQ=,iv:EMrOFhLoNodX0KCiMqoA/FI+WqypChI+53JCg+eu6OE=,tag:DUOR4uf2ib0eYlJOdTfNNg==,type:str]
lastmodified: "2023-12-12T17:41:48Z"
mac: ENC[AES256_GCM,data:ViV0wIxtAak3BTEALubdJfZZpGO5fvdfzaqQ3LRcZZfEG2tuV/1cUT4UNfENA/Pu/3v6htfepAekwUJPrBLCGQzIdwnrjgeLV3njtwNVeGh9+y/6PGwK3+7Biymg7fWYFEyL348aHyPfZ744Z6Y5bFEoiRfTIW6FgQyZ9DOJ32s=,iv:1DBDc/zekjjbj8TBAX3FbPTyXrwkVt3OJL2OhvcVRqo=,tag:naNziCLKmuXffWHnATB88w==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.8.1

9
renovate.json5
View file

@ -22,15 +22,6 @@
"kubernetes/.+\\.ya?ml$"
]
},
"customDatasources": {
"grafana-dashboards": {
"defaultRegistryUrlTemplate": "https://grafana.com/api/dashboards/{{packageName}}",
"format": "json",
"transformTemplates": [
"{\"releases\":[{\"version\": $string(revision)}]}"
]
}
},
"regexManagers": [
{
"description": [

214
talos/talconfig-pips.yaml Normal file
View file

@ -0,0 +1,214 @@
---
clusterName: valinor
talosVersion: v1.5.5
kubernetesVersion: 1.28.4
endpoint: "https://10.2.0.3:6443"
cniConfig:
name: none
additionalApiServerCertSans:
- 10.2.0.3
additionalMachineCertSans:
- 10.2.0.3
nodes:
# cloud CAX21 Arm64
- hostname: aule
disableSearchDomain: true
ipAddress: 10.2.0.4
controlPlane: true
installDiskSelector:
busPath: /dev/sda
networkInterfaces:
- interface: eth0
dhcp: true
- interface: eth1
dhcp: true
routes:
- network: 10.2.0.0/16
gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
metric: 2048
# cloud CAX21 Arm64
- hostname: arlen
disableSearchDomain: true
ipAddress: 10.2.0.5
controlPlane: true
installDiskSelector:
busPath: /dev/sda
networkInterfaces:
- interface: eth0
dhcp: true
- interface: eth1
dhcp: true
routes:
- network: 10.2.0.0/16
gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
metric: 2048
# cloud CAX21 Arm64
- hostname: eonwe
disableSearchDomain: true
ipAddress: 10.2.0.6
controlPlane: true
installDiskSelector:
busPath: /dev/sda
networkInterfaces:
- interface: eth0
dhcp: true
- interface: eth1
dhcp: true
routes:
- network: 10.2.0.0/16
gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
metric: 2048
# Bare-metal AX41-Nvme - AMD Ryzen 5 3600 6-Core Processor (Zen2) - 64GB ECC RAM
- hostname: nienna
disableSearchDomain: true
ipAddress: 10.2.1.2
controlPlane: false
# customization:
# extraKernelArgs:
# - net.ifnames=0
# systemExtensions:
# officialExtensions:
# - siderolabs/amd-ucode
# - siderolabs/qemu-guest-agent
talosImageURL: factory.talos.dev/installer/696bb48d9c48e567596f393a4ff9bfd26d4dda5d92c16beb580e96fa68d6324c
# https://factory.talos.dev/image/696bb48d9c48e567596f393a4ff9bfd26d4dda5d92c16beb580e96fa68d6324c/v1.5.5/metal-amd64.iso
# no guest agent in the raw.xz image
# https://factory.talos.dev/image/6c789e7a3eec37617fd9d239a7f696ba48e75bc4780f5cb30bf8882686d79a22/v1.5.5/metal-amd64.raw.xz
installDiskSelector:
busPath: /pci0000:00/0000:00:0a.0/virtio2/
# Ceph Disk Fast: /pci0000:00/0000:00:11.0/nvme/nvme0/nvme0n1
# Ceph Disk Large: /pci0000:00/0000:00:10.0/ata1/host0/target0:0:0/0:0:0:0/
networkInterfaces:
- interface: eth0
dhcp: true
- interface: eth1
dhcp: false
vlans:
- vlanId: 4010
mtu: 1400
addresses:
- 10.2.1.2/24
dhcp: false
routes:
- network: 10.2.0.0/16
gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route).
metric: 2048
# VM on EX44 - Intel Gen 13 (Raptor Lake) - 64GB RAM
- hostname: orome
disableSearchDomain: true
ipAddress: 10.2.1.3
controlPlane: false
# customization:
# extraKernelArgs:
# - net.ifnames=0
# systemExtensions:
# officialExtensions:
# - siderolabs/i915-ucode
# - siderolabs/intel-ucode
# - siderolabs/qemu-guest-agent
talosImageURL: factory.talos.dev/installer/f2f665587318c2d79e7b315cc333fff276ed59c8de831f16e28b4db107496ac2
# https://factory.talos.dev/image/f2f665587318c2d79e7b315cc333fff276ed59c8de831f16e28b4db107496ac2/metal-amd64.iso
installDiskSelector:
busPath: /pci0000:00/0000:00:0a.0/virtio2/
# Ceph Disk: /dev/disk/by-id/nvme-SAMSUNG_MZVL2512HCJQ-00B00_S675NU0TB36132
networkInterfaces:
- interface: eth0
dhcp: true
- interface: eth1
dhcp: false
vlans:
- vlanId: 4010
mtu: 1400
addresses:
- 10.2.1.3/24
dhcp: false
routes:
- network: 10.2.0.0/16
gateway: 10.2.1.1 # The route's gateway (if empty, creates link scope route).
metric: 2048
worker:
patches:
- |-
cluster:
externalCloudProvider:
enabled: true
manifests:
- https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/latest/download/ccm.yaml
machine:
sysctls:
fs.inotify.max_user_watches: "1048576"
fs.inotify.max_user_instances: "8192"
time:
disabled: false
servers:
- ntp.hetzner.com
kubelet:
extraArgs:
feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,NewVolumeManagerReconstruction=false
rotate-server-certificates: "true"
extraConfig:
maxPods: 150
nodeIP:
validSubnets:
- 10.2.0.0/16
controlPlane:
patches:
- |-
cluster:
allowSchedulingOnMasters: true
externalCloudProvider:
enabled: true
manifests:
- https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/latest/download/ccm.yaml
network:
cni:
name: none
proxy:
disabled: true
etcd:
advertisedSubnets:
- 10.2.0.0/24
- |-
- op: remove
path: /cluster/apiServer/admissionControl
- |-
machine:
features:
kubePrism:
enabled: true
port: 7445
files:
- op: create
path: /etc/cri/conf.d/20-customization.part
content: |
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
enable_unprivileged_ports = true
enable_unprivileged_icmp = true
kubelet:
extraArgs:
feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,NewVolumeManagerReconstruction=false
rotate-server-certificates: "true"
extraConfig:
maxPods: 150
nodeIP:
validSubnets:
- 10.2.0.0/16
network:
extraHostEntries:
- ip: 10.2.0.3
sysctls:
fs.inotify.max_user_watches: "1048576"
fs.inotify.max_user_instances: "8192"
time:
disabled: false
servers:
- ntp.hetzner.com

76
talos/talconfig.yaml
View file

@ -3,38 +3,22 @@ clusterName: valinor
talosVersion: v1.5.5
kubernetesVersion: 1.28.4
endpoint: "https://10.2.0.3:6443"
endpoint: "https://${clusterEndpointIP}:6443"
cniConfig:
name: none
additionalApiServerCertSans:
- 10.2.0.3
- ${clusterEndpointIP}
additionalMachineCertSans:
- 10.2.0.3
- ${clusterEndpointIP}
nodes:
# cloud CAX21 Arm64
- hostname: aule
disableSearchDomain: true
ipAddress: 10.2.0.4
controlPlane: true
installDiskSelector:
busPath: /dev/sda
networkInterfaces:
- interface: eth0
dhcp: true
- interface: eth1
dhcp: true
routes:
- network: 10.2.0.0/16
gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
metric: 2048
# cloud CAX21 Arm64
- hostname: arlen
disableSearchDomain: true
ipAddress: 10.2.0.5
ipAddress: ${arlenIP}
controlPlane: true
installDiskSelector:
busPath: /dev/sda
@ -50,7 +34,23 @@ nodes:
# cloud CAX21 Arm64
- hostname: eonwe
disableSearchDomain: true
ipAddress: 10.2.0.6
ipAddress: ${eonweIP}
controlPlane: true
installDiskSelector:
busPath: /dev/sda
networkInterfaces:
- interface: eth0
dhcp: true
- interface: eth1
dhcp: true
routes:
- network: 10.2.0.0/16
gateway: 10.2.0.1 # The route's gateway (if empty, creates link scope route).
metric: 2048
# cloud CAX21 Arm64
- hostname: aule
disableSearchDomain: true
ipAddress: ${auleIP}
controlPlane: true
installDiskSelector:
busPath: /dev/sda
@ -66,7 +66,7 @@ nodes:
# Bare-metal AX41-Nvme - AMD Ryzen 5 3600 6-Core Processor (Zen2) - 64GB ECC RAM
- hostname: nienna
disableSearchDomain: true
ipAddress: 10.2.1.2
ipAddress: ${niennaIP}
controlPlane: false
# customization:
# extraKernelArgs:
@ -75,14 +75,12 @@ nodes:
# officialExtensions:
# - siderolabs/amd-ucode
# - siderolabs/qemu-guest-agent
talosImageURL: factory.talos.dev/installer/696bb48d9c48e567596f393a4ff9bfd26d4dda5d92c16beb580e96fa68d6324c
talosImageURL: harbor.hsn.dev/factory.talos.dev/installer/696bb48d9c48e567596f393a4ff9bfd26d4dda5d92c16beb580e96fa68d6324c
# https://factory.talos.dev/image/696bb48d9c48e567596f393a4ff9bfd26d4dda5d92c16beb580e96fa68d6324c/v1.5.5/metal-amd64.iso
# no guest agent in the raw.xz image
# https://factory.talos.dev/image/6c789e7a3eec37617fd9d239a7f696ba48e75bc4780f5cb30bf8882686d79a22/v1.5.5/metal-amd64.raw.xz
installDiskSelector:
busPath: /pci0000:00/0000:00:0a.0/virtio2/
# Ceph Disk Fast: /pci0000:00/0000:00:11.0/nvme/nvme0/nvme0n1
# Ceph Disk Large: /pci0000:00/0000:00:10.0/ata1/host0/target0:0:0/0:0:0:0/
networkInterfaces:
- interface: eth0
dhcp: true
@ -101,7 +99,7 @@ nodes:
# VM on EX44 - Intel Gen 13 (Raptor Lake) - 64GB RAM
- hostname: orome
disableSearchDomain: true
ipAddress: 10.2.1.3
ipAddress: ${oromeIP}
controlPlane: false
# customization:
# extraKernelArgs:
@ -111,11 +109,10 @@ nodes:
# - siderolabs/i915-ucode
# - siderolabs/intel-ucode
# - siderolabs/qemu-guest-agent
talosImageURL: factory.talos.dev/installer/f2f665587318c2d79e7b315cc333fff276ed59c8de831f16e28b4db107496ac2
talosImageURL: harbor.hsn.dev/factory.talos.dev/installer/f2f665587318c2d79e7b315cc333fff276ed59c8de831f16e28b4db107496ac2
# https://factory.talos.dev/image/f2f665587318c2d79e7b315cc333fff276ed59c8de831f16e28b4db107496ac2/metal-amd64.iso
installDiskSelector:
busPath: /pci0000:00/0000:00:0a.0/virtio2/
# Ceph Disk: /dev/disk/by-id/nvme-SAMSUNG_MZVL2512HCJQ-00B00_S675NU0TB36132
networkInterfaces:
- interface: eth0
dhcp: true
@ -156,6 +153,16 @@ worker:
nodeIP:
validSubnets:
- 10.2.0.0/16
registries:
mirrors:
docker.io:
endpoints:
- http://harbor.hsn.dev/v2/docker.io
overridePath: true
ghcr.io:
endpoints:
- http://harbor.hsn.dev/v2/ghcr.io
overridePath: true
controlPlane:
patches:
- |-
@ -184,6 +191,16 @@ controlPlane:
kubePrism:
enabled: true
port: 7445
registries:
mirrors:
docker.io:
endpoints:
- http://harbor.hsn.dev/v2/docker.io
overridePath: true
ghcr.io:
endpoints:
- http://harbor.hsn.dev/v2/ghcr.io
overridePath: true
files:
- op: create
@ -202,9 +219,6 @@ controlPlane:
nodeIP:
validSubnets:
- 10.2.0.0/16
network:
extraHostEntries:
- ip: 10.2.0.3
sysctls:
fs.inotify.max_user_watches: "1048576"
fs.inotify.max_user_instances: "8192"

13
talos/talenv.sops.yaml
View file

@ -1,7 +1,10 @@
clusterName: ENC[AES256_GCM,data:iT5CwpMddw==,iv:st1ajjpRXQiHozpIJqUUwmRe542IiR2aWLEdqkk4W9k=,tag:KOCQ8x28kwNNDUXwOTpulg==,type:str]
clusterEndpointIP: ENC[AES256_GCM,data:5VXivET/uV4=,iv:SRhLmDfbSlhnb9DsaFXCqiP/Bx4Khi4GdXseyuhuYAw=,tag:BrP3OL/1FwrUyCMWRFB0BQ==,type:str]
oromeIP: ENC[AES256_GCM,data:SQyZ1Lpe8HipAbpOdGWRMQ==,iv:1u1eM3N90BvX9tob0c+hKXUFlrFWDh+oKM+sSRrmSyY=,tag:oWjt80hHImn0s1r0CM+1eA==,type:str]
oromeGateway: ENC[AES256_GCM,data:Ic8WKbNl9SsdfYT1,iv:HlKGNuBrvHjwrydybAD7cQEKYXL/JLzs/1m+G2bznYA=,tag:NGt1IacjxuX1XqP7mHB5ww==,type:str]
clusterEndpointIP: ENC[AES256_GCM,data:3oaQK/8A4H8=,iv:GUtz5qkZMy/mq+Qf2VkoxTJpoeC7F8ySJcmzcTcLEkY=,tag:8GsMnWRBptAhzSQ9IZxwbA==,type:str]
auleIP: ENC[AES256_GCM,data:l+3uRMhfUDk=,iv:emxhDXyCKP9ijhxH4egI/3i+BCprcPf0AIVVi29GCGE=,tag:+0dl4A72vIgXdNlk5Etdug==,type:str]
arlenIP: ENC[AES256_GCM,data:uXEM6zEuo40=,iv:eZMNksxYqpfYaY70yiJDOOnpOZ2cIfu4sE71irlUWOY=,tag:C0PjKj3FVDeLhUFInEQzLg==,type:str]
eonweIP: ENC[AES256_GCM,data:zfIK5G67zEQ=,iv:xXPae345ybW9u6SX5eNHwEcBe+Y/7Gvzt6qWni3x+k4=,tag:hFO15lqDviJz+dnsa8IgMg==,type:str]
niennaIP: ENC[AES256_GCM,data:3FRJBHRujl0=,iv:wd+Wp8DCXITYv4/Ys26+2GmeMXn0hvakxMUpDALqciE=,tag:P0Px35bWU0IzpH2H0i6dpA==,type:str]
oromeIP: ENC[AES256_GCM,data:xSp35+pBlyk=,iv:Utk+kCiUKbSrx3kCsEtc90VRWEC9FSZJvJ1fvLZWc38=,tag:6uHW+BiOau9PUS2I2OnVGA==,type:str]
sops:
kms: []
gcp_kms: []
@ -17,8 +20,8 @@ sops:
MTFUZEplYVN5RGhhMGNEcDlGbTVQcjQKktwztZAHGUqoxbGHuAg0dX5Vap+wFVfx
ku6Hzg1ZU8Lvd8ODe+4p+RvHSKVll1akgpPVuymCUxl+I6EvH7gEDA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-02T02:23:49Z"
mac: ENC[AES256_GCM,data:vut8v85tPP1DoJCvdqa0Da3z+78qadjuq5PTmqP/DB8fXy8S7qY5QiDZBv4kKhb5j6lmzYUD1USZZYLzDJN5n4Vw9qdstMr6WuCTqimt5MsZEefn621/p0Q2hdH7rC75gGiLHTFLc53HnrESg+opZRkmknrNuKKcZH8GI0H4MeQ=,iv:OakKTwA24IlwIU3gXP53CN7bdO8iDoKpoGLy+EcVGIg=,tag:82RBOg4ebBk9QEtSRAMymw==,type:str]
lastmodified: "2023-12-12T17:44:15Z"
mac: ENC[AES256_GCM,data:bXullHomsdG80EKIVrghmPIkcQMzWX/gvM8w0iqWRbunC4SlNTzFIgrHvs1qYdyPqy+rC2NhhhWGBVSDEfAA5wRQ/xmLPmFP/z9hKsUiQqHUwZflu2taB2SLuhjMMHS2sKwcP3uPA1anPkvEjhx+IpGv9X92RHqr8YF1r2LhOVk=,iv:OQwhjxw/FI/S9pXS9/HHTFdFxIetKUPcESscfJNjkao=,tag:AhoPRZifwQVPRO38fA/LSQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1