From 39f579d781c801f1c4cadddae54070193a7c7346 Mon Sep 17 00:00:00 2001 From: 0xWheatyz Date: Fri, 14 Nov 2025 23:09:08 +0000 Subject: [PATCH] feat: new testing cluster with boilerplate code --- shell.nix | 37 ++ testing1/.talosconfig | 10 + testing1/clusters/testing/apps.yaml | 13 + testing1/controlplane.yaml | 577 ++++++++++++++++++++++++++ testing1/kubeconfig | 20 + testing1/talosconfig | 7 + testing1/worker.yaml | 606 ++++++++++++++++++++++++++++ 7 files changed, 1270 insertions(+) create mode 100644 shell.nix create mode 100644 testing1/.talosconfig create mode 100644 testing1/clusters/testing/apps.yaml create mode 100644 testing1/controlplane.yaml create mode 100644 testing1/kubeconfig create mode 100644 testing1/talosconfig create mode 100644 testing1/worker.yaml diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..b8cc7e7 --- /dev/null +++ b/shell.nix @@ -0,0 +1,37 @@ +{ pkgs ? import {} }: + +pkgs.mkShell { + # Define the packages you want in your environment + packages = with pkgs; [ + fluxcd + talosctl + kubectl + zsh # Include zsh itself in the shell environment + ]; + + # Optional: Set environment variables or run commands when entering the shell + shellHook = '' + echo "Welcome to your FluxCD, Talosctl, and Kubectl development environment with Zsh!" + echo "The following tools are available:" + echo " - flux" + echo " - talosctl" + echo " - kubectl" + + export TALOSCONFIG="$(pwd)/testing1/.talosconfig" + # Source your Home Manager generated Zsh configuration + # This assumes your home-manager configuration is applied to your user. + # The exact path might vary slightly based on your home-manager setup. + if [ -f "$HOME/.nix-profile/etc/profile.d/hm-session-vars.sh" ]; then + . "$HOME/.nix-profile/etc/profile.d/hm-session-vars.sh" + fi + if [ -f "$HOME/.nix-profile/etc/profile.d/hm-config-loader.sh" ]; then + . "$HOME/.nix-profile/etc/profile.d/hm-config-loader.sh" + fi + if [ -f "$HOME/.nix-profile/etc/profile.d/hm-zsh.sh" ]; then + . "$HOME/.nix-profile/etc/profile.d/hm-zsh.sh" + fi + + # Start Zsh within the nix-shell + exec zsh + ''; +} diff --git a/testing1/.talosconfig b/testing1/.talosconfig new file mode 100644 index 0000000..d383e34 --- /dev/null +++ b/testing1/.talosconfig @@ -0,0 +1,10 @@ +context: test-talos1-control +contexts: + test-talos1-control: + endpoints: + - 10.0.0.67 + nodes: + - 10.0.0.67 + ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBNTUzYnZ2c1RjRlE1RktIRTZEZ0l5ekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXhNVEV6TURJMU9UQXhXaGNOTXpVeE1URXhNREkxT1RBeFdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUU1cnptdE1WcjZCZkxnZEE1UUV6bDZOVEhxQi9OaXFCK1dICnI3ZW5yNWw2bzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkVzcXFnZXFaYWZna3dTRApKUko0c0JNbWxaYkRNQVVHQXl0bGNBTkJBUFVMcWR1Z2Y1OEZmTVFTRC9Bc21RdkZBQnNjSkRLVnd2RXBWRWh3CnQ3Vnd3bVFRaEVyNVB3KzI3M1B3c1kvLzE3SjZDOFY2SGhiVDFqRFFMZ2hvY1FFPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEF6VXZDRUpPaGFoQ3Vhalg3alBDeXhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5URXhNVE13TWpVNU1ERmFGdzB5TmpFeE1UTXdNalU1TURGYU1CTXhFVEFQQmdOVgpCQW9UQ0c5ek9tRmtiV2x1TUNvd0JRWURLMlZ3QXlFQVZCcmM5QUJDdXpYYW1adEFjQ3V6b2hrM21Eb0dLalhtClVZaEdwNEJ4VUsralNEQkdNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0QKQWpBZkJnTlZIU01FR0RBV2dCUkxLcW9IcW1XbjRKTUVneVVTZUxBVEpwV1d3ekFGQmdNclpYQURRUUFjSzFRRQpDeThxVmxxN1lmc2ZNVFF2L3RNbkQ1YUJNSUp6SDNiNFNTUkU0SkFYQ2hQcktSM3laSno3Y2xNSDVORXVxTE9UCkxwYjM3UHpKVWxRbDMyQUUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRjNic3BNbmZQdTR1aU9NOGFGNmJ4ZklGSDBLdm45YytPZHdMOXZlb0hHVgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K diff --git a/testing1/clusters/testing/apps.yaml b/testing1/clusters/testing/apps.yaml new file mode 100644 index 0000000..b966c3e --- /dev/null +++ b/testing1/clusters/testing/apps.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: apps + namespace: flux-system +spec: + interval: 5m + path: ./apps + prune: true + sourceRef: + kind: GitRepository + name: flux-system + wait: true diff --git a/testing1/controlplane.yaml b/testing1/controlplane.yaml new file mode 100644 index 0000000..dfec197 --- /dev/null +++ b/testing1/controlplane.yaml @@ -0,0 +1,577 @@ +version: v1alpha1 # Indicates the schema used to decode the contents. +debug: false # Enable verbose logging to the console. +persist: true +# Provides machine specific configuration options. +machine: + type: controlplane # Defines the role of the machine within the cluster. + token: dhmkxg.kgt4nn0mw72kd3yb # The `token` is used by a machine to join the PKI of the cluster. + # The root certificate authority of the PKI. + ca: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBNTUzYnZ2c1RjRlE1RktIRTZEZ0l5ekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXhNVEV6TURJMU9UQXhXaGNOTXpVeE1URXhNREkxT1RBeFdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUU1cnptdE1WcjZCZkxnZEE1UUV6bDZOVEhxQi9OaXFCK1dICnI3ZW5yNWw2bzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkVzcXFnZXFaYWZna3dTRApKUko0c0JNbWxaYkRNQVVHQXl0bGNBTkJBUFVMcWR1Z2Y1OEZmTVFTRC9Bc21RdkZBQnNjSkRLVnd2RXBWRWh3CnQ3Vnd3bVFRaEVyNVB3KzI3M1B3c1kvLzE3SjZDOFY2SGhiVDFqRFFMZ2hvY1FFPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQVZVTjAyWTRiVnpXenhyL0tKOWRicE1Iakt2V1JVV2VEVjZRRGtzcWV0dwotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K + # Extra certificate subject alternative names for the machine's certificate. + certSANs: [] + # # Uncomment this to enable SANs. + # - 10.0.0.10 + # - 172.16.0.10 + # - 192.168.0.10 + + # Used to provide additional options to the kubelet. + kubelet: + image: ghcr.io/siderolabs/kubelet:v1.33.0 # The `image` field is an optional reference to an alternative kubelet image. + defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile. + disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. + + # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. + # clusterDNS: + # - 10.96.0.10 + # - 169.254.2.53 + + # # The `extraArgs` field is used to provide additional flags to the kubelet. + # extraArgs: + # key: value + + # # The `extraMounts` field is used to add additional mounts to the kubelet container. + # extraMounts: + # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. + # type: bind # Type specifies the mount kind. + # source: /var/lib/example # Source specifies the source path of the mount. + # # Options are fstab style mount options. + # options: + # - bind + # - rshared + # - rw + + # # The `extraConfig` field is used to provide kubelet configuration overrides. + # extraConfig: + # serverTLSBootstrap: true + + # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. + # credentialProviderConfig: + # apiVersion: kubelet.config.k8s.io/v1 + # kind: CredentialProviderConfig + # providers: + # - apiVersion: credentialprovider.kubelet.k8s.io/v1 + # defaultCacheDuration: 12h + # matchImages: + # - '*.dkr.ecr.*.amazonaws.com' + # - '*.dkr.ecr.*.amazonaws.com.cn' + # - '*.dkr.ecr-fips.*.amazonaws.com' + # - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov' + # - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov' + # name: ecr-credential-provider + + # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. + # nodeIP: + # # The `validSubnets` field configures the networks to pick kubelet node IP from. + # validSubnets: + # - 10.0.0.0/8 + # - '!10.0.0.3/32' + # - fdc7::/16 + # Provides machine specific network configuration options. + network: {} + # # `interfaces` is used to define the network interface configuration. + # interfaces: + # - interface: enp0s1 # The interface name. + # # Assigns static IP addresses to the interface. + # addresses: + # - 192.168.2.0/24 + # # A list of routes associated with the interface. + # routes: + # - network: 0.0.0.0/0 # The route's network (destination). + # gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route). + # metric: 1024 # The optional metric for the route. + # mtu: 1500 # The interface's MTU. + # + # # # Picks a network device using the selector. + + # # # select a device with bus prefix 00:*. + # # deviceSelector: + # # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver. + # # deviceSelector: + # # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. + # # driver: virtio_net # Kernel driver, supports matching by wildcard. + # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver. + # # deviceSelector: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. + # # driver: virtio_net # Kernel driver, supports matching by wildcard. + + # # # Bond specific options. + # # bond: + # # # The interfaces that make up the bond. + # # interfaces: + # # - enp2s0 + # # - enp2s1 + # # # Picks a network device using the selector. + # # deviceSelectors: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. + # # driver: virtio_net # Kernel driver, supports matching by wildcard. + # # mode: 802.3ad # A bond option. + # # lacpRate: fast # A bond option. + + # # # Bridge specific options. + # # bridge: + # # # The interfaces that make up the bridge. + # # interfaces: + # # - enxda4042ca9a51 + # # - enxae2a6774c259 + # # # Enable STP on this bridge. + # # stp: + # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled. + + # # # Configure this device as a bridge port. + # # bridgePort: + # # master: br0 # The name of the bridge master interface + + # # # Indicates if DHCP should be used to configure the interface. + # # dhcp: true + + # # # DHCP specific options. + # # dhcpOptions: + # # routeMetric: 1024 # The priority of all routes received via DHCP. + + # # # Wireguard specific configuration. + + # # # wireguard server example + # # wireguard: + # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). + # # listenPort: 51111 # Specifies a device's listening port. + # # # Specifies a list of peer configurations to apply to a device. + # # peers: + # # - publicKey: ABCDEF... # Specifies the public key of this peer. + # # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry. + # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. + # # allowedIPs: + # # - 192.168.1.0/24 + # # # wireguard peer example + # # wireguard: + # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). + # # # Specifies a list of peer configurations to apply to a device. + # # peers: + # # - publicKey: ABCDEF... # Specifies the public key of this peer. + # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry. + # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer. + # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. + # # allowedIPs: + # # - 192.168.1.0/24 + + # # # Virtual (shared) IP address configuration. + + # # # layer2 vip example + # # vip: + # # ip: 172.16.199.55 # Specifies the IP address to be used. + + # # Used to statically set the nameservers for the machine. + # nameservers: + # - 8.8.8.8 + # - 1.1.1.1 + + # # Used to statically set arbitrary search domains. + # searchDomains: + # - example.org + # - example.com + + # # Allows for extra entries to be added to the `/etc/hosts` file + # extraHostEntries: + # - ip: 192.168.1.100 # The IP of the host. + # # The host alias. + # aliases: + # - example + # - example.domain.tld + + # # Configures KubeSpan feature. + # kubespan: + # enabled: true # Enable the KubeSpan feature. + + # Used to provide instructions for installations. + install: + disk: /dev/sda # The disk used for installations. + image: ghcr.io/siderolabs/installer:v1.10.1 # Allows for supplying the image used to perform the installation. + wipe: false # Indicates if the installation disk should be wiped at installation time. + + # # Look up disk using disk attributes like model, size, serial and others. + # diskSelector: + # size: 4GB # Disk size. + # model: WDC* # Disk model `/sys/block//device/model`. + # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path. + + # # Allows for supplying extra kernel args via the bootloader. + # extraKernelArgs: + # - talos.platform=metal + # - reboot=k + # Used to configure the machine's container image registry mirrors. + registries: {} + # # Specifies mirror configuration for each registry host namespace. + # mirrors: + # ghcr.io: + # # List of endpoints (URLs) for registry mirrors to use. + # endpoints: + # - https://registry.insecure + # - https://ghcr.io/v2/ + + # # Specifies TLS & auth configuration for HTTPS image registries. + # config: + # registry.insecure: + # # The TLS configuration for the registry. + # tls: + # insecureSkipVerify: true # Skip TLS server certificate verification (not recommended). + # + # # # Enable mutual TLS authentication with the registry. + # # clientIdentity: + # # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t + # # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== + # + # # # The auth configuration for this registry. + # # auth: + # # username: username # Optional registry authentication. + # # password: password # Optional registry authentication. + + # Features describe individual Talos features that can be switched on or off. + features: + rbac: true # Enable role-based access control (RBAC). + stableHostname: true # Enable stable default hostname. + apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid. + diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks. + # KubePrism - local proxy/load balancer on defined port that will distribute + kubePrism: + enabled: true # Enable KubePrism support - will start local load balancing proxy. + port: 7445 # KubePrism port. + # Configures host DNS caching resolver. + hostDNS: + enabled: true # Enable host DNS caching resolver. + forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods. + + # # Configure Talos API access from Kubernetes pods. + # kubernetesTalosAPIAccess: + # enabled: true # Enable Talos API access from Kubernetes pods. + # # The list of Talos API roles which can be granted for access from Kubernetes pods. + # allowedRoles: + # - os:reader + # # The list of Kubernetes namespaces Talos API access is available from. + # allowedKubernetesNamespaces: + # - kube-system + # Configures the node labels for the machine. + nodeLabels: + node.kubernetes.io/exclude-from-external-load-balancers: "" + + # # Provides machine specific control plane configuration options. + + # # ControlPlane definition example. + # controlPlane: + # # Controller manager machine specific configuration options. + # controllerManager: + # disabled: false # Disable kube-controller-manager on the node. + # # Scheduler machine specific configuration options. + # scheduler: + # disabled: true # Disable kube-scheduler on the node. + + # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. + + # # nginx static pod. + # pods: + # - apiVersion: v1 + # kind: pod + # metadata: + # name: nginx + # spec: + # containers: + # - image: nginx + # name: nginx + + # # Allows the addition of user specified files. + + # # MachineFiles usage example. + # files: + # - content: '...' # The contents of the file. + # permissions: 0o666 # The file's permissions in octal. + # path: /tmp/file.txt # The path of the file. + # op: append # The operation to use + + # # The `env` field allows for the addition of environment variables. + + # # Environment variables definition examples. + # env: + # GRPC_GO_LOG_SEVERITY_LEVEL: info + # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" + # https_proxy: http://SERVER:PORT/ + # env: + # GRPC_GO_LOG_SEVERITY_LEVEL: error + # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ + # env: + # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ + + # # Used to configure the machine's time settings. + + # # Example configuration for cloudflare ntp server. + # time: + # disabled: false # Indicates if the time service is disabled for the machine. + # # description: | + # servers: + # - time.cloudflare.com + # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. + + # # Used to configure the machine's sysctls. + + # # MachineSysctls usage example. + # sysctls: + # kernel.domainname: talos.dev + # net.ipv4.ip_forward: "0" + # net/ipv6/conf/eth0.100/disable_ipv6: "1" + + # # Used to configure the machine's sysfs. + + # # MachineSysfs usage example. + # sysfs: + # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance + + # # Machine system disk encryption configuration. + # systemDiskEncryption: + # # Ephemeral partition encryption. + # ephemeral: + # provider: luks2 # Encryption provider to use for the encryption. + # # Defines the encryption keys generation and storage method. + # keys: + # - # Deterministically generated key from the node UUID and PartitionLabel. + # nodeID: {} + # slot: 0 # Key slot number for LUKS2 encryption. + # + # # # KMS managed encryption key. + # # kms: + # # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key. + # + # # # Cipher kind to use for the encryption. Depends on the encryption provider. + # # cipher: aes-xts-plain64 + + # # # Defines the encryption sector size. + # # blockSize: 4096 + + # # # Additional --perf parameters for the LUKS2 encryption. + # # options: + # # - no_read_workqueue + # # - no_write_workqueue + + # # Configures the udev system. + # udev: + # # List of udev rules to apply to the udev system + # rules: + # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" + + # # Configures the logging system. + # logging: + # # Logging destination. + # destinations: + # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". + # format: json_lines # Logs format. + + # # Configures the kernel. + # kernel: + # # Kernel modules to load. + # modules: + # - name: brtfs # Module name. + + # # Configures the seccomp profiles for the machine. + # seccompProfiles: + # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. + # # The `value` field is used to provide the seccomp profile. + # value: + # defaultAction: SCMP_ACT_LOG + + # # Override (patch) settings in the default OCI runtime spec for CRI containers. + + # # override default open file limit + # baseRuntimeSpecOverrides: + # process: + # rlimits: + # - hard: 1024 + # soft: 1024 + # type: RLIMIT_NOFILE + + # # Configures the node annotations for the machine. + + # # node annotations example. + # nodeAnnotations: + # customer.io/rack: r13a25 + + # # Configures the node taints for the machine. Effect is optional. + + # # node taints example. + # nodeTaints: + # exampleTaint: exampleTaintValue:NoSchedule +# Provides cluster specific configuration options. +cluster: + id: T1wrNZkR6bWDMhqxHwogu6UC1XYwE-HzhO5aB6yzelg= # Globally unique identifier for this cluster (base64 encoded random 32 bytes). + secret: t6mCiKFppGqSJNbTIelhMvxE7OCsAHiCdlDkBgukszo= # Shared secret of cluster (base64 encoded random 32 bytes). + # Provides control plane specific configuration options. + controlPlane: + endpoint: https://10.0.0.67:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. + clusterName: test-talos1-control # Configures the cluster's name. + # Provides cluster specific network configuration options. + network: + dnsDomain: cluster.local # The domain used by Kubernetes DNS. + # The pod subnet CIDR. + podSubnets: + - 10.244.0.0/16 + # The service subnet CIDR. + serviceSubnets: + - 10.96.0.0/12 + + # # The CNI used. + # cni: + # name: custom # Name of CNI to use. + # # URLs containing manifests to apply for the CNI. + # urls: + # - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml + token: kaxfds.we8jyuew8eqc6df8 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. + secretboxEncryptionSecret: ZY8YL8xl+egIKxKDyg20zGDWa/T7sZWN/rZr1JuKN1g= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). + # The base64 encoded root certificate authority used by Kubernetes. + ca: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUpzNTZtbElxQUNKZytDeUU5MWhzb2d3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEV4TVRNd01qVTVNREZhRncwek5URXhNVEV3TWpVNQpNREZhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVRoRlpkRGNmZFo5d3d2ZFh4UUJVU2JmV2MzUGxuNVBCVENEeCtmSVM4UUdGSVFDdGg0aFk4Zmc1RVEKVUFaM2VuajN5WU5jQmlGWERxK21sZW9zdlVDMG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGRzI5NUw1NGNqcmMzWjFZc0xlTE9VM1l3L0krTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUY5M08rV2IKbnkrSHhtZWZJQU5BUnJtY0FEQkZac1psOGxoQjJZL2t2aGFoQWlFQXBnQW0xSWR0azA3Nkp0a1VySXVMWDJCYwpxTTZWSnVNczhnTmlQTExaNEFZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUl0K1JDNVFtMHlEazlXZkpzQnRmRVVZbVpLOFhzTHhCMGxBcmVOb0poSXdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNFJXWFEzSDNXZmNNTDNWOFVBVkVtMzFuTno1WitUd1V3ZzhmbnlFdkVCaFNFQXJZZUlXUApINE9SRUZBR2QzcDQ5OG1EWEFZaFZ3NnZwcFhxTEwxQXRBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= + # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. + aggregatorCA: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZRENDQVFXZ0F3SUJBZ0lRYktJc0RBelF0QjRYS0RESm5QZFRxakFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJMU1URXhNekF5TlRrd01Wb1hEVE0xTVRFeE1UQXlOVGt3TVZvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCRitkc080ZXBwM2ZscWxEV2NXKzJidW8zVUxKUW4weExCSzJQSHhhVWFuWjdVTmVPM0RxCk9SUjVNbkl3L1NaMnJiT2RIeEVtR3BpSzg0MUlsRVZaZ0syallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVVMUTVWRkcrd05ycldSTVZPN01hZnc3dG9OUkl3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loCkFKS3JJT284Z29QWXFpVVJUV2JJNHZyQXRteWRaTzVpak9QYmZUei9DQkR3QWlFQTkzZ2IrVHh3Z2J2R1BQcWwKWDR6ZFM2bm1Rc3JSTUZtZXE4M1EzSms0L2xzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU8vL0tYUXBzcDczN1NSUzcydFhrTDdTMWFadU5sa29NSlVROTRUZEU1TjNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFWDUydzdoNm1uZCtXcVVOWnhiN1p1NmpkUXNsQ2ZURXNFclk4ZkZwUnFkbnRRMTQ3Y09vNQpGSGt5Y2pEOUpuYXRzNTBmRVNZYW1JcnpqVWlVUlZtQXJRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= + # The base64 encoded private key for service account token generation. + serviceAccount: + key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBdzVOemVMc1pVcjhxTTkrNzhuNkhYUGNBMEV0eGJGbkFqWDJORjNMK1VCTDZGb0kzCjdxR0w2OWFFQTRxaFZoTVNzSDVFWk96T2VZajFEazByNEJzMXV2QzcrSnVQU0dmUFNzUWdyMDdQWmRuRml2YUsKdmRJZk1TVEIzZVdwZTdBTXROclROVWxsTXlQci8rektBMWRsWFQzamRjL0ZrMWtHdmRvZklEM0Q0clJIaGhnVgp2Q0lMU0MzeU9USU43NkVMSi9VdjRuZFVDYWxmZG5xSGFyYUs1V2tPZDYyb3JyY25vWm40dzVzL0xobE1pUFo0CkljMWU5ayt4Nlp0Ymp1U2lGaXIycjdWOC9qN1dpOTA0aUxPWWRxenloQ1RTbUZiUjRtd3o3emt2b1dORU5PQ20KS1dERVV6YWhadmo3NUZqS3hId1dsMHlGUi95VUw1RU8xZ2o1alA3RW1vTURveXlyQ3lmU3Q1V20zd1ROYVNtLwpvekZPaUhqWUc1UUlBV3BvNDZWYngrbGd4TXVrQmgrTnFUdVNkdzY3YkhaVmhZV2hReW5oSnU4QlQ1NDNqY0FhCmxtT1RCaEd5UkFlZ211NC9PRWlSUk1zOE5CNTJubGtuRGhGNnFkUnp1cUFKYVpQVnR0RG81QXA2eWJmL3g2ZHEKaUg2a0F4VUc2WmpDNlR4bCtuRTBsMXUrcTRZa0tuY0ovQ2w5bXZ1THgxaW84WHVzYm9qSEo5UVNpeXpVdmFFcwo5R3N2ZHgrYW5SN0VyQ0d2dTVuTC9uZ0I4dHg4Z1N4WDBWWlJLdG1SbWcwZS95bEdZOXI4eFpCTDNSVWNjeUoyCjJtNE5XT2ZSNjY1YklwdnJhNFBuVWFZaW80dWlsVTUvQ0MzZVBwUm5CVFF3U1JTTVQzMmRpM2FtZ0pFQ0F3RUEKQVFLQ0FnQVByODNBL0Z3bUNDOFhJcENxdlFNdFRjMksvTkRLbEp5dWJKM1ZhSlBsTWM4aWk0d2lHbzNaeGRGbwpaRS9zL1dkNnhiZEZmaE5RbEdUaXpRWDNlaVNTTmpscGZIYTBEaDdidThWTEI3cWpEQ0lvQ05RczIxbEU5ejBLCmg5OTl6Q3VLRW1HQzk3eFkxZjZFVkVhSmJwTGRpcUlxTFZjSEFDQWJqYm1Ba1VaYk1tNW9pY1F0TWNZdkRQKzQKU1RUQ0hld1h2Q0dTQnFsZkExbGt3WGxjOGVwMjhma25BeG1SZHArRWtDV2FjT01TMXVvak05dXVZR1hkRi9GOQorb2Y2a0ltVXJCcGJFbWJ3WmZOam5BUHJFN2FuVVlJUk5IcVBjcXFhZ0pISTFCRFIzeCtySmNLd3luSVhkNUswCndFU1o5cFRxODNDdmJ0azQ0b0F6UnRnR1lGNjlwWnVBQ3p5ejRVU2NCZkx5bjF4QmpvdFFMUXRtQlg2K0ZWUUwKMFBuU0NiQ0VKOFFLRUo5M01vWERjUUpFNjRqWmJLU25BZmszYzBpK0ZyUzdzYmZ5MXN4WHNzSHVuNGRDY2ZaSwp4R3dJVVZPd3VWNHJrQnp4Vnk4OUw5R3JaWTFvM25ZTnJrTUJjaWVuWHhiTXFoanU5OWFsUmJvcWZKS21qSGgxCmgrOUVaRlFCc1N6TUFnSnlCT24rbTJCbmNHV0UzakUwWVdRQWlaVFRrQ1JGek1ETTNITWR2dk9VZVZLbWw0RXAKYzJURFBNWGpjQnk5dzZvd1hpZUNPYTdGTm56eUZzcnFCbWdkOWcwZTNwMVdLekczM3orUFplUWFVNEpSTHMwQwp4Rm9Gd0xBbCs4cWE5b3JNaHZiQTFvbXNGZnM3Qmo4N3FzWjFIWWFIZ3M5S1FzVm5EUUtDQVFFQXpTRFVYWDdHCmtGYU8ycmZjdEFYWVFQQ2hXM216QytHZUdiZlhOMTU0Q0MxOUI0azZNNDlHUFJHQ20vNnYrUldILzRQbEJhV0sKWVFsRFFoV3BiK2lLb3BYdGcwUTBoemxubzRSdGJDS0wwWm9RN3RxQjcvNERSSFJXUHpSNmR0bUU2aFg0RmVtbApDRkV5RmltdDhaaVVaVDFpKzVEdmlObTF0UmQ5SWw5U3orQTlsUGFjS3ZFOURoUFM2ZWNuQ0x6eUhvbjdNNk9lCmFBZjhNMUFYZm9ib0lkbjdJaDFsVEN4YXo4dXY0UmpqaEpVTHYrbmpUUGhCR3NJYzJzcGUvQzdzQXcwWVgyMHMKV1FyeHdOY0Q4VFdEYThqeWkzTWhFc291MkRpeGZDRkdkSjJvNXptSjNXSUxHQm5TaDE2T3FBSXN0QS9NTlJ2eAp3L3pMOHBtTzhWbVpWUUtDQVFFQTlCUXJEUjY2Ky9KT2hRRzY0ZEJCQ0g4UXQ4UUdmemVKRzhkV0dhU3JncVhlClVVbXA2NStISnpnSWpCbHEyUVYzOTBuMGVhaGlJeFk0M3llMHYvckhkR1I0VTVVZDVZY2NYUy9vdXR0OStWbEwKcmEzbXBtQytCV0NQZ0lmYnhadjVPNnIvSU5vckQ0QUxlaGVncExjV3NIdU5iNTlLek1UemozbVpuUUdsZ0JPaApkUTdKQnFtTHRGZTJTT2JQUXRaTFZNaC9VNXJVMnppUk5qUCtVVkhoVit0NmZCdExxTE1YVmpJd2R6UnBXVnY4CkJmTGhweWQ3UUgxK1Iyb3pVeDRBTERmL2tSTnlXbXZBcjRzaU5MT25udlRKelVOZm90QXFCdHI5amRyT25kckIKeW9XMEZld2FMbnkwY2hRV0pDL1gxWXA2KzBob1dEWTJBY2hCWlozYVRRS0NBUUJ2VHNNdHdKOHFyMjF4RFpmNwpMN2k2OUZmNmRUMU0weTZoTWZyY2xxeDNjNGVHMFZYOXFGOHF3QmVwWWpoRzV3SVhDcEQ1MFd3WFg1bFpnTHVpCmVBTFNXcHk1UUFkbzRTTjF2V1JLNnl3SG5weFZuOGdtWENXVnZiTVhOUGpIQ1Ixd2tGOUFOTHBTbXd5Y3JoMHYKSGVaWVVVa216T3pOeTZVb0VRamIzL0hsenY1Ym1MNEJKMHBFRzBtMWxySzlzUm1Jck1MY3NJcENWU0xyRFNqUwpoWTNzNElXL2EwZ09YM3NmaXAxemZiZm50NkRha0tYQW5HMW5nYkY2bjVtUEtqN3pJT1g2MGhqZ2NHbmloRW9sClZ5NXJERzFnY2lhZU5ZdloxRm1xeTd1WmgvdWhETDNjblZqN3lQZE9jV2JqajlxR0VwUnl0U2twZWtHSThQNTUKeEc3SkFvSUJBUUN5QW9lSGNSTWtMd3N2SEJ6bEZoSm9GT3ZuYW5MbWsyVk91aW5FV0FHeUxqQ2ZEbDk3OWdRSApDV25LYTdzdWZqdUpRZ21vTkxNbUxjM2Fpc1hiZ2hXM2dKTDFPbnJzYklhMk8vdTdVOXRqWU1tOTZHZWdqa3ZuCjlnMlN5d0x3OHhscGVBUE1QUEZNdzdFYklXSkszekVRRTN3S25aMWJESVVwN2FDb0RveGFoWGFxdmRiRklpQSsKcmYzRzIzYnJvd2liMUFKd3dpcGRtN3JrVWpVM3I4VHViMUlNYzRmUmlKUUxqRjBtZ3pZV011enlsYm9YUThjegpPSk5CbUdYSVI4Z09kK1RQTk9TZ3A1ZUhMNjBKek1FQ1FEdHhsYUtKUnRKdjM0VXUwUmNCcjRySW5vekJ0RWxBCkFEbEdQZm9MK0V5c2MrdlBtblpuWjFvcUlKZjVlWSs5QW9JQkFDRThDbFZITWJEZkJtUXRBYzhHMFM0eUhqNXEKWkdEWTkxSGZIOVVnOFhBdWxuRmViaXpFSDFuQmNLTE5zTndZejcrNTdJaldocHhFcStrMWRpQUdEeTJNVXhNQQpoNGVzWDY1QmZRVHVBNGRMVVk2c2J4eHYwVDBOSW55bXk1SC9xL3RVMUJOVkJNK1FJWDduS1owMjJwek8zWUM1CnNjSDkyY3RwcEdKSDl2V2FZS3NOVUNTbFhBNXc3c3AxRTZBTkRtbVMzR1ZrUnlvOEFVVTZsalZnQ0FJSmFUV1YKN25yaHltY01xbGVyanlXYW9wTUo1d0pnbXJQOWR0ZUJNVmlucG5jdjd4N3ZybW5jeFdVOVU2ZmdtK2pFTGt4UApoTFA2VWpnd1BXMmk1VUZNY1ZzcFNJMEhCMkxvYXBYUWgwQjRUaVNtOFVmY1JUdUJTc21pUkM1cGdpaz0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K + # API server specific configuration options. + apiServer: + image: registry.k8s.io/kube-apiserver:v1.33.0 # The container image used in the API server manifest. + # Extra certificate subject alternative names for the API server's certificate. + certSANs: + - 10.0.0.67 + disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests. + # Configure the API server admission plugins. + admissionControl: + - name: PodSecurity # Name is the name of the admission controller. + # Configuration is an embedded configuration object to be used as the plugin's + configuration: + apiVersion: pod-security.admission.config.k8s.io/v1alpha1 + defaults: + audit: restricted + audit-version: latest + enforce: baseline + enforce-version: latest + warn: restricted + warn-version: latest + exemptions: + namespaces: + - kube-system + runtimeClasses: [] + usernames: [] + kind: PodSecurityConfiguration + # Configure the API server audit policy. + auditPolicy: + apiVersion: audit.k8s.io/v1 + kind: Policy + rules: + - level: Metadata + + # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration. + # authorizationConfig: + # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. + # name: webhook # Name is used to describe the authorizer. + # # webhook is the configuration for the webhook authorizer. + # webhook: + # connectionInfo: + # type: InClusterConfig + # failurePolicy: Deny + # matchConditionSubjectAccessReviewVersion: v1 + # matchConditions: + # - expression: has(request.resourceAttributes) + # - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)' + # subjectAccessReviewVersion: v1 + # timeout: 3s + # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. + # name: in-cluster-authorizer # Name is used to describe the authorizer. + # # webhook is the configuration for the webhook authorizer. + # webhook: + # connectionInfo: + # type: InClusterConfig + # failurePolicy: NoOpinion + # matchConditionSubjectAccessReviewVersion: v1 + # subjectAccessReviewVersion: v1 + # timeout: 3s + # Controller manager server specific configuration options. + controllerManager: + image: registry.k8s.io/kube-controller-manager:v1.33.0 # The container image used in the controller manager manifest. + # Kube-proxy server-specific configuration options + proxy: + image: registry.k8s.io/kube-proxy:v1.33.0 # The container image used in the kube-proxy manifest. + + # # Disable kube-proxy deployment on cluster bootstrap. + # disabled: false + # Scheduler server specific configuration options. + scheduler: + image: registry.k8s.io/kube-scheduler:v1.33.0 # The container image used in the scheduler manifest. + # Configures cluster member discovery. + discovery: + enabled: true # Enable the cluster membership discovery feature. + # Configure registries used for cluster member discovery. + registries: + # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information + kubernetes: + disabled: true # Disable Kubernetes discovery registry. + # Service registry is using an external service to push and pull information about cluster members. + service: {} + # # External service endpoint. + # endpoint: https://discovery.talos.dev/ + # Etcd specific configuration options. + etcd: + # The `ca` is the root certificate authority of the PKI. + ca: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNTZ0F3SUJBZ0lSQU1CYjZha2VXZFFobk1JYW5aSm9aZVF3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TlRFeE1UTXdNalU1TURGYUZ3MHpOVEV4TVRFd01qVTVNREZhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFRWmJNeEhTUHNiCmZHcnJCVkUxZXdmNVFoSDZ1djlnS1V1STdFVTl5SWpvdmtyZ1R6dGU3NkFLRG5zREhGRmxVTEdMQzlodGtPcWcKQmhhSnRqN2MxUUhGbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkc5c3IxelhJSk1sCm13SE1NekJVcTZwYytidmJNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJR2FrSmxYQmZGRUliaHB5VVpDOStLdWoKL3NqWHo1ZWY0TkFxcFdHV1RGSXZBaUVBODR6WHRWWC92dVVYUmFGODdJdTNOZEV6TTRubTZndUFrVWRwWFRsUwptQmM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdIa3hkOGo5Sk43cXowWWdtZUo1QTVVYW5ocDkyM0FFNzdiSjgxZmMyeWdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFR1d6TVIwajdHM3hxNndWUk5Yc0grVUlSK3JyL1lDbExpT3hGUGNpSTZMNUs0RTg3WHUrZwpDZzU3QXh4UlpWQ3hpd3ZZYlpEcW9BWVdpYlkrM05VQnhRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= + + # # The container image used to create the etcd service. + # image: gcr.io/etcd-development/etcd:v3.5.21 + + # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from. + # advertisedSubnets: + # - 10.0.0.0/8 + # A list of urls that point to additional manifests. + extraManifests: [] + # - https://www.example.com/manifest1.yaml + # - https://www.example.com/manifest2.yaml + + # A list of inline Kubernetes manifests. + inlineManifests: [] + # - name: namespace-ci # Name of the manifest. + # contents: |- # Manifest contents as a string. + # apiVersion: v1 + # kind: Namespace + # metadata: + # name: ci + + + # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). + + # # Decryption secret example (do not use in production!). + # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= + + # # Core DNS specific configuration options. + # coreDNS: + # image: registry.k8s.io/coredns/coredns:v1.12.1 # The `image` field is an override to the default coredns image. + + # # External cloud provider configuration. + # externalCloudProvider: + # enabled: true # Enable external cloud provider. + # # A list of urls that point to additional manifests for an external cloud provider. + # manifests: + # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml + # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml + + # # A map of key value pairs that will be added while fetching the extraManifests. + # extraManifestHeaders: + # Token: "1234567" + # X-ExtraInfo: info + + # # Settings for admin kubeconfig generation. + # adminKubeconfig: + # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year). + + # # Allows running workload on control-plane nodes. + # allowSchedulingOnControlPlanes: true diff --git a/testing1/kubeconfig b/testing1/kubeconfig new file mode 100644 index 0000000..26e447b --- /dev/null +++ b/testing1/kubeconfig @@ -0,0 +1,20 @@ +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUpzNTZtbElxQUNKZytDeUU5MWhzb2d3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEV4TVRNd01qVTVNREZhRncwek5URXhNVEV3TWpVNQpNREZhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVRoRlpkRGNmZFo5d3d2ZFh4UUJVU2JmV2MzUGxuNVBCVENEeCtmSVM4UUdGSVFDdGg0aFk4Zmc1RVEKVUFaM2VuajN5WU5jQmlGWERxK21sZW9zdlVDMG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGRzI5NUw1NGNqcmMzWjFZc0xlTE9VM1l3L0krTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUY5M08rV2IKbnkrSHhtZWZJQU5BUnJtY0FEQkZac1psOGxoQjJZL2t2aGFoQWlFQXBnQW0xSWR0azA3Nkp0a1VySXVMWDJCYwpxTTZWSnVNczhnTmlQTExaNEFZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + server: https://10.0.0.67:6443 + name: test-talos1-control +contexts: +- context: + cluster: test-talos1-control + namespace: default + user: admin@test-talos1-control + name: admin@test-talos1-control +current-context: admin@test-talos1-control +kind: Config +preferences: {} +users: +- name: admin@test-talos1-control + user: + client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnekNDQVNxZ0F3SUJBZ0lRZkJMSFlBczI5cFRJcGxlYXg5KzkyREFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTFNVEV4TkRJek1EWXdObG9YRFRJMk1URXhOREl6TURZeApObG93S1RFWE1CVUdBMVVFQ2hNT2MzbHpkR1Z0T20xaGMzUmxjbk14RGpBTUJnTlZCQU1UQldGa2JXbHVNRmt3CkV3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMkVpSGFGZHhDMk5sdXEyTkovR3FHRnFOK3RkUnU5M3YKUDAvQXhzQWtxaXJ5OUdoSUFrK3grZGNQNDRQOERlVkhFM1lWeTRObE9GSTI5NHhJWkF6a0c2TklNRVl3RGdZRApWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGQndNQ01COEdBMVVkSXdRWU1CYUFGRzI5CjVMNTRjanJjM1oxWXNMZUxPVTNZdy9JK01Bb0dDQ3FHU000OUJBTUNBMGNBTUVRQ0lHRThqQUNiNk1GT1QzL3cKNFB3L0JhYk42UXF2eVJDM1gzUFFzTHFrc3RkMkFpQjRaOXgwZHY3dEoyVTB0NzRvOHIwK084V3NVTWFIWDM2egpzSmZWVUV4MGt3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUQ2OVJ0K2o2ZmR0RUtTamNIVmxMamxibHFrYVJtMUNDNUU0QUNWSFI2cU5vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMkVpSGFGZHhDMk5sdXEyTkovR3FHRnFOK3RkUnU5M3ZQMC9BeHNBa3Fpcnk5R2hJQWsreAorZGNQNDRQOERlVkhFM1lWeTRObE9GSTI5NHhJWkF6a0d3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= diff --git a/testing1/talosconfig b/testing1/talosconfig new file mode 100644 index 0000000..32798a6 --- /dev/null +++ b/testing1/talosconfig @@ -0,0 +1,7 @@ +context: test-talos1-control +contexts: + test-talos1-control: + endpoints: [] + ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBNTUzYnZ2c1RjRlE1RktIRTZEZ0l5ekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXhNVEV6TURJMU9UQXhXaGNOTXpVeE1URXhNREkxT1RBeFdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUU1cnptdE1WcjZCZkxnZEE1UUV6bDZOVEhxQi9OaXFCK1dICnI3ZW5yNWw2bzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkVzcXFnZXFaYWZna3dTRApKUko0c0JNbWxaYkRNQVVHQXl0bGNBTkJBUFVMcWR1Z2Y1OEZmTVFTRC9Bc21RdkZBQnNjSkRLVnd2RXBWRWh3CnQ3Vnd3bVFRaEVyNVB3KzI3M1B3c1kvLzE3SjZDOFY2SGhiVDFqRFFMZ2hvY1FFPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEF6VXZDRUpPaGFoQ3Vhalg3alBDeXhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5URXhNVE13TWpVNU1ERmFGdzB5TmpFeE1UTXdNalU1TURGYU1CTXhFVEFQQmdOVgpCQW9UQ0c5ek9tRmtiV2x1TUNvd0JRWURLMlZ3QXlFQVZCcmM5QUJDdXpYYW1adEFjQ3V6b2hrM21Eb0dLalhtClVZaEdwNEJ4VUsralNEQkdNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0QKQWpBZkJnTlZIU01FR0RBV2dCUkxLcW9IcW1XbjRKTUVneVVTZUxBVEpwV1d3ekFGQmdNclpYQURRUUFjSzFRRQpDeThxVmxxN1lmc2ZNVFF2L3RNbkQ1YUJNSUp6SDNiNFNTUkU0SkFYQ2hQcktSM3laSno3Y2xNSDVORXVxTE9UCkxwYjM3UHpKVWxRbDMyQUUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRjNic3BNbmZQdTR1aU9NOGFGNmJ4ZklGSDBLdm45YytPZHdMOXZlb0hHVgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K diff --git a/testing1/worker.yaml b/testing1/worker.yaml new file mode 100644 index 0000000..ce408ab --- /dev/null +++ b/testing1/worker.yaml @@ -0,0 +1,606 @@ +version: v1alpha1 # Indicates the schema used to decode the contents. +debug: false # Enable verbose logging to the console. +persist: true +# Provides machine specific configuration options. +machine: + type: worker # Defines the role of the machine within the cluster. + token: dhmkxg.kgt4nn0mw72kd3yb # The `token` is used by a machine to join the PKI of the cluster. + # The root certificate authority of the PKI. + ca: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBNTUzYnZ2c1RjRlE1RktIRTZEZ0l5ekFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXhNVEV6TURJMU9UQXhXaGNOTXpVeE1URXhNREkxT1RBeFdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUU1cnptdE1WcjZCZkxnZEE1UUV6bDZOVEhxQi9OaXFCK1dICnI3ZW5yNWw2bzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkVzcXFnZXFaYWZna3dTRApKUko0c0JNbWxaYkRNQVVHQXl0bGNBTkJBUFVMcWR1Z2Y1OEZmTVFTRC9Bc21RdkZBQnNjSkRLVnd2RXBWRWh3CnQ3Vnd3bVFRaEVyNVB3KzI3M1B3c1kvLzE3SjZDOFY2SGhiVDFqRFFMZ2hvY1FFPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key: "" + # Extra certificate subject alternative names for the machine's certificate. + certSANs: [] + # # Uncomment this to enable SANs. + # - 10.0.0.10 + # - 172.16.0.10 + # - 192.168.0.10 + + # Used to provide additional options to the kubelet. + kubelet: + image: ghcr.io/siderolabs/kubelet:v1.33.0 # The `image` field is an optional reference to an alternative kubelet image. + defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile. + disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. + + # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list. + # clusterDNS: + # - 10.96.0.10 + # - 169.254.2.53 + + # # The `extraArgs` field is used to provide additional flags to the kubelet. + # extraArgs: + # key: value + + # # The `extraMounts` field is used to add additional mounts to the kubelet container. + # extraMounts: + # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. + # type: bind # Type specifies the mount kind. + # source: /var/lib/example # Source specifies the source path of the mount. + # # Options are fstab style mount options. + # options: + # - bind + # - rshared + # - rw + + # # The `extraConfig` field is used to provide kubelet configuration overrides. + # extraConfig: + # serverTLSBootstrap: true + + # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. + # credentialProviderConfig: + # apiVersion: kubelet.config.k8s.io/v1 + # kind: CredentialProviderConfig + # providers: + # - apiVersion: credentialprovider.kubelet.k8s.io/v1 + # defaultCacheDuration: 12h + # matchImages: + # - '*.dkr.ecr.*.amazonaws.com' + # - '*.dkr.ecr.*.amazonaws.com.cn' + # - '*.dkr.ecr-fips.*.amazonaws.com' + # - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov' + # - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov' + # name: ecr-credential-provider + + # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. + # nodeIP: + # # The `validSubnets` field configures the networks to pick kubelet node IP from. + # validSubnets: + # - 10.0.0.0/8 + # - '!10.0.0.3/32' + # - fdc7::/16 + # Provides machine specific network configuration options. + network: {} + # # `interfaces` is used to define the network interface configuration. + # interfaces: + # - interface: enp0s1 # The interface name. + # # Assigns static IP addresses to the interface. + # addresses: + # - 192.168.2.0/24 + # # A list of routes associated with the interface. + # routes: + # - network: 0.0.0.0/0 # The route's network (destination). + # gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route). + # metric: 1024 # The optional metric for the route. + # mtu: 1500 # The interface's MTU. + # + # # # Picks a network device using the selector. + + # # # select a device with bus prefix 00:*. + # # deviceSelector: + # # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver. + # # deviceSelector: + # # hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. + # # driver: virtio_net # Kernel driver, supports matching by wildcard. + # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver. + # # deviceSelector: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. + # # driver: virtio_net # Kernel driver, supports matching by wildcard. + + # # # Bond specific options. + # # bond: + # # # The interfaces that make up the bond. + # # interfaces: + # # - enp2s0 + # # - enp2s1 + # # # Picks a network device using the selector. + # # deviceSelectors: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard. + # # driver: virtio_net # Kernel driver, supports matching by wildcard. + # # mode: 802.3ad # A bond option. + # # lacpRate: fast # A bond option. + + # # # Bridge specific options. + # # bridge: + # # # The interfaces that make up the bridge. + # # interfaces: + # # - enxda4042ca9a51 + # # - enxae2a6774c259 + # # # Enable STP on this bridge. + # # stp: + # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled. + + # # # Configure this device as a bridge port. + # # bridgePort: + # # master: br0 # The name of the bridge master interface + + # # # Indicates if DHCP should be used to configure the interface. + # # dhcp: true + + # # # DHCP specific options. + # # dhcpOptions: + # # routeMetric: 1024 # The priority of all routes received via DHCP. + + # # # Wireguard specific configuration. + + # # # wireguard server example + # # wireguard: + # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). + # # listenPort: 51111 # Specifies a device's listening port. + # # # Specifies a list of peer configurations to apply to a device. + # # peers: + # # - publicKey: ABCDEF... # Specifies the public key of this peer. + # # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry. + # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. + # # allowedIPs: + # # - 192.168.1.0/24 + # # # wireguard peer example + # # wireguard: + # # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded). + # # # Specifies a list of peer configurations to apply to a device. + # # peers: + # # - publicKey: ABCDEF... # Specifies the public key of this peer. + # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry. + # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer. + # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. + # # allowedIPs: + # # - 192.168.1.0/24 + + # # # Virtual (shared) IP address configuration. + + # # # layer2 vip example + # # vip: + # # ip: 172.16.199.55 # Specifies the IP address to be used. + + # # Used to statically set the nameservers for the machine. + # nameservers: + # - 8.8.8.8 + # - 1.1.1.1 + + # # Used to statically set arbitrary search domains. + # searchDomains: + # - example.org + # - example.com + + # # Allows for extra entries to be added to the `/etc/hosts` file + # extraHostEntries: + # - ip: 192.168.1.100 # The IP of the host. + # # The host alias. + # aliases: + # - example + # - example.domain.tld + + # # Configures KubeSpan feature. + # kubespan: + # enabled: true # Enable the KubeSpan feature. + + # Used to provide instructions for installations. + install: + disk: /dev/sda # The disk used for installations. + image: ghcr.io/siderolabs/installer:v1.10.1 # Allows for supplying the image used to perform the installation. + wipe: false # Indicates if the installation disk should be wiped at installation time. + + # # Look up disk using disk attributes like model, size, serial and others. + # diskSelector: + # size: 4GB # Disk size. + # model: WDC* # Disk model `/sys/block//device/model`. + # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path. + + # # Allows for supplying extra kernel args via the bootloader. + # extraKernelArgs: + # - talos.platform=metal + # - reboot=k + # Used to configure the machine's container image registry mirrors. + registries: {} + # # Specifies mirror configuration for each registry host namespace. + # mirrors: + # ghcr.io: + # # List of endpoints (URLs) for registry mirrors to use. + # endpoints: + # - https://registry.insecure + # - https://ghcr.io/v2/ + + # # Specifies TLS & auth configuration for HTTPS image registries. + # config: + # registry.insecure: + # # The TLS configuration for the registry. + # tls: + # insecureSkipVerify: true # Skip TLS server certificate verification (not recommended). + # + # # # Enable mutual TLS authentication with the registry. + # # clientIdentity: + # # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t + # # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== + # + # # # The auth configuration for this registry. + # # auth: + # # username: username # Optional registry authentication. + # # password: password # Optional registry authentication. + + # Features describe individual Talos features that can be switched on or off. + features: + rbac: true # Enable role-based access control (RBAC). + stableHostname: true # Enable stable default hostname. + apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid. + diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks. + # KubePrism - local proxy/load balancer on defined port that will distribute + kubePrism: + enabled: true # Enable KubePrism support - will start local load balancing proxy. + port: 7445 # KubePrism port. + # Configures host DNS caching resolver. + hostDNS: + enabled: true # Enable host DNS caching resolver. + forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods. + + # # Configure Talos API access from Kubernetes pods. + # kubernetesTalosAPIAccess: + # enabled: true # Enable Talos API access from Kubernetes pods. + # # The list of Talos API roles which can be granted for access from Kubernetes pods. + # allowedRoles: + # - os:reader + # # The list of Kubernetes namespaces Talos API access is available from. + # allowedKubernetesNamespaces: + # - kube-system + + # # Provides machine specific control plane configuration options. + + # # ControlPlane definition example. + # controlPlane: + # # Controller manager machine specific configuration options. + # controllerManager: + # disabled: false # Disable kube-controller-manager on the node. + # # Scheduler machine specific configuration options. + # scheduler: + # disabled: true # Disable kube-scheduler on the node. + + # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. + + # # nginx static pod. + # pods: + # - apiVersion: v1 + # kind: pod + # metadata: + # name: nginx + # spec: + # containers: + # - image: nginx + # name: nginx + + # # Allows the addition of user specified files. + + # # MachineFiles usage example. + # files: + # - content: '...' # The contents of the file. + # permissions: 0o666 # The file's permissions in octal. + # path: /tmp/file.txt # The path of the file. + # op: append # The operation to use + + # # The `env` field allows for the addition of environment variables. + + # # Environment variables definition examples. + # env: + # GRPC_GO_LOG_SEVERITY_LEVEL: info + # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" + # https_proxy: http://SERVER:PORT/ + # env: + # GRPC_GO_LOG_SEVERITY_LEVEL: error + # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ + # env: + # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ + + # # Used to configure the machine's time settings. + + # # Example configuration for cloudflare ntp server. + # time: + # disabled: false # Indicates if the time service is disabled for the machine. + # # description: | + # servers: + # - time.cloudflare.com + # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. + + # # Used to configure the machine's sysctls. + + # # MachineSysctls usage example. + # sysctls: + # kernel.domainname: talos.dev + # net.ipv4.ip_forward: "0" + # net/ipv6/conf/eth0.100/disable_ipv6: "1" + + # # Used to configure the machine's sysfs. + + # # MachineSysfs usage example. + # sysfs: + # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance + + # # Machine system disk encryption configuration. + # systemDiskEncryption: + # # Ephemeral partition encryption. + # ephemeral: + # provider: luks2 # Encryption provider to use for the encryption. + # # Defines the encryption keys generation and storage method. + # keys: + # - # Deterministically generated key from the node UUID and PartitionLabel. + # nodeID: {} + # slot: 0 # Key slot number for LUKS2 encryption. + # + # # # KMS managed encryption key. + # # kms: + # # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key. + # + # # # Cipher kind to use for the encryption. Depends on the encryption provider. + # # cipher: aes-xts-plain64 + + # # # Defines the encryption sector size. + # # blockSize: 4096 + + # # # Additional --perf parameters for the LUKS2 encryption. + # # options: + # # - no_read_workqueue + # # - no_write_workqueue + + # # Configures the udev system. + # udev: + # # List of udev rules to apply to the udev system + # rules: + # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" + + # # Configures the logging system. + # logging: + # # Logging destination. + # destinations: + # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". + # format: json_lines # Logs format. + + # # Configures the kernel. + # kernel: + # # Kernel modules to load. + # modules: + # - name: brtfs # Module name. + + # # Configures the seccomp profiles for the machine. + # seccompProfiles: + # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. + # # The `value` field is used to provide the seccomp profile. + # value: + # defaultAction: SCMP_ACT_LOG + + # # Override (patch) settings in the default OCI runtime spec for CRI containers. + + # # override default open file limit + # baseRuntimeSpecOverrides: + # process: + # rlimits: + # - hard: 1024 + # soft: 1024 + # type: RLIMIT_NOFILE + + # # Configures the node labels for the machine. + + # # node labels example. + # nodeLabels: + # exampleLabel: exampleLabelValue + + # # Configures the node annotations for the machine. + + # # node annotations example. + # nodeAnnotations: + # customer.io/rack: r13a25 + + # # Configures the node taints for the machine. Effect is optional. + + # # node taints example. + # nodeTaints: + # exampleTaint: exampleTaintValue:NoSchedule +# Provides cluster specific configuration options. +cluster: + id: T1wrNZkR6bWDMhqxHwogu6UC1XYwE-HzhO5aB6yzelg= # Globally unique identifier for this cluster (base64 encoded random 32 bytes). + secret: t6mCiKFppGqSJNbTIelhMvxE7OCsAHiCdlDkBgukszo= # Shared secret of cluster (base64 encoded random 32 bytes). + # Provides control plane specific configuration options. + controlPlane: + endpoint: https://10.0.0.67:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. + clusterName: test-talos1-control # Configures the cluster's name. + # Provides cluster specific network configuration options. + network: + dnsDomain: cluster.local # The domain used by Kubernetes DNS. + # The pod subnet CIDR. + podSubnets: + - 10.244.0.0/16 + # The service subnet CIDR. + serviceSubnets: + - 10.96.0.0/12 + + # # The CNI used. + # cni: + # name: custom # Name of CNI to use. + # # URLs containing manifests to apply for the CNI. + # urls: + # - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml + token: kaxfds.we8jyuew8eqc6df8 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. + # The base64 encoded root certificate authority used by Kubernetes. + ca: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQUpzNTZtbElxQUNKZytDeUU5MWhzb2d3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEV4TVRNd01qVTVNREZhRncwek5URXhNVEV3TWpVNQpNREZhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVRoRlpkRGNmZFo5d3d2ZFh4UUJVU2JmV2MzUGxuNVBCVENEeCtmSVM4UUdGSVFDdGg0aFk4Zmc1RVEKVUFaM2VuajN5WU5jQmlGWERxK21sZW9zdlVDMG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGRzI5NUw1NGNqcmMzWjFZc0xlTE9VM1l3L0krTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUY5M08rV2IKbnkrSHhtZWZJQU5BUnJtY0FEQkZac1psOGxoQjJZL2t2aGFoQWlFQXBnQW0xSWR0azA3Nkp0a1VySXVMWDJCYwpxTTZWSnVNczhnTmlQTExaNEFZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key: "" + # Configures cluster member discovery. + discovery: + enabled: true # Enable the cluster membership discovery feature. + # Configure registries used for cluster member discovery. + registries: + # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information + kubernetes: + disabled: true # Disable Kubernetes discovery registry. + # Service registry is using an external service to push and pull information about cluster members. + service: {} + # # External service endpoint. + # endpoint: https://discovery.talos.dev/ + + # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). + + # # Decryption secret example (do not use in production!). + # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= + + # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). + + # # Decryption secret example (do not use in production!). + # secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= + + # # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. + + # # AggregatorCA example. + # aggregatorCA: + # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t + # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== + + # # The base64 encoded private key for service account token generation. + + # # AggregatorCA example. + # serviceAccount: + # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== + + # # API server specific configuration options. + # apiServer: + # image: registry.k8s.io/kube-apiserver:v1.33.0 # The container image used in the API server manifest. + # # Extra arguments to supply to the API server. + # extraArgs: + # feature-gates: ServerSideApply=true + # http2-max-streams-per-connection: "32" + # # Extra certificate subject alternative names for the API server's certificate. + # certSANs: + # - 1.2.3.4 + # - 4.5.6.7 + # # Configure the API server admission plugins. + # admissionControl: + # - name: PodSecurity # Name is the name of the admission controller. + # # Configuration is an embedded configuration object to be used as the plugin's + # configuration: + # apiVersion: pod-security.admission.config.k8s.io/v1alpha1 + # defaults: + # audit: restricted + # audit-version: latest + # enforce: baseline + # enforce-version: latest + # warn: restricted + # warn-version: latest + # exemptions: + # namespaces: + # - kube-system + # runtimeClasses: [] + # usernames: [] + # kind: PodSecurityConfiguration + # # Configure the API server audit policy. + # auditPolicy: + # apiVersion: audit.k8s.io/v1 + # kind: Policy + # rules: + # - level: Metadata + # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration. + # authorizationConfig: + # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. + # name: webhook # Name is used to describe the authorizer. + # # webhook is the configuration for the webhook authorizer. + # webhook: + # connectionInfo: + # type: InClusterConfig + # failurePolicy: Deny + # matchConditionSubjectAccessReviewVersion: v1 + # matchConditions: + # - expression: has(request.resourceAttributes) + # - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)' + # subjectAccessReviewVersion: v1 + # timeout: 3s + # - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`. + # name: in-cluster-authorizer # Name is used to describe the authorizer. + # # webhook is the configuration for the webhook authorizer. + # webhook: + # connectionInfo: + # type: InClusterConfig + # failurePolicy: NoOpinion + # matchConditionSubjectAccessReviewVersion: v1 + # subjectAccessReviewVersion: v1 + # timeout: 3s + + # # Controller manager server specific configuration options. + # controllerManager: + # image: registry.k8s.io/kube-controller-manager:v1.33.0 # The container image used in the controller manager manifest. + # # Extra arguments to supply to the controller manager. + # extraArgs: + # feature-gates: ServerSideApply=true + + # # Kube-proxy server-specific configuration options + # proxy: + # disabled: false # Disable kube-proxy deployment on cluster bootstrap. + # image: registry.k8s.io/kube-proxy:v1.33.0 # The container image used in the kube-proxy manifest. + # mode: ipvs # proxy mode of kube-proxy. + # # Extra arguments to supply to kube-proxy. + # extraArgs: + # proxy-mode: iptables + + # # Scheduler server specific configuration options. + # scheduler: + # image: registry.k8s.io/kube-scheduler:v1.33.0 # The container image used in the scheduler manifest. + # # Extra arguments to supply to the scheduler. + # extraArgs: + # feature-gates: AllBeta=true + + # # Etcd specific configuration options. + # etcd: + # image: gcr.io/etcd-development/etcd:v3.5.21 # The container image used to create the etcd service. + # # The `ca` is the root certificate authority of the PKI. + # ca: + # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t + # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== + # # Extra arguments to supply to etcd. + # extraArgs: + # election-timeout: "5000" + # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from. + # advertisedSubnets: + # - 10.0.0.0/8 + + # # Core DNS specific configuration options. + # coreDNS: + # image: registry.k8s.io/coredns/coredns:v1.12.1 # The `image` field is an override to the default coredns image. + + # # External cloud provider configuration. + # externalCloudProvider: + # enabled: true # Enable external cloud provider. + # # A list of urls that point to additional manifests for an external cloud provider. + # manifests: + # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml + # - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml + + # # A list of urls that point to additional manifests. + # extraManifests: + # - https://www.example.com/manifest1.yaml + # - https://www.example.com/manifest2.yaml + + # # A map of key value pairs that will be added while fetching the extraManifests. + # extraManifestHeaders: + # Token: "1234567" + # X-ExtraInfo: info + + # # A list of inline Kubernetes manifests. + # inlineManifests: + # - name: namespace-ci # Name of the manifest. + # contents: |- # Manifest contents as a string. + # apiVersion: v1 + # kind: Namespace + # metadata: + # name: ci + + # # Settings for admin kubeconfig generation. + # adminKubeconfig: + # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year). + + # # Allows running workload on control-plane nodes. + # allowSchedulingOnControlPlanes: true