fix(talos): enable MetalLB on control plane nodes

Remove node.kubernetes.io/exclude-from-external-load-balancers label
from control plane nodes to allow MetalLB speakers to announce
LoadBalancer IPs on all nodes. This enables proper L2 advertisement
and automatic failover for services.

Changed:
- Commented out nodeLabels section in all three controlplane configs
- Applied to nodes 10.0.1.3, 10.0.1.4, and 10.0.1.5

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

testing1/controlplane-10.0.1.3.yaml

@@ -0,0 +1,549 @@
+version: v1alpha1 # Indicates the schema used to decode the contents.
+debug: false # Enable verbose logging to the console.
+persist: true
+# Provides machine specific configuration options.
+machine:
+    type: controlplane # Defines the role of the machine within the cluster.
+    token: 7rgo5u.juv7x1jtvu26cn92 # The `token` is used by a machine to join the PKI of the cluster.
+    # The root certificate authority of the PKI.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBK2FzSlFsejRzdmUvWU9iU1lXZE9JREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qWXdNakl6TURBek56QTNXaGNOTXpZd01qSXhNREF6TnpBM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQURXdFhTVHJJYUNEVFp0TFdCVllQY2dlcG5xN3BwbFJPSys4Ck9EZDJTQ2hrbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkVoY1FsN2paOHhqZE05SApyazRHNWE4SmJJMWZNQVVHQXl0bGNBTkJBS0ZIWkJsSGJaUjMzVzNGRS9rZ3BDaERkS0MvSlFlcDFRdktnZit3ClNoZEZTNDdGY0FuQWVmcXRpUWhuUlU1UU5Nb2hIZXp6dzdKcG5KU09kUHd1alFrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQmJyUE5lT1B0VS8yRFprdkU4T0lEZjQwZHdjU3VnVmYvb0ZjQnNPRkFsOQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+    # Extra certificate subject alternative names for the machine's certificate.
+    certSANs:
+        - 10.0.1.3
+        - 10.0.1.3
+        - 10.0.1.4
+        - 10.0.1.5
+    # Used to provide additional options to the kubelet.
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.33.0 # The `image` field is an optional reference to an alternative kubelet image.
+        defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
+        disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
+        
+        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
+        # clusterDNS:
+        #     - 10.96.0.10
+        #     - 169.254.2.53
+
+        # # The `extraArgs` field is used to provide additional flags to the kubelet.
+        # extraArgs:
+        #     key: value
+
+        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
+        # extraMounts:
+        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
+        #       type: bind # Type specifies the mount kind.
+        #       source: /var/lib/example # Source specifies the source path of the mount.
+        #       # Options are fstab style mount options.
+        #       options:
+        #         - bind
+        #         - rshared
+        #         - rw
+
+        # # The `extraConfig` field is used to provide kubelet configuration overrides.
+        # extraConfig:
+        #     serverTLSBootstrap: true
+
+        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
+        # credentialProviderConfig:
+        #     apiVersion: kubelet.config.k8s.io/v1
+        #     kind: CredentialProviderConfig
+        #     providers:
+        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1
+        #           defaultCacheDuration: 12h
+        #           matchImages:
+        #             - '*.dkr.ecr.*.amazonaws.com'
+        #             - '*.dkr.ecr.*.amazonaws.com.cn'
+        #             - '*.dkr.ecr-fips.*.amazonaws.com'
+        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
+        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
+        #           name: ecr-credential-provider
+
+        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
+        # nodeIP:
+        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
+        #     validSubnets:
+        #         - 10.0.0.0/8
+        #         - '!10.0.0.3/32'
+        #         - fdc7::/16
+    # Provides machine specific network configuration options.
+    network:
+        hostname: cp-0 # Used to statically set the hostname for the machine.
+        
+        # # `interfaces` is used to define the network interface configuration.
+        # interfaces:
+        #     - interface: enp0s1 # The interface name.
+        #       # Assigns static IP addresses to the interface.
+        #       addresses:
+        #         - 192.168.2.0/24
+        #       # A list of routes associated with the interface.
+        #       routes:
+        #         - network: 0.0.0.0/0 # The route's network (destination).
+        #           gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
+        #           metric: 1024 # The optional metric for the route.
+        #       mtu: 1500 # The interface's MTU.
+        #       
+        #       # # Picks a network device using the selector.
+
+        #       # # select a device with bus prefix 00:*.
+        #       # deviceSelector:
+        #       #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+        #       # deviceSelector:
+        #       #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #     driver: virtio_net # Kernel driver, supports matching by wildcard.
+        #       # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+        #       # deviceSelector:
+        #       #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #       driver: virtio_net # Kernel driver, supports matching by wildcard.
+
+        #       # # Bond specific options.
+        #       # bond:
+        #       #     # The interfaces that make up the bond.
+        #       #     interfaces:
+        #       #         - enp2s0
+        #       #         - enp2s1
+        #       #     # Picks a network device using the selector.
+        #       #     deviceSelectors:
+        #       #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #           driver: virtio_net # Kernel driver, supports matching by wildcard.
+        #       #     mode: 802.3ad # A bond option.
+        #       #     lacpRate: fast # A bond option.
+
+        #       # # Bridge specific options.
+        #       # bridge:
+        #       #     # The interfaces that make up the bridge.
+        #       #     interfaces:
+        #       #         - enxda4042ca9a51
+        #       #         - enxae2a6774c259
+        #       #     # Enable STP on this bridge.
+        #       #     stp:
+        #       #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
+
+        #       # # Configure this device as a bridge port.
+        #       # bridgePort:
+        #       #     master: br0 # The name of the bridge master interface
+
+        #       # # Indicates if DHCP should be used to configure the interface.
+        #       # dhcp: true
+
+        #       # # DHCP specific options.
+        #       # dhcpOptions:
+        #       #     routeMetric: 1024 # The priority of all routes received via DHCP.
+
+        #       # # Wireguard specific configuration.
+
+        #       # # wireguard server example
+        #       # wireguard:
+        #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+        #       #     listenPort: 51111 # Specifies a device's listening port.
+        #       #     # Specifies a list of peer configurations to apply to a device.
+        #       #     peers:
+        #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+        #       #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
+        #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+        #       #           allowedIPs:
+        #       #             - 192.168.1.0/24
+        #       # # wireguard peer example
+        #       # wireguard:
+        #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+        #       #     # Specifies a list of peer configurations to apply to a device.
+        #       #     peers:
+        #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+        #       #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
+        #       #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
+        #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+        #       #           allowedIPs:
+        #       #             - 192.168.1.0/24
+
+        #       # # Virtual (shared) IP address configuration.
+
+        #       # # layer2 vip example
+        #       # vip:
+        #       #     ip: 172.16.199.55 # Specifies the IP address to be used.
+
+        # Used to statically set the nameservers for the machine.
+        nameservers:
+            - 8.8.8.8
+            - 1.1.1.1
+
+        # # Used to statically set arbitrary search domains.
+        # searchDomains:
+        #     - example.org
+        #     - example.com
+
+        # # Allows for extra entries to be added to the `/etc/hosts` file
+        # extraHostEntries:
+        #     - ip: 192.168.1.100 # The IP of the host.
+        #       # The host alias.
+        #       aliases:
+        #         - example
+        #         - example.domain.tld
+
+        # # Configures KubeSpan feature.
+        # kubespan:
+        #     enabled: true # Enable the KubeSpan feature.
+    # Used to provide instructions for installations.
+    install:
+        disk: /dev/sda # The disk used for installations.
+        image: ghcr.io/siderolabs/installer:v1.11.5 # Allows for supplying the image used to perform the installation.
+        wipe: false # Indicates if the installation disk should be wiped at installation time.
+        
+        # # Look up disk using disk attributes like model, size, serial and others.
+        # diskSelector:
+        #     size: 4GB # Disk size.
+        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
+        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
+
+        # # Allows for supplying extra kernel args via the bootloader.
+        # extraKernelArgs:
+        #     - talos.platform=metal
+        #     - reboot=k
+    # Used to configure the machine's container image registry mirrors.
+    registries: {}
+    # # Specifies mirror configuration for each registry host namespace.
+    # mirrors:
+    #     ghcr.io:
+    #         # List of endpoints (URLs) for registry mirrors to use.
+    #         endpoints:
+    #             - https://registry.insecure
+    #             - https://ghcr.io/v2/
+
+    # # Specifies TLS & auth configuration for HTTPS image registries.
+    # config:
+    #     registry.insecure:
+    #         # The TLS configuration for the registry.
+    #         tls:
+    #             insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
+    #             
+    #             # # Enable mutual TLS authentication with the registry.
+    #             # clientIdentity:
+    #             #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
+    #             #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+    #         
+    #         # # The auth configuration for this registry.
+    #         # auth:
+    #         #     username: username # Optional registry authentication.
+    #         #     password: password # Optional registry authentication.
+
+    # Features describe individual Talos features that can be switched on or off.
+    features:
+        rbac: true # Enable role-based access control (RBAC).
+        stableHostname: true # Enable stable default hostname.
+        apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
+        diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
+        # KubePrism - local proxy/load balancer on defined port that will distribute
+        kubePrism:
+            enabled: true # Enable KubePrism support - will start local load balancing proxy.
+            port: 7445 # KubePrism port.
+        # Configures host DNS caching resolver.
+        hostDNS:
+            enabled: true # Enable host DNS caching resolver.
+            forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
+        
+        # # Configure Talos API access from Kubernetes pods.
+        # kubernetesTalosAPIAccess:
+        #     enabled: true # Enable Talos API access from Kubernetes pods.
+        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
+        #     allowedRoles:
+        #         - os:reader
+        #     # The list of Kubernetes namespaces Talos API access is available from.
+        #     allowedKubernetesNamespaces:
+        #         - kube-system
+    # Configures the node labels for the machine.
+    # nodeLabels:
+    #     node.kubernetes.io/exclude-from-external-load-balancers: ""
+
+    # # Provides machine specific control plane configuration options.
+
+    # # ControlPlane definition example.
+    # controlPlane:
+    #     # Controller manager machine specific configuration options.
+    #     controllerManager:
+    #         disabled: false # Disable kube-controller-manager on the node.
+    #     # Scheduler machine specific configuration options.
+    #     scheduler:
+    #         disabled: true # Disable kube-scheduler on the node.
+
+    # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
+
+    # # nginx static pod.
+    # pods:
+    #     - apiVersion: v1
+    #       kind: pod
+    #       metadata:
+    #         name: nginx
+    #       spec:
+    #         containers:
+    #             - image: nginx
+    #               name: nginx
+
+    # # Allows the addition of user specified files.
+
+    # # MachineFiles usage example.
+    # files:
+    #     - content: '...' # The contents of the file.
+    #       permissions: 0o666 # The file's permissions in octal.
+    #       path: /tmp/file.txt # The path of the file.
+    #       op: append # The operation to use
+
+    # # The `env` field allows for the addition of environment variables.
+
+    # # Environment variables definition examples.
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: info
+    #     GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
+    #     https_proxy: http://SERVER:PORT/
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: error
+    #     https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
+    # env:
+    #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
+
+    # # Used to configure the machine's time settings.
+
+    # # Example configuration for cloudflare ntp server.
+    # time:
+    #     disabled: false # Indicates if the time service is disabled for the machine.
+    #     # description: |
+    #     servers:
+    #         - time.cloudflare.com
+    #     bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
+
+    # # Used to configure the machine's sysctls.
+
+    # # MachineSysctls usage example.
+    # sysctls:
+    #     kernel.domainname: talos.dev
+    #     net.ipv4.ip_forward: "0"
+    #     net/ipv6/conf/eth0.100/disable_ipv6: "1"
+
+    # # Used to configure the machine's sysfs.
+
+    # # MachineSysfs usage example.
+    # sysfs:
+    #     devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
+
+    # # Configures the udev system.
+    # udev:
+    #     # List of udev rules to apply to the udev system
+    #     rules:
+    #         - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
+
+    # # Configures the logging system.
+    # logging:
+    #     # Logging destination.
+    #     destinations:
+    #         - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
+    #           format: json_lines # Logs format.
+
+    # # Configures the kernel.
+    # kernel:
+    #     # Kernel modules to load.
+    #     modules:
+    #         - name: brtfs # Module name.
+
+    # # Configures the seccomp profiles for the machine.
+    # seccompProfiles:
+    #     - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
+    #       # The `value` field is used to provide the seccomp profile.
+    #       value:
+    #         defaultAction: SCMP_ACT_LOG
+
+    # # Override (patch) settings in the default OCI runtime spec for CRI containers.
+
+    # # override default open file limit
+    # baseRuntimeSpecOverrides:
+    #     process:
+    #         rlimits:
+    #             - hard: 1024
+    #               soft: 1024
+    #               type: RLIMIT_NOFILE
+
+    # # Configures the node annotations for the machine.
+
+    # # node annotations example.
+    # nodeAnnotations:
+    #     customer.io/rack: r13a25
+
+    # # Configures the node taints for the machine. Effect is optional.
+
+    # # node taints example.
+    # nodeTaints:
+    #     exampleTaint: exampleTaintValue:NoSchedule
+# Provides cluster specific configuration options.
+cluster:
+    id: 34a8UzPmkeW1KotPydx05XqtRO1lS8FQ8QFJRLfhxUo= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
+    secret: dKJk+UZXuMSz/0CN1p7pH0zBoXAXw9Q9O9AbTs2wwig= # Shared secret of cluster (base64 encoded random 32 bytes).
+    # Provides control plane specific configuration options.
+    controlPlane:
+        endpoint: https://10.0.1.3:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
+    clusterName: talos-cluster # Configures the cluster's name.
+    # Provides cluster specific network configuration options.
+    network:
+        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
+        # The pod subnet CIDR.
+        podSubnets:
+            - 10.244.0.0/16
+        # The service subnet CIDR.
+        serviceSubnets:
+            - 10.96.0.0/12
+        
+        # # The CNI used.
+        # cni:
+        #     name: custom # Name of CNI to use.
+        #     # URLs containing manifests to apply for the CNI.
+        #     urls:
+        #         - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
+    token: 15hjxu.y89oz55uwwm1qmm2 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
+    secretboxEncryptionSecret: WJOMi1rld5VZ77PjwNOUiurOroFaZe0TvsmGRIrzD+I= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+    # The base64 encoded root certificate authority used by Kubernetes.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQU1DdU1LWW1RZkFEZnNHTFlheHZmMFF3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOakF5TWpNd01ETTNNRGRhRncwek5qQXlNakV3TURNMwpNRGRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVNhMGRhaFlQalNXaURVZWJjN0liTmppUk5nSjE4MDZMVDQyOFFXbWJJd0k2NE54emVyNlNpZDF0QTUKQXNuelhMaHpCMHdJWVovRGZqNTRwem1tdmRwRW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGRXNiZldwU0h3bFJlVTdOMWlFV1R4NEF1RzBjTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUcrUkQ1OVEKRzVlcDhubHJtMURhS1NYM3pHZ2ZUMzhHSVJ2a0srY1piVG9OQWlFQXY1eVh5RWlnTERKSzZWekhtd2JwRU1KSAp6YkszZTlnZWpwYXByUllhVm9JPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURSUkRKL2xVVExxa2t3bkZ1WTlHTUMweXhTejJONFlKUlVGUytxTU1WNXlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbXRIV29XRDQwbG9nMUhtM095R3pZNGtUWUNkZk5PaTArTnZFRnBteU1DT3VEY2MzcStrbwpuZGJRT1FMSjgxeTRjd2RNQ0dHZnczNCtlS2M1cHIzYVJBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
+    aggregatorCA:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZVENDQVFhZ0F3SUJBZ0lSQU5CRlNyT01kL1ZGQzYvdXVHRDdHUnd3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5qQXlNak13TURNM01EZGFGdzB6TmpBeU1qRXdNRE0zTURkYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVRPdDdveTNBMHZ1TFBMbDNFUU8vRXlOaGh5TGgyeHJDaHJLMENSM3dFbnpkOUFvOUJlCmRjVE90a2xSV0lRbTI1RTJpeGlRcHZqUGNXdTNucmdCUTVjTm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGSlYzMjU2dmhCNDFXUE93VHB3N3lvWllOek9VTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCklRQ2EvaVJWK3BONkVQM3diWHMybVpQMEFrUEVPY21sRnhqNjllWGE2c05JbUFJaEFQZGZaR0xiQ1AwVnZlYTMKUUZjNEEyYXcxZUxFSjB3WmtNdkhoS2hMa1hCaAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBiaGNIdHhRalk1SGRtakkzT25FZ1ZVb21OUmQ5TnBvNmRjRFYrMnlmOVBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFenJlNk10d05MN2l6eTVkeEVEdnhNallZY2k0ZHNhd29heXRBa2Q4Qko4M2ZRS1BRWG5YRQp6clpKVVZpRUp0dVJOb3NZa0tiNHozRnJ0NTY0QVVPWERRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded private key for service account token generation.
+    serviceAccount:
+        key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKSndJQkFBS0NBZ0VBdGZXMHEza3pMWVFwSlFYNlpaUmxCdzhiMmp5SHZRTnBQOG55Z0pHY1FyYk1ST2hiCmNBNFRjdVBYanoydmRyR3VSWHBNNEN4eGVGWmtldDBuTDJKQzExaEE5bktaYUd4aUV4Z0lWQWlNRFlVcS9lK3kKTWx6Y2ZvQkxlN1NQSTY0b0pONzlUalZwS0kySHVBUjNLWlduK1pMajkzL2VzS3dBZ29iMWZRazg0WHAwR1pMbQpZQVNRbENIakh5UmErUWptemloQnMrRzBkakRGNmRkZzZjd3hpN2hKTmp4TUF6K0UzcUhJYnhINit2UENyQiswCnFTWCtLbU1ERUlRUlN6eGEwN01kQUFMakpUb0Z5eTNwWnFlOVcvcmNRQXdNbllWSGZYaHNBbm1ZQmdsOWRLYTUKd0c3SEpPT21zeUNvOHUzV2hpR2ZGc1JUbTUzVXk1S2pIMkVwd2J1R1FSbXlUTHd2MWR6a1RTdU5qMGRoVzFvTApSL0VvaWh3Rnh0bklKUDR2K3NmVmNFOXhWbGZFbUhmekIydGc3bUhpdkJBT0tGMTRwM3V3YzJncG96WEY1NDF4CmV2MHN1RXgzaDhHcWt0cmRVVmhMTzlmVDJxbVFqQnlScVJkSnlWVXdUc2E2dkl1dHJydk1BTVBHKzJENW51cFYKaEszZ2xNUFB0Z01icU9rSFFaejZCa2MyRHhlbzYzeUFITmxCRTQ2TVliTFEralhxSDhreEFHN05XQnViditoegpjWWJsTElQek5vbkJjYW9SYkNZdXJOQTcxR093YnVoeWlsT0VpOU50K2FveVVOcmJSUk9GMDBvVlBDWFJXbmlpCjhLSHZNY05hMzlweGtPUXRwQWR6aURvaHJ0RTNtcUdyVXZWaEYyaXJnVy93bkMrZ01IWDdnMSthMFprQ0F3RUEKQVFLQ0FnQURUdUhIZ2s4WFkwRTZQcGNVVkxQWGdvTlBudTBhMXg2SlBkc3VVamRra1IwNm5YellGekZzVTg4ZAorQkdpRjAzalRudHFVZlNJS3czdG0rcXo5bFhmdzJkKzg0dHRkaGI4WU9INTRTUG10UWFZa2t5TGxOdWZZeWE4Cks0YTByOXhqK3pmZ3ZhRFpUMlZweDQ4QkR3cjhReHJvNjRhNWNJOGIwR2RUTENGU3VoNjFQbEg0NmV4VS9SNjcKZUxZOHM5ZzZaRW41Z3I5OHJKdFVpb2xsQnNUWjFQSmp6WW5XUDBmam9rNWFFcG9kQ09SL3E1M2x1MTZaRjY2OQpGS0daM0JHTXFzTjZ0aEs2SVFsczdidENGZ2VmemZwR0lkSHk1VEx0Q1l6eEtKUEdmRkt2RmI3bnpEdkxwR1hwCitNeUppaUJ0MU51bkZzK3NVeHpFekxneGdGczVkaFYzNEx3LzRtMTNtV2RuVGtTelRWeWFycmJnWlZ0R0hFOU0KOEdJcDNvNGR4VW5QZnkrYzRmbkNGZ0NISzNSQUNjczlCVWJlSU5pQnlycXQ0SHBmUGdvdXI2T0hGRXJTUjJONgp4VVp1RW0zb0I1TjdFd0paVXo4YUllblpDclBYZWJhNmhyb3RnaGdzeUZETEZnSjYzOEgxZHNRTXFDb1BTZ05qCkgweE9YQmtKbWRDYStFdVA2NVFhL1h4OU8waW9YbTE1aTRiVEF4YWxoWGdVS3hnQ1FIQUpLb3VvcTZpLzEwUnAKOWlCZ1Zpak5VWS9QYXlkL1BMVEhsN2FiRnlTemYyYUJIQnFueElNVU90alJSckRVbHRaazZHVnlGcjFjdmdSNApFMWduK0RKeTZKbnc2alFCUTMwd25yUG1TbXl6eUdFMDdMbU5tNmRMaXE5ZVNSOEtqd0tDQVFFQXhSSHAweVB4ClFJQW9ZVmNNK0tmR1FXRWI2K2F4RGovenZFSHpYTk4vVW9pMVlFWDZZNHBaUnRrdFJpaVg5ZktXb214eU9yckUKTUdyUTdTeHVqa2oyYkZwY1RDTnV0UUxXU3ZqajZXb3pGbVA3dWdLTGZLUXhLU1p4QUo2Y3NUYVZxZkpiWFVsQQpZQ2h1aDQ5NzI0TmxKV1pZSks2ZS82M2lOd09hNk9aWW9OMVV4YTd4SStFbDhFaUJhUUtBRDJVWXIyRkYvazRPCitOSlpoTi9BOWZCK1Y5a1g2dnltNktPZUhtTUxuZExObkdIekdmUkhKWCswUkh3cnNYM215RnBVVXA0ZFpXeE0KcWFmUVNJSUl2Qm9uZHFqRG1hcmhZQ0NNZlZIQURGTEcxZ2ZZYmYzMDNObG12YVlkSXAvL2l5UTJvREdtTXZXWgpONy9Eazk3Mmxtam82d0tDQVFFQTdGOFVGdkF5dXVLek5EZ2ZnUDhEL09QRkcvSzRJNHNoNTVLU0lmRkRPRWQ3CnJReHg4b29NaEVRL2hlSFJWRURMaTU5ZG1NSzA2bXQ4UkVvWHVYMEt6ZzQvanB0WldKOFNNaHFYT0pJb3kzWWUKMVgvZjEyT1YwbVc2Tk1UNHVvbkRnS2dsS1F6aDJIQ0xNTWhOdTFoWWFTa1hJaVR0SjR0eFUyU2Z2RlQ0aUwvMQpkNGZ1enNkOVg2bkZ6TE5IaWkyekYzNTZXVG5jSEMrWmpWaTlCSmFFelF0NFJsWm95bTBRZk8xNUhzZkNqaU9iCldMQmJYSXV5N29rc2NRZ0Vtc2xrN0ZpNGxGSUZxUVFIVnhjYURKMXpnYmhoMk1VSTRRYURCNjZtYzdsUFo0dUIKcmJBZXhrR2cwQjBmYWFsMTcrRVhIN1dnei9JOUNzNERaTU5JcmRhT2l3S0NBUUFFcEk5bHNnc1ZBZS94bXlOcgpHRWpMY1lZKzRJaDdWWFpna1EweXVxamRRT3RGQVdFTXgwMmpKYXF6WkhGd0VlOEtsSk44WHJvUWlmT3lJc0hZCkNGQUY3WHNQTUNhRGpUV1BQcDNmK2VpS05vRFB1UStnT0I0UVloOTNiRVUweDV4dkRJNnFlL2RRVEtPTi9ndGsKK0l1QmZnL0ZqWGVoZm04OTdJL1J2TnVKcnEwNG13NkRVZUthN3BwZDV2a3RZNnhaTldsNHZFNE4vcWF0UXJoQgpFeEZtOEc1bjB0djd6eDhDaUVMVnpRbWJEWk8wb05Tc1JYM3h2eHNvYTFic2tYUTdIZzZEUFRIeExVcnk2bDFhClVTTnM0RHo3ZWRNbGVKN1d0UDVaUy9uelFPd1FhMU5CZ0wyeTZoNzFtZDlqWDg4SnB5SExRWTRDaWpvSldjOWwKYThOUkFvSUJBSHBrbFJOM2x0MGNhK3liTHZ6dGo1UVFJTTFpOWlRNWMvbmo5RlV0QjBDS0N5bEU2Mi9LT2NiMwpTK2s0VDlzUG5oWVRGRFQ0aFJOcFNyUlZwVWsvelN0N1J6L0JneGNYYnlXUWpVTVdzNWIrOStKWFQ0SEpLQmdFCjR0RldPUERtU3R4QXROVTN2VzRFZ0o1bTZaRWJvdFA1R2VodE5IdW9nYXJMek1hSlBSUWFTYkYyS3ByWnd6cVkKdnpwS2pyMm5BamdsSHBjN0ZaVm10Rnp6V1JTYUYvUFFmNXYwUEZpczlyK3BlM0VMd05zMjVzYWFzd1FOdGo0Nwp1MDVmOTNwcTFCNXBwbEh1MHMxOHI0eFNBd1FMTjNjeEVVRmNiVWVQeHFOZ3RRSHhMNE9QUWp1OG1ZTFJFc01RCmdXYUYvL0tSSEJjb1JqZkcyQUxUUUFDWitmVkJ4eGNDZ2dFQVFmUGJ2Q2hLbVkwYmRNSVRnZWs5UmNOZXh5NU4Kb0ZIcGJlWWdOYThxc2o5ZzhWQmZZY1hnWm1GVTdnZ0pFMEs0enZTQ1ljb0lCbHFLU0s3NTI1YlhLcFdRcWRlUAo4aXRlUm82QjV5YmhxdDVCaTZBa2tHRE40WklOVCsrZk44OE9Kbml5aGJSM2gzdSt0UERHbVFiRTg5bVliNDNwCkFOVTFXaFpWU2ltc3RBemFKTWpaSnFhQ3NlQ004VFk1cXlzM0MzTHE3NWRwVWZoeHNVSFlDMjRxQWFzRTVmK1QKU2VvT2tyV0l5RWNhV3RYQi9DdHhmYThGRHF6SmYyVzJQYmszK29PVXppcVkzbUl5WllweGFWM1VWYS9JRm5WUworVVRjdUw3V1Fpb2JjN2YzOEgxWmNwUHV3MXM5bGxTTlVZb042Ukl3SG9nVzdOVUVqNGo3c3B4MkZ3PT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+    # API server specific configuration options.
+    apiServer:
+        image: registry.k8s.io/kube-apiserver:v1.33.0 # The container image used in the API server manifest.
+        # Extra certificate subject alternative names for the API server's certificate.
+        certSANs:
+            - 10.0.1.3
+        disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
+        # Configure the API server admission plugins.
+        admissionControl:
+            - name: PodSecurity # Name is the name of the admission controller.
+              # Configuration is an embedded configuration object to be used as the plugin's
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+                defaults:
+                    audit: restricted
+                    audit-version: latest
+                    enforce: baseline
+                    enforce-version: latest
+                    warn: restricted
+                    warn-version: latest
+                exemptions:
+                    namespaces:
+                        - kube-system
+                    runtimeClasses: []
+                    usernames: []
+                kind: PodSecurityConfiguration
+        # Configure the API server audit policy.
+        auditPolicy:
+            apiVersion: audit.k8s.io/v1
+            kind: Policy
+            rules:
+                - level: Metadata
+        
+        # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
+        # authorizationConfig:
+        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
+        #       name: webhook # Name is used to describe the authorizer.
+        #       # webhook is the configuration for the webhook authorizer.
+        #       webhook:
+        #         connectionInfo:
+        #             type: InClusterConfig
+        #         failurePolicy: Deny
+        #         matchConditionSubjectAccessReviewVersion: v1
+        #         matchConditions:
+        #             - expression: has(request.resourceAttributes)
+        #             - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
+        #         subjectAccessReviewVersion: v1
+        #         timeout: 3s
+        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
+        #       name: in-cluster-authorizer # Name is used to describe the authorizer.
+        #       # webhook is the configuration for the webhook authorizer.
+        #       webhook:
+        #         connectionInfo:
+        #             type: InClusterConfig
+        #         failurePolicy: NoOpinion
+        #         matchConditionSubjectAccessReviewVersion: v1
+        #         subjectAccessReviewVersion: v1
+        #         timeout: 3s
+    # Controller manager server specific configuration options.
+    controllerManager:
+        image: registry.k8s.io/kube-controller-manager:v1.33.0 # The container image used in the controller manager manifest.
+    # Kube-proxy server-specific configuration options
+    proxy:
+        image: registry.k8s.io/kube-proxy:v1.33.0 # The container image used in the kube-proxy manifest.
+        
+        # # Disable kube-proxy deployment on cluster bootstrap.
+        # disabled: false
+    # Scheduler server specific configuration options.
+    scheduler:
+        image: registry.k8s.io/kube-scheduler:v1.33.0 # The container image used in the scheduler manifest.
+    # Configures cluster member discovery.
+    discovery:
+        enabled: true # Enable the cluster membership discovery feature.
+        # Configure registries used for cluster member discovery.
+        registries:
+            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
+            kubernetes:
+                disabled: true # Disable Kubernetes discovery registry.
+            # Service registry is using an external service to push and pull information about cluster members.
+            service: {}
+            # # External service endpoint.
+            # endpoint: https://discovery.talos.dev/
+    # Etcd specific configuration options.
+    etcd:
+        # The `ca` is the root certificate authority of the PKI.
+        ca:
+            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNTZ0F3SUJBZ0lSQU82dmxYSjQrRHo2RS9jQWc5Lzk5RnN3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TmpBeU1qTXdNRE0zTURkYUZ3MHpOakF5TWpFd01ETTNNRGRhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFSbjJlNjFXVG1ZCmFMckNtVmFxWlFsVDNYRTNJUGYrOWFzMmRwUEVNL0xNM05uRnlyOHdPQzNCejVYcU1heW9FV2ExQk5iSmx3TmIKZjNBc2dVeU1PV2NsbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkJkOXR5Z3d5Z2dWClVzamt1QS8yZ3RFZEpXUHlNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUUMyQmhhOWZQbmtoOURLT0xFa3ozanQKRjhhTnBYZ2FadGxMZUl2UHd6aG9NQUlnVVVXQjFzU1U1aGljbDRCcmpyRGV3MnQvSHVxNk94VFQxMGZndGIyRApKUXM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUtrc21UZzhGSjdndTRocG95YzJYV1dFOVJFYjlQUks3MzlLaWN3SkZXdkFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFWjludXRWazVtR2k2d3BsV3FtVUpVOTF4TnlEMy92V3JObmFUeERQeXpOelp4Y3EvTURndAp3YytWNmpHc3FCRm10UVRXeVpjRFczOXdMSUZNakRsbkpRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+        
+        # # The container image used to create the etcd service.
+        # image: gcr.io/etcd-development/etcd:v3.6.5
+
+        # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
+        # advertisedSubnets:
+        #     - 10.0.0.0/8
+    # A list of urls that point to additional manifests.
+    extraManifests: []
+    #   - https://www.example.com/manifest1.yaml
+    #   - https://www.example.com/manifest2.yaml
+
+    # A list of inline Kubernetes manifests.
+    inlineManifests: []
+    #   - name: namespace-ci # Name of the manifest.
+    #     contents: |- # Manifest contents as a string.
+    #       apiVersion: v1
+    #       kind: Namespace
+    #       metadata:
+    #       	name: ci
+
+    allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.
+    
+    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+
+    # # Decryption secret example (do not use in production!).
+    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
+
+    # # Core DNS specific configuration options.
+    # coreDNS:
+    #     image: registry.k8s.io/coredns/coredns:v1.12.4 # The `image` field is an override to the default coredns image.
+
+    # # External cloud provider configuration.
+    # externalCloudProvider:
+    #     enabled: true # Enable external cloud provider.
+    #     # A list of urls that point to additional manifests for an external cloud provider.
+    #     manifests:
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
+
+    # # A map of key value pairs that will be added while fetching the extraManifests.
+    # extraManifestHeaders:
+    #     Token: "1234567"
+    #     X-ExtraInfo: info
+
+    # # Settings for admin kubeconfig generation.
+    # adminKubeconfig:
+    #     certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).

testing1/controlplane-10.0.1.4.yaml

@@ -0,0 +1,549 @@
+version: v1alpha1 # Indicates the schema used to decode the contents.
+debug: false # Enable verbose logging to the console.
+persist: true
+# Provides machine specific configuration options.
+machine:
+    type: controlplane # Defines the role of the machine within the cluster.
+    token: 7rgo5u.juv7x1jtvu26cn92 # The `token` is used by a machine to join the PKI of the cluster.
+    # The root certificate authority of the PKI.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBK2FzSlFsejRzdmUvWU9iU1lXZE9JREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qWXdNakl6TURBek56QTNXaGNOTXpZd01qSXhNREF6TnpBM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQURXdFhTVHJJYUNEVFp0TFdCVllQY2dlcG5xN3BwbFJPSys4Ck9EZDJTQ2hrbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkVoY1FsN2paOHhqZE05SApyazRHNWE4SmJJMWZNQVVHQXl0bGNBTkJBS0ZIWkJsSGJaUjMzVzNGRS9rZ3BDaERkS0MvSlFlcDFRdktnZit3ClNoZEZTNDdGY0FuQWVmcXRpUWhuUlU1UU5Nb2hIZXp6dzdKcG5KU09kUHd1alFrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQmJyUE5lT1B0VS8yRFprdkU4T0lEZjQwZHdjU3VnVmYvb0ZjQnNPRkFsOQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+    # Extra certificate subject alternative names for the machine's certificate.
+    certSANs:
+        - 10.0.1.4
+        - 10.0.1.3
+        - 10.0.1.4
+        - 10.0.1.5
+    # Used to provide additional options to the kubelet.
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.33.0 # The `image` field is an optional reference to an alternative kubelet image.
+        defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
+        disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
+        
+        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
+        # clusterDNS:
+        #     - 10.96.0.10
+        #     - 169.254.2.53
+
+        # # The `extraArgs` field is used to provide additional flags to the kubelet.
+        # extraArgs:
+        #     key: value
+
+        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
+        # extraMounts:
+        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
+        #       type: bind # Type specifies the mount kind.
+        #       source: /var/lib/example # Source specifies the source path of the mount.
+        #       # Options are fstab style mount options.
+        #       options:
+        #         - bind
+        #         - rshared
+        #         - rw
+
+        # # The `extraConfig` field is used to provide kubelet configuration overrides.
+        # extraConfig:
+        #     serverTLSBootstrap: true
+
+        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
+        # credentialProviderConfig:
+        #     apiVersion: kubelet.config.k8s.io/v1
+        #     kind: CredentialProviderConfig
+        #     providers:
+        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1
+        #           defaultCacheDuration: 12h
+        #           matchImages:
+        #             - '*.dkr.ecr.*.amazonaws.com'
+        #             - '*.dkr.ecr.*.amazonaws.com.cn'
+        #             - '*.dkr.ecr-fips.*.amazonaws.com'
+        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
+        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
+        #           name: ecr-credential-provider
+
+        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
+        # nodeIP:
+        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
+        #     validSubnets:
+        #         - 10.0.0.0/8
+        #         - '!10.0.0.3/32'
+        #         - fdc7::/16
+    # Provides machine specific network configuration options.
+    network:
+        hostname: cp-1 # Used to statically set the hostname for the machine.
+        
+        # # `interfaces` is used to define the network interface configuration.
+        # interfaces:
+        #     - interface: enp0s1 # The interface name.
+        #       # Assigns static IP addresses to the interface.
+        #       addresses:
+        #         - 192.168.2.0/24
+        #       # A list of routes associated with the interface.
+        #       routes:
+        #         - network: 0.0.0.0/0 # The route's network (destination).
+        #           gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
+        #           metric: 1024 # The optional metric for the route.
+        #       mtu: 1500 # The interface's MTU.
+        #       
+        #       # # Picks a network device using the selector.
+
+        #       # # select a device with bus prefix 00:*.
+        #       # deviceSelector:
+        #       #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+        #       # deviceSelector:
+        #       #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #     driver: virtio_net # Kernel driver, supports matching by wildcard.
+        #       # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+        #       # deviceSelector:
+        #       #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #       driver: virtio_net # Kernel driver, supports matching by wildcard.
+
+        #       # # Bond specific options.
+        #       # bond:
+        #       #     # The interfaces that make up the bond.
+        #       #     interfaces:
+        #       #         - enp2s0
+        #       #         - enp2s1
+        #       #     # Picks a network device using the selector.
+        #       #     deviceSelectors:
+        #       #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #           driver: virtio_net # Kernel driver, supports matching by wildcard.
+        #       #     mode: 802.3ad # A bond option.
+        #       #     lacpRate: fast # A bond option.
+
+        #       # # Bridge specific options.
+        #       # bridge:
+        #       #     # The interfaces that make up the bridge.
+        #       #     interfaces:
+        #       #         - enxda4042ca9a51
+        #       #         - enxae2a6774c259
+        #       #     # Enable STP on this bridge.
+        #       #     stp:
+        #       #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
+
+        #       # # Configure this device as a bridge port.
+        #       # bridgePort:
+        #       #     master: br0 # The name of the bridge master interface
+
+        #       # # Indicates if DHCP should be used to configure the interface.
+        #       # dhcp: true
+
+        #       # # DHCP specific options.
+        #       # dhcpOptions:
+        #       #     routeMetric: 1024 # The priority of all routes received via DHCP.
+
+        #       # # Wireguard specific configuration.
+
+        #       # # wireguard server example
+        #       # wireguard:
+        #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+        #       #     listenPort: 51111 # Specifies a device's listening port.
+        #       #     # Specifies a list of peer configurations to apply to a device.
+        #       #     peers:
+        #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+        #       #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
+        #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+        #       #           allowedIPs:
+        #       #             - 192.168.1.0/24
+        #       # # wireguard peer example
+        #       # wireguard:
+        #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+        #       #     # Specifies a list of peer configurations to apply to a device.
+        #       #     peers:
+        #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+        #       #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
+        #       #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
+        #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+        #       #           allowedIPs:
+        #       #             - 192.168.1.0/24
+
+        #       # # Virtual (shared) IP address configuration.
+
+        #       # # layer2 vip example
+        #       # vip:
+        #       #     ip: 172.16.199.55 # Specifies the IP address to be used.
+
+        # Used to statically set the nameservers for the machine.
+        nameservers:
+            - 8.8.8.8
+            - 1.1.1.1
+
+        # # Used to statically set arbitrary search domains.
+        # searchDomains:
+        #     - example.org
+        #     - example.com
+
+        # # Allows for extra entries to be added to the `/etc/hosts` file
+        # extraHostEntries:
+        #     - ip: 192.168.1.100 # The IP of the host.
+        #       # The host alias.
+        #       aliases:
+        #         - example
+        #         - example.domain.tld
+
+        # # Configures KubeSpan feature.
+        # kubespan:
+        #     enabled: true # Enable the KubeSpan feature.
+    # Used to provide instructions for installations.
+    install:
+        disk: /dev/sda # The disk used for installations.
+        image: ghcr.io/siderolabs/installer:v1.11.5 # Allows for supplying the image used to perform the installation.
+        wipe: false # Indicates if the installation disk should be wiped at installation time.
+        
+        # # Look up disk using disk attributes like model, size, serial and others.
+        # diskSelector:
+        #     size: 4GB # Disk size.
+        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
+        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
+
+        # # Allows for supplying extra kernel args via the bootloader.
+        # extraKernelArgs:
+        #     - talos.platform=metal
+        #     - reboot=k
+    # Used to configure the machine's container image registry mirrors.
+    registries: {}
+    # # Specifies mirror configuration for each registry host namespace.
+    # mirrors:
+    #     ghcr.io:
+    #         # List of endpoints (URLs) for registry mirrors to use.
+    #         endpoints:
+    #             - https://registry.insecure
+    #             - https://ghcr.io/v2/
+
+    # # Specifies TLS & auth configuration for HTTPS image registries.
+    # config:
+    #     registry.insecure:
+    #         # The TLS configuration for the registry.
+    #         tls:
+    #             insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
+    #             
+    #             # # Enable mutual TLS authentication with the registry.
+    #             # clientIdentity:
+    #             #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
+    #             #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+    #         
+    #         # # The auth configuration for this registry.
+    #         # auth:
+    #         #     username: username # Optional registry authentication.
+    #         #     password: password # Optional registry authentication.
+
+    # Features describe individual Talos features that can be switched on or off.
+    features:
+        rbac: true # Enable role-based access control (RBAC).
+        stableHostname: true # Enable stable default hostname.
+        apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
+        diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
+        # KubePrism - local proxy/load balancer on defined port that will distribute
+        kubePrism:
+            enabled: true # Enable KubePrism support - will start local load balancing proxy.
+            port: 7445 # KubePrism port.
+        # Configures host DNS caching resolver.
+        hostDNS:
+            enabled: true # Enable host DNS caching resolver.
+            forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
+        
+        # # Configure Talos API access from Kubernetes pods.
+        # kubernetesTalosAPIAccess:
+        #     enabled: true # Enable Talos API access from Kubernetes pods.
+        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
+        #     allowedRoles:
+        #         - os:reader
+        #     # The list of Kubernetes namespaces Talos API access is available from.
+        #     allowedKubernetesNamespaces:
+        #         - kube-system
+    # Configures the node labels for the machine.
+    # nodeLabels:
+    #     node.kubernetes.io/exclude-from-external-load-balancers: ""
+    
+    # # Provides machine specific control plane configuration options.
+
+    # # ControlPlane definition example.
+    # controlPlane:
+    #     # Controller manager machine specific configuration options.
+    #     controllerManager:
+    #         disabled: false # Disable kube-controller-manager on the node.
+    #     # Scheduler machine specific configuration options.
+    #     scheduler:
+    #         disabled: true # Disable kube-scheduler on the node.
+
+    # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
+
+    # # nginx static pod.
+    # pods:
+    #     - apiVersion: v1
+    #       kind: pod
+    #       metadata:
+    #         name: nginx
+    #       spec:
+    #         containers:
+    #             - image: nginx
+    #               name: nginx
+
+    # # Allows the addition of user specified files.
+
+    # # MachineFiles usage example.
+    # files:
+    #     - content: '...' # The contents of the file.
+    #       permissions: 0o666 # The file's permissions in octal.
+    #       path: /tmp/file.txt # The path of the file.
+    #       op: append # The operation to use
+
+    # # The `env` field allows for the addition of environment variables.
+
+    # # Environment variables definition examples.
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: info
+    #     GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
+    #     https_proxy: http://SERVER:PORT/
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: error
+    #     https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
+    # env:
+    #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
+
+    # # Used to configure the machine's time settings.
+
+    # # Example configuration for cloudflare ntp server.
+    # time:
+    #     disabled: false # Indicates if the time service is disabled for the machine.
+    #     # description: |
+    #     servers:
+    #         - time.cloudflare.com
+    #     bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
+
+    # # Used to configure the machine's sysctls.
+
+    # # MachineSysctls usage example.
+    # sysctls:
+    #     kernel.domainname: talos.dev
+    #     net.ipv4.ip_forward: "0"
+    #     net/ipv6/conf/eth0.100/disable_ipv6: "1"
+
+    # # Used to configure the machine's sysfs.
+
+    # # MachineSysfs usage example.
+    # sysfs:
+    #     devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
+
+    # # Configures the udev system.
+    # udev:
+    #     # List of udev rules to apply to the udev system
+    #     rules:
+    #         - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
+
+    # # Configures the logging system.
+    # logging:
+    #     # Logging destination.
+    #     destinations:
+    #         - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
+    #           format: json_lines # Logs format.
+
+    # # Configures the kernel.
+    # kernel:
+    #     # Kernel modules to load.
+    #     modules:
+    #         - name: brtfs # Module name.
+
+    # # Configures the seccomp profiles for the machine.
+    # seccompProfiles:
+    #     - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
+    #       # The `value` field is used to provide the seccomp profile.
+    #       value:
+    #         defaultAction: SCMP_ACT_LOG
+
+    # # Override (patch) settings in the default OCI runtime spec for CRI containers.
+
+    # # override default open file limit
+    # baseRuntimeSpecOverrides:
+    #     process:
+    #         rlimits:
+    #             - hard: 1024
+    #               soft: 1024
+    #               type: RLIMIT_NOFILE
+
+    # # Configures the node annotations for the machine.
+
+    # # node annotations example.
+    # nodeAnnotations:
+    #     customer.io/rack: r13a25
+
+    # # Configures the node taints for the machine. Effect is optional.
+
+    # # node taints example.
+    # nodeTaints:
+    #     exampleTaint: exampleTaintValue:NoSchedule
+# Provides cluster specific configuration options.
+cluster:
+    id: 34a8UzPmkeW1KotPydx05XqtRO1lS8FQ8QFJRLfhxUo= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
+    secret: dKJk+UZXuMSz/0CN1p7pH0zBoXAXw9Q9O9AbTs2wwig= # Shared secret of cluster (base64 encoded random 32 bytes).
+    # Provides control plane specific configuration options.
+    controlPlane:
+        endpoint: https://10.0.1.3:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
+    clusterName: talos-cluster # Configures the cluster's name.
+    # Provides cluster specific network configuration options.
+    network:
+        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
+        # The pod subnet CIDR.
+        podSubnets:
+            - 10.244.0.0/16
+        # The service subnet CIDR.
+        serviceSubnets:
+            - 10.96.0.0/12
+        
+        # # The CNI used.
+        # cni:
+        #     name: custom # Name of CNI to use.
+        #     # URLs containing manifests to apply for the CNI.
+        #     urls:
+        #         - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
+    token: 15hjxu.y89oz55uwwm1qmm2 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
+    secretboxEncryptionSecret: WJOMi1rld5VZ77PjwNOUiurOroFaZe0TvsmGRIrzD+I= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+    # The base64 encoded root certificate authority used by Kubernetes.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQU1DdU1LWW1RZkFEZnNHTFlheHZmMFF3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOakF5TWpNd01ETTNNRGRhRncwek5qQXlNakV3TURNMwpNRGRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVNhMGRhaFlQalNXaURVZWJjN0liTmppUk5nSjE4MDZMVDQyOFFXbWJJd0k2NE54emVyNlNpZDF0QTUKQXNuelhMaHpCMHdJWVovRGZqNTRwem1tdmRwRW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGRXNiZldwU0h3bFJlVTdOMWlFV1R4NEF1RzBjTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUcrUkQ1OVEKRzVlcDhubHJtMURhS1NYM3pHZ2ZUMzhHSVJ2a0srY1piVG9OQWlFQXY1eVh5RWlnTERKSzZWekhtd2JwRU1KSAp6YkszZTlnZWpwYXByUllhVm9JPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURSUkRKL2xVVExxa2t3bkZ1WTlHTUMweXhTejJONFlKUlVGUytxTU1WNXlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbXRIV29XRDQwbG9nMUhtM095R3pZNGtUWUNkZk5PaTArTnZFRnBteU1DT3VEY2MzcStrbwpuZGJRT1FMSjgxeTRjd2RNQ0dHZnczNCtlS2M1cHIzYVJBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
+    aggregatorCA:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZVENDQVFhZ0F3SUJBZ0lSQU5CRlNyT01kL1ZGQzYvdXVHRDdHUnd3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5qQXlNak13TURNM01EZGFGdzB6TmpBeU1qRXdNRE0zTURkYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVRPdDdveTNBMHZ1TFBMbDNFUU8vRXlOaGh5TGgyeHJDaHJLMENSM3dFbnpkOUFvOUJlCmRjVE90a2xSV0lRbTI1RTJpeGlRcHZqUGNXdTNucmdCUTVjTm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGSlYzMjU2dmhCNDFXUE93VHB3N3lvWllOek9VTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCklRQ2EvaVJWK3BONkVQM3diWHMybVpQMEFrUEVPY21sRnhqNjllWGE2c05JbUFJaEFQZGZaR0xiQ1AwVnZlYTMKUUZjNEEyYXcxZUxFSjB3WmtNdkhoS2hMa1hCaAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBiaGNIdHhRalk1SGRtakkzT25FZ1ZVb21OUmQ5TnBvNmRjRFYrMnlmOVBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFenJlNk10d05MN2l6eTVkeEVEdnhNallZY2k0ZHNhd29heXRBa2Q4Qko4M2ZRS1BRWG5YRQp6clpKVVZpRUp0dVJOb3NZa0tiNHozRnJ0NTY0QVVPWERRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded private key for service account token generation.
+    serviceAccount:
+        key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKSndJQkFBS0NBZ0VBdGZXMHEza3pMWVFwSlFYNlpaUmxCdzhiMmp5SHZRTnBQOG55Z0pHY1FyYk1ST2hiCmNBNFRjdVBYanoydmRyR3VSWHBNNEN4eGVGWmtldDBuTDJKQzExaEE5bktaYUd4aUV4Z0lWQWlNRFlVcS9lK3kKTWx6Y2ZvQkxlN1NQSTY0b0pONzlUalZwS0kySHVBUjNLWlduK1pMajkzL2VzS3dBZ29iMWZRazg0WHAwR1pMbQpZQVNRbENIakh5UmErUWptemloQnMrRzBkakRGNmRkZzZjd3hpN2hKTmp4TUF6K0UzcUhJYnhINit2UENyQiswCnFTWCtLbU1ERUlRUlN6eGEwN01kQUFMakpUb0Z5eTNwWnFlOVcvcmNRQXdNbllWSGZYaHNBbm1ZQmdsOWRLYTUKd0c3SEpPT21zeUNvOHUzV2hpR2ZGc1JUbTUzVXk1S2pIMkVwd2J1R1FSbXlUTHd2MWR6a1RTdU5qMGRoVzFvTApSL0VvaWh3Rnh0bklKUDR2K3NmVmNFOXhWbGZFbUhmekIydGc3bUhpdkJBT0tGMTRwM3V3YzJncG96WEY1NDF4CmV2MHN1RXgzaDhHcWt0cmRVVmhMTzlmVDJxbVFqQnlScVJkSnlWVXdUc2E2dkl1dHJydk1BTVBHKzJENW51cFYKaEszZ2xNUFB0Z01icU9rSFFaejZCa2MyRHhlbzYzeUFITmxCRTQ2TVliTFEralhxSDhreEFHN05XQnViditoegpjWWJsTElQek5vbkJjYW9SYkNZdXJOQTcxR093YnVoeWlsT0VpOU50K2FveVVOcmJSUk9GMDBvVlBDWFJXbmlpCjhLSHZNY05hMzlweGtPUXRwQWR6aURvaHJ0RTNtcUdyVXZWaEYyaXJnVy93bkMrZ01IWDdnMSthMFprQ0F3RUEKQVFLQ0FnQURUdUhIZ2s4WFkwRTZQcGNVVkxQWGdvTlBudTBhMXg2SlBkc3VVamRra1IwNm5YellGekZzVTg4ZAorQkdpRjAzalRudHFVZlNJS3czdG0rcXo5bFhmdzJkKzg0dHRkaGI4WU9INTRTUG10UWFZa2t5TGxOdWZZeWE4Cks0YTByOXhqK3pmZ3ZhRFpUMlZweDQ4QkR3cjhReHJvNjRhNWNJOGIwR2RUTENGU3VoNjFQbEg0NmV4VS9SNjcKZUxZOHM5ZzZaRW41Z3I5OHJKdFVpb2xsQnNUWjFQSmp6WW5XUDBmam9rNWFFcG9kQ09SL3E1M2x1MTZaRjY2OQpGS0daM0JHTXFzTjZ0aEs2SVFsczdidENGZ2VmemZwR0lkSHk1VEx0Q1l6eEtKUEdmRkt2RmI3bnpEdkxwR1hwCitNeUppaUJ0MU51bkZzK3NVeHpFekxneGdGczVkaFYzNEx3LzRtMTNtV2RuVGtTelRWeWFycmJnWlZ0R0hFOU0KOEdJcDNvNGR4VW5QZnkrYzRmbkNGZ0NISzNSQUNjczlCVWJlSU5pQnlycXQ0SHBmUGdvdXI2T0hGRXJTUjJONgp4VVp1RW0zb0I1TjdFd0paVXo4YUllblpDclBYZWJhNmhyb3RnaGdzeUZETEZnSjYzOEgxZHNRTXFDb1BTZ05qCkgweE9YQmtKbWRDYStFdVA2NVFhL1h4OU8waW9YbTE1aTRiVEF4YWxoWGdVS3hnQ1FIQUpLb3VvcTZpLzEwUnAKOWlCZ1Zpak5VWS9QYXlkL1BMVEhsN2FiRnlTemYyYUJIQnFueElNVU90alJSckRVbHRaazZHVnlGcjFjdmdSNApFMWduK0RKeTZKbnc2alFCUTMwd25yUG1TbXl6eUdFMDdMbU5tNmRMaXE5ZVNSOEtqd0tDQVFFQXhSSHAweVB4ClFJQW9ZVmNNK0tmR1FXRWI2K2F4RGovenZFSHpYTk4vVW9pMVlFWDZZNHBaUnRrdFJpaVg5ZktXb214eU9yckUKTUdyUTdTeHVqa2oyYkZwY1RDTnV0UUxXU3ZqajZXb3pGbVA3dWdLTGZLUXhLU1p4QUo2Y3NUYVZxZkpiWFVsQQpZQ2h1aDQ5NzI0TmxKV1pZSks2ZS82M2lOd09hNk9aWW9OMVV4YTd4SStFbDhFaUJhUUtBRDJVWXIyRkYvazRPCitOSlpoTi9BOWZCK1Y5a1g2dnltNktPZUhtTUxuZExObkdIekdmUkhKWCswUkh3cnNYM215RnBVVXA0ZFpXeE0KcWFmUVNJSUl2Qm9uZHFqRG1hcmhZQ0NNZlZIQURGTEcxZ2ZZYmYzMDNObG12YVlkSXAvL2l5UTJvREdtTXZXWgpONy9Eazk3Mmxtam82d0tDQVFFQTdGOFVGdkF5dXVLek5EZ2ZnUDhEL09QRkcvSzRJNHNoNTVLU0lmRkRPRWQ3CnJReHg4b29NaEVRL2hlSFJWRURMaTU5ZG1NSzA2bXQ4UkVvWHVYMEt6ZzQvanB0WldKOFNNaHFYT0pJb3kzWWUKMVgvZjEyT1YwbVc2Tk1UNHVvbkRnS2dsS1F6aDJIQ0xNTWhOdTFoWWFTa1hJaVR0SjR0eFUyU2Z2RlQ0aUwvMQpkNGZ1enNkOVg2bkZ6TE5IaWkyekYzNTZXVG5jSEMrWmpWaTlCSmFFelF0NFJsWm95bTBRZk8xNUhzZkNqaU9iCldMQmJYSXV5N29rc2NRZ0Vtc2xrN0ZpNGxGSUZxUVFIVnhjYURKMXpnYmhoMk1VSTRRYURCNjZtYzdsUFo0dUIKcmJBZXhrR2cwQjBmYWFsMTcrRVhIN1dnei9JOUNzNERaTU5JcmRhT2l3S0NBUUFFcEk5bHNnc1ZBZS94bXlOcgpHRWpMY1lZKzRJaDdWWFpna1EweXVxamRRT3RGQVdFTXgwMmpKYXF6WkhGd0VlOEtsSk44WHJvUWlmT3lJc0hZCkNGQUY3WHNQTUNhRGpUV1BQcDNmK2VpS05vRFB1UStnT0I0UVloOTNiRVUweDV4dkRJNnFlL2RRVEtPTi9ndGsKK0l1QmZnL0ZqWGVoZm04OTdJL1J2TnVKcnEwNG13NkRVZUthN3BwZDV2a3RZNnhaTldsNHZFNE4vcWF0UXJoQgpFeEZtOEc1bjB0djd6eDhDaUVMVnpRbWJEWk8wb05Tc1JYM3h2eHNvYTFic2tYUTdIZzZEUFRIeExVcnk2bDFhClVTTnM0RHo3ZWRNbGVKN1d0UDVaUy9uelFPd1FhMU5CZ0wyeTZoNzFtZDlqWDg4SnB5SExRWTRDaWpvSldjOWwKYThOUkFvSUJBSHBrbFJOM2x0MGNhK3liTHZ6dGo1UVFJTTFpOWlRNWMvbmo5RlV0QjBDS0N5bEU2Mi9LT2NiMwpTK2s0VDlzUG5oWVRGRFQ0aFJOcFNyUlZwVWsvelN0N1J6L0JneGNYYnlXUWpVTVdzNWIrOStKWFQ0SEpLQmdFCjR0RldPUERtU3R4QXROVTN2VzRFZ0o1bTZaRWJvdFA1R2VodE5IdW9nYXJMek1hSlBSUWFTYkYyS3ByWnd6cVkKdnpwS2pyMm5BamdsSHBjN0ZaVm10Rnp6V1JTYUYvUFFmNXYwUEZpczlyK3BlM0VMd05zMjVzYWFzd1FOdGo0Nwp1MDVmOTNwcTFCNXBwbEh1MHMxOHI0eFNBd1FMTjNjeEVVRmNiVWVQeHFOZ3RRSHhMNE9QUWp1OG1ZTFJFc01RCmdXYUYvL0tSSEJjb1JqZkcyQUxUUUFDWitmVkJ4eGNDZ2dFQVFmUGJ2Q2hLbVkwYmRNSVRnZWs5UmNOZXh5NU4Kb0ZIcGJlWWdOYThxc2o5ZzhWQmZZY1hnWm1GVTdnZ0pFMEs0enZTQ1ljb0lCbHFLU0s3NTI1YlhLcFdRcWRlUAo4aXRlUm82QjV5YmhxdDVCaTZBa2tHRE40WklOVCsrZk44OE9Kbml5aGJSM2gzdSt0UERHbVFiRTg5bVliNDNwCkFOVTFXaFpWU2ltc3RBemFKTWpaSnFhQ3NlQ004VFk1cXlzM0MzTHE3NWRwVWZoeHNVSFlDMjRxQWFzRTVmK1QKU2VvT2tyV0l5RWNhV3RYQi9DdHhmYThGRHF6SmYyVzJQYmszK29PVXppcVkzbUl5WllweGFWM1VWYS9JRm5WUworVVRjdUw3V1Fpb2JjN2YzOEgxWmNwUHV3MXM5bGxTTlVZb042Ukl3SG9nVzdOVUVqNGo3c3B4MkZ3PT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+    # API server specific configuration options.
+    apiServer:
+        image: registry.k8s.io/kube-apiserver:v1.33.0 # The container image used in the API server manifest.
+        # Extra certificate subject alternative names for the API server's certificate.
+        certSANs:
+            - 10.0.1.3
+        disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
+        # Configure the API server admission plugins.
+        admissionControl:
+            - name: PodSecurity # Name is the name of the admission controller.
+              # Configuration is an embedded configuration object to be used as the plugin's
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+                defaults:
+                    audit: restricted
+                    audit-version: latest
+                    enforce: baseline
+                    enforce-version: latest
+                    warn: restricted
+                    warn-version: latest
+                exemptions:
+                    namespaces:
+                        - kube-system
+                    runtimeClasses: []
+                    usernames: []
+                kind: PodSecurityConfiguration
+        # Configure the API server audit policy.
+        auditPolicy:
+            apiVersion: audit.k8s.io/v1
+            kind: Policy
+            rules:
+                - level: Metadata
+        
+        # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
+        # authorizationConfig:
+        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
+        #       name: webhook # Name is used to describe the authorizer.
+        #       # webhook is the configuration for the webhook authorizer.
+        #       webhook:
+        #         connectionInfo:
+        #             type: InClusterConfig
+        #         failurePolicy: Deny
+        #         matchConditionSubjectAccessReviewVersion: v1
+        #         matchConditions:
+        #             - expression: has(request.resourceAttributes)
+        #             - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
+        #         subjectAccessReviewVersion: v1
+        #         timeout: 3s
+        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
+        #       name: in-cluster-authorizer # Name is used to describe the authorizer.
+        #       # webhook is the configuration for the webhook authorizer.
+        #       webhook:
+        #         connectionInfo:
+        #             type: InClusterConfig
+        #         failurePolicy: NoOpinion
+        #         matchConditionSubjectAccessReviewVersion: v1
+        #         subjectAccessReviewVersion: v1
+        #         timeout: 3s
+    # Controller manager server specific configuration options.
+    controllerManager:
+        image: registry.k8s.io/kube-controller-manager:v1.33.0 # The container image used in the controller manager manifest.
+    # Kube-proxy server-specific configuration options
+    proxy:
+        image: registry.k8s.io/kube-proxy:v1.33.0 # The container image used in the kube-proxy manifest.
+        
+        # # Disable kube-proxy deployment on cluster bootstrap.
+        # disabled: false
+    # Scheduler server specific configuration options.
+    scheduler:
+        image: registry.k8s.io/kube-scheduler:v1.33.0 # The container image used in the scheduler manifest.
+    # Configures cluster member discovery.
+    discovery:
+        enabled: true # Enable the cluster membership discovery feature.
+        # Configure registries used for cluster member discovery.
+        registries:
+            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
+            kubernetes:
+                disabled: true # Disable Kubernetes discovery registry.
+            # Service registry is using an external service to push and pull information about cluster members.
+            service: {}
+            # # External service endpoint.
+            # endpoint: https://discovery.talos.dev/
+    # Etcd specific configuration options.
+    etcd:
+        # The `ca` is the root certificate authority of the PKI.
+        ca:
+            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNTZ0F3SUJBZ0lSQU82dmxYSjQrRHo2RS9jQWc5Lzk5RnN3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TmpBeU1qTXdNRE0zTURkYUZ3MHpOakF5TWpFd01ETTNNRGRhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFSbjJlNjFXVG1ZCmFMckNtVmFxWlFsVDNYRTNJUGYrOWFzMmRwUEVNL0xNM05uRnlyOHdPQzNCejVYcU1heW9FV2ExQk5iSmx3TmIKZjNBc2dVeU1PV2NsbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkJkOXR5Z3d5Z2dWClVzamt1QS8yZ3RFZEpXUHlNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUUMyQmhhOWZQbmtoOURLT0xFa3ozanQKRjhhTnBYZ2FadGxMZUl2UHd6aG9NQUlnVVVXQjFzU1U1aGljbDRCcmpyRGV3MnQvSHVxNk94VFQxMGZndGIyRApKUXM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUtrc21UZzhGSjdndTRocG95YzJYV1dFOVJFYjlQUks3MzlLaWN3SkZXdkFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFWjludXRWazVtR2k2d3BsV3FtVUpVOTF4TnlEMy92V3JObmFUeERQeXpOelp4Y3EvTURndAp3YytWNmpHc3FCRm10UVRXeVpjRFczOXdMSUZNakRsbkpRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+        
+        # # The container image used to create the etcd service.
+        # image: gcr.io/etcd-development/etcd:v3.6.5
+
+        # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
+        # advertisedSubnets:
+        #     - 10.0.0.0/8
+    # A list of urls that point to additional manifests.
+    extraManifests: []
+    #   - https://www.example.com/manifest1.yaml
+    #   - https://www.example.com/manifest2.yaml
+
+    # A list of inline Kubernetes manifests.
+    inlineManifests: []
+    #   - name: namespace-ci # Name of the manifest.
+    #     contents: |- # Manifest contents as a string.
+    #       apiVersion: v1
+    #       kind: Namespace
+    #       metadata:
+    #       	name: ci
+
+    allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.
+    
+    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+
+    # # Decryption secret example (do not use in production!).
+    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
+
+    # # Core DNS specific configuration options.
+    # coreDNS:
+    #     image: registry.k8s.io/coredns/coredns:v1.12.4 # The `image` field is an override to the default coredns image.
+
+    # # External cloud provider configuration.
+    # externalCloudProvider:
+    #     enabled: true # Enable external cloud provider.
+    #     # A list of urls that point to additional manifests for an external cloud provider.
+    #     manifests:
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
+
+    # # A map of key value pairs that will be added while fetching the extraManifests.
+    # extraManifestHeaders:
+    #     Token: "1234567"
+    #     X-ExtraInfo: info
+
+    # # Settings for admin kubeconfig generation.
+    # adminKubeconfig:
+    #     certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).

testing1/controlplane-10.0.1.5.yaml

@@ -0,0 +1,549 @@
+version: v1alpha1 # Indicates the schema used to decode the contents.
+debug: false # Enable verbose logging to the console.
+persist: true
+# Provides machine specific configuration options.
+machine:
+    type: controlplane # Defines the role of the machine within the cluster.
+    token: 7rgo5u.juv7x1jtvu26cn92 # The `token` is used by a machine to join the PKI of the cluster.
+    # The root certificate authority of the PKI.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBK2FzSlFsejRzdmUvWU9iU1lXZE9JREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qWXdNakl6TURBek56QTNXaGNOTXpZd01qSXhNREF6TnpBM1dqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQURXdFhTVHJJYUNEVFp0TFdCVllQY2dlcG5xN3BwbFJPSys4Ck9EZDJTQ2hrbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkVoY1FsN2paOHhqZE05SApyazRHNWE4SmJJMWZNQVVHQXl0bGNBTkJBS0ZIWkJsSGJaUjMzVzNGRS9rZ3BDaERkS0MvSlFlcDFRdktnZit3ClNoZEZTNDdGY0FuQWVmcXRpUWhuUlU1UU5Nb2hIZXp6dzdKcG5KU09kUHd1alFrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQmJyUE5lT1B0VS8yRFprdkU4T0lEZjQwZHdjU3VnVmYvb0ZjQnNPRkFsOQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+    # Extra certificate subject alternative names for the machine's certificate.
+    certSANs:
+        - 10.0.1.5
+        - 10.0.1.3
+        - 10.0.1.4
+        - 10.0.1.5
+    # Used to provide additional options to the kubelet.
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.33.0 # The `image` field is an optional reference to an alternative kubelet image.
+        defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
+        disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
+        
+        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
+        # clusterDNS:
+        #     - 10.96.0.10
+        #     - 169.254.2.53
+
+        # # The `extraArgs` field is used to provide additional flags to the kubelet.
+        # extraArgs:
+        #     key: value
+
+        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
+        # extraMounts:
+        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
+        #       type: bind # Type specifies the mount kind.
+        #       source: /var/lib/example # Source specifies the source path of the mount.
+        #       # Options are fstab style mount options.
+        #       options:
+        #         - bind
+        #         - rshared
+        #         - rw
+
+        # # The `extraConfig` field is used to provide kubelet configuration overrides.
+        # extraConfig:
+        #     serverTLSBootstrap: true
+
+        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
+        # credentialProviderConfig:
+        #     apiVersion: kubelet.config.k8s.io/v1
+        #     kind: CredentialProviderConfig
+        #     providers:
+        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1
+        #           defaultCacheDuration: 12h
+        #           matchImages:
+        #             - '*.dkr.ecr.*.amazonaws.com'
+        #             - '*.dkr.ecr.*.amazonaws.com.cn'
+        #             - '*.dkr.ecr-fips.*.amazonaws.com'
+        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
+        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
+        #           name: ecr-credential-provider
+
+        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
+        # nodeIP:
+        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
+        #     validSubnets:
+        #         - 10.0.0.0/8
+        #         - '!10.0.0.3/32'
+        #         - fdc7::/16
+    # Provides machine specific network configuration options.
+    network:
+        hostname: cp-2 # Used to statically set the hostname for the machine.
+        
+        # # `interfaces` is used to define the network interface configuration.
+        # interfaces:
+        #     - interface: enp0s1 # The interface name.
+        #       # Assigns static IP addresses to the interface.
+        #       addresses:
+        #         - 192.168.2.0/24
+        #       # A list of routes associated with the interface.
+        #       routes:
+        #         - network: 0.0.0.0/0 # The route's network (destination).
+        #           gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
+        #           metric: 1024 # The optional metric for the route.
+        #       mtu: 1500 # The interface's MTU.
+        #       
+        #       # # Picks a network device using the selector.
+
+        #       # # select a device with bus prefix 00:*.
+        #       # deviceSelector:
+        #       #     busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+        #       # deviceSelector:
+        #       #     hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #     driver: virtio_net # Kernel driver, supports matching by wildcard.
+        #       # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
+        #       # deviceSelector:
+        #       #     - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       #     - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #       driver: virtio_net # Kernel driver, supports matching by wildcard.
+
+        #       # # Bond specific options.
+        #       # bond:
+        #       #     # The interfaces that make up the bond.
+        #       #     interfaces:
+        #       #         - enp2s0
+        #       #         - enp2s1
+        #       #     # Picks a network device using the selector.
+        #       #     deviceSelectors:
+        #       #         - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
+        #       #         - hardwareAddr: '*:f0:ab' # Device hardware (MAC) address, supports matching by wildcard.
+        #       #           driver: virtio_net # Kernel driver, supports matching by wildcard.
+        #       #     mode: 802.3ad # A bond option.
+        #       #     lacpRate: fast # A bond option.
+
+        #       # # Bridge specific options.
+        #       # bridge:
+        #       #     # The interfaces that make up the bridge.
+        #       #     interfaces:
+        #       #         - enxda4042ca9a51
+        #       #         - enxae2a6774c259
+        #       #     # Enable STP on this bridge.
+        #       #     stp:
+        #       #         enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
+
+        #       # # Configure this device as a bridge port.
+        #       # bridgePort:
+        #       #     master: br0 # The name of the bridge master interface
+
+        #       # # Indicates if DHCP should be used to configure the interface.
+        #       # dhcp: true
+
+        #       # # DHCP specific options.
+        #       # dhcpOptions:
+        #       #     routeMetric: 1024 # The priority of all routes received via DHCP.
+
+        #       # # Wireguard specific configuration.
+
+        #       # # wireguard server example
+        #       # wireguard:
+        #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+        #       #     listenPort: 51111 # Specifies a device's listening port.
+        #       #     # Specifies a list of peer configurations to apply to a device.
+        #       #     peers:
+        #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+        #       #           endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
+        #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+        #       #           allowedIPs:
+        #       #             - 192.168.1.0/24
+        #       # # wireguard peer example
+        #       # wireguard:
+        #       #     privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
+        #       #     # Specifies a list of peer configurations to apply to a device.
+        #       #     peers:
+        #       #         - publicKey: ABCDEF... # Specifies the public key of this peer.
+        #       #           endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
+        #       #           persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
+        #       #           # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
+        #       #           allowedIPs:
+        #       #             - 192.168.1.0/24
+
+        #       # # Virtual (shared) IP address configuration.
+
+        #       # # layer2 vip example
+        #       # vip:
+        #       #     ip: 172.16.199.55 # Specifies the IP address to be used.
+
+        # Used to statically set the nameservers for the machine.
+        nameservers:
+            - 8.8.8.8
+            - 1.1.1.1
+
+        # # Used to statically set arbitrary search domains.
+        # searchDomains:
+        #     - example.org
+        #     - example.com
+
+        # # Allows for extra entries to be added to the `/etc/hosts` file
+        # extraHostEntries:
+        #     - ip: 192.168.1.100 # The IP of the host.
+        #       # The host alias.
+        #       aliases:
+        #         - example
+        #         - example.domain.tld
+
+        # # Configures KubeSpan feature.
+        # kubespan:
+        #     enabled: true # Enable the KubeSpan feature.
+    # Used to provide instructions for installations.
+    install:
+        disk: /dev/sda # The disk used for installations.
+        image: ghcr.io/siderolabs/installer:v1.11.5 # Allows for supplying the image used to perform the installation.
+        wipe: false # Indicates if the installation disk should be wiped at installation time.
+        
+        # # Look up disk using disk attributes like model, size, serial and others.
+        # diskSelector:
+        #     size: 4GB # Disk size.
+        #     model: WDC* # Disk model `/sys/block/<dev>/device/model`.
+        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
+
+        # # Allows for supplying extra kernel args via the bootloader.
+        # extraKernelArgs:
+        #     - talos.platform=metal
+        #     - reboot=k
+    # Used to configure the machine's container image registry mirrors.
+    registries: {}
+    # # Specifies mirror configuration for each registry host namespace.
+    # mirrors:
+    #     ghcr.io:
+    #         # List of endpoints (URLs) for registry mirrors to use.
+    #         endpoints:
+    #             - https://registry.insecure
+    #             - https://ghcr.io/v2/
+
+    # # Specifies TLS & auth configuration for HTTPS image registries.
+    # config:
+    #     registry.insecure:
+    #         # The TLS configuration for the registry.
+    #         tls:
+    #             insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
+    #             
+    #             # # Enable mutual TLS authentication with the registry.
+    #             # clientIdentity:
+    #             #     crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
+    #             #     key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
+    #         
+    #         # # The auth configuration for this registry.
+    #         # auth:
+    #         #     username: username # Optional registry authentication.
+    #         #     password: password # Optional registry authentication.
+
+    # Features describe individual Talos features that can be switched on or off.
+    features:
+        rbac: true # Enable role-based access control (RBAC).
+        stableHostname: true # Enable stable default hostname.
+        apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
+        diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
+        # KubePrism - local proxy/load balancer on defined port that will distribute
+        kubePrism:
+            enabled: true # Enable KubePrism support - will start local load balancing proxy.
+            port: 7445 # KubePrism port.
+        # Configures host DNS caching resolver.
+        hostDNS:
+            enabled: true # Enable host DNS caching resolver.
+            forwardKubeDNSToHost: true # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
+        
+        # # Configure Talos API access from Kubernetes pods.
+        # kubernetesTalosAPIAccess:
+        #     enabled: true # Enable Talos API access from Kubernetes pods.
+        #     # The list of Talos API roles which can be granted for access from Kubernetes pods.
+        #     allowedRoles:
+        #         - os:reader
+        #     # The list of Kubernetes namespaces Talos API access is available from.
+        #     allowedKubernetesNamespaces:
+        #         - kube-system
+    # Configures the node labels for the machine.
+    # nodeLabels:
+    #     node.kubernetes.io/exclude-from-external-load-balancers: ""
+    
+    # # Provides machine specific control plane configuration options.
+
+    # # ControlPlane definition example.
+    # controlPlane:
+    #     # Controller manager machine specific configuration options.
+    #     controllerManager:
+    #         disabled: false # Disable kube-controller-manager on the node.
+    #     # Scheduler machine specific configuration options.
+    #     scheduler:
+    #         disabled: true # Disable kube-scheduler on the node.
+
+    # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
+
+    # # nginx static pod.
+    # pods:
+    #     - apiVersion: v1
+    #       kind: pod
+    #       metadata:
+    #         name: nginx
+    #       spec:
+    #         containers:
+    #             - image: nginx
+    #               name: nginx
+
+    # # Allows the addition of user specified files.
+
+    # # MachineFiles usage example.
+    # files:
+    #     - content: '...' # The contents of the file.
+    #       permissions: 0o666 # The file's permissions in octal.
+    #       path: /tmp/file.txt # The path of the file.
+    #       op: append # The operation to use
+
+    # # The `env` field allows for the addition of environment variables.
+
+    # # Environment variables definition examples.
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: info
+    #     GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
+    #     https_proxy: http://SERVER:PORT/
+    # env:
+    #     GRPC_GO_LOG_SEVERITY_LEVEL: error
+    #     https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
+    # env:
+    #     https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
+
+    # # Used to configure the machine's time settings.
+
+    # # Example configuration for cloudflare ntp server.
+    # time:
+    #     disabled: false # Indicates if the time service is disabled for the machine.
+    #     # description: |
+    #     servers:
+    #         - time.cloudflare.com
+    #     bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
+
+    # # Used to configure the machine's sysctls.
+
+    # # MachineSysctls usage example.
+    # sysctls:
+    #     kernel.domainname: talos.dev
+    #     net.ipv4.ip_forward: "0"
+    #     net/ipv6/conf/eth0.100/disable_ipv6: "1"
+
+    # # Used to configure the machine's sysfs.
+
+    # # MachineSysfs usage example.
+    # sysfs:
+    #     devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
+
+    # # Configures the udev system.
+    # udev:
+    #     # List of udev rules to apply to the udev system
+    #     rules:
+    #         - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
+
+    # # Configures the logging system.
+    # logging:
+    #     # Logging destination.
+    #     destinations:
+    #         - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
+    #           format: json_lines # Logs format.
+
+    # # Configures the kernel.
+    # kernel:
+    #     # Kernel modules to load.
+    #     modules:
+    #         - name: brtfs # Module name.
+
+    # # Configures the seccomp profiles for the machine.
+    # seccompProfiles:
+    #     - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
+    #       # The `value` field is used to provide the seccomp profile.
+    #       value:
+    #         defaultAction: SCMP_ACT_LOG
+
+    # # Override (patch) settings in the default OCI runtime spec for CRI containers.
+
+    # # override default open file limit
+    # baseRuntimeSpecOverrides:
+    #     process:
+    #         rlimits:
+    #             - hard: 1024
+    #               soft: 1024
+    #               type: RLIMIT_NOFILE
+
+    # # Configures the node annotations for the machine.
+
+    # # node annotations example.
+    # nodeAnnotations:
+    #     customer.io/rack: r13a25
+
+    # # Configures the node taints for the machine. Effect is optional.
+
+    # # node taints example.
+    # nodeTaints:
+    #     exampleTaint: exampleTaintValue:NoSchedule
+# Provides cluster specific configuration options.
+cluster:
+    id: 34a8UzPmkeW1KotPydx05XqtRO1lS8FQ8QFJRLfhxUo= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
+    secret: dKJk+UZXuMSz/0CN1p7pH0zBoXAXw9Q9O9AbTs2wwig= # Shared secret of cluster (base64 encoded random 32 bytes).
+    # Provides control plane specific configuration options.
+    controlPlane:
+        endpoint: https://10.0.1.3:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
+    clusterName: talos-cluster # Configures the cluster's name.
+    # Provides cluster specific network configuration options.
+    network:
+        dnsDomain: cluster.local # The domain used by Kubernetes DNS.
+        # The pod subnet CIDR.
+        podSubnets:
+            - 10.244.0.0/16
+        # The service subnet CIDR.
+        serviceSubnets:
+            - 10.96.0.0/12
+        
+        # # The CNI used.
+        # cni:
+        #     name: custom # Name of CNI to use.
+        #     # URLs containing manifests to apply for the CNI.
+        #     urls:
+        #         - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
+    token: 15hjxu.y89oz55uwwm1qmm2 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
+    secretboxEncryptionSecret: WJOMi1rld5VZ77PjwNOUiurOroFaZe0TvsmGRIrzD+I= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+    # The base64 encoded root certificate authority used by Kubernetes.
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpakNDQVRDZ0F3SUJBZ0lSQU1DdU1LWW1RZkFEZnNHTFlheHZmMFF3Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOakF5TWpNd01ETTNNRGRhRncwek5qQXlNakV3TURNMwpNRGRhTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVNhMGRhaFlQalNXaURVZWJjN0liTmppUk5nSjE4MDZMVDQyOFFXbWJJd0k2NE54emVyNlNpZDF0QTUKQXNuelhMaHpCMHdJWVovRGZqNTRwem1tdmRwRW8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGRXNiZldwU0h3bFJlVTdOMWlFV1R4NEF1RzBjTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSUcrUkQ1OVEKRzVlcDhubHJtMURhS1NYM3pHZ2ZUMzhHSVJ2a0srY1piVG9OQWlFQXY1eVh5RWlnTERKSzZWekhtd2JwRU1KSAp6YkszZTlnZWpwYXByUllhVm9JPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURSUkRKL2xVVExxa2t3bkZ1WTlHTUMweXhTejJONFlKUlVGUytxTU1WNXlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbXRIV29XRDQwbG9nMUhtM095R3pZNGtUWUNkZk5PaTArTnZFRnBteU1DT3VEY2MzcStrbwpuZGJRT1FMSjgxeTRjd2RNQ0dHZnczNCtlS2M1cHIzYVJBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
+    aggregatorCA:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZVENDQVFhZ0F3SUJBZ0lSQU5CRlNyT01kL1ZGQzYvdXVHRDdHUnd3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5qQXlNak13TURNM01EZGFGdzB6TmpBeU1qRXdNRE0zTURkYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVRPdDdveTNBMHZ1TFBMbDNFUU8vRXlOaGh5TGgyeHJDaHJLMENSM3dFbnpkOUFvOUJlCmRjVE90a2xSV0lRbTI1RTJpeGlRcHZqUGNXdTNucmdCUTVjTm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGSlYzMjU2dmhCNDFXUE93VHB3N3lvWllOek9VTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCklRQ2EvaVJWK3BONkVQM3diWHMybVpQMEFrUEVPY21sRnhqNjllWGE2c05JbUFJaEFQZGZaR0xiQ1AwVnZlYTMKUUZjNEEyYXcxZUxFSjB3WmtNdkhoS2hMa1hCaAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBiaGNIdHhRalk1SGRtakkzT25FZ1ZVb21OUmQ5TnBvNmRjRFYrMnlmOVBvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFenJlNk10d05MN2l6eTVkeEVEdnhNallZY2k0ZHNhd29heXRBa2Q4Qko4M2ZRS1BRWG5YRQp6clpKVVZpRUp0dVJOb3NZa0tiNHozRnJ0NTY0QVVPWERRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    # The base64 encoded private key for service account token generation.
+    serviceAccount:
+        key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKSndJQkFBS0NBZ0VBdGZXMHEza3pMWVFwSlFYNlpaUmxCdzhiMmp5SHZRTnBQOG55Z0pHY1FyYk1ST2hiCmNBNFRjdVBYanoydmRyR3VSWHBNNEN4eGVGWmtldDBuTDJKQzExaEE5bktaYUd4aUV4Z0lWQWlNRFlVcS9lK3kKTWx6Y2ZvQkxlN1NQSTY0b0pONzlUalZwS0kySHVBUjNLWlduK1pMajkzL2VzS3dBZ29iMWZRazg0WHAwR1pMbQpZQVNRbENIakh5UmErUWptemloQnMrRzBkakRGNmRkZzZjd3hpN2hKTmp4TUF6K0UzcUhJYnhINit2UENyQiswCnFTWCtLbU1ERUlRUlN6eGEwN01kQUFMakpUb0Z5eTNwWnFlOVcvcmNRQXdNbllWSGZYaHNBbm1ZQmdsOWRLYTUKd0c3SEpPT21zeUNvOHUzV2hpR2ZGc1JUbTUzVXk1S2pIMkVwd2J1R1FSbXlUTHd2MWR6a1RTdU5qMGRoVzFvTApSL0VvaWh3Rnh0bklKUDR2K3NmVmNFOXhWbGZFbUhmekIydGc3bUhpdkJBT0tGMTRwM3V3YzJncG96WEY1NDF4CmV2MHN1RXgzaDhHcWt0cmRVVmhMTzlmVDJxbVFqQnlScVJkSnlWVXdUc2E2dkl1dHJydk1BTVBHKzJENW51cFYKaEszZ2xNUFB0Z01icU9rSFFaejZCa2MyRHhlbzYzeUFITmxCRTQ2TVliTFEralhxSDhreEFHN05XQnViditoegpjWWJsTElQek5vbkJjYW9SYkNZdXJOQTcxR093YnVoeWlsT0VpOU50K2FveVVOcmJSUk9GMDBvVlBDWFJXbmlpCjhLSHZNY05hMzlweGtPUXRwQWR6aURvaHJ0RTNtcUdyVXZWaEYyaXJnVy93bkMrZ01IWDdnMSthMFprQ0F3RUEKQVFLQ0FnQURUdUhIZ2s4WFkwRTZQcGNVVkxQWGdvTlBudTBhMXg2SlBkc3VVamRra1IwNm5YellGekZzVTg4ZAorQkdpRjAzalRudHFVZlNJS3czdG0rcXo5bFhmdzJkKzg0dHRkaGI4WU9INTRTUG10UWFZa2t5TGxOdWZZeWE4Cks0YTByOXhqK3pmZ3ZhRFpUMlZweDQ4QkR3cjhReHJvNjRhNWNJOGIwR2RUTENGU3VoNjFQbEg0NmV4VS9SNjcKZUxZOHM5ZzZaRW41Z3I5OHJKdFVpb2xsQnNUWjFQSmp6WW5XUDBmam9rNWFFcG9kQ09SL3E1M2x1MTZaRjY2OQpGS0daM0JHTXFzTjZ0aEs2SVFsczdidENGZ2VmemZwR0lkSHk1VEx0Q1l6eEtKUEdmRkt2RmI3bnpEdkxwR1hwCitNeUppaUJ0MU51bkZzK3NVeHpFekxneGdGczVkaFYzNEx3LzRtMTNtV2RuVGtTelRWeWFycmJnWlZ0R0hFOU0KOEdJcDNvNGR4VW5QZnkrYzRmbkNGZ0NISzNSQUNjczlCVWJlSU5pQnlycXQ0SHBmUGdvdXI2T0hGRXJTUjJONgp4VVp1RW0zb0I1TjdFd0paVXo4YUllblpDclBYZWJhNmhyb3RnaGdzeUZETEZnSjYzOEgxZHNRTXFDb1BTZ05qCkgweE9YQmtKbWRDYStFdVA2NVFhL1h4OU8waW9YbTE1aTRiVEF4YWxoWGdVS3hnQ1FIQUpLb3VvcTZpLzEwUnAKOWlCZ1Zpak5VWS9QYXlkL1BMVEhsN2FiRnlTemYyYUJIQnFueElNVU90alJSckRVbHRaazZHVnlGcjFjdmdSNApFMWduK0RKeTZKbnc2alFCUTMwd25yUG1TbXl6eUdFMDdMbU5tNmRMaXE5ZVNSOEtqd0tDQVFFQXhSSHAweVB4ClFJQW9ZVmNNK0tmR1FXRWI2K2F4RGovenZFSHpYTk4vVW9pMVlFWDZZNHBaUnRrdFJpaVg5ZktXb214eU9yckUKTUdyUTdTeHVqa2oyYkZwY1RDTnV0UUxXU3ZqajZXb3pGbVA3dWdLTGZLUXhLU1p4QUo2Y3NUYVZxZkpiWFVsQQpZQ2h1aDQ5NzI0TmxKV1pZSks2ZS82M2lOd09hNk9aWW9OMVV4YTd4SStFbDhFaUJhUUtBRDJVWXIyRkYvazRPCitOSlpoTi9BOWZCK1Y5a1g2dnltNktPZUhtTUxuZExObkdIekdmUkhKWCswUkh3cnNYM215RnBVVXA0ZFpXeE0KcWFmUVNJSUl2Qm9uZHFqRG1hcmhZQ0NNZlZIQURGTEcxZ2ZZYmYzMDNObG12YVlkSXAvL2l5UTJvREdtTXZXWgpONy9Eazk3Mmxtam82d0tDQVFFQTdGOFVGdkF5dXVLek5EZ2ZnUDhEL09QRkcvSzRJNHNoNTVLU0lmRkRPRWQ3CnJReHg4b29NaEVRL2hlSFJWRURMaTU5ZG1NSzA2bXQ4UkVvWHVYMEt6ZzQvanB0WldKOFNNaHFYT0pJb3kzWWUKMVgvZjEyT1YwbVc2Tk1UNHVvbkRnS2dsS1F6aDJIQ0xNTWhOdTFoWWFTa1hJaVR0SjR0eFUyU2Z2RlQ0aUwvMQpkNGZ1enNkOVg2bkZ6TE5IaWkyekYzNTZXVG5jSEMrWmpWaTlCSmFFelF0NFJsWm95bTBRZk8xNUhzZkNqaU9iCldMQmJYSXV5N29rc2NRZ0Vtc2xrN0ZpNGxGSUZxUVFIVnhjYURKMXpnYmhoMk1VSTRRYURCNjZtYzdsUFo0dUIKcmJBZXhrR2cwQjBmYWFsMTcrRVhIN1dnei9JOUNzNERaTU5JcmRhT2l3S0NBUUFFcEk5bHNnc1ZBZS94bXlOcgpHRWpMY1lZKzRJaDdWWFpna1EweXVxamRRT3RGQVdFTXgwMmpKYXF6WkhGd0VlOEtsSk44WHJvUWlmT3lJc0hZCkNGQUY3WHNQTUNhRGpUV1BQcDNmK2VpS05vRFB1UStnT0I0UVloOTNiRVUweDV4dkRJNnFlL2RRVEtPTi9ndGsKK0l1QmZnL0ZqWGVoZm04OTdJL1J2TnVKcnEwNG13NkRVZUthN3BwZDV2a3RZNnhaTldsNHZFNE4vcWF0UXJoQgpFeEZtOEc1bjB0djd6eDhDaUVMVnpRbWJEWk8wb05Tc1JYM3h2eHNvYTFic2tYUTdIZzZEUFRIeExVcnk2bDFhClVTTnM0RHo3ZWRNbGVKN1d0UDVaUy9uelFPd1FhMU5CZ0wyeTZoNzFtZDlqWDg4SnB5SExRWTRDaWpvSldjOWwKYThOUkFvSUJBSHBrbFJOM2x0MGNhK3liTHZ6dGo1UVFJTTFpOWlRNWMvbmo5RlV0QjBDS0N5bEU2Mi9LT2NiMwpTK2s0VDlzUG5oWVRGRFQ0aFJOcFNyUlZwVWsvelN0N1J6L0JneGNYYnlXUWpVTVdzNWIrOStKWFQ0SEpLQmdFCjR0RldPUERtU3R4QXROVTN2VzRFZ0o1bTZaRWJvdFA1R2VodE5IdW9nYXJMek1hSlBSUWFTYkYyS3ByWnd6cVkKdnpwS2pyMm5BamdsSHBjN0ZaVm10Rnp6V1JTYUYvUFFmNXYwUEZpczlyK3BlM0VMd05zMjVzYWFzd1FOdGo0Nwp1MDVmOTNwcTFCNXBwbEh1MHMxOHI0eFNBd1FMTjNjeEVVRmNiVWVQeHFOZ3RRSHhMNE9QUWp1OG1ZTFJFc01RCmdXYUYvL0tSSEJjb1JqZkcyQUxUUUFDWitmVkJ4eGNDZ2dFQVFmUGJ2Q2hLbVkwYmRNSVRnZWs5UmNOZXh5NU4Kb0ZIcGJlWWdOYThxc2o5ZzhWQmZZY1hnWm1GVTdnZ0pFMEs0enZTQ1ljb0lCbHFLU0s3NTI1YlhLcFdRcWRlUAo4aXRlUm82QjV5YmhxdDVCaTZBa2tHRE40WklOVCsrZk44OE9Kbml5aGJSM2gzdSt0UERHbVFiRTg5bVliNDNwCkFOVTFXaFpWU2ltc3RBemFKTWpaSnFhQ3NlQ004VFk1cXlzM0MzTHE3NWRwVWZoeHNVSFlDMjRxQWFzRTVmK1QKU2VvT2tyV0l5RWNhV3RYQi9DdHhmYThGRHF6SmYyVzJQYmszK29PVXppcVkzbUl5WllweGFWM1VWYS9JRm5WUworVVRjdUw3V1Fpb2JjN2YzOEgxWmNwUHV3MXM5bGxTTlVZb042Ukl3SG9nVzdOVUVqNGo3c3B4MkZ3PT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+    # API server specific configuration options.
+    apiServer:
+        image: registry.k8s.io/kube-apiserver:v1.33.0 # The container image used in the API server manifest.
+        # Extra certificate subject alternative names for the API server's certificate.
+        certSANs:
+            - 10.0.1.3
+        disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
+        # Configure the API server admission plugins.
+        admissionControl:
+            - name: PodSecurity # Name is the name of the admission controller.
+              # Configuration is an embedded configuration object to be used as the plugin's
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+                defaults:
+                    audit: restricted
+                    audit-version: latest
+                    enforce: baseline
+                    enforce-version: latest
+                    warn: restricted
+                    warn-version: latest
+                exemptions:
+                    namespaces:
+                        - kube-system
+                    runtimeClasses: []
+                    usernames: []
+                kind: PodSecurityConfiguration
+        # Configure the API server audit policy.
+        auditPolicy:
+            apiVersion: audit.k8s.io/v1
+            kind: Policy
+            rules:
+                - level: Metadata
+        
+        # # Configure the API server authorization config. Node and RBAC authorizers are always added irrespective of the configuration.
+        # authorizationConfig:
+        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
+        #       name: webhook # Name is used to describe the authorizer.
+        #       # webhook is the configuration for the webhook authorizer.
+        #       webhook:
+        #         connectionInfo:
+        #             type: InClusterConfig
+        #         failurePolicy: Deny
+        #         matchConditionSubjectAccessReviewVersion: v1
+        #         matchConditions:
+        #             - expression: has(request.resourceAttributes)
+        #             - expression: '!(\''system:serviceaccounts:kube-system\'' in request.groups)'
+        #         subjectAccessReviewVersion: v1
+        #         timeout: 3s
+        #     - type: Webhook # Type is the name of the authorizer. Allowed values are `Node`, `RBAC`, and `Webhook`.
+        #       name: in-cluster-authorizer # Name is used to describe the authorizer.
+        #       # webhook is the configuration for the webhook authorizer.
+        #       webhook:
+        #         connectionInfo:
+        #             type: InClusterConfig
+        #         failurePolicy: NoOpinion
+        #         matchConditionSubjectAccessReviewVersion: v1
+        #         subjectAccessReviewVersion: v1
+        #         timeout: 3s
+    # Controller manager server specific configuration options.
+    controllerManager:
+        image: registry.k8s.io/kube-controller-manager:v1.33.0 # The container image used in the controller manager manifest.
+    # Kube-proxy server-specific configuration options
+    proxy:
+        image: registry.k8s.io/kube-proxy:v1.33.0 # The container image used in the kube-proxy manifest.
+        
+        # # Disable kube-proxy deployment on cluster bootstrap.
+        # disabled: false
+    # Scheduler server specific configuration options.
+    scheduler:
+        image: registry.k8s.io/kube-scheduler:v1.33.0 # The container image used in the scheduler manifest.
+    # Configures cluster member discovery.
+    discovery:
+        enabled: true # Enable the cluster membership discovery feature.
+        # Configure registries used for cluster member discovery.
+        registries:
+            # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
+            kubernetes:
+                disabled: true # Disable Kubernetes discovery registry.
+            # Service registry is using an external service to push and pull information about cluster members.
+            service: {}
+            # # External service endpoint.
+            # endpoint: https://discovery.talos.dev/
+    # Etcd specific configuration options.
+    etcd:
+        # The `ca` is the root certificate authority of the PKI.
+        ca:
+            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNTZ0F3SUJBZ0lSQU82dmxYSjQrRHo2RS9jQWc5Lzk5RnN3Q2dZSUtvWkl6ajBFQXdJd0R6RU4KTUFzR0ExVUVDaE1FWlhSalpEQWVGdzB5TmpBeU1qTXdNRE0zTURkYUZ3MHpOakF5TWpFd01ETTNNRGRhTUE4eApEVEFMQmdOVkJBb1RCR1YwWTJRd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DQUFSbjJlNjFXVG1ZCmFMckNtVmFxWlFsVDNYRTNJUGYrOWFzMmRwUEVNL0xNM05uRnlyOHdPQzNCejVYcU1heW9FV2ExQk5iSmx3TmIKZjNBc2dVeU1PV2NsbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSApBd0VHQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkJkOXR5Z3d5Z2dWClVzamt1QS8yZ3RFZEpXUHlNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJUUMyQmhhOWZQbmtoOURLT0xFa3ozanQKRjhhTnBYZ2FadGxMZUl2UHd6aG9NQUlnVVVXQjFzU1U1aGljbDRCcmpyRGV3MnQvSHVxNk94VFQxMGZndGIyRApKUXM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUtrc21UZzhGSjdndTRocG95YzJYV1dFOVJFYjlQUks3MzlLaWN3SkZXdkFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFWjludXRWazVtR2k2d3BsV3FtVUpVOTF4TnlEMy92V3JObmFUeERQeXpOelp4Y3EvTURndAp3YytWNmpHc3FCRm10UVRXeVpjRFczOXdMSUZNakRsbkpRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+        
+        # # The container image used to create the etcd service.
+        # image: gcr.io/etcd-development/etcd:v3.6.5
+
+        # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
+        # advertisedSubnets:
+        #     - 10.0.0.0/8
+    # A list of urls that point to additional manifests.
+    extraManifests: []
+    #   - https://www.example.com/manifest1.yaml
+    #   - https://www.example.com/manifest2.yaml
+
+    # A list of inline Kubernetes manifests.
+    inlineManifests: []
+    #   - name: namespace-ci # Name of the manifest.
+    #     contents: |- # Manifest contents as a string.
+    #       apiVersion: v1
+    #       kind: Namespace
+    #       metadata:
+    #       	name: ci
+
+    allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.
+    
+    # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
+
+    # # Decryption secret example (do not use in production!).
+    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
+
+    # # Core DNS specific configuration options.
+    # coreDNS:
+    #     image: registry.k8s.io/coredns/coredns:v1.12.4 # The `image` field is an override to the default coredns image.
+
+    # # External cloud provider configuration.
+    # externalCloudProvider:
+    #     enabled: true # Enable external cloud provider.
+    #     # A list of urls that point to additional manifests for an external cloud provider.
+    #     manifests:
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
+    #         - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
+
+    # # A map of key value pairs that will be added while fetching the extraManifests.
+    # extraManifestHeaders:
+    #     Token: "1234567"
+    #     X-ExtraInfo: info
+
+    # # Settings for admin kubeconfig generation.
+    # adminKubeconfig:
+    #     certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).