WIP

talos/clusters/testing.yaml

@@ -0,0 +1,55 @@
+# yaml-language-server: $schema=../../schemas/cluster.json
+version:
+  kubernetes: 1.34.1
+  talos: 1.11.3
+production: false
+controlPlaneIp: 192.168.1.100
+nodes:
+  - testing/talos-vm
+base:
+  kernelArgs:
+    - talos.platform=metal
+    - console=tty0
+    - init_on_alloc=1
+    - init_on_free=1
+    - slab_nomerge
+    - pti=on
+    - consoleblank=0
+    - nvme_core.io_timeout=4294967295
+    - printk.devkmsg=on
+    - selinux=1
+    - lockdown=confidentiality
+  patches:
+    all:
+      - system/hostname
+      - system/install-disk
+      - system/network
+      - networking/vip
+      - networking/tailscale
+      - networking/cilium
+      - spegel
+      - storage/longhorn
+      - storage/longhorn/user-volume
+      - storage/local-path-provisioner/user-volume
+      - storage/limit-ephemeral
+      - metrics/all
+    controlPlane:
+      - system/allow-control-plane-workloads
+      - sops
+      - flux
+      - metrics/control-plane
+      - networking/gateway-api
+default:
+  arch: amd64
+  network:
+    interface: enp1s0
+    netmask: 255.255.255.0
+    gateway: 192.168.1.1
+    dns:
+      - 1.1.1.1
+      - 8.8.8.8
+    advertiseRoutes: true
+  ntp: nl.pool.ntp.org
+  install:
+    auto: true
+    disk: /dev/vda

talos/nodes/testing/talos-vm.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=../../../schemas/node.json
+type: controlPlane
+network:
+  ip: 192.168.1.2

talos/patches/flux.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  inlineManifests:
+    - name: flux
+      contents: |
+        ---
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: cluster-variables
+          namespace: flux-system
+        data:
+          cluster_env: "{%- if node.cluster.production %} production {%- else %} staging {%- endif %}"

talos/patches/metrics/all.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  kubelet:
+    extraArgs:
+      rotate-server-certificates: "true"

talos/patches/metrics/control-plane.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  extraManifests:
+    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

talos/patches/networking/cilium.yaml

@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  features:
+    hostDNS:
+      # This option is enabled by default and causes issues with cilium
+      forwardKubeDNSToHost: false
+cluster:
+  network:
+    cni:
+      name: none
+  proxy:
+    disabled: true

talos/patches/networking/gateway-api.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  extraManifests:
+    - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml

talos/patches/networking/tailscale.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: tailscale
+environment:
+  - TS_AUTHKEY={{ config.tailscale.authKey }}
+  - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }} --advertise-tags=tag:cluster-{{ node.cluster.name }}
+  - TS_ROUTES={% if node.advertiseRoutes -%} {{ helper.tailscale_subnet(node.gateway, node.netmask) }} {%- endif %}

talos/patches/networking/vip.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  network:
+    interfaces:
+      - interface: "{{node.interface}}"
+        vip:
+          ip: "{{node.cluster.controlPlaneIp}}"

talos/patches/sops.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  inlineManifests:
+    - name: sops-key
+      contents: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: sops-gpg
+          namespace: flux-system
+        data:
+          age.agekey: |
+            {{ helper.load_secret(node.cluster.sopsKeyFile) }}

talos/patches/spegel.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  files:
+    - path: /etc/cri/conf.d/20-customization.part
+      op: create
+      content: |
+        [plugins."io.containerd.cri.v1.images"]
+          discard_unpacked_layers = false

talos/patches/storage/limit-ephemeral.yaml

@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: VolumeConfig
+name: EPHEMERAL
+provisioning:
+  maxSize: 30GB

talos/patches/storage/local-path-provisioner/user-volume.yaml

@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: local-path-provisioner
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 10GB

talos/patches/storage/longhorn.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  kubelet:
+    extraMounts:
+      - destination: /var/lib/longhorn
+        type: bind
+        source: /var/lib/longhorn
+        options:
+          - bind
+          - rshared
+          - rw

talos/patches/storage/longhorn/user-volume.yaml

@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: longhorn
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 2000GB

talos/patches/storage/openebs.yaml

@@ -0,0 +1,17 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  # This is only needed on nodes that will have storage
+  sysctls:
+    vm.nr_hugepages: "1024"
+  nodeLabels:
+    openebs.io/engine: mayastor
+  # This is needed on ALL nodes
+  kubelet:
+    extraMounts:
+      - destination: /var/local
+        type: bind
+        source: /var/local
+        options:
+          - bind
+          - rshared
+          - rw

talos/patches/system/allow-control-plane-workloads.yaml

@@ -0,0 +1,3 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  allowSchedulingOnControlPlanes: true

talos/patches/system/hostname.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  network:
+    hostname: "{{node.hostname}}"

talos/patches/system/install-disk.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  install:
+    disk: "{{node.installDisk}}"

talos/patches/system/network.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  network:
+    interfaces:
+      - interface: "{{node.interface}}"
+        dhcp: false
+        addresses:
+          - "{{node.ip}}"
+        routes:
+          - network: 0.0.0.0/0
+            gateway: "{{node.gateway}}"