WIP

talos/clusters/testing.yaml

@@ -0,0 +1,64 @@
+# yaml-language-server: $schema=../../schemas/cluster.json
+version:
+  kubernetes: 1.34.1
+  talos: 1.11.3
+clusterEnv: staging
+controlPlaneIp: 192.168.1.100
+secretsFile: testing/secrets.yaml
+nodes:
+  - testing/talos-vm
+
+base:
+  kernelArgs:
+    - talos.platform=metal
+    - console=tty0
+    - init_on_alloc=1
+    - init_on_free=1
+    - slab_nomerge
+    - pti=on
+    - consoleblank=0
+    - nvme_core.io_timeout=4294967295
+    - printk.devkmsg=on
+    - selinux=1
+    - lockdown=confidentiality
+  patches:
+    all:
+      - system/hostname.yaml
+      - system/install-disk.yaml
+      - system/network.yaml
+      - networking/vip.yaml
+      - networking/tailscale.yaml
+      - networking/cilium.yaml
+      - spegel.yaml
+      - storage/longhorn.yaml
+      - storage/longhorn/user-volume.yaml
+      - storage/local-path-provisioner/user-volume.yaml
+      - storage/limit-ephemeral.yaml
+      - metrics/all.yaml
+    controlPlane:
+      - system/allow-control-plane-workloads.yaml
+      - sops.yaml
+      - flux/cluster-variables.yaml
+      - metrics/control-plane.yaml
+      - networking/gateway-api.yaml
+default:
+  arch: amd64
+  schematic: default.yaml
+  network:
+    interface: enp1s0
+    netmask: 255.255.252.0
+    gateway: 192.168.1.1
+    dns:
+      - 1.1.1.1
+      - 8.8.8.8
+    tailscale:
+      server: https://headscale.huizinga.dev
+      authKey:
+        file: tailscale.key
+      advertiseRoutes: true
+  ntp: nl.pool.ntp.org
+  sops:
+    file: testing/age.key
+  install:
+    auto: true
+    disk: /dev/vda

talos/nodes/testing/talos-vm.yaml

@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=../../../schemas/node.json
+type: controlPlane
+install:
+  serial: talos-vm
+network:
+  ip: 192.168.1.2

talos/patches/flux/cluster-variables.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  inlineManifests:
+    - name: cluster-variables
+      contents: |
+        ---
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: cluster-variables
+          namespace: flux-system
+        data:
+          cluster_env: {{ cluster.clusterEnv }}

talos/patches/metrics/all.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  kubelet:
+    extraArgs:
+      rotate-server-certificates: "true"

talos/patches/metrics/control-plane.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  extraManifests:
+    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

talos/patches/networking/cilium.yaml

@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  features:
+    hostDNS:
+      # This option is enabled by default and causes issues with cilium
+      forwardKubeDNSToHost: false
+cluster:
+  network:
+    cni:
+      name: none
+  proxy:
+    disabled: true

talos/patches/networking/gateway-api.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  extraManifests:
+    - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml

talos/patches/networking/tailscale.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: tailscale
+environment:
+  - TS_AUTHKEY={{ node.network.tailscale.authKey }}
+  - TS_EXTRA_ARGS={% if node.network.tailscale.server %}--login-server {{ node.network.tailscale.server }} {% endif %}--advertise-tags=tag:cluster-{{ cluster.name }}
+  - TS_ROUTES={% if node.network.tailscale.advertiseRoutes %}{{node.network.ip}}/{{ node.network.netmask | to_prefix }}{% endif %}

talos/patches/networking/vip.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  network:
+    interfaces:
+      - interface: "{{node.network.interface}}"
+        vip:
+          ip: "{{cluster.controlPlaneIp}}"

talos/patches/sops.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  inlineManifests:
+    - name: sops-key
+      contents: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: sops-gpg
+          namespace: flux-system
+        data:
+          age.agekey: |
+            {{ node.sops | indent(6*2) }}

talos/patches/spegel.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  files:
+    - path: /etc/cri/conf.d/20-customization.part
+      op: create
+      content: |
+        [plugins."io.containerd.cri.v1.images"]
+          discard_unpacked_layers = false

talos/patches/storage/limit-ephemeral.yaml

@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: VolumeConfig
+name: EPHEMERAL
+provisioning:
+  maxSize: 30GB

talos/patches/storage/local-path-provisioner/user-volume.yaml

@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: local-path-provisioner
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 10GB

talos/patches/storage/longhorn.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  kubelet:
+    extraMounts:
+      - destination: /var/lib/longhorn
+        type: bind
+        source: /var/lib/longhorn
+        options:
+          - bind
+          - rshared
+          - rw

talos/patches/storage/longhorn/user-volume.yaml

@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: longhorn
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 2000GB

talos/patches/storage/openebs.yaml

@@ -0,0 +1,17 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  # This is only needed on nodes that will have storage
+  sysctls:
+    vm.nr_hugepages: "1024"
+  nodeLabels:
+    openebs.io/engine: mayastor
+  # This is needed on ALL nodes
+  kubelet:
+    extraMounts:
+      - destination: /var/local
+        type: bind
+        source: /var/local
+        options:
+          - bind
+          - rshared
+          - rw

talos/patches/system/allow-control-plane-workloads.yaml

@@ -0,0 +1,3 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+cluster:
+  allowSchedulingOnControlPlanes: true

talos/patches/system/hostname.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  network:
+    hostname: "{{node.hostname}}"

talos/patches/system/install-disk.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  install:
+    disk: "{{node.install.disk}}"

talos/patches/system/network.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.11/website/content/v1.11/schemas/config.schema.json
+machine:
+  network:
+    interfaces:
+      - interface: "{{node.network.interface}}"
+        dhcp: false
+        addresses:
+          - "{{node.network.ip}}"
+        routes:
+          - network: 0.0.0.0/0
+            gateway: "{{node.network.gateway}}"

talos/schematics/default.yaml

@@ -0,0 +1,8 @@
+customization:
+  systemExtensions:
+    officialExtensions:
+      - siderolabs/iscsi-tools
+      - siderolabs/util-linux-tools
+      - siderolabs/intel-ucode
+      - siderolabs/i915
+      - siderolabs/tailscale