-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig.sample.yaml
211 lines (186 loc) · 9.59 KB
/
config.sample.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
---
#
# 1. (REQUIRED) Cluster details - Cluster represents the Kubernetes cluster layer and any additional customizations
#
# (REQUIRED) Cluster name; affects Cilium and Talos
bootstrap_cluster_name: "home-kubernetes"
# (REQUIRED) Generated schematic id from https://factory.talos.dev/
bootstrap_schematic_id: ""
# (REQUIRED) The network (in CIDR notation) your nodes are on (e.g. 192.168.1.0/24)
bootstrap_node_network: ""
# (REQUIRED) Use only 1, 3 or more ODD number of controller nodes, recommended is 3
# Worker nodes are optional
bootstrap_node_inventory: []
# - name: "" # (REQUIRED) Name of the node (must match [a-z0-9-\]+)
# address: "" # (REQUIRED) IP address of the node
# controller: true # (REQUIRED) Set to true if this is a controller node
# disk: "" # (REQUIRED) Device path or serial number of the disk for this node (talosctl disks -n <ip> --insecure)
# mac_addr: "" # (REQUIRED) MAC address of the NIC for this node (talosctl get links -n <ip> --insecure)
# schematic_id: "" # (OPTIONAL) Override the 'bootstrap_schematic_id' with a node specific schematic ID from https://factory.talos.dev/
# mtu: "" # (OPTIONAL) MTU for the NIC. DEFAULT: 1500
# manifests: # (OPTIONAL) Additional manifests to include after MachineConfig
# - extra.yaml # Ref: https://www.talos.dev/v1.7/reference/configuration/extensions/extensionserviceconfig/
# extension_services: # (OPTIONAL) Additional talhelper ExtensionServices (supports talenv.sops.yaml envsubst)
# - name: name
# configFiles:
# - content: |-
# ...
# mountPath: ...
# environment:
# - key=value
# ...
# (REQUIRED) The DNS servers to use for the cluster nodes.
bootstrap_dns_servers:
- "1.1.1.1"
- "1.0.0.1"
# (REQUIRED) The NTP servers to use for the cluster nodes.
bootstrap_ntp_servers:
- "162.159.200.1"
- "162.159.200.123"
# (REQUIRED) The pod CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below and be aware of
# https://github.com/onedr0p/cluster-template/discussions/1510
bootstrap_pod_network: "10.69.0.0/16"
# (REQUIRED) The service CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below and be aware of
# https://github.com/onedr0p/cluster-template/discussions/1510
bootstrap_service_network: "10.96.0.0/16"
# (REQUIRED) The IP address of the Kube API, choose an available IP
# in your nodes host network that is NOT being used.
# This is announced over L2.
bootstrap_controller_vip: ""
# (REQUIRED) Age Public Key (e.g. age1...)
# 1. Generate a new key with the following command:
# > task bootstrap:age-keygen
# 2. Copy the PUBLIC key and paste it below
bootstrap_age_pubkey: ""
# (OPTIONAL) Add additional SANs to the Kube API cert, this is useful
# if you want to call the Kube API by hostname rather than IP
bootstrap_tls_sans: []
# (OPTIONAL) The default gateway for the nodes
# Leave blank if your default gateway is the same as the first IP in the network (.1)
bootstrap_node_default_gateway: ""
# (OPTIONAL) Add vlan tag to network master device, leave blank if you tag
# ports on your switch or do not use VLANs at all.
# Ref: https://www.talos.dev/latest/advanced/advanced-networking/#vlans
bootstrap_vlan: ""
# (OPTIONAL) Use cilium BGP control plane when L2 announcements won't traverse VLAN network segments.
# Needs a BGP capable router setup with the node IPs as peers.
# Ref: https://docs.cilium.io/en/latest/network/bgp-control-plane/
bootstrap_bgp:
enabled: false
# (OPTIONAL) If using multiple BGP peers add them here.
# DEFAULT: .1 derrived from host_network: ['x.x.x.1']
peers: []
# (REQUIRED) Set the BGP Autonomous System Number for the router(s) and nodes.
# If these match, iBGP will be used. If not, eBGP will be used.
peer_asn: "" # Router(s) AS
local_asn: "" # Node(s) AS
peer_port: 179 # BGP Port
# (REQUIRED) The advertised CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16
# If you want to use IPv6 check the advanced flags below
advertised_network: ""
# (OPTIONAL) Secureboot and TPM-based disk encryption
# Ref: https://www.talos.dev/v1.8/talos-guides/install/bare-metal-platforms/secureboot
bootstrap_secureboot:
# (OPTIONAL) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode.
enabled: false
# (OPTIONAL) Enable TPM-based disk encryption. Requires TPM 2.0
encrypt_disk_with_tpm: false
# (OPTIONAL) Change Cilium load balancer mode
# Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
bootstrap_loadbalancer_mode: "dsr"
#
# 2. (REQUIRED) Flux details - Flux is used to manage the cluster configuration.
#
# (REQUIRED) GitHub repository URL
# For a public repo use the 'https://' URL (e.g. "https://github.com/onedr0p/cluster-template.git")
# For a private repo use the 'ssh://' URL (e.g. "ssh://[email protected]/onedr0p/cluster-template.git")
# If using a private repo make sure to following the instructions with the 'bootstrap_github_private_key' option below.
bootstrap_github_address: ""
# (REQUIRED) GitHub repository branch
bootstrap_github_branch: "main"
# (REQUIRED) Token for GitHub push-based sync
# 1. Generate a new token with the following command:
# > openssl rand -hex 16
# 2. Copy the token and paste it below
bootstrap_github_webhook_token: ""
# (OPTIONAL) Private key for Flux to access the GitHub repository
# 1. Generate a new key with the following command:
# > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
# 2. Make sure to paste public key from "github-deploy.key.pub" into
# the deploy keys section of your GitHub repository settings.
# 3. Uncomment and paste the private key below
# 4. Optionally set your repository on GitHub to private
# bootstrap_github_private_key: |
# -----BEGIN OPENSSH PRIVATE KEY-----
# ...
# -----END OPENSSH PRIVATE KEY-----
#
# 3. (OPTIONAL) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling.
#
bootstrap_cloudflare:
# (REQUIRED) Disable to manually setup and use a different DNS provider - setting this
# to false will not deploy a network namespace or the workloads contained within.
enabled: true
# (REQUIRED) Cloudflare Domain
domain: ""
# (REQUIRED) Cloudflare API Token (NOT API Key)
# 1. Head over to Cloudflare and create a API Token by going to
# https://dash.cloudflare.com/profile/api-tokens
# 2. Under the `API Tokens` section click the blue `Create Token` button.
# 3. Click the blue `Use template` button for the `Edit zone DNS` template.
# 4. Name your token something like `home-kubernetes`
# 5. Under `Permissions`, click `+ Add More` and add each permission below:
# `Zone - DNS - Edit`
# `Account - Cloudflare Tunnel - Read`
# 6. Limit the permissions to a specific account and zone resources.
# 7. Click the blue `Continue to Summary` button and then the blue `Create Token` button.
# 8. Copy the token and paste it below.
token: ""
# (REQUIRED) Optionals for Cloudflare Acme
acme:
# (REQUIRED) Any email you want to be associated with the ACME account (used for TLS certs via letsencrypt.org)
email: ""
# (REQUIRED) Use the ACME production server when requesting the wildcard certificate.
# By default the ACME staging server is used. This is to prevent being rate-limited.
# Update this option to `true` when you have verified the staging certificate
# works and then re-run `task configure` and push your changes to Github.
production: false
# (REQUIRED) Provide LAN access to the cluster ingresses for internal ingress classes
# The Load balancer IP for internal ingress, choose an available IP
# in your nodes host network that is NOT being used. This is announced over L2.
ingress_vip: ""
# (REQUIRED) Gateway is used for providing DNS to your cluster on LAN
# The Load balancer IP for k8s_gateway, choose an available IP
# in your nodes host network that is NOT being used. This is announced over L2.
gateway_vip: ""
# (REQUIRED) Options for Cloudflare Tunnel
# 1. Authenticate cloudflared to your domain with the following command:
# > cloudflared tunnel login
# 2. Create the tunnel with the following command:
# > cloudflared tunnel create k8s
tunnel:
# (REQUIRED) Get the Cloudflared Tunnel ID with the following command:
# > jq -r .TunnelID ~/.cloudflared/*.json
id: ""
# (REQUIRED) Get the Cloudflare Account ID with the following command:
# > jq -r .AccountTag ~/.cloudflared/*.json
account_id: ""
# (REQUIRED) Get the Cloudflared Tunnel Secret with the following command:
# > jq -r .TunnelSecret ~/.cloudflared/*.json
secret: ""
# (REQUIRED) Provide WAN access to the cluster ingresses for external ingress classes
# The Load balancer IP for external ingress, choose an available IP
# in your nodes host network that is NOT being used. This is announced over L2.
ingress_vip: ""
# (OPTIONAL) Feature gates are used to enable experimental features
bootstrap_feature_gates:
# Enable Dual Stack IPv4 first
# IMPORTANT: I am looking for people to help maintain IPv6 support since I cannot test it.
# Ref: https://github.com/onedr0p/cluster-template/discussions/1510
# IMPORTANT: Cilium does not currently support IPv6 L2 announcements.
dual_stack_ipv4_first: false