---
#
# 1. (Required) Cluster details - Cluster represents the Kubernetes cluster layer and any additional customizations
#
# NOTE: once filled in, this file contains secrets (API tokens, a tunnel secret and
# optionally an SSH private key). Keep the filled-in copy out of version control or
# SOPS-encrypt it; only the sample should ever be committed in plaintext.
#
# (Optional) Cluster name; affects Cilium and Talos
# Default is "home-kubernetes"
bootstrap_cluster_name: ""
# (Required) Generated schematic id from https://factory.talos.dev/
# The schematic id selects the Talos image and system extensions every node boots,
# so it is part of your supply chain: only use ids you generated yourself.
bootstrap_schematic_id: ""
# (Required) The CIDR your nodes are on (e.g. 192.168.1.0/24)
bootstrap_node_network: ""
# (Required) Use only 1, 3 or more ODD number of controller nodes, recommended is 3
# Worker nodes are optional
# The `talosctl ... --insecure` commands below talk to the unauthenticated maintenance
# API of a node that has not been configured yet; that is expected at this stage and
# the flag stops being usable once the node has received its machine config.
bootstrap_node_inventory: []
#   - name: ""             # (Required) Name of the node (must match [a-z0-9-]+)
#     address: ""          # (Optional) IP address of the node (Remove if node has a static DHCP reservation)
#     controller: true     # (Required) Set to true if this is a controller node
#     disk: ""             # (Required) Device path or serial number of the disk for this node (talosctl disks -n <ip> --insecure)
#     mac_addr: ""         # (Required) MAC address of the NIC for this node, keep it quoted (talosctl get links -n <ip> --insecure)
#     schematic_id: ""     # (Optional) Override the 'bootstrap_schematic_id' with a node specific schematic ID from https://factory.talos.dev/
#     mtu: ""              # (Optional) MTU for the NIC, default is 1500
#     manifests:           # (Optional) Additional manifests to include after MachineConfig
#       - extra.yaml       # See: https://www.talos.dev/v1.7/reference/configuration/extensions/extensionserviceconfig/
#     extension_services:  # (Optional) Additional talhelper ExtensionServices (supports talenv.sops.yaml envsubst)
#       - name: name       # Values substituted from talenv.sops.yaml are the right place for secrets, not this file
#         configFiles:
#           - content: |-
#               ...
#             mountPath: ...
#         environment:
#           - key=value
#         ...
# (Optional) The DNS servers to use for the cluster nodes.
# Default is pulled from your DHCP server.
# If using a local DNS server make sure it meets the following requirements:
#   1. your nodes can reach it
#   2. it is configured to forward requests to a public DNS server
#   3. you are not force redirecting DNS requests to it - this will break cert generation over DNS01
# If using multiple DNS servers make sure they are set up the same way, there is no
# guarantee that the first DNS server will always be used for every lookup.
bootstrap_dns_servers: []
# (Optional) The NTP servers to use for the cluster nodes.
# Default is pulled from your DHCP server.
# Nodes need correct time for TLS and certificate validation, so point this at
# servers you trust if DHCP does not hand out usable ones.
bootstrap_ntp_servers: []
# (Required) The pod CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below and be aware of
# https://github.com/onedr0p/cluster-template/issues/1148
bootstrap_pod_network: "10.69.0.0/16"
# (Required) The service CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below and be aware of
# https://github.com/onedr0p/cluster-template/issues/1148
bootstrap_service_network: "10.96.0.0/16"
# (Required) The IP address of the Kube API, choose an available IP in
# your nodes host network that is NOT being used. This is announced over L2.
bootstrap_controller_vip: ""
# (Optional) Add additional SANs to the Kube API cert, this is useful
# if you want to call the Kube API by hostname rather than IP
# Every name listed here becomes a valid identity in the API server certificate,
# so only add hostnames you control.
bootstrap_tls_sans: []
# (Optional) The default gateway for the nodes
# Default is .1 which is derived from bootstrap_node_network (e.g. 192.168.1.1)
bootstrap_node_default_gateway: ""
# (Optional) Add vlan tag to network master device, this is not needed if you tag ports on your switch with the VLAN
# See: https://www.talos.dev/latest/advanced/advanced-networking/#vlans
bootstrap_vlan: ""
# (Required) Age Public Key (e.g. age1...)
#   1. Generate a new key with the following command:
#      > task sops:age-keygen
#   2. Copy the PUBLIC key and paste it below
# Only the public key belongs here. The matching private key is what decrypts every
# SOPS secret in the repository; keep it in your local sops key file and never commit it.
bootstrap_sops_age_pubkey: ""
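# (Optional) Use cilium BGP control plane when L2 announcements won't traverse VLAN network segments.
# Needs a BGP capable router setup with the node IPs as peers.
# See: https://docs.cilium.io/en/latest/network/bgp-control-plane/
# Only list routers you control as peers: a peer accepts and propagates whatever the
# nodes advertise for `advertised_network`, and no peer authentication is configured
# by this file.
bootstrap_bgp:
  enabled: false
  # (Optional) If using multiple BGP peers add them here.
  # Default is .1 derived from bootstrap_node_network: ['x.x.x.1']
  peers: []
  # (Required) Set the BGP Autonomous System Number for the router(s) and nodes.
  # If these match, iBGP will be used. If not, eBGP will be used.
  peer_asn: ""    # Router(s) AS
  local_asn: ""   # Node(s) AS
  peer_port: 179  # BGP Port - default is TCP port 179
  # (Required) The advertised CIDR for the cluster, this must NOT overlap with any
  # existing networks and is usually a /16 (64K IPs).
  # If you want to use IPv6 check the advanced flags below
  advertised_network: ""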
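# (Optional) Secureboot and TPM-based disk encryption
# Both options change how the node boots and how its disk is laid out; they are
# meant to be set before the first install rather than toggled on a running node
# (the linked Talos guides describe the install procedure).
bootstrap_secureboot:
  # (Optional) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode.
  # See: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot
  enabled: false
  # (Optional) Enable TPM-based disk encryption. Requires TPM 2.0
  # See: https://www.talos.dev/v1.6/talos-guides/install/bare-metal-platforms/secureboot/#disk-encryption-with-tpm
  # The disk key is sealed to the TPM's boot measurements, so it only protects data
  # at rest to the extent the boot chain is trusted; the Talos guide documents this
  # together with Secure Boot - check its requirements before enabling it with
  # `enabled: false` above.
  encrypt_disk_with_tpm: false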
#
# 2. (Required) Flux details - Flux is used to manage the cluster configuration.
#
# (Required) GitHub repository URL
# For a public repo use the 'https://' URL (e.g. "https://github.com/onedr0p/cluster-template.git")
# For a private repo use the 'ssh://' URL (e.g. "ssh://git@github.com/onedr0p/cluster-template.git")
# If using a private repo make sure to follow the instructions with the 'bootstrap_github_private_key' option below.
bootstrap_github_address: ""
# (Required) GitHub repository branch
# Flux reconciles whatever is on this branch, so protect it (required reviews,
# no force-push) as you would any deployment branch.
bootstrap_github_branch: "main"
# (Required) Token for GitHub push-based sync
#   1. Generate a new token with the following command:
#      > openssl rand -hex 16
#   2. Copy the token and paste it below
# This is a shared secret: the same value is configured on the GitHub webhook and
# is what lets Flux accept the webhook call, so do not reuse or commit it in plaintext.
bootstrap_github_webhook_token: ""
# (Optional) Private key for Flux to access the GitHub repository
#   1. Generate a new key with the following command:
#      > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
#   2. Make sure to paste public key from "github-deploy.key.pub" into
#      the deploy keys section of your GitHub repository settings.
#      Leave "Allow write access" unchecked unless something in the cluster
#      must commit back to the repository; syncing only needs read access.
#   3. Uncomment and paste the private key below
#   4. Optionally set your repository on GitHub to private
# The key is generated without a passphrase (-P "") because Flux uses it unattended,
# so whoever can read this file can read the repository - handle it accordingly.
# bootstrap_github_private_key: |
#   -----BEGIN OPENSSH PRIVATE KEY-----
#   ...
#   -----END OPENSSH PRIVATE KEY-----
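#
# 3. (Optional) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling.
#
bootstrap_cloudflare:
  # (Required) Disable to manually set up and use a different DNS provider - setting this
  # to false will not deploy a network namespace or the workloads contained within.
  enabled: true
  # (Required) Cloudflare Domain
  domain: ""
  # (Required) Cloudflare API Token (NOT API Key)
  # A scoped API token is used instead of the global API key on purpose: the key
  # grants full account access, while the token below is limited to what the
  # cluster needs (DNS edits for DNS01 / external-dns and read access to tunnels).
  #   1. Head over to Cloudflare and create an API Token by going to
  #      https://dash.cloudflare.com/profile/api-tokens
  #   2. Under the `API Tokens` section click the blue `Create Token` button.
  #   3. Click the blue `Use template` button for the `Edit zone DNS` template.
  #   4. Name your token something like `home-kubernetes`
  #   5. Under `Permissions`, click `+ Add More` and add each permission below:
  #      `Zone - DNS - Edit`
  #      `Account - Cloudflare Tunnel - Read`
  #   6. Limit the permissions to a specific account and zone resources.
  #   7. Click the blue `Continue to Summary` button and then the blue `Create Token` button.
  #   8. Copy the token and paste it below.
  token: ""
  # (Required) Options for Cloudflare ACME
  acme:
    # (Required) Any email you want to be associated with the ACME account (used for TLS certs via letsencrypt.org)
    email: ""
    # (Required) Use the ACME production server when requesting the wildcard certificate.
    # By default the ACME staging server is used. This is to prevent being rate-limited.
    # Update this option to `true` when you have verified the staging certificate
    # works and then re-run `task configure` and push your changes to GitHub.
    production: false
  # (Required) Provide LAN access to the cluster ingresses for internal ingress classes
  # The Load balancer IP for internal ingress, choose an available IP
  #   in your nodes host network that is NOT being used. This is announced over L2.
  ingress_vip: ""
  # (Required) Gateway is used for providing DNS to your cluster on LAN
  # The Load balancer IP for k8s_gateway, choose an available IP
  #   in your nodes host network that is NOT being used. This is announced over L2.
  gateway_vip: ""
  # (Required) Options for Cloudflare Tunnel
  # There are two methods to create a tunnel, via the CLI or the Cloudflare dashboard.
  #   1. Authenticate cloudflared to your domain with the following command:
  #      > cloudflared tunnel login
  #   2. Create the tunnel with the following command:
  #      > cloudflared tunnel create k8s
  # The jq commands below read every credentials file under ~/.cloudflared; if you
  # have more than one tunnel, point them at the specific <tunnel-id>.json instead.
  tunnel:
    # (Required) Get the Cloudflared Tunnel ID with the following command:
    #   > jq -r .TunnelID ~/.cloudflared/*.json
    id: ""
    # (Required) Get the Cloudflare Account ID with the following command:
    #   > jq -r .AccountTag ~/.cloudflared/*.json
    account_id: ""
    # (Required) Get the Cloudflared Tunnel Secret with the following command:
    #   > jq -r .TunnelSecret ~/.cloudflared/*.json
    # This secret is what authenticates the in-cluster cloudflared to your tunnel;
    # anyone holding it can attach to the tunnel, so never commit it in plaintext.
    secret: ""
    # (Required) Provide WAN access to the cluster ingresses for external ingress classes
    # The Load balancer IP for external ingress, choose an available IP
    #   in your nodes host network that is NOT being used. This is announced over L2.
    # Anything exposed through the external ingress class is reachable from the
    # internet via the tunnel; keep internal-only services on the internal class above.
    ingress_vip: ""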
# (Optional) Feature gates are used to enable experimental features
# Experimental means exactly that: these paths get less testing than the defaults,
# so do not enable them on a cluster you are not prepared to rebuild.
# bootstrap_feature_gates:
#   # Enable Dual Stack IPv4 first
#   # IMPORTANT: I am looking for people to help maintain IPv6 support since I cannot test it.
#   # Ref: https://github.com/onedr0p/cluster-template/issues/1148
#   # Keep in mind that Cilium does not currently support IPv6 L2 announcements.
#   dual_stack_ipv4_first: false