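---
#
# (REQUIRED) Cluster details - Cluster represents the Kubernetes cluster layer and any additional customizations
#
# NOTE(review): github.webhook_token, github.private_key, cloudflare.token and
# cloudflare.tunnel.secret are credentials. Keep the filled-in copy of this file
# out of version control unless it is encrypted (the age_pubkey below suggests
# the template encrypts the secrets it derives from this file — confirm).
#
# (REQUIRED) The network (in CIDR notation) your nodes are on (e.g. 192.168.1.0/24)
node_network: ""
# (REQUIRED) Use only 1, 3 or more ODD number of controller nodes, recommended is 3. Worker nodes are optional.
node_inventory: []
#   - name: ""            # (REQUIRED) Name of the node (must match [a-z0-9-\]+)
#     address: ""         # (REQUIRED) IP address of the node
#     controller: true    # (REQUIRED) Set to true if this is a controller node
#     disk: ""            # (REQUIRED) Device path or serial number of the disk for this node (talosctl get disks -n <ip> --insecure)
#     mac_addr: ""        # (REQUIRED) MAC address of the NIC for this node, must be lowercase (talosctl get links -n <ip> --insecure)
#     schematic_id: ""    # (REQUIRED) Schematic ID from https://factory.talos.dev/
#     mtu: 1500           # (ADVANCED/OPTIONAL) MTU for the NIC. DEFAULT: 1500
#     secureboot: false   # (ADVANCED/OPTIONAL) SecureBoot mode on UEFI platforms. Ref: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot
#     encrypt_disk: false # (ADVANCED/OPTIONAL) TPM-based disk encryption. Ref: https://www.talos.dev/latest/talos-guides/install/bare-metal-platforms/secureboot
#   ...
# (REQUIRED) The DNS servers to use for the cluster nodes. (DEFAULT: Cloudflare DNS)
dns_servers:
  - "1.1.1.1"
  - "1.0.0.1"
# (REQUIRED) The NTP servers to use for the cluster nodes. (DEFAULT: Cloudflare NTP)
ntp_servers:
  - "162.159.200.1"
  - "162.159.200.123"
# (REQUIRED) The pod CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below
pod_network: "10.69.0.0/16"
# (REQUIRED) The service CIDR for the cluster, this must NOT overlap with any
# existing networks and is usually a /16 (64K IPs).
# If you want to use IPv6 check the advanced flags below
service_network: "10.96.0.0/16"
# (REQUIRED) The IP address of the Kube API, choose an available IP
# in your nodes host network that is NOT being used.
# This is announced over L2.
controller_vip: ""
# (REQUIRED) Age Public Key (e.g. age1...)
# 1. Generate a new key with the following command:
#    > task template:generate-age-key
# 2. Copy the PUBLIC key and paste it below
age_pubkey: ""
# (OPTIONAL) Add additional SANs to the Kube API cert, this is useful
# if you want to call the Kube API by hostname rather than IP
tls_sans: []
# (REQUIRED) GitHub details for Flux - Flux is used to manage the cluster configuration.
github:
  # (REQUIRED) GitHub repository URL
  # For a public repo use the 'https://' URL (e.g. "https://github.com/onedr0p/cluster-template.git")
  # For a private repo use the 'ssh://' URL (e.g. "ssh://git@github.com/onedr0p/cluster-template.git")
  # If using a private repo make sure to follow the instructions with the 'github.private_key' option below.
  address: ""
  # (REQUIRED) GitHub repository branch
  branch: "main"
  # (REQUIRED) Token for GitHub push-based sync
  # 1. Generate a new token with the following command:
  #    > openssl rand -hex 16
  # 2. Copy the token and paste it below
  webhook_token: ""
  # (OPTIONAL) Private key for Flux to access the GitHub repository
  # 1. Generate a new key with the following command:
  #    > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
  # 2. Make sure to paste public key from "github-deploy.key.pub" into
  #    the deploy keys section of your GitHub repository settings.
  # 3. Uncomment and paste the private key below
  # 4. Optionally set your repository on GitHub to private
  # private_key: |
  #   -----BEGIN OPENSSH PRIVATE KEY-----
  #   ...
  #   -----END OPENSSH PRIVATE KEY-----
#
# (OPTIONAL) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling.
#
cloudflare:
  # (REQUIRED) Disable to manually set up and use a different DNS provider - setting this
  # to false will not deploy a network namespace or the workloads contained within.
  enabled: true
  # (REQUIRED) Cloudflare Domain
  domain: ""
  # (REQUIRED) Cloudflare API Token (NOT API Key)
  # 1. Head over to Cloudflare and create an API Token by going to
  #    https://dash.cloudflare.com/profile/api-tokens
  # 2. Under the `API Tokens` section click the blue `Create Token` button.
  # 3. Click the blue `Use template` button for the `Edit zone DNS` template.
  # 4. Name your token something like `kubernetes`
  # 5. Under `Permissions`, click `+ Add More` and add each permission below:
  #    `Zone - DNS - Edit`
  #    `Account - Cloudflare Tunnel - Read`
  # 6. Limit the permissions to a specific account and zone resources.
  # 7. Click the blue `Continue to Summary` button and then the blue `Create Token` button.
  # 8. Copy the token and paste it below.
  token: ""
  # (REQUIRED) Options for Cloudflare ACME
  acme:
    # (REQUIRED) Any email you want to be associated with the ACME account (used for TLS certs via letsencrypt.org)
    email: ""
    # (REQUIRED) Use the ACME production server when requesting the wildcard certificate.
    # By default the ACME staging server is used. This is to prevent being rate-limited.
    # Update this option to `true` when you have verified the staging certificate
    # works and then re-run `task configure` and push your changes to Github.
    production: false
  # (REQUIRED) Provide LAN access to the cluster ingresses for internal ingress classes
  # The Load balancer IP for internal ingress, choose an available IP
  # in your nodes host network that is NOT being used. This is announced over L2.
  ingress_vip: ""
  # (REQUIRED) Gateway is used for providing DNS to your cluster on LAN
  # The Load balancer IP for k8s_gateway, choose an available IP
  # in your nodes host network that is NOT being used. This is announced over L2.
  gateway_vip: ""
  # (REQUIRED) Options for Cloudflare Tunnel
  # 1. Authenticate cloudflared to your domain with the following command:
  #    > cloudflared tunnel login
  # 2. Create the tunnel with the following command:
  #    > cloudflared tunnel create k8s
  tunnel:
    # (REQUIRED) Get the Cloudflared Tunnel ID with the following command:
    #    > jq -r .TunnelID ~/.cloudflared/*.json
    id: ""
    # (REQUIRED) Get the Cloudflare Account ID with the following command:
    #    > jq -r .AccountTag ~/.cloudflared/*.json
    account_id: ""
    # (REQUIRED) Get the Cloudflared Tunnel Secret with the following command:
    #    > jq -r .TunnelSecret ~/.cloudflared/*.json
    secret: ""
    # (REQUIRED) Provide WAN access to the cluster ingresses for external ingress classes
    # The Load balancer IP for external ingress, choose an available IP
    # in your nodes host network that is NOT being used. This is announced over L2.
    # Note: this is a separate key from cloudflare.ingress_vip above (which serves LAN/internal ingress).
    ingress_vip: ""
#
# (ADVANCED) Here be dragons - Advanced settings for the brave
#
# (OPTIONAL) The default gateway for the nodes
# Leave blank if your default gateway is the same as the first IP in the network (.1)
node_default_gateway: ""
# (OPTIONAL) Add vlan tag to network master device, leave blank if you tag
# ports on your switch or do not use VLANs at all.
# Ref: https://www.talos.dev/latest/advanced/advanced-networking/#vlans
vlan: ""
# (OPTIONAL) Change Cilium load balancer mode
# Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
loadbalancer_mode: "dsr"
# (OPTIONAL) Use cilium BGP control plane for L3 routing
# Needs a BGP capable router setup with the node IPs as peers.
# To keep things simple, node network will be used for BGP peering.
# Ref: https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane/
bgp:
  enabled: false
  # (REQUIRED) Router IP address - BGP must be configured on this router using FRR or similar
  router_address: ""
  # (REQUIRED) Router ASN
  router_asn: 64513
  # (REQUIRED) Node ASN
  node_asn: 64514
# (OPTIONAL) Enable Dual Stack IPv4 first
# IMPORTANT: I am looking for people to help contribute IPv6 support since I cannot test it.
# Ref: https://github.com/onedr0p/cluster-template/discussions/1510
# IMPORTANT: Cilium does not currently support IPv6 L2 announcements.
dual_stack_ipv4_first: false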