From 7ad495a585818feae9b48bfce4a0ac24bd7ba8cf Mon Sep 17 00:00:00 2001 From: Luke Date: Sat, 16 Mar 2024 10:40:29 +0800 Subject: [PATCH] sonarr --- .../main/apps/default/kustomization.yaml | 2 +- .../matchbox/assets/k8s-0.secret.sops.yaml | 183 ++++++++++++++++++ .../matchbox/assets/k8s-1.secret.sops.yaml | 183 ++++++++++++++++++ .../matchbox/assets/k8s-2.secret.sops.yaml | 183 ++++++++++++++++++ .../talos/matchbox/groups/k8s-0.json | 2 +- .../profiles/k8s-0-talos-controller.json | 21 ++ 6 files changed, 572 insertions(+), 2 deletions(-) create mode 100644 kubernetes/main/bootstrap/talos/matchbox/assets/k8s-0.secret.sops.yaml create mode 100644 kubernetes/main/bootstrap/talos/matchbox/assets/k8s-1.secret.sops.yaml create mode 100644 kubernetes/main/bootstrap/talos/matchbox/assets/k8s-2.secret.sops.yaml create mode 100644 kubernetes/main/bootstrap/talos/matchbox/profiles/k8s-0-talos-controller.json diff --git a/kubernetes/main/apps/default/kustomization.yaml b/kubernetes/main/apps/default/kustomization.yaml index 0b1859727..9c41c4866 100644 --- a/kubernetes/main/apps/default/kustomization.yaml +++ b/kubernetes/main/apps/default/kustomization.yaml @@ -24,7 +24,7 @@ resources: - ./sabnzbd/ks.yaml - ./smtp-relay/ks.yaml - ./sonarr-kids/ks.yaml - # - ./sonarr/ks.yaml + - ./sonarr/ks.yaml - ./tautulli/ks.yaml - ./unpackerr/ks.yaml # - ./authelia/ks.yaml diff --git a/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-0.secret.sops.yaml b/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-0.secret.sops.yaml new file mode 100644 index 000000000..22dc0b734 --- /dev/null +++ b/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-0.secret.sops.yaml @@ -0,0 +1,183 @@ +version: v1alpha1 +debug: false +persist: true +machine: + type: controlplane + token: ENC[AES256_GCM,data:+5rwSMhG2eKwXkgv6ogrFa/s/M7h9Dw=,iv:8YjOB6bkYhbunOxX6W9xbbta5o+qtWTOM25Cg+JWIvg=,tag:syBUjgr/hOnMDPX7mpfCjg==,type:str] + ca: + crt: ENC[AES256_GCM,data:/ByLOKvDHnYFn1hPqbjI6Tq7hvC5T5DNn5Z7hDY3Wp0BBrSUIzZAMegRd8yA/5tYfQlDtHGsA8iW3GVtyBncNJ2XsJnxVS8A9MAMzM88D3+GRQZZSPPudmZmXiEdcMBgL7Jn3XnBfX9CMMCQzB+da6JkJmcMoEi5mAP7G3eXTMVXtm/djmJScXGhIYmtw3HLiViWYpKHGKH2x5UPjBqpf9EYb96CA3Dw42vO8I39ESDFGLOiPVYYFMcrBhP9PiQMr/pKFlpfI6XzejXZsO6AWVS+TrKhfn4CjinPOoYyWUsqIHjhA14ma6hEYG9xO+QWbgzJiNaQbuYQTHkvs9VSsrvc9VuhbnFT9hW8IjKKTkjmVB5sCjZSjorAVkMjA4sEGVxW/ddr/E0/SNBivwknTGvAXczQNyQktk4v8rL5FXiK7ZfkBeXQ5KBcGf95Jn78IOLYIzDhRKSoCV8/c1roymdDB3DEo4I6J05xv8h2Xg4ezpQh57q5A/ufLFcEItk7pCVKWRYW7d4dOWm3hPWoHb7YbJ9kPn5Mg0MuwQLpsoQiEDBe6XOPlCQrcb2tw/W3qKbNveCXUWyiVQng7T4JlbwYb0rRcPtF+Hcu37NCMlrzqAtHKfHEnukoCV/CRp/Wsmtg1ZPw9jeLmT0jvhhIry+oybhnkBu5piG+t/vbxkeSHowwKGH1kP0GE7qGRWONGq4LrPxvVH/BH/6IG6un+SxyRk0y5KELJYd+tzJ04x+6b6uzmGW8tZjdTC6qSKx1yly229x9+ZYfqTB6YILYMC1Of+Fhx+PqRWnf+++wDYwNRZWzH/W+gHTxyEl0iK7ww2E8i1zezrSiYfTZEB+Rng1uTmsr+m+yEqAThtql7FV8c+Gy,iv:hmC2sTV0wIMxA/UxTXzoTAMpldEokO+Abtguhn9S5UI=,tag:M3cM5KMjbTwq9qeOX63DKw==,type:str] + key: ENC[AES256_GCM,data:s+16FAzGtK6Uf9G7bAHT1UgMFOR6GR1A0kRsl+3oOjz/wdHOjA6fj3mOhSkbP5JXwLxjX2v4yLIzg3+nEyjLART3kx7vr1BOOlaK+0C//cXcRkebW2EuZcQYWVmW5G17UGqoMflAIrp5bbCNSi+Tvfr3/QwBha/0738lfgyZ8P8FTvZuOZC3PYr903S0DC1BofEkdOOuJjyvVR7mjOH+4ULutbF1rmT10j0xK8/c7XzNxppc,iv:2e6k2MSEDLFHgW7WcNu5gstC6suhIVhVi65U1ihYT9Q=,tag:db9EG0vyVLHlM7ijLI9kvw==,type:str] + certSANs: + - 127.0.0.1 + - 10.88.0.20 + kubelet: + image: ghcr.io/siderolabs/kubelet:v1.29.2 + extraArgs: + image-gc-high-threshold: "55" + image-gc-low-threshold: "50" + rotate-server-certificates: "true" + extraMounts: + - destination: /var/openebs/local + type: bind + source: /var/openebs/local + options: + - bind + - rshared + - rw + defaultRuntimeSeccompProfileEnabled: true + nodeIP: + validSubnets: + - 10.88.0.0/24 + disableManifestsDirectory: true + network: + hostname: k8s-0 + interfaces: + - interface: eth0 + dhcp: false + addresses: + - 10.88.0.10/24 + routes: + # The route's network (destination). + - network: 0.0.0.0/0 + gateway: 10.88.0.1 + mtu: 1500 + # vip: + # ip: 10.88.0.20 + nameservers: + - 10.88.0.1 + install: + disk: /dev/sda + extraKernelArgs: + - net.ifnames=0 + image: factory.talos.dev/installer/76d744fe4579923f39f364e8975d0886f86efe0ca30dcb74d92f16a5ee1ab2fd:v1.6.5 + wipe: false + files: + - content: |- + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + [plugins."io.containerd.grpc.v1.cri".containerd] + discard_unpacked_layers = false + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + discard_unpacked_layers = false + permissions: 0 + path: /etc/cri/conf.d/20-customization.part + op: create + - content: |- + [ NFSMount_Global_Options ] + nfsvers=4.2 + hard=True + noatime=True + nodiratime=True + rsize=131072 + wsize=131072 + nconnect=8 + permissions: 420 + path: /etc/nfsmount.conf + op: overwrite + time: + disabled: false + servers: + - time.cloudflare.com + sysctls: + fs.inotify.max_queued_events: "65536" + fs.inotify.max_user_instances: "8192" + fs.inotify.max_user_watches: "524288" + features: + rbac: true + stableHostname: true + kubernetesTalosAPIAccess: + enabled: true + allowedRoles: + - os:admin + allowedKubernetesNamespaces: + - system-upgrade + apidCheckExtKeyUsage: true + diskQuotaSupport: true + kubePrism: + enabled: true + port: 7445 +cluster: + id: ENC[AES256_GCM,data:+NH+6abtMs0ZfGNV4l4JHJlDwjmQDXAWIkIqOux/Bgi+xQI69YxvCc/irqs=,iv:RP9DAD03YqljB6FjXUu/tvb+SqUWnWPI0tPH+zlnGnM=,tag:JH9dDKDZidGX/XF+eeQkVA==,type:str] + secret: ENC[AES256_GCM,data:2dTvrNR03byxwBRS3jPKZ1gNj0DGR9M4pveQ6qPbMyHbbeAvgO6GWKI2Oy8=,iv:KnNX1cdJRfdBDGsqfXFZhcL7sWsMF/Xrxl2KtNd9HeI=,tag:50aaAIOUBwVTJA8H9X/UMQ==,type:str] + controlPlane: + endpoint: https://10.88.0.20:6443 + clusterName: main + network: + cni: + name: none + dnsDomain: cluster.local + podSubnets: + - 10.42.0.0/16 + serviceSubnets: + - 10.43.0.0/16 + coreDNS: + disabled: true + token: ENC[AES256_GCM,data:RlobXTDVmBBL3eFdNpyItZbP5OErtS8=,iv:888sF0Heor3/xgZ5q85e8PklB9KP54Fpw2/27s5qRmQ=,tag:riofqKrlSgOjgYSYCAVPpQ==,type:str] + secretboxEncryptionSecret: ENC[AES256_GCM,data:O5EJof1Khg66ghasQuMjLH4FnIdk1buuguVK6SIJBKb81C9YdINcFCd00YY=,iv:zIBvw9cqxdyMaL354MT21pvpkuDrgy5G5BWmecRZGZE=,tag:5wbHjaWYRBWnwddtmQrpDA==,type:str] + ca: + crt: ENC[AES256_GCM,data:7BGJuPBrdZvBLE+DnMQmUH/WZj9vH7jPrp/qSXOq5k7wFvCHQt6/FmjkmO6u3lYHE2QlzWSqA7UuLW2oU8NHnLqw8eVCenKs4lspvTm5gmGu0ufYOaRzkQMifaKF+GUxDxosRBpL7j6/4uxNpqkOf1krWkm9UnkdZqPFdC8Kj9sImqLns6+F+qUKLOhsSH7e3MnzO53lZqKnuAUvwwMH6xFSGykZ5X40JvHaSjAQ7gO0Kqp4pyD6BR8iDDuFIuOQpBjA3mLHE2CszXY6kXdeokMAYTLPJd1VLFZ2tHXvj2YJy1jZw0Yo9b064iH5GFBDq8cgSbCMIL59uV5xEDb90BWwwiS/vNmxwX0Hk2affo0hPU4pLzqM+ava6z/730JZb+Ji7JD0yopQULGEa0AhWgUmJOIO4SaGSG7PC5gbPyxr4T7JSvs0MPvH/Km504Wrhf42NPX3Dv5JeYJUy6xzg0/OQKdH9kWZSOu0BYh8zVH29IjW/AwTuoHPQyDyMHGnlBUSo26+FpCigxmRko2DlD+1UAP9M/W3SBxHs4AKNrnVZi2qE1avYCNUCRab0dWgnS1HVW4F8ptHhwJ0+jdXlTN7pAsfaSsLdom2E/fvHkbdTRSeeF60AodzBnSQ/6Zr7+8PIG/rFfP9209k4XgzL6mWWk4FmE2PTCtTyXYfhRTZVBa24mP8cSPlJdciESYztFeyrMmsAYRhr+4kgxJjAHoHgAbuRGOo4ANlujNWq56DamtRW70OoPfK4D6F5gDgW5vOa/jSiCtmWXKPBBj5WncogNj9UmPk8YhYn0O+K+KT0Dot3q1pYw+6bQovPXEZ226NLscnnO13C9+IVcF9jX8u0yyy4aSLiXrb/Zf4CU5Z95Q25BUdtHGprw2W96L7m1h4yH+56uXU2yUdPlUljpkh/p4eDQqkknPAx6ftjwR78ZzDqHC6XtzeoRGjMxlRhn2ItQVOU9+fW6NTAmAwarCL27T2Cl6USLUPAFN1sc2nRQGqFuKZmXaPYDK1HHuZ6QaCErQ/976+QIAPJSbdyJrQa9psWN7BWFmB+g==,iv:HMSoLaSoMBr6TJmccT2aQkDGbtrsnRYb0He3Hc5+ZG8=,tag:3dY3p6WlFxBbXbpYulrE0A==,type:str] + key: ENC[AES256_GCM,data:7rn7xw9G6ODiqzKES+0Sf6xlr6aP5Mb5GcPPyS1K1+tmaILQaNSjfnJxSSpGKHmW4O3MStkTpIVsiW5yZ4SfrcrwzqyAwe8ndyyNf/+JaabjuCCq6ff8Ww3f95rQMY17L7snOMD1lwSNHj1ZrZ19+UCgn3VRH8hLJKortbkfC7K47UBz3IWKoWP/xDrghSHLLVwCxAv3RHGGJtik3qGS4qYBxnewEJmOF4gnh8lf13kjVH6668JcS0xPV38Js31iIYPWXSimPwGSNDMcOQdp13rxEoepKAcJsfh6X9M8XxzJFXgjNK7+JmSx5A0Lzk0HtrDQZKi26UYlSg3tbnBe3IhMfjuNqksXFZxD8D4ZqJZFMrD5y36/NJhZqrD2hdIOxMMiToHI9IPTjPa10mgvVg==,iv:GeGRvTsRmY2EpCFY833Q99PwZv+zo8WoGgHWAWW4uRs=,tag:kBw7QwgzsS2sKCRdYpdkcA==,type:str] + aggregatorCA: + crt: ENC[AES256_GCM,data:WuKSvCIhpZrcJNhcy8MCRWIk+h7nxwuXIwWFFM01uHLCXrugErgimSgsPkF5mQRlZcWQH+u4x2LyNhC/jXBU9eOBbS1eUxYubHL+O4pMsJGGpx/ML9MUtMwBZdMvSxtbEsKXRyjowTJXmUOv1dXoeWtdUjVMnBtXlGCGfppAeiGXvuVVAdsXZdsFqIB0fx8hBq03GC6A/INq8s3D4kLnXMV12rpWiKrfMcqye0pu5t8IfTT9EEcdrpwwVDGyXkPMdUM5884pM/9BsZ5PWjwTlJrvK6jJ1rkGXjFBjMRr//ynsnsPXn1VbyovWXomW//FrapKlS4n4RjCqwy8GO1oeXJElgnAYgbn2OzKCqC27YcYM+wr7nyEn1OnPRZOWAoqww/vrnM2YqETMB+H4n2KCg49AfSuxKuVY15R84c7GuRN0i9PBSO87dJRfRa1+e6NSNNImpw2ti++G/Z9RMDEAzenS+cXOAbenaHLKap/RALx3EU31dPr6Nx3gmMyBL2o1MDskxcPiPlQKAQCsl3Uef0v+dOVwlRu2O5lyton/w0w/fFsr/gfC7EijAYNXVDAKh6Qutqi1Ho0RZH4Vx3g1eljsLWRB42FztALpA708YT5wDA1d83kPjaIpb2+REtzHTnVy21JG/FxTuX0FqF2SkNcg8fHHYTSpj7oVNmyl2ay+YtEm18YMwPhK9YVE81iCESC8TxQj+IC3TjJxsfPEbfjhMstPGO7Q2X1tWLyOjDwSUP6Y6nB5V2XV1kZ9Z1UexnRxu+TEfO7m0ptTd9kBHYKN+h1hr9FePfpiBtZ3/HT/oju6Sve5EiTtdyDoLOfO0AWTf+IREpWkcIt6vvEeeuouLJ6Cxj8EHHWorQXvZcrHhFp2wKQ0HH/UKWftxkkGH5vKzFiw8g2F7hGBkhJNbdc0P0GAtO61VTxMwi0W8kFIDQ2GDR6486nuEIqTVK0,iv:hAxnfQQVlceNbuOqwgwQM/GO3kWYn9yr+NgfWK4kKNw=,tag:KmZU411h4L39uyk7/UN78w==,type:str] + key: ENC[AES256_GCM,data:u9+aXoLY7un3mBszLzk0Rma9BO999dv3wdquCrm5jFU5fLTXJtmSrrdgNzrdjqNH+1xL2oQBtaSyhnRcpK+bGw7TSxcAq6Xlvovoh01gAS3zMQZ046Bjc7epDCEm5qHMEGqdjlzw6U79bwBjqiTSsMpAFyUf3i0ovyBYwZ3xYTb+JVUuia7pjg0CrF27LdKNjZExyAFhZoG0WasnrZVzurzktzRdDmJ+CCM3bg28D8lCM6ICVVZqVFfckUVEM8ez334givZ7gBIciHnju0YN9stUvd9Sm9CimGe5xenFFgU625MiNUBAWojR1QwzCmO7d45RjrZqwcCQyhC7RpiKauKX54KwVTSlLxXsUncyBgpWs7SAfKods3Z3YV6C0HG+4etUA8bZjeQUE27N48TgtA==,iv:RBUyyssdTtHO56x3k/FFbr3J+s9Hry/Qfj7+4R2mLX8=,tag:/Z/pyFL5qxdjAC5vhyIPSg==,type:str] + serviceAccount: + key: ENC[AES256_GCM,data:7qQSeXBKUNSXNftNV7A7CNNCxJRpN+T6ruaWpLK6gzPTzydkVWJQEdWKCYmSpvNWwl0NWzEe605qqH3nVgEg1KfzN/sq19Bl/3x5u2nuTa9wxEc+tLtAJE2uGRVE8jNjC2Uq7C6r84BWkV+bCQCwZh7Yr6OUqTTK5iZ5Ws0Xti4ZoQQ/mAYpggjwJP6HLBkRBy6x9vTT+xR+dZOiu54oGySSPuziF+Rcl/IN1FJ6noxEtDuuFaA4cCL+hlCUM65Fx1iRg6m/c3MsbotlhvvecYVjVD+6SnmBDtPMuXp/tAximB8uuaT7pYXi7Rq4d3MqhlZGTxgIof8t3YM9CwDuUVigDsdCi0HodCM0fRpLZIrvA4uzXuj4X5HorbW9eI3MpoAsw/z4kn6U7w+CSRuAyQ==,iv:p3xuX51jUmH8uWgoq0pOGHqb5ZdcG6LxmygmGxxEZpo=,tag:EEplHbeUup9RjGFGcjhTyg==,type:str] + apiServer: + image: registry.k8s.io/kube-apiserver:v1.29.2 + certSANs: + - 127.0.0.1 + - 10.88.0.20 + disablePodSecurityPolicy: true + auditPolicy: + apiVersion: audit.k8s.io/v1 + kind: Policy + rules: + - level: Metadata + controllerManager: + image: registry.k8s.io/kube-controller-manager:v1.29.2 + extraArgs: + bind-address: 0.0.0.0 + proxy: + disabled: true + image: registry.k8s.io/kube-proxy:v1.29.2 + scheduler: + image: registry.k8s.io/kube-scheduler:v1.29.2 + extraArgs: + bind-address: 0.0.0.0 + discovery: + enabled: true + registries: + kubernetes: + disabled: false + service: + disabled: false + etcd: + ca: + crt: ENC[AES256_GCM,data:p9OZ4mvUOuUsPldjSSDIq13yYthIVFrOqqW3Mn6GB/6cBZj1VsMOB6K7zN8I/UUefsN7n4QbUezTV6Iwbs1tAkbe8pj5Bsw6SWJHHVivyxeO9zFwoLfhPc5vbwp/HV5t8e7xh6JcYJ7o+UZEVrd/DvclBJJyVsKJWI1uKHLQknxc8yof4nNgfTRn8ArlhFhGa+WlfT70G+WUKoE0RlFHWN9sTpHsmBbbQuyBZz57+GqIoL3n4tYbR1JATJr25lss7LaNrbzWqylNC19aO0rfWQYiTexIdQWWd2crxYEXD3v0Ryuaffa/ql0UH6D2omYvHQAOMEQmsqOTDBFh9QAfXwEsZY9/f/3y/XW7clH8CpUHp3WeLhA+besLbq7IO/5Np7EViaprusUm4BfcqmEhVsmshCHCty5jvHhyAJ2IhjrGE2QZosG64k00+9Y40uf6Xr6M5KJzERF9DSOwAt88f1Uc3WXTmzh3B9tKWHYL242uBREwzgQDy5FZ+6xW9TFDNM5WxnDwsmaf26r55PJyYqylH3ZkKuHiLJji8CYEF6t6t4wHR9rPMetVthujre0UKlku49FSaZeoxC7DZQSrY1wvK1NtZYlf1nU9n5j1XdZOMZ66KyGs6EXHwbLN6iF+dP9xpbf3DNKuWEYCOeTRt/894nFMm5qslb/9KjHv1K5J4V0+Q6C80JDO1gO2l1hJx5FNrqThyNCBhgsr7PAHdv8YEVXTUR7md9BM9gff/jr16Eg5EQZmlEY2aMc7X+qW3mP2MW2Aht3NNrGBjxzXfkzUgoeVyvVUPW50i42f5djxfZKs1LuGCExL1N6uw5weamLR6KlSQH/O7no1ib448QQGaJdGAuZD9AqEO6mec44UE0boTJQyXTQ3C3nQNVN44LqLpkIUwI70q/yiwEkIqoO+jQSGhk6BhDJxXZIlgWfX/q+d3bwkDq3Sic7NU9muotR8BKRSxFW1PA7tc95XIzTpBChaPz/T3P5BRM5h/RcISgjKLx444ZDBOIWRKoazonD7fA==,iv:myG0wbbocAhAl0MT8fKN/jK6WJ/K/64KLGk0rS8rOkM=,tag:lVjxQ8WjjeoCAnIzom4wgg==,type:str] + key: ENC[AES256_GCM,data:ILQorV60NhnZ4l5LO8opZ6cgUyomQRc6Dov7vOHIdvseIL1VdxRDXsWLZb2eM2HzC7V5GjcIlIfSt+HGQ8K7v5vxlYlVwl+8ElMPzxKbHWPidgt5UGxvO2rKWDuLppYc2tAXfkpWmdHs9E5KEcFgeBKWbTRfmTCUC+RqZDT0xlOkWt/RAXPEXDnaBs64rqoLJmMTCtBLw/jXcOLjz1VY+U4DMLuB8CTT1e/4v1jV7/ATOE1qTbsv0M2gO4wj/fVdI5OHNcSsbtjEX2TPTo7Hb9zOFXA4hcbVRWHeoT4VNCQxIyD/Wx0+ab722Zz2EQtN69LSsoFK+rFHMcUlLyRVkQvXxdgq0HxpHtvEUPBNr11jFkivpr0VynACR+LHc5RCju/psUW1RwpP0oO/EEg4ow==,iv:JKmIf7kIKDNvyyZmnMauFq1QruDLePDQ6t943tkQLPE=,tag:+vEXoSFe0jBgioKfWZrO3A==,type:str] + extraArgs: + listen-metrics-urls: http://0.0.0.0:2381 + advertisedSubnets: + - 10.88.0.0/24 + allowSchedulingOnMasters: true +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zucujcrr89pecplrme76f4vxcc05lg3hm8849mmfggvcvcv4ppls7cquw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwWGN3bk8wOEdJek40MUI1 + c2IyQlZtZEYrMmZUaW5vS2NCTVRhdGxCV0M0CnpoQjJ1K29xMXJFMFM1Nm1iQVdW + SS94cllGbTRDWWVVOXpEVEZxNXlweHcKLS0tIGtlS0xhTE9zTENmQzgxdHcwR3lv + YlFiVElUZEEreGlGZ3NvdlJKQ0NyQXMKTHuhLeE+ebE5q9OyNlTIk6i3TNNE/ygo + RUCOEBntSKIwattjSpdoXZtDS+RQ2gEliIGfBq5L7mn9ntSya1OOMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-15T14:18:46Z" + mac: ENC[AES256_GCM,data:O6M/63nG0F8Estf4rErY+651S4n5VDIFA+70I5UbuDLv66DYLNyqkJ8zPuVjhCZxjudoP0H8xqNTEXeFNhDvd5OD7DP2mHVvYXKgAYgk0eCj9JnVKM5QTrcJrYE5lVvSOLaJSFB2mqIL3VUr+uGwF3lyx8XgKldMZIYR9EKn5rA=,iv:P4kRQqMlfhf6+iaN3TU6zW90whKTQ2YBV/2TZy/Koqk=,tag:kzxfiB7O6GJ8WoAXom9yXA==,type:str] + pgp: [] + encrypted_regex: ^(token|crt|key|id|secret|secretboxEncryptionSecret|ca)$ + version: 3.8.1 diff --git a/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-1.secret.sops.yaml b/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-1.secret.sops.yaml new file mode 100644 index 000000000..cf6c92aec --- /dev/null +++ b/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-1.secret.sops.yaml @@ -0,0 +1,183 @@ +version: v1alpha1 +debug: false +persist: true +machine: + type: controlplane + token: ENC[AES256_GCM,data:+5rwSMhG2eKwXkgv6ogrFa/s/M7h9Dw=,iv:8YjOB6bkYhbunOxX6W9xbbta5o+qtWTOM25Cg+JWIvg=,tag:syBUjgr/hOnMDPX7mpfCjg==,type:str] + ca: + crt: ENC[AES256_GCM,data:/ByLOKvDHnYFn1hPqbjI6Tq7hvC5T5DNn5Z7hDY3Wp0BBrSUIzZAMegRd8yA/5tYfQlDtHGsA8iW3GVtyBncNJ2XsJnxVS8A9MAMzM88D3+GRQZZSPPudmZmXiEdcMBgL7Jn3XnBfX9CMMCQzB+da6JkJmcMoEi5mAP7G3eXTMVXtm/djmJScXGhIYmtw3HLiViWYpKHGKH2x5UPjBqpf9EYb96CA3Dw42vO8I39ESDFGLOiPVYYFMcrBhP9PiQMr/pKFlpfI6XzejXZsO6AWVS+TrKhfn4CjinPOoYyWUsqIHjhA14ma6hEYG9xO+QWbgzJiNaQbuYQTHkvs9VSsrvc9VuhbnFT9hW8IjKKTkjmVB5sCjZSjorAVkMjA4sEGVxW/ddr/E0/SNBivwknTGvAXczQNyQktk4v8rL5FXiK7ZfkBeXQ5KBcGf95Jn78IOLYIzDhRKSoCV8/c1roymdDB3DEo4I6J05xv8h2Xg4ezpQh57q5A/ufLFcEItk7pCVKWRYW7d4dOWm3hPWoHb7YbJ9kPn5Mg0MuwQLpsoQiEDBe6XOPlCQrcb2tw/W3qKbNveCXUWyiVQng7T4JlbwYb0rRcPtF+Hcu37NCMlrzqAtHKfHEnukoCV/CRp/Wsmtg1ZPw9jeLmT0jvhhIry+oybhnkBu5piG+t/vbxkeSHowwKGH1kP0GE7qGRWONGq4LrPxvVH/BH/6IG6un+SxyRk0y5KELJYd+tzJ04x+6b6uzmGW8tZjdTC6qSKx1yly229x9+ZYfqTB6YILYMC1Of+Fhx+PqRWnf+++wDYwNRZWzH/W+gHTxyEl0iK7ww2E8i1zezrSiYfTZEB+Rng1uTmsr+m+yEqAThtql7FV8c+Gy,iv:hmC2sTV0wIMxA/UxTXzoTAMpldEokO+Abtguhn9S5UI=,tag:M3cM5KMjbTwq9qeOX63DKw==,type:str] + key: ENC[AES256_GCM,data:s+16FAzGtK6Uf9G7bAHT1UgMFOR6GR1A0kRsl+3oOjz/wdHOjA6fj3mOhSkbP5JXwLxjX2v4yLIzg3+nEyjLART3kx7vr1BOOlaK+0C//cXcRkebW2EuZcQYWVmW5G17UGqoMflAIrp5bbCNSi+Tvfr3/QwBha/0738lfgyZ8P8FTvZuOZC3PYr903S0DC1BofEkdOOuJjyvVR7mjOH+4ULutbF1rmT10j0xK8/c7XzNxppc,iv:2e6k2MSEDLFHgW7WcNu5gstC6suhIVhVi65U1ihYT9Q=,tag:db9EG0vyVLHlM7ijLI9kvw==,type:str] + certSANs: + - 127.0.0.1 + - 10.88.0.20 + kubelet: + image: ghcr.io/siderolabs/kubelet:v1.29.2 + extraArgs: + image-gc-high-threshold: "55" + image-gc-low-threshold: "50" + rotate-server-certificates: "true" + extraMounts: + - destination: /var/openebs/local + type: bind + source: /var/openebs/local + options: + - bind + - rshared + - rw + defaultRuntimeSeccompProfileEnabled: true + nodeIP: + validSubnets: + - 10.88.0.0/24 + disableManifestsDirectory: true + network: + hostname: k8s-1 + interfaces: + - interface: eth0 + dhcp: false + addresses: + - 10.88.0.11/24 + routes: + # The route's network (destination). + - network: 0.0.0.0/0 + gateway: 10.88.0.1 + mtu: 1500 + # vip: + # ip: 10.88.0.20 + nameservers: + - 10.88.0.1 + install: + disk: /dev/sda + extraKernelArgs: + - net.ifnames=0 + image: factory.talos.dev/installer/76d744fe4579923f39f364e8975d0886f86efe0ca30dcb74d92f16a5ee1ab2fd:v1.6.5 + wipe: false + files: + - content: |- + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + [plugins."io.containerd.grpc.v1.cri".containerd] + discard_unpacked_layers = false + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + discard_unpacked_layers = false + permissions: 0 + path: /etc/cri/conf.d/20-customization.part + op: create + - content: |- + [ NFSMount_Global_Options ] + nfsvers=4.2 + hard=True + noatime=True + nodiratime=True + rsize=131072 + wsize=131072 + nconnect=8 + permissions: 420 + path: /etc/nfsmount.conf + op: overwrite + time: + disabled: false + servers: + - time.cloudflare.com + sysctls: + fs.inotify.max_queued_events: "65536" + fs.inotify.max_user_instances: "8192" + fs.inotify.max_user_watches: "524288" + features: + rbac: true + stableHostname: true + kubernetesTalosAPIAccess: + enabled: true + allowedRoles: + - os:admin + allowedKubernetesNamespaces: + - system-upgrade + apidCheckExtKeyUsage: true + diskQuotaSupport: true + kubePrism: + enabled: true + port: 7445 +cluster: + id: ENC[AES256_GCM,data:+NH+6abtMs0ZfGNV4l4JHJlDwjmQDXAWIkIqOux/Bgi+xQI69YxvCc/irqs=,iv:RP9DAD03YqljB6FjXUu/tvb+SqUWnWPI0tPH+zlnGnM=,tag:JH9dDKDZidGX/XF+eeQkVA==,type:str] + secret: ENC[AES256_GCM,data:2dTvrNR03byxwBRS3jPKZ1gNj0DGR9M4pveQ6qPbMyHbbeAvgO6GWKI2Oy8=,iv:KnNX1cdJRfdBDGsqfXFZhcL7sWsMF/Xrxl2KtNd9HeI=,tag:50aaAIOUBwVTJA8H9X/UMQ==,type:str] + controlPlane: + endpoint: https://10.88.0.20:6443 + clusterName: main + network: + cni: + name: none + dnsDomain: cluster.local + podSubnets: + - 10.42.0.0/16 + serviceSubnets: + - 10.43.0.0/16 + coreDNS: + disabled: true + token: ENC[AES256_GCM,data:RlobXTDVmBBL3eFdNpyItZbP5OErtS8=,iv:888sF0Heor3/xgZ5q85e8PklB9KP54Fpw2/27s5qRmQ=,tag:riofqKrlSgOjgYSYCAVPpQ==,type:str] + secretboxEncryptionSecret: ENC[AES256_GCM,data:O5EJof1Khg66ghasQuMjLH4FnIdk1buuguVK6SIJBKb81C9YdINcFCd00YY=,iv:zIBvw9cqxdyMaL354MT21pvpkuDrgy5G5BWmecRZGZE=,tag:5wbHjaWYRBWnwddtmQrpDA==,type:str] + ca: + crt: ENC[AES256_GCM,data:7BGJuPBrdZvBLE+DnMQmUH/WZj9vH7jPrp/qSXOq5k7wFvCHQt6/FmjkmO6u3lYHE2QlzWSqA7UuLW2oU8NHnLqw8eVCenKs4lspvTm5gmGu0ufYOaRzkQMifaKF+GUxDxosRBpL7j6/4uxNpqkOf1krWkm9UnkdZqPFdC8Kj9sImqLns6+F+qUKLOhsSH7e3MnzO53lZqKnuAUvwwMH6xFSGykZ5X40JvHaSjAQ7gO0Kqp4pyD6BR8iDDuFIuOQpBjA3mLHE2CszXY6kXdeokMAYTLPJd1VLFZ2tHXvj2YJy1jZw0Yo9b064iH5GFBDq8cgSbCMIL59uV5xEDb90BWwwiS/vNmxwX0Hk2affo0hPU4pLzqM+ava6z/730JZb+Ji7JD0yopQULGEa0AhWgUmJOIO4SaGSG7PC5gbPyxr4T7JSvs0MPvH/Km504Wrhf42NPX3Dv5JeYJUy6xzg0/OQKdH9kWZSOu0BYh8zVH29IjW/AwTuoHPQyDyMHGnlBUSo26+FpCigxmRko2DlD+1UAP9M/W3SBxHs4AKNrnVZi2qE1avYCNUCRab0dWgnS1HVW4F8ptHhwJ0+jdXlTN7pAsfaSsLdom2E/fvHkbdTRSeeF60AodzBnSQ/6Zr7+8PIG/rFfP9209k4XgzL6mWWk4FmE2PTCtTyXYfhRTZVBa24mP8cSPlJdciESYztFeyrMmsAYRhr+4kgxJjAHoHgAbuRGOo4ANlujNWq56DamtRW70OoPfK4D6F5gDgW5vOa/jSiCtmWXKPBBj5WncogNj9UmPk8YhYn0O+K+KT0Dot3q1pYw+6bQovPXEZ226NLscnnO13C9+IVcF9jX8u0yyy4aSLiXrb/Zf4CU5Z95Q25BUdtHGprw2W96L7m1h4yH+56uXU2yUdPlUljpkh/p4eDQqkknPAx6ftjwR78ZzDqHC6XtzeoRGjMxlRhn2ItQVOU9+fW6NTAmAwarCL27T2Cl6USLUPAFN1sc2nRQGqFuKZmXaPYDK1HHuZ6QaCErQ/976+QIAPJSbdyJrQa9psWN7BWFmB+g==,iv:HMSoLaSoMBr6TJmccT2aQkDGbtrsnRYb0He3Hc5+ZG8=,tag:3dY3p6WlFxBbXbpYulrE0A==,type:str] + key: ENC[AES256_GCM,data:7rn7xw9G6ODiqzKES+0Sf6xlr6aP5Mb5GcPPyS1K1+tmaILQaNSjfnJxSSpGKHmW4O3MStkTpIVsiW5yZ4SfrcrwzqyAwe8ndyyNf/+JaabjuCCq6ff8Ww3f95rQMY17L7snOMD1lwSNHj1ZrZ19+UCgn3VRH8hLJKortbkfC7K47UBz3IWKoWP/xDrghSHLLVwCxAv3RHGGJtik3qGS4qYBxnewEJmOF4gnh8lf13kjVH6668JcS0xPV38Js31iIYPWXSimPwGSNDMcOQdp13rxEoepKAcJsfh6X9M8XxzJFXgjNK7+JmSx5A0Lzk0HtrDQZKi26UYlSg3tbnBe3IhMfjuNqksXFZxD8D4ZqJZFMrD5y36/NJhZqrD2hdIOxMMiToHI9IPTjPa10mgvVg==,iv:GeGRvTsRmY2EpCFY833Q99PwZv+zo8WoGgHWAWW4uRs=,tag:kBw7QwgzsS2sKCRdYpdkcA==,type:str] + aggregatorCA: + crt: ENC[AES256_GCM,data:WuKSvCIhpZrcJNhcy8MCRWIk+h7nxwuXIwWFFM01uHLCXrugErgimSgsPkF5mQRlZcWQH+u4x2LyNhC/jXBU9eOBbS1eUxYubHL+O4pMsJGGpx/ML9MUtMwBZdMvSxtbEsKXRyjowTJXmUOv1dXoeWtdUjVMnBtXlGCGfppAeiGXvuVVAdsXZdsFqIB0fx8hBq03GC6A/INq8s3D4kLnXMV12rpWiKrfMcqye0pu5t8IfTT9EEcdrpwwVDGyXkPMdUM5884pM/9BsZ5PWjwTlJrvK6jJ1rkGXjFBjMRr//ynsnsPXn1VbyovWXomW//FrapKlS4n4RjCqwy8GO1oeXJElgnAYgbn2OzKCqC27YcYM+wr7nyEn1OnPRZOWAoqww/vrnM2YqETMB+H4n2KCg49AfSuxKuVY15R84c7GuRN0i9PBSO87dJRfRa1+e6NSNNImpw2ti++G/Z9RMDEAzenS+cXOAbenaHLKap/RALx3EU31dPr6Nx3gmMyBL2o1MDskxcPiPlQKAQCsl3Uef0v+dOVwlRu2O5lyton/w0w/fFsr/gfC7EijAYNXVDAKh6Qutqi1Ho0RZH4Vx3g1eljsLWRB42FztALpA708YT5wDA1d83kPjaIpb2+REtzHTnVy21JG/FxTuX0FqF2SkNcg8fHHYTSpj7oVNmyl2ay+YtEm18YMwPhK9YVE81iCESC8TxQj+IC3TjJxsfPEbfjhMstPGO7Q2X1tWLyOjDwSUP6Y6nB5V2XV1kZ9Z1UexnRxu+TEfO7m0ptTd9kBHYKN+h1hr9FePfpiBtZ3/HT/oju6Sve5EiTtdyDoLOfO0AWTf+IREpWkcIt6vvEeeuouLJ6Cxj8EHHWorQXvZcrHhFp2wKQ0HH/UKWftxkkGH5vKzFiw8g2F7hGBkhJNbdc0P0GAtO61VTxMwi0W8kFIDQ2GDR6486nuEIqTVK0,iv:hAxnfQQVlceNbuOqwgwQM/GO3kWYn9yr+NgfWK4kKNw=,tag:KmZU411h4L39uyk7/UN78w==,type:str] + key: ENC[AES256_GCM,data:u9+aXoLY7un3mBszLzk0Rma9BO999dv3wdquCrm5jFU5fLTXJtmSrrdgNzrdjqNH+1xL2oQBtaSyhnRcpK+bGw7TSxcAq6Xlvovoh01gAS3zMQZ046Bjc7epDCEm5qHMEGqdjlzw6U79bwBjqiTSsMpAFyUf3i0ovyBYwZ3xYTb+JVUuia7pjg0CrF27LdKNjZExyAFhZoG0WasnrZVzurzktzRdDmJ+CCM3bg28D8lCM6ICVVZqVFfckUVEM8ez334givZ7gBIciHnju0YN9stUvd9Sm9CimGe5xenFFgU625MiNUBAWojR1QwzCmO7d45RjrZqwcCQyhC7RpiKauKX54KwVTSlLxXsUncyBgpWs7SAfKods3Z3YV6C0HG+4etUA8bZjeQUE27N48TgtA==,iv:RBUyyssdTtHO56x3k/FFbr3J+s9Hry/Qfj7+4R2mLX8=,tag:/Z/pyFL5qxdjAC5vhyIPSg==,type:str] + serviceAccount: + key: ENC[AES256_GCM,data:7qQSeXBKUNSXNftNV7A7CNNCxJRpN+T6ruaWpLK6gzPTzydkVWJQEdWKCYmSpvNWwl0NWzEe605qqH3nVgEg1KfzN/sq19Bl/3x5u2nuTa9wxEc+tLtAJE2uGRVE8jNjC2Uq7C6r84BWkV+bCQCwZh7Yr6OUqTTK5iZ5Ws0Xti4ZoQQ/mAYpggjwJP6HLBkRBy6x9vTT+xR+dZOiu54oGySSPuziF+Rcl/IN1FJ6noxEtDuuFaA4cCL+hlCUM65Fx1iRg6m/c3MsbotlhvvecYVjVD+6SnmBDtPMuXp/tAximB8uuaT7pYXi7Rq4d3MqhlZGTxgIof8t3YM9CwDuUVigDsdCi0HodCM0fRpLZIrvA4uzXuj4X5HorbW9eI3MpoAsw/z4kn6U7w+CSRuAyQ==,iv:p3xuX51jUmH8uWgoq0pOGHqb5ZdcG6LxmygmGxxEZpo=,tag:EEplHbeUup9RjGFGcjhTyg==,type:str] + apiServer: + image: registry.k8s.io/kube-apiserver:v1.29.2 + certSANs: + - 127.0.0.1 + - 10.88.0.20 + disablePodSecurityPolicy: true + auditPolicy: + apiVersion: audit.k8s.io/v1 + kind: Policy + rules: + - level: Metadata + controllerManager: + image: registry.k8s.io/kube-controller-manager:v1.29.2 + extraArgs: + bind-address: 0.0.0.0 + proxy: + disabled: true + image: registry.k8s.io/kube-proxy:v1.29.2 + scheduler: + image: registry.k8s.io/kube-scheduler:v1.29.2 + extraArgs: + bind-address: 0.0.0.0 + discovery: + enabled: true + registries: + kubernetes: + disabled: false + service: + disabled: false + etcd: + ca: + crt: ENC[AES256_GCM,data:p9OZ4mvUOuUsPldjSSDIq13yYthIVFrOqqW3Mn6GB/6cBZj1VsMOB6K7zN8I/UUefsN7n4QbUezTV6Iwbs1tAkbe8pj5Bsw6SWJHHVivyxeO9zFwoLfhPc5vbwp/HV5t8e7xh6JcYJ7o+UZEVrd/DvclBJJyVsKJWI1uKHLQknxc8yof4nNgfTRn8ArlhFhGa+WlfT70G+WUKoE0RlFHWN9sTpHsmBbbQuyBZz57+GqIoL3n4tYbR1JATJr25lss7LaNrbzWqylNC19aO0rfWQYiTexIdQWWd2crxYEXD3v0Ryuaffa/ql0UH6D2omYvHQAOMEQmsqOTDBFh9QAfXwEsZY9/f/3y/XW7clH8CpUHp3WeLhA+besLbq7IO/5Np7EViaprusUm4BfcqmEhVsmshCHCty5jvHhyAJ2IhjrGE2QZosG64k00+9Y40uf6Xr6M5KJzERF9DSOwAt88f1Uc3WXTmzh3B9tKWHYL242uBREwzgQDy5FZ+6xW9TFDNM5WxnDwsmaf26r55PJyYqylH3ZkKuHiLJji8CYEF6t6t4wHR9rPMetVthujre0UKlku49FSaZeoxC7DZQSrY1wvK1NtZYlf1nU9n5j1XdZOMZ66KyGs6EXHwbLN6iF+dP9xpbf3DNKuWEYCOeTRt/894nFMm5qslb/9KjHv1K5J4V0+Q6C80JDO1gO2l1hJx5FNrqThyNCBhgsr7PAHdv8YEVXTUR7md9BM9gff/jr16Eg5EQZmlEY2aMc7X+qW3mP2MW2Aht3NNrGBjxzXfkzUgoeVyvVUPW50i42f5djxfZKs1LuGCExL1N6uw5weamLR6KlSQH/O7no1ib448QQGaJdGAuZD9AqEO6mec44UE0boTJQyXTQ3C3nQNVN44LqLpkIUwI70q/yiwEkIqoO+jQSGhk6BhDJxXZIlgWfX/q+d3bwkDq3Sic7NU9muotR8BKRSxFW1PA7tc95XIzTpBChaPz/T3P5BRM5h/RcISgjKLx444ZDBOIWRKoazonD7fA==,iv:myG0wbbocAhAl0MT8fKN/jK6WJ/K/64KLGk0rS8rOkM=,tag:lVjxQ8WjjeoCAnIzom4wgg==,type:str] + key: ENC[AES256_GCM,data:ILQorV60NhnZ4l5LO8opZ6cgUyomQRc6Dov7vOHIdvseIL1VdxRDXsWLZb2eM2HzC7V5GjcIlIfSt+HGQ8K7v5vxlYlVwl+8ElMPzxKbHWPidgt5UGxvO2rKWDuLppYc2tAXfkpWmdHs9E5KEcFgeBKWbTRfmTCUC+RqZDT0xlOkWt/RAXPEXDnaBs64rqoLJmMTCtBLw/jXcOLjz1VY+U4DMLuB8CTT1e/4v1jV7/ATOE1qTbsv0M2gO4wj/fVdI5OHNcSsbtjEX2TPTo7Hb9zOFXA4hcbVRWHeoT4VNCQxIyD/Wx0+ab722Zz2EQtN69LSsoFK+rFHMcUlLyRVkQvXxdgq0HxpHtvEUPBNr11jFkivpr0VynACR+LHc5RCju/psUW1RwpP0oO/EEg4ow==,iv:JKmIf7kIKDNvyyZmnMauFq1QruDLePDQ6t943tkQLPE=,tag:+vEXoSFe0jBgioKfWZrO3A==,type:str] + extraArgs: + listen-metrics-urls: http://0.0.0.0:2381 + advertisedSubnets: + - 10.88.0.0/24 + allowSchedulingOnMasters: true +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zucujcrr89pecplrme76f4vxcc05lg3hm8849mmfggvcvcv4ppls7cquw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwWGN3bk8wOEdJek40MUI1 + c2IyQlZtZEYrMmZUaW5vS2NCTVRhdGxCV0M0CnpoQjJ1K29xMXJFMFM1Nm1iQVdW + SS94cllGbTRDWWVVOXpEVEZxNXlweHcKLS0tIGtlS0xhTE9zTENmQzgxdHcwR3lv + YlFiVElUZEEreGlGZ3NvdlJKQ0NyQXMKTHuhLeE+ebE5q9OyNlTIk6i3TNNE/ygo + RUCOEBntSKIwattjSpdoXZtDS+RQ2gEliIGfBq5L7mn9ntSya1OOMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-15T14:35:59Z" + mac: ENC[AES256_GCM,data:4bRRrmMbeqzYc9mMipCcNbYiGcVF6a1/05J9IO1ZBywKdmnxS7SlJiXFnsxirSmIipfnbuS22jrPnV0o4lRtI3d8aa0sCZ3BFErdL8hDOeokRy8l3KHN9Uxg+dQNA+6WQ8oIzfeJ5AOzDHxVvKQCBfpvb/o+3s4jBL26MQ3pap0=,iv:JNy7z3L3+C0zqhHQicaeXd8bYg3TvjAuZMRytUCoAZw=,tag:SEExGaU9MGv2kCz+UVSx2Q==,type:str] + pgp: [] + encrypted_regex: ^(token|crt|key|id|secret|secretboxEncryptionSecret|ca)$ + version: 3.8.1 diff --git a/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-2.secret.sops.yaml b/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-2.secret.sops.yaml new file mode 100644 index 000000000..e3adad69f --- /dev/null +++ b/kubernetes/main/bootstrap/talos/matchbox/assets/k8s-2.secret.sops.yaml @@ -0,0 +1,183 @@ +version: v1alpha1 +debug: false +persist: true +machine: + type: controlplane + token: ENC[AES256_GCM,data:+5rwSMhG2eKwXkgv6ogrFa/s/M7h9Dw=,iv:8YjOB6bkYhbunOxX6W9xbbta5o+qtWTOM25Cg+JWIvg=,tag:syBUjgr/hOnMDPX7mpfCjg==,type:str] + ca: + crt: ENC[AES256_GCM,data:/ByLOKvDHnYFn1hPqbjI6Tq7hvC5T5DNn5Z7hDY3Wp0BBrSUIzZAMegRd8yA/5tYfQlDtHGsA8iW3GVtyBncNJ2XsJnxVS8A9MAMzM88D3+GRQZZSPPudmZmXiEdcMBgL7Jn3XnBfX9CMMCQzB+da6JkJmcMoEi5mAP7G3eXTMVXtm/djmJScXGhIYmtw3HLiViWYpKHGKH2x5UPjBqpf9EYb96CA3Dw42vO8I39ESDFGLOiPVYYFMcrBhP9PiQMr/pKFlpfI6XzejXZsO6AWVS+TrKhfn4CjinPOoYyWUsqIHjhA14ma6hEYG9xO+QWbgzJiNaQbuYQTHkvs9VSsrvc9VuhbnFT9hW8IjKKTkjmVB5sCjZSjorAVkMjA4sEGVxW/ddr/E0/SNBivwknTGvAXczQNyQktk4v8rL5FXiK7ZfkBeXQ5KBcGf95Jn78IOLYIzDhRKSoCV8/c1roymdDB3DEo4I6J05xv8h2Xg4ezpQh57q5A/ufLFcEItk7pCVKWRYW7d4dOWm3hPWoHb7YbJ9kPn5Mg0MuwQLpsoQiEDBe6XOPlCQrcb2tw/W3qKbNveCXUWyiVQng7T4JlbwYb0rRcPtF+Hcu37NCMlrzqAtHKfHEnukoCV/CRp/Wsmtg1ZPw9jeLmT0jvhhIry+oybhnkBu5piG+t/vbxkeSHowwKGH1kP0GE7qGRWONGq4LrPxvVH/BH/6IG6un+SxyRk0y5KELJYd+tzJ04x+6b6uzmGW8tZjdTC6qSKx1yly229x9+ZYfqTB6YILYMC1Of+Fhx+PqRWnf+++wDYwNRZWzH/W+gHTxyEl0iK7ww2E8i1zezrSiYfTZEB+Rng1uTmsr+m+yEqAThtql7FV8c+Gy,iv:hmC2sTV0wIMxA/UxTXzoTAMpldEokO+Abtguhn9S5UI=,tag:M3cM5KMjbTwq9qeOX63DKw==,type:str] + key: ENC[AES256_GCM,data:s+16FAzGtK6Uf9G7bAHT1UgMFOR6GR1A0kRsl+3oOjz/wdHOjA6fj3mOhSkbP5JXwLxjX2v4yLIzg3+nEyjLART3kx7vr1BOOlaK+0C//cXcRkebW2EuZcQYWVmW5G17UGqoMflAIrp5bbCNSi+Tvfr3/QwBha/0738lfgyZ8P8FTvZuOZC3PYr903S0DC1BofEkdOOuJjyvVR7mjOH+4ULutbF1rmT10j0xK8/c7XzNxppc,iv:2e6k2MSEDLFHgW7WcNu5gstC6suhIVhVi65U1ihYT9Q=,tag:db9EG0vyVLHlM7ijLI9kvw==,type:str] + certSANs: + - 127.0.0.1 + - 10.88.0.20 + kubelet: + image: ghcr.io/siderolabs/kubelet:v1.29.2 + extraArgs: + image-gc-high-threshold: "55" + image-gc-low-threshold: "50" + rotate-server-certificates: "true" + extraMounts: + - destination: /var/openebs/local + type: bind + source: /var/openebs/local + options: + - bind + - rshared + - rw + defaultRuntimeSeccompProfileEnabled: true + nodeIP: + validSubnets: + - 10.88.0.0/24 + disableManifestsDirectory: true + network: + hostname: k8s-2 + interfaces: + - interface: eth0 + dhcp: false + addresses: + - 10.88.0.12/24 + routes: + # The route's network (destination). + - network: 0.0.0.0/0 + gateway: 10.88.0.1 + mtu: 1500 + # vip: + # ip: 10.88.0.20 + nameservers: + - 10.88.0.1 + install: + disk: /dev/sda + extraKernelArgs: + - net.ifnames=0 + image: factory.talos.dev/installer/76d744fe4579923f39f364e8975d0886f86efe0ca30dcb74d92f16a5ee1ab2fd:v1.6.5 + wipe: false + files: + - content: |- + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + [plugins."io.containerd.grpc.v1.cri".containerd] + discard_unpacked_layers = false + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + discard_unpacked_layers = false + permissions: 0 + path: /etc/cri/conf.d/20-customization.part + op: create + - content: |- + [ NFSMount_Global_Options ] + nfsvers=4.2 + hard=True + noatime=True + nodiratime=True + rsize=131072 + wsize=131072 + nconnect=8 + permissions: 420 + path: /etc/nfsmount.conf + op: overwrite + time: + disabled: false + servers: + - time.cloudflare.com + sysctls: + fs.inotify.max_queued_events: "65536" + fs.inotify.max_user_instances: "8192" + fs.inotify.max_user_watches: "524288" + features: + rbac: true + stableHostname: true + kubernetesTalosAPIAccess: + enabled: true + allowedRoles: + - os:admin + allowedKubernetesNamespaces: + - system-upgrade + apidCheckExtKeyUsage: true + diskQuotaSupport: true + kubePrism: + enabled: true + port: 7445 +cluster: + id: ENC[AES256_GCM,data:+NH+6abtMs0ZfGNV4l4JHJlDwjmQDXAWIkIqOux/Bgi+xQI69YxvCc/irqs=,iv:RP9DAD03YqljB6FjXUu/tvb+SqUWnWPI0tPH+zlnGnM=,tag:JH9dDKDZidGX/XF+eeQkVA==,type:str] + secret: ENC[AES256_GCM,data:2dTvrNR03byxwBRS3jPKZ1gNj0DGR9M4pveQ6qPbMyHbbeAvgO6GWKI2Oy8=,iv:KnNX1cdJRfdBDGsqfXFZhcL7sWsMF/Xrxl2KtNd9HeI=,tag:50aaAIOUBwVTJA8H9X/UMQ==,type:str] + controlPlane: + endpoint: https://10.88.0.20:6443 + clusterName: main + network: + cni: + name: none + dnsDomain: cluster.local + podSubnets: + - 10.42.0.0/16 + serviceSubnets: + - 10.43.0.0/16 + coreDNS: + disabled: true + token: ENC[AES256_GCM,data:RlobXTDVmBBL3eFdNpyItZbP5OErtS8=,iv:888sF0Heor3/xgZ5q85e8PklB9KP54Fpw2/27s5qRmQ=,tag:riofqKrlSgOjgYSYCAVPpQ==,type:str] + secretboxEncryptionSecret: ENC[AES256_GCM,data:O5EJof1Khg66ghasQuMjLH4FnIdk1buuguVK6SIJBKb81C9YdINcFCd00YY=,iv:zIBvw9cqxdyMaL354MT21pvpkuDrgy5G5BWmecRZGZE=,tag:5wbHjaWYRBWnwddtmQrpDA==,type:str] + ca: + crt: ENC[AES256_GCM,data:7BGJuPBrdZvBLE+DnMQmUH/WZj9vH7jPrp/qSXOq5k7wFvCHQt6/FmjkmO6u3lYHE2QlzWSqA7UuLW2oU8NHnLqw8eVCenKs4lspvTm5gmGu0ufYOaRzkQMifaKF+GUxDxosRBpL7j6/4uxNpqkOf1krWkm9UnkdZqPFdC8Kj9sImqLns6+F+qUKLOhsSH7e3MnzO53lZqKnuAUvwwMH6xFSGykZ5X40JvHaSjAQ7gO0Kqp4pyD6BR8iDDuFIuOQpBjA3mLHE2CszXY6kXdeokMAYTLPJd1VLFZ2tHXvj2YJy1jZw0Yo9b064iH5GFBDq8cgSbCMIL59uV5xEDb90BWwwiS/vNmxwX0Hk2affo0hPU4pLzqM+ava6z/730JZb+Ji7JD0yopQULGEa0AhWgUmJOIO4SaGSG7PC5gbPyxr4T7JSvs0MPvH/Km504Wrhf42NPX3Dv5JeYJUy6xzg0/OQKdH9kWZSOu0BYh8zVH29IjW/AwTuoHPQyDyMHGnlBUSo26+FpCigxmRko2DlD+1UAP9M/W3SBxHs4AKNrnVZi2qE1avYCNUCRab0dWgnS1HVW4F8ptHhwJ0+jdXlTN7pAsfaSsLdom2E/fvHkbdTRSeeF60AodzBnSQ/6Zr7+8PIG/rFfP9209k4XgzL6mWWk4FmE2PTCtTyXYfhRTZVBa24mP8cSPlJdciESYztFeyrMmsAYRhr+4kgxJjAHoHgAbuRGOo4ANlujNWq56DamtRW70OoPfK4D6F5gDgW5vOa/jSiCtmWXKPBBj5WncogNj9UmPk8YhYn0O+K+KT0Dot3q1pYw+6bQovPXEZ226NLscnnO13C9+IVcF9jX8u0yyy4aSLiXrb/Zf4CU5Z95Q25BUdtHGprw2W96L7m1h4yH+56uXU2yUdPlUljpkh/p4eDQqkknPAx6ftjwR78ZzDqHC6XtzeoRGjMxlRhn2ItQVOU9+fW6NTAmAwarCL27T2Cl6USLUPAFN1sc2nRQGqFuKZmXaPYDK1HHuZ6QaCErQ/976+QIAPJSbdyJrQa9psWN7BWFmB+g==,iv:HMSoLaSoMBr6TJmccT2aQkDGbtrsnRYb0He3Hc5+ZG8=,tag:3dY3p6WlFxBbXbpYulrE0A==,type:str] + key: ENC[AES256_GCM,data:7rn7xw9G6ODiqzKES+0Sf6xlr6aP5Mb5GcPPyS1K1+tmaILQaNSjfnJxSSpGKHmW4O3MStkTpIVsiW5yZ4SfrcrwzqyAwe8ndyyNf/+JaabjuCCq6ff8Ww3f95rQMY17L7snOMD1lwSNHj1ZrZ19+UCgn3VRH8hLJKortbkfC7K47UBz3IWKoWP/xDrghSHLLVwCxAv3RHGGJtik3qGS4qYBxnewEJmOF4gnh8lf13kjVH6668JcS0xPV38Js31iIYPWXSimPwGSNDMcOQdp13rxEoepKAcJsfh6X9M8XxzJFXgjNK7+JmSx5A0Lzk0HtrDQZKi26UYlSg3tbnBe3IhMfjuNqksXFZxD8D4ZqJZFMrD5y36/NJhZqrD2hdIOxMMiToHI9IPTjPa10mgvVg==,iv:GeGRvTsRmY2EpCFY833Q99PwZv+zo8WoGgHWAWW4uRs=,tag:kBw7QwgzsS2sKCRdYpdkcA==,type:str] + aggregatorCA: + crt: ENC[AES256_GCM,data:WuKSvCIhpZrcJNhcy8MCRWIk+h7nxwuXIwWFFM01uHLCXrugErgimSgsPkF5mQRlZcWQH+u4x2LyNhC/jXBU9eOBbS1eUxYubHL+O4pMsJGGpx/ML9MUtMwBZdMvSxtbEsKXRyjowTJXmUOv1dXoeWtdUjVMnBtXlGCGfppAeiGXvuVVAdsXZdsFqIB0fx8hBq03GC6A/INq8s3D4kLnXMV12rpWiKrfMcqye0pu5t8IfTT9EEcdrpwwVDGyXkPMdUM5884pM/9BsZ5PWjwTlJrvK6jJ1rkGXjFBjMRr//ynsnsPXn1VbyovWXomW//FrapKlS4n4RjCqwy8GO1oeXJElgnAYgbn2OzKCqC27YcYM+wr7nyEn1OnPRZOWAoqww/vrnM2YqETMB+H4n2KCg49AfSuxKuVY15R84c7GuRN0i9PBSO87dJRfRa1+e6NSNNImpw2ti++G/Z9RMDEAzenS+cXOAbenaHLKap/RALx3EU31dPr6Nx3gmMyBL2o1MDskxcPiPlQKAQCsl3Uef0v+dOVwlRu2O5lyton/w0w/fFsr/gfC7EijAYNXVDAKh6Qutqi1Ho0RZH4Vx3g1eljsLWRB42FztALpA708YT5wDA1d83kPjaIpb2+REtzHTnVy21JG/FxTuX0FqF2SkNcg8fHHYTSpj7oVNmyl2ay+YtEm18YMwPhK9YVE81iCESC8TxQj+IC3TjJxsfPEbfjhMstPGO7Q2X1tWLyOjDwSUP6Y6nB5V2XV1kZ9Z1UexnRxu+TEfO7m0ptTd9kBHYKN+h1hr9FePfpiBtZ3/HT/oju6Sve5EiTtdyDoLOfO0AWTf+IREpWkcIt6vvEeeuouLJ6Cxj8EHHWorQXvZcrHhFp2wKQ0HH/UKWftxkkGH5vKzFiw8g2F7hGBkhJNbdc0P0GAtO61VTxMwi0W8kFIDQ2GDR6486nuEIqTVK0,iv:hAxnfQQVlceNbuOqwgwQM/GO3kWYn9yr+NgfWK4kKNw=,tag:KmZU411h4L39uyk7/UN78w==,type:str] + key: ENC[AES256_GCM,data:u9+aXoLY7un3mBszLzk0Rma9BO999dv3wdquCrm5jFU5fLTXJtmSrrdgNzrdjqNH+1xL2oQBtaSyhnRcpK+bGw7TSxcAq6Xlvovoh01gAS3zMQZ046Bjc7epDCEm5qHMEGqdjlzw6U79bwBjqiTSsMpAFyUf3i0ovyBYwZ3xYTb+JVUuia7pjg0CrF27LdKNjZExyAFhZoG0WasnrZVzurzktzRdDmJ+CCM3bg28D8lCM6ICVVZqVFfckUVEM8ez334givZ7gBIciHnju0YN9stUvd9Sm9CimGe5xenFFgU625MiNUBAWojR1QwzCmO7d45RjrZqwcCQyhC7RpiKauKX54KwVTSlLxXsUncyBgpWs7SAfKods3Z3YV6C0HG+4etUA8bZjeQUE27N48TgtA==,iv:RBUyyssdTtHO56x3k/FFbr3J+s9Hry/Qfj7+4R2mLX8=,tag:/Z/pyFL5qxdjAC5vhyIPSg==,type:str] + serviceAccount: + key: ENC[AES256_GCM,data:7qQSeXBKUNSXNftNV7A7CNNCxJRpN+T6ruaWpLK6gzPTzydkVWJQEdWKCYmSpvNWwl0NWzEe605qqH3nVgEg1KfzN/sq19Bl/3x5u2nuTa9wxEc+tLtAJE2uGRVE8jNjC2Uq7C6r84BWkV+bCQCwZh7Yr6OUqTTK5iZ5Ws0Xti4ZoQQ/mAYpggjwJP6HLBkRBy6x9vTT+xR+dZOiu54oGySSPuziF+Rcl/IN1FJ6noxEtDuuFaA4cCL+hlCUM65Fx1iRg6m/c3MsbotlhvvecYVjVD+6SnmBDtPMuXp/tAximB8uuaT7pYXi7Rq4d3MqhlZGTxgIof8t3YM9CwDuUVigDsdCi0HodCM0fRpLZIrvA4uzXuj4X5HorbW9eI3MpoAsw/z4kn6U7w+CSRuAyQ==,iv:p3xuX51jUmH8uWgoq0pOGHqb5ZdcG6LxmygmGxxEZpo=,tag:EEplHbeUup9RjGFGcjhTyg==,type:str] + apiServer: + image: registry.k8s.io/kube-apiserver:v1.29.2 + certSANs: + - 127.0.0.1 + - 10.88.0.20 + disablePodSecurityPolicy: true + auditPolicy: + apiVersion: audit.k8s.io/v1 + kind: Policy + rules: + - level: Metadata + controllerManager: + image: registry.k8s.io/kube-controller-manager:v1.29.2 + extraArgs: + bind-address: 0.0.0.0 + proxy: + disabled: true + image: registry.k8s.io/kube-proxy:v1.29.2 + scheduler: + image: registry.k8s.io/kube-scheduler:v1.29.2 + extraArgs: + bind-address: 0.0.0.0 + discovery: + enabled: true + registries: + kubernetes: + disabled: false + service: + disabled: false + etcd: + ca: + crt: ENC[AES256_GCM,data:p9OZ4mvUOuUsPldjSSDIq13yYthIVFrOqqW3Mn6GB/6cBZj1VsMOB6K7zN8I/UUefsN7n4QbUezTV6Iwbs1tAkbe8pj5Bsw6SWJHHVivyxeO9zFwoLfhPc5vbwp/HV5t8e7xh6JcYJ7o+UZEVrd/DvclBJJyVsKJWI1uKHLQknxc8yof4nNgfTRn8ArlhFhGa+WlfT70G+WUKoE0RlFHWN9sTpHsmBbbQuyBZz57+GqIoL3n4tYbR1JATJr25lss7LaNrbzWqylNC19aO0rfWQYiTexIdQWWd2crxYEXD3v0Ryuaffa/ql0UH6D2omYvHQAOMEQmsqOTDBFh9QAfXwEsZY9/f/3y/XW7clH8CpUHp3WeLhA+besLbq7IO/5Np7EViaprusUm4BfcqmEhVsmshCHCty5jvHhyAJ2IhjrGE2QZosG64k00+9Y40uf6Xr6M5KJzERF9DSOwAt88f1Uc3WXTmzh3B9tKWHYL242uBREwzgQDy5FZ+6xW9TFDNM5WxnDwsmaf26r55PJyYqylH3ZkKuHiLJji8CYEF6t6t4wHR9rPMetVthujre0UKlku49FSaZeoxC7DZQSrY1wvK1NtZYlf1nU9n5j1XdZOMZ66KyGs6EXHwbLN6iF+dP9xpbf3DNKuWEYCOeTRt/894nFMm5qslb/9KjHv1K5J4V0+Q6C80JDO1gO2l1hJx5FNrqThyNCBhgsr7PAHdv8YEVXTUR7md9BM9gff/jr16Eg5EQZmlEY2aMc7X+qW3mP2MW2Aht3NNrGBjxzXfkzUgoeVyvVUPW50i42f5djxfZKs1LuGCExL1N6uw5weamLR6KlSQH/O7no1ib448QQGaJdGAuZD9AqEO6mec44UE0boTJQyXTQ3C3nQNVN44LqLpkIUwI70q/yiwEkIqoO+jQSGhk6BhDJxXZIlgWfX/q+d3bwkDq3Sic7NU9muotR8BKRSxFW1PA7tc95XIzTpBChaPz/T3P5BRM5h/RcISgjKLx444ZDBOIWRKoazonD7fA==,iv:myG0wbbocAhAl0MT8fKN/jK6WJ/K/64KLGk0rS8rOkM=,tag:lVjxQ8WjjeoCAnIzom4wgg==,type:str] + key: ENC[AES256_GCM,data:ILQorV60NhnZ4l5LO8opZ6cgUyomQRc6Dov7vOHIdvseIL1VdxRDXsWLZb2eM2HzC7V5GjcIlIfSt+HGQ8K7v5vxlYlVwl+8ElMPzxKbHWPidgt5UGxvO2rKWDuLppYc2tAXfkpWmdHs9E5KEcFgeBKWbTRfmTCUC+RqZDT0xlOkWt/RAXPEXDnaBs64rqoLJmMTCtBLw/jXcOLjz1VY+U4DMLuB8CTT1e/4v1jV7/ATOE1qTbsv0M2gO4wj/fVdI5OHNcSsbtjEX2TPTo7Hb9zOFXA4hcbVRWHeoT4VNCQxIyD/Wx0+ab722Zz2EQtN69LSsoFK+rFHMcUlLyRVkQvXxdgq0HxpHtvEUPBNr11jFkivpr0VynACR+LHc5RCju/psUW1RwpP0oO/EEg4ow==,iv:JKmIf7kIKDNvyyZmnMauFq1QruDLePDQ6t943tkQLPE=,tag:+vEXoSFe0jBgioKfWZrO3A==,type:str] + extraArgs: + listen-metrics-urls: http://0.0.0.0:2381 + advertisedSubnets: + - 10.88.0.0/24 + allowSchedulingOnMasters: true +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zucujcrr89pecplrme76f4vxcc05lg3hm8849mmfggvcvcv4ppls7cquw8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwWGN3bk8wOEdJek40MUI1 + c2IyQlZtZEYrMmZUaW5vS2NCTVRhdGxCV0M0CnpoQjJ1K29xMXJFMFM1Nm1iQVdW + SS94cllGbTRDWWVVOXpEVEZxNXlweHcKLS0tIGtlS0xhTE9zTENmQzgxdHcwR3lv + YlFiVElUZEEreGlGZ3NvdlJKQ0NyQXMKTHuhLeE+ebE5q9OyNlTIk6i3TNNE/ygo + RUCOEBntSKIwattjSpdoXZtDS+RQ2gEliIGfBq5L7mn9ntSya1OOMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-15T14:39:41Z" + mac: ENC[AES256_GCM,data:gq9QQYSnjcYQn4eJiHrClTmTY0bqoBvr37pISBWOdhi7DysfOBURWv1/qReENKbUUfn5H0Ox8UyH4rKyXGDFuJgAuz78FWh0zRn+q6jGNBPhtohvIXefVdExAdJurY3PTDq0YhQh8dgIhG/ntv9D7gwKDkg2q2AysM7zM4tu2nM=,iv:P46Bjfxn4d5Vb4P6stdGl2+KOsFtA5WbhDhHOk7ePJg=,tag:FRZ2P1s4L+eXzR9gDywWnA==,type:str] + pgp: [] + encrypted_regex: ^(token|crt|key|id|secret|secretboxEncryptionSecret|ca)$ + version: 3.8.1 diff --git a/kubernetes/main/bootstrap/talos/matchbox/groups/k8s-0.json b/kubernetes/main/bootstrap/talos/matchbox/groups/k8s-0.json index 1c7df5f4d..6804758c4 100644 --- a/kubernetes/main/bootstrap/talos/matchbox/groups/k8s-0.json +++ b/kubernetes/main/bootstrap/talos/matchbox/groups/k8s-0.json @@ -1,7 +1,7 @@ { "id": "k8s-0", "name": "k8s-0", - "profile": "talos-controller", + "profile": "k8s-0-talos-controller", "selector": { "mac": "6C:4B:90:A7:77:BB", "uuid": "ba828200-5a41-11e9-820f-fb7388631500" diff --git a/kubernetes/main/bootstrap/talos/matchbox/profiles/k8s-0-talos-controller.json b/kubernetes/main/bootstrap/talos/matchbox/profiles/k8s-0-talos-controller.json new file mode 100644 index 000000000..300101233 --- /dev/null +++ b/kubernetes/main/bootstrap/talos/matchbox/profiles/k8s-0-talos-controller.json @@ -0,0 +1,21 @@ +{ + "id": "talos-controller", + "name": "talos-controller", + "boot": { + "kernel": "/assets/kernel-amd64", + "initrd": [ + "/assets/initramfs-amd64.xz" + ], + "args": [ + "initrd=initramfs-amd64.xz", + "init_on_alloc=1", + "slab_nomerge", + "pti=on", + "console=tty0", + "console=ttyS0", + "printk.devkmsg=on", + "talos.platform=metal", + "talos.config=http://matchbox.mullan.net.au/assets/controller.yaml" + ] + } +}