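# Talos Linux machine configuration for a control-plane node (schema v1alpha1),
# stored SOPS-encrypted: every value matching `sops.encrypted_regex` is an
# ENC[AES256_GCM,...] blob, and the `sops.mac` covers the values of the whole
# document (encrypted and plaintext alike, which is the SOPS default).
# Edit this file through `sops` so the MAC is recomputed; a hand edit of any
# value outside the `sops:` block, including whitespace inside block scalars,
# is rejected on decrypt. Comments are not part of the MAC.
#
# Indicates the schema used to decode the contents.
version: v1alpha1
# Enable verbose logging to the console.
debug: false
persist: true
# Provides machine specific configuration options.
machine:
  files:
    # https://docs.siderolabs.com/talos/v1.11/configure-your-talos-cluster/images-container-runtime/containerd#set-cdi-plugin-spec-dirs-to-writable-directories
    # Whitespace inside the block scalar below is part of the file content (and
    # of the SOPS MAC); layout follows the Talos documentation example.
    - path: /etc/cri/conf.d/20-customization.part
      op: create
      content: |
        [plugins."io.containerd.cri.v1.runtime"]
          cdi_spec_dirs = ["/var/cdi/static", "/var/cdi/dynamic"]
  # Defines the role of the machine within the cluster.
  type: controlplane
  # The `token` is used by a machine to join the PKI of the cluster.
  token: ENC[AES256_GCM,data:ITwDMqNOEKLGwaQxI1M7zpRYtAAPXF4=,iv:Cak999XF+tBawo2PfL/vGGoXIDlBd6m1HJF3qD2s1U8=,tag:C1yQ/d8yfoD4ayXKELE0VQ==,type:str]
  # The root certificate authority of the PKI.
  # `crt` is the public certificate and is intentionally left in plaintext;
  # only `key` matches the encrypted_regex.
  ca:
    crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBK01pSVRyVExpOEJVQ1k5RWtMaGxhVEFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qVXdPREkwTURVMU9ETXlXaGNOTXpVd09ESXlNRFUxT0RNeVdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQUtwTkIrdjRUSmtJUDVYZnROcHBkMnhSK1RtYVpaSEhVOU1yClhEOWEvbHczbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRkRqTWlnUFFYMTl2TEIzWQpYL0dQcW11UElPd0RNQVVHQXl0bGNBTkJBSEJFMU1jR3poSEM3cVljcVpqVVhETDcxZCtmNm40WE9OMUdqSCt5Cm1UekJlYTIxbjFsMVM2T0lkU1N5RVlJYXptZWFpdHJNTjNQU2l0UU9JTFhVYndrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    key: ENC[AES256_GCM,data:NFS/yfob7lqIC9fWpRFdjx6Ob66Zdf35LEZrdIaSIWkj8c4nMwgdpz8HuF3uHJBxExNJ8S6gay+dx8dFVT+OepI2NKR9HKeSmmqaWgisrD/KeJQ2Tf8nMbVFXSpZqsPFtLxRAwoVbZcIA5zW1t0dyl3yOQTqeVFgeSw/jQalWq0A1aN97TTdxtXkzm0o9O9k8PYEV/qrHK7YO1BTJXNhspUlfJp6RVNMhAr8lRLjzRc+ETRO,iv:XY0P9BfXf1Tar8VZ6vQGJygy9a8ketoVCRY05wcT3RE=,tag:yl/OGV1GotnodEGVMc6bzw==,type:str]
  # Extra certificate subject alternative names for the machine's certificate.
  certSANs:
    - 10.0.2.50
  # Used to provide additional options to the kubelet.
  kubelet:
    # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
    image: ghcr.io/siderolabs/kubelet:v1.35.4
    # Feature gates
    # extraArgs values are handed to the kubelet as strings; `true` below is a
    # YAML boolean that the loader coerces, so quote it (`"true"`) on the next
    # sops edit to make the intent explicit.
    extraArgs:
      # https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
      feature-gates: EnvFiles=true
      rotate-server-certificates: true
    # Enable container runtime default Seccomp profile.
    defaultRuntimeSeccompProfileEnabled: true
    # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
    disableManifestsDirectory: true
  # Used to provide instructions for installations.
  install:
    # The disk used for installations.
    disk: /dev/nvme0n1
    # renovate: datasource=docker depName=ghcr.io/siderolabs/installer
    # Image Factory schematic with a SecureBoot-signed installer; the hash in the
    # path identifies the schematic (extensions/kernel args), not the image digest.
    image: factory.talos.dev/metal-installer-secureboot/056d8e12ba2b9711c613665c43f0ebf86eb451839a22f360a42110362f84faa1:v1.12.6
    # Indicates if the installation disk should be wiped at installation time.
    wipe: true
  # Used to configure the machine's container image registry mirrors.
  registries: {}
  # Machine system disk encryption configuration.
  systemDiskEncryption:
    # State partition encryption.
    state:
      # Encryption provider to use for the encryption.
      provider: luks2
      # Defines the encryption keys generation and storage method.
      keys:
        # Key slot number for LUKS2 encryption.
        - slot: 0
          # Enable TPM based disk encryption.
          tpm: {}
    # Ephemeral partition encryption.
    ephemeral:
      # Encryption provider to use for the encryption.
      provider: luks2
      # Defines the encryption keys generation and storage method.
      keys:
        # Key slot number for LUKS2 encryption.
        - slot: 0
          # Enable TPM based disk encryption.
          tpm: {}
  # Features describe individual Talos features that can be switched on or off.
  features:
    # Enable role-based access control (RBAC).
    rbac: true
    # Enable stable default hostname.
    stableHostname: true
    # Enable checks for extended key usage of client certificates in apid.
    apidCheckExtKeyUsage: true
    # Enable XFS project quota support for EPHEMERAL partition and user disks.
    diskQuotaSupport: true
    # KubePrism - local proxy/load balancer on defined port that will distribute
    kubePrism:
      # Enable KubePrism support - will start local load balancing proxy.
      enabled: true
      # KubePrism port.
      port: 7445
    # Configures host DNS caching resolver.
    hostDNS:
      # Enable host DNS caching resolver.
      enabled: true
      # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
      forwardKubeDNSToHost: true
    # Configures the node labels for the machine.
    # NOTE: `nodeLabels` belongs directly under `machine`, not under `features`;
    # move it up one level before uncommenting.
    # nodeLabels:
    #   node.kubernetes.io/exclude-from-external-load-balancers: ""
    # https://github.com/home-operations/tuppr?tab=readme-ov-file#installation
    # Grants `os:admin` on the Talos API to service accounts in the
    # `system-upgrade` namespace. That role is full control of the node from
    # inside the cluster, so keep the namespace list minimal and RBAC on that
    # namespace tight.
    kubernetesTalosAPIAccess:
      allowedKubernetesNamespaces:
        - system-upgrade
      allowedRoles:
        - os:admin
      enabled: true
# Provides cluster specific configuration options.
cluster:
  # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
  id: hTtC30_7eyWphfHBFAArhsEuNEAPb-V_yjWMMUb8pac=
  # Shared secret of cluster (base64 encoded random 32 bytes).
  secret: ENC[AES256_GCM,data:PSVG3m6g9UNZkz3gV8WN34Zch2ZJ2XE4xKVkOD44wqCuUPolJIVhkICS8PY=,iv:O5vLhNjrO2z2+E87niI//vk92loRWUyMJm3JwNk2c64=,tag:/2KWsauk4pk1xEcCTE+QYg==,type:str]
  # Provides control plane specific configuration options.
  controlPlane:
    # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
    endpoint: https://10.0.2.50:6443
  # Configures the cluster's name.
  clusterName: escargatoire
  # Provides cluster specific network configuration options.
  network:
    # No CNI is deployed by Talos; one must be installed separately.
    cni:
      name: none
    # The domain used by Kubernetes DNS.
    dnsDomain: cluster.local
    # The pod subnet CIDR.
    podSubnets:
      - 10.244.0.0/16
    # The service subnet CIDR.
    serviceSubnets:
      - 10.96.0.0/12
  # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
  token: ENC[AES256_GCM,data:X/VjnbX8bxQlPEibFBqXzaBoMnwVrXw=,iv:Jks5AWa/ulhu/7vG9wxNydQDPeEXJSD/RhiQLvFJyS4=,tag:gNJXCTBGSaV1KV1s54KurA==,type:str]
  # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
  secretboxEncryptionSecret: ENC[AES256_GCM,data:mHHxLeKmeEsLFH90LEUE1aiMuH6N2bSJoRClm8NNW1DurBkyuc3sztickts=,iv:54O5F2gYtCJ3IQa4g3oZ2Ng9fiFCaoVBCZNMdRM1vhQ=,tag:IChvkZaZV5MDds/U0JESrw==,type:str]
  # The base64 encoded root certificate authority used by Kubernetes.
  ca:
    crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpVENDQVRDZ0F3SUJBZ0lSQU9NWU1NUnlSQnM3SVlSYVhMV2JOcE13Q2dZSUtvWkl6ajBFQXdJd0ZURVQKTUJFR0ExVUVDaE1LYTNWaVpYSnVaWFJsY3pBZUZ3MHlOVEE0TWpRd05UVTRNekphRncwek5UQTRNakl3TlRVNApNekphTUJVeEV6QVJCZ05WQkFvVENtdDFZbVZ5Ym1WMFpYTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9QUU1CCkJ3TkNBQVRsV1BoM2ZMWHh0ZWorb0JtWU5pY1ZneFpVS3VYRFFkMVF5c200a3FPMFM1OVJIMy9aRGU0V3BqWkMKWE9vZ1RabVNIVk1YWHRDbTVJVERFUzJlOGtEUG8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXdIUVlEVlIwbApCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPCkJCWUVGSy9TZ0ZEZzB6V1pib3U5UExCRVVmamhBT2ZKTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDSUZkc3V0NkYKRHhuYnMzQXdaWVl4d292SHVPeVlvS1BMZ2FvVTV0ZmIrUm5lQWlCUlpaaXhOUW04M1FjUEJELzV0c3hUV0JTOApEZXV2UDlRUnJ1Q3NKY2VRU1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    key: ENC[AES256_GCM,data:zbxh5SnGi5XfMFw9EpBuQXblmVKNDTvHo62oNMwcfiPQ51yZDwm0W4dYsdbacbiQPN7XHGYK1KTMXneQr+ASFs/VHrdnZOToEVg2Ba4g7+L4mCjDw88fgCW3ggFFhA3WHWSokg8SsnPY7COtXEqmXsnHd4tyeTQ04l5F9l86oGQEkoYUz3sQocMKHoZwdUreTVqESUmbVPfqFfSV8O90yQq6oi0+krm8FnaQ06OFTj13G8nQxmehXCVP+zOq+EYQeVux7hGwnfS4eAw+1DbTdVNO796D3Vgs9wMR5rA1zSfCZ+Obasc8E8jV7OOGHl2xpHgQywiGhVur6H04aF14Nled3MjqaU17xHDtaZ7JGPV5JYjeCM4/J9qvYNm79hEG3SxvizJWcrQQo/UQvqmEaQ==,iv:n1DKVRekupK6HdYdSAsGZnVEiZKKJ8u+dhlM+rCG3ZM=,tag:beM+2ydk40kGEhfTSvwmAQ==,type:str]
  # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
  aggregatorCA:
    crt: 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
    key: ENC[AES256_GCM,data:shtXRiQfDv+UXjlICBEzRgxwQNf6IL/V0DQsrznrQ6z2v64I1Yb1oq7FgytlnNHTxsScAkgJ9+GnbgOLqeRABi/IayRPgWoalY35/fqcrwd9VW22DaHpR0EWruWM1C6XmscxarP1uXZA0/1vvW728c57aTV7rUvSWam8fjKBFy2sd6KiyO+CYaT9WYtlzwHHpd2TXPD8lUXMDnELZ4MJJgadMMG4879FP7skFBuoD9Bo0Tn81MJ27szv8D5UZjFWq7oN7vMu9u9idet5k+ckYXm207Ds3kq0Ul8E8AK3WNnMNg5ZDfu8y4frh8BQhdwKonx2QG4o8Qs2lC3I67ibqnPO9CRZOgMZEwD5nWiOi373wusueoqev/pYUzp7HOxXWhin1zZo57TJS0TUSmGu7g==,iv:DPQy4MQ61Q+NQ6//QFHL4Td2HpM9YoV9B3TX/QEHt8A=,tag:M/2/oaTghdReso1XsRkolA==,type:str]
  # The base64 encoded private key for service account token generation.
  serviceAccount:
    key: ENC[AES256_GCM,data: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,iv:IJbeI8/IbwgzdPPB5+aRXMUKKs5/eAvlly27ZJ4nEZc=,tag:B8v7fUEOOsts3YHBS1VZLw==,type:str]
  # API server specific configuration options.
  apiServer:
    # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
    # NOTE(review): the depName above (and on controllerManager/scheduler) points
    # at the Talos kubelet image rather than the component image on the next
    # line. If this is deliberate (keeps all four pinned to a Talos-supported
    # Kubernetes release) leave it; otherwise use the component's own name.
    image: registry.k8s.io/kube-apiserver:v1.35.4
    # Feature gates
    extraArgs:
      # https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
      feature-gates: EnvFiles=true
    # Extra certificate subject alternative names for the API server's certificate.
    certSANs:
      - 10.0.2.50
    # Disable PodSecurityPolicy in the API server and default manifests.
    disablePodSecurityPolicy: true
    # Configure the API server admission plugins.
    admissionControl:
      # Name is the name of the admission controller.
      - name: PodSecurity
        # Configuration is an embedded configuration object to be used as the plugin's
        # configuration. Enforces `baseline` cluster-wide while auditing/warning at
        # `restricted`; only kube-system is exempt.
        configuration:
          # NOTE(review): `pod-security.admission.config.k8s.io/v1` is the GA form
          # of this API; verify the alpha version is still accepted by the pinned
          # kube-apiserver before relying on it.
          apiVersion: pod-security.admission.config.k8s.io/v1alpha1
          defaults:
            audit: restricted
            audit-version: latest
            enforce: baseline
            enforce-version: latest
            warn: restricted
            warn-version: latest
          exemptions:
            namespaces:
              - kube-system
            runtimeClasses: []
            usernames: []
          kind: PodSecurityConfiguration
    # Configure the API server audit policy.
    # A single catch-all rule: every request is logged at Metadata level (who,
    # what, when, response code) without request/response bodies.
    auditPolicy:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
        - level: Metadata
  # Controller manager server specific configuration options.
  controllerManager:
    # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
    image: registry.k8s.io/kube-controller-manager:v1.35.4
    extraArgs:
      # Needed for metrics. Binding to 0.0.0.0 exposes the secure port on every
      # node interface; it stays authenticated/RBAC-authorized, but restrict it
      # at the network layer if the node is reachable from untrusted segments.
      bind-address: 0.0.0.0
  # Kube-proxy server-specific configuration options
  proxy:
    # Do not deploy the kube-proxy manifest. With `cni.name: none` above the
    # separately installed CNI is expected to provide Service load balancing.
    disabled: true
  # Scheduler server specific configuration options.
  scheduler:
    # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
    image: registry.k8s.io/kube-scheduler:v1.35.4
    extraArgs:
      # Needed for metrics; same exposure consideration as the controller manager.
      bind-address: 0.0.0.0
  # Configures cluster member discovery.
  discovery:
    # Enable the cluster membership discovery feature.
    enabled: true
    # Configure registries used for cluster member discovery.
    registries:
      # Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
      kubernetes:
        # Disable Kubernetes discovery registry.
        disabled: true
      # Service registry is using an external service to push and pull information about cluster members.
      service: {}
  # Etcd specific configuration options.
  etcd:
    # The `ca` is the root certificate authority of the PKI.
    ca:
      crt: 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
      key: ENC[AES256_GCM,data:LeRyNeTkrNwnqcccnQiouH4liLzpm8m6HkeofNXjv7K6Atp49P4m+2P7tRLG9MRvVU17OUT1yX9tC7OiOfN5JkVDLc0EUWr9ntLjOL8HQTr38RuOH0whmtA/gB6ko7KRLsaFhp+32r9yioAMriwcKttqcdVO49jWtauHsA906z2LeK9lELYXX+U0Zpc7cYuNyURrw49nS3xCzq2iT3JV4ohgW3M7TB+g54h2lWBh+84UqTW0sTiih47tFsnm/RyhJyHmhJldr0y9z7fzMzzJz40eY9//22wGsFldSQ3O05aBhb0RJWrWLmGPxVO95aZZXK0hBphOjlqXhhMyQPqlzx68f9snZgTKy/VR3qRWjVO71DvJrjUUoOcvkvdnlfqFUpxoW7eH4k0Thi2bZNSUyQ==,iv:Im80P91UgREGuIKqs+uAxba7W0FQG+bnIJiLpR4nr3M=,tag:rv2bBCXkGbmQQhZqDmlGgg==,type:str]
    # extraArgs:
    #   # For etcd metrics endpoint (plaintext HTTP on all interfaces if enabled)
    #   listen-metrics-urls: http://0.0.0.0:2381
  # A list of urls that point to additional manifests.
  extraManifests: []
  # A list of inline Kubernetes manifests.
  inlineManifests: []
  # Allows running workload on control-plane nodes.
  allowSchedulingOnControlPlanes: true
# SOPS metadata: managed by the sops tool, never edited by hand.
sops:
  age:
    - recipient: age1dm2uej5x6cpvclx7azp5h3ez4dp5kdggx6a30eqf0uul2deead9q2w29sf
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvNmVLUkZ6Uld3ZkhKQjg2
        akZiN3dwVjFuZkx6MXlDTzV5b1VISlRlcDFJCmowbHY5dWFOM0ZucG1HSDB6bGMz
        RGpRT1FCZXUwcGVyK0Z3U2ZEaWU5c2MKLS0tIGJxcktyZTRFQ0ZsL0Q5MEsrWjN2
        QUxGMFNzK2Fsemx6TnVXOVl6MDllV28Kt6Il+7YNc+EzPHb7G0t2HwdNE3I+iDXO
        9uqW33Cjq2fnSzGBU3lHZTXMgRHXvh9L6ODiQ7bXpocK6WQUHQ/0Ow==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-12-29T18:37:49Z"
  mac: ENC[AES256_GCM,data:N6L52GM870fF27veOY6IPp7ezwyt7oZgYOFghsT/aa5gHaa6Z9Bo8IZH7GAjVFtu8Q1/GF973D+U6HGfFd22rqY9I6mFuV51vuU1ZX+Igb5Kle2Y4l13gb63asSKBeaAhvK4rOsj1aJg2WsKaDmqQy4SOr66Q5W8I0sM/26PIvk=,iv:+vAcCNPseETOwucoFFrV4QC7MxY2UeWlXXniwFVVPrY=,tag:ddSje6d6Nnu/T/HoNneLjw==,type:str]
  # Only keys matching this regex are encrypted; public certs (`crt`) and the
  # cluster `id` are deliberately left readable.
  encrypted_regex: ^(secret|bootstraptoken|secretboxEncryptionSecret|token|key|password)$
  version: 3.11.0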