-
Notifications
You must be signed in to change notification settings - Fork 1
/
example.yaml
68 lines (66 loc) · 4.71 KB
/
example.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
cluster:
name: my-cluster # The name of the cluster. The domain is appended to this to form a FQDN.
domain: example.com # The network domain that the cluster resides in, used for all nodes (optional)
secrets: secrets/my-cluster/secrets.yaml # Cluster secrets file. Generate one with `talosctl gen secrets`.
cilium: # Specify additional configuration for the Cilium installation (optional)
metrics: false # Enable cilium-agent and cilium-operator metrics (optional)
hubble: # Configure Cilium Hubble (optional)
enabled: false # Enable Hubble with Hubble UI
metrics: false # Enable Hubble metrics collection (optional)
hardening: # Hardening options for Cilium (optional)
enabled: true # Harden the Cilium installation: all permitted traffic must have a matching NetworkPolicy
# Start in audit mode: NetworkPolicy violations (including lack of policies) will be logged instead of denied
# IMPORTANT: NetworkPolicies MUST be configured to permit API access to the cluster before switching this to
# false, otherwise the cluster will be rendered INACCESSIBLE! Production deployments MUST set this to false,
# otherwise NetworkPolicies will NOT BE ENFORCED!
audit-mode: true
gateway-api: # Configure Cilium Gateway API support (optional)
# Enable Gateway API support, note that the CRDs must still be installed separately according to
# https://docs.cilium.io/en/latest/network/servicemesh/gateway-api/gateway-api/
enabled: false
# Enable host network mode, this allows Envoy to bind directly to host ports
# (in the style of NodePort) without requiring a LoadBalancer service (optional)
host-network: false
privileged-ports: false # Allow Envoy to bind to ports <1024 when using Gateway API (optional)
sops: my-cluster.example.com # GPG ID/fingerprint of Mozilla SOPS key (https://github.com/mozilla/sops) (optional)
flux: # Configuration for Flux (GitOps) (optional)
# Install specific (extra) Flux components, see https://fluxcd.io/flux/components/ for details
components: source-controller,kustomize-controller # (optional)
components-extra: image-reflector-controller,image-automation-controller # (optional)
all-namespaces: true # Set to "false" to make Flux only watch the installation namespace (optional)
ssh: # Bootstrap Flux in SSH mode, otherwise, install without configuration (optional)
url: ssh://[email protected]/my-cluster/flux # The source repository and path for Flux to track
branch: master # The branch in the repository for Flux to track
# Flux SSH key file for accessing the configuration repo. Generate with `ssh-keygen`.
key: secrets/my-cluster/flux.key
# Specify a customized installation image, for example, from https://factory.talos.dev/ (optional).
# Applied to all nodes. If no tag is given, the CLI version is used, enabling automatic upgrades.
image: factory.talos.dev/installer-secureboot/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba
patches: # Any cluster-wide patches to apply when creating the configuration with `talosctl gen config` (optional)
# Patch options can either be inline like described in
# https://www.talos.dev/latest/talos-guides/configuration/patching/#configuration-patching-with-talosctl-cli
# or loaded from a file by prefixing a path relative to the repository root with an @ character.
- '[{"op": "add", "path": "/machine/network/hostname", "value": "worker1"}]'
- "@patch/example.yaml"
# Kustomization directory for additional manifests to be applied into the cluster (optional)
manifests: manifests/my-cluster
controlplane:
record: my-cluster-control-plane # The control plane IP or DNS record. The domain is appended to this to form a FQDN.
# Use the record above as the Talos API endpoint instead of the control plane node addresses, for remote clusters.
# Do NOT use with Talos VIP, see https://www.talos.dev/latest/introduction/prodnotes/#load-balancing-the-talos-api
record-as-endpoint: false # (optional)
patches: # Patches to apply to all control plane nodes (optional)
- "@patch/example.yaml"
nodes: # Addresses of the control plane nodes. DNS names are recommended, but static IPs should work as well.
talos-master-1: # Node-specific patches can be applied here as a list (optional)
- "@patch/example.yaml"
talos-master-2:
talos-master-3:
worker:
patches: # Patches to apply to all worker nodes (optional)
- "@patch/example.yaml"
nodes: # Addresses of the worker nodes. DNS names are recommended, but static IPs should work as well. (optional)
talos-worker-1: # Node-specific patches can be applied here as a list (optional)
- "@patch/example.yaml"
talos-worker-2:
talos-worker-3: