diff --git a/.github/renovate/autoMerge.json5 b/.github/renovate/autoMerge.json5 index 4af40537e2..074927e8aa 100644 --- a/.github/renovate/autoMerge.json5 +++ b/.github/renovate/autoMerge.json5 @@ -1,4 +1,5 @@ { + "$schema": "https://docs.renovatebot.com/renovate-schema.json", "packageRules": [ { "description": "Auto Merge GitHub Actions", diff --git a/.github/renovate/commitMessage.json5 b/.github/renovate/commitMessage.json5 index a69173fec6..3fea628721 100644 --- a/.github/renovate/commitMessage.json5 +++ b/.github/renovate/commitMessage.json5 @@ -1,4 +1,5 @@ { + "$schema": "https://docs.renovatebot.com/renovate-schema.json", "commitMessageTopic": "{{depName}}", "commitMessageExtra": "to {{newVersion}}", "commitMessageSuffix": "", diff --git a/.github/renovate/labels.json5 b/.github/renovate/labels.json5 index 70cd2bbcb5..19617ae542 100644 --- a/.github/renovate/labels.json5 +++ b/.github/renovate/labels.json5 @@ -1,4 +1,5 @@ { + "$schema": "https://docs.renovatebot.com/renovate-schema.json", "packageRules": [ { "matchUpdateTypes": ["major"], diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml index 73dab71fe1..bbb5d46bee 100644 --- a/.github/workflows/flux-diff.yaml +++ b/.github/workflows/flux-diff.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Flux: Diff" on: diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 847fe5fc0a..3aebab15c0 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Lint" on: diff --git a/.github/workflows/oidc.yaml b/.github/workflows/oidc.yaml index 3a9ee2f401..5b47b6c5bb 100644 --- a/.github/workflows/oidc.yaml +++ b/.github/workflows/oidc.yaml 
@@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Example: GCP Workload identity Federation" on: diff --git a/.github/workflows/publish-cluster-oci.yaml b/.github/workflows/publish-cluster-oci.yaml index bc6dc0134a..26f86f7033 100644 --- a/.github/workflows/publish-cluster-oci.yaml +++ b/.github/workflows/publish-cluster-oci.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Publish OCI artifact" on: diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml index 0d4207dc30..e69e6cbdda 100644 --- a/.github/workflows/publish-docs.yaml +++ b/.github/workflows/publish-docs.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Docs: Release to GitHub pages" on: diff --git a/.github/workflows/publish-kubernetes-schemas.yaml b/.github/workflows/publish-kubernetes-schemas.yaml index 5f6188f1d3..c8f5c44988 100644 --- a/.github/workflows/publish-kubernetes-schemas.yaml +++ b/.github/workflows/publish-kubernetes-schemas.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json # This Github Action is responsible for publishing Kubernetes schemas to an OCI registry. # It is triggered by a push to the main branch, a weekly schedule, or a manual dispatch. name: "Publish Kubernetes Schemas" diff --git a/.github/workflows/schedule-renovate.yaml b/.github/workflows/schedule-renovate.yaml index c5454da0df..1126e3d2c7 100644 --- a/.github/workflows/schedule-renovate.yaml +++ b/.github/workflows/schedule-renovate.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Schedule: Renovate" on: 
@@ -24,13 +26,13 @@ on: - ".github/renovate/*" env: - LOG_LEVEL: debug - RENOVATE_DRY_RUN: false + LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}" + RENOVATE_DRY_RUN: "${{ inputs.dryRun == true }}" RENOVATE_PLATFORM: github RENOVATE_PLATFORM_COMMIT: true - RENOVATE_ONBOARDING_CONFIG_FILE_NAME: .github/renovate.json5 RENOVATE_AUTODISCOVER: true RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}" + WORKFLOW_RENOVATE_VERSION: "${{ inputs.version || 'latest' }}" RENOVATE_USERNAME: "${{ secrets.BOT_USERNAME }}[bot]" RENOVATE_GIT_AUTHOR: "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_USER_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>" @@ -41,11 +43,6 @@ jobs: - name: Checkout uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - - name: Override default config from dispatch variables - run: | - echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" >> "${GITHUB_ENV}" - echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "${GITHUB_ENV}" - - name: Validate Renovate Configuration uses: suzuki-shunsuke/github-action-renovate-config-validator@b54483862375f51910a60c4f498e927d4f3df466 # v1.0.1 @@ -61,3 +58,4 @@ jobs: with: configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}" token: "x-access-token:${{ steps.generate-token.outputs.token }}" + renovate-version: "${{ env.WORKFLOW_RENOVATE_VERSION }}" diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 16a40ba793..e75fbe0315 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Terraform: Plan And Apply" on: diff --git a/.github/workflows/test-e2e.yaml b/.github/workflows/test-e2e.yaml index 81cd700b62..0c0b75e044 100644 --- a/.github/workflows/test-e2e.yaml +++ b/.github/workflows/test-e2e.yaml 
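Review bot: `RENOVATE_DRY_RUN: "${{ inputs.dryRun == true }}"` in the `env:` block only evaluates to `true` when `inputs.dryRun` is a real boolean, so it fails open if the dispatch input is not declared with `type: boolean`: a requested dry run would then execute as a live run with the bot token. The `workflow_dispatch` input declaration sits above this hunk and is not visible here, so this needs confirming rather than being a known defect. If the input is, or could later become, a string or choice, compare against the string form as well, e.g. `RENOVATE_DRY_RUN: "${{ inputs.dryRun == true || inputs.dryRun == 'true' }}"`. A short comment that scheduled and push runs carry no inputs and therefore resolve to `false` would also help the next reader.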
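Review bot: `renovate-version: "${{ env.WORKFLOW_RENOVATE_VERSION }}"` resolves to `latest` on every scheduled and push run, because the `env:` hunk earlier in this file defaults it with `inputs.version || 'latest'`. The actions visible in this diff are pinned to commit SHAs, yet this step then runs whatever Renovate build is currently tagged `latest`, and it does so with the generated app token. Consider defaulting to an explicit version that Renovate itself can bump, e.g. `WORKFLOW_RENOVATE_VERSION: "${{ inputs.version || '<pinned-renovate-version>' }}"`, and keeping `latest` as an opt-in dispatch value. The step's `uses:` line is outside this hunk, so where the image is pulled from is not visible here.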
@@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: "Flux: Run E2E Tests In KIND" on: diff --git a/kubernetes/namespaces/base/kube-system/cilium/app/1.14.x.yaml b/kubernetes/namespaces/base/kube-system/cilium/app/1.14.x.yaml index 048c2a560e..74bae04398 100644 --- a/kubernetes/namespaces/base/kube-system/cilium/app/1.14.x.yaml +++ b/kubernetes/namespaces/base/kube-system/cilium/app/1.14.x.yaml @@ -36,9 +36,9 @@ imagePullSecrets: # @default -- `"~/.kube/config"` # kubeConfigPath: "" # -- (string) Kubernetes service host -k8sServiceHost: 192.168.50.200 +k8sServiceHost: localhost # -- (string) Kubernetes service port -k8sServicePort: 6443 +k8sServicePort: 7445 cluster: # -- Name of the cluster. Only required for Cluster Mesh and mutual authentication with SPIRE. diff --git a/talos/generated/controlplane.enc.yaml b/talos/generated/controlplane.enc.yaml index 348c9f690e..1bd4d01dec 100644 --- a/talos/generated/controlplane.enc.yaml +++ b/talos/generated/controlplane.enc.yaml 
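Review bot: `k8sServiceHost: localhost` with `k8sServicePort: 7445` makes every Cilium agent depend on a node-local API proxy, and nothing in this values file says so. The controlplane machine config in this commit enables `kubePrism` on port 7445, but the worker machine config is not part of the visible diff; if workers do not enable it as well, agents there would have no reachable API endpoint, which is worth confirming. I would add a comment above the two keys, e.g. `# KubePrism (Talos) node-local API proxy; must match machine.features.kubePrism.port on every node`.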
@@ -2,18 +2,17 @@ version: v1alpha1 # Enable verbose logging to the console. debug: false -# Indicates whether to pull the machine config upon every boot. -persist: false +persist: true # Provides machine specific configuration options. machine: # Defines the role of the machine within the cluster. type: controlplane # The `token` is used by a machine to join the PKI of the cluster. - token: ENC[AES256_GCM,data:XMAISKw7wqjtIMIg8XsEfKHAJhd1mt0=,iv:ew8C5kzmOeFFwBAcX9VtUy0a7kTvE7Q7NGI4M/HFQ4s=,tag:9TMIfydfyykLqoZQoW7uaQ==,type:str] + token: ENC[AES256_GCM,data:4zHVZ+PVq6TvXShJweJrDYnYjE9UbLM=,iv:ulQklHjrcS0qPUhLwBGplu0P4PZy3XIiQQvEs9A1XR8=,tag:tpmGlmJFZHsH+uZi7gYn1g==,type:str] # The root certificate authority of the PKI. ca: - crt: ENC[AES256_GCM,data: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,iv:YLtFChDbt+S5GXbBomTkUZe/8SBXTygNSIN7iKDProA=,tag:wD1ZJQRLY0Fy8PEcmNOlmQ==,type:str] - key: ENC[AES256_GCM,data:5NSFGzkNBrY18KvtXPOt8R9Ia071nJDEgAwaE2av1fjl4HMHmzZgYISBTOyscF1DPiq4tMR6mpXsrzL2owUAAsmwy0fErwIGsLiYp92dqPrtRAeOO9oPpW667E9A581ZYj8AWWUTj9b8cArdDEIn5VQcHxWzmyCjzLghmo4A8Wh3+TRBQa8qrvjNGiBQAckor3dLOChAGyMYOaNPtfETfnNdbtsF2uq4KjcrfTT3VYhJTNmj,iv:ehyNWa+w/WWSfzb3APudLhaw6Inhv1JmEUIyk1PBKBo=,tag:pJqbz7mOAB7+L60hXsGHNA==,type:str] + crt: ENC[AES256_GCM,data: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,iv:nASrFmBSutCuKbl0PAmu292qYycSMZColvl+f60dd2c=,tag:joWNIfBRQmbrk1+f4FTWlQ==,type:str] + key: ENC[AES256_GCM,data:3taG0gwR0Jic0l63C8To7mKLag1aweWlOemZZ27UZn9UEsxWpZiNakvWv6WMsnV1t7K7XmZBueuX8tFV6MBoXakEqBfIHp8Dsc+Btp8MbPj8A/xuksZt2ZV86BKVCg6xSsbT8yoakyLBnZOoWvLJk+BcxNoFAZO0W/CkZ4CdbfFvLYvxGLcHZqKenPRrF0dVROOQnAXLOUzNjjWqJWC1r2gVGQav0NVxrgd7NPbHPsEBCmQ8,iv:E68fcfasFZ/DaWejAo09s4hXBgYZOpQaa33hjp8/jsk=,tag:f9N67GTNxTu5yqSPZf6oJg==,type:str] # Extra certificate subject alternative names for the machine's certificate. certSANs: - api.raspbernetes.com 
@@ -22,7 +21,7 @@ machine: # Used to provide additional options to the kubelet. kubelet: # The `image` field is an optional reference to an alternative kubelet image. - image: ghcr.io/siderolabs/kubelet:v1.28.2 + image: ghcr.io/siderolabs/kubelet:v1.29.3 # Enable container runtime default Seccomp profile. defaultRuntimeSeccompProfileEnabled: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. @@ -36,9 +35,10 @@ machine: # key: value # # The `extraMounts` field is used to add additional mounts to the kubelet container. # extraMounts: - # - destination: /var/lib/example - # type: bind - # source: /var/lib/example + # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. + # type: bind # Type specifies the mount kind. + # source: /var/lib/example # Source specifies the source path of the mount. + # # Options are fstab style mount options. # options: # - bind # - rshared @@ -46,6 +46,20 @@ machine: # # The `extraConfig` field is used to provide kubelet configuration overrides. # extraConfig: # serverTLSBootstrap: true + # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. + # credentialProviderConfig: + # apiVersion: kubelet.config.k8s.io/v1 + # kind: CredentialProviderConfig + # providers: + # - apiVersion: credentialprovider.kubelet.k8s.io/v1 + # defaultCacheDuration: 12h + # matchImages: + # - '*.dkr.ecr.*.amazonaws.com' + # - '*.dkr.ecr.*.amazonaws.com.cn' + # - '*.dkr.ecr-fips.*.amazonaws.com' + # - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov' + # - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov' + # name: ecr-credential-provider # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. # nodeIP: # # The `validSubnets` field configures the networks to pick kubelet node IP from. 
@@ -77,24 +91,34 @@ machine: # # deviceSelector: # # hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard. # # driver: virtio # Kernel driver, supports matching by wildcard. + # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver. + # # deviceSelector: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard. + # # driver: virtio # Kernel driver, supports matching by wildcard. # # # Bond specific options. # # bond: # # # The interfaces that make up the bond. # # interfaces: - # # - eth0 - # # - eth1 + # # - enp2s0 + # # - enp2s1 + # # # Picks a network device using the selector. + # # deviceSelectors: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard. + # # driver: virtio # Kernel driver, supports matching by wildcard. # # mode: 802.3ad # A bond option. # # lacpRate: fast # A bond option. # # # Bridge specific options. # # bridge: # # # The interfaces that make up the bridge. # # interfaces: - # # - eth0 - # # - eth1 + # # - enxda4042ca9a51 + # # - enxae2a6774c259 # # # A bridge option. # # stp: # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled. - # # # Indicates if DHCP should be used to configure the interface. + # Indicates if DHCP should be used to configure the interface. dhcp: true # # # DHCP specific options. # # dhcpOptions: 
@@ -117,13 +141,13 @@ machine: # # # Specifies a list of peer configurations to apply to a device. # # peers: # # - publicKey: ABCDEF... # Specifies the public key of this peer. - # # endpoint: 192.168.1.2 # Specifies the endpoint of this peer entry. + # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry. # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer. # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. # # allowedIPs: # # - 192.168.1.0/24 # # # Virtual (shared) IP address configuration. - # # # layer2 vip example + # layer2 vip example vip: # Specifies the IP address to be used. ip: 192.168.50.200 @@ -144,11 +168,9 @@ machine: # Used to provide instructions for installations. install: # The disk used for installations. - disk: /dev/sda + disk: /dev/mmcblk0 # Allows for supplying the image used to perform the installation. - image: ghcr.io/siderolabs/installer:v1.5.5 - # Indicates if a bootloader should be installed. - bootloader: true + image: ghcr.io/siderolabs/installer:v1.6.7 # Indicates if the installation disk should be wiped at installation time. wipe: true # # Look up disk using disk attributes like model, size, serial and others. @@ -165,7 +187,7 @@ machine: # - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image. # Used to configure the machine's container image registry mirrors. registries: {} - # # Specifies mirror configuration for each registry. + # # Specifies mirror configuration for each registry host namespace. # mirrors: # ghcr.io: # # List of endpoints (URLs) for registry mirrors to use. 
@@ -196,6 +218,14 @@ machine: stableHostname: true # Enable checks for extended key usage of client certificates in apid. apidCheckExtKeyUsage: ENC[AES256_GCM,data:xivlXQ==,iv:Cxw+IQaDkLxo+Ex0VE+odvSWadqZeP42xjai5VmBqa4=,tag:E12SBpJ3Asq+gM995PQnZg==,type:bool] + # Enable XFS project quota support for EPHEMERAL partition and user disks. + diskQuotaSupport: true + # KubePrism - local proxy/load balancer on defined port that will distribute + kubePrism: + # Enable KubePrism support - will start local load balacing proxy. + enabled: true + # KubePrism port. + port: 7445 # Configure Talos API access from Kubernetes pods. kubernetesTalosAPIAccess: # Enable Talos API access from Kubernetes pods. 
@@ -206,131 +236,134 @@ machine: # The list of Kubernetes namespaces Talos API access is available from. allowedKubernetesNamespaces: - kube-system + # # Provides machine specific control plane configuration options. + # # ControlPlane definition example. + # controlPlane: + # # Controller manager machine specific configuration options. + # controllerManager: + # disabled: false # Disable kube-controller-manager on the node. + # # Scheduler machine specific configuration options. + # scheduler: + # disabled: true # Disable kube-scheduler on the node. + # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. + # # nginx static pod. + # pods: + # - apiVersion: v1 + # kind: pod + # metadata: + # name: nginx + # spec: + # containers: + # - image: nginx + # name: nginx + # # Used to partition, format and mount additional disks. + # # MachineDisks list example. + # disks: + # - device: /dev/sdb # The name of the disk to use. + # # A list of partitions to create on the disk. + # partitions: + # - mountpoint: /var/mnt/extra # Where to mount the partition. + # + # # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk. + # # # Human readable representation. + # # size: 100 MB + # # # Precise value in bytes. + # # size: 1073741824 + # # Allows the addition of user specified files. + # # MachineFiles usage example. + # files: + # - content: '...' # The contents of the file. + # permissions: 0o666 # The file's permissions in octal. + # path: /tmp/file.txt # The path of the file. + # op: append # The operation to use + # # The `env` field allows for the addition of environment variables. + # # Environment variables definition examples. 
+ # env: + # GRPC_GO_LOG_SEVERITY_LEVEL: info + # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" + # https_proxy: http://SERVER:PORT/ + # env: + # GRPC_GO_LOG_SEVERITY_LEVEL: error + # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ + # env: + # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ + # # Used to configure the machine's time settings. + # # Example configuration for cloudflare ntp server. + # time: + # disabled: false # Indicates if the time service is disabled for the machine. + # # Specifies time (NTP) servers to use for setting the system time. + # servers: + # - time.cloudflare.com + # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. + # # Used to configure the machine's sysctls. + # # MachineSysctls usage example. + # sysctls: + # kernel.domainname: talos.dev + # net.ipv4.ip_forward: "0" + # net/ipv6/conf/eth0.100/disable_ipv6: "1" + # # Used to configure the machine's sysfs. + # # MachineSysfs usage example. + # sysfs: + # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance + # # Machine system disk encryption configuration. + # systemDiskEncryption: + # # Ephemeral partition encryption. + # ephemeral: + # provider: luks2 # Encryption provider to use for the encryption. + # # Defines the encryption keys generation and storage method. + # keys: + # - # Deterministically generated key from the node UUID and PartitionLabel. + # nodeID: {} + # slot: 0 # Key slot number for LUKS2 encryption. + # + # # # KMS managed encryption key. + # # kms: + # # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key. + # + # # # Cipher kind to use for the encryption. Depends on the encryption provider. + # # cipher: aes-xts-plain64 + # # # Defines the encryption sector size. + # # blockSize: 4096 + # # # Additional --perf parameters for the LUKS2 encryption. + # # options: + # # - no_read_workqueue + # # - no_write_workqueue + # # Configures the udev system. 
+ # udev: + # # List of udev rules to apply to the udev system + # rules: + # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" + # # Configures the logging system. + # logging: + # # Logging destination. + # destinations: + # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". + # format: json_lines # Logs format. + # # Configures the kernel. + # kernel: + # # Kernel modules to load. + # modules: + # - name: brtfs # Module name. + # # Configures the seccomp profiles for the machine. + # seccompProfiles: + # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. + # # The `value` field is used to provide the seccomp profile. + # value: + # defaultAction: SCMP_ACT_LOG + # # Configures the node labels for the machine. + # # node labels example. + # nodeLabels: + # exampleLabel: exampleLabelValue + # # Configures the node taints for the machine. Effect is optional. + # # node taints example. + # nodeTaints: + # exampleTaint: exampleTaintValue:NoSchedule # Provides cluster specific configuration options. cluster: - # # Provides machine specific control plane configuration options. - # # ControlPlane definition example. - # controlPlane: - # # Controller manager machine specific configuration options. - # controllerManager: - # disabled: false # Disable kube-controller-manager on the node. - # # Scheduler machine specific configuration options. - # scheduler: - # disabled: true # Disable kube-scheduler on the node. - # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. - # # nginx static pod. - # pods: - # - apiVersion: v1 - # kind: pod - # metadata: - # name: nginx - # spec: - # containers: - # - image: nginx - # name: nginx - # # Used to partition, format and mount additional disks. - # # MachineDisks list example. - # disks: - # - device: /dev/sdb # The name of the disk to use. 
- # # A list of partitions to create on the disk. - # partitions: - # - mountpoint: /var/mnt/extra # Where to mount the partition. - # - # # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk. - # # # Human readable representation. - # # size: 100 MB - # # # Precise value in bytes. - # # size: 1073741824 - # # Allows the addition of user specified files. - # # MachineFiles usage example. - files: - # https://www.talos.dev/v1.4/talos-guides/configuration/containerd/#exposing-metrics - - content: | - [metrics] - address = "0.0.0.0:11234" - path: /etc/cri/conf.d/20-customization.part - op: create - # - content: '...' # The contents of the file. - # permissions: 0o666 # The file's permissions in octal. - # path: /tmp/file.txt # The path of the file. - # op: append # The operation to use - # # The `env` field allows for the addition of environment variables. - # # Environment variables definition examples. - # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: info - # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" - # https_proxy: http://SERVER:PORT/ - # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: error - # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ - # env: - # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ - # # Used to configure the machine's time settings. - # # Example configuration for cloudflare ntp server. - # time: - # disabled: false # Indicates if the time service is disabled for the machine. - # # Specifies time (NTP) servers to use for setting the system time. - # servers: - # - time.cloudflare.com - # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. - # # Used to configure the machine's sysctls. - # # MachineSysctls usage example. - # sysctls: - # kernel.domainname: talos.dev - # net.ipv4.ip_forward: "0" - # # Used to configure the machine's sysfs. - # # MachineSysfs usage example. 
- # sysfs: - # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance - # # Machine system disk encryption configuration. - # systemDiskEncryption: - # # Ephemeral partition encryption. - # ephemeral: - # provider: luks2 # Encryption provider to use for the encryption. - # # Defines the encryption keys generation and storage method. - # keys: - # - # Deterministically generated key from the node UUID and PartitionLabel. - # nodeID: {} - # slot: 0 # Key slot number for LUKS2 encryption. - # - # # # Cipher kind to use for the encryption. Depends on the encryption provider. - # # cipher: aes-xts-plain64 - # # # Defines the encryption sector size. - # # blockSize: 4096 - # # # Additional --perf parameters for the LUKS2 encryption. - # # options: - # # - no_read_workqueue - # # - no_write_workqueue - # # Configures the udev system. - # udev: - # # List of udev rules to apply to the udev system - # rules: - # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" - # # Configures the logging system. - # logging: - # # Logging destination. - # destinations: - # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". - # format: json_lines # Logs format. - # # Configures the kernel. - # kernel: - # # Kernel modules to load. - # modules: - # - name: brtfs # Module name. - # # Configures the seccomp profiles for the machine. - # seccompProfiles: - # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. - # # The `value` field is used to provide the seccomp profile. - # value: - # defaultAction: SCMP_ACT_LOG - # # Configures the node labels for the machine. - # # node labels example. - # nodeLabels: - # exampleLabel: exampleLabelValue # Globally unique identifier for this cluster (base64 encoded random 32 bytes). - id: Uyj95Xbi-Vzyb69hSO_bUc7dyGSKO-Pz-vWsrNHz_as= + id: v-bEFwPI9So3weaq5tJIdzKIwzL2CrvK4-Qrc4CGRIs= # Shared secret of cluster (base64 encoded random 32 bytes). 
- secret: ENC[AES256_GCM,data:M0NlNSnSERLim/B77kl6RF/ufaQlEOWZ3toV38iccXOcp3e5Emay5z2DbzE=,iv:wSUQ11+hQ6uwNikLr8lDJ8rXvCJ8KBSg8AShYiXHndY=,tag:M4uW02TQlT4JLQQOcVQs8Q==,type:str] + secret: ENC[AES256_GCM,data:n9QSCg7a7lyelBzYak53f1G777ql6D6z9Ac6VJN26yqSq5sDLDXGV2RltyY=,iv:lmJG3qCkgXbE9K5azvX0AXJWS+tR7O81sJa9o4E123k=,tag:8PfLPtAXGdrUf6RBIsXlAw==,type:str] # Provides control plane specific configuration options. controlPlane: # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. 
@@ -355,24 +388,24 @@ cluster: urls: - https://raw.githubusercontent.com/xUnholy/k8s-gitops/main/talos/integrations/cilium/cilium.yaml # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. - token: ENC[AES256_GCM,data:eoYRd87pZ8nR3tE0M5iwQY5nuv5Wa4Q=,iv:aEsMA1n2GvgiTX3PBjjlSzz+8BdRaypDIU//Z4zbJgE=,tag:Fmn5+QGjp5hhQRDG/oy1Bg==,type:str] + token: ENC[AES256_GCM,data:L8jk21E13sk5dMMGDA0Dq+5HVIa25d0=,iv:CXXCBBBBdYEGPr23r9P2pHudgQqqzJ+SRR5nflczKQQ=,tag:moTPz3hQIAErFyPduEnYjw==,type:str] # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). - secretboxEncryptionSecret: ENC[AES256_GCM,data:bLOA5ISjhONQuAwlyKxhURlDab6+vHUccjy7b3aAnF7aDlGrXi8I60jHULg=,iv:7ISg7YPysyNsfsA55ld2H7XKVzuzf0RmlkoQ2Ir0FF0=,tag:ULAQOuqO7j/sfJ+AncpvCQ==,type:str] + secretboxEncryptionSecret: ENC[AES256_GCM,data:yWMGnEy5x1Q0eiPweRMcAgWr4ehqxIiGiXfILRdwBKAngTCdsUEEwuU/ol4=,iv:PIC3NcOCWcSskB9yd+6u7PWyOe3E+R9oIkjcCnR64aM=,tag:X2Mv0iGUqGol3CFcZZj98w==,type:str] # The base64 encoded root certificate authority used by Kubernetes. 
ca: - crt: ENC[AES256_GCM,data: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,iv:sWJfFuvZ90Nm9niMCPa+AZlMbEUrG84Usnu9gQCHPJs=,tag:Vi3f8AaG6C21whtjjUhcLQ==,type:str] - key: ENC[AES256_GCM,data:v7Ob+lnnEWBlHNR0C3cJ0+FjQAYa0aP/BYyMY6gc7qQWGC7id46kDcy0BpOM//mriC6SLB0NiqqBJDVRzkSvNC5QMXmY5y5B1J4UEDB2J+IRNrv7olie4SNNoD8hljqJbWQOlotWSn4jciCSYBxncxyTTohL9dt3ADmKLh8s6Xbwg03khap2Ksg55hBwSfLLXTijoSCYpVkQ9PJmbEDNJ8gIdd5rr36K1SRUF/OulvoZelVKzvoFTX9Wk/3nihb2MzDwYaQxH/QYZT2nQnhZLTK0HrJtKXh9Lay74AjXDOUKNQ2CCgHDmaqblApoBQeIRpVKUVB7o7Tggsk1kKFAwye1dnt5/5w6k8zHUxOrhtsTps35D4gaxkUHv3oOxkm92jQT3QTxXOZOIKRhXk2LMA==,iv:8a15bN7uE2hf3QIoigTP4AW4dC3pwyiZSvPSdiWxN5k=,tag:Jm3VouSC9rlNXGPIES8fIQ==,type:str] + crt: ENC[AES256_GCM,data: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,iv:/lxsSvUUaBEyP7rEIoypoC89RfbD8iKibl70HoAoJA8=,tag:dZVFd1fldhFVH1Cj1WgEXQ==,type:str] + key: ENC[AES256_GCM,data:EBTLUKB8Ms42LGzVhZDcG/D5A7LFiLUpzVD8FvuszNJMQybQCEhXcv82CruP1BKbXFGbrgagjfZYkgm0FeV8/CJyhIOD5flcjxd5kBYqGECqWx7AqgbGwm1CYyIjmMjlXQ/W2umIQjcm7b2gLdlKBHqw2PT8TA8H/rHcaIwYbSBvQu/ddQQS92tY6c1e+xnvFyWtkHbxu/QW3CSHMzGKPE3KfuxXoeS/Hjm1YmoJR3dGj/pLGclJOErn9LnYvKsN90VtZdtxXTyh0UML1ru2CM3zePR5lGSNQD4GbCL5QD8zIpR+VA5X2N9jKjElXDdpjQ7qqrSqRxWtnKQUpP8jCMwbwa8CNWoLGwUxqx7IXYmtWYrWRhFy4TfKThpp3MwfJXDvBE++vDAuhj9ti+HtlQ==,iv:tdvAk+pY2NpayOHVWYRfSv/ry+dV/qyUssQiXwXzXu4=,tag:H+/sULLjLqfwGu9bjKqToA==,type:str] # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. 
aggregatorCA: - crt: ENC[AES256_GCM,data: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,iv:7KmFHXneUabRR3vCP94qwK/MKoL2PXOpJCjzGwmwSSo=,tag:LyvV5W5dcsftO31aN1ZX+Q==,type:str] - key: ENC[AES256_GCM,data:aQ14Nr04S8XXC3RWwhBqlgmkDnELytNxtIPs+hbl3vi+gsjvul6FgYvDMrZUWZ3dXMBks7mUtiPdrTLPxr1Z3LvPsKZxedZes1yd/Ior+1T0JJqwYBnvXsVdDsRQyoglQ/gLDMRHLh2n6x/hPnaM8QDMUjoxyr9us9nhNavjTveDLAeO9Qewqy6JuBlLO6XgK3jWg/IY6ktoUmnTmqvMkg2qEtvONO1QkL6UdWHhNKvs6wqWvqDiQxWlVtmXLiMKXf8wXbPfCXiOa1RIvniZDrNq0MeZpNO1Sj/IsOEvZeQ9k0vBJsaHpI8Jc2hbBMBw9LJvuqi9TcsGOCkcXT42O09F6bXtopLikeGvLFSfImiciSyS2a971IPRi3sLN9SmDbtgchfbOXvboda+J9gKtQ==,iv:IlTGZwyLC+mC7kBjg+xF0K63K+EkoSMXufld9AsJA8s=,tag:vnZzKwo+4uG/USSE+Wsd6Q==,type:str] + crt: ENC[AES256_GCM,data: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,iv:bn0sdfz39nAqRi61r4UQOfeLRHXsHai5phusEcKwRWs=,tag:/lNTR/bVN5ttd1xphBAAXQ==,type:str] + key: ENC[AES256_GCM,data:ZpNM1By4eDGAsgw9wfZRbSUXefJ8l15LX6U7n8Xd7Exy+janEksYH+/DMoay2xDM6QipdbGbhMJo3ko2gpfzrY0oK+BTR+FRiNppyXKC/r8KVOZvH59SDSVugWBFLvRzhB/jfuGlbykwl4/7cw6UJ17PHLING8uFD/Cw5fuR64ZFFXUdTxgKVYyow/huuw74O1mpwakKqTJXC4Au+hiJshdyZX84jZOKiFgMWI8ebhKyxsJhBpBZLpEy89Ijt1jLEfEygiA+Li3a4ji5UO7pQM70rK94HwQi2+oR4IKs3qj9a66sDV/grdRSGT9soG43ecq/MPynk3AwqQJRZ3QDYzP0Rh9YziD5dPs1ip2WAC35Yt6KcvzMnso+ClOwhb4rnWjIgwvjyb27Ynv1On9CDA==,iv:Y5xspRvFPpZJ7RP3Ca4iLxAE7o7rcLrckre5J10zodI=,tag:7MOWsYlpxvvnenQeTscU5A==,type:str] # The base64 encoded private key for service account token generation. 
serviceAccount: - key: ENC[AES256_GCM,data:RG4hboric9vnOQZAFtbP3F/RiKJb9wFxgy4Uf87HjKIDzJDvSazUtASIaS9uYPDhRriC9cZm2LCEVetFWVa1BpTmT2J1JWYwCiWuT2IEArrwomYWaQTP93YBadWfyfDkRI1b44QXlL7S/4NQ+yn5bRWK1Vb4sOpfgQNgkb8ua1SMgLQMcZ/HFNwU63cgI9FG/AiXRUiwmLSHi2G3yugtGxQaQiNy8fR9uem9gpCc8ZNwgSxdHVdADrr2ihqQKk8Nsk/IiRlz816SI59+hshUIUrz6qNtsygjGr6hfFjDjEiD7VKblFSE1bVLoGjQsgpNHhjSIGwc1ncrjFJLD9yW5abeLKnEyt/5hVRGK3CzRCVtQbN1qz3XOkYD77YofatQl2giHbHT8QoKfMEJdisKpQ==,iv:RKCgByC/ojSa8tKKGUV6qaOLMbr7lw9m8yFfAKMP/8A=,tag:wTTw0OtX/7yaUNjNaI0QHg==,type:str] + key: ENC[AES256_GCM,data:aCXLadIlpOk5A5C8UO7XNlUW2XQJJM7/2awWzmDV3zDob9zuHSFC48rlle/agw2c5RHGfl5c4BI12xFf0ClpNb9R0U/QUFRxvRhq8HXjY3v7m0wRds4ejhyWg9Z8z8BjIdqXND5GCXv/NhNjEjH0povTUiR/LrqW34MvdvpiJ29hPgNZcoRKT/Q09QlNpMnc5+xwUKs8azFjH/FymUAxJDUhXictQ54P1WQGWv6HMa3HaVw3SHYc8rrg0DjSI0uEMxQZNL1ABzFL324XxGG09/eupb5vv7UvsCGwM37tO+2dm/0WtYtTrGXM5a6vr5toNFGE7UCWhNRHo9Uz8hFwf1F3Ku59Z59jb488EBjxH/mO+yUrPp/CI0raLv5YSQpXyqw1vfXNXoUFVVEe0084Dw==,iv:vfrsDBxtUsUDJBYmakZzA2xeknbftGlFSwFNCMsGEWk=,tag:lRdsJqqhqM5ZM4IeKoR+lw==,type:str] # API server specific configuration options. apiServer: # The container image used in the API server manifest. - image: registry.k8s.io/kube-apiserver:v1.28.2 + image: registry.k8s.io/kube-apiserver:v1.29.3 # Extra certificate subject alternative names for the API server's certificate. certSANs: - api.raspbernetes.com 
@@ -415,17 +448,17 @@ cluster: # Controller manager server specific configuration options. controllerManager: # The container image used in the controller manager manifest. - image: registry.k8s.io/kube-controller-manager:v1.28.2 + image: registry.k8s.io/kube-controller-manager:v1.29.3 # Kube-proxy server-specific configuration options proxy: # The container image used in the kube-proxy manifest. - image: registry.k8s.io/kube-proxy:v1.28.2 - # # Disable kube-proxy deployment on cluster bootstrap. + image: registry.k8s.io/kube-proxy:v1.29.3 + # Disable kube-proxy deployment on cluster bootstrap. disabled: true # Scheduler server specific configuration options. scheduler: # The container image used in the scheduler manifest. - image: registry.k8s.io/kube-scheduler:v1.28.2 + image: registry.k8s.io/kube-scheduler:v1.29.3 # Configures cluster member discovery. discovery: # Enable the cluster membership discovery feature. 
@@ -444,10 +477,10 @@ cluster: etcd: # The `ca` is the root certificate authority of the PKI. ca: - crt: ENC[AES256_GCM,data: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,iv:lCseR1ONHqJT5/CtNumaSNVOe5YOlfvdOilQLEZ+fK4=,tag:qFDvSac67opoIJ0xL458FQ==,type:str] - key: ENC[AES256_GCM,data:GCMF5d+H9LTw3vd5JdBmD97tB4ZhPKsJK+4YAi1mJuBXA+1Dz5bSZU+2CERGRuC/sj6egcjo3G4uecBMFqFqIIohZhK7/R2FgYrX/sBYMuW+/E7Qt9DHPB/Ew+QT349As4XVKaV/hb4KRu3wgs72WzbxS5Ir7x/fBC6PtxdYG5Nak0d4FWpiYIC4/2fEQyLzJj7GkJAjSJCNeXcNfWCfOLAXlj1AQV22GeV0CexKtOcaINhyMywffW3BWBOHURZX8Z4iG2AA0A87O3zPliy0FQBFvKaaf7k38N1y2NdFl9cg0zbfSMAfhex+ZAia+fgq4J1ghGQZliPx6glCZfzKB3+/ieFI/R5AZ0k+itMVwSPOW69zcIMWGLlqRhrLBOX9ESknxAUy0AZgYs4VTzEEcw==,iv:AdEj/prbm4ih+BwpyUTDJL6eVLdWOWYaQGSqwL9bQEg=,tag:BZSLqusJsMeL6K1EvTiTwQ==,type:str] + crt: ENC[AES256_GCM,data:IhX1KyGb0CWRaq/G3O6P+Zd6kCj2V0h6U6OZGmZ7nKZyGuyIaJhHBK8EQ9xlrjI2Ydq7L7Y5JocbbIT40UGqxwiS0Utm9WVNdeNZOsnQZv4I+6a8QWQ7lVoLs2zvBYlKWt9eTsKt6krrMsqrXEOgKIHF3odXUF2Avn0FRFQyI4eFck7tqOzAjWMw1yV05QMJ+7oHsDnMY6JOwb1SheRwpvc+tlNkTu2wbmBkYPCNk1IvnTcZWCtwSsAabL7hPixS7lqCXvN2Z9pZNBVrtTraOvU1losMsAK9lSoQc4TI6pbLiXAFMWeJ9HhYG/u/NUmb1BuruZJ7V/rDQnKM6EL7xzTGd3kCppg2AGOyG3GaEXjgeP0L4+REBMAVJbZKgBfrGf6gZZpT5lhoVqGWgueZIn1ZcbqRFJ8szP9PWUQbkiSuOQNn7DqQ6tpOnA3FM762yc1F4zN77bbSJmWaG+kB805NRSZ3uJPQVH0YT0EH7DwHzdxuOrDRyu8SoeqqC7anoaLfDKj5mjhYKzOdB3/7+gsrG8jayHt9nSm9ri9Sqpq5WV1U+jEDjv4lkfZPJ/gAsOahXMvcXUD3SAyqZ/f+0AA+L16cOM1/BDF7DqLENqoOiLj2nBT50Ks7zVnr9TwmqIO2lmekP+zJG7P4CKgfvLrOkNVVjncNnV4Td37aHv++Cm15RJyZaujf8s1cY7Dso9pO4U11TQm3klW/XD8S+3omVj1XOkz5gj+JJjpvcoPggaH9U7PPjSbGPYraH9W2YdzofKS0ag78YKR2ol9Q791RaGHRmepZa6OJheZgFnK54v3+O7ZELJb3VAmTEIxWUaq7D/tuM/q9oyEwvt5yaXCZaJYGw3TU69ihlqDjB6wNmxVyqtGTgsKzKiEvtyITUnfQeFwNb403zRsiAQhGK4OKf37/HyYVVebW7Cwpmw1Xh4VzU+ut4LZPnmqCFijuR5UDFpXOQkYDYRxKKkLYATJXU+XtXk8GCA5ZD/IxKOZ6Ak1I1RLFBA0324b7AvORoPMn0w==,iv:3zCGChXnL7bxpUdXHYXOyz/+QQ41qjSxPefuJnwRnbc=,tag:JBegFD/hMzednzZFVcD4sQ==,type:str] + key: 
ENC[AES256_GCM,data:wvdcJcdV8RLLZ8Qm/0JtdNihwTJ68fEh8Oe0SjVeIqIMGkW1IVhNRJrzkOzLq4hgM8AlEl7s0S5t0FP/5VYcLAFJslHvYAZTcM8DX18fg/9uvF8+O5KiQ5d3QQxSdBfGoPBtAOwdtYfgd3pmLGeTGegZ8iasz3MCQC+MQqXaGY2aF7LxixiU6qX86OFoy7DyTKt/ltluXXK+ptBzv4Lyj3sCTXIJebc3vPGDtrLZu3pClRguezgXFrs3SheZwMEuuEoWUyTwcwY3+U0rAiG0KSu5WIEJC+HZJt+IZW7+HFVf+NHiP/RmhqCoxY/6UVJvzbr4Nch4+iLwA7e6ywDzPduKD+0yFU0mChGoqwM/rSiVgZZvWt3Y60iPrkSP9G9oY8ltL6v2mH9usfQFZEfU6w==,iv:oVddMd4GgUF8HOy5DhQIO4EoogEz8f6c279PEez4hWM=,tag:efipltyYER4c1PesvY7lHg==,type:str] #ENC[AES256_GCM,data:Pzs+JMfS98htXli1GmNHA7GQ/BcSAamPKXgR5Gdpo5/mR9eoDtVUpmfd0hqor7pJAmILuRr/lA==,iv:JPOORYsVpb7jaDiEg+gjPIcUqZjAJKiZxvN5kEPmA0U=,tag:nlXigqI2u9EE4vNzWDOmXw==,type:comment] - #ENC[AES256_GCM,data:F0rd5B0VRwjmzHtbd/81jlcvCx0KuL8gaGJn9MsHujgn2TYq/1t8kqFtDQ==,iv:cQ6rf9djsz2S9DZhIkcO3VEibmNbalr1Qc3uIn5tv6w=,tag:Td/QSQ4FMOxEx47x00aHQQ==,type:comment] + #ENC[AES256_GCM,data:SctDCkiyadNrxoYXX1oddq3j1bKhzoJfH3ei80DagvRikDPhVls9jrYozSo=,iv:r2u8OrC01dT+V06JVsYwhI6t5vKd88Yc4T0xz8Dc+gE=,tag:sHJE7yV428G+PivyQFSQNg==,type:comment] #ENC[AES256_GCM,data:dNGpOC9m6+aOsc4YO3dVbjdNZ3xtlhfRpYSwIf8S5vE9GymLM+A6jSjLuAVKmtJUEQUMQw6k/doFiyNQC9xksR+j+t6pGTYLVx7Zvtt7jk/lNStKe8koMZA=,iv:1S1nAScNPbdl39eCT0sPjJjcxgGKgFLGZyCQs4aafFk=,tag:9r7hMzVcFpVc8uYKU26ULA==,type:comment] #ENC[AES256_GCM,data:1MsLchlwThNGoKqruz0HvjTC6g==,iv:LgrKd75J4cl14YZQD2GVAUimqs+Lc28JJWSB7MHlr/s=,tag:Iwg5G3nPrHAMAbIMR8Zatg==,type:comment] #ENC[AES256_GCM,data:KGibLCyOzga5MmLUyhDqy/M=,iv:4s90/7T5tGRapP+ODfFDAv75Dpy83vAsVmpkn/gRLcA=,tag:lkMbGTOB3XaBG6Zphk/LFQ==,type:comment] 
@@ -468,7 +501,7 @@ cluster: - https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml # Install the Gateway API CRDs # https://gateway-api.sigs.k8s.io/guides/?h=crds#install-standard-channel - - https://github.com/kubernetes-sigs/gateway-api/releases/download/v0.8.1/standard-install.yaml + - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml # - https://www.example.com/manifest1.yaml # - https://www.example.com/manifest2.yaml # A list of inline Kubernetes manifests. @@ -479,9 +512,12 @@ cluster: # kind: Namespace # metadata: # name: ci +# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). +# # Decryption secret example (do not use in production!). +# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= # # Core DNS specific configuration options. # coreDNS: -# image: docker.io/coredns/coredns:1.10.0 # The `image` field is an override to the default coredns image. +# image: registry.k8s.io/coredns/coredns:v1.11.1 # The `image` field is an override to the default coredns image. # # External cloud provider configuration. # externalCloudProvider: # enabled: true # Enable external cloud provider. 
@@ -496,14 +532,16 @@ cluster: # # Settings for admin kubeconfig generation. # adminKubeconfig: # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year). +# # Allows running workload on control-plane nodes. +# allowSchedulingOnControlPlanes: true sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-12-14T23:23:43Z" - mac: ENC[AES256_GCM,data:baN6iVkOZZl/DGzYmRgmodXSBJb8CNcuwac+gClZzjQwMakain5rNw39IC5UDduzi7mwcXi1TBdsCfLhvGDOZ3G1TVBc2BNZloXcO5T6qOoK8jV1/NmIucqzLf0sH+xnKlX6AXNU+nTVdKSoCQAobyBV9fvpClp6Ixo9VoIUy9E=,iv:OjoT0+Yqy7HVRJli1inP7ys6BGnYF92XTKrUZ23Pl0I=,tag:nh/lGCePqjMzZwpJww35TQ==,type:str] + lastmodified: "2024-05-04T23:34:07Z" + mac: ENC[AES256_GCM,data:keTNFHRB7vrwx3O2vrQ247C5A32LacastTvJ+tuCTQ07+6aaMkjzRbW1/UXZkPlhomFIsQOq2dingl3O7sWYEu+aejqGDmg/henbzTBVMSXOMjynC4zH0vWLB9ba4er5bj1CFsfbHwMFnPwCt9/1aKdaESjKrXgNvc2ery1ydwA=,iv:ZT1TTMobS0K/+5NvKJdl8XRBniLaNpXwQmJ0+RmlouA=,tag:PQg6skjJGALtIAZ9cnJV1A==,type:str] pgp: - created_at: "2023-03-01T22:28:05Z" enc: | diff --git a/talos/generated/node.enc.yaml b/talos/generated/node.enc.yaml index a8bc16fdfd..7913f6fa9e 100644 --- a/talos/generated/node.enc.yaml +++ b/talos/generated/node.enc.yaml 
@@ -2,17 +2,16 @@ version: v1alpha1 # Enable verbose logging to the console. debug: false -# Indicates whether to pull the machine config upon every boot. -persist: false +persist: true # Provides machine specific configuration options. machine: # Defines the role of the machine within the cluster. type: worker # The `token` is used by a machine to join the PKI of the cluster. - token: ENC[AES256_GCM,data:xz95DhsAIWDeILb/wzmLw99lSBt21C4=,iv:cOhI9IJkmzyW4/sIaXOIi1vZV1+nqLcEqrpBOcBREts=,tag:55OREUo/YyzkroW9Ez1bUQ==,type:str] + token: ENC[AES256_GCM,data:wFxxARESm1yXZ0yh4YIUGiGPlPX4VQM=,iv:m6O4aFeG+YCCHNTJxKIxTURungDa+3qxSbPNonw2D28=,tag:WUscHlJJKE0yOH2dvg125A==,type:str] # The root certificate authority of the PKI. ca: - crt: ENC[AES256_GCM,data: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,iv:1FTU+Xx4P5dEf81m91bzt5vCj5SL/jix8ki69Dm9Fm8=,tag:Wi7oImjGJT/qk9Jllma2EA==,type:str] + crt: ENC[AES256_GCM,data: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,iv:4gVkfV489JR+YjHiCUcfSmLYy2qHf0OX+LeOVS8PGk8=,tag:i1JISLdlRzKwY5ssveV54A==,type:str] key: "" # Extra certificate subject alternative names for the machine's certificate. certSANs: [] @@ -23,7 +22,7 @@ machine: # Used to provide additional options to the kubelet. kubelet: # The `image` field is an optional reference to an alternative kubelet image. - image: ghcr.io/siderolabs/kubelet:v1.28.2 + image: ghcr.io/siderolabs/kubelet:v1.29.3 # Enable container runtime default Seccomp profile. defaultRuntimeSeccompProfileEnabled: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory. 
@@ -33,32 +32,47 @@ machine: # - 10.96.0.10 # - 169.254.2.53 # # The `extraArgs` field is used to provide additional flags to the kubelet. - extraArgs: - rotate-server-certificates: ENC[AES256_GCM,data:O0ti1w==,iv:ZDJoLozHNbE1ve6LmiqYOfKNZ0XuFWhXvWHkI1AXRkk=,tag:m1DqeRJLPtOw5bYYbOYu4Q==,type:bool] - # # The `extraMounts` field is used to add additional mounts to the kubelet container. - # extraMounts: - # - destination: /var/lib/example - # type: bind - # source: /var/lib/example - # options: - # - bind - # - rshared - # - rw - # # The `extraConfig` field is used to provide kubelet configuration overrides. - # extraConfig: - # serverTLSBootstrap: true - # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. - # nodeIP: - # # The `validSubnets` field configures the networks to pick kubelet node IP from. - # validSubnets: - # - 10.0.0.0/8 - # - '!10.0.0.3/32' - # - fdc7::/16 + # extraArgs: + # key: value + # # The `extraMounts` field is used to add additional mounts to the kubelet container. + # extraMounts: + # - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container. + # type: bind # Type specifies the mount kind. + # source: /var/lib/example # Source specifies the source path of the mount. + # # Options are fstab style mount options. + # options: + # - bind + # - rshared + # - rw + # # The `extraConfig` field is used to provide kubelet configuration overrides. + # extraConfig: + # serverTLSBootstrap: true + # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration. 
+ # credentialProviderConfig: + # apiVersion: kubelet.config.k8s.io/v1 + # kind: CredentialProviderConfig + # providers: + # - apiVersion: credentialprovider.kubelet.k8s.io/v1 + # defaultCacheDuration: 12h + # matchImages: + # - '*.dkr.ecr.*.amazonaws.com' + # - '*.dkr.ecr.*.amazonaws.com.cn' + # - '*.dkr.ecr-fips.*.amazonaws.com' + # - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov' + # - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov' + # name: ecr-credential-provider + # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet. + # nodeIP: + # # The `validSubnets` field configures the networks to pick kubelet node IP from. + # validSubnets: + # - 10.0.0.0/8 + # - '!10.0.0.3/32' + # - fdc7::/16 # Provides machine specific network configuration options. network: {} # # `interfaces` is used to define the network interface configuration. # interfaces: - # - interface: eth0 # The interface name. + # - interface: enp0s1 # The interface name. # # Assigns static IP addresses to the interface. # addresses: # - 192.168.2.0/24 
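Review bot: The regenerated worker config in this hunk (talos/generated/node.enc.yaml, under `machine.kubelet`) drops the live `extraArgs` entry `rotate-server-certificates` and leaves only the commented `# extraArgs:` sample, so the kubelet returns to its default serving-certificate behaviour. The removed value is SOPS-encrypted (`type:bool`), so the diff cannot confirm it was `true`. If it was, kubelet serving certificates are no longer requested and rotated through the cluster CA, and clients that verify kubelet TLS would start failing or need verification turned off. Carry the setting in the patch used at generation time, e.g. `extraArgs:` followed by `rotate-server-certificates: "true"`, so a regeneration cannot silently drop it again. The `kubelet` mapping itself starts above this hunk.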
@@ -77,20 +91,30 @@ machine: # # deviceSelector: # # hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard. # # driver: virtio # Kernel driver, supports matching by wildcard. + # # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver. + # # deviceSelector: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard. + # # driver: virtio # Kernel driver, supports matching by wildcard. # # # Bond specific options. # # bond: # # # The interfaces that make up the bond. # # interfaces: - # # - eth0 - # # - eth1 + # # - enp2s0 + # # - enp2s1 + # # # Picks a network device using the selector. + # # deviceSelectors: + # # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard. + # # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard. + # # driver: virtio # Kernel driver, supports matching by wildcard. # # mode: 802.3ad # A bond option. # # lacpRate: fast # A bond option. # # # Bridge specific options. # # bridge: # # # The interfaces that make up the bridge. # # interfaces: - # # - eth0 - # # - eth1 + # # - enxda4042ca9a51 + # # - enxae2a6774c259 # # # A bridge option. # # stp: # # enabled: true # Whether Spanning Tree Protocol (STP) is enabled. @@ -117,7 +141,7 @@ machine: # # # Specifies a list of peer configurations to apply to a device. # # peers: # # - publicKey: ABCDEF... # Specifies the public key of this peer. - # # endpoint: 192.168.1.2 # Specifies the endpoint of this peer entry. + # # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry. # # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer. # # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer. # # allowedIPs: 
@@ -143,14 +167,11 @@ machine: # Used to provide instructions for installations. install: # The disk used for installations. - # RockPi eMMC /dev/mmcblk0 disk: /dev/sda # Allows for supplying the image used to perform the installation. - image: ghcr.io/siderolabs/installer:v1.5.5 - # Indicates if a bootloader should be installed. - bootloader: true + image: ghcr.io/siderolabs/installer:v1.6.7 # Indicates if the installation disk should be wiped at installation time. - wipe: true + wipe: false # # Look up disk using disk attributes like model, size, serial and others. # diskSelector: # size: 4GB # Disk size. @@ -165,7 +186,7 @@ machine: # - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image. # Used to configure the machine's container image registry mirrors. registries: {} - # # Specifies mirror configuration for each registry. + # # Specifies mirror configuration for each registry host namespace. # mirrors: # ghcr.io: # # List of endpoints (URLs) for registry mirrors to use. 
@@ -196,125 +217,151 @@ machine: stableHostname: true # Enable checks for extended key usage of client certificates in apid. apidCheckExtKeyUsage: ENC[AES256_GCM,data:w2IduA==,iv:a15Ht2jBHUdXq13pTxxfhpPDDvRYOIaqXIrxoPJAZdo=,tag:I8AE8T3CAbbNbeoUjnvvPQ==,type:bool] - # # Provides machine specific control plane configuration options. - # # ControlPlane definition example. - # controlPlane: - # # Controller manager machine specific configuration options. - # controllerManager: - # disabled: false # Disable kube-controller-manager on the node. - # # Scheduler machine specific configuration options. - # scheduler: - # disabled: true # Disable kube-scheduler on the node. - # # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. - # # nginx static pod. - # pods: - # - apiVersion: v1 - # kind: pod - # metadata: - # name: nginx - # spec: - # containers: - # - image: nginx - # name: nginx - # # Used to partition, format and mount additional disks. - # # MachineDisks list example. - # disks: - # - device: /dev/sdb # The name of the disk to use. - # # A list of partitions to create on the disk. - # partitions: - # - mountpoint: /var/mnt/extra # Where to mount the partition. - # - # # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk. - # # # Human readable representation. - # # size: 100 MB - # # # Precise value in bytes. - # # size: 1073741824 - # # Allows the addition of user specified files. - # # MachineFiles usage example. - # files: - # - content: '...' # The contents of the file. - # permissions: 0o666 # The file's permissions in octal. - # path: /tmp/file.txt # The path of the file. - # op: append # The operation to use - # # The `env` field allows for the addition of environment variables. - # # Environment variables definition examples. 
- # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: info - # GRPC_GO_LOG_VERBOSITY_LEVEL: "99" - # https_proxy: http://SERVER:PORT/ - # env: - # GRPC_GO_LOG_SEVERITY_LEVEL: error - # https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ - # env: - # https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ - # # Used to configure the machine's time settings. - # # Example configuration for cloudflare ntp server. - # time: - # disabled: false # Indicates if the time service is disabled for the machine. - # # Specifies time (NTP) servers to use for setting the system time. - # servers: - # - time.cloudflare.com - # bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. - # # Used to configure the machine's sysctls. - # # MachineSysctls usage example. - # sysctls: - # kernel.domainname: talos.dev - # net.ipv4.ip_forward: "0" - # # Used to configure the machine's sysfs. - # # MachineSysfs usage example. - # sysfs: - # devices.system.cpu.cpu0.cpufreq.scaling_governor: performance - # # Machine system disk encryption configuration. - # systemDiskEncryption: - # # Ephemeral partition encryption. - # ephemeral: - # provider: luks2 # Encryption provider to use for the encryption. - # # Defines the encryption keys generation and storage method. - # keys: - # - # Deterministically generated key from the node UUID and PartitionLabel. - # nodeID: {} - # slot: 0 # Key slot number for LUKS2 encryption. - # - # # # Cipher kind to use for the encryption. Depends on the encryption provider. - # # cipher: aes-xts-plain64 - # # # Defines the encryption sector size. - # # blockSize: 4096 - # # # Additional --perf parameters for the LUKS2 encryption. - # # options: - # # - no_read_workqueue - # # - no_write_workqueue - # # Configures the udev system. - # udev: - # # List of udev rules to apply to the udev system - # rules: - # - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" - # # Configures the logging system. 
- # logging: - # # Logging destination. - # destinations: - # - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". - # format: json_lines # Logs format. - # # Configures the kernel. - # kernel: - # # Kernel modules to load. - # modules: - # - name: brtfs # Module name. - # # Configures the seccomp profiles for the machine. - # seccompProfiles: - # - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. - # # The `value` field is used to provide the seccomp profile. - # value: - # defaultAction: SCMP_ACT_LOG - # # Configures the node labels for the machine. - # # node labels example. - # nodeLabels: - # exampleLabel: exampleLabelValue + # Enable XFS project quota support for EPHEMERAL partition and user disks. + diskQuotaSupport: true + # KubePrism - local proxy/load balancer on defined port that will distribute + kubePrism: + # Enable KubePrism support - will start local load balacing proxy. + enabled: true + # KubePrism port. + port: 7445 + # # Configure Talos API access from Kubernetes pods. + # kubernetesTalosAPIAccess: + # enabled: true # Enable Talos API access from Kubernetes pods. + # # The list of Talos API roles which can be granted for access from Kubernetes pods. + # allowedRoles: + # - os:reader + # # The list of Kubernetes namespaces Talos API access is available from. + # allowedKubernetesNamespaces: + # - kube-system # Provides cluster specific configuration options. cluster: +# # Provides machine specific control plane configuration options. +# # ControlPlane definition example. +# controlPlane: +# # Controller manager machine specific configuration options. +# controllerManager: +# disabled: false # Disable kube-controller-manager on the node. +# # Scheduler machine specific configuration options. +# scheduler: +# disabled: true # Disable kube-scheduler on the node. 
+# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver. +# # nginx static pod. +# pods: +# - apiVersion: v1 +# kind: pod +# metadata: +# name: nginx +# spec: +# containers: +# - image: nginx +# name: nginx +# # Used to partition, format and mount additional disks. +# # MachineDisks list example. +# disks: +# - device: /dev/sdb # The name of the disk to use. +# # A list of partitions to create on the disk. +# partitions: +# - mountpoint: /var/mnt/extra # Where to mount the partition. +# +# # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk. +# # # Human readable representation. +# # size: 100 MB +# # # Precise value in bytes. +# # size: 1073741824 +# # Allows the addition of user specified files. +# # MachineFiles usage example. +# files: +# - content: '...' # The contents of the file. +# permissions: 0o666 # The file's permissions in octal. +# path: /tmp/file.txt # The path of the file. +# op: append # The operation to use +# # The `env` field allows for the addition of environment variables. +# # Environment variables definition examples. +# env: +# GRPC_GO_LOG_SEVERITY_LEVEL: info +# GRPC_GO_LOG_VERBOSITY_LEVEL: "99" +# https_proxy: http://SERVER:PORT/ +# env: +# GRPC_GO_LOG_SEVERITY_LEVEL: error +# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/ +# env: +# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/ +# # Used to configure the machine's time settings. +# # Example configuration for cloudflare ntp server. +# time: +# disabled: false # Indicates if the time service is disabled for the machine. +# # Specifies time (NTP) servers to use for setting the system time. +# servers: +# - time.cloudflare.com +# bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence. +# # Used to configure the machine's sysctls. +# # MachineSysctls usage example. 
+# sysctls: +# kernel.domainname: talos.dev +# net.ipv4.ip_forward: "0" +# net/ipv6/conf/eth0.100/disable_ipv6: "1" +# # Used to configure the machine's sysfs. +# # MachineSysfs usage example. +# sysfs: +# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance +# # Machine system disk encryption configuration. +# systemDiskEncryption: +# # Ephemeral partition encryption. +# ephemeral: +# provider: luks2 # Encryption provider to use for the encryption. +# # Defines the encryption keys generation and storage method. +# keys: +# - # Deterministically generated key from the node UUID and PartitionLabel. +# nodeID: {} +# slot: 0 # Key slot number for LUKS2 encryption. +# +# # # KMS managed encryption key. +# # kms: +# # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key. +# +# # # Cipher kind to use for the encryption. Depends on the encryption provider. +# # cipher: aes-xts-plain64 +# # # Defines the encryption sector size. +# # blockSize: 4096 +# # # Additional --perf parameters for the LUKS2 encryption. +# # options: +# # - no_read_workqueue +# # - no_write_workqueue +# # Configures the udev system. +# udev: +# # List of udev rules to apply to the udev system +# rules: +# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660" +# # Configures the logging system. +# logging: +# # Logging destination. +# destinations: +# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp". +# format: json_lines # Logs format. +# # Configures the kernel. +# kernel: +# # Kernel modules to load. +# modules: +# - name: brtfs # Module name. +# # Configures the seccomp profiles for the machine. +# seccompProfiles: +# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile. +# # The `value` field is used to provide the seccomp profile. +# value: +# defaultAction: SCMP_ACT_LOG +# # Configures the node labels for the machine. +# # node labels example. 
+# nodeLabels: +# exampleLabel: exampleLabelValue +# # Configures the node taints for the machine. Effect is optional. +# # node taints example. +# nodeTaints: +# exampleTaint: exampleTaintValue:NoSchedule # Globally unique identifier for this cluster (base64 encoded random 32 bytes). - id: Uyj95Xbi-Vzyb69hSO_bUc7dyGSKO-Pz-vWsrNHz_as= + id: v-bEFwPI9So3weaq5tJIdzKIwzL2CrvK4-Qrc4CGRIs= # Shared secret of cluster (base64 encoded random 32 bytes). - secret: ENC[AES256_GCM,data:LZGnKbyP+ClLUvGT6lNHfSo7IT5hz/E8XZGuPw4mCBpl+L5iHxAPhsNdlsc=,iv:AsdNnqrYJSrhqKitREzl69p63YM7H2R/wgILDYZjoIs=,tag:+ycyrIxT7vpQXqmQk0uC0Q==,type:str] + secret: ENC[AES256_GCM,data:pTmwsxTm7anFISdGVHNPN9Y2xmMNtkzhVo+UaHL+RhnSDnWZXzEOeOdXFos=,iv:QSmMsogcpPJ1haGEqysj58qhKZahSyjRftXAMCPTpwM=,tag:FNhERd4PVOK3oO4rVsE+tQ==,type:str] # Provides control plane specific configuration options. controlPlane: # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname. 
@@ -336,10 +383,10 @@ cluster: # urls: # - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster. - token: ENC[AES256_GCM,data:2Xos6DvgyVIn4SYc0NM2En7Oekfi6Ms=,iv:cOwWyu1kC2QNJ5SUtUY/EKnNNuzRPmfTdDrNA96ygEo=,tag:I/8hrT9XoW6R/LN9AaOHnw==,type:str] + token: ENC[AES256_GCM,data:XoT8ZgJZtgFtNLICtpxC87YfEHLHZF8=,iv:BYyAKkcJOQwYjuzs2ovDEHZGpw2eJOusgLW/4dG1Lgo=,tag:S6ViJjgnRPmZvQqoy5IKBg==,type:str] # The base64 encoded root certificate authority used by Kubernetes. ca: - crt: ENC[AES256_GCM,data:9+eB+nKyzv+igZNSgdHq4RT7g76E0ECmyUiVtSDF7IhM7fULNrs8v3EuMFLWfWydwddVNBPMuif1uNOn8cgYEtDXbQ6XlVyNm9cZKVpw5mMT+qxmbwIu124+3IQ3kWMcWQnx0J4dKLC6Y9KN/BTanHJSevgWIqS+2wzt7IPFFWZPsiFYmr+bdtXfMwWDwfqQ5VqjSIxVNCLqlh5tpKIJQy+9qA6lUwGbGgaflOSp6u2y1BAZ2kqzTwEP33LCaq/lusd4f9S18Ft6mYGOBueTXMGmdH2+Z1z91TzExGjxLSIJgv/5YHdis64MLo+BQhPC4AVDdndI9WymC59H86jiCQN3bMuyk2wHDFqC4xRhkaTVQDA9Ily4dFXEiOmPViEunpqLIFKJ5v8QQWP5bYe/5x/m7WG79AFzvm5+T/FHDcBMRt+dKfwgUnnys9zo0nnwbyiYJiMLAMuK6mznzOqv43loSFDmiCoPod/e/JbYbj9LAeHYhru/Q3+MCNaWZpEEFxacfbxTGKZpqPV9Nz1E9wdixeAbWBuJKvjD9454jZXGDlJcwZZQl0iu0p29VMp3pbW5nBNbOsLYeaWwwT6W0sMnA9/2A63tKJS73eZbOb8bqett8rhszMWk3aajTdXUtP7XNxLEQDA4WVD4yNctL6uKsBK+UTM+0kusGjmGWGtgRmIRe3TFg96w8wWh8NdN0elfBmIyLswptJNeUswOzrQ1WvRyofZWF7wqY//6bniqUkbix24Qt6HhjN2Hca7XGJ+tzKMvsRTR9lMdgbGUEainn24TDvTxNC3J7m/zH6rO3/irSkdUxnJDDNSgdrE6fEqHs0DcXMbhlFmmnxlnlCmnHhaLpXA2B//MMCl4mYK8FjV0eyFPsQMHhdckvp8wiqCo7KoAzwXJrC0JjgFEFGA33FvBHsdGRxEQha8t0hGk3pE6ysCq/6Ek6LvQlWi89QIJXiVDByxCYjsXb937gaVVnO60EuzazVDzn/uRJYJx9K8gOON7YJB/TD8+IcvjH/wH5qEalFvU8f246yHdnat38108jXYVC8a1nA==,iv:qLI0f4W7ifWEfYorqKU7I6D0SGWh104mz5uEprWB0EM=,tag:W576zq6MDeYfk5cF1g/Wdw==,type:str] + crt: ENC[AES256_GCM,data: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,iv:HjDk2ZmtVY/WITQYqIRMUdi0KbwE1fI9VdS8a/+EtnA=,tag:mfH+rr3LhsAuaHROkXokuQ==,type:str] key: "" # Configures cluster member discovery. 
discovery: @@ -357,6 +404,9 @@ cluster: # endpoint: https://discovery.talos.dev/ # # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). # # Decryption secret example (do not use in production!). +# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= +# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). +# # Decryption secret example (do not use in production!). # secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM= # # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation. # # AggregatorCA example. @@ -369,7 +419,7 @@ cluster: # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ== # # API server specific configuration options. # apiServer: -# image: registry.k8s.io/kube-apiserver:v1.26.0 # The container image used in the API server manifest. +# image: registry.k8s.io/kube-apiserver:v1.29.3 # The container image used in the API server manifest. # # Extra arguments to supply to the API server. # extraArgs: # feature-gates: ServerSideApply=true 
@@ -405,27 +455,27 @@ cluster: # - level: Metadata # # Controller manager server specific configuration options. # controllerManager: -# image: registry.k8s.io/kube-controller-manager:v1.26.0 # The container image used in the controller manager manifest. +# image: registry.k8s.io/kube-controller-manager:v1.29.3 # The container image used in the controller manager manifest. # # Extra arguments to supply to the controller manager. # extraArgs: # feature-gates: ServerSideApply=true # # Kube-proxy server-specific configuration options # proxy: # disabled: false # Disable kube-proxy deployment on cluster bootstrap. -# image: registry.k8s.io/kube-proxy:v1.26.0 # The container image used in the kube-proxy manifest. +# image: registry.k8s.io/kube-proxy:v1.29.3 # The container image used in the kube-proxy manifest. # mode: ipvs # proxy mode of kube-proxy. # # Extra arguments to supply to kube-proxy. # extraArgs: # proxy-mode: iptables # # Scheduler server specific configuration options. # scheduler: -# image: registry.k8s.io/kube-scheduler:v1.26.0 # The container image used in the scheduler manifest. +# image: registry.k8s.io/kube-scheduler:v1.29.3 # The container image used in the scheduler manifest. # # Extra arguments to supply to the scheduler. # extraArgs: # feature-gates: AllBeta=true # # Etcd specific configuration options. # etcd: -# image: gcr.io/etcd-development/etcd:v3.5.6 # The container image used to create the etcd service. +# image: gcr.io/etcd-development/etcd:v3.5.11 # The container image used to create the etcd service. # # The `ca` is the root certificate authority of the PKI. # ca: # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t 
@@ -438,7 +488,7 @@ cluster: # - 10.0.0.0/8 # # Core DNS specific configuration options. # coreDNS: -# image: docker.io/coredns/coredns:1.10.0 # The `image` field is an override to the default coredns image. +# image: registry.k8s.io/coredns/coredns:v1.11.1 # The `image` field is an override to the default coredns image. # # External cloud provider configuration. # externalCloudProvider: # enabled: true # Enable external cloud provider. @@ -465,14 +515,16 @@ cluster: # # Settings for admin kubeconfig generation. # adminKubeconfig: # certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year). +# # Allows running workload on control-plane nodes. +# allowSchedulingOnControlPlanes: true sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-12-14T23:24:06Z" - mac: ENC[AES256_GCM,data:Ry++F27hOi+lDHHtiPNuXLG8m6yrFPoR8425e57V3BtbYXY4VhFciScWHRGIpezgFcRf/aAZzeWxiqKhQHDaAQXVvs53XKXL3og84DzwzRv4ktD4lXwFdLKNHoFw95C5Ornic8SSuZyAMpstWsLHYf2GvGgBvPgil9GweYwVi8c=,iv:QNxcGru9b0Dz0O4acbIC3fhjrdSORtTwTgKI+YOrJ2M=,tag:FYQahanXf7t8L8AlgZkYvA==,type:str] + lastmodified: "2024-05-04T23:34:22Z" + mac: ENC[AES256_GCM,data:3g2s6azz9nHwbY1L6ptlrcEplqJIJlS2b5llH9EUyjvl3CQlKUlQRmUaa/0bMV3LFesP8j+Pvg3PJc/ZTh2Oh23aeQ2gGz8d1NjG/f2Zv7Flup4TBA3KrhfB2VLvIwULPaiK345n4Udlw5MY1gEs6PO31RegyuHgkL+Aw4BCQqk=,iv:Lo+voIMN4h7/8G+F58+ZbrCLdc8E+YLmLgFTOVRe14I=,tag:IEmjx/Fo/ytXucF31vj9jA==,type:str] pgp: - created_at: "2023-03-02T05:48:23Z" enc: | diff --git a/talos/generated/talosconfig.enc.yaml b/talos/generated/talosconfig.enc.yaml index 3fb066a9ed..905e7d802e 100644 --- a/talos/generated/talosconfig.enc.yaml +++ b/talos/generated/talosconfig.enc.yaml 
@@ -2,18 +2,18 @@ context: talos-default contexts: talos-default: endpoints: - - 192.168.50.200 - ca: ENC[AES256_GCM,data:bWojgek/wyqM5O0G6na1EkanskCc+xGJF2+pEZ5JNXI1ru55X4ttQaTnd4Y72609PRrn8eJBKuvv30wIG8ovnRAuGt59C05NYDPRu1GdIZmGvjrF+5sl1jWbt8kUh7c7jMds/alExSbpO6TCXq8UuSTki9U6X5N0wI494ZkqoGmLI0YoLxNzJOdLYvVK+wLOwhtpbmoE4aoKGwiIpkNdlx5Ddf22xJjKTeuE56kQUH9wjXgOgvzIe5WCnQsojICpkJ5YBHIsiYdQU0Tt89OneNl8h4ew78zb1bIe3inUvwq8KGJEN55sH36kgDm1nI6tVz+ImDEHDdOJgf40bisSiyFtuNNSHRCa7N7TbWQ4Sg5poe7rQLUxZ/Y3VmAsP7hTBGs3RprBKInBDf+gxwd439oGLfD/U48lADvZF7SObhylCa0Uljhe8a8NcXHmltu/0zmk/zlGI+GMMJsQV9xYDLZDGK7IdyFoAgnQf+Hmvw4aQdxWSMLIorjS9pqzyJUfApHfGGWpgh4U7EtWahXAiS9/mzfv2aSrGyM0laTUFcpaUZfORL3plEcIr+++uCZUdQPlGxi1m5J1OXR1EoP7VzWp6+Qyw3aosXlorPKHisam2MkU9DqtXvLkZJr8CXlZX023v2e/5fhrRt5ff5BqH8jmun1aYfzZ0ID5v9vxaxC8WCMwcbaE7av0lpEmMM5bBsGAOf3n+M8OavK0DPTsF2/qMDnQoTTT6RZxFcD6WYyoMA+6grRHMaTU1xX43aSOum8kHrn6eiv8CG52IV6GmZhXGkem9szzelibFYz8kNvI6tGbylOH6E6mzI02SqW/FLc0iwQvqCdcNzTiSqvUP72GYnBfVHM2oPxCt2Kd+BKrt+6l,iv:krGgL7t1/icXmENB5sZl6b4I3OnlXmXE3b+pDDMkyMU=,tag:OmRdpRbWBEl2W71Gn7cd9A==,type:str] - crt: ENC[AES256_GCM,data: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,iv:aIqZUCUy1rVSou+jKW6VRyFkejqUnQ9qMBjb0E9T860=,tag:QLb8mkjMEVBcjo8DHXqgwg==,type:str] - key: ENC[AES256_GCM,data:L/k+CrAozQsBzHuS0+EDTPSECMBCbR4I8T2+k7mbdGZafI8v1QIlFpLzM1CRLaGrmzHWRIuDKCizczOMk8f2Jr7ySJK7vfz83ShkKba/NR0FY24HHW+vfJLwH+QeHKrmmYTzpTm/o85uesWTTM4f2Rs7+18CmxEJeU95gfV6OlDSGmvhobAEYPy/icd1m3DZUtm8Q/R9zPdTVL84RymFFGdC3oXLNp7JuyK+evVUuNLke9C1,iv:hMBpAc2q8lLN6s+GGB4ZEfPYuKuHE1NZ+949AhxpO44=,tag:/ueGsIEhFI7OuRL2HyoMLA==,type:str] + - 127.0.0.1 + ca: ENC[AES256_GCM,data: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,iv:QAEU1Lt4SOXR1C8roW7mOGBH16poDpCubC976X2iFIU=,tag:PuPdtDMBgM0xgbmr4Fsa0g==,type:str] + crt: ENC[AES256_GCM,data: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,iv:xuUp2c9X70ZPKIOu2LNhu0sG2ZaMJ+FjHTwhhIb6ecQ=,tag:bO/1spiIxNuetN5On8CwQw==,type:str] + key: 
ENC[AES256_GCM,data:EtOYqikMIcpjrN4nN6c9nHdAx2tVpfgUiGjb3sLu9HgUdq24GzFxW7RoZGFsatIq5p72x+axKUUNXYMgWE4p6CtfZG4f6mzFhpS3MWbFrGoND1QJdghF86+7IYwptN3alZ73N43powd1okd8/hnkFmVLJVvVPaztjpySTynbkGUypqvESu7mk0oFqWNj9GmYWOIA8shICOcrluV57HAdU3CTIfhPen90pdcqb5M2ahQj4pLa,iv:5VXvmN6ZxhEsQ39reJE+LaAYNXtZFT7syxxOCqQm+7Q=,tag:Q71BJfpw1ift5o6h3wJt3Q==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-03-02T07:39:53Z" - mac: ENC[AES256_GCM,data:MzFTl8Sf4RmOzVdn/VLWFVCHncyU3LNNO2LsJ9zuH1HaN3UNt5qGqU3ECxWp9jG7hdYbwzx0UfhptyHYG3QXQdDA36QDKtbl0MmRqF/GdWXxQy2XT3KHrvUTSjNLH3r9l7Gsw4t4vyFbOgj25wBEHBmkiQZzP+dfjw0vUJJBBsk=,iv:KXt+ydJZRK4boWcgwK8pqWHFw1Gl/DVZKE+DrxQa+6A=,tag:zvF8FIm90SpyIUAZJW+/CQ==,type:str] + lastmodified: "2024-05-04T23:34:43Z" + mac: ENC[AES256_GCM,data:cy3km17xKtsEv9/8b/DhtXmB+yueEaUr95MnYaDDgx750rg/l3P+abX2zzG1AXPdWh9NrjsSID6g9BK1g4pbrvUaV9r1g/Gr/qVFfdZV6D6K/z+tqhNF+jy4PC90bk5Pbm6VEhapRn2RzK3eEOJf3iDZLQyplJNTJL1nr3hMJNI=,iv:50xOxcGA7t2vssvHJ/hPMeUQYt9zcHT5Slu6Se1ShVc=,tag:7l9BbC3HK+5gR83irBKXxw==,type:str] pgp: - created_at: "2023-03-02T05:49:10Z" enc: | diff --git a/talos/integrations/cilium/README.md b/talos/integrations/cilium/README.md index b6f043ab88..00b0f301ce 100644 --- a/talos/integrations/cilium/README.md +++ b/talos/integrations/cilium/README.md @@ -14,9 +14,9 @@ helm repo add cilium https://helm.cilium.io/ ```bash helm install cilium cilium/cilium \ - --version=1.12.1 \ + --version=1.14.5 \ --namespace=kube-system \ - --values=kubernetes/namespaces/base/kube-system/cilium/install/1.12.1.yaml + --values=kubernetes/namespaces/base/kube-system/cilium/install/1.14.5.yaml ``` Post successful installation of Cilium it's option to run the Cilium network connectivity tests 
@@ -27,9 +27,9 @@ Upgrade path ```bash helm upgrade cilium cilium/cilium \ - --version 1.21.1 \ + --version 1.14.5 \ --namespace=kube-system \ - --values=kubernetes/namespaces/base/kube-system/cilium/install/1.12.1.yaml + --values=kubernetes/namespaces/base/kube-system/cilium/install/1.14.5.yaml ``` ## Service Mesh @@ -45,9 +45,9 @@ helm upgrade -n kube-system cilium ./install/kubernetes/cilium --values=../k8s-g ```bash helm template cilium/cilium \ - --version=1.12.1 \ + --version=1.14.5 \ --namespace=kube-system \ - --values=kubernetes/namespaces/base/kube-system/cilium/install/1.12.1.yaml > kubernetes/namespaces/base/kube-system/cilium/install/cilium-1-12-1.yaml + --values=kubernetes/namespaces/base/kube-system/cilium/install/1.14.5.yaml > kubernetes/namespaces/base/kube-system/cilium/install/cilium-1-12-1.yaml ``` ```bash @@ -55,8 +55,8 @@ flux create helmrelease cilium \ --source=HelmRepository/cilium-chart \ --namespace=kube-system \ --chart=cilium \ - --chart-version=1.12.1 \ - --values=kubernetes/namespaces/base/kube-system/cilium/install/1.12.1.yaml \ + --chart-version=1.14.5 \ + --values=kubernetes/namespaces/base/kube-system/cilium/install/1.14.5.yaml \ --export > kubernetes/namespaces/base/kube-system/cilium/install/helmrelease.yaml ``` diff --git a/talos/integrations/cilium/cilium.yaml b/talos/integrations/cilium/cilium.yaml index 3c24098c00..f1945476c7 100644 --- a/talos/integrations/cilium/cilium.yaml +++ b/talos/integrations/cilium/cilium.yaml @@ -631,7 +631,7 @@ data: cilium-endpoint-gc-interval: 5m0s cluster-id: "1" cluster-name: talos-default - cni-exclusive: "true" + cni-exclusive: "false" cni-log-file: /var/run/cilium/cilium-cni.log cnp-node-status-gc-interval: 0s custom-cni-conf: "false" 
@@ -790,8 +790,8 @@ metadata: --- apiVersion: v1 data: - ca.crt: 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 - ca.key: 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 + ca.crt: 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 + ca.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBMk9CMkhjRTYweVNmcFdUb3VDcWQybWg3UmtNd3FsbFQ3UGZBb1BrOXN6b1doMGtUCitiRlppaGQ0UGJ2Tksvc3ZsdHlXWStjMzllZTdHbytZRDg0NkFaWFdsSTNxWkZ4c1FMVlFobWpSNmpQV3NIbTkKbEJJZTNzTkhHYnlXSnMyczBvaWdGQmUxblg2Z0dmVEFkUEtoWDlyc0J5SS9seXRHNHlmc1FaZnZMTTlQMmlHdApXbUtnWEhwUXo4aVpVTEMrdTN2cGlMOG1LVmdxLzRPZVp4QldmaUxLMW9XUTBISFVraU8zcGxJZVN6Z3ppemR0CnViMzJ1akRGV25sNCtHM3R3U3ZxNDFnYkFjTnRXYmtGcTYvYWVRS3NLTDhVSmp3OEg4cWc5cGQ1L0k3eUIyRXgKTnQrNXpvWnlML2RTbFMyOC9DZTVCdll1aHR4TnlwSjVmcjBEZFFJREFRQUJBb0lCQUNRcW9tZnAzbFp4cUJIYgoxeGRIUEJXOUVMbXg0TDYzc05BMnJLL3JnSWVQNjB2YU92T0x5TVBIa0N5elVjN0F6N25YeFZpWnFYSmZsNHNoCllSbFpxY0N6N1JuTzVNU2h5UWV0ZE9WRk82UlR5cnlaUUswZHJIbzNsSGJOUlRqcFdhV3VWUXVrdkl1c0h5VFUKOVBkTHN1K2FRWHdiRVFHem5ObXF3YkphbE84aXdLejZYbTZvSkpETGl4QTJzOWhUNmV0azBsa0QzclUvSitlSAptR0p2dlBYNndGdEFuN014NjdvMHBhUkRzY3pKa1V4Mm1QMnVpUDBRNkhRS3FYcGZldDIwMU1nMTRlMkJqS1paCk9wREl4emdTSkFaRFgyWXV1TTEvT2JiQWZjTEYzbXN0aENWU3VLbjZESHpGNzN1T2dIbkxpUStidEhnUjRMdksKUUJuRTZhRUNnWUVBOHc5amthK2U0YThSTE9nWC8vWE5YdEcxRU1RU0NQemtpZ0xTcEpYUG1NSTlQanhwM0FGUgpGQnNTcUI3OHdTcGIvQ3VBRENEVE1LeHVLdlZ1VktvMHJWRGFEdDhqTnRldjQyaUd0SVFFRHRVb3FvbExrOExLClkrUTFOUEV0VnAycGJmNytiWmRBOFNVMHZwcFIyYUZCK3RBQllpMFE0OGg4OTBnVEVOaFdPSmtDZ1lFQTVHdzUKM3RXajdoQy92ZVpLTmpOc3JneFZSUzJRUFI4Q2NPRzMrMHJYOU9kbTBXWGZsQVVWQkt3dTdnTFhBMzlGL3lmZwpTc3lmOFNQQjlWL1hPT1QxSVIzWjZ1Ty91TG94U0plQ1c4b0RvcFRhRXdweFBNQW5XMkROdW1YcWxUcHBKMWZkClczd0szTElvSFBrU0xVZ3pWMW81YnVGM2twRVArM2dCRUE5dkh6MENnWUJaRjJ6eHU2UExLWFpzTlc2R25ieDMKWXZxeGVJejd5bWFpeDhJYUhlZUlJTHArRTNyaDc0R2Vrd1hWcGZZVGY4bFR0MFlxSytYOVUxYldYRHZpd0xpcQpScGFIR1BjNVpQbk5xMFNrNmpicWtPdGxCd295MFJXS1k5MjAyQ284TTNJbEpYQnhEeDM0eGlCOU5PZUhrL294ClN3a1d5Vm9GaERsNkVtc2FvNUdIRVFLQmdEaHFLbGpJdHZZREdQZ1R
1bHhza3ZqaGZ1WFkvUGk3Z2VUVE9wZEwKd3M1dm9Fc3pOK2JjNG5ZRytJZzhGMUo3eXBQY0MxOHQ3b3FsNUM5di9qM0UvbTJ4YTdMQmtRWlVwZnRod0FaZgpmRXBaTFFycTExRER2SFNyRWVScGEyaHp4cWk2NEtiSm1mMHIyeEJjeTRwM2ZJYWtkKzdVcksxOE9sQkhNU3dBClE5ZVpBb0dBQTNETFBqM2oyWGVYWFk1QXoyVWpDWVlFV25nbWpzWGgza1VIdkdxYTZvZVdBMlc4bmh1OUNYa0QKbU5tMndnb1cxdnVJMzJHaHJzNGxVT2dMZkVYVm1iS2o4azBTZVdCTXVkNFQyZVNDU3ZoNW5hd29xTjlPemdoeQovZldmalBnYjVOQzBrbDFpQ2s0VkovZWpxdE5McEg1TG5rZkQ1bmRPbjkzQmw3OG5sNjg9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== kind: Secret metadata: annotations: @@ -804,9 +804,9 @@ metadata: --- apiVersion: v1 data: - ca.crt: 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 - tls.crt: 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 - tls.key: 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 + ca.crt: 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 + tls.crt: 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 + tls.key: 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 kind: Secret metadata: annotations: @@ -820,9 +820,9 @@ type: kubernetes.io/tls --- apiVersion: v1 data: - ca.crt: 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 - tls.crt: 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 - tls.key: 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 + ca.crt: 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 + tls.crt: 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 + tls.key: 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 kind: Secret metadata: annotations: @@ -1044,7 +1044,7 @@ spec: template: metadata: annotations: - cilium.io/cilium-configmap-checksum: 0efd90b230059d5f365972ac9f23f8740104c8df11451a92187a5a7cf2048d2b + cilium.io/cilium-configmap-checksum: ad705f4cae0ce149034f98e06bdb7a49fe38c52ad23770c6bad2fba71c5e6b1f prometheus.io/port: "9963" prometheus.io/scrape: "true" labels: 
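Review bot: The new `ca.key` value in this Secret is only base64-encoded, not encrypted: its prefix `LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVk` decodes to `-----BEGIN RSA PRIVATE KEY-----`, so the CA private key is readable by anyone who can read the repository history. The `*.enc.yaml` files in this same commit carry SOPS `ENC[AES256_GCM,...]` values, but `talos/integrations/cilium/cilium.yaml` stores key material in the clear. The CA should be treated as exposed and rotated, and the rendered Secret either kept out of git or encrypted with the existing SOPS setup so the field reads `ca.key: ENC[AES256_GCM,data:<ciphertext>,...]`. The `tls.key` values in the two following Secret hunks are elided on this page; they presumably have the same problem and should be checked.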
@@ -1085,10 +1085,10 @@ spec: name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST - value: 192.168.50.200 + value: localhost - name: KUBERNETES_SERVICE_PORT - value: "6443" - image: quay.io/cilium/operator-generic:v1.14.2@sha256:52f70250dea22e506959439a7c4ea31b10fe8375db62f5c27ab746e3a2af866d + value: "7445" + image: quay.io/cilium/operator-generic:v1.14.5@sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -1178,7 +1178,7 @@ spec: - serve command: - hubble-relay - image: quay.io/cilium/hubble-relay:v1.14.2@sha256:a89030b31f333e8fb1c10d2473250399a1a537c27d022cd8becc1a65d1bef1d6 + image: quay.io/cilium/hubble-relay:v1.14.5@sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4 imagePullPolicy: IfNotPresent livenessProbe: tcpSocket: @@ -1271,7 +1271,7 @@ spec: spec: automountServiceAccountToken: true containers: - - image: quay.io/cilium/hubble-ui:v0.12.0@sha256:1c876cfa1d5e35bc91e1025c9314f922041592a88b03313c22c1f97a5d2ba88f + - image: quay.io/cilium/hubble-ui:v0.12.1@sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267 imagePullPolicy: IfNotPresent name: frontend ports: @@ -1289,7 +1289,7 @@ spec: value: "8090" - name: FLOWS_API_ADDR value: hubble-relay:80 - image: quay.io/cilium/hubble-ui-backend:v0.12.0@sha256:8a79a1aad4fc9c2aa2b3e4379af0af872a89fcec9d99e117188190671c66fc2e + image: quay.io/cilium/hubble-ui-backend:v0.12.1@sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe imagePullPolicy: IfNotPresent name: backend ports: @@ -1330,6 +1330,7 @@ spec: template: metadata: annotations: + cilium.io/cilium-configmap-checksum: ad705f4cae0ce149034f98e06bdb7a49fe38c52ad23770c6bad2fba71c5e6b1f container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined prometheus.io/port: "9962" 
@@ -1366,12 +1367,37 @@ spec: - name: CILIUM_CLUSTERMESH_CONFIG value: /var/lib/cilium/clustermesh/ - name: KUBERNETES_SERVICE_HOST - value: 192.168.50.200 + value: localhost - name: KUBERNETES_SERVICE_PORT - value: "6443" - image: quay.io/cilium/cilium:v1.14.2@sha256:6263f3a3d5d63b267b538298dbeb5ae87da3efacf09a2c620446c873ba807d35 + value: "7445" + image: quay.io/cilium/cilium:v1.14.5@sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b imagePullPolicy: IfNotPresent lifecycle: + postStart: + exec: + command: + - bash + - -c + - | + set -o errexit + set -o pipefail + set -o nounset + + # When running in AWS ENI mode, it's likely that 'aws-node' has + # had a chance to install SNAT iptables rules. These can result + # in dropped traffic, so we should attempt to remove them. + # We do it using a 'postStart' hook since this may need to run + # for nodes which might have already been init'ed but may still + # have dangling rules. This is safe because there are no + # dependencies on anything that is part of the startup script + # itself, and can be safely run multiple times per node (e.g. in + # case of a restart). + if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]]; + then + echo 'Deleting iptables rules created by the AWS CNI VPC plugin' + iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore + fi + echo 'Done!' preStop: exec: command: @@ -1496,10 +1522,10 @@ spec: apiVersion: v1 fieldPath: metadata.namespace - name: KUBERNETES_SERVICE_HOST - value: 192.168.50.200 + value: localhost - name: KUBERNETES_SERVICE_PORT - value: "6443" - image: quay.io/cilium/cilium:v1.14.2@sha256:6263f3a3d5d63b267b538298dbeb5ae87da3efacf09a2c620446c873ba807d35 + value: "7445" + image: quay.io/cilium/cilium:v1.14.5@sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b imagePullPolicy: IfNotPresent name: config terminationMessagePolicy: FallbackToLogsOnError 
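Review bot: In the added `postStart` script both `grep` calls use the pattern `'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN'` without `-E`; in basic regular expressions `|` is a literal character, so as shown the count is always 0 and the cleanup branch never runs. If the hook is wanted, the two calls should read `grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN'` and `grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN'`. The script's own comment says it is for AWS ENI mode, while this manifest points the agent at `localhost:7445`, so the hook is probably an unintended side effect of a chart value. This file looks like rendered chart output, so the change belongs in the values file; outside AWS the hook is better dropped, so that no save/filter/`iptables-restore` pass over the host ruleset can run at agent start. The container spec continues outside the hunk.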
@@ -1512,7 +1538,7 @@ spec: - /bin/bash - -c - -- - image: quay.io/cilium/cilium:v1.14.2@sha256:6263f3a3d5d63b267b538298dbeb5ae87da3efacf09a2c620446c873ba807d35 + image: quay.io/cilium/cilium:v1.14.5@sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b imagePullPolicy: IfNotPresent name: mount-bpf-fs securityContext: @@ -1538,16 +1564,12 @@ spec: name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST - value: 192.168.50.200 + value: localhost - name: KUBERNETES_SERVICE_PORT - value: "6443" - image: quay.io/cilium/cilium:v1.14.2@sha256:6263f3a3d5d63b267b538298dbeb5ae87da3efacf09a2c620446c873ba807d35 + value: "7445" + image: quay.io/cilium/cilium:v1.14.5@sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b imagePullPolicy: IfNotPresent name: clean-cilium-state - resources: - requests: - cpu: 100m - memory: 100Mi securityContext: capabilities: add: @@ -1570,7 +1592,7 @@ spec: name: cilium-run - command: - /install-plugin.sh - image: quay.io/cilium/cilium:v1.14.2@sha256:6263f3a3d5d63b267b538298dbeb5ae87da3efacf09a2c620446c873ba807d35 + image: quay.io/cilium/cilium:v1.14.5@sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b imagePullPolicy: IfNotPresent name: install-cni-binaries resources: diff --git a/talos/patches/metrics.yaml b/talos/patches/metrics.yaml new file mode 100644 index 0000000000..9a6c31a117 --- /dev/null +++ b/talos/patches/metrics.yaml @@ -0,0 +1,7 @@ +machine: + files: + - content: | + [metrics] + address = "0.0.0.0:11234" + path: /etc/cri/conf.d/20-customization.part + op: create
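Review bot: In the new `talos/patches/metrics.yaml`, `address = "0.0.0.0:11234"` makes the containerd metrics listener reachable on every interface of every node the patch is applied to, and that endpoint has no authentication or TLS. If only the in-cluster Prometheus needs it, restrict port 11234 to the scraper's source range with a host firewall rule. The intent is worth recording above the `content` entry with a comment such as `# containerd metrics for Prometheus; port 11234 must not be reachable from outside the node network`. The new file also lacks the leading `---` that this commit adds to the workflow files.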