feat: Bootstrap Talos k8s cluster

2025-10-28 22:46:17 +01:00 · 2025-10-28 22:46:17 +01:00 · 7d3c60325f
commit 7d3c60325f
parent 9ca0f7c431
7 changed files with 336 additions and 0 deletions
--- a/pve01.wheatley.in/k8s-wheatley/modules/talos-bootstrap/templates/cilium-install.yaml.tmpl
+++ b/pve01.wheatley.in/k8s-wheatley/modules/talos-bootstrap/templates/cilium-install.yaml.tmpl
@ -0,0 +1,96 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cilium-install
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: cilium-install
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cilium-install
+  namespace: kube-system
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cilium-install
+  namespace: kube-system
+spec:
+  backoffLimit: 10
+  template:
+    metadata:
+      labels:
+        app: cilium-install
+    spec:
+      restartPolicy: OnFailure
+      tolerations:
+        - operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: PreferNoSchedule
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoExecute
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: PreferNoSchedule
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+      serviceAccount: cilium-install
+      serviceAccountName: cilium-install
+      hostNetwork: true
+      containers:
+      - name: cilium-install
+        image: quay.io/cilium/cilium-cli:latest
+        env:
+        - name: KUBERNETES_SERVICE_HOST
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: KUBERNETES_SERVICE_PORT
+          value: "6443"
+        command:
+          - cilium
+          - install
+          - --set
+          - ipam.mode=kubernetes
+          - --set
+          - kubeProxyReplacement=true
+          - --set
+          - securityContext.capabilities.ciliumAgent={CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}
+          - --set
+          - securityContext.capabilities.cleanCiliumState={NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}
+          - --set
+          - cgroup.autoMount.enabled=false
+          - --set
+          - cgroup.hostRoot=/sys/fs/cgroup
+          - --set
+          - k8sServiceHost=10.13.38.11
+          - --set
+          - k8sServicePort=6443
+          - --set
+          - gatewayAPI.enabled=true
+          - --set
+          - gatewayAPI.enableAlpn=true 
+          - --set
+          - gatewayAPI.enableAppProtocol=true
--- a/pve01.wheatley.in/k8s-wheatley/modules/talos-bootstrap/templates/machineconfig-cp.yaml.tmpl
+++ b/pve01.wheatley.in/k8s-wheatley/modules/talos-bootstrap/templates/machineconfig-cp.yaml.tmpl
@ -0,0 +1,43 @@
+debug: false
+machine:
+  type: ${machine_type}
+  install:
+    disk: /dev/vda
+    image: factory.talos.dev/nocloud-installer-secureboot/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v${talos_version}
+  network:
+    hostname: ${hostname}
+    nameservers:
+      - 10.13.37.2
+    %{ if machine_type == "controlplane" }
+    interfaces:
+      - interface: eth0
+        dhcp: false
+        vip:
+          ip: ${vip_address}
+    %{ endif }
+  kubelet:
+    extraArgs:
+      pod-max-pids: 1000
+    extraConfig:
+      imageGCHighThresholdPercent: 75
+      imageGCLowThresholdPercent: 70
+  nodeLabels:
+    topology.kubernetes.io/region: ${cluster_name}
+    topology.kubernetes.io/zone: ${node_name}
+
+cluster:
+  apiServer:
+    auditPolicy:
+      apiVersion: audit.k8s.io/v1
+      kind: Policy
+      rules:
+        - level: Metadata
+  network:
+    cni:
+      name: none
+  proxy:
+    disabled: true
+  inlineManifests:
+  - name: cilium-bootstrap
+    contents: |
+      ${indent(6, cilium_install_file)}
--- a/pve01.wheatley.in/k8s-wheatley/modules/talos-bootstrap/templates/machineconfig-worker.yaml.tmpl
+++ b/pve01.wheatley.in/k8s-wheatley/modules/talos-bootstrap/templates/machineconfig-worker.yaml.tmpl
@ -0,0 +1,36 @@
+debug: false
+machine:
+  type: ${machine_type}
+  install:
+    disk: /dev/vda
+    image: factory.talos.dev/nocloud-installer-secureboot/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v${talos_version}
+  network:
+    hostname: ${hostname}
+    nameservers:
+      - 10.13.37.2
+  kubelet:
+    extraArgs:
+      pod-max-pids: 1000
+    extraConfig:
+      imageGCHighThresholdPercent: 75
+      imageGCLowThresholdPercent: 70
+  nodeLabels:
+    topology.kubernetes.io/region: ${cluster_name}
+    topology.kubernetes.io/zone: ${node_name}
+
+cluster:
+  apiServer:
+    auditPolicy:
+      apiVersion: audit.k8s.io/v1
+      kind: Policy
+      rules:
+        - level: Metadata
+  network:
+    cni:
+      name: none
+  proxy:
+    disabled: true
+  inlineManifests:
+  - name: cilium-bootstrap
+    contents: |
+      ${indent(6, cilium_install_file)}