Setup or kairos

2024-08-03 23:44:00 +01:00
parent 5de3c8ae6e
commit 2dfe4f5ca4
24 changed files with 44 additions and 12769 deletions
--- a/apps/apps-namespace.yaml
+++ b/apps/apps-namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: apps
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - apps-namespace.yaml
 - whoami
--- a/apps/whoami/deployment.yaml
+++ b/apps/whoami/deployment.yaml
@@ -1,20 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: whoami
  namespace: apps
 spec:
  selector:
    matchLabels:
      app: whoami
  replicas: 1
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80
--- a/apps/whoami/ingress.yaml
+++ b/apps/whoami/ingress.yaml
@@ -1,17 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: whoami-ingress
  namespace: apps
 spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: whoami
            port:
              name: web
              number: 80
--- a/apps/whoami/kustomization.yaml
+++ b/apps/whoami/kustomization.yaml
@@ -1,7 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: apps
 resources:
 - deployment.yaml
 - service.yaml
 - ingress.yaml
--- a/apps/whoami/service.yaml
+++ b/apps/whoami/service.yaml
@@ -1,12 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: whoami
  namespace: apps
 spec:
  ports:
    - name: web
      port: 80
      targetPort: web
  selector:
    app: whoami
--- a/clusters/talos/apps.yaml
+++ b/clusters/talos/apps.yaml
@@ -1,14 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: apps
  namespace: flux-system
 spec:
  interval: 10m
  path: ./apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  dependsOn:
    - name: infra
--- a/clusters/talos/flux-system/gotk-components.yaml
+++ b/clusters/talos/flux-system/gotk-components.yaml
--- a/clusters/talos/flux-system/gotk-sync.yaml
+++ b/clusters/talos/flux-system/gotk-sync.yaml
@@ -1,27 +0,0 @@
 # This manifest was generated by flux. DO NOT EDIT.
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: flux-system
  namespace: flux-system
 spec:
  interval: 1m0s
  ref:
    branch: main
  secretRef:
    name: flux-system
  url: ssh://git@gitea.home.joemonk.co.uk:2222/joe/gitops.git
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: flux-system
  namespace: flux-system
 spec:
  interval: 10m0s
  path: ./clusters/talos
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--- a/clusters/talos/flux-system/kustomization.yaml
+++ b/clusters/talos/flux-system/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gotk-components.yaml
 - gotk-sync.yaml
--- a/clusters/talos/infra.yaml
+++ b/clusters/talos/infra.yaml
@@ -1,12 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: infra
  namespace: flux-system
 spec:
  interval: 10m0s
  path: ./infra
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--- a/infra/cilium/announce.yaml
+++ b/infra/cilium/announce.yaml
@@ -1,8 +0,0 @@
 apiVersion: cilium.io/v2alpha1
 kind: CiliumL2AnnouncementPolicy
 metadata:
  name: default-l2-announcement-policy
  namespace: kube-system
 spec:
  externalIPs: true
  loadBalancerIPs: true
--- a/infra/cilium/ip-pool.yaml
+++ b/infra/cilium/ip-pool.yaml
@@ -1,8 +0,0 @@
 apiVersion: cilium.io/v2alpha1
 kind: CiliumLoadBalancerIPPool
 metadata:
  name: default-pool
  namespace: kube-system
 spec:
  blocks:
    - cidr: 192.168.16.0/20
--- a/infra/cilium/kustomization.yaml
+++ b/infra/cilium/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ip-pool.yaml
 - announce.yaml
--- a/infra/ingress-namespace.yaml
+++ b/infra/ingress-namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: ingress
--- a/infra/kustomization.yaml
+++ b/infra/kustomization.yaml
@@ -1,6 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ingress-namespace.yaml
 - cilium
 - traefik
--- a/infra/traefik/kustomization.yaml
+++ b/infra/traefik/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - traefik-repository.yaml
 - traefik-helm-release.yaml
--- a/infra/traefik/traefik-helm-release.yaml
+++ b/infra/traefik/traefik-helm-release.yaml
@@ -1,28 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
  name: traefik
  namespace: ingress
 spec:
  interval: 5m
  chart:
    spec:
      chart: traefik
      version: '28.1.0'
      sourceRef:
        kind: HelmRepository
        name: traefik
        namespace: ingress
      interval: 15m
      valuesFiles:
        - values.yaml
  values:
    service:
      annotations:
        io.cilium/lb-ipam-ips: 192.168.1.102
    providers:
      kubernetesIngress:
        # -- Load Kubernetes Ingress provider
        enabled: true
        # -- Allows to reference ExternalName services in Ingress
        allowExternalNameServices: true
--- a/infra/traefik/traefik-repository.yaml
+++ b/infra/traefik/traefik-repository.yaml
@@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
  name: traefik
  namespace: ingress
 spec:
  interval: 15m
  url: https://traefik.github.io/charts
--- a/kairos_config.yaml
+++ b/kairos_config.yaml
@@ -0,0 +1,23 @@
 #cloud-config
 users:
 - name: "kairos"
  passwd: "kairos"
  groups:
  - "admin"
  ssh_authorized_keys:
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjAjv9cWzwoJhTlzdrDw47eIg9t51vMbXbf0he96mRK joemonk@hotmail.co.uk" # VSCode Container
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOzNQet/Vm/EXU8GR0D4I+QYIPiGL5rCKPgDPhjWKIU joemonk@hotmail.co.uk" # Laptop
 # Enable K3s on the node.
 k3s:
  enabled: true                         # Set to true to enable K3s.
 stages:
  boot:
  - name: "Setup hostname"
    hostname: "kairos"
  - name: "Setup dns"
    dns:
      nameservers:
      - 192.168.1.1
--- a/readme.md
+++ b/readme.md
@@ -1,4 +1,4 @@
-## Laptop
+# Laptop Flux
 `choco install kind`  
 `choco install flux`
@@ -6,3 +6,23 @@
 `kind create cluster`  
 `flux bootstrap git --private-key-file=C:/Users/Joe/.ssh/gitea --url ssh://git@gitea.home.joemonk.co.uk:2222/joe/gitops.git --branch main --path=clusters/kind`
 # Kairos
 - Grab the latest image from https://github.com/kairos-io/kairos/releases, the image should have the format `kairos-debian-bookworm-standard-amd64-generic-v3.1.1-k3sv1.30.2+k3s1`.
  The main things we're looking for are the latest debian, standard, amd64, then the versions of kairos (v3.1.1) and k3s (1.30.2).
 - Burn to usb
 - Boot from usb, live install and go to the config webui
 - Add the public keys to the config (from ~/.ssh - `ssh-keygen -t ed25519 -C "joemonk@hotmail.co.uk"`)
 - Put the kairos_config in, check the shutdown button and let it install
 - Remove the usb, ssh in with using the specific private key (i.e. from ~/.ssh - `ssh -i ./kairos kairos@192.168.1.101` or add the following to ~/.ssh/config to just use `ssh 192.168.1.101`)
 ```
 Host 192.168.1.101
    HostName 192.168.1.101
    User kairos
    IdentityFile ~/.ssh/kairos
 ```
 ## Flux CD
 - `flux bootstrap git --private-key-file=/config/.ssh/kairos --url ssh://git@gitea.home.joemonk.co.uk:2222/joe/gitops.git --branch main --path=clusters/kairos`
--- a/talos/controlplane.yaml
+++ b/talos/controlplane.yaml
@@ -1,98 +0,0 @@
 version: v1alpha1
 debug: false
 persist: true
 machine:
    type: controlplane
    token: n9y5eq.m7wt7dimgfl8175f
    ca:
        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFBemlIa1J3cjMrMnAyQWl6K1cxVmhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXlNVFF4T0RJME1qWmFGdzB6TkRBeU1URXhPREkwTWpaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBSFBmZmd2ZjZGalpIM0xEbk50aS9HSG9ITmhjMW5Ra0tQb2s1CmFSS1lwZmFqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVQitOZ05BM1FXVTBOREh1VQoxWWE5MmxOMmIrb3dCUVlESzJWd0EwRUFnZ1cva1VvcVJmSUZZRk42MTkxK0NwWk1qWXlNU0RPdE4vdW51ZGpPCmJiSlEvQTRadnVYT2pBR3loMkJmeW5MY3Y3bVFUNzhqZzYzRDY1S3BXcmtPQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJTXJLYTRtTG1mUTVZeUMxazQ0cGk0MU1sMjN4V2N1NGp5TnRkZkxOdUtwMgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
    certSANs: []
    kubelet:
        image: ghcr.io/siderolabs/kubelet:v1.29.1
        defaultRuntimeSeccompProfileEnabled: true
        disableManifestsDirectory: true
    network: {}
    install:
        disk: /dev/sda
        extraKernelArgs:
            - talos.platform=metal
            - talos.hostname=talos
        image: ghcr.io/siderolabs/installer:v1.6.4
        wipe: true
    features:
        rbac: true
        stableHostname: true
        apidCheckExtKeyUsage: true
        diskQuotaSupport: true
        kubePrism:
            enabled: true
            port: 7445
 cluster:
    id: VWpUbi_9bCB87F51ZcpsHZvZxZ-MAF-J5uuq_2Rz_ZM=
    secret: u1R5pV72bj7kuyTvQ0uFeM81cR3VstKVRMF4VdFeehg=
    controlPlane:
        endpoint: https://192.168.1.101:6443
    clusterName: talos
    network:
        cni:
            name: none
        dnsDomain: cluster.local
        podSubnets:
            - 10.244.0.0/16
        serviceSubnets:
            - 10.96.0.0/12
    token: 2bilql.wggdk4dqypsfozwd
    secretboxEncryptionSecret: 4tLuleOazv3jiacgmHKPySvi/2M2wbnsCG+Z0uvsq74=
    ca:
        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpVENDQVMrZ0F3SUJBZ0lRTDA3T0lESUVMWWd4NXJwSmM0b0l5akFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTBNREl4TkRFNE1qUXlObG9YRFRNME1ESXhNVEU0TWpReQpObG93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCR0pwVUZiQ21tUEc2eHAwYzhBbk5ubTg4UEhSN2tOd3dmUVlJdmdKOUhQTHhUbm1GN2UyVkdzek40T0YKVnJ2MGM0MXYwTE9TYlZlbDNGQlIrajAwYXoyallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVV2UVQ5aG5MV2NwM2JsdXV4cTVOOTR5Y1RQSFl3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQU9EbkhzTzQKVm5oNi9ZNmg3VEQ3ZFI3eG94OHgwR1FSTVoxMlNFUzVHbXM5QWlBKzFiZzNtRHVhRnpsU3llV2o3NHNsZ3E5bwozdXhrc25rcS9ZV3B0c2xqUGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhXQUtJQjBIVDE0TERFWmF4L2Noa0RSVFk2LzJrSnFMVEpaeUxOSlloZU1vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFWW1sUVZzS2FZOGJyR25SendDYzJlYnp3OGRIdVEzREI5QmdpK0FuMGM4dkZPZVlYdDdaVQphek0zZzRWV3UvUnpqVy9RczVKdFY2WGNVRkg2UFRSclBRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
    aggregatorCA:
        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZVENDQVFhZ0F3SUJBZ0lSQU95TEN4R3ZIRHR1cnZia2JteWR2UzB3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5EQXlNVFF4T0RJME1qWmFGdzB6TkRBeU1URXhPREkwTWpaYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVE3UzlpZnU4bmRQSmtXa2dBSHpGd0JSajFLSXZtUHdGMU8zUmVEa3liYmlHOXpGZmMzCkRiNFJ0S1JPSmVZMW9yMitZL2lmeXo3b2xidDBkY1o0U0FLWm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGQ01RMXNDSmJGK0w5MGdEVmtUSHBGbDJXNlloTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCklRQ1NBajE3YWZieHFxbFVrTVF4cHN5VnpmM0JxaS84aEIra01heWoraGViRFFJaEFLSkprdFlDT2ZTUVkxRGcKRVVjUHVmTVFLbmhZNDJ2VnBSSDZEQ0JNZjhMSwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFJY3NHMDZ5MXZyOVJrVFhZaUE4OHV0UC9OdmlXaVp4WUxZbjl1WmdPRmlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFTzB2WW43dkozVHlaRnBJQUI4eGNBVVk5U2lMNWo4QmRUdDBYZzVNbTI0aHZjeFgzTncyKwpFYlNrVGlYbU5hSzl2bVA0bjhzKzZKVzdkSFhHZUVnQ21RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
    serviceAccount:
        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBsQ25lSlFydFc0bm9hbTJheDhUVHVFRVVBSlhJaXZWUjAvc0ZDRVJEemZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcnVCWWxTSi9zYi92VlIxL1FUdWZmU1hFZFMzQ0VOSU5NY3poZHh2eDdoektURVh5WWxuZwoxRGNJTnBPc2taT0E1YTNjUDhhV1JVQ3FKTWlJbzdNN2ZnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
    apiServer:
        image: registry.k8s.io/kube-apiserver:v1.29.1
        certSANs:
            - 192.168.1.101
        disablePodSecurityPolicy: true
        admissionControl:
            - name: PodSecurity
              configuration:
                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
                defaults:
                    audit: restricted
                    audit-version: latest
                    enforce: baseline
                    enforce-version: latest
                    warn: restricted
                    warn-version: latest
                exemptions:
                    namespaces:
                        - kube-system
                    runtimeClasses: []
                    usernames: []
                kind: PodSecurityConfiguration
        auditPolicy:
            apiVersion: audit.k8s.io/v1
            kind: Policy
            rules:
                - level: Metadata
    controllerManager:
        image: registry.k8s.io/kube-controller-manager:v1.29.1
    proxy:
        disabled: true
    scheduler:
        image: registry.k8s.io/kube-scheduler:v1.29.1
    discovery:
        enabled: true
        registries:
            kubernetes:
                disabled: true
            service: {}
    etcd:
        ca:
            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmVENDQVNPZ0F3SUJBZ0lRS0J1MjNwTi9PUzNDZ0RqNk5WNUw2VEFLQmdncWhrak9QUVFEQWpBUE1RMHcKQ3dZRFZRUUtFd1JsZEdOa01CNFhEVEkwTURJeE5ERTRNalF5TmxvWERUTTBNREl4TVRFNE1qUXlObG93RHpFTgpNQXNHQTFVRUNoTUVaWFJqWkRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkJjYkg2OWpJVlU4CmE1NWhJY3Bsb3pnc0JkWjBPUGxiSEZEYnV6ay9NYytsSEtNZFhTenhiSVRFTnV4QUxBRGtDRXlQQldQTzlvaDAKcDY2bGt3MnNqZVdqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjRApBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVWnptMmFBVzRqcnhFCk9uQXE1V0FvdlpuYVJwVXdDZ1lJS29aSXpqMEVBd0lEU0FBd1JRSWdYZXgxMWpXTnBLK0tZTTB3ZkJWUnQwbU4KOWNtbW1vT0lPRm5MYjVPUER5UUNJUUNQbzZQS3B0dHdueGVXRlNobVA3aEhaR0N1MlFDb2VvWU5ydVRWdUdXUQpBUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdjU3EvSVhFK0s2bUJVV1cxdXNWcFdPQ3hUYTYrZGFZMlorK3pETk81aHNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFRnhzZnIyTWhWVHhybm1FaHltV2pPQ3dGMW5RNCtWc2NVTnU3T1Q4eHo2VWNveDFkTFBGcwpoTVEyN0VBc0FPUUlUSThGWTg3MmlIU25ycVdURGF5TjVRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
    allowSchedulingOnControlPlanes: true
--- a/talos/readme.md
+++ b/talos/readme.md
@@ -1,82 +0,0 @@
 # Set up
 ## Prerequisites
 Boot from talos iso memory stick (dd mode in rufus).
 ## Talos
 - `talosctl -n 192.168.1.101 apply-config -f controlplane.yaml --insecure`
 - `talosctl -n 192.168.1.101 -e 192.168.1.101 --talosconfig=./talosconfig bootstrap`
 - `talosctl -n 192.168.1.101 -e 192.168.1.101 --talosconfig ./talosconfig kubeconfig`
 ### Resetting
 Boot the above memory stick and click reset installation, then carry on as above.
 ### Upgrading
 `talosctl -n 192.168.1.101 -e 192.168.1.101 --talosconfig ./talosconfig upgrade --preserve --image ghcr.io/siderolabs/installer:v1.7.2`
 ## Patching
 First create the patch file
 i.e.
 ```patch.yaml
 cluster:
  network:
    cni:
      name: none
  proxy:
    disabled: true
 ```
 Then apply the patch to the control plane yaml
 `talosctl machineconfig patch controlplane.yaml --patch @patch.yaml -o controlplane.yaml`
 And apply that control plane yaml with
 `talosctl -n 192.168.1.101 -e 192.168.1.101 --talosconfig ./talosconfig apply-config -f controlplane.yaml`
 ## Cilium
 - `helm repo add cilium https://helm.cilium.io/`
 - `helm repo update`
 ```sh
 helm install \
    cilium \
    cilium/cilium \
    --version 1.15.1 \
    --namespace kube-system \
    --set=ipam.mode=kubernetes \
    --set=kubeProxyReplacement=true \
    --set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
    --set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
    --set=cgroup.autoMount.enabled=false \
    --set=cgroup.hostRoot=/sys/fs/cgroup \
    --set=k8sServiceHost=localhost \
    --set=k8sServicePort=7445 \
    --set=hubble.relay.enabled=true \
    --set=hubble.ui.enabled=true \
    --set=l2announcements.enabled=true \
    --set=externalIPs.enabled=true \
    --set operator.replicas=1
 ```
 You can modify this after install with:
 ```sh
 helm upgrade cilium cilium/cilium --version 1.15.1 \
    --namespace kube-system \
    --reuse-values \
    --set operator.replicas=1 \
    --set externalIPs.enabled=true \
    --set enableCiliumEndpointSlice=true
 ```
 ## Flux
 - `flux bootstrap git --private-key-file=/config/.ssh/gitea --url ssh://git@gitea.home.joemonk.co.uk:2222/joe/gitops.git --branch main --path=clusters/talos`
--- a/talos/talosconfig
+++ b/talos/talosconfig
@@ -1,8 +0,0 @@
 context: talos
 contexts:
    talos:
        endpoints:
            - 127.0.0.1
        ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFBemlIa1J3cjMrMnAyQWl6K1cxVmhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXlNVFF4T0RJME1qWmFGdzB6TkRBeU1URXhPREkwTWpaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBSFBmZmd2ZjZGalpIM0xEbk50aS9HSG9ITmhjMW5Ra0tQb2s1CmFSS1lwZmFqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVQitOZ05BM1FXVTBOREh1VQoxWWE5MmxOMmIrb3dCUVlESzJWd0EwRUFnZ1cva1VvcVJmSUZZRk42MTkxK0NwWk1qWXlNU0RPdE4vdW51ZGpPCmJiSlEvQTRadnVYT2pBR3loMkJmeW5MY3Y3bVFUNzhqZzYzRDY1S3BXcmtPQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEJwSGtPUld0Q1Z4cHBQdjJpeVJHOWJNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXlNVFF4T0RJME1qWmFGdzB5TlRBeU1UTXhPREkwTWpaYU1CTXhFVEFQQmdOVgpCQW9UQ0c5ek9tRmtiV2x1TUNvd0JRWURLMlZ3QXlFQW5Wd1lhUjkvN2lEZTVoNVFmb1F4U093RHQ2YjVHUXRwCmlBMnRRRStmUHhtalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0QKQWpBZkJnTlZIU01FR0RBV2dCUUg0MkEwRGRCWlRRME1lNVRWaHIzYVUzWnY2akFGQmdNclpYQURRUUNDd1RwcwpFWUVCTElvYmZJSmVGS1U0T0tJZHNYaFVaUU9mSC9ubmUxdy9iNE9DdnV0ZVQvK2VLWVVkdnA5QlVtb0k0Ylc2Cm9FVTF2elR6aUdtT0tYNEIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQ1ROcTREZFFUcmZxRFk2L0xYSmNnQURZNjcxcU5Rd0JVQjhMKzVYeUtZVAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K