Try cilium through helm

clusters/talos/cilium/cilium-helm-release.yaml

@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: cilium
+  namespace: kube-system
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: cilium/cilium
+      version: '1.14.0'
+      sourceRef:
+        kind: HelmRepository
+        name: cilium
+        namespace: flux-system
+      interval: 15m
+  valuesFile: values.yaml

clusters/talos/cilium/cilium-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: cilium
+  namespace: flux-system
+spec:
+  interval: 15m
+  url: https://helm.cilium.io/

clusters/talos/cilium/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- cilium-repository.yaml
+- cilium-helm-release.yaml

clusters/talos/cilium/values.yaml

@@ -0,0 +1,23 @@
+k8sServiceHost: "192.168.1.101"
+k8sServicePort: "6443"
+
+operator:
+  replicas: 1
+  rollOutPods: true
+
+externalIPs:
+  enabled: true
+
+enableCiliumEndpointSlice: true
+
+kubeProxyReplacement: "disabled"
+ipam:
+  mode: "kubernetes"
+securityContext:
+  capabilities:
+    ciliumAgent: "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
+    cleanCiliumState: "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
+cgroup:
+  hostRoot: "/sys/fs/cgroup"
+  autoMount:
+    enabled: "false"

talos/controlplane.yaml

@@ -0,0 +1,112 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+    type: controlplane
+    token: 5w99jv.xwr2t1c7guxnnn7v
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFYeDdVNnppQWUzVjNpdGxJbXpjeDhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXhNalV5TVRBME1EWmFGdzB6TkRBeE1qSXlNVEEwTURaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBaUJPY1N0K003dG1vL1h6ZWF0djA3NnVtcEtldVdMd242Zy9DCjJxVmNaUXlqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVb2ZmK2NNcDJ3VzBDUVB6eAo3d3hZOTZFZVV5c3dCUVlESzJWd0EwRUFVRVNzKzByNW5JajFJTWU4ZWd3QkdhVEZRbkpwVmZNcnFLcENGOWRoCjdadlZuNjB4bzZ1MW56SDJVeEk3Y1E5eHZyNzduZVNpQVppcUdETnFleUdRQkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRzI4aDd6aDdjc0VnRjF0NlFSQ09NTnVTS0pPRlZsWHVhZkZSdUFIWVdQTQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+    certSANs: []
+    kubelet:
+        image: ghcr.io/siderolabs/kubelet:v1.29.1
+        extraArgs:
+            rotate-server-certificates: "true"
+        extraMounts:
+            - destination: /var/mnt
+              type: bind
+              source: /var/mnt
+              options:
+                - bind
+                - rshared
+                - rw
+        defaultRuntimeSeccompProfileEnabled: true
+        disableManifestsDirectory: true
+    network: {}
+    install:
+        disk: /dev/sda
+        extraKernelArgs:
+            - talos.platform=metal
+            - talos.hostname=talos
+            - bond=bond0
+        image: ghcr.io/siderolabs/installer:v1.6.3
+        wipe: true
+    features:
+        rbac: true
+        stableHostname: true
+        apidCheckExtKeyUsage: true
+        diskQuotaSupport: true
+        kubePrism:
+            enabled: true
+            port: 7445
+cluster:
+    id: mAamz7knxpoVJ2yIwD9P_LMUl1SOrbOntwnFbN_-JNk=
+    secret: +6LCZC7LYhxlVC3xBCuE7T20+QrzBMB8BGgrRlR29/s=
+    controlPlane:
+        endpoint: https://192.168.1.101:6443
+    clusterName: talos
+    network:
+        cni:
+            name: none
+        dnsDomain: cluster.local
+        podSubnets:
+            - 10.244.0.0/16
+        serviceSubnets:
+            - 10.96.0.0/12
+    token: dnjew1.zp3h6tprfa7ptctz
+    secretboxEncryptionSecret: JNnpOzDpHKZ7zKrF3hFttATjuapVU4/SrX8XMupJeeE=
+    ca:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpVENDQVMrZ0F3SUJBZ0lRSXlseS9GYmdlTElmcS9MQVRVaC9YREFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTBNREV5TlRJeE1EUXdObG9YRFRNME1ERXlNakl4TURRdwpObG93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCSnU3QWNLaE9vTExjaWhTOHhWL21BM0RKZlRhRTRVSmpPUmlQNEFpb0FNc1Fhd29CcDRwZVZvd1RvWXkKd25rWTlSeW1VT3UxbUhwbjNUYS9qdWdHbVhhallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVU4citMalUySmZpL0NhVUhNUkZYZzJLUE41UUV3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnZWlXRDJsWVMKZVNGOHE5UFJMSTVOMWxyWkd0VDRMSTVMNkl6VnY3dW5DeVVDSVFDdm4ycTRLMFozQWExbk5qZ01KV2xpRTZxTQozN2hOdGhmNWFvMkJzTDlrVXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUNNa1h5ZEs1UlZoNEZBd2VVb0hHS3BFYlNHWlZtQnBBQ0ZIdFg5aTVDWXhvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbTdzQndxRTZnc3R5S0ZMekZYK1lEY01sOU5vVGhRbU01R0kvZ0NLZ0F5eEJyQ2dHbmlsNQpXakJPaGpMQ2VSajFIS1pRNjdXWWVtZmROcitPNkFhWmRnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    aggregatorCA:
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYekNDQVFhZ0F3SUJBZ0lSQVBTSWhCcUUvRjZ5ckgyT0dQdGFWRzB3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5EQXhNalV5TVRBME1EWmFGdzB6TkRBeE1qSXlNVEEwTURaYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVF4ZHEwbXVTUm15VGRycDE4clpISVArY0pKMWpEQUxCY0lMcko5ZGEydElNS24wbGxHCi90c1FFZW5ISWxsd2pRQm1VbE9IVElaRm5OeXRQTXA5c3lPM28yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGQ3RtTjNRbFZxQ3Bmdmo5UU9mTU9mQTBwRW5JTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDCklBWmZpWlFaMUpobHIrMmV3OGZ2M3NyVzJxTCtWRzcwdUxzRmxBTFN4aXR1QWlBMlNycmMyaDNxejdYN2RMcG8KRTB3QjAwc1hBeUg0Q3E4YUxBMDBaZHhiSGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlWK0wzVnJRclp4bzZPcXZHNVc1VnNEbWI5UDUwODVXWm5vU1pVL1JDYnVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFTVhhdEpya2tac2szYTZkZksyUnlEL25DU2RZd3dDd1hDQzZ5ZlhXdHJTRENwOUpaUnY3YgpFQkhweHlKWmNJMEFabEpUaDB5R1JaemNyVHpLZmJNanR3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    serviceAccount:
+        key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhKL3AxSkR3SnNYMU16dGs5VzZleVRxUWsvWlFGM2Q5WG1VSFYzeDBGN05vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFaTJGZ000UnFESWZOeXloK0M2STh2T2FPY2prRkM5b09pNld1V3hBZE5NSHdLelZ5eHRGUgpyQ01TaVp6eVlQVjgyTUZLczNNMHhuMzJ4elJmbnk4cUNnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    apiServer:
+        image: registry.k8s.io/kube-apiserver:v1.29.1
+        certSANs:
+            - 192.168.1.101
+        disablePodSecurityPolicy: true
+        admissionControl:
+            - name: PodSecurity
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+                defaults:
+                    audit: restricted
+                    audit-version: latest
+                    enforce: baseline
+                    enforce-version: latest
+                    warn: restricted
+                    warn-version: latest
+                exemptions:
+                    namespaces:
+                        - kube-system
+                    runtimeClasses: []
+                    usernames: []
+                kind: PodSecurityConfiguration
+        auditPolicy:
+            apiVersion: audit.k8s.io/v1
+            kind: Policy
+            rules:
+                - level: Metadata
+    controllerManager:
+        image: registry.k8s.io/kube-controller-manager:v1.29.1
+    proxy:
+        image: registry.k8s.io/kube-proxy:v1.29.1
+    scheduler:
+        image: registry.k8s.io/kube-scheduler:v1.29.1
+    discovery:
+        enabled: true
+        registries:
+            kubernetes:
+                disabled: true
+            service: {}
+    etcd:
+        ca:
+            crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNPZ0F3SUJBZ0lRSmdwZmdETWt2UVowMVNWTW4rUEUvakFLQmdncWhrak9QUVFEQWpBUE1RMHcKQ3dZRFZRUUtFd1JsZEdOa01CNFhEVEkwTURFeU5USXhNRFF3TmxvWERUTTBNREV5TWpJeE1EUXdObG93RHpFTgpNQXNHQTFVRUNoTUVaWFJqWkRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQk9uaFNGMU9iOTQ0CjB0cUxiaWJ1dHdhQzZXWCtNQXMvbjdwZFhrTVcxU3B0Y054eXVFWDZTTmpKYjBJMTV5NVU1N09ORUlGUndFaWsKaVpFZUIrRC9wZDJqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjRApBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVRUU2OEpUb1hmR2pWCnlma2NVQk5mQnNsQjgrQXdDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBS1g5eGtESWVPZmVVVlhOUEFpbzRmb08KRXp5YWhqQjB5NVc2NTdaa2MxQnBBaUVBc2c1UFN5Y2hDdFFtcUpMZHY0Q3dvVHJRcjJCVDlMQkN1Qndra3MxTgpVR2c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+            key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUthWWhobnV4bWxYcU5EMGxkUGxRNDJUN3pRdE0rb2diWGc0WnJ0V2toMnVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNmVGSVhVNXYzampTMm90dUp1NjNCb0xwWmY0d0N6K2Z1bDFlUXhiVkttMXczSEs0UmZwSQoyTWx2UWpYbkxsVG5zNDBRZ1ZIQVNLU0prUjRINFArbDNRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+    extraManifests:
+        - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+        - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
+    allowSchedulingOnControlPlanes: true

talos/readme.md

@@ -0,0 +1,36 @@
+#
+
+## Prerequisites
+
+
+
+## Commands
+
+- `talosctl -n 192.168.1.101 apply-config -f controlplane.yaml --insecure`
+- `talosctl --nodesn.168.1.101 -e 192.168.1.101 --talosconfig=./talosconfig bootstrap`
+- `talosctl --talosconfig ./talosconfig -n 192.168.1.101 -e 192.168.1.101 kubeconfig`
+- `flux bootstrap git --private-key-file=/config/.ssh/gitea --url ssh://git@gitea.home.joemonk.co.uk:2222/joe/gitops.git --branch main --path=clusters/talos`
+
+## Patching
+
+First create the patch file
+i.e.
+```patch.yaml
+cluster:
+  network:
+    cni:
+      name: none
+```
+
+Then apply the patch to the control plane yaml
+
+`talosctl machineconfig patch controlplane.yaml --patch @patch.yaml -o controlplane.yaml`
+
+And apply that control plane yaml with
+
+`talosctl --talosconfig ./talosconfig -n 192.168.1.101 -e 192.168.1.101 apply-config -f controlplane.yaml`
+
+## Cilium
+
+`helm repo add cilium https://helm.cilium.io/`
+`helm repo update`

talos/talosconfig

@@ -0,0 +1,8 @@
+context: talos
+contexts:
+    talos:
+        endpoints:
+            - 127.0.0.1
+        ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFYeDdVNnppQWUzVjNpdGxJbXpjeDhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXhNalV5TVRBME1EWmFGdzB6TkRBeE1qSXlNVEEwTURaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBaUJPY1N0K003dG1vL1h6ZWF0djA3NnVtcEtldVdMd242Zy9DCjJxVmNaUXlqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVb2ZmK2NNcDJ3VzBDUVB6eAo3d3hZOTZFZVV5c3dCUVlESzJWd0EwRUFVRVNzKzByNW5JajFJTWU4ZWd3QkdhVEZRbkpwVmZNcnFLcENGOWRoCjdadlZuNjB4bzZ1MW56SDJVeEk3Y1E5eHZyNzduZVNpQVppcUdETnFleUdRQkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+        crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBOG1VSEU1c2JMbXMxalIvQlNmcGhRakFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qUXdNVEkxTWpFd05EQTJXaGNOTWpVd01USTBNakV3TkRBMldqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRsY0FNaEFBalJKam1aRmR4YWxKMkQxSVN4b1FBMnZTS01nTzBxCnJ0R0FjUWNnNmNxbW8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVvZmYrY01wMndXMENRUHp4N3d4WTk2RWVVeXN3QlFZREsyVndBMEVBek9DRQowYVY3VWg4dDcxSXRqVWJxa2xMaW1hRVI1cmNWU0RkditRZExpZGM1a3BYdHAwZ1hxcGVXdnlpS0tCaFFjYjN3CjVYcVZTWVlETXE0NGp0VkNDQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+        key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRUVXU2NISk1INGVLUmZyZFZCVHRGdkZjWG1VN3R5aytMbUhjOEt2bU1rNAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K