joe/gitops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a app kustomize and the new talos configs

Browse Source
This commit is contained in:
Joe Monk
2024-02-14 19:46:39 +00:00
parent 7980076108
commit a7c4f3f1e4
4 changed files with 534 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
apps/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./whoami

549
talos/controlplane.yaml
View File

@@ -1,79 +1,449 @@
version: v1alpha1
debug: false
version: v1alpha1 # Indicates the schema used to decode the contents.
debug: false # Enable verbose logging to the console.
persist: true
# Provides machine specific configuration options.
machine:
type: controlplane
token: 5w99jv.xwr2t1c7guxnnn7v
type: controlplane # Defines the role of the machine within the cluster.
token: n9y5eq.m7wt7dimgfl8175f # The `token` is used by a machine to join the PKI of the cluster.
# The root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFYeDdVNnppQWUzVjNpdGxJbXpjeDhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXhNalV5TVRBME1EWmFGdzB6TkRBeE1qSXlNVEEwTURaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBaUJPY1N0K003dG1vL1h6ZWF0djA3NnVtcEtldVdMd242Zy9DCjJxVmNaUXlqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVb2ZmK2NNcDJ3VzBDUVB6eAo3d3hZOTZFZVV5c3dCUVlESzJWd0EwRUFVRVNzKzByNW5JajFJTWU4ZWd3QkdhVEZRbkpwVmZNcnFLcENGOWRoCjdadlZuNjB4bzZ1MW56SDJVeEk3Y1E5eHZyNzduZVNpQVppcUdETnFleUdRQkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRzI4aDd6aDdjc0VnRjF0NlFSQ09NTnVTS0pPRlZsWHVhZkZSdUFIWVdQTQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFBemlIa1J3cjMrMnAyQWl6K1cxVmhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXlNVFF4T0RJME1qWmFGdzB6TkRBeU1URXhPREkwTWpaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBSFBmZmd2ZjZGalpIM0xEbk50aS9HSG9ITmhjMW5Ra0tQb2s1CmFSS1lwZmFqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVQitOZ05BM1FXVTBOREh1VQoxWWE5MmxOMmIrb3dCUVlESzJWd0EwRUFnZ1cva1VvcVJmSUZZRk42MTkxK0NwWk1qWXlNU0RPdE4vdW51ZGpPCmJiSlEvQTRadnVYT2pBR3loMkJmeW5MY3Y3bVFUNzhqZzYzRDY1S3BXcmtPQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJTXJLYTRtTG1mUTVZeUMxazQ0cGk0MU1sMjN4V2N1NGp5TnRkZkxOdUtwMgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
# Extra certificate subject alternative names for the machine's certificate.
certSANs: []
# # Uncomment this to enable SANs.
# - 10.0.0.10
# - 172.16.0.10
# - 192.168.0.10
# Used to provide additional options to the kubelet.
kubelet:
image: ghcr.io/siderolabs/kubelet:v1.29.1
extraArgs:
rotate-server-certificates: "true"
extraMounts:
- destination: /var/mnt
type: bind
source: /var/mnt
options:
- bind
- rshared
- rw
defaultRuntimeSeccompProfileEnabled: true
disableManifestsDirectory: true
network:
nameservers:
- 10.0.0.1
- 192.168.1.1
- 1.1.1.1
image: ghcr.io/siderolabs/kubelet:v1.29.1 # The `image` field is an optional reference to an alternative kubelet image.
defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
# # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
# clusterDNS:
# - 10.96.0.10
# - 169.254.2.53
# # The `extraArgs` field is used to provide additional flags to the kubelet.
# extraArgs:
# key: value
# # The `extraMounts` field is used to add additional mounts to the kubelet container.
# extraMounts:
# - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
# type: bind # Type specifies the mount kind.
# source: /var/lib/example # Source specifies the source path of the mount.
# # Options are fstab style mount options.
# options:
# - bind
# - rshared
# - rw
# # The `extraConfig` field is used to provide kubelet configuration overrides.
# extraConfig:
# serverTLSBootstrap: true
# # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
# credentialProviderConfig:
# apiVersion: kubelet.config.k8s.io/v1
# kind: CredentialProviderConfig
# providers:
# - apiVersion: credentialprovider.kubelet.k8s.io/v1
# defaultCacheDuration: 12h
# matchImages:
# - '*.dkr.ecr.*.amazonaws.com'
# - '*.dkr.ecr.*.amazonaws.com.cn'
# - '*.dkr.ecr-fips.*.amazonaws.com'
# - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
# - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
# name: ecr-credential-provider
# # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
# nodeIP:
# # The `validSubnets` field configures the networks to pick kubelet node IP from.
# validSubnets:
# - 10.0.0.0/8
# - '!10.0.0.3/32'
# - fdc7::/16
# Provides machine specific network configuration options.
network: {}
# # `interfaces` is used to define the network interface configuration.
# interfaces:
# - interface: enp0s1 # The interface name.
# # Assigns static IP addresses to the interface.
# addresses:
# - 192.168.2.0/24
# # A list of routes associated with the interface.
# routes:
# - network: 0.0.0.0/0 # The route's network (destination).
# gateway: 192.168.2.1 # The route's gateway (if empty, creates link scope route).
# metric: 1024 # The optional metric for the route.
# mtu: 1500 # The interface's MTU.
#
# # # Picks a network device using the selector.
# # # select a device with bus prefix 00:*.
# # deviceSelector:
# # busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # # select a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
# # driver: virtio # Kernel driver, supports matching by wildcard.
# # # select a device with bus prefix 00:*, a device with mac address matching `*:f0:ab` and `virtio` kernel driver.
# # deviceSelector:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
# # driver: virtio # Kernel driver, supports matching by wildcard.
# # # Bond specific options.
# # bond:
# # # The interfaces that make up the bond.
# # interfaces:
# # - enp2s0
# # - enp2s1
# # # Picks a network device using the selector.
# # deviceSelectors:
# # - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# # - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
# # driver: virtio # Kernel driver, supports matching by wildcard.
# # mode: 802.3ad # A bond option.
# # lacpRate: fast # A bond option.
# # # Bridge specific options.
# # bridge:
# # # The interfaces that make up the bridge.
# # interfaces:
# # - enxda4042ca9a51
# # - enxae2a6774c259
# # # A bridge option.
# # stp:
# # enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
# # # Indicates if DHCP should be used to configure the interface.
# # dhcp: true
# # # DHCP specific options.
# # dhcpOptions:
# # routeMetric: 1024 # The priority of all routes received via DHCP.
# # # Wireguard specific configuration.
# # # wireguard server example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # listenPort: 51111 # Specifies a device's listening port.
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # wireguard peer example
# # wireguard:
# # privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # # Specifies a list of peer configurations to apply to a device.
# # peers:
# # - publicKey: ABCDEF... # Specifies the public key of this peer.
# # endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
# # persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
# # # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# # allowedIPs:
# # - 192.168.1.0/24
# # # Virtual (shared) IP address configuration.
# # # layer2 vip example
# # vip:
# # ip: 172.16.199.55 # Specifies the IP address to be used.
# # Used to statically set the nameservers for the machine.
# nameservers:
# - 8.8.8.8
# - 1.1.1.1
# # Allows for extra entries to be added to the `/etc/hosts` file
# extraHostEntries:
# - ip: 192.168.1.100 # The IP of the host.
# # The host alias.
# aliases:
# - example
# - example.domain.tld
# # Configures KubeSpan feature.
# kubespan:
# enabled: true # Enable the KubeSpan feature.
# Used to provide instructions for installations.
install:
disk: /dev/sda
disk: /dev/sda # The disk used for installations.
image: ghcr.io/siderolabs/installer:v1.6.4 # Allows for supplying the image used to perform the installation.
wipe: true # Indicates if the installation disk should be wiped at installation time.
# # Look up disk using disk attributes like model, size, serial and others.
# diskSelector:
# size: 4GB # Disk size.
# model: WDC* # Disk model `/sys/block/<dev>/device/model`.
# busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
# # Allows for supplying extra kernel args via the bootloader.
extraKernelArgs:
- talos.platform=metal
- talos.hostname=talos
- bond=bond0
image: ghcr.io/siderolabs/installer:v1.6.3
wipe: true
# # Allows for supplying additional system extension images to install on top of base Talos image.
# extensions:
# - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
# Used to configure the machine's container image registry mirrors.
registries: {}
# # Specifies mirror configuration for each registry host namespace.
# mirrors:
# ghcr.io:
# # List of endpoints (URLs) for registry mirrors to use.
# endpoints:
# - https://registry.insecure
# - https://ghcr.io/v2/
# # Specifies TLS & auth configuration for HTTPS image registries.
# config:
# registry.insecure:
# # The TLS configuration for the registry.
# tls:
# insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
#
# # # Enable mutual TLS authentication with the registry.
# # clientIdentity:
# # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
#
# # # The auth configuration for this registry.
# # auth:
# # username: username # Optional registry authentication.
# # password: password # Optional registry authentication.
# Features describe individual Talos features that can be switched on or off.
features:
rbac: true
stableHostname: true
apidCheckExtKeyUsage: true
diskQuotaSupport: true
rbac: true # Enable role-based access control (RBAC).
stableHostname: true # Enable stable default hostname.
apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
# KubePrism - local proxy/load balancer on defined port that will distribute
kubePrism:
enabled: true
port: 7445
enabled: true # Enable KubePrism support - will start local load balacing proxy.
port: 7445 # KubePrism port.
# # Configure Talos API access from Kubernetes pods.
# kubernetesTalosAPIAccess:
# enabled: true # Enable Talos API access from Kubernetes pods.
# # The list of Talos API roles which can be granted for access from Kubernetes pods.
# allowedRoles:
# - os:reader
# # The list of Kubernetes namespaces Talos API access is available from.
# allowedKubernetesNamespaces:
# - kube-system
# # Provides machine specific control plane configuration options.
# # ControlPlane definition example.
# controlPlane:
# # Controller manager machine specific configuration options.
# controllerManager:
# disabled: false # Disable kube-controller-manager on the node.
# # Scheduler machine specific configuration options.
# scheduler:
# disabled: true # Disable kube-scheduler on the node.
# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
# # nginx static pod.
# pods:
# - apiVersion: v1
# kind: pod
# metadata:
# name: nginx
# spec:
# containers:
# - image: nginx
# name: nginx
# # Used to partition, format and mount additional disks.
# # MachineDisks list example.
# disks:
# - device: /dev/sdb # The name of the disk to use.
# # A list of partitions to create on the disk.
# partitions:
# - mountpoint: /var/mnt/extra # Where to mount the partition.
#
# # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
# # # Human readable representation.
# # size: 100 MB
# # # Precise value in bytes.
# # size: 1073741824
# # Allows the addition of user specified files.
# # MachineFiles usage example.
# files:
# - content: '...' # The contents of the file.
# permissions: 0o666 # The file's permissions in octal.
# path: /tmp/file.txt # The path of the file.
# op: append # The operation to use
# # The `env` field allows for the addition of environment variables.
# # Environment variables definition examples.
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: info
# GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
# https_proxy: http://SERVER:PORT/
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: error
# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
# env:
# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
# # Used to configure the machine's time settings.
# # Example configuration for cloudflare ntp server.
# time:
# disabled: false # Indicates if the time service is disabled for the machine.
# # Specifies time (NTP) servers to use for setting the system time.
# servers:
# - time.cloudflare.com
# bootTimeout: 2m0s # Specifies the timeout when the node time is considered to be in sync unlocking the boot sequence.
# # Used to configure the machine's sysctls.
# # MachineSysctls usage example.
# sysctls:
# kernel.domainname: talos.dev
# net.ipv4.ip_forward: "0"
# net/ipv6/conf/eth0.100/disable_ipv6: "1"
# # Used to configure the machine's sysfs.
# # MachineSysfs usage example.
# sysfs:
# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
# # Machine system disk encryption configuration.
# systemDiskEncryption:
# # Ephemeral partition encryption.
# ephemeral:
# provider: luks2 # Encryption provider to use for the encryption.
# # Defines the encryption keys generation and storage method.
# keys:
# - # Deterministically generated key from the node UUID and PartitionLabel.
# nodeID: {}
# slot: 0 # Key slot number for LUKS2 encryption.
#
# # # KMS managed encryption key.
# # kms:
# # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#
# # # Cipher kind to use for the encryption. Depends on the encryption provider.
# # cipher: aes-xts-plain64
# # # Defines the encryption sector size.
# # blockSize: 4096
# # # Additional --perf parameters for the LUKS2 encryption.
# # options:
# # - no_read_workqueue
# # - no_write_workqueue
# # Configures the udev system.
# udev:
# # List of udev rules to apply to the udev system
# rules:
# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
# # Configures the logging system.
# logging:
# # Logging destination.
# destinations:
# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
# format: json_lines # Logs format.
# # Configures the kernel.
# kernel:
# # Kernel modules to load.
# modules:
# - name: brtfs # Module name.
# # Configures the seccomp profiles for the machine.
# seccompProfiles:
# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
# # The `value` field is used to provide the seccomp profile.
# value:
# defaultAction: SCMP_ACT_LOG
# # Configures the node labels for the machine.
# # node labels example.
# nodeLabels:
# exampleLabel: exampleLabelValue
# # Configures the node taints for the machine. Effect is optional.
# # node taints example.
# nodeTaints:
# exampleTaint: exampleTaintValue:NoSchedule
# Provides cluster specific configuration options.
cluster:
id: mAamz7knxpoVJ2yIwD9P_LMUl1SOrbOntwnFbN_-JNk=
secret: +6LCZC7LYhxlVC3xBCuE7T20+QrzBMB8BGgrRlR29/s=
id: VWpUbi_9bCB87F51ZcpsHZvZxZ-MAF-J5uuq_2Rz_ZM= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
secret: u1R5pV72bj7kuyTvQ0uFeM81cR3VstKVRMF4VdFeehg= # Shared secret of cluster (base64 encoded random 32 bytes).
# Provides control plane specific configuration options.
controlPlane:
endpoint: https://192.168.1.101:6443
clusterName: talos
endpoint: https://192.168.1.101:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
clusterName: talos # Configures the cluster's name.
# Provides cluster specific network configuration options.
network:
cni:
name: none
dnsDomain: cluster.local
dnsDomain: cluster.local # The domain used by Kubernetes DNS.
# The pod subnet CIDR.
podSubnets:
- 10.244.0.0/16
# The service subnet CIDR.
serviceSubnets:
- 10.96.0.0/12
token: dnjew1.zp3h6tprfa7ptctz
secretboxEncryptionSecret: JNnpOzDpHKZ7zKrF3hFttATjuapVU4/SrX8XMupJeeE=
# # The CNI used.
# cni:
# name: custom # Name of CNI to use.
# # URLs containing manifests to apply for the CNI.
# urls:
# - https://docs.projectcalico.org/archive/v3.20/manifests/canal.yaml
token: 2bilql.wggdk4dqypsfozwd # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
secretboxEncryptionSecret: 4tLuleOazv3jiacgmHKPySvi/2M2wbnsCG+Z0uvsq74= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# The base64 encoded root certificate authority used by Kubernetes.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpVENDQVMrZ0F3SUJBZ0lRSXlseS9GYmdlTElmcS9MQVRVaC9YREFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTBNREV5TlRJeE1EUXdObG9YRFRNME1ERXlNakl4TURRdwpObG93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCSnU3QWNLaE9vTExjaWhTOHhWL21BM0RKZlRhRTRVSmpPUmlQNEFpb0FNc1Fhd29CcDRwZVZvd1RvWXkKd25rWTlSeW1VT3UxbUhwbjNUYS9qdWdHbVhhallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVU4citMalUySmZpL0NhVUhNUkZYZzJLUE41UUV3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnZWlXRDJsWVMKZVNGOHE5UFJMSTVOMWxyWkd0VDRMSTVMNkl6VnY3dW5DeVVDSVFDdm4ycTRLMFozQWExbk5qZ01KV2xpRTZxTQozN2hOdGhmNWFvMkJzTDlrVXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUNNa1h5ZEs1UlZoNEZBd2VVb0hHS3BFYlNHWlZtQnBBQ0ZIdFg5aTVDWXhvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFbTdzQndxRTZnc3R5S0ZMekZYK1lEY01sOU5vVGhRbU01R0kvZ0NLZ0F5eEJyQ2dHbmlsNQpXakJPaGpMQ2VSajFIS1pRNjdXWWVtZmROcitPNkFhWmRnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJpVENDQVMrZ0F3SUJBZ0lRTDA3T0lESUVMWWd4NXJwSmM0b0l5akFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUUtFd3ByZFdKbGNtNWxkR1Z6TUI0WERUSTBNREl4TkRFNE1qUXlObG9YRFRNME1ESXhNVEU0TWpReQpObG93RlRFVE1CRUdBMVVFQ2hNS2EzVmlaWEp1WlhSbGN6QlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCR0pwVUZiQ21tUEc2eHAwYzhBbk5ubTg4UEhSN2tOd3dmUVlJdmdKOUhQTHhUbm1GN2UyVkdzek40T0YKVnJ2MGM0MXYwTE9TYlZlbDNGQlIrajAwYXoyallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWRCZ05WSFNVRQpGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFCkZnUVV2UVQ5aG5MV2NwM2JsdXV4cTVOOTR5Y1RQSFl3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQU9EbkhzTzQKVm5oNi9ZNmg3VEQ3ZFI3eG94OHgwR1FSTVoxMlNFUzVHbXM5QWlBKzFiZzNtRHVhRnpsU3llV2o3NHNsZ3E5bwozdXhrc25rcS9ZV3B0c2xqUGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhXQUtJQjBIVDE0TERFWmF4L2Noa0RSVFk2LzJrSnFMVEpaeUxOSlloZU1vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFWW1sUVZzS2FZOGJyR25SendDYzJlYnp3OGRIdVEzREI5QmdpK0FuMGM4dkZPZVlYdDdaVQphek0zZzRWV3UvUnpqVy9RczVKdFY2WGNVRkg2UFRSclBRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
aggregatorCA:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYekNDQVFhZ0F3SUJBZ0lSQVBTSWhCcUUvRjZ5ckgyT0dQdGFWRzB3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5EQXhNalV5TVRBME1EWmFGdzB6TkRBeE1qSXlNVEEwTURaYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVF4ZHEwbXVTUm15VGRycDE4clpISVArY0pKMWpEQUxCY0lMcko5ZGEydElNS24wbGxHCi90c1FFZW5ISWxsd2pRQm1VbE9IVElaRm5OeXRQTXA5c3lPM28yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGQ3RtTjNRbFZxQ3Bmdmo5UU9mTU9mQTBwRW5JTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDCklBWmZpWlFaMUpobHIrMmV3OGZ2M3NyVzJxTCtWRzcwdUxzRmxBTFN4aXR1QWlBMlNycmMyaDNxejdYN2RMcG8KRTB3QjAwc1hBeUg0Q3E4YUxBMDBaZHhiSGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlWK0wzVnJRclp4bzZPcXZHNVc1VnNEbWI5UDUwODVXWm5vU1pVL1JDYnVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFTVhhdEpya2tac2szYTZkZksyUnlEL25DU2RZd3dDd1hDQzZ5ZlhXdHJTRENwOUpaUnY3YgpFQkhweHlKWmNJMEFabEpUaDB5R1JaemNyVHpLZmJNanR3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJZVENDQVFhZ0F3SUJBZ0lSQU95TEN4R3ZIRHR1cnZia2JteWR2UzB3Q2dZSUtvWkl6ajBFQXdJd0FEQWUKRncweU5EQXlNVFF4T0RJME1qWmFGdzB6TkRBeU1URXhPREkwTWpaYU1BQXdXVEFUQmdjcWhrak9QUUlCQmdncQpoa2pPUFFNQkJ3TkNBQVE3UzlpZnU4bmRQSmtXa2dBSHpGd0JSajFLSXZtUHdGMU8zUmVEa3liYmlHOXpGZmMzCkRiNFJ0S1JPSmVZMW9yMitZL2lmeXo3b2xidDBkY1o0U0FLWm8yRXdYekFPQmdOVkhROEJBZjhFQkFNQ0FvUXcKSFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQ01BOEdBMVVkRXdFQi93UUZNQU1CQWY4dwpIUVlEVlIwT0JCWUVGQ01RMXNDSmJGK0w5MGdEVmtUSHBGbDJXNlloTUFvR0NDcUdTTTQ5QkFNQ0Ewa0FNRVlDCklRQ1NBajE3YWZieHFxbFVrTVF4cHN5VnpmM0JxaS84aEIra01heWoraGViRFFJaEFLSkprdFlDT2ZTUVkxRGcKRVVjUHVmTVFLbmhZNDJ2VnBSSDZEQ0JNZjhMSwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFJY3NHMDZ5MXZyOVJrVFhZaUE4OHV0UC9OdmlXaVp4WUxZbjl1WmdPRmlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFTzB2WW43dkozVHlaRnBJQUI4eGNBVVk5U2lMNWo4QmRUdDBYZzVNbTI0aHZjeFgzTncyKwpFYlNrVGlYbU5hSzl2bVA0bjhzKzZKVzdkSFhHZUVnQ21RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded private key for service account token generation.
serviceAccount:
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhKL3AxSkR3SnNYMU16dGs5VzZleVRxUWsvWlFGM2Q5WG1VSFYzeDBGN05vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFaTJGZ000UnFESWZOeXloK0M2STh2T2FPY2prRkM5b09pNld1V3hBZE5NSHdLelZ5eHRGUgpyQ01TaVp6eVlQVjgyTUZLczNNMHhuMzJ4elJmbnk4cUNnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSVBsQ25lSlFydFc0bm9hbTJheDhUVHVFRVVBSlhJaXZWUjAvc0ZDRVJEemZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFcnVCWWxTSi9zYi92VlIxL1FUdWZmU1hFZFMzQ0VOSU5NY3poZHh2eDdoektURVh5WWxuZwoxRGNJTnBPc2taT0E1YTNjUDhhV1JVQ3FKTWlJbzdNN2ZnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# API server specific configuration options.
apiServer:
image: registry.k8s.io/kube-apiserver:v1.29.1
image: registry.k8s.io/kube-apiserver:v1.29.1 # The container image used in the API server manifest.
# Extra certificate subject alternative names for the API server's certificate.
certSANs:
- 192.168.1.101
disablePodSecurityPolicy: true
disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
# Configure the API server admission plugins.
admissionControl:
- name: PodSecurity
- name: PodSecurity # Name is the name of the admission controller.
# Configuration is an embedded configuration object to be used as the plugin's
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1alpha1
defaults:
@@ -89,28 +459,89 @@ cluster:
runtimeClasses: []
usernames: []
kind: PodSecurityConfiguration
# Configure the API server audit policy.
auditPolicy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
# Controller manager server specific configuration options.
controllerManager:
image: registry.k8s.io/kube-controller-manager:v1.29.1
image: registry.k8s.io/kube-controller-manager:v1.29.1 # The container image used in the controller manager manifest.
# Kube-proxy server-specific configuration options
proxy:
image: registry.k8s.io/kube-proxy:v1.29.1
image: registry.k8s.io/kube-proxy:v1.29.1 # The container image used in the kube-proxy manifest.
# # Disable kube-proxy deployment on cluster bootstrap.
# disabled: false
# Scheduler server specific configuration options.
scheduler:
image: registry.k8s.io/kube-scheduler:v1.29.1
image: registry.k8s.io/kube-scheduler:v1.29.1 # The container image used in the scheduler manifest.
# Configures cluster member discovery.
discovery:
enabled: true
enabled: true # Enable the cluster membership discovery feature.
# Configure registries used for cluster member discovery.
registries:
# Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
kubernetes:
disabled: true
disabled: true # Disable Kubernetes discovery registry.
# Service registry is using an external service to push and pull information about cluster members.
service: {}
# # External service endpoint.
# endpoint: https://discovery.talos.dev/
# Etcd specific configuration options.
etcd:
# The `ca` is the root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmakNDQVNPZ0F3SUJBZ0lRSmdwZmdETWt2UVowMVNWTW4rUEUvakFLQmdncWhrak9QUVFEQWpBUE1RMHcKQ3dZRFZRUUtFd1JsZEdOa01CNFhEVEkwTURFeU5USXhNRFF3TmxvWERUTTBNREV5TWpJeE1EUXdObG93RHpFTgpNQXNHQTFVRUNoTUVaWFJqWkRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQk9uaFNGMU9iOTQ0CjB0cUxiaWJ1dHdhQzZXWCtNQXMvbjdwZFhrTVcxU3B0Y054eXVFWDZTTmpKYjBJMTV5NVU1N09ORUlGUndFaWsKaVpFZUIrRC9wZDJqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjRApBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVRUU2OEpUb1hmR2pWCnlma2NVQk5mQnNsQjgrQXdDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBS1g5eGtESWVPZmVVVlhOUEFpbzRmb08KRXp5YWhqQjB5NVc2NTdaa2MxQnBBaUVBc2c1UFN5Y2hDdFFtcUpMZHY0Q3dvVHJRcjJCVDlMQkN1Qndra3MxTgpVR2c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUthWWhobnV4bWxYcU5EMGxkUGxRNDJUN3pRdE0rb2diWGc0WnJ0V2toMnVvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNmVGSVhVNXYzampTMm90dUp1NjNCb0xwWmY0d0N6K2Z1bDFlUXhiVkttMXczSEs0UmZwSQoyTWx2UWpYbkxsVG5zNDBRZ1ZIQVNLU0prUjRINFArbDNRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
extraManifests:
- https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmVENDQVNPZ0F3SUJBZ0lRS0J1MjNwTi9PUzNDZ0RqNk5WNUw2VEFLQmdncWhrak9QUVFEQWpBUE1RMHcKQ3dZRFZRUUtFd1JsZEdOa01CNFhEVEkwTURJeE5ERTRNalF5TmxvWERUTTBNREl4TVRFNE1qUXlObG93RHpFTgpNQXNHQTFVRUNoTUVaWFJqWkRCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkJjYkg2OWpJVlU4CmE1NWhJY3Bsb3pnc0JkWjBPUGxiSEZEYnV6ay9NYytsSEtNZFhTenhiSVRFTnV4QUxBRGtDRXlQQldQTzlvaDAKcDY2bGt3MnNqZVdqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjRApBUVlJS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVWnptMmFBVzRqcnhFCk9uQXE1V0FvdlpuYVJwVXdDZ1lJS29aSXpqMEVBd0lEU0FBd1JRSWdYZXgxMWpXTnBLK0tZTTB3ZkJWUnQwbU4KOWNtbW1vT0lPRm5MYjVPUER5UUNJUUNQbzZQS3B0dHdueGVXRlNobVA3aEhaR0N1MlFDb2VvWU5ydVRWdUdXUQpBUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdjU3EvSVhFK0s2bUJVV1cxdXNWcFdPQ3hUYTYrZGFZMlorK3pETk81aHNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFRnhzZnIyTWhWVHhybm1FaHltV2pPQ3dGMW5RNCtWc2NVTnU3T1Q4eHo2VWNveDFkTFBGcwpoTVEyN0VBc0FPUUlUSThGWTg3MmlIU25ycVdURGF5TjVRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# # The container image used to create the etcd service.
# image: gcr.io/etcd-development/etcd:v3.5.11
# # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
# advertisedSubnets:
# - 10.0.0.0/8
# A list of urls that point to additional manifests.
extraManifests: []
# - https://www.example.com/manifest1.yaml
# - https://www.example.com/manifest2.yaml
# A list of inline Kubernetes manifests.
inlineManifests: []
# - name: namespace-ci # Name of the manifest.
# contents: |- # Manifest contents as a string.
# apiVersion: v1
# kind: Namespace
# metadata:
# name: ci
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # Core DNS specific configuration options.
# coreDNS:
# image: registry.k8s.io/coredns/coredns:v1.11.1 # The `image` field is an override to the default coredns image.
# # External cloud provider configuration.
# externalCloudProvider:
# enabled: true # Enable external cloud provider.
# # A list of urls that point to additional manifests for an external cloud provider.
# manifests:
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
# # A map of key value pairs that will be added while fetching the extraManifests.
# extraManifestHeaders:
# Token: "1234567"
# X-ExtraInfo: info
# # Settings for admin kubeconfig generation.
# adminKubeconfig:
# certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
# # Allows running workload on control-plane nodes.
allowSchedulingOnControlPlanes: true

41
talos/readme.md
View File

@@ -1,20 +1,51 @@
#
# Set up
## Prerequisites
Boot from talos iso memory stick (dd mode in rufus).
## Commands
### Talos
- `talosctl -n 192.168.1.101 apply-config -f controlplane.yaml --insecure`
- `talosctl --nodesn.168.1.101 -e 192.168.1.101 --talosconfig=./talosconfig bootstrap`
- `talosctl --talosconfig ./talosconfig -n 192.168.1.101 -e 192.168.1.101 kubeconfig`
- `talosctl -n 192.168.1.101 -e 192.168.1.101 --talosconfig=./talosconfig bootstrap`
- `talosctl -n 192.168.1.101 -e 192.168.1.101 --talosconfig ./talosconfig kubeconfig`
## Cilium
- `helm repo add cilium https://helm.cilium.io/`
- `helm repo update`
```sh
helm install \
cilium \
cilium/cilium \
--version 1.14.0 \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set=kubeProxyReplacement=true \
--set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set=cgroup.autoMount.enabled=false \
--set=cgroup.hostRoot=/sys/fs/cgroup \
--set=k8sServiceHost=localhost \
--set=k8sServicePort=7445
```
## Flux
- `flux bootstrap git --private-key-file=/config/.ssh/gitea --url ssh://git@gitea.home.joemonk.co.uk:2222/joe/gitops.git --branch main --path=clusters/talos`
### Resetting
Boot the above memory stick and click reset installation, then carry on as above.
## Patching
First create the patch file
i.e.
```patch.yaml
cluster:
network:
@@ -28,7 +59,7 @@ Then apply the patch to the control plane yaml
And apply that control plane yaml with
`talosctl --talosconfig ./talosconfig -n 192.168.1.101 -e 192.168.1.101 apply-config -f controlplane.yaml`
`talosctl -n 192.168.1.101 -e 192.168.1.101 --talosconfig ./talosconfig apply-config -f controlplane.yaml`
## Cilium

6
talos/talosconfig
View File

@@ -3,6 +3,6 @@ contexts:
talos:
endpoints:
- 127.0.0.1
ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFYeDdVNnppQWUzVjNpdGxJbXpjeDhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXhNalV5TVRBME1EWmFGdzB6TkRBeE1qSXlNVEEwTURaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBaUJPY1N0K003dG1vL1h6ZWF0djA3NnVtcEtldVdMd242Zy9DCjJxVmNaUXlqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVb2ZmK2NNcDJ3VzBDUVB6eAo3d3hZOTZFZVV5c3dCUVlESzJWd0EwRUFVRVNzKzByNW5JajFJTWU4ZWd3QkdhVEZRbkpwVmZNcnFLcENGOWRoCjdadlZuNjB4bzZ1MW56SDJVeEk3Y1E5eHZyNzduZVNpQVppcUdETnFleUdRQkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBOG1VSEU1c2JMbXMxalIvQlNmcGhRakFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qUXdNVEkxTWpFd05EQTJXaGNOTWpVd01USTBNakV3TkRBMldqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRsY0FNaEFBalJKam1aRmR4YWxKMkQxSVN4b1FBMnZTS01nTzBxCnJ0R0FjUWNnNmNxbW8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVvZmYrY01wMndXMENRUHp4N3d4WTk2RWVVeXN3QlFZREsyVndBMEVBek9DRQowYVY3VWg4dDcxSXRqVWJxa2xMaW1hRVI1cmNWU0RkditRZExpZGM1a3BYdHAwZ1hxcGVXdnlpS0tCaFFjYjN3CjVYcVZTWVlETXE0NGp0VkNDQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRUVXU2NISk1INGVLUmZyZFZCVHRGdkZjWG1VN3R5aytMbUhjOEt2bU1rNAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQakNCOGFBREFnRUNBaEFBemlIa1J3cjMrMnAyQWl6K1cxVmhNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXlNVFF4T0RJME1qWmFGdzB6TkRBeU1URXhPREkwTWpaYU1CQXhEakFNQmdOVgpCQW9UQlhSaGJHOXpNQ293QlFZREsyVndBeUVBSFBmZmd2ZjZGalpIM0xEbk50aS9HSG9ITmhjMW5Ra0tQb2s1CmFSS1lwZmFqWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDaERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUkKS3dZQkJRVUhBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVQitOZ05BM1FXVTBOREh1VQoxWWE5MmxOMmIrb3dCUVlESzJWd0EwRUFnZ1cva1VvcVJmSUZZRk42MTkxK0NwWk1qWXlNU0RPdE4vdW51ZGpPCmJiSlEvQTRadnVYT2pBR3loMkJmeW5MY3Y3bVFUNzhqZzYzRDY1S3BXcmtPQUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLRENCMjZBREFnRUNBaEJwSGtPUld0Q1Z4cHBQdjJpeVJHOWJNQVVHQXl0bGNEQVFNUTR3REFZRFZRUUsKRXdWMFlXeHZjekFlRncweU5EQXlNVFF4T0RJME1qWmFGdzB5TlRBeU1UTXhPREkwTWpaYU1CTXhFVEFQQmdOVgpCQW9UQ0c5ek9tRmtiV2x1TUNvd0JRWURLMlZ3QXlFQW5Wd1lhUjkvN2lEZTVoNVFmb1F4U093RHQ2YjVHUXRwCmlBMnRRRStmUHhtalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0QKQWpBZkJnTlZIU01FR0RBV2dCUUg0MkEwRGRCWlRRME1lNVRWaHIzYVUzWnY2akFGQmdNclpYQURRUUNDd1RwcwpFWUVCTElvYmZJSmVGS1U0T0tJZHNYaFVaUU9mSC9ubmUxdy9iNE9DdnV0ZVQvK2VLWVVkdnA5QlVtb0k0Ylc2Cm9FVTF2elR6aUdtT0tYNEIKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJQ1ROcTREZFFUcmZxRFk2L0xYSmNnQURZNjcxcU5Rd0JVQjhMKzVYeUtZVAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K