Add initial infra for krobot01

Author: MacroPower

.taskfiles/talos/Taskfile.yaml

@@ -5,7 +5,7 @@ version: "3"
 vars:
   TALOS_SCRIPTS_DIR: "{{.ROOT_DIR}}/.taskfiles/talos/scripts"
   EXTRAS_DIR: "{{.ROOT_DIR}}/hack/extra"
-  CLUSTER_DOMAIN: cin.macro.network
+  DEFAULT_CLUSTER_DOMAIN: cin.macro.network
   DOPPLER_PROJECT: talhelper
   TALOS_DIR: "{{.TALOS_DIR}}"
 
@@ -15,6 +15,7 @@ tasks:
     requires:
       vars: [CLUSTER_NAME]
     vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
       CLUSTER_ENDPOINT: "k{{.CLUSTER_NAME}}.{{.CLUSTER_DOMAIN}}"
       DOPPLER_CMD: "doppler run -p {{.DOPPLER_PROJECT}} -c {{.CLUSTER_NAME}}"
     dir: &dir "{{.TALOS_DIR}}/{{.CLUSTER_NAME}}"
@@ -37,6 +38,7 @@ tasks:
     requires:
       vars: [CLUSTER_NAME]
     vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
       CLUSTER_ENDPOINT: "k{{.CLUSTER_NAME}}.{{.CLUSTER_DOMAIN}}"
       DOPPLER_CMD: "doppler run -p {{.DOPPLER_PROJECT}} -c {{.CLUSTER_NAME}}"
       MODE: '{{.MODE | default "no-reboot"}}'
@@ -59,6 +61,8 @@ tasks:
         NODE: Target node (required)
     requires:
       vars: [CLUSTER_NAME, NODE]
+    vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
     dir: *dir
     cmds:
       - task: build
@@ -78,6 +82,7 @@ tasks:
     requires:
       vars: [CLUSTER_NAME]
     vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
       CLUSTER_ENDPOINT: "k{{.CLUSTER_NAME}}.{{.CLUSTER_DOMAIN}}"
     dir: *dir
     cmds:
@@ -137,7 +142,7 @@ tasks:
     desc: Bootstrap Talos cluster
     summary: |
       Args:
-        INITIAL_NODE: Node to bootstrap, e.g. kmain01.{{.CLUSTER_DOMAIN}}
+        INITIAL_NODE: Node to bootstrap, e.g. kmain01.{{.DEFAULT_CLUSTER_DOMAIN}}
         RECOVERY_SNAPSHOT: Snapshot to recover from (default: "")
     dir: *dir
     requires:
@@ -189,6 +194,8 @@ tasks:
         NODE: Node to reset (required)
     requires:
       vars: [NODE]
+    vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
     cmds:
       - |-
         talosctl reset --graceful=false --reboot \
@@ -207,6 +214,7 @@ tasks:
     requires:
       vars: [CLUSTER_NAME, NODE]
     vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
       DOPPLER_CMD: "doppler run -p {{.DOPPLER_PROJECT}} -c {{.CLUSTER_NAME}}"
     cmds:
       - |-
@@ -234,6 +242,7 @@ tasks:
     requires:
       vars: [CLUSTER_NAME, NODE]
     vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
       DOPPLER_CMD: "doppler run -p {{.DOPPLER_PROJECT}} -c {{.CLUSTER_NAME}}"
     cmds:
       - |
@@ -272,6 +281,8 @@ tasks:
     dir: *dir
     requires:
       vars: [NODE]
+    vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
     cmds:
       - rm -rf {{.NODE}}.{{.CLUSTER_DOMAIN}}/ cluster/
       - defer: unzip support.zip && rm support.zip
@@ -287,6 +298,7 @@ tasks:
     requires:
       vars: [NODE]
     vars:
+      CLUSTER_DOMAIN: "{{ .CLUSTER_DOMAIN | default .DEFAULT_CLUSTER_DOMAIN }}"
       FILENAME: '{{.FILENAME | default "db.snapshot"}}'
     cmds:
       - talosctl etcd snapshot -n {{.NODE}}.{{.CLUSTER_DOMAIN}} -e {{.NODE}}.{{.CLUSTER_DOMAIN}} {{.FILENAME}}

clusters/robot/.gitignore

@@ -0,0 +1,5 @@
+cluster/
+clusterconfig/
+*.macro.network/
+kubernetesResources/
+support.zip

clusters/robot/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "cluster_robot"
+version = "0.1.0"

clusters/robot/kcl.mod.lock

@@ -0,0 +1,3 @@
+NAME = "robot"
+DOMAIN_NAME = "robot.fsn.macro.network"
+FRIENDLY_NAME = "Robot"

clusters/robot/main.k

@@ -0,0 +1,186 @@
+clusterName: robot
+talosVersion: v1.11.1
+kubernetesVersion: v1.34.1
+endpoint: https://krobot.fsn.macro.network:6443
+cniConfig:
+  name: none
+
+additionalApiServerCertSans:
+  - "10.136.0.1"
+  - "fc42:0:0:88::1"
+
+clusterSvcNets:
+  - 10.136.0.0/16
+  - fc42:0:0:88::/108
+clusterPodNets:
+  - 10.137.0.0/16
+  - fc42:0:0:89::/64
+
+allowSchedulingOnMasters: true
+
+nodes:
+  - hostname: krobot01.fsn.macro.network
+    ipAddress: 10.42.2.20
+    controlPlane: true
+    installDisk: /dev/null
+    nodeLabels:
+      feature.node.kubernetes.io/network.max-link-speed: 1g
+      topology.kubernetes.io/region: fsn
+    networkInterfaces:
+      - deviceSelector:
+          driver: macvlan
+        dhcp: false
+        addresses:
+          - "10.42.2.20/24"
+        mtu: 1400
+        routes:
+          - network: 10.42.0.0/16
+            gateway: "10.42.2.1"
+          - network: 0.0.0.0/0
+            gateway: "162.55.243.65"
+            metric: 2048
+          - network: ::/0
+            gateway: "fe80::1"
+            metric: 4096
+    patches:
+      - |-
+        machine:
+          kubelet:
+            extraMounts:
+              - source: /var/media
+                destination: /var/media
+                type: bind
+                options:
+                  - rbind
+                  - rshared
+                  - rw
+          features:
+            hostDNS:
+              enabled: true
+              forwardKubeDNSToHost: true
+
+controlPlane:
+  certSANs:
+    - krobot.fsn.macro.network
+    - "127.0.0.1"
+  nameservers: &nameservers
+    - "185.12.64.1"
+    - "185.12.64.2"
+  disableSearchDomain: &disableSearchDomain true
+  schematic:
+    customization:
+      extraKernelArgs: &extraKernelArgs []
+  machineFiles:
+    - &spegelCriConfig
+      path: /etc/cri/conf.d/20-customization.part
+      op: create
+      content: |
+        [plugins."io.containerd.cri.v1.images"]
+          discard_unpacked_layers = false
+  patches:
+    - |-
+      - op: replace
+        path: /cluster/apiServer/admissionControl
+        value: []
+    - |-
+      cluster:
+        controllerManager:
+          extraArgs:
+            bind-address: 0.0.0.0
+            ## Node CIDR mask size for IPv4 and IPv6.
+            ## One unique subnet of this size will be cut from the clusterPodNets
+            ## for every node.
+            ##
+            node-cidr-mask-size-ipv4: "20"
+            ## The IPv6 node cidr mask size MUST be within 16 bits of the
+            ## clusterPodNets IPv6cidr. By default, the clusterPodNets IPv6 mask
+            ## size is 48 and the clusterPodNets IPv6 cidr is /64 (48+16).
+            ##
+            node-cidr-mask-size-ipv6: "80"
+            allocate-node-cidrs: "true"
+            feature-gates: MemoryQoS=true,InPlacePodVerticalScaling=true,RotateKubeletServerCertificate=true
+            tls-cipher-suites: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    - |-
+      cluster:
+        etcd:
+          extraArgs:
+            listen-metrics-urls: http://0.0.0.0:2381
+    - |-
+      cluster:
+        scheduler:
+          extraArgs:
+            bind-address: "0.0.0.0"
+            feature-gates: MemoryQoS=true,InPlacePodVerticalScaling=true,RotateKubeletServerCertificate=true
+            tls-cipher-suites: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    - |-
+      cluster:
+        proxy:
+          # Replaced by Cillium.
+          disabled: true
+    - |-
+      cluster:
+        apiServer:
+          extraArgs:
+            max-mutating-requests-inflight: 20
+            max-requests-inflight: 80
+            feature-gates: MemoryQoS=true,InPlacePodVerticalScaling=true,RotateKubeletServerCertificate=true
+            tls-cipher-suites: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    - &machineKubelet |-
+      machine:
+        kubelet:
+          nodeIP:
+            validSubnets:
+              - 10.42.2.0/24
+          extraArgs:
+            feature-gates: MemoryQoS=true,InPlacePodVerticalScaling=true,RotateKubeletServerCertificate=true
+            rotate-server-certificates: "true"
+            tls-cipher-suites: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    - &machineTime |-
+      machine:
+        time:
+          disabled: false
+          servers:
+            - 0.north-america.pool.ntp.org
+            - 1.north-america.pool.ntp.org
+            - 2.north-america.pool.ntp.org
+            - 3.north-america.pool.ntp.org
+    - &machineOpenEBS |-
+      machine:
+        sysctls:
+          vm.nr_hugepages: "1024"
+        kubelet:
+          extraMounts:
+            - source: /var/openebs/local
+              destination: /var/openebs/local
+              type: bind
+              options:
+                - rbind
+                - rshared
+                - rw
+    - &machineDNS |-
+      machine:
+        features:
+          hostDNS:
+            enabled: true
+            forwardKubeDNSToHost: false
+
+worker:
+  certSANs:
+    - "127.0.0.1"
+  nameservers: *nameservers
+  disableSearchDomain: *disableSearchDomain
+  schematic:
+    customization:
+      extraKernelArgs: *extraKernelArgs
+  machineFiles:
+    - *spegelCriConfig
+  patches:
+    - *machineKubelet
+    - *machineTime
+    - *machineOpenEBS
+    - *machineDNS
+    - |-
+      machine:
+        kubelet:
+          extraConfig:
+            maxPods: 250

clusters/robot/talconfig.yaml

@@ -0,0 +1,23 @@
+cluster:
+  id: ${CLUSTER_ID}
+  secret: ${CLUSTER_SECRET}
+secrets:
+  bootstraptoken: ${SECRETS_BOOTSTRAPTOKEN}
+  secretboxencryptionsecret: ${SECRETS_SECRETBOXENCRYPTIONSECRET}
+trustdinfo:
+  token: ${TRUSTDINFO_TOKEN}
+certs:
+  etcd:
+    crt: ${CERTS_ETCD_CRT}
+    key: ${CERTS_ETCD_KEY}
+  k8s:
+    crt: ${CERTS_K8S_CRT}
+    key: ${CERTS_K8S_KEY}
+  k8saggregator:
+    crt: ${CERTS_K8SAGGREGATOR_CRT}
+    key: ${CERTS_K8SAGGREGATOR_KEY}
+  k8sserviceaccount:
+    key: ${CERTS_K8SSERVICEACCOUNT_KEY}
+  os:
+    crt: ${CERTS_OS_CRT}
+    key: ${CERTS_OS_KEY}

clusters/robot/talsecret.yaml

@@ -0,0 +1,11 @@
+# Setup
+
+Create a shared macvlan network for docker containers:
+
+```
+docker network create -d macvlan \
+  --subnet=10.10.0.0/16 \
+  --subnet=fc42:0:0:a::/64 \
+  -o parent=bond0 \
+  shared_macvlan
+```