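---
# kube-vip DaemonSet for the control-plane VIP.
# Runs `kube-vip manager` on every control-plane node. The elected leader
# announces 192.168.50.230:6443 over ARP on the node's uplink interface.
# Layout restored to one key per line: in the collapsed form the first `#`
# comment swallowed the rest of the manifest, so it could not be applied.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-vip-ds
  namespace: kube-system
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      # Replace one node's pod at a time so the other control-plane nodes
      # can keep (or take over) the VIP during a rollout.
      maxUnavailable: 1
      maxSurge: 0
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-vip-ds
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kube-vip-ds
    spec:
      # The pod shares the node's network namespace. Together with the
      # NET_ADMIN / NET_RAW capabilities below, the container can change host
      # addresses and send raw frames. That is required for an ARP VIP, and it
      # puts this image and its service account inside the node's trust
      # boundary.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      priorityClassName: system-node-critical
      terminationGracePeriodSeconds: 90
      # NOTE(review): the RBAC bound to `kube-vip` is not part of this file.
      # Confirm its Role/ClusterRole grants only what kube-vip needs.
      serviceAccountName: kube-vip
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
        # No key and no tolerationSeconds: tolerates every NoExecute taint, so
        # the pod is never evicted from a tainted (e.g. not-ready) node.
        - operator: Exists
          effect: NoExecute
      containers:
        - name: kube-vip
          # NOTE(review): a tag is mutable, and IfNotPresent means a node
          # that already cached this tag never re-pulls it. For a
          # host-network, NET_ADMIN workload, consider pinning the verified
          # digest, e.g.
          #   ghcr.io/kube-vip/kube-vip:v0.8.3@sha256:<verified-digest>
          image: ghcr.io/kube-vip/kube-vip:v0.8.3
          imagePullPolicy: IfNotPresent
          args:
            - manager
          env:
            # Leader election identity must be the Kubernetes node name
            # (hostNetwork hostname is not always the same; without this,
            # no leader → no VIP).
            - name: vip_nodename
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: vip_arp
              value: "true"
            - name: address
              value: "192.168.50.230"
            - name: port
              value: "6443"
            # Physical uplink from `talosctl -n <node-ip> get links`
            # (this cluster: ens18).
            - name: vip_interface
              value: "ens18"
            # Must include "/" — kube-vip does
            # netlink.ParseAddr(address + subnet); "32" breaks
            # (192.168.50.x32).
            - name: vip_subnet
              value: "/32"
            - name: vip_leaderelection
              value: "true"
            - name: cp_enable
              value: "true"
            - name: cp_namespace
              value: "kube-system"
            # Control-plane VIP only until stable: with svc_enable=true the
            # services leader-election path calls log.Fatal on many failures /
            # leadership moves → CrashLoopBackOff on all CP nodes.
            # Re-enable "true" after pods are 1/1; if they loop again, capture:
            #   kubectl logs -n kube-system \
            #     -l app.kubernetes.io/name=kube-vip-ds --previous --tail=100
            - name: svc_enable
              value: "false"
            # Leader-election timings (kube-vip documents these in seconds).
            # Keep leaseduration > renewdeadline > retryperiod.
            - name: vip_leaseduration
              value: "15"
            - name: vip_renewdeadline
              value: "10"
            - name: vip_retryperiod
              value: "2"
          securityContext:
            capabilities:
              # There is no `drop` list, so the runtime's default capability
              # set stays in place in addition to the ones added here.
              # NOTE(review): consider `drop: [ALL]` once it is tested with
              # this release.
              add:
                - NET_ADMIN
                - NET_RAW
                # NOTE(review): SYS_TIME lets the container set the system
                # clock, which is shared with the host. Confirm this kube-vip
                # release still needs it, and remove it if not.
                - SYS_TIME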