home-cluster/talos
2025-06-03 15:59:57 +02:00

Deploy Talos with the help of talhelper

Required packages

brew install talosctl talhelper sops age

Helpful vscode extension

vscode extension @signageos/vscode-sops

Configure sops and age

# When decrypting a file with the corresponding identity, SOPS will look for a text
# file named keys.txt located in the sops/age subdirectory of your user configuration directory.
mkdir -p $HOME/Library/Application\ Support/sops/age

# Generate the key pair (keys.txt contains the public key as a comment and the secret key)
age-keygen -o $HOME/Library/Application\ Support/sops/age/keys.txt

talhelper

Change into the directory $HOME/Documents/home-cluster/talos

Encryption setup

Create the file .sops.yaml and copy the following content into it. Replace YOUR_PUBLIC_AGE_KEY with the public key that you can find in your previously generated keys.txt (the line starting with "# public key:").

Note

Do not change the indentation!

---
creation_rules:
  - age: >-
      YOUR_PUBLIC_AGE_KEY

talos secret

Generate and encrypt your new talos secret.

talhelper gensecret > talsecret.sops.yaml

sops -e -i talsecret.sops.yaml

Caution

Do not update or change talsecret.sops.yaml.

talhelper environment vars

Create and encrypt talenv.yaml to store the sensitive values that are substituted into talconfig.yaml during talhelper genconfig.

vi talenv.yaml

sops -e -i talenv.yaml
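Both talsecret.sops.yaml and talenv.yaml only stay safe in git if `sops -e -i` was actually run on them. The guard below is an added example, not part of this repository or of sops/talhelper: it checks a file for the markers every SOPS-encrypted YAML carries (scalars wrapped in ENC[AES256_GCM,...], a top-level sops: block with an age recipient and a MAC) and reports files that are still plaintext. The sample files it writes are constructed placeholders, not real cluster secrets, and the file layout it assumes is the one from this README.

```shell
#!/bin/sh
# Added example, not part of the home-cluster repository: a commit-time guard
# that checks the secret files really went through `sops -e -i`.
# A SOPS-encrypted YAML has every scalar wrapped in ENC[AES256_GCM,...] and a
# top-level "sops:" block listing the age recipient(s) and an integrity MAC.

# Exit 0 if FILE carries all the SOPS encryption markers, 1 otherwise.
sops_encrypted() {
  f="$1"
  [ -f "$f" ] || return 1
  grep -q '^sops:' "$f"                  || return 1  # metadata block
  grep -q '^[[:space:]]*age:' "$f"       || return 1  # age recipient list
  grep -q '^[[:space:]]*mac: ENC\[' "$f" || return 1  # integrity MAC
  grep -q 'ENC\[AES256_GCM,data:' "$f"   || return 1  # ciphertext values
  return 0
}

# Check every *.sops.yaml plus talenv.yaml in DIR. Prints one line per file
# and returns the number of files that are still plaintext (0 = safe).
check_secret_files() {
  dir="$1"
  bad=0
  for f in "$dir"/*.sops.yaml "$dir"/talenv.yaml; do
    [ -e "$f" ] || continue
    if sops_encrypted "$f"; then
      echo "encrypted  $f"
    else
      echo "PLAINTEXT  $f"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Constructed samples (placeholder ciphertext and recipient, not real secrets)
# so the guard can be run offline: one encrypted file, one forgotten plaintext.
write_samples() {
  dir="$1"
  cat > "$dir/talsecret.sops.yaml" <<'EOF'
cluster:
    id: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
    secret: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
    age:
        - recipient: age1placeholderplaceholderplaceholderplaceholderplaceholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            placeholder
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-05-06T00:00:00Z"
    mac: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
    version: 3.9.0
EOF
  cat > "$dir/talenv.yaml" <<'EOF'
# constructed: a talenv.yaml that was never encrypted
EXAMPLE_VALUE: plaintext-that-must-not-be-committed
EOF
}

# Stand-alone run: write the samples into a temp dir and report on them.
main() {
  tmp=$(mktemp -d)
  write_samples "$tmp"
  check_secret_files "$tmp"
  rc=$?
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] || echo "refusing to commit: $rc plaintext secret file(s)" >&2
  return "$rc"
}

main || :
```

To use it on the real directory, call `check_secret_files "$HOME/Documents/home-cluster/talos"` from a git pre-commit hook and abort the commit when it returns non-zero; the sample writer and `main` exist only for the offline demonstration.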

talconfig.yaml

Create a talconfig.yaml. Take inspiration from the talhelper template and the configuration parameters.

vi talconfig.yaml

talhelper genconfig

The command talhelper genconfig will create a .gitignore, a talosconfig and one CLUSTERNAME-HOSTNAME.yaml machine config per node (for example clusterconfig/home-cluster-talos-01.yaml) under clusterconfig.

Caution

The .gitignore lists all files generated by talhelper genconfig, because those files contain unencrypted secrets and must never be committed.

Talos image factory

Visit the website https://factory.talos.dev

  1. Hardware Type: Bare-metal Machine
  2. Choose Talos Linux Version: 1.10.0 (use the latest stable version)
  3. Machine Architecture: amd64
  4. System Extensions:
    1. siderolabs/i915 (intel gpu drivers)
    2. siderolabs/intel-ucode (intel microcode)
    3. siderolabs/iscsi-tools (necessary for longhorn)
    4. siderolabs/util-linux-tools (necessary for longhorn)
  5. Customization: skip
  6. Schematic Ready: Download the iso

Boot Image

Cluster bootstrap

talosctl apply-config --insecure -n 10.10.10.3 --file clusterconfig/home-cluster-talos-01.yaml
talosctl bootstrap -n 10.10.10.3 -e 10.10.10.3 --talosconfig clusterconfig/talosconfig
talosctl -n 10.10.10.3 --talosconfig clusterconfig/talosconfig kubeconfig

Cilium CNI

After applying the machine config and bootstrapping, Talos will appear to hang on phase 18/19 with the message: retrying error: node not ready. This happens because nodes in Kubernetes are only marked as ready once the CNI is up. As no CNI is defined yet, the boot process stays pending and the node reboots to retry after 10 minutes; this is expected behavior.

During this window you can install Cilium manually by running the following:

helm repo add cilium https://helm.cilium.io/
helm repo update

helm install \
  cilium \
  cilium/cilium \
  --version 1.17.3 \
  --namespace kube-system \
  --set ipam.mode=kubernetes \
  --set kubeProxyReplacement=true \
  --set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
  --set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
  --set cgroup.autoMount.enabled=false \
  --set cgroup.hostRoot=/sys/fs/cgroup \
  --set k8sServiceHost=localhost \
  --set k8sServicePort=7445 \
  --set operator.replicas=1
# Optionally enable Hubble with its UI; disable it again the same way
cilium hubble enable --ui
cilium hubble disable

ArgoCD

Create argocd namespace and install the application.

kubectl create ns argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Get the initial admin login password and port forward the web interface of argocd.

kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath='{.data.password}' | base64 --decode; echo
kubectl port-forward svc/argocd-server -n argocd 8080:443

Open your browser and go to https://localhost:8080. Log in as admin with the password from argocd-initial-admin-secret. Click on User-Info -> Update Password and change the password. You can then delete the secret.

kubectl delete secret argocd-initial-admin-secret -n argocd