homelab/home-cluster
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity Actions
home-cluster/talos/README.md
sujiba 114e64c309 feat: added talos image + extensions
2025-05-08 22:56:50 +02:00

135 lines
No EOL
4.3 KiB
Markdown
Raw Blame History

# Deploy Talos with the help of talhelper <!-- omit in toc -->
- [Required packages](#required-packages)
- [Helpful vscode extension](#helpful-vscode-extension)
- [Configure sops and age](#configure-sops-and-age)
- [talhelper](#talhelper)
- [Encryption setup](#encryption-setup)
- [talos secret](#talos-secret)
- [talhelper environment vars](#talhelper-environment-vars)
- [talhelper genconfig](#talhelper-genconfig)
- [talconfig.yaml](#talconfigyaml)
- [Talos image factory](#talos-image-factory)
- [Boot Image](#boot-image)
- [Cluster bootstrap](#cluster-bootstrap)
- [Cilium CNI](#cilium-cni)
# Required packages
```bash
brew install talosctl talhelper sops age
```
## Helpful vscode extension
```bash
vscode extension @signageos/vscode-sops
```
# Configure sops and age
```bash
# When decrypting a file with the corresponding identity, SOPS will look for a text
# file named keys.txt located in a sops subdirectory of your user configuration directory.
mkdir -p $HOME/Library/Application\ Support/sops/age
# Generate the key pair
age-keygen -o $HOME/Library/Application\ Support/sops/age/keys.txt
```
# talhelper
Change into the directory `$HOME/Documents/home-cluster/talos`
## Encryption setup
Create the file `.sops.yaml` and copy the following content into it. Replace `YOUR_PULBIC_AGE_KEY` with the public key that you can find in your previously genereted keys.txt.
> [!NOTE]
> Do not change the indentation!
```yaml
---
creation_rules:
- age: >-
YOUR_PULBIC_AGE_KEY
```
## talos secret
Generate and encrypt your new talos secret.
```bash
talhelper gensecret > talsecret.sops.yaml
sops -e -i talsecret.sops.yaml
```
> [!CAUTION]
> Do not update or change `talsecret.sops.yaml`.
## talhelper environment vars
Create and encrypt the talenv.yaml to store sensitive data used during `talhelper genconfig`
```bash
vi talenv.yaml
sops -e -i talenv.yaml
```
## talhelper genconfig
The command `talhelper genconfig` will create a `.gitignore`, `talosconfig` and `CLUSTERNAME_HOSTNAMEs.yaml` under clusterconfig.
> [!CAUTION]
> The `.gitignore` contains all genereted files from `talhelper genconfig` because those files contain unencrypted secrets.
## talconfig.yaml
Create a talconfig.yaml. Take inspiration from the [talhelper template](https://github.com/budimanjojo/talhelper/blob/master/example/talconfig.yaml) and the [configuration parameters](https://budimanjojo.github.io/talhelper/latest/reference/configuration/).
```bash
vi talconfig.yaml
```
## Talos image factory
Vist the website https://factory.talos.dev
1. Hardware Type: Bare-metal Machine
2. Choose Talos Linux Version: 1.10.0 (use the latest stable version)
3. Machine Architecture: amd64
4. System Extensions:
1. siderolabs/i915 (intel gpu drivers)
2. siderolabs/intel-ucode (intel microcode)
3. siderolabs/iscsi-tools (necessary for longhorn)
4. siderolabs/util-linux-tools (necessary for longhorn)
5. Customization: skip
6. Schematic Ready: Download the iso
# Boot Image
# Cluster bootstrap
```bash
talosctl apply-config --insecure -n 10.10.10.3 --file clusterconfig/home-cluster-talos-01.yaml
talosctl bootstrap -n 10.10.10.3 -e 10.10.10.3 --talosconfig talosconfig
```
# Cilium CNI
After applying the machine config and bootstrapping Talos will appear to hang on phase 18/19 with the message: retrying error: node not ready. This happens because nodes in Kubernetes are only marked as ready once the CNI is up. As there is no CNI defined, the boot process is pending and will reboot the node to retry after 10 minutes, this is expected behavior.
During this window you can install Cilium manually by running the following:
```bash
helm repo add cilium https://helm.cilium.io/
helm repo update
helm install \
cilium \
cilium/cilium \
--version 1.17.3 \
--namespace kube-system \
--set ipam.mode=kubernetes \
--set kubeProxyReplacement=true \
--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set cgroup.autoMount.enabled=false \
--set cgroup.hostRoot=/sys/fs/cgroup \
--set k8sServiceHost=localhost \
--set k8sServicePort=7445 \
--set operator.replicas=1
```
```bash
# Enable and disable hubble
cilium hubble enable --ui
cilium hubble disable
```
Reference in a new issue View git blame Copy permalink