# Deploy Talos with the help of talhelper <!-- omit in toc -->

- [Required packages](#required-packages)
  - [Helpful vscode extension](#helpful-vscode-extension)
- [Configure sops and age](#configure-sops-and-age)
- [talhelper](#talhelper)
  - [Encryption setup](#encryption-setup)
  - [talos secret](#talos-secret)
  - [talhelper environment vars](#talhelper-environment-vars)
  - [talhelper genconfig](#talhelper-genconfig)
  - [talconfig.yaml](#talconfigyaml)
  - [Talos image factory](#talos-image-factory)
- [Boot Image](#boot-image)
- [Cluster bootstrap](#cluster-bootstrap)
- [Cilium CNI](#cilium-cni)

# Required packages

```bash
brew install talosctl talhelper sops age
```

## Helpful vscode extension

Install the VS Code extension `@signageos/vscode-sops` to work with sops-encrypted files in the editor.

# Configure sops and age

```bash
# When decrypting a file with the corresponding identity, SOPS will look for a text
# file named keys.txt located in a sops subdirectory of your user configuration directory.
# (This is the macOS location; on Linux sops uses $XDG_CONFIG_HOME/sops/age/keys.txt,
# which defaults to $HOME/.config/sops/age/keys.txt.)
mkdir -p $HOME/Library/Application\ Support/sops/age

# Generate the key pair. keys.txt holds the private identity: keep it out of the repo.
age-keygen -o $HOME/Library/Application\ Support/sops/age/keys.txt
```

# talhelper

Change into the directory `$HOME/Documents/home-cluster/talos`.

## Encryption setup

Create the file `.sops.yaml` and copy the following content into it. Replace `YOUR_PUBLIC_AGE_KEY` with the public key (the `age1...` value in the `# public key:` line) that you can find in your previously generated `keys.txt`.

> [!NOTE]
> Do not change the indentation!

```yaml
---
creation_rules:
  - age: >-
      YOUR_PUBLIC_AGE_KEY
```

## talos secret

Generate and encrypt your new talos secret.

```bash
talhelper gensecret > talsecret.sops.yaml

sops -e -i talsecret.sops.yaml
```

> [!CAUTION]
> Do not update or change `talsecret.sops.yaml`.

## talhelper environment vars

Create and encrypt `talenv.yaml` to store sensitive data used during `talhelper genconfig`.

```bash
vi talenv.yaml

sops -e -i talenv.yaml
```

## talhelper genconfig

The command `talhelper genconfig` will create a `.gitignore`, a `talosconfig` and the per-node `CLUSTERNAME_HOSTNAME.yaml` files under `clusterconfig/`.

> [!CAUTION]
> The `.gitignore` contains all generated files from `talhelper genconfig` because those files contain unencrypted secrets.
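The `.gitignore` protects the generated files, but `talsecret.sops.yaml` and `talenv.yaml` are only safe to commit if `sops -e -i` was actually run on them. The following check is an added example, not part of this README or of talhelper; it verifies that those files carry the SOPS metadata and `ENC[...]` values, and the sample directory, age recipient and payloads it builds are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of talhelper or this README: a pre-commit style check
# that the secret files this guide creates (talsecret.sops.yaml, talenv.yaml)
# really went through `sops -e -i`, so no plaintext secret lands in git.
set -u
# Return 0 when FILE looks like SOPS output: a top-level `sops:` metadata block
# plus at least one ENC[AES256_GCM,...] value. Plaintext YAML has neither.
is_sops_encrypted() {
  local f="$1"
  [ -f "$f" ] || return 1
  grep -q '^sops:' "$f" && grep -q 'ENC\[AES256_GCM,' "$f"
}
# Scan DIR for the secret files used in this guide; print every one that is
# not encrypted and return 1 if any was found (0 = safe to commit). The glob
# does not match the dot-file .sops.yaml, which is plain config, not a secret.
find_plaintext_secrets() {
  local dir="$1" f bad=0
  for f in "$dir"/*.sops.yaml "$dir"/talenv.yaml; do
    [ -e "$f" ] || continue           # glob matched nothing
    if ! is_sops_encrypted "$f"; then
      echo "plaintext secret: $f"
      bad=1
    fi
  done
  return "$bad"
}
# Build a throw-away talos directory with constructed sample files so the check
# can be exercised offline: one file in SOPS shape, one still in plaintext. The
# age recipient and ENC[...] payloads are made-up placeholders, not real keys.
make_samples() {
  local d
  d="$(mktemp -d)"
  cat >"$d/talsecret.sops.yaml" <<'EOF'
cluster:
    id: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDERRECIPIENT
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            PLACEHOLDER
            -----END AGE ENCRYPTED FILE-----
    version: 3.9.0
EOF
  printf 'ghcr_token: not-a-real-token\n' >"$d/talenv.yaml"   # never encrypted
  echo "$d"
}
# Usage: find_plaintext_secrets "$HOME/Documents/home-cluster/talos" || exit 1
```

Run `find_plaintext_secrets` against your talos directory (for example from a git pre-commit hook) and abort the commit when it returns non-zero.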

## talconfig.yaml

Create a `talconfig.yaml`. Take inspiration from the [talhelper template](https://github.com/budimanjojo/talhelper/blob/master/example/talconfig.yaml) and the [configuration parameters](https://budimanjojo.github.io/talhelper/latest/reference/configuration/).

```bash
vi talconfig.yaml
```

## Talos image factory

Visit the website https://factory.talos.dev and work through the wizard:

1. Hardware Type: Bare-metal Machine
2. Choose Talos Linux Version: 1.10.0 (use the latest stable version)
3. Machine Architecture: amd64
4. System Extensions:
   1. siderolabs/i915 (intel gpu drivers)
   2. siderolabs/intel-ucode (intel microcode)
   3. siderolabs/iscsi-tools (necessary for longhorn)
   4. siderolabs/util-linux-tools (necessary for longhorn)
5. Customization: skip
6. Schematic Ready: Download the iso

# Boot Image

# Cluster bootstrap

```bash
talosctl apply-config --insecure -n 10.10.10.3 --file clusterconfig/home-cluster-talos-01.yaml
talosctl bootstrap -n 10.10.10.3 -e 10.10.10.3 --talosconfig talosconfig
```

# Cilium CNI

After applying the machine config and bootstrapping, Talos will appear to hang on phase 18/19 with the message `retrying error: node not ready`. This happens because Kubernetes only marks a node as ready once the CNI is up. As no CNI is defined yet, the boot process stays pending and reboots the node to retry after 10 minutes; this is expected behavior.

During this window you can install Cilium manually by running the following:

```bash
helm repo add cilium https://helm.cilium.io/
helm repo update

helm install \
  cilium \
  cilium/cilium \
  --version 1.17.3 \
  --namespace kube-system \
  --set ipam.mode=kubernetes \
  --set kubeProxyReplacement=true \
  --set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
  --set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
  --set cgroup.autoMount.enabled=false \
  --set cgroup.hostRoot=/sys/fs/cgroup \
  --set k8sServiceHost=localhost \
  --set k8sServicePort=7445 \
  --set operator.replicas=1
```

```bash
# Enable and disable hubble
cilium hubble enable --ui
cilium hubble disable
```