docs: update deploy documentation

Add a deployment example.
Clean up unused params.

Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
This commit is contained in:
Serge Logvinov
2024-08-29 11:28:38 +03:00
parent 09a5b9e24d
commit 01145da4f4
13 changed files with 499 additions and 32 deletions


@@ -124,6 +124,10 @@ docs:
--set-string image.tag=$(TAG) \
--set useDaemonSet=true \
charts/talos-cloud-controller-manager > docs/deploy/cloud-controller-manager-daemonset.yml
helm template -n kube-system talos-cloud-controller-manager \
-f charts/talos-cloud-controller-manager/values.edge.yaml \
--set useDaemonSet=true \
charts/talos-cloud-controller-manager > docs/deploy/cloud-controller-manager-daemonset-edge.yml
helm-docs charts/talos-cloud-controller-manager
release-update:


@@ -22,9 +22,9 @@ Support controllers:
* Assigns labels and taints based on cloud metadata and configuration
* cloud-node-lifecycle
* Cleans up node resource when cloud instance is deleted.
* node-ipam
* node-ipam-controller
* Manages the allocation and assignment of CIDR addresses to pods across the nodes in a Kubernetes cluster.
* csr-approval
* node-csr-approval
* Automatically approves Certificate Signing Requests (CSRs) for kubelet server certificates.
Read more about cloud [controllers](docs/controllers.md).


@@ -11,5 +11,5 @@ keywords:
maintainers:
- name: sergelogvinov
url: https://github.com/sergelogvinov
version: 0.4.0
version: 0.4.1
appVersion: "v1.6.0"


@@ -1,6 +1,6 @@
# talos-cloud-controller-manager
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square)
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square)
Talos Cloud Controller Manager Helm Chart
@@ -51,7 +51,7 @@ helm upgrade -i --namespace=kube-system -f talos-ccm.yaml \
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Affinity for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
| enabledControllers | list | `["cloud-node","node-csr-approval"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers. |
| enabledControllers | list | `["cloud-node"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers. |
| extraArgs | list | `[]` | Any extra arguments for talos-cloud-controller-manager |
| fullnameOverride | string | `""` | String to fully override deployment name. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy: IfNotPresent or Always. |


@@ -1,6 +1,61 @@
# Use latest Talos image
image:
pullPolicy: Always
tag: edge
# Logging details
logVerbosityLevel: 4
# Allow node CSR approval and cloud-node controllers
enabledControllers:
- cloud-node
- node-csr-approval
- node-ipam-controller
# Define the CIDR allocator type and mask sizes (for node-ipam-controller only)
extraArgs:
- --allocate-node-cidrs
- --cidr-allocator-type=CloudAllocator
- --node-cidr-mask-size-ipv4=24
- --node-cidr-mask-size-ipv6=80
# Add extra labels to nodes based on their hostname
transformations:
- name: web
nodeSelector:
- matchExpressions:
- key: hostname
operator: Regexp
values:
- ^web-.+$
labels:
node-role.kubernetes.io/web: ""
- name: worker
nodeSelector:
- matchExpressions:
- key: hostname
operator: Regexp
values:
- ^worker-.+$
labels:
node-role.kubernetes.io/worker: ""
- name: db
nodeSelector:
- matchExpressions:
- key: hostname
operator: Regexp
values:
- ^db-.+$
labels:
node-role.kubernetes.io/db: ""
# Deploy the Talos Cloud Controller Manager as a DaemonSet
useDaemonSet: true
# Tolerate all taints
tolerations:
- effect: NoSchedule
operator: Exists
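Review bot: The `# Tolerate all taints` comment over the `tolerations` entry overstates what the entry does: with `effect: NoSchedule` and `operator: Exists` it tolerates every NoSchedule taint but none with effect `NoExecute`, so an evicting taint still removes the pod; either drop the `effect` key if all taints are really intended, or reword the comment to `# Tolerate all NoSchedule taints`. The hostname-based `transformations` would also benefit from one line making the trust boundary explicit, e.g. `# node-role labels are granted purely by hostname pattern; keep hostname assignment under cluster control`, since a node whose hostname matches `^web-.+$` receives that role label with no other check visible here. Which values file this hunk belongs to is not visible in the rendered section.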


@@ -25,6 +25,10 @@ fullnameOverride: ""
# -- Any extra arguments for talos-cloud-controller-manager
extraArgs: []
# - --cluster-name=kubernetes
# Node IPAM controller arguments
# - --cidr-allocator-type=CloudAllocator
# - --node-cidr-mask-size-ipv4=24
# - --node-cidr-mask-size-ipv6=80
# -- List of controllers should be enabled.
# Use '*' to enable all controllers.
@@ -34,7 +38,7 @@ enabledControllers:
# - cloud-node-lifecycle
# - route
# - service
- node-csr-approval
# - node-csr-approval
# - node-ipam-controller
# -- List of node transformations.
@@ -146,6 +150,8 @@ tolerations:
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
operator: Exists
# - effect: NoSchedule
# operator: Exists
# -- Affinity for data pods assignment.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
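Review bot: The new `# Node IPAM controller arguments` comment block under `extraArgs` lists `--cidr-allocator-type`, `--node-cidr-mask-size-ipv4` and `--node-cidr-mask-size-ipv6` but omits `--allocate-node-cidrs`, which the example values and the controllers documentation in this same commit always pair with them; add `# - --allocate-node-cidrs` before `# - --cidr-allocator-type=CloudAllocator` so that uncommenting the block yields the documented set. In the last hunk, the commented-out toleration `# - effect: NoSchedule` / `#   operator: Exists` would tolerate every NoSchedule taint, including control-plane ones, and deserves a one-line comment stating that, e.g. `# Tolerate any NoSchedule taint (DaemonSet mode)`, so the wider scheduling footprint is a deliberate choice rather than a surprise when enabled.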


@@ -56,10 +56,8 @@ Talos CCM configuration file:
```yaml
# Global parameters
global:
# Check and approve node client certificate signing requests
# In case when you use `rotate-server-certificates` flag in kubelet
# Parameter is optional, by default is "false"
approveNodeCSR: true
# PreferIPv6 uses to prefer IPv6 addresses over IPv4 addresses
PreferIPv6: false
# Transformations rules for nodes
transformations:


@@ -5,10 +5,14 @@ To check the default state of the controllers, run the following command:
```shell
docker run --rm -ti ghcr.io/siderolabs/talos-cloud-controller-manager:edge --help | grep -A 2 'controllers'
```
Output:
```shell
--controllers strings A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
All controllers: cloud-node-controller, cloud-node-lifecycle-controller, node-ipam-controller, node-route-controller, service-lb-controller
Disabled-by-default controllers: node-ipam-controller, node-lifecycle-controller (default [*])
All controllers: certificatesigningrequest-approving-controller, cloud-node-controller, cloud-node-lifecycle-controller, node-ipam-controller, node-route-controller, service-lb-controller
Disabled-by-default controllers: certificatesigningrequest-approving-controller, node-ipam-controller, node-lifecycle-controller (default [*])
```
## Overview
@@ -18,12 +22,17 @@ docker run --rm -ti ghcr.io/siderolabs/talos-cloud-controller-manager:edge --hel
* [route](#route)
* [service](#service)
* [nodeipam](#node-ipam)
* [csr-approval](#node-certificate-approval)
* [node-csr-approval](#node-certificate-approval)
## Cloud node
Enabled by default.
CLI flags to enable the controller:
```shell
--controllers=cloud-node
```
Detects new instances launched in the cloud and registers them as nodes in the Kubernetes cluster.
Assigns labels and taints based on cloud metadata and configuration.
See [configuration options](config.md) for more details.
@@ -46,6 +55,11 @@ Node specs:
Disabled by default.
CLI flags to enable the controller:
```shell
--controllers=node-lifecycle-controller
```
Currently, it make sense only for GCP cloud.
GCP spot instances change their IP address when they are evicted. CCM catches this event and remove the node resource from the cluster. After instance recreation, the node will initialize again and join the cluster.
@@ -61,6 +75,11 @@ Is not implemented yet.
Disabled by default.
CLI flags to enable the controller:
```shell
--controllers=node-ipam-controller
```
Node IPAM is responsible for managing the allocation and assignment of CIDR addresses to pods across the nodes in a Kubernetes cluster. It ensures that IP addresses are efficiently distributed without conflicts, supporting scalable and flexible networking within the cluster.
Pod CIDR allocation is based on the node CIDR range, which is defined by the `--node-cidr-mask-size-ipv4` and `--node-cidr-mask-size-ipv6` flags. The node CIDR range is divided into smaller subnets, which are then assigned to nodes in the cluster.
@@ -79,11 +98,34 @@ This ensures seamless integration of Kubernetes networking with the existing clo
Recommended arguments for the controller:
```shell
# Talos CCM args
--controllers=node-ipam-controller \
--allocate-node-cidrs --node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=80 --cidr-allocator-type=CloudAllocator
```
Disable the default Kubernetes CIDR allocator and enable the Talos CloudAllocator.
```yaml
# Talos machine configuration
cluster:
controllerManager:
extraArgs:
controllers: "*,tokencleaner,-node-ipam-controller"
network:
# Example of IPv4 and IPv6 CIDR ranges, podSubnets-v6 will use as fallback for IPv6
podSubnets: ["10.32.0.0/12","fd00:10:32::/64"]
serviceSubnets: ["10.200.0.0/22","fd40:10:200::/108"]
```
## Node certificate approval
Disabled by default.
CLI flags to enable the controller:
```shell
--controllers=certificatesigningrequest-approving-controller
```
Talos CCM is responsible for validating a node's certificate signing request (CSR) and approving it.
When a node wants to join a cluster, it generates a CSR, which includes its identity and other relevant information.
It checks if the CSR is properly formatted, contains all the required information, and matches the node's identity.
@@ -91,3 +133,11 @@ It checks if the CSR is properly formatted, contains all the required informatio
By validating and approving node CSRs, Talos CCM plays a crucial role in maintaining the security and integrity of the cluster by ensuring that only trusted and authorized nodes are allowed to have signed kubelet certificate.
The kubelet certificate is used to secure the communication between the kubelet and other components in the cluster, such as the Kubernetes control plane. It ensures that the communication is encrypted and authenticated and preventing a man-in-the-middle (MITM) attack.
Talos machine chenges for all nodes:
```yaml
machine:
kubelet:
extraArgs:
rotate-server-certificates: true
```


@@ -0,0 +1,289 @@
---
# Source: talos-cloud-controller-manager/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
app.kubernetes.io/managed-by: Helm
namespace: kube-system
---
# Source: talos-cloud-controller-manager/templates/serviceaccount.yaml
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
name: talos-cloud-controller-manager-talos-secrets
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
app.kubernetes.io/managed-by: Helm
namespace: kube-system
spec:
roles:
- os:reader
---
# Source: talos-cloud-controller-manager/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
app.kubernetes.io/managed-by: Helm
namespace: kube-system
data:
ccm-config.yaml: |
global:
---
# Source: talos-cloud-controller-manager/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- create
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- list
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
verbs:
- update
- apiGroups:
- certificates.k8s.io
resources:
- signers
resourceNames:
- kubernetes.io/kubelet-serving
verbs:
- approve
---
# Source: talos-cloud-controller-manager/templates/rolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: system:talos-cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:talos-cloud-controller-manager
subjects:
- kind: ServiceAccount
name: talos-cloud-controller-manager
namespace: kube-system
---
# Source: talos-cloud-controller-manager/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: system:talos-cloud-controller-manager:extension-apiserver-authentication-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: talos-cloud-controller-manager
namespace: kube-system
---
# Source: talos-cloud-controller-manager/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
app.kubernetes.io/managed-by: Helm
namespace: kube-system
spec:
clusterIP: None
type: ClusterIP
ports:
- name: metrics
port: 50258
targetPort: 50258
protocol: TCP
selector:
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
---
# Source: talos-cloud-controller-manager/templates/deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
app.kubernetes.io/managed-by: Helm
namespace: kube-system
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
template:
metadata:
labels:
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
spec:
serviceAccountName: talos-cloud-controller-manager
securityContext:
fsGroup: 10258
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 10258
runAsNonRoot: true
runAsUser: 10258
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
priorityClassName: system-cluster-critical
containers:
- name: talos-cloud-controller-manager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
image: "ghcr.io/siderolabs/talos-cloud-controller-manager:edge"
imagePullPolicy: Always
command: ["/talos-cloud-controller-manager"]
args:
- --v=2
- --cloud-provider=talos
- --cloud-config=/etc/talos/ccm-config.yaml
- --controllers=cloud-node
- --leader-elect-resource-name=cloud-controller-manager-talos
- --use-service-account-credentials
- --secure-port=50258
- --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics
env:
- name: TALOS_ENDPOINTS
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: KUBERNETES_SERVICE_HOST
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: KUBERNETES_SERVICE_PORT
value: "6443"
ports:
- name: metrics
containerPort: 50258
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: metrics
scheme: HTTPS
initialDelaySeconds: 20
periodSeconds: 30
timeoutSeconds: 5
resources:
requests:
cpu: 10m
memory: 64Mi
volumeMounts:
- name: cloud-config
mountPath: /etc/talos
readOnly: true
- name: talos-secrets
mountPath: /var/run/secrets/talos.dev
readOnly: true
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/not-ready
operator: Exists
volumes:
- name: cloud-config
configMap:
name: talos-cloud-controller-manager
defaultMode: 416 # 0640
- name: talos-secrets
secret:
secretName: talos-cloud-controller-manager-talos-secrets
defaultMode: 416 # 0640


@@ -5,7 +5,7 @@ kind: ServiceAccount
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.0
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
@@ -18,7 +18,7 @@ kind: ServiceAccount
metadata:
name: talos-cloud-controller-manager-talos-secrets
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.0
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
@@ -34,7 +34,7 @@ kind: ConfigMap
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.0
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
@@ -50,7 +50,7 @@ kind: ClusterRole
metadata:
name: system:talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.0
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
@@ -158,7 +158,7 @@ kind: Service
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.0
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
@@ -182,7 +182,7 @@ kind: Deployment
metadata:
name: talos-cloud-controller-manager
labels:
helm.sh/chart: talos-cloud-controller-manager-0.4.0
helm.sh/chart: talos-cloud-controller-manager-0.4.1
app.kubernetes.io/name: talos-cloud-controller-manager
app.kubernetes.io/instance: talos-cloud-controller-manager
app.kubernetes.io/version: "v1.6.0"
@@ -226,7 +226,7 @@ spec:
- --v=2
- --cloud-provider=talos
- --cloud-config=/etc/talos/ccm-config.yaml
- --controllers=cloud-node,node-csr-approval
- --controllers=cloud-node
- --leader-elect-resource-name=cloud-controller-manager-talos
- --use-service-account-credentials
- --secure-port=50258


@@ -10,6 +10,8 @@ machine:
kubelet:
extraArgs:
cloud-provider: external
# For security reasons, it is recommended to enable the rotation of server certificates.
rotate-server-certificates: true
```
On the control-plane you need to allow [API access feature](https://www.talos.dev/v1.2/reference/configuration/#featuresconfig):
@@ -17,6 +19,10 @@ On the control-plane you need to allow [API access feature](https://www.talos.de
```yaml
# Talos machine config
machine:
kubelet:
extraArgs:
# For security reasons, it is recommended to enable the rotation of server certificates.
rotate-server-certificates: true
features:
kubernetesTalosAPIAccess:
enabled: true
@@ -54,8 +60,78 @@ kubectl apply -f https://raw.githubusercontent.com/siderolabs/talos-cloud-contro
### Method 3: helm chart
Helm chart documentation can be found [here](../charts/talos-cloud-controller-manager/README.md)
Helm chart documentation can be found [here](../charts/talos-cloud-controller-manager/README.md).
Values example can be found [here](../charts/talos-cloud-controller-manager/values-example.yaml)
```shell
helm upgrade -i -n kube-system talos-cloud-controller-manager oci://ghcr.io/siderolabs/charts/talos-cloud-controller-manager
```
## Result example
Talos Machine Config:
```yaml
machine:
kubelet:
extraArgs:
cloud-provider: external
rotate-server-certificates: true
features:
kubernetesTalosAPIAccess:
enabled: true
allowedRoles:
- os:reader
allowedKubernetesNamespaces:
- kube-system
cluster:
controllerManager:
extraArgs:
# Disable node IPAM controller
controllers: "*,tokencleaner,-node-ipam-controller"
network:
# Example of IPv4 and IPv6 CIDR ranges, podSubnets-v6 will use as fallback for IPv6
podSubnets: ["10.32.0.0/12","fd00:10:32::/64"]
serviceSubnets: ["10.200.0.0/22","fd40:10:200::/108"]
```
We use the [values-example.yaml](../charts/talos-cloud-controller-manager/values-example.yaml) to deploy your Talos Cloud Controller Manager.
```shell
helm upgrade -i -n kube-system -f https://raw.githubusercontent.com/siderolabs/talos-cloud-controller-manager/main/charts/talos-cloud-controller-manager/values-example.yaml talos-cloud-controller-manager oci://ghcr.io/siderolabs/charts/talos-cloud-controller-manager
```
Check the result:
```shell
# kubectl get nodes -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
controlplane-01a Ready control-plane 61d v1.30.2 172.16.0.142 2a01:4f8:0:3064:1::2d02 Talos (v1.7.4) 6.6.32-talos containerd://1.7.16
web-01a Ready web 61d v1.30.2 172.16.0.129 2a01:4f8:0:3064:2::2c0c Talos (v1.7.4) 6.6.32-talos containerd://1.7.16
web-02a Ready web 61d v1.30.2 172.16.0.145 2a01:4f8:0:30ac:3::2ff4 Talos (v1.7.4) 6.6.32-talos containerd://1.7.16
# kubectl get nodes web-01a -o jsonpath='{.metadata.labels}' | jq
{
"beta.kubernetes.io/arch": "amd64",
"beta.kubernetes.io/instance-type": "2VCPU-2GB",
"beta.kubernetes.io/os": "linux",
"failure-domain.beta.kubernetes.io/region": "region-1",
"failure-domain.beta.kubernetes.io/zone": "region-1a",
"kubernetes.io/arch": "amd64",
"kubernetes.io/hostname": "web-01a",
"kubernetes.io/os": "linux",
"node-role.kubernetes.io/web": "",
"node.cloudprovider.kubernetes.io/platform": "nocloud",
"node.kubernetes.io/instance-type": "2VCPU-2GB",
"topology.kubernetes.io/region": "region-1",
"topology.kubernetes.io/zone": "region-1a"
}
# kubectl get nodes -o jsonpath='{.items[*].spec.podCIDRs}'; echo
["10.32.0.0/24","2a01:4f8:0:3064::/80"] ["10.32.3.0/24","2a01:4f8:0:3064:1::/80"] ["10.32.1.0/24","2a01:4f8:0:30ac::/80"]
```
Talos CCM:
* adds the node-role label to the nodes by hostname
* define the EXTERNAL-IP
* podCIDRs allocation from IPv6 node subnet, they have two different IPv6/64 subnets (2a01:4f8:0:3064/64, 2a01:4f8:0:30ac::/64)


@@ -18,8 +18,6 @@ type cloudConfig struct {
}
type cloudConfigGlobal struct {
// Approve Node Certificate Signing Request.
ApproveNodeCSR bool `yaml:"approveNodeCSR,omitempty"`
// Talos cluster name.
ClusterName string `yaml:"clusterName,omitempty"`
// Prefer IPv6.


@@ -14,10 +14,6 @@ func TestReadCloudConfigEmpty(t *testing.T) {
if cfg.Global.PreferIPv6 {
t.Errorf("%v is not default value of preferIPv6", cfg.Global.PreferIPv6)
}
if cfg.Global.ApproveNodeCSR {
t.Errorf("%v is not default value of ApproveNodeCSR", cfg.Global.ApproveNodeCSR)
}
}
func TestReadCloudConfig(t *testing.T) {
@@ -25,7 +21,6 @@ func TestReadCloudConfig(t *testing.T) {
cfg, err := readCloudConfig(strings.NewReader(`
global:
approveNodeCSR: true
preferIPv6: true
transformations:
- name: cluster
@@ -48,8 +43,4 @@ transformations:
if !cfg.Global.PreferIPv6 {
t.Errorf("incorrect preferIPv6: %v", cfg.Global.PreferIPv6)
}
if !cfg.Global.ApproveNodeCSR {
t.Errorf("incorrect ApproveNodeCSR: %v", cfg.Global.ApproveNodeCSR)
}
}