docs: update deploy documentation

Add example of deployment.
Clean up unused params.

Signed-off-by: Serge Logvinov <[email protected]>

Makefile

@@ -124,6 +124,10 @@ docs:
 		--set-string image.tag=$(TAG) \
 		--set useDaemonSet=true \
 		charts/talos-cloud-controller-manager > docs/deploy/cloud-controller-manager-daemonset.yml
+	helm template -n kube-system talos-cloud-controller-manager \
+		-f charts/talos-cloud-controller-manager/values.edge.yaml \
+		--set useDaemonSet=true \
+		charts/talos-cloud-controller-manager > docs/deploy/cloud-controller-manager-daemonset-edge.yml
 	helm-docs charts/talos-cloud-controller-manager
 
 release-update:

README.md

@@ -22,9 +22,9 @@ Support controllers:
   * Assigns labels and taints based on cloud metadata and configuration
 * cloud-node-lifecycle
   * Cleans up node resource when cloud instance is deleted.
-* node-ipam
+* node-ipam-controller
   * Manages the allocation and assignment of CIDR addresses to pods across the nodes in a Kubernetes cluster.
-* csr-approval
+* node-csr-approval
   * Automatically approves Certificate Signing Requests (CSRs) for kubelet server certificates.
 
 Read more about cloud [controllers](docs/controllers.md).

charts/talos-cloud-controller-manager/Chart.yaml

@@ -11,5 +11,5 @@ keywords:
 maintainers:
   - name: sergelogvinov
     url: https://github.com/sergelogvinov
-version: 0.4.0
+version: 0.4.1
 appVersion: "v1.6.0"

charts/talos-cloud-controller-manager/README.md

@@ -1,6 +1,6 @@
 # talos-cloud-controller-manager
 
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square)
+![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square)
 
 Talos Cloud Controller Manager Helm Chart
 
@@ -51,7 +51,7 @@ helm upgrade -i --namespace=kube-system -f talos-ccm.yaml \
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
-| enabledControllers | list | `["cloud-node","node-csr-approval"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers. |
+| enabledControllers | list | `["cloud-node"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers. |
 | extraArgs | list | `[]` | Any extra arguments for talos-cloud-controller-manager |
 | fullnameOverride | string | `""` | String to fully override deployment name. |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull policy: IfNotPresent or Always. |

charts/talos-cloud-controller-manager/values-example.yaml

@@ -1,6 +1,61 @@
 
+# Use latest Talos image
 image:
   pullPolicy: Always
   tag: edge
 
+# Logging details
 logVerbosityLevel: 4
+
+# Allow node CSR approval and cloud-node controllers
+enabledControllers:
+  - cloud-node
+  - node-csr-approval
+  - node-ipam-controller
+
+# Define the CIDR allocator type and mask sizes (for node-ipam-controller only)
+extraArgs:
+  - --allocate-node-cidrs
+  - --cidr-allocator-type=CloudAllocator
+  - --node-cidr-mask-size-ipv4=24
+  - --node-cidr-mask-size-ipv6=80
+
+# Add extra labels to nodes based on their hostname
+transformations:
+  - name: web
+    nodeSelector:
+      - matchExpressions:
+          - key: hostname
+            operator: Regexp
+            values:
+              - ^web-.+$
+    labels:
+      node-role.kubernetes.io/web: ""
+
+  - name: worker
+    nodeSelector:
+      - matchExpressions:
+          - key: hostname
+            operator: Regexp
+            values:
+              - ^worker-.+$
+    labels:
+      node-role.kubernetes.io/worker: ""
+
+  - name: db
+    nodeSelector:
+      - matchExpressions:
+          - key: hostname
+            operator: Regexp
+            values:
+              - ^db-.+$
+    labels:
+      node-role.kubernetes.io/db: ""
+
+# Deploy the Talos Cloud Controller Manager as a DaemonSet
+useDaemonSet: true
+
+# Tolerate all taints
+tolerations:
+  - effect: NoSchedule
+    operator: Exists

charts/talos-cloud-controller-manager/values.yaml

@@ -25,6 +25,10 @@ fullnameOverride: ""
 # -- Any extra arguments for talos-cloud-controller-manager
 extraArgs: []
   # - --cluster-name=kubernetes
+  # Node IPAM controller arguments
+  # - --cidr-allocator-type=CloudAllocator
+  # - --node-cidr-mask-size-ipv4=24
+  # - --node-cidr-mask-size-ipv6=80
 
 # -- List of controllers should be enabled.
 # Use '*' to enable all controllers.
@@ -34,7 +38,7 @@ enabledControllers:
   # - cloud-node-lifecycle
   # - route
   # - service
-  - node-csr-approval
+  # - node-csr-approval
   # - node-ipam-controller
 
 # -- List of node transformations.
@@ -146,6 +150,8 @@ tolerations:
   - effect: NoSchedule
     key: node.cloudprovider.kubernetes.io/uninitialized
     operator: Exists
+  # - effect: NoSchedule
+  #   operator: Exists
 
 # -- Affinity for data pods assignment.
 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

docs/config.md

@@ -56,10 +56,8 @@ Talos CCM configuration file:
 ```yaml
 # Global parameters
 global:
-  # Check and approve node client certificate signing requests
-  # In case when you use `rotate-server-certificates` flag in kubelet
-  # Parameter is optional, by default is "false"
-  approveNodeCSR: true
+  # PreferIPv6 uses to prefer IPv6 addresses over IPv4 addresses
+  PreferIPv6: false
 
 # Transformations rules for nodes
 transformations:

docs/controllers.md

@@ -5,10 +5,14 @@ To check the default state of the controllers, run the following command:
 
 ```shell
 docker run --rm -ti ghcr.io/siderolabs/talos-cloud-controller-manager:edge --help | grep -A 2 'controllers'
+```
+
+Output:
 
+```shell
       --controllers strings                      A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'.
-                                                 All controllers: cloud-node-controller, cloud-node-lifecycle-controller, node-ipam-controller, node-route-controller, service-lb-controller
-                                                 Disabled-by-default controllers: node-ipam-controller, node-lifecycle-controller (default [*])
+                                                 All controllers: certificatesigningrequest-approving-controller, cloud-node-controller, cloud-node-lifecycle-controller, node-ipam-controller, node-route-controller, service-lb-controller
+                                                 Disabled-by-default controllers: certificatesigningrequest-approving-controller, node-ipam-controller, node-lifecycle-controller (default [*])
 ```
 
 ## Overview
@@ -18,12 +22,17 @@ docker run --rm -ti ghcr.io/siderolabs/talos-cloud-controller-manager:edge --hel
 * [route](#route)
 * [service](#service)
 * [nodeipam](#node-ipam)
-* [csr-approval](#node-certificate-approval)
+* [node-csr-approval](#node-certificate-approval)
 
 ## Cloud node
 
 Enabled by default.
 
+CLI flags to enable the controller:
+```shell
+--controllers=cloud-node
+```
+
 Detects new instances launched in the cloud and registers them as nodes in the Kubernetes cluster.
 Assigns labels and taints based on cloud metadata and configuration.
 See [configuration options](config.md) for more details.
@@ -46,6 +55,11 @@ Node specs:
 
 Disabled by default.
 
+CLI flags to enable the controller:
+```shell
+--controllers=node-lifecycle-controller
+```
+
 Currently, it make sense only for GCP cloud.
 GCP spot instances change their IP address when they are evicted. CCM catches this event and remove the node resource from the cluster. After instance recreation, the node will initialize again and join the cluster.
 
@@ -61,6 +75,11 @@ Is not implemented yet.
 
 Disabled by default.
 
+CLI flags to enable the controller:
+```shell
+--controllers=node-ipam-controller
+```
+
 Node IPAM is responsible for managing the allocation and assignment of CIDR addresses to pods across the nodes in a Kubernetes cluster. It ensures that IP addresses are efficiently distributed without conflicts, supporting scalable and flexible networking within the cluster.
 
 Pod CIDR allocation is based on the node CIDR range, which is defined by the `--node-cidr-mask-size-ipv4` and `--node-cidr-mask-size-ipv6` flags. The node CIDR range is divided into smaller subnets, which are then assigned to nodes in the cluster.
@@ -79,15 +98,46 @@ This ensures seamless integration of Kubernetes networking with the existing clo
 Recommended arguments for the controller:
 
 ```shell
+# Talos CCM args
+--controllers=node-ipam-controller \
 --allocate-node-cidrs --node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=80 --cidr-allocator-type=CloudAllocator
 ```
 
+Disable the default Kubernetes CIDR allocator and enable the Talos CloudAllocator.
+
+```yaml
+# Talos machine configuration
+cluster:
+  controllerManager:
+    extraArgs:
+      controllers: "*,tokencleaner,-node-ipam-controller"
+  network:
+    # Example of IPv4 and IPv6 CIDR ranges, podSubnets-v6 will use as fallback for IPv6
+    podSubnets: ["10.32.0.0/12","fd00:10:32::/64"]
+    serviceSubnets: ["10.200.0.0/22","fd40:10:200::/108"]
+```
+
 ## Node certificate approval
 
+Disabled by default.
+
+CLI flags to enable the controller:
+```shell
+--controllers=certificatesigningrequest-approving-controller
+```
+
 Talos CCM is responsible for validating a node's certificate signing request (CSR) and approving it.
 When a node wants to join a cluster, it generates a CSR, which includes its identity and other relevant information.
 It checks if the CSR is properly formatted, contains all the required information, and matches the node's identity.
 
 By validating and approving node CSRs, Talos CCM plays a crucial role in maintaining the security and integrity of the cluster by ensuring that only trusted and authorized nodes are allowed to have signed kubelet certificate.
 
 The kubelet certificate is used to secure the communication between the kubelet and other components in the cluster, such as the Kubernetes control plane. It ensures that the communication is encrypted and authenticated and preventing a man-in-the-middle (MITM) attack.
+
+Talos machine chenges for all nodes:
+```yaml
+machine:
+  kubelet:
+    extraArgs:
+      rotate-server-certificates: true
+```