diff --git a/Makefile b/Makefile index 329d2fa..76caea8 100644 --- a/Makefile +++ b/Makefile @@ -124,6 +124,10 @@ docs: --set-string image.tag=$(TAG) \ --set useDaemonSet=true \ charts/talos-cloud-controller-manager > docs/deploy/cloud-controller-manager-daemonset.yml + helm template -n kube-system talos-cloud-controller-manager \ + -f charts/talos-cloud-controller-manager/values.edge.yaml \ + --set useDaemonSet=true \ + charts/talos-cloud-controller-manager > docs/deploy/cloud-controller-manager-daemonset-edge.yml helm-docs charts/talos-cloud-controller-manager release-update: diff --git a/README.md b/README.md index 5f780c3..108f3ac 100644 --- a/README.md +++ b/README.md @@ -22,9 +22,9 @@ Support controllers: * Assigns labels and taints based on cloud metadata and configuration * cloud-node-lifecycle * Cleans up node resource when cloud instance is deleted. -* node-ipam +* node-ipam-controller * Manages the allocation and assignment of CIDR addresses to pods across the nodes in a Kubernetes cluster. -* csr-approval +* node-csr-approval * Automatically approves Certificate Signing Requests (CSRs) for kubelet server certificates. Read more about cloud [controllers](docs/controllers.md). diff --git a/charts/talos-cloud-controller-manager/Chart.yaml b/charts/talos-cloud-controller-manager/Chart.yaml index 9504c99..c597e7b 100644 --- a/charts/talos-cloud-controller-manager/Chart.yaml +++ b/charts/talos-cloud-controller-manager/Chart.yaml @@ -11,5 +11,5 @@ keywords: maintainers: - name: sergelogvinov url: https://github.com/sergelogvinov -version: 0.4.0 +version: 0.4.1 appVersion: "v1.6.0" diff --git a/charts/talos-cloud-controller-manager/README.md b/charts/talos-cloud-controller-manager/README.md index 33f8d5a..0b21ee2 100644 --- a/charts/talos-cloud-controller-manager/README.md +++ b/charts/talos-cloud-controller-manager/README.md 
@@ -1,6 +1,6 @@ # talos-cloud-controller-manager -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square) +![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.0](https://img.shields.io/badge/AppVersion-v1.6.0-informational?style=flat-square) Talos Cloud Controller Manager Helm Chart @@ -51,7 +51,7 @@ helm upgrade -i --namespace=kube-system -f talos-ccm.yaml \ | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity for data pods assignment. ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | -| enabledControllers | list | `["cloud-node","node-csr-approval"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers. | +| enabledControllers | list | `["cloud-node"]` | List of controllers should be enabled. Use '*' to enable all controllers. Support only `cloud-node, cloud-node-lifecycle, node-csr-approval, node-ipam-controller` controllers. | | extraArgs | list | `[]` | Any extra arguments for talos-cloud-controller-manager | | fullnameOverride | string | `""` | String to fully override deployment name. | | image.pullPolicy | string | `"IfNotPresent"` | Pull policy: IfNotPresent or Always. | diff --git a/charts/talos-cloud-controller-manager/values-example.yaml b/charts/talos-cloud-controller-manager/values-example.yaml index aee65f4..00bc1e8 100644 --- a/charts/talos-cloud-controller-manager/values-example.yaml 
+++ b/charts/talos-cloud-controller-manager/values-example.yaml @@ -1,6 +1,61 @@ +# Use latest Talos image image: pullPolicy: Always tag: edge +# Logging details logVerbosityLevel: 4 + +# Allow node CSR approval and cloud-node controllers +enabledControllers: + - cloud-node + - node-csr-approval + - node-ipam-controller + +# Define the CIDR allocator type and mask sizes (for node-ipam-controller only) +extraArgs: + - --allocate-node-cidrs + - --cidr-allocator-type=CloudAllocator + - --node-cidr-mask-size-ipv4=24 + - --node-cidr-mask-size-ipv6=80 + +# Add extra labels to nodes based on their hostname +transformations: + - name: web + nodeSelector: + - matchExpressions: + - key: hostname + operator: Regexp + values: + - ^web-.+$ + labels: + node-role.kubernetes.io/web: "" + + - name: worker + nodeSelector: + - matchExpressions: + - key: hostname + operator: Regexp + values: + - ^worker-.+$ + labels: + node-role.kubernetes.io/worker: "" + + - name: db + nodeSelector: + - matchExpressions: + - key: hostname + operator: Regexp + values: + - ^db-.+$ + labels: + node-role.kubernetes.io/db: "" + +# Deploy the Talos Cloud Controller Manager as a DaemonSet +useDaemonSet: true + +# Tolerate all taints +tolerations: + - effect: NoSchedule + operator: Exists diff --git a/charts/talos-cloud-controller-manager/values.yaml b/charts/talos-cloud-controller-manager/values.yaml index 78f3dbd..a96bcec 100644 --- a/charts/talos-cloud-controller-manager/values.yaml +++ b/charts/talos-cloud-controller-manager/values.yaml @@ -25,6 +25,10 @@ fullnameOverride: "" # -- Any extra arguments for talos-cloud-controller-manager extraArgs: [] # - --cluster-name=kubernetes + # Node IPAM controller arguments + # - --cidr-allocator-type=CloudAllocator + # - --node-cidr-mask-size-ipv4=24 + # - --node-cidr-mask-size-ipv6=80 # -- List of controllers should be enabled. # Use '*' to enable all controllers. 
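Review bot: The comment `# Tolerate all taints` above the new `tolerations` block overstates what the toleration does: with `effect: NoSchedule` and `operator: Exists` it ignores every NoSchedule taint (including `node.kubernetes.io/unschedulable`, so a cordoned node still receives the pod) but leaves NoExecute taints in force. Suggest `# Tolerate every NoSchedule taint (this also ignores cordon); NoExecute taints still apply`, or narrow the toleration to the specific keys the DaemonSet needs, as the chart's default values.yaml does. The example also lists `node-csr-approval` under `enabledControllers`, while docs/controllers.md in this commit shows the binary's flag value as `certificatesigningrequest-approving-controller`; presumably the template maps the short name, but that is worth confirming, since a mismatch would leave kubelet serving CSRs pending. Minor: `# Use latest Talos image` refers to the CCM container image, not the Talos OS image, so `# Use the latest (edge) Talos CCM image` is more accurate.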
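Review bot: The new commented `# Node IPAM controller arguments` list under `extraArgs` omits `--allocate-node-cidrs`, which docs/controllers.md in this commit lists as a recommended argument and values-example.yaml includes; without it the allocator-type and mask-size flags have nothing to act on. Suggest adding `# - --allocate-node-cidrs` as the first entry of that list so the default values file and the example stay consistent.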
@@ -34,7 +38,7 @@ enabledControllers: # - cloud-node-lifecycle # - route # - service - - node-csr-approval + # - node-csr-approval # - node-ipam-controller # -- List of node transformations. @@ -146,6 +150,8 @@ tolerations: - effect: NoSchedule key: node.cloudprovider.kubernetes.io/uninitialized operator: Exists + # - effect: NoSchedule + # operator: Exists # -- Affinity for data pods assignment. # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity diff --git a/docs/config.md b/docs/config.md index 3a72d07..c26a814 100644 --- a/docs/config.md +++ b/docs/config.md @@ -56,10 +56,8 @@ Talos CCM configuration file: ```yaml # Global parameters global: - # Check and approve node client certificate signing requests - # In case when you use `rotate-server-certificates` flag in kubelet - # Parameter is optional, by default is "false" - approveNodeCSR: true + # PreferIPv6 uses to prefer IPv6 addresses over IPv4 addresses + PreferIPv6: false # Transformations rules for nodes transformations: diff --git a/docs/controllers.md b/docs/controllers.md index 0fe7582..3d8e40f 100644 --- a/docs/controllers.md +++ b/docs/controllers.md 
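Review bot: Commenting out `- node-csr-approval` changes the chart's default from approving kubelet serving CSRs to not approving them, but nothing in values.yaml tells an upgrading user this, and Chart.yaml only moves 0.4.0 → 0.4.1, a patch bump. A comment next to the entry would make the change visible, e.g. `# node-csr-approval is no longer enabled by default (chart 0.4.1); enable it when kubelets run with rotate-server-certificates=true, otherwise their serving-certificate CSRs stay pending`. This matters because docs/install.md in the same commit now recommends `rotate-server-certificates: true` on every node, which is exactly the setting that requires an approver. Relatedly, pkg/talos/cloud_config.go removes the `approveNodeCSR` config key; whether existing ccm-config files still carrying that key parse cleanly depends on readCloudConfig's decoding strictness, which is not visible here.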
@@ -5,10 +5,14 @@ To check the default state of the controllers, run the following command: ```shell docker run --rm -ti ghcr.io/siderolabs/talos-cloud-controller-manager:edge --help | grep -A 2 'controllers' +``` + +Output: +```shell --controllers strings A list of controllers to enable. '*' enables all on-by-default controllers, 'foo' enables the controller named 'foo', '-foo' disables the controller named 'foo'. - All controllers: cloud-node-controller, cloud-node-lifecycle-controller, node-ipam-controller, node-route-controller, service-lb-controller - Disabled-by-default controllers: node-ipam-controller, node-lifecycle-controller (default [*]) + All controllers: certificatesigningrequest-approving-controller, cloud-node-controller, cloud-node-lifecycle-controller, node-ipam-controller, node-route-controller, service-lb-controller + Disabled-by-default controllers: certificatesigningrequest-approving-controller, node-ipam-controller, node-lifecycle-controller (default [*]) ``` ## Overview @@ -18,12 +22,17 @@ docker run --rm -ti ghcr.io/siderolabs/talos-cloud-controller-manager:edge --hel * [route](#route) * [service](#service) * [nodeipam](#node-ipam) -* [csr-approval](#node-certificate-approval) +* [node-csr-approval](#node-certificate-approval) ## Cloud node Enabled by default. +CLI flags to enable the controller: +```shell +--controllers=cloud-node +``` + Detects new instances launched in the cloud and registers them as nodes in the Kubernetes cluster. Assigns labels and taints based on cloud metadata and configuration. See [configuration options](config.md) for more details. 
@@ -46,6 +55,11 @@ Node specs: Disabled by default. +CLI flags to enable the controller: +```shell +--controllers=node-lifecycle-controller +``` + Currently, it make sense only for GCP cloud. GCP spot instances change their IP address when they are evicted. CCM catches this event and remove the node resource from the cluster. After instance recreation, the node will initialize again and join the cluster. @@ -61,6 +75,11 @@ Is not implemented yet. Disabled by default. +CLI flags to enable the controller: +```shell +--controllers=node-ipam-controller +``` + Node IPAM is responsible for managing the allocation and assignment of CIDR addresses to pods across the nodes in a Kubernetes cluster. It ensures that IP addresses are efficiently distributed without conflicts, supporting scalable and flexible networking within the cluster. Pod CIDR allocation is based on the node CIDR range, which is defined by the `--node-cidr-mask-size-ipv4` and `--node-cidr-mask-size-ipv6` flags. The node CIDR range is divided into smaller subnets, which are then assigned to nodes in the cluster. 
@@ -79,11 +98,34 @@ This ensures seamless integration of Kubernetes networking with the existing clo Recommended arguments for the controller: ```shell +# Talos CCM args +--controllers=node-ipam-controller \ --allocate-node-cidrs --node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=80 --cidr-allocator-type=CloudAllocator ``` +Disable the default Kubernetes CIDR allocator and enable the Talos CloudAllocator. + +```yaml +# Talos machine configuration +cluster: + controllerManager: + extraArgs: + controllers: "*,tokencleaner,-node-ipam-controller" + network: + # Example of IPv4 and IPv6 CIDR ranges, podSubnets-v6 will use as fallback for IPv6 + podSubnets: ["10.32.0.0/12","fd00:10:32::/64"] + serviceSubnets: ["10.200.0.0/22","fd40:10:200::/108"] +``` + ## Node certificate approval +Disabled by default. + +CLI flags to enable the controller: +```shell +--controllers=certificatesigningrequest-approving-controller +``` + Talos CCM is responsible for validating a node's certificate signing request (CSR) and approving it. When a node wants to join a cluster, it generates a CSR, which includes its identity and other relevant information. It checks if the CSR is properly formatted, contains all the required information, and matches the node's identity. 
@@ -91,3 +133,11 @@ It checks if the CSR is properly formatted, contains all the required informatio By validating and approving node CSRs, Talos CCM plays a crucial role in maintaining the security and integrity of the cluster by ensuring that only trusted and authorized nodes are allowed to have signed kubelet certificate. The kubelet certificate is used to secure the communication between the kubelet and other components in the cluster, such as the Kubernetes control plane. It ensures that the communication is encrypted and authenticated and preventing a man-in-the-middle (MITM) attack. + +Talos machine chenges for all nodes: +```yaml +machine: + kubelet: + extraArgs: + rotate-server-certificates: true +``` \ No newline at end of file diff --git a/docs/deploy/cloud-controller-manager-daemonset-edge.yml b/docs/deploy/cloud-controller-manager-daemonset-edge.yml new file mode 100644 index 0000000..7d10de6 --- /dev/null +++ b/docs/deploy/cloud-controller-manager-daemonset-edge.yml 
@@ -0,0 +1,289 @@ +--- +# Source: talos-cloud-controller-manager/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: talos-cloud-controller-manager + labels: + helm.sh/chart: talos-cloud-controller-manager-0.4.1 + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + app.kubernetes.io/version: "v1.6.0" + app.kubernetes.io/managed-by: Helm + namespace: kube-system +--- +# Source: talos-cloud-controller-manager/templates/serviceaccount.yaml +apiVersion: talos.dev/v1alpha1 +kind: ServiceAccount +metadata: + name: talos-cloud-controller-manager-talos-secrets + labels: + helm.sh/chart: talos-cloud-controller-manager-0.4.1 + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + app.kubernetes.io/version: "v1.6.0" + app.kubernetes.io/managed-by: Helm + namespace: kube-system +spec: + roles: + - os:reader +--- +# Source: talos-cloud-controller-manager/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: talos-cloud-controller-manager + labels: + helm.sh/chart: talos-cloud-controller-manager-0.4.1 + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + app.kubernetes.io/version: "v1.6.0" + app.kubernetes.io/managed-by: Helm + namespace: kube-system +data: + ccm-config.yaml: | + global: +--- +# Source: talos-cloud-controller-manager/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:talos-cloud-controller-manager + labels: + helm.sh/chart: talos-cloud-controller-manager-0.4.1 + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + app.kubernetes.io/version: "v1.6.0" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update 
+- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - list + - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/approval + verbs: + - update +- apiGroups: + - certificates.k8s.io + resources: + - signers + resourceNames: + - kubernetes.io/kubelet-serving + verbs: + - approve +--- +# Source: talos-cloud-controller-manager/templates/rolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: system:talos-cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:talos-cloud-controller-manager +subjects: +- kind: ServiceAccount + name: talos-cloud-controller-manager + namespace: kube-system +--- +# Source: talos-cloud-controller-manager/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:talos-cloud-controller-manager:extension-apiserver-authentication-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - kind: ServiceAccount + name: talos-cloud-controller-manager + namespace: kube-system +--- +# Source: talos-cloud-controller-manager/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: talos-cloud-controller-manager + labels: + helm.sh/chart: talos-cloud-controller-manager-0.4.1 + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + 
app.kubernetes.io/version: "v1.6.0" + app.kubernetes.io/managed-by: Helm + namespace: kube-system +spec: + clusterIP: None + type: ClusterIP + ports: + - name: metrics + port: 50258 + targetPort: 50258 + protocol: TCP + selector: + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager +--- +# Source: talos-cloud-controller-manager/templates/deployment.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: talos-cloud-controller-manager + labels: + helm.sh/chart: talos-cloud-controller-manager-0.4.1 + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + app.kubernetes.io/version: "v1.6.0" + app.kubernetes.io/managed-by: Helm + namespace: kube-system +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + template: + metadata: + labels: + app.kubernetes.io/name: talos-cloud-controller-manager + app.kubernetes.io/instance: talos-cloud-controller-manager + spec: + serviceAccountName: talos-cloud-controller-manager + securityContext: + fsGroup: 10258 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 10258 + runAsNonRoot: true + runAsUser: 10258 + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + priorityClassName: system-cluster-critical + containers: + - name: talos-cloud-controller-manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + image: "ghcr.io/siderolabs/talos-cloud-controller-manager:edge" + imagePullPolicy: Always + command: ["/talos-cloud-controller-manager"] + args: + - --v=2 + - --cloud-provider=talos + - --cloud-config=/etc/talos/ccm-config.yaml + - --controllers=cloud-node + - --leader-elect-resource-name=cloud-controller-manager-talos + - --use-service-account-credentials + - --secure-port=50258 + 
- --authorization-always-allow-paths=/healthz,/livez,/readyz,/metrics + env: + - name: TALOS_ENDPOINTS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: KUBERNETES_SERVICE_HOST + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: KUBERNETES_SERVICE_PORT + value: "6443" + ports: + - name: metrics + containerPort: 50258 + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: metrics + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 30 + timeoutSeconds: 5 + resources: + requests: + cpu: 10m + memory: 64Mi + volumeMounts: + - name: cloud-config + mountPath: /etc/talos + readOnly: true + - name: talos-secrets + mountPath: /var/run/secrets/talos.dev + readOnly: true + nodeSelector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + operator: Exists + - effect: NoSchedule + key: node.kubernetes.io/not-ready + operator: Exists + volumes: + - name: cloud-config + configMap: + name: talos-cloud-controller-manager + defaultMode: 416 # 0640 + - name: talos-secrets + secret: + secretName: talos-cloud-controller-manager-talos-secrets + defaultMode: 416 # 0640 diff --git a/docs/deploy/cloud-controller-manager-edge.yml b/docs/deploy/cloud-controller-manager-edge.yml index 82ba304..7705239 100644 --- a/docs/deploy/cloud-controller-manager-edge.yml +++ b/docs/deploy/cloud-controller-manager-edge.yml @@ -5,7 +5,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.4.0 + helm.sh/chart: talos-cloud-controller-manager-0.4.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "v1.6.0" 
@@ -18,7 +18,7 @@ kind: ServiceAccount metadata: name: talos-cloud-controller-manager-talos-secrets labels: - helm.sh/chart: talos-cloud-controller-manager-0.4.0 + helm.sh/chart: talos-cloud-controller-manager-0.4.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "v1.6.0" @@ -34,7 +34,7 @@ kind: ConfigMap metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.4.0 + helm.sh/chart: talos-cloud-controller-manager-0.4.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "v1.6.0" @@ -50,7 +50,7 @@ kind: ClusterRole metadata: name: system:talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.4.0 + helm.sh/chart: talos-cloud-controller-manager-0.4.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "v1.6.0" @@ -158,7 +158,7 @@ kind: Service metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.4.0 + helm.sh/chart: talos-cloud-controller-manager-0.4.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "v1.6.0" @@ -182,7 +182,7 @@ kind: Deployment metadata: name: talos-cloud-controller-manager labels: - helm.sh/chart: talos-cloud-controller-manager-0.4.0 + helm.sh/chart: talos-cloud-controller-manager-0.4.1 app.kubernetes.io/name: talos-cloud-controller-manager app.kubernetes.io/instance: talos-cloud-controller-manager app.kubernetes.io/version: "v1.6.0" 
@@ -226,7 +226,7 @@ spec: - --v=2 - --cloud-provider=talos - --cloud-config=/etc/talos/ccm-config.yaml - - --controllers=cloud-node,node-csr-approval + - --controllers=cloud-node - --leader-elect-resource-name=cloud-controller-manager-talos - --use-service-account-credentials - --secure-port=50258 diff --git a/docs/install.md b/docs/install.md index ef4c76c..4dcc39e 100644 --- a/docs/install.md +++ b/docs/install.md @@ -10,6 +10,8 @@ machine: kubelet: extraArgs: cloud-provider: external + # For security reasons, it is recommended to enable the rotation of server certificates. + rotate-server-certificates: true ``` On the control-plane you need to allow [API access feature](https://www.talos.dev/v1.2/reference/configuration/#featuresconfig): @@ -17,6 +19,10 @@ On the control-plane you need to allow [API access feature](https://www.talos.de ```yaml # Talos machine config machine: + kubelet: + extraArgs: + # For security reasons, it is recommended to enable the rotation of server certificates. + rotate-server-certificates: true features: kubernetesTalosAPIAccess: enabled: true 
@@ -54,8 +60,78 @@ kubectl apply -f https://raw.githubusercontent.com/siderolabs/talos-cloud-contro ### Method 3: helm chart -Helm chart documentation can be found [here](../charts/talos-cloud-controller-manager/README.md) +Helm chart documentation can be found [here](../charts/talos-cloud-controller-manager/README.md). +Values example can be found [here](../charts/talos-cloud-controller-manager/values-example.yaml) ```shell helm upgrade -i -n kube-system talos-cloud-controller-manager oci://ghcr.io/siderolabs/charts/talos-cloud-controller-manager ``` + +## Result example + +Talos Machine Config: + +```yaml +machine: + kubelet: + extraArgs: + cloud-provider: external + rotate-server-certificates: true + features: + kubernetesTalosAPIAccess: + enabled: true + allowedRoles: + - os:reader + allowedKubernetesNamespaces: + - kube-system +cluster: + controllerManager: + extraArgs: + # Disable node IPAM controller + controllers: "*,tokencleaner,-node-ipam-controller" + network: + # Example of IPv4 and IPv6 CIDR ranges, podSubnets-v6 will use as fallback for IPv6 + podSubnets: ["10.32.0.0/12","fd00:10:32::/64"] + serviceSubnets: ["10.200.0.0/22","fd40:10:200::/108"] +``` + +We use the [values-example.yaml](../charts/talos-cloud-controller-manager/values-example.yaml) to deploy your Talos Cloud Controller Manager. 
+ +```shell +helm upgrade -i -n kube-system -f https://raw.githubusercontent.com/siderolabs/talos-cloud-controller-manager/main/charts/talos-cloud-controller-manager/values-example.yaml talos-cloud-controller-manager oci://ghcr.io/siderolabs/charts/talos-cloud-controller-manager +``` + +Check the result: + +```shell +# kubectl get nodes -owide +NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME +controlplane-01a Ready control-plane 61d v1.30.2 172.16.0.142 2a01:4f8:0:3064:1::2d02 Talos (v1.7.4) 6.6.32-talos containerd://1.7.16 +web-01a Ready web 61d v1.30.2 172.16.0.129 2a01:4f8:0:3064:2::2c0c Talos (v1.7.4) 6.6.32-talos containerd://1.7.16 +web-02a Ready web 61d v1.30.2 172.16.0.145 2a01:4f8:0:30ac:3::2ff4 Talos (v1.7.4) 6.6.32-talos containerd://1.7.16 + +# kubectl get nodes web-01a -o jsonpath='{.metadata.labels}' | jq +{ + "beta.kubernetes.io/arch": "amd64", + "beta.kubernetes.io/instance-type": "2VCPU-2GB", + "beta.kubernetes.io/os": "linux", + "failure-domain.beta.kubernetes.io/region": "region-1", + "failure-domain.beta.kubernetes.io/zone": "region-1a", + "kubernetes.io/arch": "amd64", + "kubernetes.io/hostname": "web-01a", + "kubernetes.io/os": "linux", + "node-role.kubernetes.io/web": "", + "node.cloudprovider.kubernetes.io/platform": "nocloud", + "node.kubernetes.io/instance-type": "2VCPU-2GB", + "topology.kubernetes.io/region": "region-1", + "topology.kubernetes.io/zone": "region-1a" +} + +# kubectl get nodes -o jsonpath='{.items[*].spec.podCIDRs}'; echo +["10.32.0.0/24","2a01:4f8:0:3064::/80"] ["10.32.3.0/24","2a01:4f8:0:3064:1::/80"] ["10.32.1.0/24","2a01:4f8:0:30ac::/80"] +``` + +Talos CCM: +* adds the node-role label to the nodes by hostname +* define the EXTERNAL-IP +* podCIDRs allocation from IPv6 node subnet, they have two different IPv6/64 subnets (2a01:4f8:0:3064/64, 2a01:4f8:0:30ac::/64) diff --git a/pkg/talos/cloud_config.go b/pkg/talos/cloud_config.go index aeea7c7..3c3eead 100644 
--- a/pkg/talos/cloud_config.go +++ b/pkg/talos/cloud_config.go @@ -18,8 +18,6 @@ type cloudConfig struct { } type cloudConfigGlobal struct { - // Approve Node Certificate Signing Request. - ApproveNodeCSR bool `yaml:"approveNodeCSR,omitempty"` // Talos cluster name. ClusterName string `yaml:"clusterName,omitempty"` // Prefer IPv6. diff --git a/pkg/talos/cloud_config_test.go b/pkg/talos/cloud_config_test.go index 57818be..505ce9d 100644 --- a/pkg/talos/cloud_config_test.go +++ b/pkg/talos/cloud_config_test.go @@ -14,10 +14,6 @@ func TestReadCloudConfigEmpty(t *testing.T) { if cfg.Global.PreferIPv6 { t.Errorf("%v is not default value of preferIPv6", cfg.Global.PreferIPv6) } - - if cfg.Global.ApproveNodeCSR { - t.Errorf("%v is not default value of ApproveNodeCSR", cfg.Global.ApproveNodeCSR) - } } func TestReadCloudConfig(t *testing.T) { @@ -25,7 +21,6 @@ func TestReadCloudConfig(t *testing.T) { cfg, err := readCloudConfig(strings.NewReader(` global: - approveNodeCSR: true preferIPv6: true transformations: - name: cluster @@ -48,8 +43,4 @@ transformations: if !cfg.Global.PreferIPv6 { t.Errorf("incorrect preferIPv6: %v", cfg.Global.PreferIPv6) } - - if !cfg.Global.ApproveNodeCSR { - t.Errorf("incorrect ApproveNodeCSR: %v", cfg.Global.ApproveNodeCSR) - } }