Packer and Terraform for creation of Talos based Kubernetes cluster on Hetzner Cloud + Robot

superfishial/abyss
super-cluster

Build base image

We need to extend the Talos base image with open-iscsi, which we do via a manually triggered GitHub Action. This will no longer be necessary with Longhorn 1.6 (see longhorn/longhorn#3161).

Generate Hetzner Cloud snapshot for Talos image

Based on the Talos guide: https://github.com/siderolabs/talos

export HCLOUD_TOKEN=TOKEN_WITH_READ_WRITE_PERMISSIONS
cd talos
packer init .
packer build .

You may need to update the Talos version referenced in the Terraform configuration so that it matches the snapshot you built.

Create cluster

Create the file control-plane/secrets.auto.tfvars containing:

hetzner_token = "TOKEN_WITH_READ_WRITE_PERMISSIONS"

This file holds a live credential, so keep it out of version control.

cd neptune
terraform init
terraform apply

After creation, you can get the Talos client configuration via terraform output -raw talosconfig > talosconfig and the Kubernetes config via terraform output -raw kubeconfig > kubeconfig. Place the kubeconfig in ~/.kube/config (the default location on Linux) or point the KUBECONFIG environment variable at the file.

Updating expired certificates

Symptom when the admin client certificate in the talosconfig has expired:

error reading server preface: remote error: tls: expired certificate

Open docs/control-plane-configuration.yaml and grab the root CA certificate and key (machine.ca.crt and machine.ca.key); the commands below extract them and issue a new admin certificate signed by that CA.

mkdir certs
cd certs

yq eval .machine.ca.crt ../docs/control-plane-configuration.yaml | base64 -d > ca.crt
yq eval .machine.ca.key ../docs/control-plane-configuration.yaml | base64 -d > ca.key

talosctl gen key --name admin
talosctl gen csr --key admin.key --ip 127.0.0.1
talosctl gen crt --ca ca --csr admin.csr --name admin

base64 -w0 ca.crt | wl-copy # For `ca`
base64 -w0 admin.crt | wl-copy # For `crt`
base64 -w0 admin.key | wl-copy # For `key`

Paste the three base64 values into the matching ca, crt and key fields of the talosconfig context.
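As an added example (not part of this README and not Talos code), the Go program below does what the rotation steps above do with talosctl, in the language Talos itself is written in: it issues a client certificate from a CA, encodes it the way talosconfig stores crt, and adds the check this section lacks, a function that reports how many days a talosconfig certificate has left so the rotation can be scheduled before the tls: expired certificate error appears. The CA it generates is a constructed stand-in for machine.ca; the names and the one-year validity are assumptions, not values taken from the repository.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// caBundle stands in for the Talos machine CA (machine.ca.crt / machine.ca.key).
type caBundle struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a constructed throwaway CA so the example runs offline; the real
// cluster CA comes from the machine configuration instead.
func newCA(now time.Time) (*caBundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-talos-ca"}, // constructed name
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caBundle{cert: cert, key: key}, nil
}

// issueAdminCert does in one step what `talosctl gen key`, `gen csr` and `gen crt`
// do above: a fresh client key pair plus a CA-signed certificate for it. The result
// is base64-wrapped PEM, the encoding talosconfig uses for the crt field.
func issueAdminCert(ca *caBundle, notBefore time.Time, validity time.Duration) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "admin"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

// daysUntilExpiry takes a talosconfig crt or ca value (base64 of PEM; raw DER is
// accepted too) and returns whole days until NotAfter, negative once expired.
func daysUntilExpiry(certB64 string, now time.Time) (int, error) {
	raw, err := base64.StdEncoding.DecodeString(certB64)
	if err != nil {
		return 0, fmt.Errorf("base64: %w", err)
	}
	der := raw
	if block, _ := pem.Decode(raw); block != nil {
		der = block.Bytes
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, fmt.Errorf("x509: %w", err)
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

func main() {
	now := time.Now()
	ca, err := newCA(now)
	if err != nil {
		panic(err)
	}
	// Issued 400 days ago with one year of validity: expired about 35 days ago.
	stale, _ := issueAdminCert(ca, now.Add(-400*24*time.Hour), 365*24*time.Hour)
	days, err := daysUntilExpiry(stale, now)
	fmt.Println("days until expiry:", days, err)
}
```

daysUntilExpiry can be pointed at the base64 crt and ca values of an existing talosconfig context; a negative result is the condition behind the error quoted at the top of this section. The CA key that the yq commands extract signs every admin credential for the cluster, so the certs directory deserves the same handling as the machine configuration it came from.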

TODO: How to update Terraform?

Cert manager webhook cert

After a year the cert-manager webhook certificate expires; deleting its CA secret makes cert-manager regenerate it: kubectl delete secret cert-manager-webhook-ca -n kube-system
