Home
```sh
doas pacman -S talosctl fluxcd
yay -S kubecolor
```
Important
TODO: Use Omni, don't patch extra cilium manifests and patch Flux to install without a CNI
Go to https://factory.talos.dev/ and download the appropriate image for your server. In this example I'm using a raw metal arm64 image.

```sh
xz -d metal-arm64.raw.xz
doas dd if=metal-arm64.raw of=/dev/your-disk conv=fsync bs=4M # be careful to choose the correct disk
rm metal-arm64.raw # if you don't want to keep the image locally
```
Endpoints are the IPs of all the control planes. Here is a command using nmap to list all Talos instances running on your local network (port 50000 is the Talos API, apid):

```sh
nmap -Pn -n -p 50000 192.168.1.0/24 -vv | grep 'Discovered'
```
Next generate the configs:

```sh
mkdir talos-configs
cd talos-configs
talosctl gen config homelab https://<cluster-endpoint>:6443 --config-patch @patches/gateway-api.yml --config-patch @patches/cilium.yml --config-patch @patches/fluxcd.yml
```
To create a control plane:

```sh
talosctl apply-config --insecure --nodes <node IP> --file controlplane.yaml
```
Now add the endpoints to the talosconfig file:

```sh
talosctl config endpoint <endpoint IPs separated by spaces> --talosconfig=./talosconfig
```
Wait a bit, then bootstrap the cluster and open the dashboard to watch the node come up:

```sh
talosctl bootstrap --nodes <node IP> --talosconfig=./talosconfig -e <endpoint IP/DNS name>
talosctl dashboard -n <node IP> --talosconfig=./talosconfig -e <endpoint IP/DNS name>
```
The dashboard lets you check that everything is working correctly. If so, perfect! All that is left is to retrieve the kubeconfig:

```sh
talosctl kubeconfig --nodes <node IP> --talosconfig=./talosconfig
```
You can now access your cluster using kubectl on your local machine!

```sh
kubectl get nodes
kubectl get pods --all-namespaces
```
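The bootstrap steps above as one script, added here as an example and not part of the original wiki. It stops at the first failing command and, before touching any node, checks that the files `talosctl gen config` writes (talosconfig, controlplane.yaml and worker.yaml, which embed the cluster PKI and join tokens) are readable only by their owner. CLUSTER_ENDPOINT, NODE_IP, ENDPOINTS and CONFIG_DIR are assumed values to replace with your own; the talosctl flags are the ones used on this page.

```sh
#!/bin/sh
# Added example (not from the original wiki): the bootstrap procedure as a
# script that fails fast, with a permission check on the generated secrets.
set -e

CLUSTER_ENDPOINT="${CLUSTER_ENDPOINT:-https://192.168.1.10:6443}"  # assumed value, replace
NODE_IP="${NODE_IP:-192.168.1.10}"                                 # assumed value, replace
ENDPOINTS="${ENDPOINTS:-192.168.1.10}"                             # space-separated control plane IPs, replace
CONFIG_DIR="${CONFIG_DIR:-talos-configs}"

# Return 0 when the file exists and its group/other permission bits are all cleared.
check_private_file() {
  [ -f "$1" ] || return 1
  group_other=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 of "-rw-------" are group+other
  [ "$group_other" = "------" ]
}

# Check every secret-bearing file that `talosctl gen config` produces in a directory.
# Returns 1 (and names the offending files on stderr) if any is group/world-readable.
check_secret_files_private() {
  dir=$1
  rc=0
  for f in talosconfig controlplane.yaml worker.yaml; do
    if [ -f "$dir/$f" ] && ! check_private_file "$dir/$f"; then
      echo "$dir/$f is readable by group/other; run: chmod 600 $dir/$f" >&2
      rc=1
    fi
  done
  return $rc
}

bootstrap_cluster() {
  mkdir -p "$CONFIG_DIR"
  cd "$CONFIG_DIR"
  umask 077   # everything created from here on is owner-only
  talosctl gen config homelab "$CLUSTER_ENDPOINT" \
    --config-patch @patches/gateway-api.yml \
    --config-patch @patches/cilium.yml \
    --config-patch @patches/fluxcd.yml
  check_secret_files_private .
  # --insecure is only valid for this first apply: the node is still in
  # maintenance mode and has no PKI yet. Later changes go through talosconfig.
  talosctl apply-config --insecure --nodes "$NODE_IP" --file controlplane.yaml
  # shellcheck disable=SC2086  # ENDPOINTS is intentionally word-split
  talosctl config endpoint $ENDPOINTS --talosconfig=./talosconfig
  talosctl bootstrap --nodes "$NODE_IP" --talosconfig=./talosconfig -e "${ENDPOINTS%% *}"
  talosctl kubeconfig --nodes "$NODE_IP" --talosconfig=./talosconfig
}

# Usage: ./bootstrap.sh run
# Without the "run" argument only the functions are defined (handy for sourcing).
if [ "${1:-}" = "run" ]; then
  bootstrap_cluster
fi
```

The `umask 077` before `talosctl gen config` means the check should pass on a fresh run; it exists to catch configs copied from elsewhere or generated earlier with a permissive umask.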
Generate a GitLab access token with the api scope and paste it in the following secret.
Important
DO NOT BASE64-ENCODE THE ACCESS TOKEN: the field below is stringData, which takes the plain value (Kubernetes encodes it for you).

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secret
  labels:
    type: gitlab
type: Opaque
stringData:
  token: <access token>
```

```sh
kubectl apply -f gitlab.yaml
```
Now edit the cluster-secret-store with the project ID, which you can find under the three-dots menu at the top right of the repo page. You can then add all of your secrets as CI/CD variables at the following URL: https://gitlab.com/<username>/<repo>/-/settings/ci_cd#js-cicd-variables-settings
Go to https://github.com/settings/personal-access-tokens and generate a personal access token. The permissions should be the following:
- Administration -> Access: Read-only
- Contents -> Access: Read and write
- Metadata -> Access: Read-only
Now create a secret with your username and password, encoding both values in base64. The password is the token you just generated.

Tip

You can use the following to convert a text to base64:

```sh
echo -n "my value to encode" | base64
```

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: flux-system
  namespace: flux-system
type: Opaque
data:
  username: <BASE64>
  password: <BASE64>
```
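Both Secrets above are easy to get wrong by hand: the GitLab token goes under stringData in plain text, while the Flux credentials go under data and must already be base64. The script below, an added example that is not part of the original wiki, generates both manifests from plain values so the rule is applied by code, and checks that a data field decodes back to the original before you apply it. The names and namespaces are the ones used on this page; the tokens in the usage comment are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original wiki): generate the two Secret
# manifests from plain values and verify the base64 fields before applying.

# base64 without the line wrapping GNU base64 inserts after 76 characters
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# GitLab token for the external secret store: plain value under stringData.
gitlab_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: gitlab-secret\n  labels:\n    type: gitlab\ntype: Opaque\nstringData:\n  token: "%s"\n' "$1"
}

# Git credentials for Flux: username and token (as password) under data, base64-encoded.
flux_secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: flux-system\n  namespace: flux-system\ntype: Opaque\ndata:\n  username: %s\n  password: %s\n' \
    "$(b64 "$1")" "$(b64 "$2")"
}

# Sanity check before applying: the value stored under `data:` for a key must
# decode back to the expected plain value. A token that was pasted unencoded or
# encoded twice fails here instead of at Flux's first git fetch.
#   usage: data_field_decodes_to "$manifest" password "the plain token"
data_field_decodes_to() {
  encoded=$(printf '%s\n' "$1" | sed -n "s/^  $2: //p")
  [ -n "$encoded" ] && [ "$(printf '%s' "$encoded" | base64 -d 2>/dev/null)" = "$3" ]
}

# Usage (constructed placeholder tokens, not real credentials):
#   gitlab_secret_manifest "glpat-xxxxxxxx" > gitlab.yaml
#   flux_secret_manifest "my-user" "ghp_xxxxxxxx" > secret.yaml
#   data_field_decodes_to "$(cat secret.yaml)" password "ghp_xxxxxxxx" && kubectl apply -f secret.yaml
```

`base64 -d` is the GNU coreutils spelling; on macOS use `base64 -D` or `--decode`.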
You're now ready to deploy the Flux-controlled cluster. First add the GitHub token secret:

```sh
kubectl apply -f secret.yaml
```
Next add your secrets to the external secret provider of your choice (GitLab by default), change the ref in ClusterSecretStore and add all of the needed secrets.

Configure Cilium's IP pool to match your local network in the ippool.yaml file.

Edit the external-https-gateway.yaml and internal-https-gateway.yaml files and change the hostname to your own. Also edit the IPs in the annotation so they fall within the IP pool you just edited.

Change the IP address to your public IP address.
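A gateway whose annotated address lies outside the Cilium IP pool never gets that address, so it is worth checking before applying. The helper below is an added example, not part of the original wiki: it tests IPv4 addresses against the pool CIDR from ippool.yaml in plain POSIX sh. The pool and gateway addresses used in the usage comment are constructed sample values; substitute the ones from your own files.

```sh
#!/bin/sh
# Added example (not from the original wiki): verify gateway IPs fall inside
# the pool CIDR configured in ippool.yaml.

# Dotted-quad IPv4 address to a 32-bit integer; returns 1 on malformed input.
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when the address (arg 1) lies within the CIDR (arg 2, e.g. 192.168.1.224/27).
ip_in_cidr() {
  ip=$(ip2int "$1") || return 1
  net=$(ip2int "${2%/*}") || return 1
  bits=${2#*/}
  [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || return 1
  # 4294967295 is 0xFFFFFFFF; the final AND keeps the mask at 32 bits
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Check every gateway address against the pool; returns 1 if any is outside it.
#   usage: check_gateway_ips <pool cidr> <ip>...
check_gateway_ips() {
  pool=$1
  shift
  rc=0
  for ip in "$@"; do
    if ip_in_cidr "$ip" "$pool"; then
      echo "$ip: inside pool $pool"
    else
      echo "$ip: NOT inside pool $pool" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage with constructed sample values (pool .224-.255, one gateway outside it):
#   check_gateway_ips 192.168.1.224/27 192.168.1.240 192.168.2.1
```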
Once everything is ready, simply start Flux's sync:

```sh
kubectl apply -f clusters/staging/flux-system/gotk-sync.yaml
kubectl get ClusterSecretStores --all-namespaces # Make sure the external secret store is working
```
Run this command to get the external IP of external-https-gateway:

```sh
kubectl get gateway external-https-gateway
```
Now go into your router, open port 443 and forward it to this address. If everything is up and running, you should be able to access the services from the internet.
Important
Make sure you forward the IP address of the EXTERNAL gateway and not the internal one.
Point your local machine's DNS at the IP address of the Pi-hole service to access the internal services.