mirror of
https://github.com/siderolabs/talos.git
synced 2025-12-04 09:01:14 +01:00
860002c735
Fixes #7159 The change looks big, but it's actually pretty simple inside: the static pods had an annotation which tracks a version of the secrets which forced control plane pods to reload on a change. At the same time `kube-apiserver` can reload certificate inputs automatically from files without restart. So the inputs were split: the dynamic (for kube-apiserver) inputs don't need to be reloaded, so its version is not tracked in static pod annotation, so they don't cause a reload. The previous non-dynamic resource still causes a reload, but it doesn't get updated when e.g. node addresses change. There might be many more refactoring done, the resource chain is a bit of a mess there, but I wanted to keep number of changes minimal to keep this backportable. Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
90 lines
2.6 KiB
Protocol Buffer
Executable File
90 lines
2.6 KiB
Protocol Buffer
Executable File
syntax = "proto3";
|
|
|
|
package talos.resource.definitions.secrets;
|
|
|
|
option go_package = "github.com/siderolabs/talos/pkg/machinery/api/resource/definitions/secrets";
|
|
|
|
import "common/common.proto";
|
|
|
|
// APICertsSpec describes etcd certs secrets.
|
|
message APICertsSpec {
|
|
common.PEMEncodedCertificateAndKey ca = 1;
|
|
common.PEMEncodedCertificateAndKey client = 2;
|
|
common.PEMEncodedCertificateAndKey server = 3;
|
|
}
|
|
|
|
// CertSANSpec describes fields of the cert SANs.
|
|
message CertSANSpec {
|
|
repeated common.NetIP i_ps = 1;
|
|
repeated string dns_names = 2;
|
|
string fqdn = 3;
|
|
}
|
|
|
|
// EtcdCertsSpec describes etcd certs secrets.
|
|
message EtcdCertsSpec {
|
|
common.PEMEncodedCertificateAndKey etcd = 1;
|
|
common.PEMEncodedCertificateAndKey etcd_peer = 2;
|
|
common.PEMEncodedCertificateAndKey etcd_admin = 3;
|
|
common.PEMEncodedCertificateAndKey etcd_api_server = 4;
|
|
}
|
|
|
|
// EtcdRootSpec describes etcd CA secrets.
|
|
message EtcdRootSpec {
|
|
common.PEMEncodedCertificateAndKey etcd_ca = 1;
|
|
}
|
|
|
|
// KubeletSpec describes root Kubernetes secrets.
|
|
message KubeletSpec {
|
|
common.URL endpoint = 1;
|
|
common.PEMEncodedCertificateAndKey ca = 2;
|
|
string bootstrap_token_id = 3;
|
|
string bootstrap_token_secret = 4;
|
|
}
|
|
|
|
// KubernetesCertsSpec describes generated Kubernetes certificates.
|
|
message KubernetesCertsSpec {
|
|
string scheduler_kubeconfig = 4;
|
|
string controller_manager_kubeconfig = 5;
|
|
string localhost_admin_kubeconfig = 6;
|
|
string admin_kubeconfig = 7;
|
|
}
|
|
|
|
// KubernetesDynamicCertsSpec describes generated KubernetesCerts certificates.
|
|
message KubernetesDynamicCertsSpec {
|
|
common.PEMEncodedCertificateAndKey api_server = 1;
|
|
common.PEMEncodedCertificateAndKey api_server_kubelet_client = 2;
|
|
common.PEMEncodedCertificateAndKey front_proxy = 3;
|
|
}
|
|
|
|
// KubernetesRootSpec describes root Kubernetes secrets.
|
|
message KubernetesRootSpec {
|
|
string name = 1;
|
|
common.URL endpoint = 2;
|
|
common.URL local_endpoint = 3;
|
|
repeated string cert_sa_ns = 4;
|
|
string dns_domain = 6;
|
|
common.PEMEncodedCertificateAndKey ca = 7;
|
|
common.PEMEncodedKey service_account = 8;
|
|
common.PEMEncodedCertificateAndKey aggregator_ca = 9;
|
|
string aescbc_encryption_secret = 10;
|
|
string bootstrap_token_id = 11;
|
|
string bootstrap_token_secret = 12;
|
|
string secretbox_encryption_secret = 13;
|
|
repeated common.NetIP api_server_ips = 14;
|
|
}
|
|
|
|
// OSRootSpec describes operating system CA.
|
|
message OSRootSpec {
|
|
common.PEMEncodedCertificateAndKey ca = 1;
|
|
repeated common.NetIP cert_sani_ps = 2;
|
|
repeated string cert_sandns_names = 3;
|
|
string token = 4;
|
|
}
|
|
|
|
// TrustdCertsSpec describes etcd certs secrets.
|
|
message TrustdCertsSpec {
|
|
common.PEMEncodedCertificateAndKey ca = 1;
|
|
common.PEMEncodedCertificateAndKey server = 2;
|
|
}
|
|
|