mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-08-21 14:41:12 +02:00
Code Issues Packages Projects Releases Wiki Activity
talos/docs/content/configuration/masters.md
Matt Welch 8d3ee182d9 docs: minor spelling corrections. 
Minor spelling corrections.

Signed-off-by: Matt Welch <matt.welch@gmail.com>
2019-07-18 16:40:08 -07:00

174 lines
3.8 KiB
Markdown
Raw Blame History

---
title: "Masters"
date: 2018-10-29T19:40:55-07:00
draft: false
weight: 20
menu:
docs:
parent: 'configuration'
weight: 20
---
Configuring master nodes in a Talos Kubernetes cluster is a two-part process:
- configuring the Talos specific options
- and configuring the Kubernetes specific options
To get started, create a YAML file to use in the following steps:
```bash
touch <node-name>.yaml
```
## Configuring Talos
### Injecting the Talos PKI
Using `osctl`, and our output from the `osd` configuration [documentation]({{< ref "osd.md" >}}), inject the generated PKI into the configuration file:
```bash
osctl inject os --crt <organization>.crt --key <organization>.key <node-name>.yaml
```
You should see the following fields populated:
```yaml
security:
os:
ca:
crt: <base 64 encoded root public certificate>
key: <base 64 encoded root private key>
...
```
This process only needs to be performed on your initial node's configuration file.
### Configuring `trustd`
Each master node participates as a Root of Trust in the cluster.
The responsibilities of `trustd` include:
- certificate as a service
- Kubernetes PKI distribution among master nodes
The authorization between `trustd` and a client is, for now, a simple username and password combination.
Having these credentials gives a client the power to request a certificate that identifies itself.
In the `<node-name>.yaml` file, add the following:
```yaml
security:
...
services:
...
trustd:
username: '<username>'
password: '<password>'
...
```
## Configuring Kubernetes
### Generating the Root CA
To create the root CA for the Kubernetes cluster, run:
```bash
osctl gen ca --rsa --hours <hours> --organization <kubernetes-organization>
```
{{% note %}}The `--rsa` flag is required for the generation of the Kubernetes CA. {{% /note %}}
### Injecting the Kubernetes PKI
Using `osctl`, inject the generated PKI into the configuration file:
```bash
osctl inject kubernetes --crt <kubernetes-organization>.crt --key <kubernetes-organization>.key <node-name>.yaml
```
You should see the following fields populated:
```yaml
security:
...
kubernetes:
ca:
crt: <base 64 encoded root public certificate>
key: <base 64 encoded root private key>
...
```
### Configuring Kubeadm
The configuration of the `kubeadm` service is done in two parts:
- supplying the Talos specific options
- supplying the `kubeadm` `InitConfiguration`
#### Talos Specific Options
```yaml
services:
...
kubeadm:
init:
cni: <flannel|calico>
...
```
#### Kubeadm Specific Options
```yaml
services:
...
kubeadm:
...
configuration: |
apiVersion: kubeadm.k8s.io/v1alpha3
kind: InitConfiguration
...
...
```
> See the official [documentation](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/) for the options available in `InitConfiguration`.
In the end you should have something that looks similar to the following:
```yaml
version: ""
security:
os:
ca:
crt: <base 64 encoded root public certificate>
key: <base 64 encoded root private key>
kubernetes:
ca:
crt: <base 64 encoded root public certificate>
key: <base 64 encoded root private key>
services:
init:
cni: <flannel|calico>
kubeadm:
configuration: |
apiVersion: kubeadm.k8s.io/v1beta1
kind: InitConfiguration
apiEndpoint:
advertiseAddress: <master ip>
bindPort: 6443
apiVersion: kubeadm.k8s.io/v1beta1
bootstrapTokens:
- token: '<kubeadm token>'
ttl: 0s
---
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
controlPlaneEndpoint: <master ip>:443
networking:
dnsDomain: cluster.local
podSubnet: <pod subnet>
serviceSubnet: <service subnet>
trustd:
username: '<username>'
password: '<password>'
```
Reference in New Issue View Git Blame Copy Permalink