# Proxmox Talos with secrets encrypted by sops

## To start from scratch
- Create a new VM in Proxmox from the template. The template is simply the Talos Image Factory image with the QEMU guest agent and iSCSI system extensions, built for the `nocloud` platform, although a `metal` image would work just as well.
- Edit the VM's IP into the script, because it isn't parameterised yet.
- `scripts/talosctl-apply-with-secrets -e <<THE_IP>> -n <<THE_IP>>`
- `export TALOSCONFIG=${PWD}/talosconfig`
- `talosctl config endpoints <<THE_IP>>`
- `talosctl bootstrap -n <<THE_IP>>` (run this exactly once, against a single control plane node; it initialises etcd, and running it again is an error)
- `talosctl kubeconfig -n <<THE_IP>>`

TODO: parameterise stuff.

## How the secrets stuff works
`sops` uses age to encrypt the **values** in the YAML file; the keys and the `sops:` metadata block stay in plaintext, which is what keeps the file diffable in git. `sops exec-file secrets.yaml 'some-command {}'` decrypts `secrets.yaml` to a temporary file, runs `some-command` with `{}` replaced by the path of that file, and removes it when the process exits, so the plaintext only exists for the lifetime of that one command (on Unix the temporary file is a FIFO by default; pass `--no-fifo` if the consumer needs a regular file). Decryption needs the matching age private key, which sops reads from `SOPS_AGE_KEY_FILE` or `~/.config/sops/age/keys.txt`.

Talos basically says "don't store your config, store patches and just regenerate from the secrets", so the script runs `talosctl gen config` with `--with-secrets` pointing at the decrypted secrets file and `--config-patch` with a filename (`@patch.yaml`) to patch into the generated YAML. The generated machine configs embed those secrets, so treat the output directory as sensitive too and never commit it; only the encrypted `secrets.yaml` and the patches belong in the repo.
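
The steps above and the sops / `talosctl gen config` explanation, pulled together as an added example: a parameterised reconstruction of what `scripts/talosctl-apply-with-secrets` does. This is not the repository's own script. The layout it assumes (`.sops.yaml` with the age recipient, `secrets.yaml` produced by `talosctl gen secrets` and encrypted with `sops -e -i secrets.yaml`, patches in `patches/*.yaml`), the default cluster name, and the use of `-e` as the Kubernetes API endpoint and `-n` as the node to apply to are all assumptions. It also adds the check a practitioner wants before anything touches git or a node: `check_encrypted` refuses a `secrets.yaml` whose values are not all `ENC[...]` blobs. Run it as `scripts/talosctl-apply-with-secrets -e <<THE_IP>> -n <<THE_IP>>`; the generated machine configs only ever exist in a temp dir that is removed on exit, and only `talosconfig` is copied into the working directory.

```shell
#!/usr/bin/env bash
# Added example, not the repository's scripts/talosctl-apply-with-secrets:
# a parameterised reconstruction of that script. The layout below is an assumption:
#   .sops.yaml      creation_rules naming the age recipient(s) for secrets.yaml
#   secrets.yaml    output of `talosctl gen secrets`, encrypted with `sops -e -i`
#   patches/*.yaml  machine-config patches, applied in sorted filename order
# -e is taken as the cluster (Kubernetes API) endpoint, -n as the node to apply to.
set -euo pipefail

CLUSTER_NAME="${CLUSTER_NAME:-proxmox-talos}"   # hypothetical default
SECRETS_FILE="${SECRETS_FILE:-secrets.yaml}"
PATCH_DIR="${PATCH_DIR:-patches}"

usage() { echo "usage: $0 -e <cluster-endpoint-ip> -n <node-ip> [-c cluster-name]" >&2; }

# Refuse a secrets file that is not actually encrypted: outside the plaintext
# `sops:` metadata block every `key: value` scalar must be an ENC[...] blob.
# Returns non-zero and names the offending line otherwise.
check_encrypted() {
  awk '
    /^sops:/                  { in_sops = 1; next }   # metadata block is plaintext by design
    in_sops && /^[^[:blank:]]/ { in_sops = 0 }         # next top-level key ends it
    in_sops                   { next }
    /^[[:blank:]]*#/          { next }                 # comment line
    /^[[:blank:]]*[^[:blank:]#][^:]*:[[:blank:]]+[^[:blank:]]/ {   # key: value on one line
      sub(/^[^:]*:[[:blank:]]+/, "")
      if ($0 !~ /^ENC\[/) { print FILENAME ":" NR ": plaintext value: " $0 > "/dev/stderr"; bad = 1 }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Argument list for `talosctl gen config`, one argument per line so the caller
# can read it into an array without word-splitting paths. Patches are passed
# with the @file form of --config-patch.
gen_config_args() {
  local cluster="$1" endpoint="$2" secrets="$3" out_dir="$4" patch_dir="$5"
  printf '%s\n' gen config "$cluster" "https://${endpoint}:6443" \
    --with-secrets "$secrets" -o "$out_dir"
  local p
  for p in "$patch_dir"/*.yaml; do
    [ -e "$p" ] || continue          # no patches: the glob stays unexpanded
    printf '%s\n' --config-patch "@${p}"
  done
}

# Runs *inside* `sops exec-file`: $1 is the decrypted secrets path, which exists
# only for the lifetime of this process. The generated configs embed those
# secrets, so they go to a temp dir removed on exit; only talosconfig is kept.
apply_inner() {
  local secrets="$1" endpoint="$2" node="$3"
  local out line args=()
  out="$(mktemp -d)"
  trap "rm -rf -- '$out'" EXIT     # expand now: $out is local and gone when the trap fires
  while IFS= read -r line; do args+=("$line"); done \
    < <(gen_config_args "$CLUSTER_NAME" "$endpoint" "$secrets" "$out" "$PATCH_DIR")
  talosctl "${args[@]}"
  cp "$out/talosconfig" ./talosconfig   # client cert + key for talosctl; keep it out of git
  # The first apply reaches the node in maintenance mode, hence --insecure (no client cert yet).
  talosctl apply-config --insecure -n "$node" -f "$out/controlplane.yaml"
}

main() {
  local endpoint="" node="" opt
  while getopts "e:n:c:h" opt; do
    case "$opt" in
      e) endpoint="$OPTARG" ;;
      n) node="$OPTARG" ;;
      c) CLUSTER_NAME="$OPTARG" ;;
      *) usage; return 2 ;;
    esac
  done
  if [ -z "$endpoint" ] || [ -z "$node" ]; then usage; return 2; fi
  check_encrypted "$SECRETS_FILE"
  # sops decrypts to a temp file, substitutes its path for {}, runs the command
  # through the shell, and removes the file when the command exits.
  CLUSTER_NAME="$CLUSTER_NAME" PATCH_DIR="$PATCH_DIR" \
    sops exec-file "$SECRETS_FILE" "'$0' __inner {} '$endpoint' '$node'"
}

case "${1:-}" in
  __inner) shift; apply_inner "$@" ;;
  "")      usage ;;
  *)       main "$@" ;;
esac
```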
And that's it. Apply the Argo CD manifests, apply the app-of-apps, and everything else should "just flow".