From 32e90994f07aaf62ff916205f7b62c18ef082299 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Tue, 9 Sep 2025 11:45:36 -0500
Subject: [PATCH] change image
---
 .../talos/templates/external-secret.yaml | 25 --------------
 .../services/talos/templates/secret.yaml | 13 ++++++++
 .../talos/templates/service-account.yaml | 14 ++++++++
 clusters/cl01tl/services/talos/values.yaml | 33 ++++++++++++-------
 4 files changed, 48 insertions(+), 37 deletions(-)
diff --git a/clusters/cl01tl/services/talos/templates/external-secret.yaml b/clusters/cl01tl/services/talos/templates/external-secret.yaml
index 15d7c19f5..7d725d1c6 100644
--- a/clusters/cl01tl/services/talos/templates/external-secret.yaml
+++ b/clusters/cl01tl/services/talos/templates/external-secret.yaml
@@ -49,28 +49,3 @@ spec:
 key: /cl01tl/talos/etcd-backup
 metadataPolicy: None
 property: AGE_X25519_PUBLIC_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: talos-etcd-defrag-secret
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: talos-etcd-defrag-secret
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/part-of: {{ .Release.Name }}
- annotations:
- kubernetes.io/service-account.name: talos-defrag-secrets
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: vault
- data:
- - secretKey: config
- remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: /cl01tl/talos/etcd-defrag
- metadataPolicy: None
- property: config
diff --git a/clusters/cl01tl/services/talos/templates/secret.yaml b/clusters/cl01tl/services/talos/templates/secret.yaml
index b54ee3464..75f46f6eb 100644
--- a/clusters/cl01tl/services/talos/templates/secret.yaml
+++ b/clusters/cl01tl/services/talos/templates/secret.yaml
@@ -9,3 +9,16 @@ metadata:
 app.kubernetes.io/part-of: {{ .Release.Name }}
 annotations:
 kubernetes.io/service-account.name: talos-backup-secrets
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: talos-etcd-secrets
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: talos-etcd-secrets
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ annotations:
+ kubernetes.io/service-account.name: talos-etcd-secrets
diff --git a/clusters/cl01tl/services/talos/templates/service-account.yaml b/clusters/cl01tl/services/talos/templates/service-account.yaml
index 60e9a89ed..7f86db397 100644
--- a/clusters/cl01tl/services/talos/templates/service-account.yaml
+++ b/clusters/cl01tl/services/talos/templates/service-account.yaml
@@ -10,3 +10,17 @@ metadata:
 spec:
 roles:
 - os:etcd:backup
+
+---
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+ name: talos-etcd-secrets
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: talos-etcd-secrets
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ roles:
+ - os:etcd:backup
diff --git a/clusters/cl01tl/services/talos/values.yaml b/clusters/cl01tl/services/talos/values.yaml
index 034fe8139..d42a64004 100644
--- a/clusters/cl01tl/services/talos/values.yaml
+++ b/clusters/cl01tl/services/talos/values.yaml
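Review bot: The new `talos-etcd-secrets` Secret carries neither `type` nor `data`, so on its own it renders an empty Opaque secret, and the `kubernetes.io/service-account.name` annotation only has semantics on a `kubernetes.io/service-account-token` Secret — for a talos.dev ServiceAccount it appears to be documentation only. If, as the existing `talos-backup-secrets` pattern suggests, the talosconfig is expected to be written into this object by Talos's service-account controller, state that above the resource: `# Populated by Talos from the talos.dev ServiceAccount of the same name; the chart only reserves the name.` Also confirm that the GitOps tool applying this chart does not prune the `data` field Talos writes, since the chart-managed object declares none.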
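Review bot: The new `talos-etcd-secrets` account is granted only `os:etcd:backup`, the same narrow role as the backup account, yet it is consumed by the etcd-defrag workload; confirm that this role actually authorizes `etcd defrag` (and the `version` call the current script makes), because as far as I recall the backup role is scoped to etcd snapshots. If defrag needs a broader role, grant it to this dedicated account rather than widening the backup one, so the two workloads stay separately scoped. A comment naming the Talos API calls the role must cover, e.g. `# role must authorize the etcd defrag call made by the etcd-defrag job`, would make the least-privilege choice auditable.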
@@ -169,16 +169,26 @@ etcd-defrag:
 main:
 image:
 repository: ghcr.io/siderolabs/talosctl
- tag: v1.10.4
+ tag: alpine:3
 pullPolicy: IfNotPresent
- args:
- - etcd
- - defrag
- - -n 10.232.1.13
- env:
- - name: TALOSCONFIG
- value: /tmp/.talos/config
+ command:
+ - sh
+ - -c
+ - |
+ wget -O /usr/local/bin/talosctl https://github.com/siderolabs/talos/releases/download/v1.10.4/talosctl-linux-amd64
+ chmod +x /usr/local/bin/talosctl
+ while true; talosctl -n 10.232.1.11 version; do sleep 1; done
 workingDir: /tmp
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 resources:
 requests:
 cpu: 100m
@@ -195,11 +205,10 @@ etcd-defrag:
 secret:
 enabled: true
 type: secret
- name: talos-etcd-defrag-secret
+ name: talos-etcd-secrets
 advancedMounts:
- defrag:
+ main:
 main:
- - path: /tmp/.talos/config
+ - path: /var/run/secrets/talos.dev
 readOnly: true
 mountPropagation: None
- subPath: config
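Review bot: The container now fetches `talosctl` from GitHub at runtime with no checksum or signature check, replacing a pinned image with an unverified network download, and the image reference itself is broken: only `tag` changed, so the chart renders `ghcr.io/siderolabs/talosctl:alpine:3`, which is not a valid tag (a tag cannot contain `:`). The download would also fail under the new `securityContext`, since uid 1000 cannot write to `/usr/local/bin` in a stock Alpine image, and the `while true; talosctl … version; do sleep 1; done` loop no longer runs `etcd defrag` at all, so the job's purpose is lost. I would keep the pinned `ghcr.io/siderolabs/talosctl` image (ideally by digest) rather than downloading a binary; if an Alpine base is really wanted, set `repository: alpine`, download to a writable path, verify the release's published sha256 before `chmod`, and fail fast with `set -eu`, as below. The target node also moved from `10.232.1.13` to `10.232.1.11`; if that is intentional it deserves a mention in the commit message.
```yaml
    main:
      image:
        repository: alpine
        tag: "3"
        pullPolicy: IfNotPresent
      command:
        - sh
        - -c
        - |
          set -eu
          wget -O /tmp/talosctl https://github.com/siderolabs/talos/releases/download/v1.10.4/talosctl-linux-amd64
          # expected digest taken from the v1.10.4 release's published sha256 list
          echo "<sha256 of talosctl-linux-amd64 v1.10.4>  /tmp/talosctl" | sha256sum -c -
          chmod +x /tmp/talosctl
          exec /tmp/talosctl -n 10.232.1.11 etcd defrag
      workingDir: /tmp
      # … unchanged: securityContext, resources …
```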
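Review bot: With `TALOSCONFIG` no longer set, the job depends on talosctl discovering the config mounted at `/var/run/secrets/talos.dev` by itself; as far as I recall it looks for `/var/run/secrets/talos.dev/config`, which requires the Secret to carry a `config` key now that the `subPath: config` mount is gone, so verify the key name and path against the Talos version in use. The `advancedMounts` key also changed from `defrag` to `main`, which must match the controller name defined outside this hunk. A comment on the mount would help the next reader: `# talosctl auto-detects the in-cluster talosconfig under /var/run/secrets/talos.dev (written by Talos for the talos.dev ServiceAccount)`.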