change image

clusters/cl01tl/services/talos/templates/external-secret.yaml

@@ -49,28 +49,3 @@ spec:
         key: /cl01tl/talos/etcd-backup
         metadataPolicy: None
         property: AGE_X25519_PUBLIC_KEY
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: talos-etcd-defrag-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: talos-etcd-defrag-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-  annotations:
-    kubernetes.io/service-account.name: talos-defrag-secrets
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: /cl01tl/talos/etcd-defrag
-        metadataPolicy: None
-        property: config

clusters/cl01tl/services/talos/templates/secret.yaml

@@ -9,3 +9,16 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
   annotations:
     kubernetes.io/service-account.name: talos-backup-secrets
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: talos-etcd-secrets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-etcd-secrets
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    kubernetes.io/service-account.name: talos-etcd-secrets

clusters/cl01tl/services/talos/templates/service-account.yaml

@@ -10,3 +10,17 @@ metadata:
 spec:
   roles:
     - os:etcd:backup
+
+---
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+  name: talos-etcd-secrets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-etcd-secrets
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  roles:
+    - os:etcd:backup

clusters/cl01tl/services/talos/values.yaml

@@ -169,16 +169,26 @@ etcd-defrag:
         main:
           image:
             repository: ghcr.io/siderolabs/talosctl
-            tag: v1.10.4
+            tag: alpine:3
             pullPolicy: IfNotPresent
-          args:
-              - etcd
-              - defrag
-              - -n 10.232.1.13
-          env:
-            - name: TALOSCONFIG
-              value: /tmp/.talos/config
+          command:
+            - sh
+            - -c
+            - |
+              wget -O /usr/local/bin/talosctl https://github.com/siderolabs/talos/releases/download/v1.10.4/talosctl-linux-amd64
+              chmod +x /usr/local/bin/talosctl
+              while true; talosctl -n 10.232.1.11 version; do sleep 1; done
           workingDir: /tmp
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           resources:
             requests:
               cpu: 100m
@@ -195,11 +205,10 @@ etcd-defrag:
     secret:
       enabled: true
       type: secret
-      name: talos-etcd-defrag-secret
+      name: talos-etcd-secrets
       advancedMounts:
-        defrag:
+        main:
           main:
-            - path: /tmp/.talos/config
+            - path: /var/run/secrets/talos.dev
               readOnly: true
               mountPropagation: None
-              subPath: config