From d80f57292002ffb3fce5cbf18567c751781c17ba Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Tue, 9 Sep 2025 11:57:00 -0500
Subject: [PATCH] change config
---
.../talos/templates/external-secret.yaml | 23 +++++++++++++++++
.../services/talos/templates/secret.yaml | 13 ----------
.../talos/templates/service-account.yaml | 14 -----------
clusters/cl01tl/services/talos/values.yaml | 25 +++++++------------
4 files changed, 32 insertions(+), 43 deletions(-)
diff --git a/clusters/cl01tl/services/talos/templates/external-secret.yaml b/clusters/cl01tl/services/talos/templates/external-secret.yaml
index 7d725d1c6..199dc9bc7 100644
--- a/clusters/cl01tl/services/talos/templates/external-secret.yaml
+++ b/clusters/cl01tl/services/talos/templates/external-secret.yaml
@@ -49,3 +49,26 @@ spec: key: /cl01tl/talos/etcd-backup metadataPolicy: None property: AGE_X25519_PUBLIC_KEY + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: talos-etcd-defrag-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: talos-etcd-defrag-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: config + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/talos/etcd-defrag + metadataPolicy: None + property: config
diff --git a/clusters/cl01tl/services/talos/templates/secret.yaml b/clusters/cl01tl/services/talos/templates/secret.yaml
index 75f46f6eb..b54ee3464 100644
--- a/clusters/cl01tl/services/talos/templates/secret.yaml
+++ b/clusters/cl01tl/services/talos/templates/secret.yaml
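Review bot: The new ExternalSecret (`secretKey: config` / `property: config` at the end of the hunk) delivers a complete talosconfig from Vault, replacing the credential that the deleted Talos `ServiceAccount` (role-limited to `os:etcd:backup`, see the service-account.yaml hunk further down) used to inject at `/var/run/secrets/talos.dev`; nothing in the template records what role the stored config carries or how it is rotated. Add a comment above the second document, e.g. `# talosconfig for the etcd defrag job, sourced from Vault; keep it role-limited (os:etcd:backup or equivalent), not an os:admin config`, so the next reader does not assume the old scoping still applies. Consider also setting an explicit `spec.refreshInterval` so the rotation cadence is visible in the template rather than left to the operator default.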
@@ -9,16 +9,3 @@ metadata: app.kubernetes.io/part-of: {{ .Release.Name }} annotations: kubernetes.io/service-account.name: talos-backup-secrets - ---- -apiVersion: v1 -kind: Secret -metadata: - name: talos-etcd-secrets - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: talos-etcd-secrets - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} - annotations: - kubernetes.io/service-account.name: talos-etcd-secrets
diff --git a/clusters/cl01tl/services/talos/templates/service-account.yaml b/clusters/cl01tl/services/talos/templates/service-account.yaml
index 7f86db397..60e9a89ed 100644
--- a/clusters/cl01tl/services/talos/templates/service-account.yaml
+++ b/clusters/cl01tl/services/talos/templates/service-account.yaml
@@ -10,17 +10,3 @@ metadata: spec: roles: - os:etcd:backup - ---- -apiVersion: talos.dev/v1alpha1 -kind: ServiceAccount -metadata: - name: talos-etcd-secrets - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: talos-etcd-secrets - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - roles: - - os:etcd:backup
diff --git a/clusters/cl01tl/services/talos/values.yaml b/clusters/cl01tl/services/talos/values.yaml
index 1046570b8..a788cb837 100644
--- a/clusters/cl01tl/services/talos/values.yaml
+++ b/clusters/cl01tl/services/talos/values.yaml
@@ -176,17 +176,9 @@ etcd-defrag: - defrag - -n - "10.232.1.11" - workingDir: /tmp - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault + env: + - name: TALOSCONFIG + value: /tmp/.talos/config resources: requests: cpu: 100m
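Review bot: In the values.yaml hunk at `@@ -176,17 +176,9 @@`, the container `securityContext` (`runAsUser`/`runAsGroup: 1000`, `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `seccompProfile: RuntimeDefault`) is removed together with `workingDir`, although the only change the new config path needs is the added `env` entry for `TALOSCONFIG`. Unless a pod-level securityContext elsewhere in the values (outside this hunk) restores these settings, the defrag container now runs with the chart's defaults, which may mean root with the full capability set. Keep the `securityContext:` block next to `env:`; `talosctl` presumably needs only the mounted config file readable by the runtime uid, which the secret volume's file mode already allows, so no extra privilege is required. If the block was dropped because the mounted file was unreadable to uid 1000, the fix belongs on the volume (file mode / ownership), not on the container's privileges.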
@@ -200,13 +192,14 @@ etcd-defrag: main: - path: /tmp readOnly: false - secret: + talos-config: enabled: true type: secret - name: talos-etcd-secrets + name: talos-etcd-defrag-secret advancedMounts: - defrag: - main: - - path: /var/run/secrets/talos.dev + snapshot: + s3-backup: + - path: /tmp/.talos/config readOnly: true mountPropagation: None + subPath: config
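Review bot: The new `advancedMounts` keys `snapshot:` / `s3-backup:` replace `defrag:` / `main:`, yet the hunk header still places this persistence block under `etcd-defrag:`, and the previous hunk sets `TALOSCONFIG=/tmp/.talos/config` on the defrag container; if that controller is still named `defrag` with container `main`, the talosconfig is mounted on no container (or rejected by the chart) while the defrag container points at a file that is never present. If the defrag controller is the intended target, the three lines should read `defrag:` / `main:` / `- path: /tmp/.talos/config`; confirm against the `controllers:` section, which is outside the hunk. Separately, mounting the secret with `subPath: config` means the kubelet never refreshes the file in a running pod when the ExternalSecret is rotated; if the defrag workload is a CronJob that starts fresh each run this is fine, but it is worth a comment such as `# subPath mount: a rotated talosconfig is picked up only on the next pod start`.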