change config

clusters/cl01tl/services/talos/templates/external-secret.yaml

@@ -49,3 +49,26 @@ spec:
         key: /cl01tl/talos/etcd-backup
         metadataPolicy: None
         property: AGE_X25519_PUBLIC_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: talos-etcd-defrag-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-etcd-defrag-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/talos/etcd-defrag
+        metadataPolicy: None
+        property: config

clusters/cl01tl/services/talos/templates/secret.yaml

@@ -9,16 +9,3 @@ metadata:
     app.kubernetes.io/part-of: {{ .Release.Name }}
   annotations:
     kubernetes.io/service-account.name: talos-backup-secrets
-
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: talos-etcd-secrets
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: talos-etcd-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-  annotations:
-    kubernetes.io/service-account.name: talos-etcd-secrets

clusters/cl01tl/services/talos/templates/service-account.yaml

@@ -10,17 +10,3 @@ metadata:
 spec:
   roles:
     - os:etcd:backup
-
----
-apiVersion: talos.dev/v1alpha1
-kind: ServiceAccount
-metadata:
-  name: talos-etcd-secrets
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: talos-etcd-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  roles:
-    - os:etcd:backup

clusters/cl01tl/services/talos/values.yaml

@@ -176,17 +176,9 @@ etcd-defrag:
             - defrag
             - -n
             - "10.232.1.11"
-          workingDir: /tmp
+          env:
-          securityContext:
+            - name: TALOSCONFIG
-            runAsUser: 1000
+              value: /tmp/.talos/config
-            runAsGroup: 1000
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            capabilities:
-              drop:
-                - ALL
-            seccompProfile:
-              type: RuntimeDefault
           resources:
             requests:
               cpu: 100m
@@ -200,13 +192,14 @@ etcd-defrag:
           main:
             - path: /tmp
               readOnly: false
-    secret:
+    talos-config:
       enabled: true
       type: secret
-      name: talos-etcd-secrets
+      name: talos-etcd-defrag-secret
       advancedMounts:
-        defrag:
+        snapshot:
-          main:
+          s3-backup:
-            - path: /var/run/secrets/talos.dev
+            - path: /tmp/.talos/config
               readOnly: true
               mountPropagation: None
+              subPath: config