Talos OS Secrets Terraform Module

This module generates the secret data (PKI, tokens, hashes) needed to deploy a Talos Kubernetes cluster. It is a child module of ilpozzd/vsphere-cluster/talos and can also be used with ilpozzd/vsphere-vm/talos. The generated secrets correspond to the configuration of Talos OS v1.0.x.

Usage

module "secrets" {
  source  = "ilpozzd/secrets/talos"
  version = "1.0.0"

  validity_period_hours = 10000
}
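As an added example (not part of the module itself), the following root module consumes the outputs to build a talosconfig for talosctl. The context name and the node address are assumptions; the key names `context`, `contexts`, `endpoints`, `nodes`, `ca`, `crt` and `key` are the talosconfig fields, which expect base64-encoded PEM exactly as the module emits it.

```hcl
# Added example, not module code. Assumed: context name "example" and a
# single control plane node at 10.0.0.10.
module "secrets" {
  source  = "ilpozzd/secrets/talos"
  version = "1.0.0"

  validity_period_hours = 10000
}

locals {
  context_name = "example"      # assumption
  endpoints    = ["10.0.0.10"]  # assumption: control plane node address
}

# The talosctl client config: machine CA certificate plus the admin client
# certificate and key signed by it (talos_admin_pki). Marked sensitive so it
# is redacted from plan/apply output.
output "talosconfig" {
  description = "talosctl client configuration"
  sensitive   = true
  value = yamlencode({
    context = local.context_name
    contexts = {
      (local.context_name) = {
        endpoints = local.endpoints
        nodes     = local.endpoints
        ca        = module.secrets.machine_secrets.ca.crt
        crt       = module.secrets.talos_admin_pki.crt
        key       = module.secrets.talos_admin_pki.key
      }
    }
  })
}
```

Write it out with `terraform output -raw talosconfig > talosconfig` and point talosctl at it with `--talosconfig`. Note that the private keys live in Terraform state regardless of the `sensitive` flag, so the state backend needs the same protection as the resulting talosconfig.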

Examples

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.1.9, < 2.0.0 |

Providers

| Name | Version |
|---|---|
| hashicorp/random | 3.1.3 |
| hashicorp/tls | 3.3.0 |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| random_string.machine_token_6bytes | resource |
| random_string.machine_token_16bytes | resource |
| tls_private_key.machine_ca | resource |
| tls_self_signed_cert.machine_ca | resource |
| tls_private_key.machine_admin | resource |
| tls_cert_request.machine_admin | resource |
| tls_locally_signed_cert.machine_admin | resource |
| random_id.cluster_id | resource |
| random_id.cluster_secret | resource |
| random_string.cluster_token_6bytes | resource |
| random_string.cluster_token_16bytes | resource |
| tls_private_key.kubernetes_ca | resource |
| tls_self_signed_cert.kubernetes_ca | resource |
| tls_private_key.kubernetes_admin | resource |
| tls_cert_request.kubernetes_admin | resource |
| tls_locally_signed_cert.kubernetes_admin | resource |
| random_id.aescbc_encryption_secret | resource |
| tls_private_key.aggregator_ca | resource |
| tls_private_key.kubernetes_sa | resource |
| tls_private_key.etcd_ca | resource |
| tls_self_signed_cert.etcd_ca | resource |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| validity_period_hours | The number of hours after initial issue after which all generated certificates become invalid. | number | 8760 | No |

Outputs

| Name | Description | Type | Sensitive |
|---|---|---|---|
| machine_secrets | Secrets that establish a trust relationship between virtual machines. | object | true |
| talos_admin_pki | Certificate and key to manage Talos virtual machines with talosctl. | object | true |
| cluster_secrets | Secrets shared between all Kubernetes nodes. | object | true |
| kubernetes_admin_pki | Certificate and key to manage the Kubernetes cluster as administrator. | object | true |
| control_plane_cluster_secrets | Secrets shared between control plane Kubernetes nodes. | object | true |

Machine Secrets Output

{
  token = string
  ca = {
    crt = base64encode(string)
    key = base64encode(string)
  }
}
  • token - The token is used by a machine to join the PKI of the cluster.
  • ca - The root certificate authority of the PKI. It is composed of a base64 encoded crt and key in PEM format.

For more details see Talos Configuration Reference (MachineConfig).

Talos Admin PKI Output

{
  crt = base64encode(string)
  key = base64encode(string)
}

The admin certificate and key of the machine PKI, used in talosconfig to control virtual machines with talosctl. It is composed of a base64 encoded crt and key in PEM format, signed by machine_secrets.ca.crt.

Cluster Secrets Output

{
  id     = string
  secret = string
  token  = string
  ca = {
    crt = base64encode(string)
    key = base64encode(string)
  }
}
  • id - Globally unique identifier for this cluster (base64 encoded random 32 bytes).
  • secret - Shared secret of cluster (base64 encoded random 32 bytes).
  • token - The bootstrap token used to join the cluster.
  • ca - The base64 encoded root certificate authority used by Kubernetes.

For more details see Talos Configuration Reference (ClusterConfig).

Kubernetes Admin PKI Output

{
  crt = base64encode(string)
  key = base64encode(string)
}

The admin certificate and key of the Kubernetes PKI, used to control the Kubernetes cluster. It is composed of a base64 encoded crt carrying the system:masters role and key in PEM format, signed by cluster_secrets.ca.crt.

Control Plane Cluster Secrets Output

{
  aescbcEncryptionSecret = string
  aggregatorCA = {
    crt = base64encode(string)
    key = base64encode(string)
  }
  serviceAccount = {
    key = base64encode(string)
  }
  etcd = {
    ca = {
      crt = base64encode(string)
      key = base64encode(string)
    }
  }
}
  • aescbcEncryptionSecret - The key used for encryption of secret data at rest (base64 encoded random 32 bytes).
  • aggregatorCA - The aggregator certificate authority used by Kubernetes for front-proxy certificate generation. It is composed of a base64 encoded crt and key in PEM format.
  • serviceAccount - The base64 encoded private key used for service account token generation.
  • etcd - Its ca is the root certificate authority of the etcd PKI. It is composed of a base64 encoded crt and key in PEM format.

For more details see Talos Configuration Reference (ClusterConfig).
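The outputs above are split the way Talos machine configs are: every node receives the machine join token and the public CA certificates, while CA private keys and the control plane secrets go only to control plane nodes. The following added example (not module code) assembles a controlplane and a worker machine config from the outputs under that split; the cluster name, the control plane endpoint and the module block are assumptions, and the field names follow the Talos v1alpha1 MachineConfig/ClusterConfig reference the page links to.

```hcl
# Added example, not module code. Assumed: cluster name "example" and
# control plane endpoint https://10.0.0.10:6443.
module "secrets" {
  source  = "ilpozzd/secrets/talos"
  version = "1.0.0"

  validity_period_hours = 10000
}

locals {
  cluster_name     = "example"                 # assumption
  control_endpoint = "https://10.0.0.10:6443"  # assumption

  # Cluster-level values every node needs. The Kubernetes CA private key is
  # deliberately left empty here; only the controlplane config fills it in.
  cluster_common = {
    id           = module.secrets.cluster_secrets.id
    secret       = module.secrets.cluster_secrets.secret
    token        = module.secrets.cluster_secrets.token
    clusterName  = local.cluster_name
    controlPlane = { endpoint = local.control_endpoint }
  }

  # Workers get the machine CA certificate (to verify peers) but not its key,
  # and none of the control_plane_cluster_secrets.
  worker_config = {
    version = "v1alpha1"
    machine = {
      type  = "worker"
      token = module.secrets.machine_secrets.token
      ca    = { crt = module.secrets.machine_secrets.ca.crt, key = "" }
    }
    cluster = merge(local.cluster_common, {
      ca = { crt = module.secrets.cluster_secrets.ca.crt, key = "" }
    })
  }

  # Control plane nodes receive both CA keys plus the encryption, aggregator,
  # service account and etcd material, which is why those are separate outputs.
  controlplane_config = {
    version = "v1alpha1"
    machine = {
      type  = "controlplane"
      token = module.secrets.machine_secrets.token
      ca    = module.secrets.machine_secrets.ca
    }
    cluster = merge(local.cluster_common, {
      ca                     = module.secrets.cluster_secrets.ca
      aescbcEncryptionSecret = module.secrets.control_plane_cluster_secrets.aescbcEncryptionSecret
      aggregatorCA           = module.secrets.control_plane_cluster_secrets.aggregatorCA
      serviceAccount         = module.secrets.control_plane_cluster_secrets.serviceAccount
      etcd                   = module.secrets.control_plane_cluster_secrets.etcd
    })
  }
}

output "controlplane_yaml" {
  value     = yamlencode(local.controlplane_config)
  sensitive = true
}

output "worker_yaml" {
  value     = yamlencode(local.worker_config)
  sensitive = true
}
```

`merge()` is shallow, so the shared `cluster_common` map holds only top-level scalar and map values and the `ca` entry is supplied per role. A quick check after apply is `terraform output -raw worker_yaml | grep -c 'key: ""'`, which should report two empty keys (machine CA and Kubernetes CA) in the worker config and none in the controlplane config.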

Authors

The module is maintained by Ilya Pozdnov.

License

Apache 2 Licensed. See LICENSE for full details.
