Documentation

Overview
Package talosgenerator provides a generator for Talos project scaffolding.
This package creates the Talos patches directory structure required for Talos cluster configuration, including cluster-wide, control-plane, and worker patch folders.
Constants
const DisableDefaultCNIPatchYAML = `cluster:
  network:
    cni:
      name: none
`
DisableDefaultCNIPatchYAML is the Talos machine config patch YAML that disables the default CNI (Flannel). This is the single source of truth for the patch content, shared between the generator (file-based scaffolding) and the runtime config manager (in-memory patch injection when no scaffolded project exists). Required when using an alternative CNI like Cilium or Calico.
See: https://docs.siderolabs.com/kubernetes-guides/cni/deploying-cilium
const ExternalCloudProviderPatchYAML = `cluster:
  externalCloudProvider:
    enabled: true
machine:
  kubelet:
    extraArgs:
      cloud-provider: external
`
ExternalCloudProviderPatchYAML is the Talos machine config patch YAML that enables the external cloud provider. This is the single source of truth for the patch content, shared between the generator (file-based scaffolding) and the runtime config manager (in-memory patch injection for existing projects).
It enables both the cluster-level externalCloudProvider and the kubelet cloud-provider flag, which are required for cloud controller managers (e.g., Hetzner CCM) to initialize nodes with a providerID and write node labels.
See: https://www.talos.dev/latest/kubernetes-guides/configuration/cloud-provider/
const IngressFirewallDefaultActionYAML = `apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: block
`
IngressFirewallDefaultActionYAML is the Talos NetworkDefaultActionConfig document that blocks all ingress traffic by default. Individual NetworkRuleConfig documents selectively allow required ports.
const KubeletServingCertApproverManifestURL = "https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml"
KubeletServingCertApproverManifestURL is the URL for the kubelet-serving-cert-approver manifest. This is installed during Talos bootstrap to automatically approve kubelet serving certificate CSRs. Note: We use alex1989hu/kubelet-serving-cert-approver for Talos because it provides a single manifest URL suitable for extraManifests. For non-Talos distributions, we use postfinance/kubelet-csr-approver via Helm which offers more features and configurability. See: https://docs.siderolabs.com/kubernetes-guides/monitoring-and-observability/deploy-metrics-server/
Deprecated: Use csrapprover.Manifest() with inlineManifests instead of this URL. This constant is retained for backward compatibility with existing patch files.
Variables
var ErrConfigRequired = errors.New("talos config is required")
ErrConfigRequired is returned when a nil config is provided.
Functions
func IngressFirewallCPRulesYAML (added in v7.6.1)
IngressFirewallCPRulesYAML returns the Talos NetworkRuleConfig documents for control-plane nodes. The networkCIDR and cniPort parameters are injected at generation time.
This is the single source of truth for the CP rules content, shared between the generator (file-based scaffolding) and the runtime config manager (in-memory injection).
func IngressFirewallWorkerRulesYAML (added in v7.6.1)
IngressFirewallWorkerRulesYAML returns the Talos NetworkRuleConfig documents for worker nodes. Workers expose fewer ports than control-plane nodes.
func KubeletCSRApproverInlineManifestPatchYAML (added in v7.4.2)
func KubeletCSRApproverInlineManifestPatchYAML() string
KubeletCSRApproverInlineManifestPatchYAML returns the Talos machine config patch YAML that installs the kubelet-serving-cert-approver via cluster.inlineManifests. The manifest uses the upstream-recommended :main image tag.
Types
type Config
type Config struct {
	// PatchesDir is the root directory for Talos patches.
	PatchesDir string
	// MirrorRegistries contains mirror registry specifications in "host=upstream" format.
	// Example: ["docker.io=https://registry-1.docker.io"]
	MirrorRegistries []string
	// WorkerNodes is the number of worker nodes configured.
	// When 0 (default), generates allow-scheduling-on-control-planes.yaml.
	WorkerNodes int
	// DisableDefaultCNI indicates whether to disable Talos's default CNI (Flannel).
	// When true, generates a disable-default-cni.yaml patch to set cluster.network.cni.name to "none".
	// This is required when using an alternative CNI like Cilium.
	DisableDefaultCNI bool
	// EnableKubeletCertRotation indicates whether to enable kubelet serving certificate rotation.
	// When true, generates a kubelet-cert-rotation.yaml patch with rotate-server-certificates: true.
	// This is required for secure metrics-server communication using TLS.
	EnableKubeletCertRotation bool
	// ClusterName is an optional explicit cluster name override.
	// When set, generates a cluster-name.yaml patch to set cluster.clusterName.
	// This name is used for the kubeconfig context (admin@<name>).
	ClusterName string
	// EnableImageVerification indicates whether to generate an ImageVerificationConfig template.
	// When true, generates an image-verification.yaml document with a default skip-all rule
	// and commented examples for keyless (Cosign/OIDC) and public key verification.
	// This requires Talos 1.13+.
	EnableImageVerification bool
	// DisableCDI indicates whether to generate a patch that disables CDI.
	// When true, generates a disable-cdi.yaml patch to set machine.features.enableCDI to false.
	// Talos 1.13+ enables CDI by default, so this patch is only needed when CDI should be turned off.
	DisableCDI bool
	// EnableExternalCloudProvider indicates whether to enable the external cloud provider.
	// When true, generates an external-cloud-provider.yaml patch that sets
	// cluster.externalCloudProvider.enabled to true and machine.kubelet.extraArgs.cloud-provider
	// to "external". This is required for Hetzner Cloud so that the Cloud Controller Manager
	// can initialize nodes with a providerID and the CSI driver can schedule.
	// See: https://www.talos.dev/latest/kubernetes-guides/configuration/cloud-provider/
	EnableExternalCloudProvider bool
	// EnableIngressFirewall indicates whether to generate Talos ingress firewall documents.
	// When true, generates NetworkDefaultActionConfig (ingress: block) and per-role
	// NetworkRuleConfig documents for defense-in-depth at the OS level.
	// Requires the NetworkCIDR and CNIPort fields to be set.
	// See: https://www.talos.dev/latest/talos-guides/network/ingress-firewall/
	EnableIngressFirewall bool
	// NetworkCIDR is the cluster's private network CIDR, used to restrict
	// ingress firewall rules to cluster-internal traffic (e.g., "10.0.0.0/16").
	NetworkCIDR string
	// CNIPort is the CNI encapsulation port (e.g., 8472 for Cilium VXLAN, 4789 for Flannel/Calico).
	CNIPort int
}
Config represents the Talos scaffolding configuration.
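The field comments above state preconditions (a nil config is rejected with ErrConfigRequired, mirrors are "host=upstream", and the ingress firewall requires NetworkCIDR and CNIPort) but no validation code is shown. The following is an added example, not part of the talosgenerator package: it uses a trimmed local copy of Config, a hypothetical Validate helper, and assumes that mirror upstreams must be HTTPS and that a /0 NetworkCIDR is rejected because it would make the "cluster-internal" restriction meaningless.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// ErrConfigRequired mirrors the package-level error documented on this page.
var ErrConfigRequired = errors.New("talos config is required")

// Config is a trimmed local copy of the page's Config struct (only the fields
// these checks use) so the example runs on its own.
type Config struct {
	MirrorRegistries      []string
	EnableIngressFirewall bool
	NetworkCIDR           string
	CNIPort               int
}

// Validate is a hypothetical helper enforcing the preconditions the field
// comments state: a nil config is rejected, mirrors use "host=upstream" (HTTPS
// assumed here), and the firewall needs a cluster-internal CIDR and a valid port.
func Validate(cfg *Config) error {
	if cfg == nil {
		return ErrConfigRequired
	}
	for _, m := range cfg.MirrorRegistries {
		host, upstream, ok := strings.Cut(m, "=")
		if !ok || host == "" || !strings.HasPrefix(upstream, "https://") {
			return fmt.Errorf("mirror registry %q: want host=https://upstream", m)
		}
	}
	if !cfg.EnableIngressFirewall {
		return nil
	}
	prefix, err := netip.ParsePrefix(cfg.NetworkCIDR)
	if err != nil {
		return fmt.Errorf("ingress firewall: NetworkCIDR: %w", err)
	}
	// A /0 prefix matches every source, so the rules would no longer be cluster-internal.
	if prefix.Bits() == 0 {
		return fmt.Errorf("ingress firewall: NetworkCIDR %q is not cluster-internal", cfg.NetworkCIDR)
	}
	if cfg.CNIPort < 1 || cfg.CNIPort > 65535 {
		return fmt.Errorf("ingress firewall: CNIPort %d out of range", cfg.CNIPort)
	}
	return nil
}
```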
Directories

| Path | Synopsis |
|---|---|
| csrapprover | Package csrapprover provides the kubelet-serving-cert-approver manifest for embedding in Talos machine configs via cluster.inlineManifests. |