enix / x509-certificate-exporter

A Prometheus exporter to monitor x509 certificates expiration in Kubernetes clusters or standalone
MIT License

Permission denied for Talos Linux certificates #297

Closed JeanGau-ops closed 2 months ago

JeanGau-ops commented 3 months ago

Hello, I'm trying to implement this great tool in our Talos Linux clusters but can't figure out how to do it properly. First I had to add "hostPathVolumeType: null" in the chart, and now it returns a "permission denied" for every certificate under /system/secrets/kubernetes/. I know that some of Enix's clusters are using Talos Linux too, so... how did you implement this tool? Or did you?

npdgm commented 2 months ago

Hi @JeanGau-ops, sorry for the super late answer. This config should work on a Talos cluster:

hostPathsExporter:
  # Needed to read the control-plane certificates under /system/secrets;
  # without it the exporter gets the "permission denied" reported above.
  securityContext:
    privileged: true
    capabilities:
      add:
      - SYS_ADMIN

  # Talos needs the hostPath type check disabled (see the first comment).
  hostPathVolumeType: null

  daemonSets:
    cp:
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Exists
      watchFiles:
      - /etc/kubernetes/pki/ca.crt
      - /var/lib/kubelet/pki/kubelet-client-current.pem
      - /system/secrets/etcd/server.crt
      - /system/secrets/etcd/peer.crt
      - /system/secrets/etcd/ca.crt
      - /system/secrets/etcd/admin.crt
      - /system/secrets/kubernetes/kube-apiserver/aggregator-ca.crt
      - /system/secrets/kubernetes/kube-apiserver/apiserver-kubelet-client.crt
      - /system/secrets/kubernetes/kube-apiserver/apiserver.crt
      - /system/secrets/kubernetes/kube-apiserver/ca.crt
      - /system/secrets/kubernetes/kube-apiserver/etcd-client-ca.crt
      - /system/secrets/kubernetes/kube-apiserver/etcd-client.crt
      - /system/secrets/kubernetes/kube-apiserver/front-proxy-client.crt

    nodes:
      watchFiles:
      - /etc/kubernetes/pki/ca.crt
      - /var/lib/kubelet/pki/kubelet-client-current.pem

I'll add it to the documentation.