siderolabs / sidero

Sidero Metal is a bare metal provisioning system with support for Kubernetes Cluster API.
https://www.sidero.dev
Mozilla Public License 2.0

aescbcEncryptionSecret not present to machine config #1169

Open mglants opened 1 year ago

mglants commented 1 year ago

aescbcEncryptionSecret is missing when maintaining pre-1.3 clusters.

smira commented 1 year ago

This depends on talosVersion: set in the CABPT config: https://github.com/siderolabs/cluster-api-bootstrap-provider-talos/#usage

It should be set at the moment of the cluster creation to the value matching initial installed Talos version.

mglants commented 1 year ago

Wow, I kept upgrading that parameter too..., my fault probably.

mglants commented 1 year ago

@smira downgraded to 1.2, aescbcEncryptionSecret: is still not coming to the Talos machine config if I upgrade the Talos version via talosctl. What should I have set in CABPT and CACPPT after the upgrade?

smira commented 1 year ago

I'm not quite sure what you mean by that.

talosctl upgrade is not supported with CAPI, you do it on your own.

Upgrade to 1.2 from what version? AES-CBC secret was replaced with SecretBox in the new versions of Talos, both are supported on upgrade, but Talos >=1.3 doesn't generate AES-CBC by default unless instructed to do so by talosVersion:.

mglants commented 1 year ago

No, I mean that when I add talosVersion: 1.1 or 1.2, it doesn't provide aescbcEncryptionSecret in the machine config.

smira commented 1 year ago

I can't reproduce that:

$ talosctl gen config foo https://127.0.0.1:6443/ --talos-version=v1.2 --output-types controlplane -o - | grep aes
generating PKI and tokens
    #         # cipher: aes-xts-plain64
    aescbcEncryptionSecret: EYBoQvtXWbRK4kVZhXn2qVzjs95+rWhNbMCCrTIpSjY= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).

vs.

 talosctl gen config foo https://127.0.0.1:6443/ --force --output-types controlplane -o - | grep aes
generating PKI and tokens
    #         # cipher: aes-xts-plain64
    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=

mglants commented 1 year ago

@smira I mean, when you always PXE boot, for example, or you reset the node from within Sidero, how could I have the system booted up to Talos 1.3.7, for example, with the config for a prior version?

smira commented 1 year ago

The config generation process happens in the CABPT provider, and it's driven by the talosVersion: field in the template for the input resource. CAPI stores the machine config in the userdata Secret in the management cluster, which is served to the machine over HTTP from Sidero Metal.

The question of whether the machine config has or doesn't have some field is completely defined by the CABPT.
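For the question above about what to set in CABPT and CACPPT, here is an added example (not from this thread or the Sidero project) of pinning talosVersion in both the TalosControlPlane (CACPPT) and the TalosConfigTemplate (CABPT), so that config generation keeps producing the at-rest encryption key shape of the version the cluster was originally installed with; the resource names, the Kubernetes version and the MetalMachineTemplate names are assumptions.

```yaml
# Example only: CACPPT control-plane resource with talosVersion pinned.
# talosVersion is the Talos version the cluster was FIRST installed with
# (v1.2 here, assumed). It is not bumped when nodes are later upgraded
# with talosctl; it only steers how CABPT generates the machine config
# (e.g. whether aescbcEncryptionSecret is emitted for pre-1.3 clusters).
apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
kind: TalosControlPlane
metadata:
  name: example-cp            # assumed name
spec:
  version: v1.25.0            # Kubernetes version, assumed
  replicas: 1
  infrastructureTemplate:
    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
    kind: MetalMachineTemplate
    name: example-cp          # assumed name
  controlPlaneConfig:
    controlplane:
      generateType: controlplane
      talosVersion: v1.2      # pinned to the initially installed version
---
# Example only: CABPT bootstrap template for worker machines, pinned the
# same way so every machine config served by Sidero Metal over HTTP has
# the same field set regardless of which Talos image the node PXE-boots.
apiVersion: bootstrap.cluster.x-k8s.io/v1alpha3
kind: TalosConfigTemplate
metadata:
  name: example-workers       # assumed name
spec:
  template:
    spec:
      generateType: join
      talosVersion: v1.2      # must match the control-plane setting
```

After applying these, the userdata Secret that CAPI stores in the management cluster can be decoded with kubectl and checked for an uncommented aescbcEncryptionSecret, the same way the talosctl gen config comparison above shows the difference between a pinned and an unpinned version.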