Closed leoslf closed 7 months ago
The recommended approach is to use a patch
either with the apply machine config resource or the generate machine config data source
resource "talos_machine_configuration_apply" "this" {
...
config_patches = [
yamlencode({
cluster = {
serviceAccount = {
key = tls_private_key.service_account_signing_key.private_key_pem
}
}
})
]
}
or
data "talos_machine_configuration" "this" {
...
config_patches = [
yamlencode({
cluster = {
serviceAccount = {
key = tls_private_key.service_account_signing_key.private_key_pem
}
}
})
]
}
The recommended approach is to use a patch
Hi @frezbo,
Thanks for the prompt reply. The two suggested workarounds definitely look better than mine.
It would be nice if the talos_machine_secrets.machine_secrets
could be self-contained (should not have to be patched elsewhere after creation), so the users can just use it without patching in every talos_machine_configuration data source.
Since talos_machine_secrets
takes care of secrets generation, it would be just nice and give a better user experience to (a) have an optional parameter defaults to ECDSA
-> ES256
but still provide a way to use RSA
-> RS256
as an alternative algorithm for service account signing key, so it's backward compatible on the provider side, and (b) expose the key-pair as separate readable properties (I mean it's still fine to yamldecode
the nested field).
Thanks, Leo
P.S. Did a little tracing here... The hardcoded value sits on this line in siderolabs/talos https://github.com/siderolabs/talos/blob/0bd1bdd744f68dc42ac64678972fede992a7189e/pkg/machinery/config/generate/secrets/bundle.go#L255
That is fixed in Talos 1.7 (it defaults to RSA for service account key).
@smira Thank you so much
Hi Team,
It would be nice if we could parametrize either
talos_machine_secrets.certs.k8sserviceaccount.key
or expose an option to chooseRS256
for generatingtalos_machine_secrets.certs.k8sserviceaccount.key
.The use case is deploying a Talos cluster to AWS on EC2 and turns out AWS IAM Roles for Service Accounts (IRSA) doesn't accept service account tokens generated with
ES256
, which is the default generated by the provider.Current workaround:
Thanks, Leo