Closed wind0r closed 1 year ago
Hey @wind0r, thanks for filing the issue. I think what you're doing now is probably the best you can do at this moment, but we're talking internally about extending the output to include these fields explicitly, as you say. Stay tuned!
For what it's worth, I was able to do this manually via:
```hcl
# Key pair for a client certificate that the cluster's Kubernetes CA
# (taken from the Talos machine secrets) will sign.
resource "tls_private_key" "kubernetes_cert" {
  algorithm = "ED25519"
}

# CSR for the admin identity. Kubernetes maps the certificate's
# organization to a group: "system:masters" is bound to cluster-admin
# and bypasses RBAC entirely, so treat this certificate as a root credential.
resource "tls_cert_request" "kubernetes_cert" {
  private_key_pem = tls_private_key.kubernetes_cert.private_key_pem

  subject {
    organization = "system:masters"
    common_name  = "admin"
  }
}

# Sign the CSR with the Kubernetes CA key held in the Talos secrets.
# Both the CA key and the client key end up in Terraform state, so the
# state backend must be protected accordingly.
resource "tls_locally_signed_cert" "kubernetes_cert" {
  cert_request_pem   = tls_cert_request.kubernetes_cert.cert_request_pem
  ca_private_key_pem = base64decode(local.talos_secrets.certs.k8s.key)
  ca_cert_pem        = base64decode(local.talos_secrets.certs.k8s.crt)

  validity_period_hours = 24 * 365 # same 1 year period that `talosctl kubeconfig` uses

  allowed_uses = [
    "digital_signature",
    "client_auth",
  ]
}

# Authenticate to the API server with the freshly signed client certificate.
provider "kubernetes" {
  host                   = local.kubernetes_api_server_endpoint
  client_certificate     = tls_locally_signed_cert.kubernetes_cert.cert_pem
  client_key             = tls_private_key.kubernetes_cert.private_key_pem
  cluster_ca_certificate = base64decode(local.talos_secrets.certs.k8s.crt)
}
```
Currently I parse the kubeconfig from `talos_cluster_kubeconfig` in a rather complicated way to set up the kubernetes provider so I can use helm and/or install flux via terraform.
see:
So I am wondering if there is a better way which I am missing, or if `talos_cluster_kubeconfig` should maybe be extended to directly provide `host`, `cluster_ca_certificate`, `client_certificate` and `client_key`.
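As an added example (not code from the issue, the Talos provider, or its documentation), here is one way to feed the kubeconfig returned by `talos_cluster_kubeconfig` into the kubernetes and helm providers with `yamldecode`, rather than issuing a second admin certificate. It assumes a `talos_cluster_kubeconfig` resource named `this` that exposes the kubeconfig text as `kubeconfig_raw`, that the kubeconfig contains exactly one cluster and one user entry, and helm provider v2 block syntax; all of those are assumptions, not facts from the page.

```hcl
# Added example: derive kubernetes and helm provider settings from the
# kubeconfig YAML instead of minting a new system:masters certificate.
#
# Assumptions (not taken from the issue): the resource is named "this",
# exposes the kubeconfig as kubeconfig_raw, and that kubeconfig holds a
# single cluster and a single user entry.
locals {
  kubeconfig = yamldecode(talos_cluster_kubeconfig.this.kubeconfig_raw)

  kube_cluster = local.kubeconfig.clusters[0].cluster
  kube_user    = local.kubeconfig.users[0].user

  # kubeconfig keys contain hyphens, so they must be indexed with [""]
  # rather than dotted attribute access. The *-data fields are base64.
  kube_host = local.kube_cluster.server
  kube_ca   = base64decode(local.kube_cluster["certificate-authority-data"])
  kube_cert = base64decode(local.kube_user["client-certificate-data"])
  kube_key  = base64decode(local.kube_user["client-key-data"])
}

provider "kubernetes" {
  host                   = local.kube_host
  cluster_ca_certificate = local.kube_ca
  client_certificate     = local.kube_cert
  client_key             = local.kube_key
}

# helm provider (v2 block syntax) reusing the same credentials, so helm
# releases and a flux bootstrap can run from the same plan.
provider "helm" {
  kubernetes {
    host                   = local.kube_host
    cluster_ca_certificate = local.kube_ca
    client_certificate     = local.kube_cert
    client_key             = local.kube_key
  }
}
```

Two caveats apply to either approach. The decoded client key is a cluster-admin credential and sits in Terraform state, so the state backend needs the same protection as the kubeconfig itself. And provider configuration must be known at plan time: if the cluster is created in the same apply, the kubeconfig is unknown until the Talos resources exist, so the kubernetes and helm providers usually belong in a separate root module or a second apply.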