
aescbcEncryptionSecret not present to machine config #1169

Open
mglants opened this issue Jul 24, 2023 · 8 comments

Comments

@mglants

mglants commented Jul 24, 2023

aescbcEncryptionSecret missing when maintaining pre-1.3 clusters.

@smira
Member

smira commented Jul 24, 2023

This depends on talosVersion: set in the CABPT config: https://github.com/siderolabs/cluster-api-bootstrap-provider-talos/#usage

It should be set at the moment of cluster creation to the value matching the initially installed Talos version.

@mglants
Author

mglants commented Jul 24, 2023

Wow, I kept upgrading that parameter too... my fault probably.

@mglants
Author

mglants commented Jul 26, 2023

@smira downgraded to 1.2, aescbcEncryptionSecret: still not coming into the Talos machine config.
If I upgrade the Talos version via talosctl, what should I set in CABPT and CACPPT after the upgrade?

@smira
Member

smira commented Jul 26, 2023

I'm not quite sure what you mean by that.

talosctl upgrade is not supported with CAPI, you do it on your own.

Upgrade to 1.2 from what version? AES-CBC secret was replaced with SecretBox in the new versions of Talos, both are supported on upgrade, but Talos >=1.3 doesn't generate AES-CBC by default unless instructed to do so by talosVersion:.

@mglants
Author

mglants commented Jul 27, 2023

No, I mean when I add talosVersion: 1.1 or 1.2, it doesn't provide aescbcEncryptionSecret in the machine config.

@smira
Member

smira commented Jul 27, 2023

I can't reproduce that:

$ talosctl gen config foo https://127.0.0.1:6443/ --talos-version=v1.2 --output-types controlplane -o - | grep aes
generating PKI and tokens
    #         # cipher: aes-xts-plain64
    aescbcEncryptionSecret: EYBoQvtXWbRK4kVZhXn2qVzjs95+rWhNbMCCrTIpSjY= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).

vs.

$ talosctl gen config foo https://127.0.0.1:6443/ --force --output-types controlplane -o - | grep aes
generating PKI and tokens
    #         # cipher: aes-xts-plain64
    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=

@mglants
Author

mglants commented Aug 9, 2023

@smira I mean, when you always PXE boot for example, or you reset the node from within Sidero, how could I have the system boot up to Talos 1.3.7 for example with a config for a prior version?

@smira
Member

smira commented Aug 10, 2023

The config generation process happens in the CABPT provider, and it's driven by the talosVersion: field in the template for the input resource. CAPI stores the machine config in the userdata Secret in the management cluster, which is served to the machine over HTTP from Sidero Metal.

The question of whether the machine config has or doesn't have some field is completely defined by the CABPT.
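One way to turn this explanation into a check on a generated machine config, as an added example that is neither Talos/CABPT code nor from the thread: it scans the config the way the grep output above does, treats a commented-out key as "not generated", and applies the talosVersion rule (Talos < 1.3 gets aescbcEncryptionSecret, Talos >= 1.3 gets the secretbox key). It assumes the newer key is named secretboxEncryptionSecret and that both keys are base64-encoded 32-byte values; the sample configs and key are constructed.

```python
import base64
import re

# aescbcEncryptionSecret is the key discussed in the thread; secretboxEncryptionSecret
# is assumed (not stated in the thread) to be the name of the Talos >=1.3 replacement.
SECRET_KEYS = ("aescbcEncryptionSecret", "secretboxEncryptionSecret")
KEY_RE = re.compile(r"^\s*(?P<commented>#\s*)?(?P<name>\w+EncryptionSecret):\s*(?P<value>\S+)")

# Constructed sample configs mimicking the grep output in the thread; the key is generated here.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
CONFIG_V12 = f"cluster:\n    aescbcEncryptionSecret: {SAMPLE_KEY} # encryption at rest\n"
CONFIG_V13 = f"cluster:\n    # aescbcEncryptionSecret: {SAMPLE_KEY}\n    secretboxEncryptionSecret: {SAMPLE_KEY}\n"

def find_encryption_secrets(config_text):
    """Map secret name -> (active, value). A '# aescbcEncryptionSecret: ...' line is the
    commented-out placeholder talosctl emits when it did not generate that secret."""
    found = {}
    for line in config_text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group("name") in SECRET_KEYS:
            found[m.group("name")] = (m.group("commented") is None, m.group("value"))
    return found

def key_bytes_ok(value):
    """Both secrets are base64-encoded 32-byte keys (AES-256-CBC / NaCl secretbox)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def parse_talos_version(version):
    """'v1.2' or '1.3.7' -> (major, minor) for the < 1.3 comparison."""
    major, minor = version.lstrip("v").split(".")[:2]
    return int(major), int(minor)

def check_config(config_text, talos_version):
    """Apply the rule from the thread: Talos < 1.3 generates aescbcEncryptionSecret,
    Talos >= 1.3 generates the secretbox key instead. Returns a list of findings."""
    secrets = find_encryption_secrets(config_text)
    expected = ("aescbcEncryptionSecret" if parse_talos_version(talos_version) < (1, 3)
                else "secretboxEncryptionSecret")
    findings = []
    active, value = secrets.get(expected, (False, None))
    if not active:
        findings.append(f"{expected} missing or commented out; check talosVersion in CABPT")
    elif not key_bytes_ok(value):
        findings.append(f"{expected} is not a valid base64 32-byte key")
    if not any(active for active, _ in secrets.values()):
        findings.append("no encryption-at-rest secret active; Kubernetes secrets in etcd stay plaintext")
    return findings
```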
