
aescbcEncryptionSecret not present in machine config

Open mglants opened this issue 2 years ago • 8 comments

aescbcEncryptionSecret missing when maintaining pre 1.3 clusters.

mglants avatar Jul 24 '23 01:07 mglants

this depends on talosVersion: set in the CABPT config: https://github.com/siderolabs/cluster-api-bootstrap-provider-talos/#usage

It should be set at the moment of the cluster creation to the value matching initial installed Talos version.

smira avatar Jul 24 '23 11:07 smira

Wow, I continued upgrading that parameter too..., my fault probably

mglants avatar Jul 24 '23 11:07 mglants

@smira downgraded to 1.2, aescbcEncryptionSecret: still not coming to the Talos machine config if I upgrade the Talos version via talosctl; what should I set in CABPT and CACPPT after the upgrade?

mglants avatar Jul 26 '23 16:07 mglants

I'm not quite sure what you mean by that.

talosctl upgrade is not supported with CAPI, you do it on your own.

Upgrade to 1.2 from what version? AES-CBC secret was replaced with SecretBox in the new versions of Talos, both are supported on upgrade, but Talos >=1.3 doesn't generate AES-CBC by default unless instructed to do so by talosVersion:.

smira avatar Jul 26 '23 17:07 smira

No, I mean when I add talosVersion: 1.1 or 1.2, it doesn't provide aescbcEncryptionSecret in the machine config

mglants avatar Jul 27 '23 10:07 mglants

I can't reproduce that:

```
$ talosctl gen config foo https://127.0.0.1:6443/ --talos-version=v1.2 --output-types controlplane -o - | grep aes
generating PKI and tokens
    #         # cipher: aes-xts-plain64
    aescbcEncryptionSecret: EYBoQvtXWbRK4kVZhXn2qVzjs95+rWhNbMCCrTIpSjY= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
```

vs.

```
$ talosctl gen config foo https://127.0.0.1:6443/ --force --output-types controlplane -o - | grep aes
generating PKI and tokens
    #         # cipher: aes-xts-plain64
    # aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
```

smira avatar Jul 27 '23 11:07 smira
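The `grep aes` comparison above only shows whether the AES-CBC line is commented out. The following is an added example, not code from this issue or from the Talos/Sidero projects: a small Python check that reads a generated machine config the way the grep does, skips commented-out template keys (which never reach the node), and reports whether the at-rest encryption secret matches the `talosVersion:` the CABPT template was given (AES-CBC below 1.3, SecretBox from 1.3 on, as described in the thread). It assumes the SecretBox key is named `secretboxEncryptionSecret`; the config fragments and key values are constructed and are not real secrets.

```python
"""Check that a generated Talos machine config carries the at-rest encryption
secret expected for the talosVersion given to the CABPT template.

Added example, not code from the issue or from the Talos/Sidero projects.
Assumption: the SecretBox key is `secretboxEncryptionSecret`, next to the
`aescbcEncryptionSecret` key shown in the thread.
"""
from typing import Dict, Tuple

AESCBC_KEY = "aescbcEncryptionSecret"
SECRETBOX_KEY = "secretboxEncryptionSecret"  # assumed key name for SecretBox
ENCRYPTION_KEYS = (AESCBC_KEY, SECRETBOX_KEY)

# Constructed fragments in the shape `talosctl gen config` prints.
# The base64-looking values are made up and are not real keys.
OLD_VERSION_CONFIG = """\
cluster:
    clusterName: foo
    aescbcEncryptionSecret: NOTAREALKEY/aescbc+example= # A key used for the encryption of secret data at rest.
    # cipher: aes-xts-plain64
"""

NEW_VERSION_CONFIG = """\
cluster:
    clusterName: foo
    secretboxEncryptionSecret: NOTAREALKEY/secretbox+example=
    # aescbcEncryptionSecret: NOTAREALKEY/commented+out=
    # cipher: aes-xts-plain64
"""


def active_encryption_secrets(config_text: str) -> Dict[str, str]:
    """Return {key: value} for encryption-secret keys that are active.

    A commented-out key, like the `# aescbcEncryptionSecret:` line in the
    thread, is template documentation only and is skipped here.
    """
    found: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        for key in ENCRYPTION_KEYS:
            if line.startswith(key + ":"):
                # Drop a trailing YAML comment; base64 never contains '#'.
                found[key] = line[len(key) + 1:].split("#", 1)[0].strip()
    return found


def expected_key(talos_version: str) -> str:
    """Map a talosVersion value ('v1.2', '1.3.7') to the key it should produce."""
    parts = talos_version.lstrip("v").split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return AESCBC_KEY if (major, minor) < (1, 3) else SECRETBOX_KEY


def check_config(config_text: str, talos_version: str) -> Tuple[bool, str]:
    """Return (ok, message) saying whether the config matches talos_version."""
    active = active_encryption_secrets(config_text)
    want = expected_key(talos_version)
    if want in active:
        return True, f"{want} present, as expected for talosVersion {talos_version}"
    if active:
        return False, f"{want} missing; found only {', '.join(sorted(active))}"
    return False, f"{want} missing; no at-rest encryption secret is active"


if __name__ == "__main__":
    for name, text in (("old-style", OLD_VERSION_CONFIG), ("new-style", NEW_VERSION_CONFIG)):
        for version in ("v1.2", "v1.3.7"):
            print(name, version, check_config(text, version))
```

Pointed at the decoded userdata Secret from the management cluster, this tells you whether the CABPT produced the secret for the version you intended, which is the question the thread is circling: the check is against the `talosVersion:` the template was created with, not the version the node is currently running, since a config from an older version remains valid after upgrade.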

@smira I mean when you always PXE boot, for example, or you reset the node from within Sidero, how could I have the system booted up to Talos 1.3.7, for example, with the config for a prior version?

mglants avatar Aug 09 '23 22:08 mglants

The config generation process happens in the CABPT provider, and it's driven by the talosVersion: field in the template for the input resource. CAPI stores the machine config in the userdata Secret in the management cluster, which is served to the machine over HTTP from Sidero Metal.

The question of whether the machine config has or doesn't have some field is completely defined by the CABPT.

smira avatar Aug 10 '23 10:08 smira