
Regenerate talosconfig

Open pau-campana opened this issue 1 year ago • 3 comments

We are using your terraform module to generate resource talos_machine_secrets and then get a data resource talos_client_configuration based on that secret. What we want at the end is to generate a valid talosconfig.

terraform {
  required_providers {
    talos = {
      source = "siderolabs/talos"
      version = "~> 0.3.3"
    }
  }
}

resource "talos_machine_secrets" "this" {
  talos_version = "v1.5"
}

data "talos_client_configuration" "this" {
  cluster_name    = "example-cluster"
  client_configuration = talos_machine_secrets.this.client_configuration
}

output "talosconfig" {
  value = data.talos_client_configuration.this.talos_config
  sensitive = true
}

As the talosconfig cert is only valid for 1 year, we would like to regenerate talosconfig using terraform. We know for terraform resources we can do it with different approaches, but as talos_client_configuration is of type data source, we don't know how we should do it. Any idea how to do it?

pau-campana avatar Oct 03 '23 13:10 pau-campana

It gets refreshed whenever a new run happens, so it should be fine.

frezbo avatar Oct 03 '23 14:10 frezbo

I executed the same terraform apply again today, and it seems talosconfig is not refreshed. Terraform output:

terraform apply
talos_machine_secrets.this: Refreshing state... [id=machine_secrets]
data.talos_client_configuration.this: Reading...
data.talos_client_configuration.this: Read complete after 0s [id=example-cluster]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

talosconfig = <sensitive>

And if I check the certificate from talosconfig, it is still the same as yesterday:

        Validity
            Not Before: Oct  3 08:34:42 2023 GMT
            Not After : Oct  2 08:34:42 2024 GMT

(If I generate a new secret and talosconfig I will see that validity will be from OCT 4 2023 to OCT 3 2023).

Am I doing something wrong? At least the way I am using it, it looks like talosconfig is not refreshed.

pau-campana avatar Oct 04 '23 08:10 pau-campana

Ahh yes, you're correct. The code got refactored such that the client config is part of the secrets resource, so it never gets refreshed. We probably need to think about how to recreate it, based on a flag or when nearing expiration, as the upstream TLS providers do.

frezbo avatar Oct 04 '23 08:10 frezbo
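A check for the "nearing expiration" condition mentioned above, as an added example that is not part of this thread or of the provider's code: it reads the base64-encoded PEM certificate that a talosconfig stores under contexts.<name>.crt and reports how many days of validity remain, so a rotation can be triggered before the one-year cert runs out. MakeClientCertB64 is a constructed fixture standing in for a real client cert; it is not how Talos mints them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DaysUntilExpiry decodes the base64 PEM from a talosconfig crt field and returns whole days left before NotAfter (negative once expired).
func DaysUntilExpiry(crtB64 string, now time.Time) (int, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(crtB64)
	if err != nil {
		return 0, fmt.Errorf("crt field is not valid base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("crt field holds no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// NeedsRotation is the "nearing expiration" check: true when the cert expires within thresholdDays or has already expired.
func NeedsRotation(crtB64 string, now time.Time, thresholdDays int) (bool, error) {
	days, err := DaysUntilExpiry(crtB64, now)
	return err == nil && days <= thresholdDays, err
}

// MakeClientCertB64 is a constructed fixture (hypothetical, not how Talos mints
// certs): a self-signed Ed25519 cert valid 365 days, encoded as talosconfig stores it.
func MakeClientCertB64(notBefore time.Time) (string, error) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, 365)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() { // stand-alone demo: prints "false <nil>" for a freshly minted fixture
	crt, _ := MakeClientCertB64(time.Now())
	fmt.Println(NeedsRotation(crt, time.Now(), 30))
}
```

Pointing DaysUntilExpiry at the crt value of a real talosconfig (after extracting it from the YAML) gives the same "Not After" information shown by openssl above, in a form a pipeline can act on.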

There is this article: https://www.talos.dev/v1.7/talos-guides/howto/cert-management/, but it is not supported by the provider. Maybe it can be worked around, but this will be cumbersome. Or it has to be completely managed outside of Terraform.

camaeel avatar Jun 20 '24 20:06 camaeel