# voxpupuli
- y
Yury Bushmelev
04/11/2023, 12:07 PMI had a “write a Bolt plan to setup k8s cluster in VMs based on the-hard-way” in my todo but I’m too lazy these days 😞 - y
Yury Bushmelev
04/11/2023, 12:07 PMI had a “write a Bolt plan to setup k8s cluster in VMs” in my todo but I’m too lazy these days 😞 - y
Yury Bushmelev
04/11/2023, 12:07 PMI had a “write a Bolt plan to setup k8s cluster in VMs based on the-hard-way” in my todo but I’m too lazy these days 😞 - y
Yury Bushmelev
04/11/2023, 12:08 PMhm.. just curious how IRC users see a message edits 🤔 - v
VoxBot
04/11/2023, 12:08 PM3 messages - v
VoxBot
04/11/2023, 12:08 PMall slightly different - y
Yury Bushmelev
04/11/2023, 12:09 PMweird.. sorry 😄 - v
VoxBot
04/11/2023, 12:56 PMThe generate_ca parameter will indeed generate CA on every node where it's set. The recommended use is to set it on one node, let it generate the secrets, and then copy those over to all other master/etcd nodes. - r
Robert Waffen
04/11/2023, 12:57 PMbut the "copy over" is not in the module and one has to handle it for oneself? - r
Robert Waffen
04/11/2023, 12:57 PMokay, thats a thing i have to get done for my setup. atm i have a single.head control-plane. but this will change in later stages - v
VoxBot
04/11/2023, 12:58 PMPuppet doesn't have a good method to do any such copying automatically, no - y
Yury Bushmelev
04/11/2023, 12:58 PMyeah.. that’s why Puppet Bolt might be a better solution for k8s provisioning.. - y
Yury Bushmelev
04/11/2023, 12:59 PMbtw, alt names might affect things after copying certs from 1st node - v
VoxBot
04/11/2023, 12:59 PMYou only copy the CA data, certificates are generated and signed per node - y
Yury Bushmelev
04/11/2023, 12:59 PMthough “cluster name” should work - y
Yury Bushmelev
04/11/2023, 1:00 PMah, I see - r
Robert Waffen
04/11/2023, 1:00 PMatm we only can provide pathes where to look for certs? in other setups/software i have the possibility to specify the content of the certs. would this be a thing we can implement? so pre-create the certs to use. put them (encrypted) as text-block in hiera and let puppet deploy them? - b
bastelfreak
04/11/2023, 1:00 PMBolt or Vault are probably good solutions here - v
VoxBot
04/11/2023, 1:00 PMThe only necessary secrets are the k8s CA, aggregator CA, and service account key. As well as the etcd client and peer CAs. The rest of the certificates should be generated and signed on the master nodes - v
VoxBot
04/11/2023, 1:00 PM@Robert The module is written to handle user provided secrets, it's how we deploy our multi-master clusters. Just create file resources for those files and don't set generate_ca - y
Yury Bushmelev
04/11/2023, 1:00 PMVault is another option, yes.. there is vaultbot and key-keeper to provision certs from the vault - s
Slackbot
04/11/2023, 1:02 PMThis message was deleted.yr- 3
- 11
- v
VoxBot
04/11/2023, 1:02 PMOur solution looks something like;... (full message at https://libera.ems.host/_matrix/media/v3/download/libera.chat/35a12700968d494723101913e5dc5d94869558d2) - v
VoxBot
04/11/2023, 1:03 PMAnd the k8s module will automatically use the secrets as provided, without any extra configuration necessary - r
Robert Waffen
04/11/2023, 1:04 PMnice. will adapt this - v
VoxBot
04/11/2023, 1:05 PMFor my multi-master k8s at home, I'm just using hiera-eyaml parameters which I deploy to files in a similar manner - r
Robert Waffen
04/11/2023, 1:07 PMyeah like i said, i also want to put the content of the files into eyaml. - v
VoxBot
04/11/2023, 1:07 PMI have a PR open at the moment though to improve this experience, since I ran into some issues on certain OS combinations where it wouldn't converge in a single puppet run - r
Robert Waffen
04/11/2023, 1:14 PMwhat is thet title? it translates one word into german as Fadennudel, which makes no sense 😄 - v
VoxBot
04/11/2023, 1:21 PM"Добрый Кот" giggle