Talos k8s with AWS CCM support #173

erikvveen · 2025-01-03T11:30:17Z

No description provided.

PhilipSchmid

Thanks for adding this! I commented on a few things to address. Once done, please also run terraform fmt, make docs, and squash all commits into a single one with a meaningful message.

00-locals.tf

03-talos.tf

00-locals.tf

PhilipSchmid

Thanks for the updated version! I commented on a few nits (mostly with ready-to-apply suggestions). As soon as those are addressed, we can merge it.

00-locals.tf

00-variables.tf

03-talos.tf

00-variables.tf

PhilipSchmid

Have you tested this change without enabling your newly introduced variables? The example doesn't start anymore, because the CP nodes don't have the node-role.kubernetes.io/control-plane= label set anymore. This is a problem for the subsequent Cilium TF module because it waits for all CP nodes to be available before the installation.

With your changes:

$ kgn --show-labels
NAME                  STATUS     ROLES    AGE     VERSION   LABELS
i-0238e1f62a0343992   NotReady   <none>   4m24s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0238e1f62a0343992,kubernetes.io/os=linux
i-07316ad6229166609   NotReady   <none>   4m25s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-07316ad6229166609,kubernetes.io/os=linux
i-0cf8f2aeaa9e65467   NotReady   <none>   4m25s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0cf8f2aeaa9e65467,kubernetes.io/os=linux
i-0d9c6cf2b08719873   NotReady   <none>   4m24s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0d9c6cf2b08719873,kubernetes.io/os=linux
i-0f6e0c1f46443a8f4   NotReady   <none>   4m26s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0f6e0c1f46443a8f4,kubernetes.io/os=linux

Before your changes:

$ kgn --show-labels
NAME              STATUS   ROLES           AGE    VERSION   LABELS
ip-10-0-100-197   Ready    control-plane   102s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-100-197,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
ip-10-0-100-199   Ready    <none>          104s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-100-199,kubernetes.io/os=linux
ip-10-0-101-164   Ready    control-plane   102s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-101-164,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
ip-10-0-101-28    Ready    <none>          104s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-101-28,kubernetes.io/os=linux
ip-10-0-102-180   Ready    control-plane   102s   v1.31.4   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-102-180,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=

erikvveen · 2025-02-10T15:54:28Z

Thanks Philip, You are right. For some reason when just setting hostname-override in the config_patches block for the kubelet, the control-plane label disappears. I’ve tested with keeping all code the same, and just commenting out the hostname-override, and everything works perfectly well, no problem with control-plane label. To be honest no clue, what it can be. Can it be something in the talos_machine_configuration_apply? Hope you can help? Kind regards, Erik

…

On Feb 6, 2025, at 1:59 PM, Philip Schmid ***@***.***> wrote: @PhilipSchmid commented on this pull request. Have you tested this change without enabling your newly introduced variables? The example doesn't start anymore, because the CP nodes don't have the node-role.kubernetes.io/control-plane= label set anymore. This is a problem for the subsequent Cilium TF module because it waits for all CP nodes to be available before the installation. With your changes: $ kgn --show-labels NAME STATUS ROLES AGE VERSION LABELS i-0238e1f62a0343992 NotReady <none> 4m24s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0238e1f62a0343992,kubernetes.io/os=linux i-07316ad6229166609 NotReady <none> 4m25s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-07316ad6229166609,kubernetes.io/os=linux i-0cf8f2aeaa9e65467 NotReady <none> 4m25s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0cf8f2aeaa9e65467,kubernetes.io/os=linux i-0d9c6cf2b08719873 NotReady <none> 4m24s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0d9c6cf2b08719873,kubernetes.io/os=linux i-0f6e0c1f46443a8f4 NotReady <none> 4m26s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=i-0f6e0c1f46443a8f4,kubernetes.io/os=linux Before your changes: $ kgn --show-labels NAME STATUS ROLES AGE VERSION LABELS ip-10-0-100-197 Ready control-plane 102s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-100-197,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers= ip-10-0-100-199 Ready <none> 104s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-100-199,kubernetes.io/os=linux ip-10-0-101-164 Ready control-plane 102s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-101-164,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers= ip-10-0-101-28 Ready <none> 104s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-101-28,kubernetes.io/os=linux ip-10-0-102-180 Ready control-plane 102s v1.31.4 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=ip-10-0-102-180,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers= — Reply to this email directly, view it on GitHub <#173 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJGXPWWJT6KX62SLT225RQ32ONMEHAVCNFSM6AAAAABURRF4BOVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDKOJYGYYDENJRG4>. You are receiving this because you authored the thread.

PhilipSchmid · 2025-02-14T14:41:00Z

@erikvveen I've refactored a few things (see 3889481), and it now works on my end - would you please test it as well and confirm?

I took a few things from:

... and changed the var.metadata_options default values back to the AWS TF provider defaults as it seems the AWS Cloud Controller struggles with http_tokens=required.

Once you confirm, I'll squash everything, run the CI stuff, and merge it eventually.

erikvveen · 2025-02-17T11:14:42Z

@PhilipSchmid running your code as it is resulted for me in nodenames following a mixed pattern of "ip-based naming" and "resource based naming", see: According AWS (https://cloud-provider-aws.sigs.k8s.io/prerequisites/ ) nodenames should follow either the pattern ip-xxx-xxx-xxx-xxx.ec2.<region>.internal Or i-1234567890abcdefg or i-1234567890abcdefg.<region>.compute.internal,not a mixture. Reintroducing the hostname-override to the kubelet : hostname-override = module.talos_worker_group[each.key].id makes that the node names follow resource based naming correctly but the “control plane” label "node-role.kubernetes.io/control-plane=" disappears (the tier=control-plane stays). The disappearance of the label prevents aws-cloud-controller-manager from launching. Adding manually the label to the control-planes and adding ProviderID’s to all the nodes, starts the cloud controller manager and initializes it correctly. Please let me know if you see the same? Thanks, Erik

…

On Feb 14, 2025, at 3:41 PM, Philip Schmid ***@***.***> wrote: PhilipSchmid left a comment (isovalent/terraform-aws-talos#173) @erikvveen I've refactored a few things (see 3889481), and it now works on my end - would you please test it as well and confirm? I took a few things from: https://github.com/siderolabs/contrib/blob/main/examples/terraform/aws/main.tf https://www.siderolabs.com/blog/deploying-talos-on-aws-with-cdk/ https://cloud-provider-aws.sigs.k8s.io/prerequisites/ ... and changed the var.metadata_options default values back to the AWS TF provider defaults as it seems the AWS Cloud Controller struggles with http_tokens=required. Once you confirm, I'll squash everything, run the CI stuff, and merge it eventually. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned. <https://github.com/erikvveen> <3889481> <https://github.com/siderolabs/contrib/blob/main/examples/terraform/aws/main.tf> <https://www.siderolabs.com/blog/deploying-talos-on-aws-with-cdk/> <https://cloud-provider-aws.sigs.k8s.io/prerequisites/> <#173 (comment)> <https://github.com/notifications/unsubscribe-auth/AJGXPWS4P3CZ45FFMTTUL532PX6BHAVCNFSM6AAAAABURRF4BOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJZGUYDONRZGU> PhilipSchmid left a comment (isovalent/terraform-aws-talos#173) <#173 (comment)> @erikvveen <https://github.com/erikvveen> I've refactored a few things (see 3889481 <3889481>), and it now works on my end - would you please test it as well and confirm? I took a few things from: https://github.com/siderolabs/contrib/blob/main/examples/terraform/aws/main.tf https://www.siderolabs.com/blog/deploying-talos-on-aws-with-cdk/ https://cloud-provider-aws.sigs.k8s.io/prerequisites/ ... and changed the var.metadata_options default values back to the AWS TF provider defaults as it seems the AWS Cloud Controller struggles with http_tokens=required. Once you confirm, I'll squash everything, run the CI stuff, and merge it eventually. — Reply to this email directly, view it on GitHub <#173 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJGXPWS4P3CZ45FFMTTUL532PX6BHAVCNFSM6AAAAABURRF4BOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJZGUYDONRZGU>. You are receiving this because you were mentioned.

PhilipSchmid · 2025-02-17T12:48:25Z

@erikvveen What exactly do you mean by nodenames following a mixed pattern? When issuing kubectl get nodes all the nodes follow the same IP-based naming pattern:

$ kubectl get nodes
NAME                                          STATUS   ROLES           AGE   VERSION
ip-10-0-100-145.eu-north-1.compute.internal   Ready    control-plane   86s   v1.31.4
ip-10-0-101-23.eu-north-1.compute.internal    Ready    control-plane   85s   v1.31.4
ip-10-0-101-245.eu-north-1.compute.internal   Ready    <none>          87s   v1.31.4
ip-10-0-102-121.eu-north-1.compute.internal   Ready    <none>          87s   v1.31.4
ip-10-0-102-75.eu-north-1.compute.internal    Ready    control-plane   86s   v1.31.4

Yes, it's not directly following the in the docs mentioned ip-xxx-xxx-xxx-xxx.ec2.<region>.internal pattern, but it looks like ip-xxx-xxx-xxx-xxx.<region>.compute.internal is fine as well:

$ kubectl get pods -n kube-system -l k8s-app=aws-cloud-controller-manager
NAME                                 READY   STATUS    RESTARTS   AGE
aws-cloud-controller-manager-7pfsh   1/1     Running   0          3m14s
aws-cloud-controller-manager-f2njz   1/1     Running   0          3m14s
aws-cloud-controller-manager-hhpxv   1/1     Running   0          3m14s

kubectl logs -n kube-system aws-cloud-controller-manager-7pfsh                                                    185ms  13:46:10
I0217 12:43:08.447721       1 serving.go:348] Generated self-signed cert in-memory
I0217 12:43:08.744423       1 serving.go:348] Generated self-signed cert in-memory
W0217 12:43:08.744542       1 client_config.go:618] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0217 12:43:09.310760       1 requestheader_controller.go:244] Loaded a new request header values for RequestHeaderAuthRequestController
I0217 12:43:09.312180       1 aws.go:681] Loading region from metadata service
I0217 12:43:12.469956       1 aws.go:1341] Building AWS cloudprovider
I0217 12:43:12.470022       1 aws.go:681] Loading region from metadata service
I0217 12:43:25.281692       1 tags.go:77] AWS cloud filtering on ClusterID: talos-cute
I0217 12:43:25.281774       1 aws.go:1431] The following IP families will be added to nodes: [ipv4]
I0217 12:43:25.281808       1 controllermanager.go:167] Version: v1.27.1
I0217 12:43:25.291378       1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" certDetail="\"localhost@1739796188\" [serving] validServingFor=[127.0.0.1,localhost,localhost] issuer=\"localhost-ca@1739796188\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.291328146 +0000 UTC))"
I0217 12:43:25.291814       1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0217 12:43:25.292110       1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0217 12:43:25.291835       1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0217 12:43:25.292324       1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0217 12:43:25.291860       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0217 12:43:25.292794       1 shared_informer.go:311] Waiting for caches to sync for RequestHeaderAuthRequestController
I0217 12:43:25.294518       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1739796189\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1739796189\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.294479324 +0000 UTC))"
I0217 12:43:25.294592       1 secure_serving.go:210] Serving securely on [::]:10258
I0217 12:43:25.295126       1 leaderelection.go:245] attempting to acquire leader lease kube-system/cloud-controller-manager...
I0217 12:43:25.295666       1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0217 12:43:25.392679       1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0217 12:43:25.392804       1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0217 12:43:25.392842       1 shared_informer.go:318] Caches are synced for RequestHeaderAuthRequestController
I0217 12:43:25.393076       1 tlsconfig.go:178] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] groups=[kubernetes] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.393018897 +0000 UTC))"
I0217 12:43:25.393995       1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" certDetail="\"localhost@1739796188\" [serving] validServingFor=[127.0.0.1,localhost,localhost] issuer=\"localhost-ca@1739796188\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.393964012 +0000 UTC))"
I0217 12:43:25.394906       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1739796189\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1739796189\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.394877431 +0000 UTC))"
I0217 12:43:25.395176       1 tlsconfig.go:178] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] groups=[kubernetes] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.395144595 +0000 UTC))"
I0217 12:43:25.395356       1 tlsconfig.go:178] "Loaded client CA" index=1 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.395314115 +0000 UTC))"
I0217 12:43:25.396124       1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" certDetail="\"localhost@1739796188\" [serving] validServingFor=[127.0.0.1,localhost,localhost] issuer=\"localhost-ca@1739796188\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.396098799 +0000 UTC))"
I0217 12:43:25.396915       1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" certDetail="\"apiserver-loopback-client@1739796189\" [serving] validServingFor=[apiserver-loopback-client] issuer=\"apiserver-loopback-client-ca@1739796189\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.396886485 +0000 UTC))"

Hence, the Node name conventions prerequisite seems to be fulfilled. The EC2 instance name on the AWS portal doesn't matter, as far as I can tell.

erikvveen · 2025-02-17T17:48:03Z

Ah, I made a stupid mistake. I initialized the cluster still with http_tokens=required I missed your remark that it struggles with that. I corrected it, and it works indeed also with your suggested ip-xxx-xxx-xxx-xxx.<region>.compute.internal pattern (although I must admit I slightly prefer to work in accordance with AWS notation, just to avoid any problems in future or misconceptions). If you want to squash everything and merge it, it would be great. Thanks again for your patience with me! Erik

…

On Feb 17, 2025, at 1:48 PM, Philip Schmid ***@***.***> wrote: PhilipSchmid left a comment (isovalent/terraform-aws-talos#173) @erikvveen What exactly do you mean by nodenames following a mixed pattern? When issuing kubectl get nodes all the nodes follow the same IP-based naming pattern: $ kubectl get nodes NAME STATUS ROLES AGE VERSION ip-10-0-100-145.eu-north-1.compute.internal Ready control-plane 86s v1.31.4 ip-10-0-101-23.eu-north-1.compute.internal Ready control-plane 85s v1.31.4 ip-10-0-101-245.eu-north-1.compute.internal Ready <none> 87s v1.31.4 ip-10-0-102-121.eu-north-1.compute.internal Ready <none> 87s v1.31.4 ip-10-0-102-75.eu-north-1.compute.internal Ready control-plane 86s v1.31.4 Yes, it's not directly following the in the docs mentioned ip-xxx-xxx-xxx-xxx.ec2.<region>.internal pattern, but it looks like ip-xxx-xxx-xxx-xxx.<region>.compute.internal is fine as well: $ kubectl get pods -n kube-system -l k8s-app=aws-cloud-controller-manager NAME READY STATUS RESTARTS AGE aws-cloud-controller-manager-7pfsh 1/1 Running 0 3m14s aws-cloud-controller-manager-f2njz 1/1 Running 0 3m14s aws-cloud-controller-manager-hhpxv 1/1 Running 0 3m14s kubectl logs -n kube-system aws-cloud-controller-manager-7pfsh 185ms  13:46:10 I0217 12:43:08.447721 1 serving.go:348] Generated self-signed cert in-memory I0217 12:43:08.744423 1 serving.go:348] Generated self-signed cert in-memory W0217 12:43:08.744542 1 client_config.go:618] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work. I0217 12:43:09.310760 1 requestheader_controller.go:244] Loaded a new request header values for RequestHeaderAuthRequestController I0217 12:43:09.312180 1 aws.go:681] Loading region from metadata service I0217 12:43:12.469956 1 aws.go:1341] Building AWS cloudprovider I0217 12:43:12.470022 1 aws.go:681] Loading region from metadata service I0217 12:43:25.281692 1 tags.go:77] AWS cloud filtering on ClusterID: talos-cute I0217 12:43:25.281774 1 aws.go:1431] The following IP families will be added to nodes: [ipv4] I0217 12:43:25.281808 1 controllermanager.go:167] Version: v1.27.1 I0217 12:43:25.291378 1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" ***@***.***\" [serving] validServingFor=[127.0.0.1,localhost,localhost] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.291328146 +0000 UTC))" I0217 12:43:25.291814 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file" I0217 12:43:25.292110 1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file I0217 12:43:25.291835 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" I0217 12:43:25.292324 1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file I0217 12:43:25.291860 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController I0217 12:43:25.292794 1 shared_informer.go:311] Waiting for caches to sync for RequestHeaderAuthRequestController I0217 12:43:25.294518 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" ***@***.***\" [serving] validServingFor=[apiserver-loopback-client] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.294479324 +0000 UTC))" I0217 12:43:25.294592 1 secure_serving.go:210] Serving securely on [::]:10258 I0217 12:43:25.295126 1 leaderelection.go:245] attempting to acquire leader lease kube-system/cloud-controller-manager... I0217 12:43:25.295666 1 tlsconfig.go:240] "Starting DynamicServingCertificateController" I0217 12:43:25.392679 1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file I0217 12:43:25.392804 1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file I0217 12:43:25.392842 1 shared_informer.go:318] Caches are synced for RequestHeaderAuthRequestController I0217 12:43:25.393076 1 tlsconfig.go:178] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] groups=[kubernetes] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.393018897 +0000 UTC))" I0217 12:43:25.393995 1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" ***@***.***\" [serving] validServingFor=[127.0.0.1,localhost,localhost] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.393964012 +0000 UTC))" I0217 12:43:25.394906 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" ***@***.***\" [serving] validServingFor=[apiserver-loopback-client] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.394877431 +0000 UTC))" I0217 12:43:25.395176 1 tlsconfig.go:178] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] groups=[kubernetes] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.395144595 +0000 UTC))" I0217 12:43:25.395356 1 tlsconfig.go:178] "Loaded client CA" index=1 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.395314115 +0000 UTC))" I0217 12:43:25.396124 1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" ***@***.***\" [serving] validServingFor=[127.0.0.1,localhost,localhost] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.396098799 +0000 UTC))" I0217 12:43:25.396915 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" ***@***.***\" [serving] validServingFor=[apiserver-loopback-client] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.396886485 +0000 UTC))" Hence, the Node name conventions prerequisite seems to be fulfilled. The EC2 instance name on the AWS portal doesn't matter, as far as I can tell. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned. <https://github.com/erikvveen> <https://cloud-provider-aws.sigs.k8s.io/prerequisites/> <#173 (comment)> <https://github.com/notifications/unsubscribe-auth/AJGXPWWVGVFCI2GMVUBAVCT2QHLDBAVCNFSM6AAAAABURRF4BOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNRTGAZDINRSGQ> PhilipSchmid left a comment (isovalent/terraform-aws-talos#173) <#173 (comment)> @erikvveen <https://github.com/erikvveen> What exactly do you mean by nodenames following a mixed pattern? When issuing kubectl get nodes all the nodes follow the same IP-based naming pattern: $ kubectl get nodes NAME STATUS ROLES AGE VERSION ip-10-0-100-145.eu-north-1.compute.internal Ready control-plane 86s v1.31.4 ip-10-0-101-23.eu-north-1.compute.internal Ready control-plane 85s v1.31.4 ip-10-0-101-245.eu-north-1.compute.internal Ready <none> 87s v1.31.4 ip-10-0-102-121.eu-north-1.compute.internal Ready <none> 87s v1.31.4 ip-10-0-102-75.eu-north-1.compute.internal Ready control-plane 86s v1.31.4 Yes, it's not directly following the in the docs mentioned ip-xxx-xxx-xxx-xxx.ec2.<region>.internal pattern, but it looks like ip-xxx-xxx-xxx-xxx.<region>.compute.internal is fine as well: $ kubectl get pods -n kube-system -l k8s-app=aws-cloud-controller-manager NAME READY STATUS RESTARTS AGE aws-cloud-controller-manager-7pfsh 1/1 Running 0 3m14s aws-cloud-controller-manager-f2njz 1/1 Running 0 3m14s aws-cloud-controller-manager-hhpxv 1/1 Running 0 3m14s kubectl logs -n kube-system aws-cloud-controller-manager-7pfsh 185ms  13:46:10 I0217 12:43:08.447721 1 serving.go:348] Generated self-signed cert in-memory I0217 12:43:08.744423 1 serving.go:348] Generated self-signed cert in-memory W0217 12:43:08.744542 1 client_config.go:618] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work. I0217 12:43:09.310760 1 requestheader_controller.go:244] Loaded a new request header values for RequestHeaderAuthRequestController I0217 12:43:09.312180 1 aws.go:681] Loading region from metadata service I0217 12:43:12.469956 1 aws.go:1341] Building AWS cloudprovider I0217 12:43:12.470022 1 aws.go:681] Loading region from metadata service I0217 12:43:25.281692 1 tags.go:77] AWS cloud filtering on ClusterID: talos-cute I0217 12:43:25.281774 1 aws.go:1431] The following IP families will be added to nodes: [ipv4] I0217 12:43:25.281808 1 controllermanager.go:167] Version: v1.27.1 I0217 12:43:25.291378 1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" ***@***.***\" [serving] validServingFor=[127.0.0.1,localhost,localhost] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.291328146 +0000 UTC))" I0217 12:43:25.291814 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file" I0217 12:43:25.292110 1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file I0217 12:43:25.291835 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" I0217 12:43:25.292324 1 shared_informer.go:311] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file I0217 12:43:25.291860 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController I0217 12:43:25.292794 1 shared_informer.go:311] Waiting for caches to sync for RequestHeaderAuthRequestController I0217 12:43:25.294518 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" ***@***.***\" [serving] validServingFor=[apiserver-loopback-client] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.294479324 +0000 UTC))" I0217 12:43:25.294592 1 secure_serving.go:210] Serving securely on [::]:10258 I0217 12:43:25.295126 1 leaderelection.go:245] attempting to acquire leader lease kube-system/cloud-controller-manager... I0217 12:43:25.295666 1 tlsconfig.go:240] "Starting DynamicServingCertificateController" I0217 12:43:25.392679 1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file I0217 12:43:25.392804 1 shared_informer.go:318] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file I0217 12:43:25.392842 1 shared_informer.go:318] Caches are synced for RequestHeaderAuthRequestController I0217 12:43:25.393076 1 tlsconfig.go:178] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] groups=[kubernetes] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.393018897 +0000 UTC))" I0217 12:43:25.393995 1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" ***@***.***\" [serving] validServingFor=[127.0.0.1,localhost,localhost] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.393964012 +0000 UTC))" I0217 12:43:25.394906 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" ***@***.***\" [serving] validServingFor=[apiserver-loopback-client] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.394877431 +0000 UTC))" I0217 12:43:25.395176 1 tlsconfig.go:178] "Loaded client CA" index=0 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] groups=[kubernetes] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.395144595 +0000 UTC))" I0217 12:43:25.395356 1 tlsconfig.go:178] "Loaded client CA" index=1 certName="client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" certDetail="\"\" [serving,client] issuer=\"<self>\" (2025-02-17 12:39:53 +0000 UTC to 2035-02-15 12:39:53 +0000 UTC (now=2025-02-17 12:43:25.395314115 +0000 UTC))" I0217 12:43:25.396124 1 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" ***@***.***\" [serving] validServingFor=[127.0.0.1,localhost,localhost] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.396098799 +0000 UTC))" I0217 12:43:25.396915 1 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopback" ***@***.***\" [serving] validServingFor=[apiserver-loopback-client] ***@***.***\" (2025-02-17 11:43:08 +0000 UTC to 2026-02-17 11:43:08 +0000 UTC (now=2025-02-17 12:43:25.396886485 +0000 UTC))" Hence, the Node name conventions prerequisite <https://cloud-provider-aws.sigs.k8s.io/prerequisites/> seems to be fulfilled. The EC2 instance name on the AWS portal doesn't matter, as far as I can tell. — Reply to this email directly, view it on GitHub <#173 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJGXPWWVGVFCI2GMVUBAVCT2QHLDBAVCNFSM6AAAAABURRF4BOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNRTGAZDINRSGQ>. You are receiving this because you were mentioned.

erikvveen requested a review from PhilipSchmid as a code owner January 3, 2025 11:30

PhilipSchmid requested changes Jan 6, 2025

View reviewed changes

erikvveen mentioned this pull request Jan 10, 2025

Nodename #171

Closed

erikvveen force-pushed the main branch from 3fa9f22 to b4e94b7 Compare January 10, 2025 19:59

erikvveen requested a review from PhilipSchmid January 10, 2025 19:59

PhilipSchmid reviewed Jan 13, 2025

View reviewed changes

erikvveen requested a review from PhilipSchmid February 2, 2025 16:10

PhilipSchmid reviewed Feb 6, 2025

View reviewed changes

00-variables.tf Show resolved Hide resolved

PhilipSchmid reviewed Feb 6, 2025

View reviewed changes

PhilipSchmid force-pushed the main branch from eaf23b8 to 3889481 Compare February 14, 2025 14:31

Talos k8s with AWS CCM support

d6741fe

PhilipSchmid force-pushed the main branch from 3889481 to d6741fe Compare February 17, 2025 18:38

PhilipSchmid approved these changes Feb 17, 2025

View reviewed changes

PhilipSchmid merged commit dee9e31 into isovalent:main Feb 17, 2025
2 of 8 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Talos k8s with AWS CCM support #173

Talos k8s with AWS CCM support #173

erikvveen commented Jan 3, 2025

PhilipSchmid left a comment

PhilipSchmid left a comment

PhilipSchmid left a comment

erikvveen commented Feb 10, 2025 via email

PhilipSchmid commented Feb 14, 2025

erikvveen commented Feb 17, 2025 via email

PhilipSchmid commented Feb 17, 2025

erikvveen commented Feb 17, 2025 via email

Talos k8s with AWS CCM support #173

Talos k8s with AWS CCM support #173

Conversation

erikvveen commented Jan 3, 2025

PhilipSchmid left a comment

Choose a reason for hiding this comment

PhilipSchmid left a comment

Choose a reason for hiding this comment

PhilipSchmid left a comment

Choose a reason for hiding this comment

erikvveen commented Feb 10, 2025 via email

PhilipSchmid commented Feb 14, 2025

erikvveen commented Feb 17, 2025 via email

PhilipSchmid commented Feb 17, 2025

erikvveen commented Feb 17, 2025 via email