Merge pull request #5 from supernetes/cert-san-notice
docs: add notice about cert SAN if using DDNS
twelho authored Aug 22, 2024
2 parents 25f0b9f + a47f4bb commit 12873b2
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion README.md
Expand Up @@ -31,7 +31,7 @@ Start by logging into cPouta and selecting the right project from the top left.

Then, click on your username from the top right and select `OpenStack RC File`. This will give you a file named `project_1234567-openrc.sh` which will be used by the scripts for API access. Save it into the `work` directory, which is used as the working directory of the container.

Next, since cPouta only hands out ephemeral IPv4 addresses, we need to set up [Dynamic DNS (DDNS)](https://en.wikipedia.org/wiki/Dynamic_DNS) for the cluster. This can be done using external services, such as [dy.fi](https://www.dy.fi/) (Finland-only), or any other service supported by [ddclient](https://ddclient.net/). A configuration template is provided in [`ddclient.template.conf`](work/ddclient.template.conf). Copying this file to `ddclient.conf` and filling it out will set up automatic dynamic DNS reconciliation in the cluster during bringup.
Next, since cPouta only hands out ephemeral IPv4 addresses, we need to set up [Dynamic DNS (DDNS)](https://en.wikipedia.org/wiki/Dynamic_DNS) for the cluster. This can be done using external services, such as [dy.fi](https://www.dy.fi/) (Finland-only), or any other service supported by [ddclient](https://ddclient.net/). A configuration template is provided in [`ddclient.template.conf`](work/ddclient.template.conf). Copying this file to `ddclient.conf` and filling it out will set up automatic dynamic DNS reconciliation in the cluster during bring-up.

Finally, inside the [container](#usage), run
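Review bot: the paragraph that tells the reader to copy `ddclient.template.conf` to `ddclient.conf` and fill it out should also say that the filled-out copy holds the DDNS account login and password, so it must stay out of version control (the template is tracked under `work/` in this repo, so the copy sits next to a tracked file) and be readable only by the user running the bring-up. One sentence after "filling it out will set up automatic dynamic DNS reconciliation" would cover it; the hyphenation change itself is fine.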

Expand All @@ -43,6 +43,14 @@ talosctl gen secrets # Generate Talos secrets (one-time)

The nodes should now be running with the baseline configuration, and ready to be fully configured with `talos-bootstrap`.

> [!IMPORTANT]
> If using dynamic DNS, the cPouta tooling will automatically register the DDNS FQDN as a SAN for the cluster certificate. To preserve access after running `talos-bootstrap`, it must be fed a configuration patch that looks as follows:
> ```yaml
> machine:
> certSANs:
> - cluster.example.com # Add DNS FQDN as SAN to cluster cert
> ```
### Applying Supernetes Configuration with `talos-bootstrap`
The full configuration is applied using [talos-bootstrap](https://github.com/twelho/talos-bootstrap), which is provided as a submodule in this repo.
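Review bot: the YAML in the added notice does not nest as written: `certSANs:` and the `- cluster.example.com` item sit at the same column as `machine:`, which makes `certSANs` a top-level key instead of `machine.certSANs`, so the patch would not touch the machine section at all. Indent it as `machine:` / `  certSANs:` / `    - cluster.example.com`. Two documentation points on the same lines: the prose says "the cluster certificate" while the patch sets `machine.certSANs`, which governs the Talos machine API certificate, so the notice should name the certificate it means (and, if the FQDN is also used to reach the Kubernetes API, say whether the API server needs its own SAN entry); and "it must be fed a configuration patch" does not say how `talos-bootstrap` takes the patch (which file or flag), which is the part a reader who loses access after bootstrap will need. A blank line between the closing fence and the `### Applying Supernetes Configuration` heading would match the paragraph spacing used elsewhere in the file.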

0 comments on commit 12873b2
