From a47f4bb36fc1d00744580275151b9ce17aadf615 Mon Sep 17 00:00:00 2001
From: Dennis Marttinen
Date: Thu, 22 Aug 2024 19:46:47 +0300
Subject: [PATCH] docs: add notice about cert SAN if using DDNS

Adding the DDNS FQDN to the cluster cert SAN list must be done to preserve access.

Signed-off-by: Dennis Marttinen
---
 README.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3be7440..9bff441 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Start by logging into cPouta and selecting the right project from the top left. Then, click on your username from the top right and select `OpenStack RC File`. This will give you a file named `project_1234567-openrc.sh` which will be used by the scripts for API access. Save it into the `work` directory, which is used as the working directory of the container. -Next, since cPouta only hands out ephemeral IPv4 addresses, we need to set up [Dynamic DNS (DDNS)](https://en.wikipedia.org/wiki/Dynamic_DNS) for the cluster. This can be done using external services, such as [dy.fi](https://www.dy.fi/) (Finland-only), or any other service supported by [ddclient](https://ddclient.net/). A configuration template is provided in [`ddclient.template.conf`](work/ddclient.template.conf). Copying this file to `ddclient.conf` and filling it out will set up automatic dynamic DNS reconciliation in the cluster during bringup. +Next, since cPouta only hands out ephemeral IPv4 addresses, we need to set up [Dynamic DNS (DDNS)](https://en.wikipedia.org/wiki/Dynamic_DNS) for the cluster. This can be done using external services, such as [dy.fi](https://www.dy.fi/) (Finland-only), or any other service supported by [ddclient](https://ddclient.net/). A configuration template is provided in [`ddclient.template.conf`](work/ddclient.template.conf). Copying this file to `ddclient.conf` and filling it out will set up automatic dynamic DNS reconciliation in the cluster during bring-up. Finally, inside the [container](#usage), run 
@@ -43,6 +43,14 @@ talosctl gen secrets # Generate Talos secrets (one-time) The nodes should now be running with the baseline configuration, and ready to be fully configured with `talos-bootstrap`. +> [!IMPORTANT] +> If using dynamic DNS, the cPouta tooling will automatically register the DDNS FQDN as a SAN for the cluster certificate. To preserve access after running `talos-bootstrap`, it must be fed a configuration patch that looks as follows: +> ```yaml +> machine: +> certSANs: +> - cluster.example.com # Add DNS FQDN as SAN to cluster cert +> ``` + ### Applying Supernetes Configuration with `talos-bootstrap` The full configuration is applied using [talos-bootstrap](https://github.com/twelho/talos-bootstrap), which is provided as a submodule in this repo.
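Review bot: The commit message describes only the SAN notice, but the first hunk also changes `bringup` to `bring-up` in the DDNS paragraph; mention the spelling fix in the message (or keep it in a separate docs commit) so the change log matches the diff.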
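Review bot: The new `[!IMPORTANT]` notice in the second hunk is internally ambiguous: the first sentence says the cPouta tooling "will automatically register the DDNS FQDN as a SAN", while the second says `talos-bootstrap` "must be fed a configuration patch", so the reader cannot tell whether anything still has to be done by hand; reword it to state plainly that the patch is required so `talos-bootstrap` does not drop the SAN the tooling added, and that losing it means losing access to the cluster API. Also say that `cluster.example.com` is a placeholder to be replaced with the FQDN configured in `ddclient.conf`, and document how the patch is passed to `talos-bootstrap` (file name or flag), since "must be fed" alone does not tell the reader where to put it.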