Bootstrapping a new cluster

Steps for setting up a cluster

Automated Bash Script

This bash script can be used to bootstrap a new cluster using Talos on Hetzner.

set -euo pipefail

# The hcloud and flux CLIs read their tokens from the environment, so these must be exported.
# Replace the xxx placeholders before running.
export GITLAB_TOKEN=xxx
export HCLOUD_TOKEN=xxx
HCLOUD_ROBOT_USER=xxx
HCLOUD_ROBOT_PASS=xxx
# Change to the correct ID; a separate AMD snapshot has to be made for instances running the AMD architecture.
SNAPSHOT_ARM_ID=183053462
CLUSTER_DOMAIN=local.bifrost.bitkraken.no
KUBERNETES_API_SERVER_PORT=6443
KUBERNETES_API_SERVER_ADDRESS=bifrost.bitkraken.no

# Create the three control plane servers in parallel
for i in 1 2 3; do
  hcloud server create --name "talos-control-plane-${i}" \
    --image "${SNAPSHOT_ARM_ID}" \
    --type cax11 \
    --location hel1 \
    --label 'type=controlplane' \
    --user-data-from-file controlplane.yaml &
done
# Wait for the servers to be ready (ensure all background processes are done)
wait
# Look up the ID and public IPv4 address of the first control plane node
CONTROL_SERVER_INFO=$(hcloud server list | grep -w talos-control-plane-1)
CONTROL_SERVER_ID=$(echo "${CONTROL_SERVER_INFO}" | awk '{print $1}')
CONTROL_SERVER_IP=$(echo "${CONTROL_SERVER_INFO}" | awk '{print $4}')
# Configure talosctl to talk to the first node and bootstrap etcd there
talosctl --talosconfig talosconfig config endpoint "${CONTROL_SERVER_IP}"
talosctl --talosconfig talosconfig config node "${CONTROL_SERVER_IP}"
talosctl --talosconfig talosconfig bootstrap
# Wait 5 seconds so bootstrapping is hopefully completed
sleep 5
talosctl --talosconfig talosconfig kubeconfig .
CURRENT_DIR=$(pwd)
# kubectl, helm and flux only pick up the kubeconfig if KUBECONFIG is exported
export KUBECONFIG="${CURRENT_DIR}/kubeconfig"
until kubectl get nodes &>/dev/null; do
  echo "Waiting for the control plane to be ready..."
  sleep 5
done

echo "Control plane is ready."

# Setup CNI (the cilium chart repository has to be added before the chart can be installed)
helm repo add cilium https://helm.cilium.io/
helm repo update cilium
helm install cilium cilium/cilium --version 1.16.1 --namespace kube-system \
  --set ipam.mode=kubernetes \
  --set hostFirewall.enabled=true \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true \
  --set hubble.peerService.clusterDomain="${CLUSTER_DOMAIN}" \
  --set etcd.clusterDomain="${CLUSTER_DOMAIN}" \
  --set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
  --set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
  --set cgroup.autoMount.enabled=false \
  --set cgroup.hostRoot=/sys/fs/cgroup \
  --set k8sServiceHost="${KUBERNETES_API_SERVER_ADDRESS}" \
  --set k8sServicePort="${KUBERNETES_API_SERVER_PORT}" \
  --set kubeProxyReplacement=true
echo "CNI is set up"
# Hetzner credentials for the cloud controller manager
kubectl -n kube-system create secret generic hcloud \
  --from-literal=token="${HCLOUD_TOKEN}" \
  --from-literal=robot-user="${HCLOUD_ROBOT_USER}" \
  --from-literal=robot-password="${HCLOUD_ROBOT_PASS}"
helm repo add hcloud https://charts.hetzner.cloud
helm repo update hcloud
helm install hccm hcloud/hcloud-cloud-controller-manager -n kube-system -f hcloud-values.yaml
echo "Hcloud/cloud controller is set up"
# Add flux secret (flux-system does not exist before flux bootstrap, so create the namespace first)
kubectl create namespace flux-system --dry-run=client -o yaml | kubectl apply -f -
kubectl -n flux-system create secret generic sops-age \
  --from-file=age.agekey=sops-key.txt
# Bootstrap flux (reads the exported GITLAB_TOKEN)
flux bootstrap gitlab --owner=Givemeurcookies --repository=thycluster --path=./clusters/bifrost --personal --branch master --cluster-domain="${CLUSTER_DOMAIN}"
echo "Bootstrapped Flux. Done setting up cluster."
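As an added preflight check (not part of the original script), this shell function refuses to start the bootstrap when a token is still the xxx placeholder, when sops-key.txt is missing or readable by group/others, or when a token or the age key has been pasted into controlplane.yaml, which Hetzner hands back to the instance as user-data. The file names are the ones the script above uses; the function name and the sample files in the usage are assumptions.

```bash
#!/usr/bin/env bash
# Hypothetical preflight helper for the bootstrap script; run it before creating any servers.
preflight() {
  keyfile="$1"     # age key file, e.g. sops-key.txt
  userdata="$2"    # Talos machine config passed via --user-data-from-file, e.g. controlplane.yaml
  rc=0
  for v in GITLAB_TOKEN HCLOUD_TOKEN HCLOUD_ROBOT_USER HCLOUD_ROBOT_PASS; do
    eval "val=\${$v:-}"
    if [ -z "$val" ] || [ "$val" = "xxx" ]; then
      echo "preflight: $v is unset or still the xxx placeholder" >&2
      rc=1
    elif [ -f "$userdata" ] && grep -qF -- "$val" "$userdata"; then
      # user-data is served by the instance metadata endpoint, so a token in it is readable on the node
      echo "preflight: value of $v appears in $userdata" >&2
      rc=1
    fi
  done
  if [ ! -f "$keyfile" ]; then
    echo "preflight: age key $keyfile not found" >&2
    rc=1
  else
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
      600|400) ;;
      *) echo "preflight: $keyfile has mode $mode, expected 600" >&2; rc=1 ;;
    esac
    if [ -f "$userdata" ] && grep -q 'AGE-SECRET-KEY-' "$userdata"; then
      echo "preflight: age secret key material found in $userdata" >&2
      rc=1
    fi
  fi
  return "$rc"
}

# Usage (constructed files): preflight sops-key.txt controlplane.yaml || exit 1
```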

Old guide

This guide is not up to date, but it can give you an idea of the flow of setting up a new cluster.

  1. Start with setting up Talosconfig, bootstrap etcd and Kubeconfig
  2. Add CNI
  3. Add SOPS secret and Bootstrap Flux
  4. Bootstrap secrets
  5. -- Start adding control apps --
  6. Kubelet Serving Certificate Approver
  7. Add hcloud controller
  8. -- Any apps after this point can run on worker nodes --
  9. Add all operators/CRDs as some resources depend on them
  10. Add cert-manager
  11. Add issuers (dependsOn cert-manager crd)
  12. Add kyverno and hcloud CSI
  13. Add rook-ceph and cephCluster (dependsOn rook-ceph crd)