Stop tracking talos kubeconfig; remove Authentik token from git; add Newt kubeseal example
Remove committed talos/kubeconfig (cluster admin credentials). Ignore talos/kubeconfig at repo root.

Replace hardcoded LDAP outpost token with AUTHENTIK_LDAP_OUTPOST_TOKEN from .env.

Document Sealed Secrets workflow for Newt (kubeseal script + README updates).

Clarify Talos secrets use talsecret/SOPS, not Sealed Secrets.

Made-with: Cursor
@@ -26,6 +26,8 @@ talhelper genconfig -o out
`out/` is ignored via repo root `.gitignore` (`talos/out/`). Do not commit `talsecret.yaml` or generated machine configs.
**Never commit `talos/kubeconfig`** (also gitignored). It contains cluster admin credentials; generate locally with `talosctl kubeconfig` (§3). If it was ever pushed, remove it from git tracking, regenerate kubeconfig, and treat the old credentials as compromised (purge from history with `git filter-repo` or BFG if needed).
**After any `talconfig.yaml` edit, run `genconfig` again** before `apply-config`. Stale `out/*.yaml` is easy to apply by mistake. Quick check: `grep -A8 kind: UserVolumeConfig out/noble-neon.yaml` should match what you expect (e.g. Longhorn `volumeType: disk`, not `grow`/`maxSize` on a partition).
## 2. Apply machine config
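Review bot: the **Never commit `talos/kubeconfig`** paragraph tells the reader to "regenerate kubeconfig" after a leak, but running `talosctl kubeconfig` again only issues an additional client certificate from the same Kubernetes CA; the leaked certificate stays valid until it expires, because Kubernetes has no certificate revocation. Suggest stating that the old credentials only stop working once the Kubernetes CA is rotated (`talosctl rotate-ca` on recent Talos releases) or the cluster is re-bootstrapped, and that purging history with `git filter-repo`/BFG limits further exposure but does not invalidate anything. Smaller point on the `genconfig` line: `grep -A8 kind: UserVolumeConfig out/noble-neon.yaml` passes `UserVolumeConfig` as a second file argument, so it searches for `kind:` in a file that does not exist; quote the pattern as `grep -A8 'kind: UserVolumeConfig' out/noble-neon.yaml`.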