Separating secrets from your controlplane.yaml/worker.yaml file?

[TimoVerbrugghe]

Ey everyone! Looking into using Talos, have used kubernetes before but new to talos. I have a question on config file management. I understand you can generate a separate secrets.yaml file and that you can generate a new controlplane.yaml file from that.

However I'm planning to create a controlplane.yaml / worker.yaml file that I would like to store in a github repository somewhere with the rest of my config files. However, I don't see a way to generate an unified controlplane.yaml file based on a custom one + secrets.yaml file (or am I missing something)?

Or is there a way when you apply a talos config to specify a separate controlplane/worker.yaml file and a secrets.yaml file?

How do you all separate secrets from a config that you would store publicly somewhere?

[rothgar]

A secrets file is a normal config patch. So you can use something like this

talosctl apply -f controlplane.yaml -p secrets.yaml -p patch-1.yaml -p patch-2.yaml

[TimoVerbrugghe]

Jep agreed, after diving a bit deeper into the talos documentation, it's indeed better to create some kind of a "generic patch" with the config options you want to change from the default controlplane/worker yaml files that talos generates & in addition have a separate secrets.yaml that you can then merge at anytime with the command above. Thanks for the quick reply!

[xyhhx]

How do you all separate secrets from a config that you would store publicly somewhere?

personally, i generate my secrets with talosctl gen secrets, encrypt that with sops, track in git.

i use the terraform provider for talos to ingest those secrets and then generate my resources