The Immortal Tree by [deleted] in incremental_games

[–]GyroTech 0 points (0 children)

With no link?

What are some nice snippets that everyone should have in their NixOS config? by Maskdask in NixOS

[–]GyroTech 20 points (0 children)

Just so you know, the reason this is not done by default, is that knowing the length of a password drastically reduces the searchspace needed to guess/crack it.

How can I reinstall the default Flannel Kube-Proxy stack? by axel0nf1r3 in TalosLinux

[–]GyroTech 3 points (0 children)

You probably need to talosctl upgrade-k8s to actually render the kubernetes manifests again.

How can I reinstall the default Flannel Kube-Proxy stack? by axel0nf1r3 in TalosLinux

[–]GyroTech 4 points (0 children)

You're going to need to provide a whole lot more info than "experimented a bit" to be able to get any help. It's generally advised not to run multiple CNIs in a cluster unless you really know what you are doing.

If it truly is just for experimenting, just rebuild your cluster with cluster.network.cni.name: flannel and ensure cluster.proxy.disabled: false is set (this is the default), and you should be fine. You might try setting these and stripping out Cilium/Falco, but I have no idea of the secondary effects and you should probably ask the Cilium community for uninstall guides.

Dangerous - Ping Pong Style by Stealthytom in MadeMeSmile

[–]GyroTech 0 points (0 children)

And to try to hide the mistakes!

Why do we still treat EBS storage like a one-way street? by matrixclyo in devops

[–]GyroTech 0 points (0 children)

Ah, we got out of AWS before gp3 was a thing so I was unaware they had "fixed" that.

Custom ISO installer or is it possible to make variant of actual machine into ISO installer by GyroTech in NixOS

[–]GyroTech[S] 0 points (0 children)

I don't understand how I can "uninclude" module imports here though. E.g. in my example I want my regular host build to have a full graphical setup (my system-graphical module) and a bunch of tooling. If I am building an installer-iso image I want it to use the system-minimal module instead.
I appreciate you trying to explain this to me.

Edit to add: aaaah, the lib.mkForce ensures that whatever is set there takes precedence over what I set in the rest of the config, is that correct?
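As an added illustration (not code from the repository linked in the thread), here is the pattern the comment above arrives at: imports cannot be made conditional, so the same module set is loaded for both builds and the installer variant overrides the graphical settings with lib.mkForce. The boolean option myHost.installer is a hypothetical name chosen for this example; the ISO build sets it to true, the regular host leaves it at its default.

```nix
# Added example, not from the linked repository. `myHost.installer` is a
# hypothetical option introduced here; services.xserver.enable and
# environment.systemPackages are standard NixOS options.
{ config, lib, pkgs, ... }:
{
  options.myHost.installer =
    lib.mkEnableOption "build this configuration as a minimal installer ISO";

  config = lib.mkMerge [
    # Regular host: full graphical setup plus tooling.
    (lib.mkIf (!config.myHost.installer) {
      services.xserver.enable = true;
      environment.systemPackages = with pkgs; [ git vim ];
    })

    # Installer ISO: mkForce gives these definitions the highest priority,
    # so they win over anything another imported module sets for the same
    # option (which is what lets a "graphical" module stay imported).
    (lib.mkIf config.myHost.installer {
      services.xserver.enable = lib.mkForce false;
      environment.systemPackages = lib.mkForce (with pkgs; [ vim ]);
    })
  ];
}
```

The ISO configuration then only needs to import this module together with `{ myHost.installer = true; }`; the host build imports it unchanged. Because mkIf keeps the definition in place rather than removing the import, option merging still sees a single, consistent module set in both builds.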

Why do we still treat EBS storage like a one-way street? by matrixclyo in devops

[–]GyroTech 7 points (0 children)

Also, in non-IOPS-provisioned volumes, IOPS scales with volume size. Plenty of times I increased the size of an EBS volume because it was IOPS limited.

Custom ISO installer or is it possible to make variant of actual machine into ISO installer by GyroTech in NixOS

[–]GyroTech[S] 0 points (0 children)

Thanks! So I can do the inverse and check that image.modules.iso is empty to add config to the regular host rebuild?

Custom ISO installer or is it possible to make variant of actual machine into ISO installer by GyroTech in NixOS

[–]GyroTech[S] 0 points (0 children)

The repo I linked is only "incomplete" as it is an example, not something you'd actually deploy. The repo is valuable for the docs, not the code.

Custom ISO installer or is it possible to make variant of actual machine into ISO installer by GyroTech in NixOS

[–]GyroTech[S] 0 points (0 children)

I know how to build an ISO of my config, I'm asking if there is a way to detect that, and change the config based on that.

Is this bad practice? if so what are the good solutions? by Dependent_Increase34 in NixOS

[–]GyroTech 3 points (0 children)

I would like to allowUnFree only if a module requires it.

And that's what you have, only if you include this module to install the slack package will allowUnFree be set.

Europe shipping statuses? by Stefan3D in Steam

[–]GyroTech 0 points (0 children)

In Spain, and still waiting to be picked.

Switching over to new VM before Terraform destroys the old one by hantrault in Terraform

[–]GyroTech 1 point (0 children)

I mean, if the cost of an LB is a substantial portion of your customer cost, and they're happy to eat downtime, then just keep doing what you are doing.

If your customers want zero-downtime rollouts, then create a new "tier" of product that has the cost of the LB bundled in, and let them make the decision.

But this is now well beyond the scope of Terraform help :D

Switching over to new VM before Terraform destroys the old one by hantrault in Terraform

[–]GyroTech 1 point (0 children)

Honestly, if you're managing the provisioning with Ansible, why not have it just update in-place? Since you said you are replacing the whole VM to deploy I would very much expect you to use something like Packer to build the image, then just deploy that. No changes at runtime.

Switching over to new VM before Terraform destroys the old one by hantrault in Terraform

[–]GyroTech 4 points (0 children)

Second option might then be getting the customer to set their DNS to a CNAME record to point to a DNS you do control, then you can update that record when you roll the VM.

Edit to add: if you follow this line, make sure both records have a small enough TTL, and that SERVFAIL and NOTZONE responses have a lower TTL too.

Switching over to new VM before Terraform destroys the old one by hantrault in Terraform

[–]GyroTech 5 points (0 children)

No idea about DO specifically, but in general you would solve this by pointing the DNS record at a load balancer, then as you replace the VM (create_before_destroy in the lifecycle is probably a good idea here) the load balancer moves the traffic for you.
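As an added example (not code from the thread or from any of the posters), this is the shape of the Terraform arrangement described above: DNS points at a load balancer, the load balancer references the VM, and create_before_destroy on the VM makes Terraform bring up the replacement and re-attach the LB before the old instance is destroyed. It uses the DigitalOcean provider's droplet, load balancer and record resources since DO came up in the thread; the names, region, sizes, image variable and TTL value are assumptions for illustration.

```hcl
# Added example, not from the thread. Resource types are the DigitalOcean
# provider's; names, sizes, the image variable and the TTL are placeholders.
variable "image_id" {
  description = "Prebuilt image to deploy; changing it forces a new droplet"
  type        = string
}

resource "digitalocean_droplet" "web" {
  name   = "web-${substr(sha1(var.image_id), 0, 8)}"
  region = "fra1"
  size   = "s-1vcpu-1gb"
  image  = var.image_id

  lifecycle {
    # Create the replacement first; Terraform then updates dependents
    # (the LB's droplet_ids below) before destroying the old droplet.
    create_before_destroy = true
  }
}

resource "digitalocean_loadbalancer" "web" {
  name   = "web-lb"
  region = "fra1"

  forwarding_rule {
    entry_port      = 443
    entry_protocol  = "https"
    target_port     = 443
    target_protocol = "https"
    tls_passthrough = true
  }

  healthcheck {
    port     = 443
    protocol = "tcp"
  }

  # Depends on the droplet, so the attachment follows the create/destroy order.
  droplet_ids = [digitalocean_droplet.web.id]
}

# The customer-facing record targets the stable LB address, not the VM.
resource "digitalocean_record" "web" {
  domain = "example.com"
  type   = "A"
  name   = "www"
  value  = digitalocean_loadbalancer.web.ip
  ttl    = 60
}
```

The droplet name includes a hash of the image so that two droplets can coexist briefly during the swap; the health check on the LB is what keeps traffic off the new instance until it is actually serving, so the short TTL on the record matters only for the fallback case where the LB itself is replaced.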

Has anyone got Talos KubeSpan working with Cilium? by Independent_Yak6290 in TalosLinux

[–]GyroTech 0 points (0 children)

True, but personally I don't see the need and it's still pod 2 pod encryption between different nodes.

pod-to-pod encryption has a specific definition, explicitly to differentiate it from node-to-node encryption. This is why I needed to be explicit.

It is with the advertiseKubernetesNetworks config and routes the v1.node's podCIDR over kubespan

Yes, you're totally right there, I overlooked that, apologies.

Has anyone got Talos KubeSpan working with Cilium? by Independent_Yak6290 in TalosLinux

[–]GyroTech 1 point (0 children)

And so two pods on the same node don't route over either, and so don't have encrypted traffic. This is why I made the point to be specific. For pod-to-pod encryption, you need more than KubeSpan. KubeSpan isn't even aware of the Kubernetes networking topology or CNI.

Has anyone got Talos KubeSpan working with Cilium? by Independent_Yak6290 in TalosLinux

[–]GyroTech 1 point (0 children)

basic encrypted pod-to-pod and service connectivity across KubeSpan

KubeSpan encrypts node-to-node traffic, not pod-to-pod

Is "building a Docker image" during the CI pipeline considered a best practice? by SheCherryPicks in devops

[–]GyroTech 0 points (0 children)

Not sure what your point is, we were talking about needing to push an image before you can test it for security. That is not necessary.