Azure

Image Creation

For each Talos release, we provide an Azure compatible vhd (azure.tar.gz). If you want to build the image locally, you can do so by running:

make installer
make image-azure

This will produce build/azure.tar.gz.

Environment Setup

Before proceeding, you’ll want to make sure you have osctl available and the azure cli az installed and configured. osctl is published on each release and is available on our releases page Talos release. If you want to build it locally, you can do so by running:

make osctl-[linux|darwin]
cp build/osctl-[linux|darwin]-amd64 /usr/local/bin

We’ll also make use of the following environment variables throughout the setup:

# Storage account to use, default to 'mytalosvhd'
STORAGE_ACCOUNT=${STORAGE_ACCOUNT:-mytalosvhd}

# Resource group name, default to 'talos'
GROUP=${GROUP:-talos}

# Location, default to 'westus2'
LOCATION=${LOCATION:-westus2}

Upload Image

After downloading or creating the image locally, we’ll want to upload it to Azure and create an image.

# Create resource group
az group create -l $LOCATION -n $GROUP

# Create storage account
az storage account create -g $GROUP -n $STORAGE_ACCOUNT

# Get storage account connection string
CONNECTION=$(az storage account show-connection-string -n $STORAGE_ACCOUNT -g $GROUP -o tsv)

# Create a container in the storage account
az storage container create -n talos --connection-string $CONNECTION

# Upload the vhd
az storage blob upload --connection-string $CONNECTION --container-name talos -f build/talos-azure.vhd -n disk.vhd

# Create an image based on the vhd
az image create --name talos --source https://$STORAGE_ACCOUNT.blob.core.windows.net/talos/disk.vhd --os-type linux -g $GROUP

Network Infrastructure

Once the resource group is created and image uploaded, we’ll want to work through the network security rules.

# Create network security group
az network nsg create -g $GROUP -n talos

# Client -> Proxyd
az network nsg rule create -g $GROUP --nsg-name talos -n proxyd --priority 1000 --destination-port-ranges 443  --direction inbound

# Client -> OSD
az network nsg rule create -g $GROUP --nsg-name talos -n osd --priority 1001 --destination-port-ranges 50000 --direction inbound

# Trustd
az network nsg rule create -g $GROUP --nsg-name talos -n trustd --priority 1002 --destination-port-ranges 50001 --direction inbound

# etcd
az network nsg rule create -g $GROUP --nsg-name talos -n etcd --priority 1003 --destination-port-ranges 2379-2380 --direction inbound

# Proxyd -> Kubernetes API Server
az network nsg rule create -g $GROUP --nsg-name talos -n kube --priority 1004 --destination-port-ranges 6443 --direction inbound

Cluster Configuration

After getting the network security group set up, we’ll need to allocate public IPs for our master nodes. The example below assumes a HA control plane of 3 nodes. You can adjust this for your needs.

# Reserve public IPs
az network public-ip create -g $GROUP --name talos-master-1 --allocation-method static
az network public-ip create -g $GROUP --name talos-master-2 --allocation-method static
az network public-ip create -g $GROUP --name talos-master-3 --allocation-method static

# Gather public IPs into a comma separated string
MASTERIPS=$(az network public-ip list -g $GROUP -o tsv --query [].ipAddress | paste -sd,)

# Generate a default Talos config for this cluster
# # This should generate master-{1,2,3}.yaml, worker.yaml, and talosconfig in your PWD
./osctl config generate cluster.local $MASTERIPS

Compute Creation

# Create master nodes
# # `--admin-username` and `--generate-ssh-keys` are required by the az cli,
# # but are not actually used by talos
# # `--os-disk-size-gb` is the backing disk for Kubernetes and any workload containers
# # `--boot-diagnostics-storage` is to enable console output which may be necessary
# # for troubleshooting
az vm create \
  --name talos1 \
  --image talos \
  --custom-data ./master-1.yaml \
  --public-ip-address talos-master-1 \
  -g $GROUP \
  --admin-username talos \
  --generate-ssh-keys \
  --verbose \
  --boot-diagnostics-storage $STORAGE_ACCOUNT \
  --nsg talos \
  --os-disk-size-gb 64 \
  --no-wait
az vm create --name talos2 --image talos --custom-data ./master-2.yaml  --public-ip-address talos-master-2 -g $GROUP --admin-username talos --generate-ssh-keys --verbose --boot-diagnostics-storage $STORAGE_ACCOUNT --nsg talos --os-disk-size-gb 64 --no-wait
az vm create --name talos3 --image talos --custom-data ./master-3.yaml  --public-ip-address talos-master-3 -g $GROUP --admin-username talos --generate-ssh-keys --verbose --boot-diagnostics-storage $STORAGE_ACCOUNT --nsg talos --os-disk-size-gb 64 --no-wait

## Create worker nodes, reuse as needed
az vm create --name talos4 --image talos --custom-data ./worker.yaml -g $GROUP --admin-username talos --generate-ssh-keys --verbose --boot-diagnostics-storage $STORAGE_ACCOUNT --nsg talos --os-disk-size-gb 64 --no-wait

Enjoy your cluster

You should now be able to interact with your cluster with osctl:

osctl --talosconfig ./talosconfig kubeconfig > kubeconfig
kubectl --kubeconfig ./kubeconfig get nodes

You will need to apply a PSP and CNI configuration. More details can be found in the getting started guide.