Problems with talos bootstrap certs #224

@amaol-vestas

Hello,

I'm using talos bootstrap and controlplane cluster api providers together with Nutanix cluster api provider:

I'm using the following TalosControlPlane config:

```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
kind: TalosControlPlane
metadata:
  name: tenant-sbx-kcp
  namespace: tenant-sbx
spec:
  controlPlaneConfig:
    controlplane:
      configPatches:
        - op: add
          path: /machine/kubelet/extraArgs
          value:
            cloud-provider: external
        - op: add
          path: /machine/features/kubernetesTalosAPIAccess
          value:
            allowedKubernetesNamespaces:
              - kube-system
            allowedRoles:
              - os:reader
            enabled: true
        - op: add
          path: /machine/network
          value:
            interfaces:
              - dhcp: true
                dhcpOptions:
                  routeMetric: 1
                interface: eth0
                vip:
                  ip: ####
              - dhcp: true
                dhcpOptions:
                  routeMetric: 10
                interface: eth1
            nameservers:
              - ####
              - ####
              - ####
        - op: add
          path: /machine/install
          value:
            extraKernelArgs:
              - net.ifnames=0
        - op: add
          path: /cluster/proxy
          value:
            disabled: false
        - op: add
          path: /machine/features/kubePrism
          value:
            enabled: true
            port: 7445
        - op: replace
          path: /cluster/controlPlane
          value:
            endpoint: https://###:6443
        - op: add
          path: /machine/certSANs
          value:
            - ####
        - op: add
          path: /cluster/network/cni
          value:
            name: none
      generateType: controlplane
      talosVersion: v1.10.5
  infrastructureTemplate:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: NutanixMachineTemplate
    name: tenant-sbx
    namespace: tenant-sbx
  replicas: 3
  rolloutStrategy:
    rollingUpdate:
      maxSurge: 1
    type: RollingUpdate
  version: 1.33.1
```

and facing certificate issues during bootstrap:

```text
k describe TalosControlPlane

Message:               machine "tenant-sbx-kcp-llj4p": rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
Reason:                ControlPlaneComponentsInspectionFailed
Severity:              Warning
Status:                False
Type:                  ControlPlaneComponentsHealthy
Last Transition Time:  2025-08-20T07:53:32Z
Message:               error checking etcd health on machine "tenant-sbx-kcp-llj4p": rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
Reason:                EtcdClusterUnhealthy
Severity:              Warning
Status:                False
Type:                  EtcdClusterHealthyCondition
Last Transition Time:  2025-08-20T07:25:50Z
Message:               rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
Reason:                WaitingForTalosBoot
```

Has anyone faced a similar issue, or know how to fix it?

Any support or help is highly welcome, thanks.
