Kubernetes
The cluster runs Talos Linux on Hetzner Cloud, provisioned through OpenTofu using the hcloud-k8s/kubernetes/hcloud module. Everything below the application layer — VMs, network, storage, certificates — is defined in flux-clusters/stefanzhelev/terraform/hcloud/.
Cluster topology
| Node pool | Server type | Count | Role |
|---|---|---|---|
| control | CX33 | 3 | Control plane (etcd, API server) |
| stateful-ha | CX43 | 3 | HA workloads (Vault, CNPG, ClickHouse) |
| stateful-single | CX43 | 1 | Single-instance stateful apps |
| stateless-single | CX53 | 1 | Stateless workloads |
Workloads are pinned to pools with node selectors: HA databases stay on the three-node stateful-ha pool, while one-off services share the single-node pools, which cost one server each rather than three.
Networking
| Setting | Value |
|---|---|
| Network CIDR | 10.10.0.0/16 |
| CNI | Cilium |
| Encryption | WireGuard (node-to-node) |
| Gateway API | Enabled |
| kube-proxy | Replaced by Cilium |
Storage
| Storage class | Encrypted | Default | Reclaim policy |
|---|---|---|---|
| hcloud-volumes-encrypted | Yes | Yes | Retain |
| hcloud-volumes | No | No | Retain |
Talos state and ephemeral partitions are encrypted at the OS layer in addition to the CSI-level volume encryption.
Security posture
- Talos state and ephemeral partition encryption enabled
- Hetzner Cloud firewall rules generated automatically for the operator's current IP address; when that address changes, the rules have to be reapplied before the cluster is reachable again
- OIDC authentication for the Kubernetes API delegated to Authentik
- TLS certificates issued by cert-manager with the Let’s Encrypt production issuer
- etcd backups written to S3-compatible storage
Provisioning with OpenTofu
Infrastructure lives in flux-clusters/stefanzhelev/terraform/hcloud/. Terraform state is stored remotely in Cloudflare R2 through the S3-compatible backend:

```hcl
terraform {
  backend "s3" {
    bucket    = "stefanzhelev-tf-state"
    key       = "clusters/stefanzhelev-hcloud.tfstate"
    endpoints = { s3 = "https://<account-id>.r2.cloudflarestorage.com" }
    region    = "auto"
  }
}
```

Initialize and plan

```sh
cd flux-clusters/stefanzhelev/terraform/hcloud
tofu init
tofu plan
```

Apply infrastructure changes

```sh
tofu apply
```

Destroy the cluster

```sh
tofu destroy
```

Talos commands
Section titled “Talos commands”Talos is managed entirely through its API — there is no SSH access. The talosctl CLI handles every node operation.
Configuration
```sh
# Set talosconfig from the Terraform output
export TALOSCONFIG=$(pwd)/talosconfig

# Verify connectivity
talosctl health
```

Node information
```sh
talosctl get members
talosctl dashboard
talosctl logs kubelet
talosctl logs etcd
talosctl services
```

Cluster operations
```sh
# Get kubeconfig
talosctl kubeconfig ./kubeconfig

# Upgrade Talos on a node (one node at a time; wait for health before the next)
talosctl upgrade --nodes <node-ip> \
  --image ghcr.io/siderolabs/installer:<version>

# Upgrade Kubernetes
talosctl upgrade-k8s --to <k8s-version>

# Reset a node
talosctl reset --nodes <node-ip> --graceful
```

Troubleshooting
```sh
talosctl etcd status
talosctl etcd members
talosctl usage /var
talosctl get machineconfig -o yaml
talosctl reboot --nodes <node-ip>
```
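The single-node `talosctl upgrade` under Cluster operations is the building block; what a practitioner actually runs on a three-node control plane is a serialised loop around it, so etcd never has more than one member down and the health check from the Configuration section gates every step. The following added example (not the page's or the hcloud-k8s module's own tooling) does that: it validates the release tag, upgrades control-plane nodes first and then workers, one at a time, and refuses to start on a cluster that is not already healthy. It assumes TALOSCONFIG is exported as shown above and that every node IP is reachable through the firewall; the node addresses in the usage line are constructed.

```sh
#!/bin/sh
# Health-gated rolling Talos upgrade. Added example, not the page's or the
# hcloud-k8s module's own code. Assumes TALOSCONFIG points at a working
# talosconfig and that each node IP passed in is reachable.
set -eu

# Installer tags look like v1.9.3; refuse anything else so a typo does not
# turn into a control-plane node booting an image that does not exist.
valid_version() {
  case "$1" in
    v[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# upgrade_node IP VERSION: upgrade one node, then block until the cluster
# health checks pass again before the caller moves on to the next node.
upgrade_node() {
  node="$1"
  version="$2"
  talosctl upgrade --nodes "$node" --image "ghcr.io/siderolabs/installer:$version"
  talosctl health --wait-timeout 10m
}

# rolling_upgrade VERSION "CP_IP CP_IP ..." "WORKER_IP ...": control-plane
# nodes go first, then workers; both lists are walked strictly serially.
rolling_upgrade() {
  version="$1"
  control_planes="$2"
  workers="$3"
  valid_version "$version" || { echo "bad version tag: $version" >&2; return 1; }
  # Do not start on a cluster that is already unhealthy: taking one etcd
  # member down on top of an existing failure can cost quorum.
  talosctl health --wait-timeout 5m
  for node in $control_planes $workers; do
    upgrade_node "$node" "$version"
  done
}

# Only run when invoked with RUN_ROLLING_UPGRADE=1; sourcing the file for
# its functions does nothing. Constructed usage:
#   RUN_ROLLING_UPGRADE=1 sh rolling-upgrade.sh v1.9.3 \
#     "10.10.0.11 10.10.0.12 10.10.0.13" "10.10.0.21 10.10.0.22"
if [ "${RUN_ROLLING_UPGRADE:-0}" = 1 ]; then
  rolling_upgrade "$@"
fi
```

Because the script relies on `talosctl health` as the gate, a node that comes back but fails health keeps the loop from touching the next one; that is the intended failure mode, since a half-upgraded control plane is recoverable and a fully broken one is not. `talosctl upgrade-k8s` is deliberately left out: it is a separate, cluster-wide step that belongs after all nodes run the new Talos release.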