Air-Gapped Installation of Talos Linux Cluster

Bootstrap a Talos Linux cluster for Cozystack with an air-gapped environment

This guide outlines the steps to bootstrap a Cozystack cluster in an air-gapped environment.

Air-gapped installation means that the cluster has no direct access to the Internet. All necessary resources, such as images and metadata, must be available on the private network.


Configure nodes

Configure NTP Servers

Accurate time synchronization is critical for the cluster. In your Talos machine configuration, set local NTP servers that are accessible inside your private network.

machine:
  time:
    servers:
      - 192.168.0.4
      - 10.10.0.5

Ensure the specified NTP servers are reachable from the first node.

Configure Container Registry Mirrors

Since the cluster cannot access public container registries, it needs to use local mirrors of them. Creating such mirrors is out of scope for this guide.

Update your machine configuration in the following way:

machine:
  registries:
    mirrors:
      docker.io:
        endpoints:
          - http://10.0.0.1:8082
      ghcr.io:
        endpoints:
          - http://10.0.0.1:8083
      gcr.io:
        endpoints:
          - http://10.0.0.1:8084
      registry.k8s.io:
        endpoints:
          - http://10.0.0.1:8085
      quay.io:
        endpoints:
          - http://10.0.0.1:8086
    config:
      "10.0.0.1:8082":
        insecure: true
        auth:
          username: myuser
          password: mypass

Here, the values under config["10.0.0.1:8082"] (insecure and auth) are given as examples; put the real values instead. The key of each config entry must match the host:port of a mirror endpoint, otherwise its settings are never applied. Keep in mind that insecure: true disables TLS verification for that mirror. Make sure your local registry proxies mirror all required images for Talos and Kubernetes components.
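As an added preflight check (example code written for this guide, not part of Talos, talm or Cozystack), the following Python audits a machine config that has already been loaded as a dict (for instance with yaml.safe_load) for the air-gap pitfalls described above: missing NTP servers, a missing mirror for one of the registries listed in this guide, endpoints that are not HTTPS, insecure: true entries, and config keys that match no endpoint. The REQUIRED_MIRRORS list is an assumption taken from the registries shown in the snippet; the embedded sample config is constructed from the snippets on this page.

```python
from urllib.parse import urlsplit

# Assumption: the registries listed in this guide are the ones the cluster needs mirrored.
REQUIRED_MIRRORS = ("docker.io", "ghcr.io", "gcr.io", "registry.k8s.io", "quay.io")

# Constructed sample mirroring the snippets in this guide, as yaml.safe_load would return it.
SAMPLE_CONFIG = {
    "machine": {
        "time": {"servers": ["192.168.0.4", "10.10.0.5"]},
        "registries": {
            "mirrors": {
                "docker.io": {"endpoints": ["http://10.0.0.1:8082"]},
                "ghcr.io": {"endpoints": ["http://10.0.0.1:8083"]},
                "gcr.io": {"endpoints": ["http://10.0.0.1:8084"]},
                "registry.k8s.io": {"endpoints": ["http://10.0.0.1:8085"]},
                "quay.io": {"endpoints": ["http://10.0.0.1:8086"]},
            },
            "config": {
                "10.0.0.1:8082": {
                    "insecure": True,
                    "auth": {"username": "myuser", "password": "mypass"},
                }
            },
        },
    }
}


def audit_machine_config(cfg: dict) -> list[str]:
    """Return findings as 'error: ...' / 'warn: ...' strings; an empty list means clean."""
    findings = []
    machine = cfg.get("machine", {})
    if not machine.get("time", {}).get("servers"):
        findings.append("error: no NTP servers set; nodes would fall back to public pools")
    registries = machine.get("registries", {})
    mirrors = registries.get("mirrors", {})
    reg_config = registries.get("config", {})
    for name in REQUIRED_MIRRORS:
        if not mirrors.get(name, {}).get("endpoints"):
            findings.append(f"error: no mirror endpoint for {name}")
    referenced = set()  # host:port values that actually appear in mirror endpoints
    for name, mirror in mirrors.items():
        for endpoint in mirror.get("endpoints", []):
            url = urlsplit(endpoint)
            referenced.add(url.netloc)
            if url.scheme != "https":
                findings.append(f"warn: {name} mirror {endpoint} is not HTTPS; pulls are unauthenticated on the wire")
            if reg_config.get(url.netloc, {}).get("insecure"):
                findings.append(f"warn: {url.netloc} has insecure: true (TLS verification disabled)")
    # A config key that matches no endpoint is usually a typo: its auth/TLS settings never apply.
    for hostport in reg_config:
        if hostport not in referenced:
            findings.append(f"error: registries.config entry {hostport} matches no mirror endpoint")
    return findings
```

Run it against each node's rendered config before talm apply; any error: line means the node would silently fall back to public registries or public NTP, which cannot work in an air-gapped network.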

Add a CA certificate to the nodes

To use a private Certificate Authority, you need to add its certificate to the nodes.

# talm: nodes=["10.10.10.10"], endpoints=["10.10.10.10"], templates=["templates/controlplane.yaml"]
# THIS FILE IS AUTOGENERATED. PREFER TEMPLATE EDITS OVER MANUAL ONES.
machine:
...
...
...
...
  discovery:
    enabled: false
  etcd:
    advertisedSubnets:
      - 10.4.100.10/24
  allowSchedulingOnControlPlanes: true
---
apiVersion: v1alpha1
kind: TrustedRootsConfig
name: my-enterprise-ca
certificates: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----

Apply the configuration to every node:

talm apply -f nodes/srv1