Adding K8s Nodes
Step-by-step procedure to add a new worker node to the cluster.
Prerequisites
- Access to Euronodes panel
- SSH access from bastion
- Talos metal image (`talos-metal-amd64.raw.zst`)
Procedure
1. Order VPS
Order at Euronodes:
- Plan: K4R8 (recommended)
- OS: Ubuntu 24.04 (temporary, will be overwritten)
- IPv4 required (add-on, ~0.90/mo)
DANGER
IPv6-only does NOT work. Container image pulls fail without IPv4.
2. Flash Talos
From bastion, overwrite the disk with the Talos image:
```bash
# Stream the decompressed image over SSH straight onto the VPS disk; this destroys the temporary Ubuntu install
zstd -d /tmp/talos-metal-amd64.raw.zst --stdout | ssh root@[ipv6] 'dd of=/dev/sda bs=4M'
```
3. Reboot
Reboot from the Euronodes panel. Ensure boot order is set to disk first.
4. Generate WireGuard Keys
```bash
umask 077   # keep the generated privkey file readable only by the current user
wg genkey | tee privkey | wg pubkey > pubkey
```
WARNING
Talos v1.13 does NOT support WireGuard presharedKey. Do not include it in configs.
5. Create Node Config Patch
Copy from an existing node and adjust:
```bash
cp nodes/worker-1.yaml nodes/worker-new.yaml
```
Update in the new file:
- WireGuard private key
- WireGuard peer public keys
- Node IP in the WireGuard subnet (`10.10.1.X`)
6. Generate Full Config
```bash
talosctl machineconfig patch /tmp/talos-base/worker.yaml \
  --patch @patches/wireguard-common.yaml \
  --patch @patches/worker-dc.yaml \
  --patch @nodes/worker-new.yaml \
  --output /tmp/quinza-worker-new.yaml
```
7. Apply Config
```bash
# --insecure is expected here: the freshly flashed node has no machine config or PKI yet, so its API runs in maintenance mode
talosctl apply-config --insecure --nodes [ipv6] --file /tmp/quinza-worker-new.yaml
```
8. Add WireGuard Peer on Bastion
```bash
# IPv6 endpoints must be written in brackets, e.g. [2001:db8::1]:51820
sudo wg set wg0 peer '[pubkey]' \
  endpoint '[ipv6]:51820' \
  allowed-ips '10.10.1.X/32' \
  persistent-keepalive 25
```
9. Configure Euronodes Firewall
| Rule | Direction | Port | Protocol / Action |
|---|---|---|---|
| Default | IN | all | DROP |
| Talos API | IN | 50000 | TCP |
| WireGuard | IN | 51820 | UDP |
10. Update Ansible Inventory
Add the new node to the inventory so future playbook runs include it.
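As an added example (not part of this runbook), a pre-apply check for the node patch written in step 5 that catches the two mistakes the steps above warn about, a leftover presharedKey and an address outside the 10.10.1.0/24 WireGuard subnet, before step 6 builds the full config. The YAML field names follow the Talos machine config; the sample patches, the dummy key and the temporary file paths are constructed for the demo.

```bash
#!/usr/bin/env bash
# Hypothetical helper, not part of the repo: it greps the YAML for the Talos
# wireguard fields (privateKey, peers[].publicKey, presharedKey, addresses)
# instead of parsing it, so it needs only sh and grep.

# Returns 0 when the patch passes every check, 1 otherwise (failures are printed).
check_node_patch() {
  file="$1"; rc=0; key='"?[A-Za-z0-9+/]{43}="?'
  # Talos v1.13 rejects presharedKey (WARNING in step 4), so it must be absent.
  if grep -qE '^[[:space:]]*presharedKey:' "$file"; then
    echo "FAIL: presharedKey present (unsupported on Talos v1.13)"; rc=1
  fi
  # A WireGuard key is 32 bytes of base64: 43 characters followed by '='.
  if ! grep -qE "^[[:space:]]*privateKey:[[:space:]]*$key" "$file"; then
    echo "FAIL: privateKey missing or malformed"; rc=1
  fi
  if ! grep -qE "^[[:space:]]*-?[[:space:]]*publicKey:[[:space:]]*$key" "$file"; then
    echo "FAIL: no peer publicKey found"; rc=1
  fi
  # The node address must be a /32 inside the 10.10.1.0/24 WireGuard subnet.
  if ! grep -qE '^[[:space:]]*-[[:space:]]*10\.10\.1\.[0-9]{1,3}/32[[:space:]]*$' "$file"; then
    echo "FAIL: no 10.10.1.X/32 address (wrong subnet or mask)"; rc=1
  fi
  return "$rc"
}

# Constructed sample patches for the demo; DUMMY is a placeholder, not a real key.
TMP=$(mktemp -d)
DUMMY='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
GOOD="$TMP/worker-good.yaml"; BAD="$TMP/worker-bad.yaml"
cat > "$GOOD" <<EOF
machine:
  network:
    interfaces:
      - interface: wg0
        addresses:
          - 10.10.1.7/32
        wireguard:
          privateKey: $DUMMY
          peers:
            - publicKey: $DUMMY
              endpoint: "[2001:db8::1]:51820"
EOF
# The bad patch uses the wrong subnet and still carries a presharedKey.
{ sed 's#10.10.1.7/32#10.10.2.7/32#' "$GOOD"; echo "          presharedKey: $DUMMY"; } > "$BAD"
check_node_patch "$GOOD" && echo "OK: $GOOD"
check_node_patch "$BAD" || echo "rejected: $BAD"
```

Run it against `nodes/worker-new.yaml` before step 6; a non-zero exit means the patch needs fixing before it is merged into the full config.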
Verification
```bash
# From a machine with talosctl configured
talosctl get members
# Check that the node has joined Kubernetes
kubectl get nodes
```