# 4.2 Boot & Install
After generating machine configurations in 4.1, apply them to your nodes. The process is:
- Boot nodes into Talos maintenance mode (how depends on your deployment model)
- Apply machine configuration to each node using `talosctl apply-config --insecure`
The --insecure flag is required for the initial apply because the node doesn't yet have TLS credentials. After the first apply, all communication uses mTLS.
After all nodes are configured, proceed to 4.3 Bootstrap the Cluster.
On AWS, Talos is installed via the AMI that was built and registered during the Provision Compute step. The EC2 instances boot directly from this AMI — there is no separate installation step.
## How It Works
- The Terraform compute module (`terraform/modules/aws/compute/`) launches EC2 instances with `ami` set to the Talos AMI
- Each instance boots Talos Linux from the AMI root volume (`/dev/xvda`)
- Talos enters maintenance mode, waiting for a machine configuration to be applied via `talosctl`
## Accessing Nodes
Since nodes are in private subnets, you need network access to reach them:
- Internet-facing NLB (`nlbInternal = false`): Use the NLB DNS name with `allowedAdminCidr` set to your IP
- Internal NLB (`nlbInternal = true`): Access via VPN or bastion host within the VPC
The NLB has three listeners:
| Port | Target | Description |
|---|---|---|
| 6443 | Control plane nodes | Kubernetes API |
| 50000 | Control plane nodes | Talos API |
| 50001 | Worker nodes | Talos API |
Port 50001 allows you to apply machine configurations and run talosctl commands against worker nodes directly through the NLB, without routing through a control plane node.
## Apply Machine Configuration
After the EC2 instances are running, apply the talhelper-generated per-node configurations from 4.1 Generate Machine Configuration. Each node gets its own config file under the clusterconfig/ directory, named <cluster-name>-<hostname>.yaml.
### Control Plane Nodes
Apply via the NLB on port 50000 (Talos API for control plane nodes):
```bash
talosctl apply-config \
  --insecure \
  --nodes <nlb-dns-name>:50000 \
  --file clusterconfig/rciis-aws-cp-01.yaml
```
### Worker Nodes
Apply via the NLB on port 50001 (Talos API for worker nodes):
```bash
talosctl apply-config \
  --insecure \
  --nodes <nlb-dns-name>:50001 \
  --file clusterconfig/rciis-aws-wn-01.yaml
```
Note
The --insecure flag is required for the initial configuration apply because the node does not yet have TLS credentials. After the first apply, all subsequent communication uses mTLS.
Tip
If you have multiple nodes of each type, repeat the command for each one. The NLB will round-robin to the next unconfigured node in maintenance mode on the corresponding port.
## Configure talosctl
After all nodes have been configured and have rebooted, merge the generated talosconfig and set node targets:
```bash
# Merge the talhelper-generated talosconfig into your local config
talosctl config merge clusterconfig/talosconfig
# Set nodes to the private IPs from terraform output
talosctl config nodes <cp-private-ip> <worker-private-ip>
```
Info
Endpoints are the Talos API entry points — the NLB address is set as the endpoint in the generated talosconfig. Nodes are the targets for commands and must be set to the private IPs of the EC2 instances. This is because talosctl connects to an endpoint, which then proxies the request to the target node's private IP.
Note
This step is only required during initial cluster setup or when adding new nodes. Subsequent terraform apply runs that recreate existing instances with the same IPs do not require updating the talosconfig. The node list in your local ~/.talos/config persists across sessions.
## Talos Extensions
If you built a custom AMI with extensions via schematic.yaml, those extensions are baked into the image and active at boot. No additional configuration is needed.
The schematic.yaml file in the project lists available extensions:
```yaml
customization:
  systemExtensions:
    officialExtensions: []
    # Uncomment extensions as needed:
    # - siderolabs/iscsi-tools
    # - siderolabs/zfs
    # - siderolabs/tailscale
```
See github.com/siderolabs/extensions for the full list.
On bare metal, Talos is booted from ISO, USB, or PXE (see Provision Compute). After booting, nodes enter maintenance mode and wait for a machine configuration on port 50000.
## Step 1: Verify Nodes Are in Maintenance Mode
Each node listens on port 50000 after booting. Verify connectivity with the `--insecure` flag (the node has no TLS credentials yet), repeating the command for each node IP:
```bash
talosctl get disk -n 192.168.30.31 --insecure
```
If this returns a list of disks, the node is in maintenance mode and ready for configuration.
## Step 2: Apply Machine Configuration
### Control Plane Nodes
Apply the control plane config to each CP node:
```bash
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.31 \
  --file _out/controlplane.yaml
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.32 \
  --file _out/controlplane.yaml
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.33 \
  --file _out/controlplane.yaml
```
Note
If each control plane node has a unique config (e.g., different static IP patches), use per-node config files instead.
### Worker Nodes
```bash
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.34 \
  --file _out/worker.yaml
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.35 \
  --file _out/worker.yaml
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.36 \
  --file _out/worker.yaml
```
After applying, each node:
1. Installs Talos to the configured disk (e.g., /dev/sda)
2. Reboots from the installed disk
3. Starts Talos services and waits for cluster bootstrap
Next Steps
Proceed to 4.3 Bootstrap the Cluster to configure talosctl, initialise etcd, retrieve credentials, and install the CNI plugin.
On Proxmox, VMs are provisioned with Terraform in 3.1 Provision Compute. After Terraform completes, each VM boots from the Talos template and enters maintenance mode, listening on port 50000. The remaining steps verify connectivity and apply Talhelper-generated machine configs via talosctl:
- Verify nodes are in maintenance mode
- Apply Talhelper-generated machine configs to each node
## Step 1: Verify Nodes Are in Maintenance Mode
Confirm each node is reachable and in maintenance mode:
```bash
# Check if the Talos API is reachable on each node
talosctl get disk -n 192.168.30.31 --insecure
talosctl get disk -n 192.168.30.34 --insecure
talosctl get disk -n 192.168.30.35 --insecure
talosctl get disk -n 192.168.30.36 --insecure
```
If the command returns a list of disks, the node is in maintenance mode and ready for configuration. Use this output to verify the installDisk value in your talconfig.yaml — see 4.1 Generate Machine Configuration — Determine the Install Disk for details.
Tip
If a node is not responding, check the VM console in the Proxmox web UI. Common issues include incorrect network bridge configuration or the VM not having booted from the template correctly.
## Step 2: Apply Machine Configuration
Note
If you haven't generated machine configs yet, complete 4.1 Generate Machine Configuration before continuing.
### Control Plane Nodes
Apply the control plane config to each CP node:
```bash
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.31 \
  --file clusterconfig/rciis-proxmox-rciis-cp1.yaml
```
### Worker Nodes
```bash
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.34 \
  --file clusterconfig/rciis-proxmox-rciis-worker1.yaml
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.35 \
  --file clusterconfig/rciis-proxmox-rciis-worker2.yaml
talosctl apply-config \
  --insecure \
  --nodes 192.168.30.36 \
  --file clusterconfig/rciis-proxmox-rciis-worker3.yaml
```
After applying, each node:
- Installs Talos to the configured disk (e.g., `/dev/sda`)
- Reboots from the installed disk
- Starts Talos services and waits for cluster bootstrap
Note
The --insecure flag is required for the initial apply because the node does not yet have TLS credentials. After the first apply, all subsequent communication uses mTLS.
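Steps 1 and 2 above as one script, added here as an example and not part of the guide's repository or of talhelper/talosctl: it runs the maintenance-mode probe before each apply, so `--insecure` only ever reaches a node that still has no TLS credentials, and it derives each file name from the `<cluster-name>-<hostname>.yaml` convention. The node table, the `APPLY_NOW` switch and the function names are constructed for this example; the addresses and hostnames are this section's sample values.

```bash
#!/bin/sh
# Added example (not the guide's own tooling): probe each node for
# maintenance mode before applying, so --insecure is only sent to a node
# that has no TLS credentials yet. A node that already took its config
# serves only the mTLS API, so the probe fails and the node is skipped.
set -u

CLUSTER="rciis-proxmox"
# Constructed node table (hostname=ip) using this section's sample addresses.
NODES="rciis-cp1=192.168.30.31 rciis-worker1=192.168.30.34 rciis-worker2=192.168.30.35 rciis-worker3=192.168.30.36"

# talhelper names per-node files <cluster-name>-<hostname>.yaml
config_path() {
  printf 'clusterconfig/%s-%s.yaml\n' "$CLUSTER" "$1"
}

# Step 1: the maintenance-mode check from this section.
in_maintenance() {
  talosctl get disk -n "$1" --insecure >/dev/null 2>&1
}

# Step 2: apply the node's own config. Returns 2 when the node is not in
# maintenance mode (already configured or unreachable), 1 if the apply fails.
apply_node() {
  host=$1
  ip=$2
  if ! in_maintenance "$ip"; then
    echo "skip $host ($ip): not in maintenance mode, not using --insecure" >&2
    return 2
  fi
  talosctl apply-config --insecure --nodes "$ip" --file "$(config_path "$host")"
}

# Apply to every node in the table; non-zero if any node was skipped or failed.
apply_all() {
  rc=0
  for entry in $NODES; do
    apply_node "${entry%%=*}" "${entry#*=}" || rc=1
  done
  return "$rc"
}

# Run only when explicitly requested, e.g. APPLY_NOW=1 sh apply-configs.sh
if [ "${APPLY_NOW:-0}" = 1 ]; then
  apply_all
fi
```

A skipped node is reported on stderr rather than retried, so a node that has already rebooted into its installed config is never sent a second `--insecure` apply.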
Next Steps
Proceed to 4.3 Bootstrap the Cluster to configure talosctl, initialise etcd, retrieve credentials, and install the CNI plugin.