This is useful as CLI arguments and embedded config (to be added) can result in an extremely long URL.
Also makes the final URL easier to read and share, and allows users to bookmark the final configuration
with the schematic ID without needing to also include all the other parameters that were used to generate it.
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
Hardcoded `factory.talos.dev` in SPDX document namespace broke
deployments where image-factory runs under a different hostname.
External URL now threads from service config through SPDXOptions
and Builder down to namespace generation.
Fixes #440
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Add a /talosctl/:version endpoint which lists all downloadable talosctl binaries for a given version.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Add French (fr) locale file with translations for the image-factory
frontend interface.
Signed-off-by: Quentin Joly <quentinj@une-pause-cafe.fr>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
These were added when we were not keeping Image
Factory up-to-date with Talos; this was a hack that
never really worked in CI except a few times.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Move ownership/auth checks from scattered frontend handlers into
schematic.Factory.Get, which now accepts an OwnershipChecker. This
eliminates duplicated checkOwnership methods across http and spdx
frontends and ensures anonymous callers cannot probe schematic
existence when auth is enabled.
Also guard PXE credential embedding behind AuthProvider != nil so
credentials are never propagated when auth is disabled.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
This feature is Enterprise only (requires BUSL).
Any access to the schematic requires the user to be authenticated
before access.
Moreover, any schematic stores the owner in the schematic, so each
schematic becomes private (owned by the user which created it).
Authentication is configured using a set of usernames and keys
associated with each user (API key).
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Add enterprise-only checksum endpoint: appending .sha256 or .sha512
to any /image/ path returns a single-line checksum file instead of
the asset. Algorithm is selected from the suffix; the Checksummer
interface takes the suffix so no circular import is needed.
Wizard UI shows (sha256) and (sha512) links per download button;
non-enterprise builds show a localized (checksums) tooltip.
Integration tests cover both algorithms (GET, HEAD, validate,
reproducibility, error cases).
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
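The checksum commit above selects the hash algorithm from the path suffix and returns a single-line checksum file. The following Go snippet is an added illustration of that mechanism, not the project's own code: `SplitChecksumPath`, `ChecksumLine` and `ValidateChecksumLine` are hypothetical names, and the line format (`<hex digest>  <filename>`) is the one `sha256sum`/`sha512sum` accept, assumed here for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
	"strings"
)

// checksumSuffixes lists the suffixes that turn an asset request into a
// checksum-file request; anything else is served as the asset itself.
var checksumSuffixes = []string{".sha256", ".sha512"}

// hashFor maps a suffix to a hash constructor. Unknown suffixes are rejected
// rather than falling back to a default, so a typo never yields a weak digest.
func hashFor(suffix string) (func() hash.Hash, error) {
	switch suffix {
	case ".sha256":
		return sha256.New, nil
	case ".sha512":
		return sha512.New, nil
	default:
		return nil, fmt.Errorf("unsupported checksum suffix %q", suffix)
	}
}

// SplitChecksumPath reports whether a request path asks for a checksum file.
// It returns the underlying asset path, the matched suffix and ok=true, or the
// path unchanged with ok=false when no checksum suffix is present.
func SplitChecksumPath(p string) (asset, suffix string, ok bool) {
	for _, s := range checksumSuffixes {
		if strings.HasSuffix(p, s) {
			return strings.TrimSuffix(p, s), s, true
		}
	}
	return p, "", false
}

// ChecksumLine renders the single-line checksum file for an asset:
// "<hex digest>  <filename>\n" (two spaces, as the coreutils tools expect).
func ChecksumLine(suffix, name string, data []byte) (string, error) {
	newHash, err := hashFor(suffix)
	if err != nil {
		return "", err
	}
	h := newHash()
	h.Write(data) // hash.Hash.Write never returns an error
	return hex.EncodeToString(h.Sum(nil)) + "  " + name + "\n", nil
}

// ValidateChecksumLine recomputes the digest for data with the algorithm named
// by suffix and compares it in constant time against the digest in line.
func ValidateChecksumLine(line, suffix string, data []byte) error {
	fields := strings.Fields(line)
	if len(fields) != 2 {
		return fmt.Errorf("malformed checksum line %q", line)
	}
	newHash, err := hashFor(suffix)
	if err != nil {
		return err
	}
	h := newHash()
	h.Write(data)
	got := hex.EncodeToString(h.Sum(nil))
	if subtle.ConstantTimeCompare([]byte(got), []byte(fields[0])) != 1 {
		return fmt.Errorf("checksum mismatch for %s", fields[1])
	}
	return nil
}

func main() {
	// Constructed request path and payload; a real handler would stream the asset.
	asset, suffix, ok := SplitChecksumPath("/image/schematic-id/v1.0.0/metal-amd64.iso.sha256")
	if !ok {
		fmt.Println("not a checksum request")
		return
	}
	line, err := ChecksumLine(suffix, "metal-amd64.iso", []byte("constructed asset bytes"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("asset=%s\n%s", asset, line)
}
```

The handler shape this implies: strip the suffix, resolve the asset exactly as a normal `/image/` request would (including the ownership check), then hash the bytes and emit the line, so the checksum can never be served for an asset the caller could not download.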
Rename consistently to 'Image Factory Enterprise'.
Pass Talos name down to profile.
Pass the image factory name (and url) in the schematic's extension
Author field.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Previous fix #419 fixed the push, but that was not enough to fix the pull for verify.
The error message returned from sigstore library was not helpful to debug this.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #408
Now we have proper cache capacity, LRU, and also negative cache TTL to
help with the case when multiple instances might disagree on whether the cache
contains "not found" or not.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
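The cache commit above combines a bounded LRU with a time-limited negative entry, so that one instance's cached "not found" does not outlive a schematic another instance has since created. The Go code below is an added example of that design and is not the project's implementation; `Cache`, `Lookup`, `SetNotFound` and the injectable `now` clock are assumptions made for the illustration.

```go
package main

import (
	"container/list"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrNotFound is what the backing store returns for a confirmed miss.
var ErrNotFound = errors.New("not found")

type entry struct {
	key     string
	value   []byte
	missing bool      // negative entry: the backend said "not found"
	expires time.Time // only meaningful for negative entries
}

// Cache is a bounded LRU whose negative entries expire after negativeTTL,
// while positive entries live until evicted (immutable content, so no TTL).
type Cache struct {
	mu          sync.Mutex
	capacity    int
	negativeTTL time.Duration
	now         func() time.Time // injectable clock (hypothetical, for tests)
	ll          *list.List       // front = most recently used
	items       map[string]*list.Element
}

func NewCache(capacity int, negativeTTL time.Duration) *Cache {
	return &Cache{capacity: capacity, negativeTTL: negativeTTL, now: time.Now,
		ll: list.New(), items: map[string]*list.Element{}}
}

// add inserts or replaces key at the front and evicts the LRU tail when full.
func (c *Cache) add(key string, e entry) {
	if el, ok := c.items[key]; ok {
		el.Value = e
		c.ll.MoveToFront(el)
		return
	}
	c.items[key] = c.ll.PushFront(e)
	for c.ll.Len() > c.capacity {
		tail := c.ll.Back()
		c.ll.Remove(tail)
		delete(c.items, tail.Value.(entry).key)
	}
}

// Set stores a positive result.
func (c *Cache) Set(key string, value []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.add(key, entry{key: key, value: value})
}

// SetNotFound stores a negative result that expires after negativeTTL.
func (c *Cache) SetNotFound(key string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.add(key, entry{key: key, missing: true, expires: c.now().Add(c.negativeTTL)})
}

// Get returns the cached value. hit is false on a miss or an expired negative
// entry (which is dropped); a live negative entry is a hit yielding ErrNotFound.
func (c *Cache) Get(key string) (value []byte, hit bool, err error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	el, ok := c.items[key]
	if !ok {
		return nil, false, nil
	}
	e := el.Value.(entry)
	if e.missing && !c.now().Before(e.expires) {
		c.ll.Remove(el)
		delete(c.items, key)
		return nil, false, nil
	}
	c.ll.MoveToFront(el)
	if e.missing {
		return nil, true, ErrNotFound
	}
	return e.value, true, nil
}

// Lookup serves from cache and otherwise calls fetch, caching both outcomes.
func (c *Cache) Lookup(key string, fetch func(string) ([]byte, error)) ([]byte, error) {
	if v, hit, err := c.Get(key); hit {
		return v, err
	}
	v, err := fetch(key)
	switch {
	case err == nil:
		c.Set(key, v)
	case errors.Is(err, ErrNotFound):
		c.SetNotFound(key)
	}
	return v, err
}

// Len reports the number of live entries (positive and negative).
func (c *Cache) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.ll.Len()
}

func main() {
	c := NewCache(2, time.Minute)
	v, err := c.Lookup("constructed-key", func(string) ([]byte, error) { return nil, ErrNotFound })
	fmt.Println(v, err) // negative entry now cached for one minute
}
```

Only `ErrNotFound` is cached negatively; transient errors from the backend are passed through uncached so an outage does not turn into a minute of false "not found" answers.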
Rekres to use large runners instead of generic ones, as Image Factory
tests require lots of resources.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Bump Talos version and update machinery doc links to point to docs.siderolabs.com.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Remove the generic "Kubernetes 1.23+" prerequisite as it's redundant and
potentially confusing. The actual minimum Kubernetes version depends on
the hostUsers configuration:
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Add support for Kubernetes user namespaces to enhance pod security isolation.
This feature allows pods to run with a separate user namespace instead of
the host's user namespace when hostUsers is set to false.
Changes:
- Add hostUsers configuration option to values.yaml (default: true)
- Add Kubernetes version validation (requires K8s 1.25+ when hostUsers=false)
- Create helm-docs template (README.md.gotmpl) for automated documentation
- Update README with comprehensive security, configuration, and setup guides
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Also fix up the docs and allow documenting the non-leaf items to
clarify the documentation.
Clarify external registry, add a note about proxying.
Fixes #388
Fixes #389
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The new verifier requires explicit insecure option for insecure
registries.
This affects configurations when the cache registry doesn't use a
localhost endpoint, but some hostname.
Also rekres and bump Talos.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>