- Regularly wake up ControlPlaneStatusController to ensure the status
- Add ControlPlaneStatusType to SupportBundle
- Decrease the wait time if ControlPlaneStatus has errors, so we can reflect the actual state faster
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Change the RedactedClusterMachineConfig controller to also compute diffs between each config change and store them in a new resource.
Additionally, log this diff and include its creation in the audit logs.
Clean up old diffs with both size (count) and time-based retention.
Include these diffs in the support bundles.
The resource ID follows the following pattern: `<machine-id>-<timestamp>`, e.g., `34bafa44-e994-4911-9c1a-609cccefee93-2025-07-04T19:05:40.181Z`.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
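An added example, not part of the commit or of Omni's code, showing why the `<machine-id>-<timestamp>` ID has to be parsed from its fixed-width end, and how count and time retention combine. `ParseDiffID`, `Prune`, per-machine retention scope and the retention values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// tsLayout mirrors the page's example ID; assumed fixed-width UTC milliseconds.
const tsLayout = "2006-01-02T15:04:05.000Z"

// ParseDiffID splits "<machine-id>-<timestamp>". Both halves contain hyphens,
// so the fixed-width timestamp is cut from the end instead of splitting on "-".
func ParseDiffID(id string) (string, time.Time, error) {
	cut := len(id) - len(tsLayout) - 1
	if cut < 1 || id[cut] != '-' {
		return "", time.Time{}, fmt.Errorf("malformed diff ID %q", id)
	}
	ts, err := time.Parse(tsLayout, id[cut+1:])
	if err != nil {
		return "", time.Time{}, fmt.Errorf("bad timestamp in %q: %w", id, err)
	}
	return id[:cut], ts, nil
}

// Prune returns the IDs to delete (older than maxAge, or beyond the newest
// maxCount per machine) and, separately, the IDs that could not be parsed.
func Prune(ids []string, now time.Time, maxAge time.Duration, maxCount int) (del, bad []string) {
	sorted := append([]string(nil), ids...)
	// Same machine prefix + fixed-width UTC timestamp: lexical order is time order.
	sort.Sort(sort.Reverse(sort.StringSlice(sorted))) // newest first per machine
	seen := map[string]int{}
	for _, id := range sorted {
		m, ts, err := ParseDiffID(id)
		if err != nil {
			bad = append(bad, id) // report, never silently delete audit data
			continue
		}
		seen[m]++
		if seen[m] > maxCount || now.Sub(ts) > maxAge {
			del = append(del, id)
		}
	}
	return del, bad
}

func main() {
	now := time.Date(2025, 7, 10, 0, 0, 0, 0, time.UTC) // constructed "current time"
	id := "34bafa44-e994-4911-9c1a-609cccefee93-2025-07-04T19:05:40.181Z"
	fmt.Println(Prune([]string{id, "not-a-diff-id"}, now, 72*time.Hour, 2))
}
```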
Rework the discovery service affiliate deletion by doing the following changes:
1. Add support for arbitrary discovery services (e.g., self-hosted or third party):
   - Read the discovery service used by a machine from the machine itself
   - Implement a cache for discovery service clients
   - Use this discovery service client to remove the affiliate on node removal.
2. Make the discovery affiliate deletion asynchronous:
   - Introduce `DiscoveryAffiliateDeleteTask` resource
   - When a node is removed from a cluster, a resource for this node ID is created
   - A controller continuously tries to remove the affiliate until it succeeds or until it gets expired in the discovery service itself (after 30 minutes)
   - The controller removes the `DiscoveryAffiliateDeleteTask` resource
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
- Include exposed services in the support bundles.
- Produce a log when an exposed service request is redirected to the login (do not log other requests to avoid excessive logging).
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
The new controller is generic and allows extracting labels from any
resource type just by adding the controller to the runtime.
Using this controller will reduce reconciliation count as we ignore
resource spec updates.
Use the `ResourceLabels` resource as the input in the `MachineSetNode`.
Add the `MachineStatusLabelInstalled` label to make it possible for
the `MachineSetNode` controller to operate only with labels.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Any insecure `talosctl` commands now work with Omni per-instance
`talosconfig`.
The user should have at least the `Operator` Omni role to be able to use the
insecure `talosctl` mode.
The DNS resolver was updated to react to the `MachineStatus` resource
creation, not only the `ClusterMachineConfigStatus` resource.
That makes the DNS record for the UUID appear as soon as a machine joins Omni,
not when the machine gets allocated into a cluster.
The machines list now has a maintenance Talos version update button.
The UI will issue `talosctl upgrade` when another Talos version is
picked.
The `MachineStatus` controller was updated a bit: the version poller wasn't
marked as dirty after maintenance upgrades. Now we mark it as dirty
every time we get a Talos `MachineStatus` resource update.
Also fixed UI issues here and there.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Convert goroutine panics to errors or error logs.
Disallow usage of `golang.org/x/sync/errgroup` package in the backend by `depguard` linter. This linter configuration depends on: https://github.com/siderolabs/kres/pull/417
Rekres the project to include the feature (also bump Go to 1.22.4), but revert `PROTOBUF_GO_VERSION` and `GRPC_GATEWAY_VERSION` manually to not break the frontend.
Disallowing the named `go` statement was not possible at the moment using existing linters, raised an issue in `forbidigo` for it: https://github.com/ashanbrown/forbidigo/issues/47
Closes siderolabs/omni#373.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Fixes: https://github.com/siderolabs/omni/issues/33
It is now possible to get full access `kubeconfig` and `talosconfig`
(operator role), if the Omni instance has the `enable-break-glass-configs`
flag enabled.
They can be downloaded using CLI commands:
`omnictl kubeconfig --admin --cluster <name>`
`omnictl talosconfig --admin --cluster <name>`
After you download the config, the cluster will be marked with the
`omni.sidero.dev/tainted` annotation to keep in mind that this cluster
has weaker security and might need secrets rotation in the
future.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Fixes: https://github.com/siderolabs/omni/issues/45
Introduced a new resource type `ExtensionsConfiguration` that allows
setting the machine extensions list.
`SchematicConfiguration` is now read-only and is created by
`SchematicConfigurationController` from the `ExtensionsConfiguration`
resource. It also ensures that the schematic exists in the image factory by
calling the API.
This change is required to simplify the flow in the cluster templates
(no need to call `CreateSchematic` for each resource).
Export command support added as well.
Added cleanup hooks for the `ExtensionsConfiguration` for machine set, machine and cluster levels.
Changed the resource format to use `labels` instead of `target`. Now
it's the same as for config patches, except it doesn't merge several
resources, but gets the first one.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Works the same way as `talosctl support` but also grabs some relevant
Omni resources to help with the diagnostics.
Uses `go-talos-support` common module to collect Talos data.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>