Having issues with wireguard connectivity from QEMU machines to Omni running on macOS revealed an issue: If macOS has multiple interfaces with IPs in the same subnet (for example connected both via ethernet and Wi-Fi), it could respond to WireGuard packets not from the interface they are received from, but from the other one, even when the wg endpoint was explicitly set to be a specific IP:PORT in Omni config. And this was breaking wg handshakes.
The core issue seems to be the wireguard-go library not implementing sticky sockets (`IP_PKTINFO`) on macOS.
While investigating, we found that the standard wireguard-go `StdNetBind` always binds to all interfaces (`0.0.0.0`), ignoring any specific host in the endpoint configuration. Add a custom bind implementation that respects the configured host.
This fixes the macOS issue as a side benefit.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Add an E2E test which adds an nginx service through an inlineManifests config patch on the control plane, and check that it is accessible.
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
Move some tests from e2e-upgrades test to e2e-misc-upgrades to speed up the overall speed, because the test was taking too much time.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Remove the flags for turning on SQLite storage for:
- Discovery service state
- Audit logs
- Machine logs
Instead, migrate them unconditionally to SQLite on the next startup.
Remove many flags which are no longer meaningful. Only keep the ones which are required for the migrations.
Additionally: Make the `--sqlite-storage-path` (or its config counterpart `.storage.sqlite.path`) required with no default value, as a default value does not make sense for it in most of the cases.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
META section updates are no-op for non-UKI machines, but still, the recent changes in the kernel args PR started clearing them (since now we compute schematic ID always), causing the schematic ID to be updated, which caused cluster machines to be upgraded and restarted.
Remove the UKI check and keep meta valus always as-is.
Update the integration tests to:
- Also include META values.
- Make Omni upgrade test pick both UKI and non-UKI machines.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Updated the default Kubernetes version to 1.34.2 and adjusted related
version constants in the integration script and Go files.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Changelog included the whole of Talos due to the unwanted dependency of `github.com/siderolabs/talos` brought in by a test. Remove that dependency, and re-generate the changelog for `v1.3.0-beta.0`.
Also, bump the Talos machinery version and rekres, which also bumps Go version to `1.25.3`.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Update the node version used by the frontend to the latest LTS version 24.11.0
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
(Re)implement the kernel args support functionality in the following way:
- Only support UKI or UKI-like (>=1.12 with GrubUseUKICmdline) systems.
- In `MachineStatusController`:
- When we see a machine for the first time, do a one-time operation of extracting of the extra kernel args from it and store them in the newly introduced `KernelArgs` resource. This resource is user-owned from that point on.
- Mark the `MachineStatus` with an annotation as "its kernel args are initialized".
- Start storing the the raw schematic.
- Take a one-time snapshot of the extensions on the machine and set them as "initial extensions". They might not be the "actual initial", i.e., the set of extensions when we actually seen the machine for the first time, but we do this in a best-effort basis. We need this, since now we cannot simply go back to the initial schematic ID when all extensions are removed - kernel args are also included in the schematic.
- Start collecting the kernel cmdline from Talos machines as well.
- Adapt the `SchematicConfiguration` controller to not revert to the initial schematic ID ever - it now always computes the needed schematic - when it wants to revert to the initial set of extensions, it uses the new field on the `MachineStatus`.
- Introduce the resource `MachineUpgradeStatus` and its controller `MachineUpgradeStatusController`, which handles the maintenance mode upgrades when kernel args are updated. The controller is named this way, since our long-term plan is to centralize all upgrade calls to be done from this controller. Currently, it does not change Talos version or the set of extensions. It works only in maintenance mode, only for kernel args changes (when supported).
- Introduce the resource `KernelArgsStatus` and its controller `KernelArgsStatusController`, which provides information about the kernel args updates. Its status is reliable in both maintenance and non-maintenance modes.
- Build a UI to update these args (with @Unix4ever's help).
Co-authored-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
- Make sure the console output of QEMU is sent to `console=ttyS0` when non-UKI is used.
- Use the new `cluster create` arg `--skip-injecting-extra-cmdline` to make sure `console=ttyS0` kernel arg is not duplicated.
- Get rid of `SUDO_USER` var.
- Add the missing `--omni.output-dir` flag to make sure the support bundles are collected to proper destinations.
- Gather all artifacts to be collected under `TEST_OUTPUTS_DIR` for better organization in the test artifacts archive.
- Quote some strings.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
It was using local pod IP which was generating new schematic every time
the test runs.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Rekres, fix linter issues, bump go to 1.25.2
See groups.google.com/g/golang-nuts/c/Gxn25BP4MXk/m/3KrM-XBOBAAJ
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Change the interceptor order to move the Prometheus metrics collector earlier, so that we can get metrics for the calls that fail early. Related to siderolabs/omni#1606.
Additionally, ensure that `get` access to the `AuthConfig` resource does not require a GRPC signature.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
It was using tabs instead of spaces for the `docker-compose.override.yml` file template.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
* Improve test cluster creation for e2e tests
* Remove partial config apply after vm wipe because it's no longer necessary
Co-authored-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
default / e2e-cluster-import (push) Has been cancelled
default / e2e-forced-removal (push) Has been cancelled
default / e2e-omni-upgrade (push) Has been cancelled
default / e2e-scaling (push) Has been cancelled
default / e2e-short (push) Has been cancelled
default / e2e-short-secureboot (push) Has been cancelled
default / e2e-templates (push) Has been cancelled
default / e2e-upgrades (push) Has been cancelled
default / e2e-workload-proxy (push) Has been cancelled
default / integration-test (push) Has been cancelled
default / lint (push) Has been cancelled
default / unit-tests (push) Has been cancelled
Rekres to bring back retrieve PR labels step default job and use relative location of GH workspace instead of `/tmp` for local storage.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
Added a new omnictl command for aborting cluster import process and removing the created resources (e.g `Cluster`, `MachineSet`s, `MachineSetNode`s without reseting the machines.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
