diff --git a/Dockerfile b/Dockerfile
index 34e1dd4b8..37c46d4bf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1288,10 +1288,10 @@ FROM scratch AS proto-docs-build
COPY --from=generate-build-clean /api/docs/api.md /api.md
FROM scratch AS docs
-COPY --from=docs-build /tmp/configuration/ /website/content/v1.12/reference/configuration/
-COPY --from=docs-build /tmp/cli.md /website/content/v1.12/reference/
-COPY --from=docs-build /tmp/schemas /website/content/v1.12/schemas/
-COPY --from=proto-docs-build /api.md /website/content/v1.12/reference/
+COPY --from=docs-build /tmp/configuration/ /website/content/v1.13/reference/configuration/
+COPY --from=docs-build /tmp/cli.md /website/content/v1.13/reference/
+COPY --from=docs-build /tmp/schemas /website/content/v1.13/schemas/
+COPY --from=proto-docs-build /api.md /website/content/v1.13/reference/
# The talosctl-cni-bundle builds the CNI bundle for talosctl.
diff --git a/README.md b/README.md
index 40a7bdd47..f538c740e 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ See [Contributing](CONTRIBUTING.md) for our guidelines.
## License
-
+
Some software we distribute is under the General Public License family of licenses or other licenses that require we provide you with the source code.
diff --git a/hack/release.toml b/hack/release.toml
index 1cdfbb08e..57d25cb00 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -18,206 +18,9 @@ preface = """
[notes.updates]
title = "Component Updates"
description = """\
-Linux: 6.18.0
-Kubernetes: 1.35.0-rc.1
-CNI Plugins: 1.9.0
-cryptsetup: 2.8.1
-LVM2: 2_03_37
-systemd-udevd: 257.8
-runc: 1.3.4
-CoreDNS: 1.13.1
-etcd: 3.6.6
-Flannel: 0.27.4
-Flannel CNI plugin: v1.8.0-flannel2
-containerd: 2.1.5
-
-> For Talos 1.13 only:
-> containerd: 2.2.0
+containerd: 2.2.0
Talos is built with Go 1.25.5.
-"""
-
- [notes.luks2]
- title = "Encrypted Volumes"
- description = """\
-Talos Linux now consistently provides mapped names for encrypted volumes in the format `/dev/mapper/luks2-`.
-This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
-and specifically for raw encrypted volumes.
-"""
-
- [notes.disk-encryption]
- title = "Disk Encryption"
- description = """\
-Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.
-
-Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the `options.pcrs`
-field in the `tpm` section of the disk encryption configuration.
-
-If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.
-
-This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
-and users may wish to disable locking to PCR 7 state entirely.
-
-Signed PCR policies will still be bound to PCR 11.
-
-The currently used PCR's can be seen with `talosctl get volumestatus -o yaml` command.
-"""
-
- [notes.kspp]
- title = "Kernel Security Posture Profile (KSPP)"
- description = """\
-Talos now enables a stricter set of KSPP sysctl settings by default.
-The list of overridden settings is available with `talosctl get kernelparamstatus` command.
-"""
-
- [notes.extra-binaries]
- title = "Extra Binaries"
- description = """\
-Talos Linux now ships with `nft` binary in the rootfs to support CNIs which shell out to `nft` command.
-"""
-
- [notes.ethernet-config]
- title = "Ethernet Configuration"
- description = """\
-The Ethernet configuration now includes a `wakeOnLAN` field to enable Wake-on-LAN (WOL) support.
-This field can be set to enable WOL and specify the desired WOL modes.
-"""
-
- [notes.embedded-config]
- title = "Embedded Config"
- description = """\
-Talos Linux now supports [embedding the machine configuration](https://www.talos.dev/v1.12/talos-guides/configuration/acquire/) directly into the boot image.
-"""
-
- [notes.feature-lock]
- title = "Feature Lock"
- description = """\
-Talos now ignores the following machine configuration fields:
-
-- `machine.features.rbac` (locked to true)
-- `machine.features.apidCheckExtKeyUsage` (locked to true)
-- `cluster.apiServer.disablePodSecurityPolicy` (locked to true)
-
-These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.
-"""
-
- [notes.etcd]
- title = "etcd"
- description = """\
-etcd container image is now pulled from `registry.k8s.io/etcd` instead of `gcr.io/etcd-development/etcd`.
-"""
-
- [notes.talosctl]
- title = "talosctl image cache-serve"
- description = """\
-`talosctl` includes new subcommand `image cache-serve`.
-It allows serving the created OCI image registry over HTTP/HTTPS.
-It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the `cache-create` command;
-
-Additionally `talosctl image cache-create` has some changes:
- * new flag `--layout`: `oci` (_default_), `flat`:
- * `oci` preserves current behavior;
- * `flat` does not repack artifact layer, but moves it to a destination directory, allowing it to be served by `talosctl image cache-serve`;
- * changed flag `--platform`: now can accept multiple os/arch combinations:
- * comma separated (`--platform=linux/amd64,linux/arm64`);
- * multiple instances (`--platform=linux/amd64 --platform=linux/arm64`);
-"""
-
- [notes.force-reboot]
- title = "Talos force reboot"
- description = """\
-Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
-It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.
-
-In addition, `talosctl` was updated to support this feature via `talosctl reboot --mode force`.
-"""
-
- [notes.kernel-module]
- title = "Kernel Module"
- description = """\
-Talos now supports optionally disabling kernel module signature verification by setting `module.sig_enforce=0` kernel parameter.
-By default module signature verification is enabled (`module.sig_enforce=1`).
-When using Factory or Imager supply as `-module.sig_enfore module.sig_enforce=0` kernel parameters to disable module signature enforcement.
-"""
-
- [notes.grub]
- title = "GRUB"
- description = """\
-Talos Linux introduces new machine configuration option `.machine.install.grubUseUKICmdline` to control whether GRUB should use the kernel command line
-provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).
-
-This option defaults to `true` for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
-For existing installations upgrading to v1.12, this option will default to `false` to preserve the legacy behavior.
-"""
-
- [notes.directory-user-volumes]
- title = "New User Volume type - bind"
- description = """\
-New field in UserVolumeConfig - `volumeType` that defaults to `partition`, but can be set to `directory`.
-When set to `directory`, provisioning and filesystem operations are skipped and a directory is created under `/var/mnt/`.
-
-The `directory` type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.
-
-When `volumeType = "directory"`:
-- A directory is created at `/var/mnt/`;
-- `provisioning`, `filesystem` and `encryption` are prohibited.
-
-Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
-It should not be used for workloads requiring predictable storage quotas.
-"""
-
- [notes.registry-configuration]
- title = "CRI Registry Configuration"
- description = """\
-The CRI registry configuration in v1apha1 legacy machine configuration under `.machine.registries` is now deprecated, but still supported for backwards compatibility.
-New configuration documents `RegistryMirrorConfig`, `RegistryAuthConfig` and `RegistryTLSConfig` should be used instead.
-"""
-
- [notes.disk-user-volumes]
- title = "New User Volume type - disk"
- description = """\
-`volumeType` in UserVolumeConfig can be set to `disk`.
-When set to `disk`, a full block device is used for the volume.
-
-When `volumeType = "disk"`:
-- Size specific settings are not allowed in the provisioning block (`minSize`, `maxSize`, `grow`).
-"""
-
- [notes.uefi-boot]
- title = "UEFI Boot"
- description = """\
-When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
-Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
-To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.
-"""
-
- [notes.network-configuration]
- title = "Network Configuration"
- description = """\
-The network configuration under `.machine.network` (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
-See [documentation](https://docs.siderolabs.com/talos/v1.12/networking/configuration/overview) for more information.
-"""
-
- [notes.apiserver-cipher-suites]
- title = "API Server Cipher Suites"
- description = """\
-The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
-This is in line with a set of best practices documented in CIS 1.12 benchmark.
-
-You can still expand the list of supported cipher suites via the `cluster.apiServer.extraArgs."tls-cipher-suites"` machine configuration field if needed.
-"""
-
- [notes.kernel-log]
- title = "Kernel Log"
- description = """\
-The kernel log (dmesg) is now also available as the service log named `kernel` (`talosctl logs kernel`).
-"""
-
- [notes.persistent-logs]
- title = "Persistent logs"
- description = """\
-Talos now stores system component logs in /var/log, featuring automatic log rotation and keeping two most
-recent log files. This change allows collecting logs from Talos like on any other Linux system.
"""
[make_deps]
diff --git a/pkg/machinery/compatibility/kubernetes_version.go b/pkg/machinery/compatibility/kubernetes_version.go
index fa22f9a76..48df51e8e 100644
--- a/pkg/machinery/compatibility/kubernetes_version.go
+++ b/pkg/machinery/compatibility/kubernetes_version.go
@@ -13,6 +13,7 @@ import (
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos110"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos111"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos112"
+ "github.com/siderolabs/talos/pkg/machinery/compatibility/talos113"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos12"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos13"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos14"
@@ -73,6 +74,8 @@ func (v *KubernetesVersion) SupportedWith(target *TalosVersion) error {
minK8sVersion, maxK8sVersion = talos111.MinimumKubernetesVersion, talos111.MaximumKubernetesVersion
case talos112.MajorMinor: // upgrades to 1.12.x
minK8sVersion, maxK8sVersion = talos112.MinimumKubernetesVersion, talos112.MaximumKubernetesVersion
+ case talos113.MajorMinor: // upgrades to 1.13.x
+ minK8sVersion, maxK8sVersion = talos113.MinimumKubernetesVersion, talos113.MaximumKubernetesVersion
default:
return fmt.Errorf("compatibility with version %s is not supported", target.String())
}
diff --git a/pkg/machinery/compatibility/kubernetes_version_test.go b/pkg/machinery/compatibility/kubernetes_version_test.go
index bf6d17780..27595f735 100644
--- a/pkg/machinery/compatibility/kubernetes_version_test.go
+++ b/pkg/machinery/compatibility/kubernetes_version_test.go
@@ -385,12 +385,45 @@ func TestKubernetesCompatibility112(t *testing.T) {
}
}
+func TestKubernetesCompatibility113(t *testing.T) {
+ for _, tt := range []kubernetesVersionTest{
+ {
+ kubernetesVersion: "1.31.1",
+ target: "1.13.0",
+ },
+ {
+ kubernetesVersion: "1.32.1",
+ target: "1.13.0",
+ },
+ {
+ kubernetesVersion: "1.35.3",
+ target: "1.13.0-beta.0",
+ },
+ {
+ kubernetesVersion: "1.36.0-rc.0",
+ target: "1.13.7",
+ },
+ {
+ kubernetesVersion: "1.37.0-alpha.0",
+ target: "1.13.0",
+ expectedError: "version of Kubernetes 1.37.0-alpha.0 is too new to be used with Talos 1.13.0",
+ },
+ {
+ kubernetesVersion: "1.30.1",
+ target: "1.13.0",
+ expectedError: "version of Kubernetes 1.30.1 is too old to be used with Talos 1.13.0",
+ },
+ } {
+ runKubernetesVersionTest(t, tt)
+ }
+}
+
func TestKubernetesCompatibilityUnsupported(t *testing.T) {
for _, tt := range []kubernetesVersionTest{
{
kubernetesVersion: "1.25.0",
- target: "1.13.0-alpha.0",
- expectedError: "compatibility with version 1.13.0-alpha.0 is not supported",
+ target: "1.14.0-alpha.0",
+ expectedError: "compatibility with version 1.14.0-alpha.0 is not supported",
},
{
kubernetesVersion: "1.25.0",
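Review bot: The new TestKubernetesCompatibility113 table does not pin the exact lower bound. It accepts `1.31.1` and rejects `1.30.1`, but `1.31.0` itself (the value of talos113.MinimumKubernetesVersion) is never checked. Adding `{kubernetesVersion: "1.31.0", target: "1.13.0"},` would catch an off-by-one in the comparison. A pre-release such as `1.31.0-alpha.0` is also worth a row, because semver orders it below `1.31.0` and the expected outcome is not obvious from the table. The comparison itself lives in SupportedWith, outside this hunk, and TestKubernetesCompatibilityUnsupported continues past the hunk's last line.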
diff --git a/pkg/machinery/compatibility/talos112/talos112.go b/pkg/machinery/compatibility/talos112/talos112.go
index 66291310e..a7f122f86 100644
--- a/pkg/machinery/compatibility/talos112/talos112.go
+++ b/pkg/machinery/compatibility/talos112/talos112.go
@@ -9,7 +9,7 @@ import (
"github.com/blang/semver/v4"
)
-// MajorMinor is the major.minor version of Talos 1.11.
+// MajorMinor is the major.minor version of Talos 1.12.
var MajorMinor = [2]uint64{1, 12}
// MinimumHostUpgradeVersion is the minimum version of Talos that can be upgraded to 1.12.
diff --git a/pkg/machinery/compatibility/talos113/talos113.go b/pkg/machinery/compatibility/talos113/talos113.go
new file mode 100644
index 000000000..2a6c9cead
--- /dev/null
+++ b/pkg/machinery/compatibility/talos113/talos113.go
@@ -0,0 +1,28 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package talos113 provides compatibility constants for Talos 1.13.
+package talos113
+
+import (
+ "github.com/blang/semver/v4"
+)
+
+// MajorMinor is the major.minor version of Talos 1.13.
+var MajorMinor = [2]uint64{1, 13}
+
+// MinimumHostUpgradeVersion is the minimum version of Talos that can be upgraded to 1.13.
+var MinimumHostUpgradeVersion = semver.MustParse("1.11.0")
+
+// MaximumHostDowngradeVersion is the maximum (not inclusive) version of Talos that can be downgraded to 1.13.
+var MaximumHostDowngradeVersion = semver.MustParse("1.15.0")
+
+// DeniedHostUpgradeVersions are the versions of Talos that cannot be upgraded to 1.13.
+var DeniedHostUpgradeVersions []semver.Version
+
+// MinimumKubernetesVersion is the minimum version of Kubernetes is supported with 1.13.
+var MinimumKubernetesVersion = semver.MustParse("1.31.0")
+
+// MaximumKubernetesVersion is the maximum version of Kubernetes is supported with 1.13.
+var MaximumKubernetesVersion = semver.MustParse("1.36.99")
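Review bot: The doc comments on MinimumKubernetesVersion and MaximumKubernetesVersion are ungrammatical ("is the minimum version of Kubernetes is supported with 1.13") and do not say whether the bounds are inclusive. Suggested wording: `// MinimumKubernetesVersion is the minimum version of Kubernetes supported with Talos 1.13.` and `// MaximumKubernetesVersion is the maximum version of Kubernetes supported with Talos 1.13; patch 99 stands for "any 1.36.x".` The second half is an assumption from the `1.36.99` value and should be confirmed against SupportedWith, which is outside this hunk. Because these bounds gate upgrade and compatibility checks, stating the inclusive or exclusive intent next to each value makes the next release bump easier to review.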
diff --git a/pkg/machinery/compatibility/talos_version.go b/pkg/machinery/compatibility/talos_version.go
index fd5bb9247..f9b1cf4a3 100644
--- a/pkg/machinery/compatibility/talos_version.go
+++ b/pkg/machinery/compatibility/talos_version.go
@@ -15,6 +15,7 @@ import (
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos110"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos111"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos112"
+ "github.com/siderolabs/talos/pkg/machinery/compatibility/talos113"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos12"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos13"
"github.com/siderolabs/talos/pkg/machinery/compatibility/talos14"
@@ -111,6 +112,9 @@ func (v *TalosVersion) UpgradeableFrom(host *TalosVersion) error {
case talos112.MajorMinor: // upgrades to 1.12.x
minHostUpgradeVersion, maxHostDowngradeVersion = talos112.MinimumHostUpgradeVersion, talos112.MaximumHostDowngradeVersion
deniedHostUpgradeVersions = talos112.DeniedHostUpgradeVersions
+ case talos113.MajorMinor: // upgrades to 1.13.x
+ minHostUpgradeVersion, maxHostDowngradeVersion = talos113.MinimumHostUpgradeVersion, talos113.MaximumHostDowngradeVersion
+ deniedHostUpgradeVersions = talos113.DeniedHostUpgradeVersions
default:
return fmt.Errorf("upgrades to version %s are not supported", v.version.String())
}
diff --git a/pkg/machinery/compatibility/talos_version_test.go b/pkg/machinery/compatibility/talos_version_test.go
index e36aad4b6..5e44a4218 100644
--- a/pkg/machinery/compatibility/talos_version_test.go
+++ b/pkg/machinery/compatibility/talos_version_test.go
@@ -400,9 +400,9 @@ func TestTalosUpgradeCompatibility111(t *testing.T) {
expectedError: `host version 1.8.0 is too old to upgrade to Talos 1.11.0`,
},
{
- host: "1.13.0-alpha.0",
- target: "1.11.0",
- expectedError: `host version 1.13.0-alpha.0 is too new to downgrade to Talos 1.11.0`,
+ host: "1.14.0-alpha.0",
+ target: "1.12.0",
+ expectedError: `host version 1.14.0-alpha.0 is too new to downgrade to Talos 1.12.0`,
},
} {
runTalosVersionTest(t, tt)
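Review bot: The rewritten case appears to sit in the wrong test table. The hunk header and the preceding context line (`too old to upgrade to Talos 1.11.0`) place it in TestTalosUpgradeCompatibility111, yet it now uses `target: "1.12.0"`. As far as this hunk shows, the 1.11 table therefore loses its "too new to downgrade" rejection case and gains a row that belongs to 1.12. I would keep the original `host: "1.13.0-alpha.0"`, `target: "1.11.0"` entry here and add the `1.14.0-alpha.0` to `1.12.0` row to TestTalosUpgradeCompatibility112 instead. The function starts before the hunk, so confirm against the full file.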
@@ -450,12 +450,53 @@ func TestTalosUpgradeCompatibility112(t *testing.T) {
}
}
+func TestTalosUpgradeCompatibility113(t *testing.T) {
+ for _, tt := range []talosVersionTest{
+ {
+ host: "1.11.0",
+ target: "1.13.0",
+ },
+ {
+ host: "1.12.0-alpha.0",
+ target: "1.13.0",
+ },
+ {
+ host: "1.11.0",
+ target: "1.13.0-alpha.0",
+ },
+ {
+ host: "1.12.3",
+ target: "1.13.1",
+ },
+ {
+ host: "1.13.0-beta.0",
+ target: "1.13.0",
+ },
+ {
+ host: "1.13.5",
+ target: "1.13.3",
+ },
+ {
+ host: "1.10.0",
+ target: "1.13.0",
+ expectedError: `host version 1.10.0 is too old to upgrade to Talos 1.13.0`,
+ },
+ {
+ host: "1.15.0-alpha.0",
+ target: "1.13.0",
+ expectedError: `host version 1.15.0-alpha.0 is too new to downgrade to Talos 1.13.0`,
+ },
+ } {
+ runTalosVersionTest(t, tt)
+ }
+}
+
func TestTalosUpgradeCompatibilityUnsupported(t *testing.T) {
for _, tt := range []talosVersionTest{
{
- host: "1.3.0",
- target: "1.13.0-alpha.0",
- expectedError: `upgrades to version 1.13.0-alpha.0 are not supported`,
+ host: "1.5.0",
+ target: "1.15.0-alpha.0",
+ expectedError: `upgrades to version 1.15.0-alpha.0 are not supported`,
},
{
host: "1.4.0",
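Review bot: TestTalosUpgradeCompatibility113 never exercises an accepted downgrade from the next minor. The only host above 1.13.x is `1.15.0-alpha.0`, which is expected to fail, so the allowed side of `MaximumHostDowngradeVersion = 1.15.0` is untested. A row such as `{host: "1.14.0", target: "1.13.0"},` would cover it, assuming UpgradeableFrom (outside this hunk) treats that bound as exclusive, as its comment says. Separately, TestTalosUpgradeCompatibilityUnsupported now probes `1.15.0-alpha.0` while the Kubernetes counterpart uses `1.14.0-alpha.0`. Using the first unsupported minor in both keeps the two tables in step at the next release; this function continues past the end of the hunk.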
diff --git a/pkg/machinery/config/contract.go b/pkg/machinery/config/contract.go
index 6b1761a99..f389e89a7 100644
--- a/pkg/machinery/config/contract.go
+++ b/pkg/machinery/config/contract.go
@@ -25,6 +25,7 @@ type VersionContract struct {
// Well-known Talos version contracts.
var (
TalosVersionCurrent = (*VersionContract)(nil)
+ TalosVersion1_13 = &VersionContract{1, 13}
TalosVersion1_12 = &VersionContract{1, 12}
TalosVersion1_11 = &VersionContract{1, 11}
TalosVersion1_10 = &VersionContract{1, 10}
diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/base-controlplane.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/base-controlplane.yaml
new file mode 100644
index 000000000..0eb1c2afe
--- /dev/null
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/base-controlplane.yaml
@@ -0,0 +1,94 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+ type: controlplane
+ token: d8cwfa.eyvpi0xwxyarbfid
+ ca:
+ crt: 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
+ key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJTURXbklEdVpSdlhQcW1tbSt6bk15SWMrdk53ZjdnYksvSmR3WC9iN2d1RQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+ certSANs: []
+ kubelet:
+ image: ghcr.io/siderolabs/kubelet:v1.28.0
+ defaultRuntimeSeccompProfileEnabled: true
+ disableManifestsDirectory: true
+ network: {}
+ install:
+ wipe: false
+ grubUseUKICmdline: true
+ features:
+ diskQuotaSupport: true
+ kubePrism:
+ enabled: true
+ port: 7445
+ hostDNS:
+ enabled: true
+ forwardKubeDNSToHost: true
+ nodeLabels:
+ node.kubernetes.io/exclude-from-external-load-balancers: ""
+cluster:
+ id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
+ secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
+ controlPlane:
+ endpoint: https://base:6443
+ clusterName: base
+ network:
+ dnsDomain: cluster.local
+ podSubnets:
+ - 10.244.0.0/16
+ serviceSubnets:
+ - 10.96.0.0/12
+ token: inn7ol.u4ehnti8qyls9ymo
+ secretboxEncryptionSecret: 45yd2Ke+sytiICojDf8aibTfgt99nzJmO53cjDqrCto=
+ ca:
+ crt: 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
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUVZbFloNzVTUTZ6VUJFTUZ6em5pUzZuVVg3Q2VxQ013S3k0RTZHVEVFMGNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFeXhvUi9JYklTZ3V2NG01azY2OFJTSzR6WDRjSHFoMlJHNVRCMEczenRtbnU0a1NHRUNWLwo2cmhCdzdHbE9KK2tjT3NEd0JNWGNGZ2dRVnBhQXM0MWF3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+ aggregatorCA:
+ crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJYakNDQVFXZ0F3SUJBZ0lRWnNnVDRZZzVxRkNIbS9QTnV5QUVSekFLQmdncWhrak9QUVFEQWpBQU1CNFgKRFRJek1UQXhNakV3TkRZd09Wb1hEVE16TVRBd09URXdORFl3T1Zvd0FEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxRwpTTTQ5QXdFSEEwSUFCRmQ1eEhFWHhZRndQeTdaWjhmd3FHRGU2YVQ5ZmxNRVlWZENRNDlEaWZobWVteTVDaHZRCnlVRkpZcFM4b21HODVTS1dnOEpFTkoyNnhEdm9WMFBCS2srallUQmZNQTRHQTFVZER3RUIvd1FFQXdJQ2hEQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZApCZ05WSFE0RUZnUVV4K0xab1FrYjlmOTN0Y0g4NnZjOUc2ZE13T2t3Q2dZSUtvWkl6ajBFQXdJRFJ3QXdSQUlnClhudDVXdmEzOGtWVTB3NjExMEp4bU43Qm5zcWl2NnNMaXlJNXRUR1BDQk1DSUZDQlJ3RXZSYTNnU3pkdXB6ajcKQVJLV3NlK3V5YW9rMnlNYXZnaUVITWpUCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlMblhpQ3hOWU1CWHpncjVuYmc3bnVtUWM2UGlHaXdmWUN2eFF3Tlhxc3dvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVjNuRWNSZkZnWEEvTHRsbngvQ29ZTjdwcFAxK1V3UmhWMEpEajBPSitHWjZiTGtLRzlESgpRVWxpbEx5aVliemxJcGFEd2tRMG5ickVPK2hYUThFcVR3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+ serviceAccount:
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlHVElBQjZZUzV0cFcrUnYxeDBPY09Jb1h0SXgzdGZteVFZNGxOWWRCbmpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFQ3drbVVTUmtrbnlOc0NjTFJNUTlmZWx6cFY0dDdIdlNRcnp6ZGRvK2pWYmlqd2kwVVE1YQp0VW8vZkxQbDlBckVNOHNRWTVOSlgraVdxYjFkQWFXa2VnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+ apiServer:
+ image: registry.k8s.io/kube-apiserver:v1.28.0
+ admissionControl:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+ defaults:
+ audit: restricted
+ audit-version: latest
+ enforce: baseline
+ enforce-version: latest
+ warn: restricted
+ warn-version: latest
+ exemptions:
+ namespaces:
+ - kube-system
+ runtimeClasses: []
+ usernames: []
+ kind: PodSecurityConfiguration
+ auditPolicy:
+ apiVersion: audit.k8s.io/v1
+ kind: Policy
+ rules:
+ - level: Metadata
+ controllerManager:
+ image: registry.k8s.io/kube-controller-manager:v1.28.0
+ proxy:
+ image: registry.k8s.io/kube-proxy:v1.28.0
+ scheduler:
+ image: registry.k8s.io/kube-scheduler:v1.28.0
+ discovery:
+ enabled: true
+ registries:
+ kubernetes:
+ disabled: true
+ service: {}
+ etcd:
+ ca:
+ crt: 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
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU03Q2VnMk1GQW5TM3ROMzV6QTc0aFZ3VElkTkthK0ZwUHlYVERCdU4wVFlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNmxTeTNTekRRRmdBTHNlSXR5UU1paTVaSVJkVTFGUmMzcEZ3b3g1QUE1VHdjZ0VVQ0xaNApwMTJSNGp3ZGozWXhqbmxLYW9GY3o3QVR5ME5mWTdMVWt3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+---
+apiVersion: v1alpha1
+kind: HostnameConfig
+auto: stable
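Review bot: This fixture embeds base64-encoded PEM private keys (`machine.ca.key`, `cluster.ca.key`, `aggregatorCA.key`, `serviceAccount.key`, `etcd.ca.key`) along with bootstrap tokens and the secretbox secret, and nothing in the commit records that they are throwaway test material. The same applies to `overrides-controlplane.yaml` in this commit. Since these look like golden files compared byte-for-byte, an in-file comment is probably not an option. A short README in `testdata/stability/` stating the credentials are generated for tests and never used by a real cluster, plus a path allowlist entry for whatever secret scanner the repository runs, would keep real findings from being buried under fixture hits.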
diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/base-worker.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/base-worker.yaml
new file mode 100644
index 000000000..d48b1c036
--- /dev/null
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/base-worker.yaml
@@ -0,0 +1,52 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+ type: worker
+ token: d8cwfa.eyvpi0xwxyarbfid
+ ca:
+ crt: 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
+ key: ""
+ certSANs: []
+ kubelet:
+ image: ghcr.io/siderolabs/kubelet:v1.28.0
+ defaultRuntimeSeccompProfileEnabled: true
+ disableManifestsDirectory: true
+ network: {}
+ install:
+ wipe: false
+ grubUseUKICmdline: true
+ features:
+ diskQuotaSupport: true
+ kubePrism:
+ enabled: true
+ port: 7445
+ hostDNS:
+ enabled: true
+ forwardKubeDNSToHost: true
+cluster:
+ id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
+ secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
+ controlPlane:
+ endpoint: https://base:6443
+ clusterName: base
+ network:
+ dnsDomain: cluster.local
+ podSubnets:
+ - 10.244.0.0/16
+ serviceSubnets:
+ - 10.96.0.0/12
+ token: inn7ol.u4ehnti8qyls9ymo
+ ca:
+ crt: 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
+ key: ""
+ discovery:
+ enabled: true
+ registries:
+ kubernetes:
+ disabled: true
+ service: {}
+---
+apiVersion: v1alpha1
+kind: HostnameConfig
+auto: stable
diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/overrides-controlplane.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/overrides-controlplane.yaml
new file mode 100644
index 000000000..8652e8fca
--- /dev/null
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/overrides-controlplane.yaml
@@ -0,0 +1,123 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+ type: controlplane
+ token: d8cwfa.eyvpi0xwxyarbfid
+ ca:
+ crt: 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
+ key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJTURXbklEdVpSdlhQcW1tbSt6bk15SWMrdk53ZjdnYksvSmR3WC9iN2d1RQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
+ certSANs:
+ - foo
+ - bar
+ kubelet:
+ image: ghcr.io/siderolabs/kubelet:v1.28.0
+ extraMounts:
+ - destination: /var/opt
+ type: bind
+ source: /var/opt
+ options:
+ - rshared
+ defaultRuntimeSeccompProfileEnabled: true
+ disableManifestsDirectory: true
+ network: {}
+ install:
+ disk: /dev/vda
+ extraKernelArgs:
+ - foo=bar
+ - bar=baz
+ wipe: false
+ grubUseUKICmdline: true
+ sysctls:
+ foo: bar
+ features:
+ diskQuotaSupport: true
+ kubePrism:
+ enabled: true
+ port: 7445
+ hostDNS:
+ enabled: true
+ forwardKubeDNSToHost: true
+ nodeLabels:
+ node.kubernetes.io/exclude-from-external-load-balancers: ""
+cluster:
+ id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
+ secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
+ controlPlane:
+ endpoint: https://base:6443
+ localAPIServerPort: 5443
+ clusterName: base
+ network:
+ cni:
+ name: custom
+ urls:
+ - https://example.com/cni.yaml
+ dnsDomain: example.com
+ podSubnets:
+ - 10.244.0.0/16
+ serviceSubnets:
+ - 10.96.0.0/12
+ token: inn7ol.u4ehnti8qyls9ymo
+ secretboxEncryptionSecret: 45yd2Ke+sytiICojDf8aibTfgt99nzJmO53cjDqrCto=
+ ca:
+ crt: 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
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUVZbFloNzVTUTZ6VUJFTUZ6em5pUzZuVVg3Q2VxQ013S3k0RTZHVEVFMGNvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFeXhvUi9JYklTZ3V2NG01azY2OFJTSzR6WDRjSHFoMlJHNVRCMEczenRtbnU0a1NHRUNWLwo2cmhCdzdHbE9KK2tjT3NEd0JNWGNGZ2dRVnBhQXM0MWF3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+ aggregatorCA:
+ crt: 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
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlMblhpQ3hOWU1CWHpncjVuYmc3bnVtUWM2UGlHaXdmWUN2eFF3Tlhxc3dvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVjNuRWNSZkZnWEEvTHRsbngvQ29ZTjdwcFAxK1V3UmhWMEpEajBPSitHWjZiTGtLRzlESgpRVWxpbEx5aVliemxJcGFEd2tRMG5ickVPK2hYUThFcVR3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+ serviceAccount:
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUlHVElBQjZZUzV0cFcrUnYxeDBPY09Jb1h0SXgzdGZteVFZNGxOWWRCbmpvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFQ3drbVVTUmtrbnlOc0NjTFJNUTlmZWx6cFY0dDdIdlNRcnp6ZGRvK2pWYmlqd2kwVVE1YQp0VW8vZkxQbDlBckVNOHNRWTVOSlgraVdxYjFkQWFXa2VnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+ apiServer:
+ image: registry.k8s.io/kube-apiserver:v1.28.0
+ certSANs:
+ - foo
+ - bar
+ admissionControl:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1alpha1
+ defaults:
+ audit: restricted
+ audit-version: latest
+ enforce: baseline
+ enforce-version: latest
+ warn: restricted
+ warn-version: latest
+ exemptions:
+ namespaces:
+ - kube-system
+ runtimeClasses: []
+ usernames: []
+ kind: PodSecurityConfiguration
+ auditPolicy:
+ apiVersion: audit.k8s.io/v1
+ kind: Policy
+ rules:
+ - level: Metadata
+ controllerManager:
+ image: registry.k8s.io/kube-controller-manager:v1.28.0
+ proxy:
+ image: registry.k8s.io/kube-proxy:v1.28.0
+ scheduler:
+ image: registry.k8s.io/kube-scheduler:v1.28.0
+ discovery:
+ enabled: true
+ registries:
+ kubernetes:
+ disabled: true
+ service: {}
+ etcd:
+ ca:
+ crt: 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
+ key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU03Q2VnMk1GQW5TM3ROMzV6QTc0aFZ3VElkTkthK0ZwUHlYVERCdU4wVFlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNmxTeTNTekRRRmdBTHNlSXR5UU1paTVaSVJkVTFGUmMzcEZ3b3g1QUE1VHdjZ0VVQ0xaNApwMTJSNGp3ZGozWXhqbmxLYW9GY3o3QVR5ME5mWTdMVWt3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+ allowSchedulingOnControlPlanes: true
+---
+apiVersion: v1alpha1
+kind: RegistryMirrorConfig
+name: ghcr.io
+endpoints:
+ - url: https://ghcr.io.my-mirror.com
+---
+apiVersion: v1alpha1
+kind: HostnameConfig
+auto: stable
diff --git a/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/overrides-worker.yaml b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/overrides-worker.yaml
new file mode 100644
index 000000000..b567f94d2
--- /dev/null
+++ b/pkg/machinery/config/types/v1alpha1/testdata/stability/v1.13/overrides-worker.yaml
@@ -0,0 +1,76 @@
+version: v1alpha1
+debug: false
+persist: true
+machine:
+ type: worker
+ token: d8cwfa.eyvpi0xwxyarbfid
+ ca:
+ crt: 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
+ key: ""
+ certSANs:
+ - foo
+ - bar
+ kubelet:
+ image: ghcr.io/siderolabs/kubelet:v1.28.0
+ extraMounts:
+ - destination: /var/opt
+ type: bind
+ source: /var/opt
+ options:
+ - rshared
+ defaultRuntimeSeccompProfileEnabled: true
+ disableManifestsDirectory: true
+ network: {}
+ install:
+ disk: /dev/vda
+ extraKernelArgs:
+ - foo=bar
+ - bar=baz
+ wipe: false
+ grubUseUKICmdline: true
+ sysctls:
+ foo: bar
+ features:
+ diskQuotaSupport: true
+ kubePrism:
+ enabled: true
+ port: 7445
+ hostDNS:
+ enabled: true
+ forwardKubeDNSToHost: true
+cluster:
+ id: 0raF93qnkMvF-FZNuvyGozXNdLiT2FOWSlyBaW4PR-w=
+ secret: pofHbABZq7VXuObsdLdy/bHmz6hlMHZ3p8+6WKrv1ic=
+ controlPlane:
+ endpoint: https://base:6443
+ clusterName: base
+ network:
+ cni:
+ name: custom
+ urls:
+ - https://example.com/cni.yaml
+ dnsDomain: example.com
+ podSubnets:
+ - 10.244.0.0/16
+ serviceSubnets:
+ - 10.96.0.0/12
+ token: inn7ol.u4ehnti8qyls9ymo
+ ca:
+ crt: 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
+ key: ""
+ discovery:
+ enabled: true
+ registries:
+ kubernetes:
+ disabled: true
+ service: {}
+---
+apiVersion: v1alpha1
+kind: RegistryMirrorConfig
+name: ghcr.io
+endpoints:
+ - url: https://ghcr.io.my-mirror.com
+---
+apiVersion: v1alpha1
+kind: HostnameConfig
+auto: stable
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_stability_test.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_stability_test.go
index 2190925fd..ad658ef2e 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_stability_test.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_stability_test.go
@@ -47,6 +47,7 @@ func TestConfigEncodingStability(t *testing.T) {
config.TalosVersion1_10,
config.TalosVersion1_11,
config.TalosVersion1_12,
+ config.TalosVersion1_13,
}
currentVersion := ensure.Value(semver.ParseTolerant(gendata.VersionTag))