This replaces existing fixed field for etcd encryption with a completely
flexible configuration which exactly matches upstream kube-apiserver
configuration.
The default machine configuration generated still retains previous
defaults.
New configuration allows:
* rotating etcd encryption secrets
* implementing any encryption policies (e.g. encrypting configmaps).
Fixes #10899
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Concurrent goroutines wrote to k8sNames without synchronization,
causing a data race during drain. The comment claiming "no mutex
needed" was wrong - each goroutine writes a different key, but
the Go map implementation is not safe for concurrent writes.
Fixes #13247
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
This deprecates more `.machine.features` and allows host DNS to be enabled
in maintenance mode.
Fixes #12438
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Defaults to installer image from factory.talos.dev. Default images now
use schematic hash naming (metal-installer/<hash>) instead of
registry-based naming.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Allows authenticating to Image Factory (if Image Factory is configured
for auth), applies to HTTP downloads (e.g. ISO), and injects registry
auth into Talos as well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use defer blocks and error joining to guarantee uncordon cleanup
runs regardless of reboot/upgrade success or failure. Prevents nodes
from staying cordoned when operations fail.
Also added gRPC keepalive params to prevent timeout issues during
long operations.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
When run in "normal" mode, `talosctl` takes into account proxy
configuration, such as the `https_proxy` and `no_proxy` environment
variables; but when invoked with `--insecure`, those would be ignored,
which results in `talosctl` being unable to interact with nodes in
maintenance mode if they're only reachable through a proxy.
This commit adds the `WithDefaultGRPCDialOptions()` option to the
client created by `WithClientMaintenance()`, same as `WithClient()`.
Signed-off-by: Benoît Knecht <benoit.knecht@proton.ch>
Add --drain and --drain-timeout flags to `talosctl reboot` (default off)
and `talosctl upgrade` (default on) that cordon and drain the Kubernetes
node before rebooting, then wait for Ready and uncordon after it comes
back. When --drain is enabled, --wait is forced to true.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Allow setting build NAME on build, propagate it down to more consumers.
Expose name in `Version` resource, and use that in the dashboard
next to Talos version.
Fix some places where `Name` was hardcoded.
Propagate Name down to UKI build.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #12933
There are many use cases for this:
* exploring resources and state of the system, learning available
resources
* when a Talos machine is booted up in an environment without network
access, learning all available network interfaces, all disks
available, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It does not make sense without SideroLink, and will not work,
as it requires Admin role.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Add support for caching all platforms in a multi-platform image index
by passing --platform=all to the images cache-create command.
When all is specified, the index manifest is fetched without platform
resolution, and each platform-specific image is downloaded individually.
Attestation manifests (unknown/unknown) are included.
Include the platform in the fetch log line so each pull is identifiable,
e.g. fetching image "..." (linux/amd64).
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add a test that covers all maintenance APIs in general.
Add a test for transition from SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks into the image verification process, while the
containerd CRI plugin accesses the same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add new `talosctl install` command using the LifecycleService.Install
streaming API with support for insecure (maintenance) mode and progress
reporting. Refactor `talosctl upgrade` to use the new
LifecycleService.Upgrade streaming API with automatic fallback to the
legacy MachineService.Upgrade path for older Talos versions.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Drop the old cli-utils based manifest apply logic and replace it with the new fluxcd/pkg/ssa based implementation.
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
The call to filepath.join in the current code causes breakage when using talosctl on Windows due to a wrong slash introduced into the embed path.
Signed-off-by: Jan Paul <paulj@nerakhon.cz>
Use the library built for tview, so that we don't have to have two UI
libraries working in parallel in the same TUI.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pulls in KMS with logging, and adds more logging to Talos.
This allows debugging encryption problems better.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The disks flag Set method was appending new disk requests to the existing ones,
which caused duplicate disk entries when custom values for the disks flag were set.
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
This affects reading multi-doc machine config via `talosctl` from Talos
machines v1.11 and below by `talosctl` of v1.12 and up.
The problem is that before v1.12 Talos returned machine config as an
embedded document instead of the spec of the resource, which was not
valid YAML. It worked via hacks we used in our fork of the yaml library.
Talos v1.12+ cleans that up by marshaling the config as a string, and
drops the forked library. The problem is that we still can't pass
multi-doc YAML via this path, so we have to resort to going into COSI
internals to retrieve the actual value as written by the Talos API.
Note: there is no problem for Omni, as it goes via protobuf path which
hasn't been affected.
Fixes #12787
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Re-generate, fix new linting issues.
Update containerd library to the latest 2.2.1 to address the new cgroups
package import (via tools update).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This command is very specific to terminal operations which don't exist
or might not work well enough on Windows.
Windows users will have better luck with WSL and Linux talosctl.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This implements a way to run a debug container with a provided image on
the node.
The container runs with a privileged profile, allowing debugging
commands to be issued (e.g. using some advanced network tools) to
troubleshoot a machine.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
These new APIs only support one2one proxying, so they don't have any
hacks, and look like regular gRPC APIs.
Old APIs are deprecated, but still supported.
Implement client-side multiplexing in `talosctl`, provide fallback to
old APIs for legacy Talos versions.
New APIs include removing an image, importing an image.
Extracted from #12392
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This command was always hidden, rename it to `debug-tool` to free up the
`talosctl debug` for #12932.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The --k8s-endpoint flag was defined but never used in the rotate-ca
command. This fix passes the flag value through to the Kubernetes
client, allowing users to override the default Kubernetes API endpoint
during CA rotation.
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Simplify the flow a bit by using live partition info,
avoid doing some calculations which are already done in the
partition code.
Remove some steps I believe we don't need to do.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It was on Long before, but displayed wrongly on the docs website
(already used by the image cache-create cmd).
Signed-off-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Migrate KubeSpan configuration to support multi-document format.
Add version-aware support for talosctl cluster create and gen config.
Uses multi-doc format for Talos 1.13+, legacy format for 1.12 and earlier.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The `persist` value was locked to be true for a long time now, and Talos
doesn't support any other mode (machine config is persisted).
Drop the `gen config` flag and related generate options, as modern Talos
doesn't accept `persist: false`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add the following flags to the upgrade-k8s command:
* `--force-conflicts` overwrite the fields when applying even if the field manager differs
* `--inventory-policy` string kubernetes SSA inventory policy (one of 'MustMatch', 'AdoptIfNoInventory' or 'AdoptAll') (default "AdoptIfNoInventory")
* `--no-prune` whether pruning of previously applied objects should happen after apply
* `--prune-timeout` int how long to wait for resources to be pruned in seconds (set to zero to disable waiting for resources to be fully deleted) (default 180)
* `--reconcile-timeout` int how long to wait for resources to be fully reconciled in seconds (set to zero to disable waiting for resources to be fully reconciled) (default 180)
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
After changing `talosctl images k8s-bundle` and `talos-bundle`
we stopped printing some of the images to release notes.
This fixes that issue.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Overlays installers assume the `/boot/EFI` path, so we generate assets into `/boot/EFI` then move that directory to the mountPrefix+/EFI.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Boards were deprecated in favor of overlays from Talos 1.7.
Now completely remove all board specific code.
Part of: #12492
Signed-off-by: Noel Georgi <git@frezbo.dev>