324 Commits

Author SHA1 Message Date
Erwan Leboucher
6eec1c2293
feat: support DNS over TLS for upstream resolvers
Add DNS over TLS (RFC 7858) support to the host DNS forwarder. A new optional
`tlsServerName` field on `nameservers[]` in `ResolverConfig` enables DoT for an
individual upstream; when set, queries to that nameserver use TCP+TLS on port
853 with the given name as both SNI and certificate validation name (TLS 1.2+).

Signed-off-by: Erwan Leboucher <erwanleboucher@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-05-07 22:49:39 +04:00
Noel Georgi
689974bd55
fix: volume mount permissions
Make Talos volume mount options stricter.

Fixes: #11946

Signed-off-by: Noel Georgi <git@frezbo.dev>
2026-05-06 23:35:14 +05:30
Dmitriy Matrenichev
53bd669562
feat: support conditional start of IPv6 dns servers
This PR does those things:
- Raise IPv6 listener on link-local address for dns (both TCP and UDP).
- Update kubelet's `resolv.conf` IPv4/IPv6 endpoints.

Closes #9384

Link: https://github.com/siderolabs/talos/pull/9596
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
2026-05-05 22:21:45 +02:00
Andrey Smirnov
e1f759af80
chore: fix lint issues automatically
Mostly reformatting to use consistent newlines in function calls.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-05-05 14:06:44 +04:00
Andrey Smirnov
4f11f021de
feat: implement etcd encryption config (kube-apiserver)
This replaces existing fixed field for etcd encryption with a completely
flexible configuration which exactly matches upstream kube-apiserver
configuration.

The default machine configuration generated still retains previous
defaults.

New configuration allows:

* rotating etcd encryption secrets
* implementing any encryption policies (e.g. encrypting configmaps).

Fixes #10899

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-05-04 19:35:23 +04:00
Mateusz Urbanek
876f836430
feat: add support for HTTP Probes
- Add HTTPProbeSpec to ProbeSpecSpec (URL + timeout)
- Implement probeHTTP() to send GET requests, treat 2xx/3xx as success
- Support machine proxy config via httpdefaults.PatchTransport
- Add HTTPProbeConfig v1alpha1 document and controller integration
- Add unit and integration tests for HTTP probe lifecycle

Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
Co-authored-by: Pranav Patil <pranavppatil767@gmail.com>
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2026-05-04 15:22:51 +02:00
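The probe semantics described in the commit above (a single GET, 2xx/3xx counted as success, bounded by a timeout) can be shown in a few lines of Go. The block below is an added illustration written for this page, not code from the Talos repository; `probeHTTP` and `probeResults` are names chosen here, and the status-echo server is constructed inline so the example runs offline. One detail worth making explicit: if a 3xx is to count as success on its own, the client must not follow the redirect, otherwise a probe could wander off to whatever host the `Location` header names and report that host's status instead.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// probeHTTP issues one GET to url and reports success for any 2xx or 3xx
// status. Redirects are deliberately not followed: the first response decides,
// so a 3xx is a success even when its Location is unreachable. Dial, TLS,
// headers and body are all bounded by timeout via http.Client.Timeout.
func probeHTTP(ctx context.Context, url string, timeout time.Duration) error {
	client := &http.Client{
		Timeout: timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // stop at the first response
		},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err // includes timeouts and connection failures
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 200 && resp.StatusCode < 400 {
		return nil
	}
	return fmt.Errorf("probe %s: unexpected status %d", url, resp.StatusCode)
}

// probeResults runs probeHTTP against a constructed local server that echoes
// the status code named in the path (/status/<code>) and returns, per status,
// whether the probe succeeded. Code 599 is used here to simulate an endpoint
// that accepts the connection but never answers within the timeout.
func probeResults(statuses []int, timeout time.Duration) map[int]bool {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var code int
		fmt.Sscanf(r.URL.Path, "/status/%d", &code)
		if code == 0 {
			code = 404
		}
		if code == 302 {
			// A redirect to a port nothing listens on: following it would fail.
			w.Header().Set("Location", "http://127.0.0.1:1/unreachable")
		}
		if code == 599 {
			time.Sleep(2 * timeout) // constructed hang, longer than the probe timeout
		}
		w.WriteHeader(code)
	}))
	defer srv.Close()

	out := map[int]bool{}
	for _, s := range statuses {
		err := probeHTTP(context.Background(), fmt.Sprintf("%s/status/%d", srv.URL, s), timeout)
		out[s] = err == nil
	}
	return out
}

func main() {
	for code, ok := range probeResults([]int{200, 204, 302, 404, 500, 599}, 200*time.Millisecond) {
		fmt.Printf("status %d -> success=%v\n", code, ok)
	}
}
```

With the hung endpoint, `client.Do` returns a timeout error after 200 ms, so the probe reports failure rather than blocking the caller; the 302 succeeds even though its target is unreachable, which is exactly the "first response decides" behaviour the commit describes.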
Andrey Smirnov
25e2f37e2b
chore: generate comments for fields in resource proto
Update structprotogen to put comments from Go structs into generated
.proto files.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-04-22 18:02:27 +04:00
Andrey Smirnov
149592fa59
fix: watch kubelet's kubeconfig and time out for cache sync
Fixes #13169

Also fixes a number of other issues with controller being stuck
"watching" over stale data.

The major part of the change is to watch contents of kubelet's
kubeconfig and restart the watch when it changes.

The internals of the watch process don't always bubble up error
properly, or we don't watch for errors.

With this change, not only does the initial sync have a timeout and a way to abort
the sync process, but Talos can now also restart the sync on kubeconfig
change, making it more transparent.

This might become irrelevant if we start managing kubeconfig via Talos
controlplane for workers, but for now this seems to be the way to fix
issues.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-04-22 17:44:46 +04:00
Erwan Leboucher
0198eedc2b
feat: add NTS (Network Time Security) support for NTP time sync
Implement optional NTS (RFC 8915) support for authenticated and encrypted
time synchronization, using the beevik/nts library.

Signed-off-by: Erwan Leboucher <erwanleboucher@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-04-22 15:27:50 +04:00
Andrey Smirnov
f6e7346fa7
fix: encode extra args fields in resources with new id
This is a fixup for #12475

Split the protobuf id for extraArgs fields to use new value, so that we
don't have unmarshal failure when using newer machinery with older Talos
or vice versa.

Also pull in a fix https://github.com/siderolabs/go-talos-support/pull/15

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-04-15 18:14:29 +04:00
Andrey Smirnov
968ec1e0ca
refactor: propagate NAME properly, allow to set on build
Allow setting build NAME at build time and propagate it down to more consumers.

Expose name in `Version` resource, and use that in the dashboard
next to Talos version.

Fix some places where `Name` was hardcoded.

Propagate Name down to UKI build.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-04-08 17:57:43 +04:00
Andrey Smirnov
038cb87354
feat: enforce PID check on connections to services over file sockets
Whitelist services which can access the file socket, refuse other
connections.

Fixes #12701

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-03-24 14:44:55 +04:00
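The mechanism a Unix-domain service has for the PID allowlisting described above is the kernel's `SO_PEERCRED` option, which returns the PID, UID and GID the peer had when it connected. The block below is an added illustration written for this page, not the Talos implementation; `peerPID`, `allowlistedAccept` and `demo` are names chosen here, and the socket lives in a temporary directory so the example runs stand-alone on Linux (the `syscall.GetsockoptUcred` call is Linux-only).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

var errNotAllowlisted = errors.New("peer pid not allowlisted")

// peerPID returns the PID of the process at the other end of a Unix-domain
// connection, as recorded by the kernel at connect time (SO_PEERCRED, Linux).
func peerPID(conn *net.UnixConn) (int32, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return 0, err
	}
	var (
		cred    *syscall.Ucred
		credErr error
	)
	if err := raw.Control(func(fd uintptr) {
		cred, credErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return 0, err
	}
	if credErr != nil {
		return 0, credErr
	}
	return cred.Pid, nil
}

// allowlistedAccept accepts one connection and admits it only if the peer PID
// is in allowed; any other connection is closed before a byte is read.
func allowlistedAccept(l *net.UnixListener, allowed map[int32]bool) (*net.UnixConn, error) {
	conn, err := l.AcceptUnix()
	if err != nil {
		return nil, err
	}
	pid, err := peerPID(conn)
	if err != nil {
		conn.Close()
		return nil, err
	}
	if !allowed[pid] {
		conn.Close()
		return nil, fmt.Errorf("refusing pid %d: %w", pid, errNotAllowlisted)
	}
	return conn, nil
}

// demo listens on a temporary socket, connects to it from this same process,
// and reports whether the self-connection was admitted under allowed.
// Only allowlist refusals are folded into the bool; other failures are errors.
func demo(allowed map[int32]bool) (admitted bool, err error) {
	dir, err := os.MkdirTemp("", "peercred")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)

	addr := &net.UnixAddr{Name: filepath.Join(dir, "svc.sock"), Net: "unix"}
	l, err := net.ListenUnix("unix", addr)
	if err != nil {
		return false, err
	}
	defer l.Close()

	client, err := net.DialUnix("unix", nil, addr)
	if err != nil {
		return false, err
	}
	defer client.Close()

	conn, err := allowlistedAccept(l, allowed)
	if errors.Is(err, errNotAllowlisted) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	conn.Close()
	return true, nil
}

func main() {
	self := int32(os.Getpid())
	ok, err := demo(map[int32]bool{self: true})
	fmt.Println("own pid allowlisted:", ok, err)
	ok, err = demo(map[int32]bool{self + 100000: true})
	fmt.Println("foreign pid allowlisted:", ok, err)
}
```

Two caveats a practitioner should keep in mind: the credentials are captured at `connect()` time, so a peer that forks or execs afterwards still presents its original PID; and PIDs are reused once a process exits, so a PID allowlist is a weaker identity than the peer's UID or its executable, and is best maintained from the supervisor that actually started the allowed services rather than from a static list.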
Andrey Smirnov
b7d70cf625
feat: unify maintenance and regular APIs
Drop maintenance service and all the code supporting it directly.

Instead, move all network API termination into the `apid` service, which
can now work in more modes to support maintenance operations as well.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-03-17 17:00:35 +04:00
Mateusz Urbanek
6bb5cf57a2
feat: implement routing rules support
Add RoutingRuleConfig multi-doc config type for management of routing rules.
KubeSpan now uses COSI resources instead of direct kernel management.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2026-03-13 15:17:49 +01:00
Andrey Smirnov
17335107be
fix: use non-sensitive resource for health check precondition
A fixup for #12896

The health check might be running as a reduced privilege role client, so
don't pull the machine config, but instead read a field from a
non-sensitive resource.

As this field doesn't exist in older versions of Talos, the check should
still run by default (as it will be empty).

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-03-10 18:37:55 +04:00
Laura Brehm
7f2eb48561
feat: add image verification endpoint
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.

Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.

Talos itself hooks up in the image verification process, while
containerd CRI plugin accesses same API via the machined socket.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-03-06 20:06:07 +04:00
Mateusz Urbanek
15a5ec9985
feat: implement new install/upgrade API
Implement new minimal Install/Upgrade LifecycleService API with streaming
support for real-time progress reporting. Add protobuf definitions, gRPC
service implementation, and client bindings.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2026-03-06 12:16:35 +01:00
pythoner6
1da2b63ab5
feat: multi-doc support for configuring vrfs
Fixes https://github.com/siderolabs/talos/issues/11960

This adds a new network config document type, network.VRFConfig that can
be used to configure vrfs https://docs.kernel.org/networking/vrf.html.

Signed-off-by: pythoner6 <pythoner6@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-25 15:10:35 +04:00
Dmitrii Sharshakov
9758bd4fe0
feat: update Go to 1.26
Via tools/pkgs, also pulling in Clang-built Linux

Update go.mod dependencies

Fix linter errors with new golangci-lint, modernize, use new()

Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-19 22:15:19 +01:00
Daniil Kivenko
70c6c2154e
feat: add filter for KubeSpan advertised networks
Add advertisedNetworks filter to KubeSpan configuration that allows
filtering which additional networks (e.g., pod CIDRs) are advertised
over KubeSpan when advertiseKubernetesNetworks is enabled.

Signed-off-by: Daniil Kivenko <daniil.kivenko@p2p.org>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-12 15:02:47 +04:00
Sébastien Masset
87615f5511
feat: implement network policies with Flannel CNI
Align flannel ClusterRole with upstream chart template (cf.
https://github.com/flannel-io/flannel/blob/master/chart/kube-flannel/templates/rbac.yaml)

Add boolean in cluster flannel CNI config to deploy extra resources to
handle network policies. Inspired by flannel Helm chart handling of
netpol.enabled value (cf. https://github.com/flannel-io/flannel/blob/master/Documentation/netpol.md)

Signed-off-by: Sébastien Masset <86793256+smasset-orange@users.noreply.github.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-10 15:47:49 +04:00
Andrey Smirnov
9690dbad02
chore: bump tools (including linter)
Re-generate, fix new linting issues.

Update containerd library to the latest 2.2.1 to address the new cgroups
package import (via tools update).

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-09 13:07:35 +04:00
Laura Brehm
d43a01ccbd
feat: implement talosctl debug
This implements a way to run a debug container with a provided image on
the node.

The container runs with a privileged profile, allowing one to issue debugging
commands (e.g. using some advanced network tools) to troubleshoot a
machine.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-04 21:26:09 +04:00
Pranav Patil
34a31c9797
feat: add mount options support for existing volumes
Add DisableAccessTime and Secure mount options for existing volumes.
DisableAccessTime adds noatime parameter to disable access time updates.
Secure adds nosuid and nodev parameters for security (defaults to true).
Add integration tests for both options.

Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
2026-02-04 09:13:05 +01:00
Andrey Smirnov
9f2dd6312f
refactor: api tests
Unify a list of all APIs in Talos to a single place, and use them in
associated tests:

* the test for one2many specifics
* the test for deprecated methods
* the test for missing RBAC rules

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-02 19:17:27 +04:00
Andrey Smirnov
8b245b8f26
feat: implement new image service APIs
These new APIs only support one2one proxying, so they don't have any
hacks, and look as regular gRPC APIs.

Old APIs are deprecated, but still supported.

Implement client-side multiplexing in `talosctl`, provide fallback to
old APIs for legacy Talos versions.

New APIs include removing an image, importing an image.

Extracted from #12392

Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-02-02 15:55:56 +04:00
Florian Ströger
562920701e
fix: use node podCIDRs for kubespan advertiseKubernetesNetworks
This commit changes the way kubespan gets the podCIDR to advertise when
`advertiseKubernetesNetworks` is enabled. Before, it used the interface
address, but some CNIs (such as Cilium in NativeRouting) only set a
single /32 IP to a single interface (`cilium_host` in cilium's case).
This adds the `v1.Node`'s `.spec.podCIDRs` array to the `k8s.NodeStatus`
object and uses this to advertise the kubernetes network.

Signed-off-by: Florian Ströger <stroeger@youniqx.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-01-22 19:43:21 +04:00
Mateusz Urbanek
8c7b8f5b7d
feat: add support for negative max size
Add support for negative max size values in volume configuration.
Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example, a max size of "-10GiB" means the volume can grow to the device size minus 10GiB.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2026-01-21 12:11:31 +01:00
Mateusz Urbanek
91b88f7f99
feat: support multiple values for extraArgs
BREAKING: internal resources for the components use a different
representation of ExtraArgs, resulting in modified types in protocol
buffers.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
2026-01-16 11:20:59 +01:00
Andrey Smirnov
96e604874b
fix: add hostname to endpoints
Populate endpoint coming from the Kubernetes controlplane endpoint with
the hostname (if the endpoint is a hostname).

This should improve cases when hostname is used for the endpoint in
terms of SNI, proper resolving of DNS if it's dynamic.

See https://github.com/siderolabs/talos/pull/12556#issuecomment-3755862314

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-01-15 22:56:46 +04:00
Mateusz Urbanek
c3176adcf9
feat: add EnvironmentConfig document
Add new EnvironmentConfig document for configuring the Env vars.
Deprecate .Machine.Env

Closes #12439

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2026-01-12 15:10:20 +01:00
Andrey Smirnov
c57701d659
fix: remove interactive installer
The interactive installer has been deprecated since v1.12 cycle,
now removed completely including the API method.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-12-25 15:01:10 +04:00
Andrey Smirnov
39117d4576
feat: update dependencies
Bump Go modules, Helm charts, other versions.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-12-18 22:59:51 +04:00
Mateusz Urbanek
694f45413f
feat: external volumes
Add new volume type for managing external volume mounts - Virtiofs volumes

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2025-12-15 14:35:52 +01:00
Bryan Lee
6db06f4d5d
feat: implement multicast setting
Add a multicast option to LinkSpec that can be configured to explicitly declare the state of the multicast flag.

Signed-off-by: Bryan Lee <me@bryanl.ee>
2025-11-17 16:23:59 +01:00
Edward Sammut Alessi
a6bbae91ba
fix: fix typos across the project
Fix typos across the project

Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
2025-11-17 10:33:42 +01:00
Mateusz Urbanek
83f2bdb9ce
feat: support relative volume size
Include percent-based maxSize, e.g. use 50% of available space.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2025-11-14 14:56:22 +01:00
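Two commits on this page extend the `maxSize` grammar: the one above adds percent-based sizes ("50%"), and the earlier "add support for negative max size" commit adds reserves ("-10GiB" meaning grow to device size minus 10GiB). The block below is an added illustration of how the three spellings resolve to an absolute byte limit; it is written for this page and is not the Talos resolver. `ResolveMaxSize`, `parseBytes` and the capping of an oversized absolute value at the device size are choices made here, and the percentage arithmetic is done in two parts so it cannot overflow on large devices.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// iecUnits lists the binary suffixes this example accepts; a bare number is bytes.
var iecUnits = map[string]uint64{
	"B": 1, "KiB": 1 << 10, "MiB": 1 << 20, "GiB": 1 << 30, "TiB": 1 << 40,
}

// parseBytes turns "10GiB", "512MiB" or "4096" into a byte count, rejecting
// unknown units and values that would overflow uint64.
func parseBytes(s string) (uint64, error) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("no digits in size %q", s)
	}
	n, err := strconv.ParseUint(s[:i], 10, 64)
	if err != nil {
		return 0, err
	}
	unit := s[i:]
	if unit == "" {
		unit = "B"
	}
	mult, ok := iecUnits[unit]
	if !ok {
		return 0, fmt.Errorf("unknown unit %q in size %q", unit, s)
	}
	if n > ^uint64(0)/mult {
		return 0, fmt.Errorf("size %q overflows", s)
	}
	return n * mult, nil
}

// ResolveMaxSize converts a maxSize spec into an absolute byte limit for a
// device of deviceSize bytes:
//
//	"10GiB"  -> 10 GiB, capped at deviceSize (this example's choice)
//	"-10GiB" -> deviceSize - 10 GiB, i.e. leave 10 GiB free
//	"50%"    -> floor(deviceSize * 50 / 100)
func ResolveMaxSize(spec string, deviceSize uint64) (uint64, error) {
	spec = strings.TrimSpace(spec)
	switch {
	case spec == "":
		return 0, errors.New("empty maxSize")

	case strings.HasSuffix(spec, "%"):
		pct, err := strconv.ParseUint(strings.TrimSuffix(spec, "%"), 10, 64)
		if err != nil || pct == 0 || pct > 100 {
			return 0, fmt.Errorf("percentage %q must be in 1..100", spec)
		}
		// (q*100 + r) * pct / 100 == q*pct + r*pct/100, exact and overflow-free.
		q, r := deviceSize/100, deviceSize%100
		return q*pct + r*pct/100, nil

	case strings.HasPrefix(spec, "-"):
		reserve, err := parseBytes(spec[1:])
		if err != nil {
			return 0, err
		}
		if reserve >= deviceSize {
			return 0, fmt.Errorf("reserve %s leaves no space on a %d-byte device", spec[1:], deviceSize)
		}
		return deviceSize - reserve, nil

	default:
		n, err := parseBytes(spec)
		if err != nil {
			return 0, err
		}
		if n > deviceSize {
			n = deviceSize
		}
		return n, nil
	}
}

func main() {
	const disk = 100 << 30 // constructed 100 GiB device
	for _, spec := range []string{"10GiB", "-10GiB", "50%", "150%", "-100GiB", "10MB"} {
		limit, err := ResolveMaxSize(spec, disk)
		fmt.Printf("%-8s -> %d bytes, err=%v\n", spec, limit, err)
	}
}
```

The two rejected cases matter operationally: a reserve equal to or larger than the device would resolve to zero or wrap around, and a percentage above 100 would silently exceed the device, so both are errors rather than clamped values.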
Andrey Smirnov
68560b53ab
fix: split volume/disk locators
Don't guess based on the volume type, but use explicit fields for
different locators.

IMAGECACHE-ISO is a disk volume, but uses full volume locator (by
filesystem type, etc.)

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-11-14 12:18:22 +04:00
Andrey Smirnov
82ac1119ec
feat: implement new registry configuration
Move to using multi-doc registry configuration.

Fixes #12120

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-11-12 17:25:01 +04:00
Laura Brehm
66c01a706f
chore: deprecate interactive installer mode
Removes `interactive` from `talosctl apply-config --mode interactive`,
and deprecates related APIs.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2025-11-11 18:22:38 +01:00
Laura Brehm
957770f65a
feat(machined): add panic/force mode reboot
In certain situations, Talos's shutdown/reboot sequence hangs while
waiting for services/mounts to be gracefully stopped (see:
https://github.com/siderolabs/talos/issues/11775).

This patch adds a forceful mode to the reboot sequence (`talosctl reboot
--mode force`) that bypasses graceful userspace teardown and hard
reboots the machine.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2025-11-11 12:08:34 +01:00
Andrey Smirnov
f4ad3077b0
feat: implement bond multi-doc configuration
Also expand internal bond configuration to cover missing fields.
They are not going to be exposed in legacy configuration.

Fixes #10960

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-11-07 13:45:09 +04:00
Mateusz Urbanek
f3df0f80b9
feat: add directory backed UserVolumes
Resolves #11848

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
2025-10-29 12:00:24 +01:00
Andrey Smirnov
1dffa5d996
feat: implement virtual IP operator config
Fixes #10959

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-10-24 17:37:03 +04:00
Andrey Smirnov
d110727263
fix: provide offset for partitions in discovered volumes
This was missing in the resource which makes rendering partitions
in the GUI hard.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-10-23 21:25:42 +04:00
Andrey Smirnov
6c98f4cdb0
feat: implement new DHCP network configuration
Fixes #11661

Fixes #10958

This also implements proper client identifier handling.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-10-21 20:51:58 +04:00
Dmitrii Sharshakov
4e12df8c5c
test: integration test for OOM controller
- Improve docs
- Disable OOM controller in container mode
- Log OOM events
- Add an integration test verifying the system can sustain an OOM event

Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
2025-10-20 17:50:59 +02:00
Noel Georgi
ced57b047a
feat: support optionally disabling module sig verification
Support disabling kernel module signature verification.
Note that this does not work when SecureBoot is enabled.

Fixes: #11989

Signed-off-by: Noel Georgi <git@frezbo.dev>
2025-10-16 20:18:46 +05:30
Andrey Smirnov
9a42b05bda
feat: implement link aliasing
Fixes #10956

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-10-08 16:27:27 +04:00
Andrey Smirnov
825622d90a
fix: resource proto definitions
There was a mismatch between how Talos encodes resource specs to
protobuf on the wire, and `.proto` files generated by `structprotogen`
for the same specs.

This only affected `LinkStatus`/`LinkSpec` resources, and it doesn't
affect Talos/Omni as they go via `protoenc`, bypassing `.proto` files.

Also, if the default proto library is used, it works correctly.

The only place where it fails is a strict `vtprotobuf` encoding.

Also imports `protoenc` 0.2.4 skipping encoding of zero fields, which
should make COSI responses smaller for resources with lots of zero
fields.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-10-06 22:28:18 +04:00