Fixes#4407fixes#4489
This PR started by enabling simple restart of the `kubelet` service via
services API, but it turned out there's a problem:
When kubelet restarts, CNI is already up, so there's an interface on the
host with CNI node IP, the code which picks kubelet node IP finds it and
tries to add it to the list of kubelet node IPs which completely breaks
kubelet.
Solution was easy: allow node IPs to be filtered out - e.g. we never
want kubelet node IP to be from the pod CIDR.
But this filtering feature is also useful in other cases, so I added
that as well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
(cherry picked from commit a76f6d69dbfdf34e4383dd5d2ee9f8cca4661e87)
This PR updates the e2e scripts to work properly by updating the var
names as needed.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
(cherry picked from commit 2258bc4918e89b3d6fcb841b2ad677f114ddba7e)
This PR updates to use the newest var setup from our capi templates.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
(cherry picked from commit c8e404e356878f6cd819a33386b351c1c152c3f5)
It is needed for advanced use cases like Docker-in-Docker, our CI, etc.
Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
(cherry picked from commit 423861cf9f99eaf034a4f0cb243d73d1275c3f38)
Update component versions, Go module versions.
Add platform tiers to the support matrix.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Note: Talos can be still run under `Firecracker`, support for
Firecracker was only removed for `talosctl cluster create`.
Reason:
* code is untested/unmaintained, and probably doesn't work correctly
* firecracker Go SDK pulls lots of dependencies and it blocks CNI Go
module update
Bonus: `talosctl-linux-amd64` shrinks by 2 MiB.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Also downgrade some indirect dependencies that don't have a good reason to be updated.
Closes#4111.
Closes#4112.
Closes#4116.
Closes#4117.
Closes#4121.
Closes#4122.
Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
etcd has two mounts from the host, both of them are chowned to be
accessible by the etcd user:
* data directory
* secrets directory
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
For the `trustd`, this change is simple as it doesn't access any files
on the host filesystem.
For the `apid`, there are more things involved:
* `apid.sock` used for internal API calls should be createable by `apid`
* `runtime.sock` used for apid to COSI communication should be
accessible for `apid`
* `machined.sock` used for proxying calls to machined should be as well
made available to the `apid`.
Plus fixes default permissions for `tmpfs` mountpoints.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This enable seccomp profile for all containers launched by Talos: apid,
trustd, etcd and kubelet.
Also by default disallow gaining more privileges in the container
(basically disables setuid). As containers are running as root this is
no-op, but soon we'll have running as non-root users and this becomes
important.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This should address issues when the config is a valid yaml but contains
extra fields which may appear there if the indents got messed up somehow
for example.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Fixes#3714
This provides more safe way to join new members to the etcd cluster.
See https://etcd.io/docs/v3.4/learning/design-learner/
With learner mode join there are few differences:
* new nodes are joined one by one, because etcd enforces a single
learner member in the cluster
* learner members are not counted in quorum calculations, so while
learner catches up with the master node, quorum is not affected and
cluster is still operational
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos supports automatic virtual IP for the control plane with pure
layer 2 connectivity. Equinix Metal API supports assigning shared IPs to
the nodes, this PR combines existing virtual IP functionality with calls
to EM API to move the IP address on EM side to the leader node.
The only thing which should be supplied in the machine configuration is
the Equinix Metal API token, every other setting is automatically
discovered automatically by Talos.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixed: https://github.com/talos-systems/talos/issues/3686
Replaced sequencer tasks for KSPP and Kubernetes required sysctl props
by the ones set by controllers.
KernelParam flow includes of 3 controllers and 2 resources:
- `KernelParamConfigController` - handles user sysctls coming from v1alpha1
config.
- `KernelParamDefaultsController` - handles our built-in KSPP and K8s
required sysctls.
- `KernelParamSpecController` - consumes `KernelParamSpec`s created by the
previous two controllers, applies them and updates the corresponding
`KernelParamStatus`.
Signed-off-by: Artem Chernyshev <artem.0xD2@gmail.com>
GitHub recently introduced limit of 25000 byte for the release notes,
which breaks our release process, as our notes are over the limit.
PR https://github.com/talos-systems/talos/pull/4021 introduced support
for GFM release notes, which are at least 50% smaller.
This PR enables GFM, adds a check for release notes size and pushes
release-notes step to every build so that we known in advance if release
notes are over the limit (vs. the moment we push the release).
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Fixes#3951
Bootkube support was removed in Talos 0.9. Talos versions 0.9-0.11
support conversion of self-hosted bootkube-based control plane to the
new style control plane running as static pods managed by Talos.
This commit removes all backwards compatibility and removes conversion
code.
For the k8s controllers, `BootstrapStatus` is removed and a dependency
on `etcd` service status is added (as it was implicitly there via
`BootstrapStatus`).
Remove control plane conversion code.
In k8s upgrade code, remove self-hosted part.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Resources code extensively uses DeepCopy to prevent in-memory copy of
the resource to be mutated outside of the resource model.
Previous implementation relied on YAML serialization to copy the
machine configuration which was slow, potentially might lead to panics
and it generates pressure on garbage collection.
This implementation uses k8s code generator to generate DeepCopy methods
with some manual helpers when code generator can't handle it.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
