It wasn't used when building an endpoint to the local API server, so
Talos couldn't talk to the local API server when the port was changed from
the default one.
Fixes #5706
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes an issue when an invalid `--mode` option was treated as the
default mode.
Fixes #5712
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Run `xfs_repair` on XFS filesystems that need repairing, as indicated by
the `unix.EUCLEAN` error when mounting.
Fixes #5319
Fixes #5437
Signed-off-by: Noel Georgi <git@frezbo.dev>
This is in line with CIS guidelines. Otherwise the kube-apiserver will pass along the request with the group
set to `system:unauthenticated`. This will expose anything that is allowed by the `system:public-info-viewer`
and `system:discovery` cluster roles.
Signed-off-by: Rio Kierkels <riokierkels@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
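As an added illustration (not part of this commit or of Talos' code), a small Go audit that reports whether an API server still answers unauthenticated requests; it assumes the cluster CA is available as a PEM file and uses only the standard library:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"net/http"
	"os"
	"time"
)

// anonymousAllowed GETs /version with no credentials: 200 means the request ran as
// system:unauthenticated (allowed by system:public-info-viewer), 401 means --anonymous-auth=false.
func anonymousAllowed(client *http.Client, apiServer string) (bool, int, error) {
	resp, err := client.Get(apiServer + "/version")
	if err != nil {
		return false, 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, resp.StatusCode, nil
}

// newClient trusts only the PEM CA at caPath (assumed to be the cluster CA); no client cert or token is sent.
func newClient(caPath string) (*http.Client, error) {
	pem, err := os.ReadFile(caPath)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pem) {
		return nil, fmt.Errorf("no certificates found in %s", caPath)
	}
	return &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}, nil
}

func main() {
	if len(os.Args) != 3 {
		log.Fatal("usage: anoncheck https://<apiserver>:6443 ca.crt")
	}
	client, err := newClient(os.Args[2])
	if err != nil {
		log.Fatal(err)
	}
	allowed, code, err := anonymousAllowed(client, os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("HTTP %d: anonymous access allowed=%v\n", code, allowed)
}
```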
Add new health check which checks if the etcd members match the control plane nodes. Closes siderolabs#5553.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Add an OVMF image source path for QEMU, needed on RHEL-based systems.
Signed-off-by: Han Cen <hi@chamburr.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This is a cosmetic fix: when `KubeletServiceController` tries to write
files to `/etc/kubernetes` before `/var` is mounted, it would fail.
The controller will be restarted, but each restart involves a backoff
which gets longer with each restart.
On the first boot, or when EPHEMERAL is encrypted, mounting might take
considerable time (seconds), so during that time the controller might enter
such a long backoff timeout that it will delay the whole boot sequence - it
won't finish before `kubelet` is started.
By waiting for `EPHEMERAL` to be mounted before starting the controller
we eliminate long backoff cycles.
Also fix a bug where the `StartAllServices` task might start a kubelet early
(before `KubeletServiceController` is actually going to start it).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fix a bug: when the etcd session is closed during the election campaign, we
should quit the campaign instead of continuing, which is the case when
the election was won (bug found by @frezbo).
Also in the same controller, even before the election is won, we should
observe changes to kubelet lifecycle and etcd lifecycle events to make
sure we quit the campaign on appropriate events. This fixes a delay on
kubelet shutdown of the control plane when VIP is enabled, but the node
doesn't own the VIP on upgrade.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR gets us closer to being a supported option on Equinix Metal. We
now look for a new kernel arg `em.events_url` and will send events there
based on the state of our install. These events are then presented to
the user in the GUI or via calls to the EM API.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
Disable kexec on SBCs known to have issues when doing kexec.
Fixes: https://github.com/siderolabs/talos/issues/5649
Raspberry Pi seems to have issues enabling secondary CPUs on subsequent
reboots. RockPi doesn't seem to work at all with kexec.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add public IP from Azure Standard SKU LB to the list of external IPs (for
proper certificate generation).
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Stdlib `net.ParseMAC` does lots of validation, but some hardware addresses
we can see (on logical interfaces) are not valid, so parse MACs in a
simple way.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
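An added example of the lenient approach (written for this note, not Talos' own parser): `net.ParseMAC` only accepts 6-, 8- or 20-byte addresses, while the parser below takes any run of hex octets, so the 4- and 16-byte addresses that logical interfaces such as sit/ip6tnl links report still parse.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// parseMACLenient accepts any colon- or dash-separated run of hex octets,
// including lengths that net.ParseMAC rejects (it only takes 6, 8 or 20
// bytes). Example code written for this note, not Talos' parser.
func parseMACLenient(s string) (net.HardwareAddr, error) {
	s = strings.ReplaceAll(strings.TrimSpace(s), "-", ":")
	if s == "" {
		return nil, fmt.Errorf("empty hardware address")
	}
	parts := strings.Split(s, ":")
	addr := make(net.HardwareAddr, 0, len(parts))
	for _, p := range parts {
		if len(p) != 2 {
			return nil, fmt.Errorf("invalid octet %q in %q", p, s)
		}
		b, err := hex.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("invalid octet %q in %q: %w", p, s, err)
		}
		addr = append(addr, b[0])
	}
	return addr, nil
}

func main() {
	// Constructed samples: a regular NIC address, a 4-byte address as a sit
	// interface reports, and a 16-byte one as an ip6tnl interface reports.
	for _, s := range []string{
		"52:54:00:12:34:56",
		"00:00:00:00",
		"fe:80:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
	} {
		_, stdErr := net.ParseMAC(s)
		addr, err := parseMACLenient(s)
		fmt.Printf("%-48s stdlib accepts=%-5v lenient=%v err=%v\n", s, stdErr == nil, addr, err)
	}
}
```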
The Version API is only available over a SideroLink connection.
This is useful to find the Talos version as it got booted (e.g. to generate
proper machine configuration).
There's a security concern that the version API might return sensitive
information via the public API. At the same time the Talos version can be
guessed by looking at the output of other APIs, e.g. the resource type list
(`talosctl get rd`), which changes with every minor version.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
To enable authorization to services via SideroLink on startup we extend
the kernel parameter `siderolink.api` to accept an optional join token as
a parameter, as in `grpc://<host>:<port>?jointoken=1234`.
Fixes #5592
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
The tag was already corrected in v1.1 of the doc but we also need to
correct it for v1.0. When we check out git tag v1.0.5 and build the
installer it will create the image with `siderolabs` in the image tag.
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
Instead of a hardcoded `grub.cfg`, use common code to generate the list of
kernel arguments and allow using `--extra-kernel-arg` as well.
Before the change:
```
linux /boot/vmlinuz init_on_alloc=1 slab_nomerge pti=on panic=0 consoleblank=0 printk.devkmsg=on earlyprintk=ttyS0 console=tty0 console=ttyS0 talos.platform=metal
```
New (default line):
```
linux /boot/vmlinuz talos.platform=metal earlyprintk=ttyS0 console=ttyS0 console=tty0 init_on_alloc=1 slab_nomerge pti=on consoleblank=0 nvme_core.io_timeout=4294967295 random.trust_cpu=on printk.devkmsg=on ima_template=ima-ng ima_appraise=fix ima_hash=sha512
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
`GenerateKey` generates 32 random bytes vs. a key suitable for a
Wireguard endpoint key.
This is the only place in code with this bug, and it is only used in
test code (`talosctl cluster create` with fixed Wireguard
configuration).
SideroLink and Kubespan are not affected.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
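An added example (not the Talos `GenerateKey` code) showing the difference the fix is about: 32 random bytes beside the same bytes after the Curve25519 clamping that WireGuard tooling such as `wg genkey` applies to a private key, with a checker for the clamping rules.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

const keyLen = 32

// clampPrivateKey applies the Curve25519 clamping WireGuard tooling applies to
// a private key: clear the low 3 bits of byte 0, clear the top bit of byte 31
// and set its second-highest bit. Example code, not Talos' GenerateKey.
func clampPrivateKey(k *[keyLen]byte) {
	k[0] &= 248
	k[31] &= 127
	k[31] |= 64
}

// isClamped reports whether k already satisfies those rules; plain random
// bytes pass this only with probability 1/32.
func isClamped(k [keyLen]byte) bool {
	return k[0]&7 == 0 && k[31]&128 == 0 && k[31]&64 != 0
}

// generateRawKey mirrors the bug described above: 32 random bytes, unclamped.
func generateRawKey() ([keyLen]byte, error) {
	var k [keyLen]byte
	_, err := rand.Read(k[:])
	return k, err
}

// generateWireguardPrivateKey is the corrected form: random bytes, then clamp.
func generateWireguardPrivateKey() ([keyLen]byte, error) {
	k, err := generateRawKey()
	if err == nil {
		clampPrivateKey(&k)
	}
	return k, err
}

func main() {
	k, err := generateWireguardPrivateKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("clamped:", isClamped(k), base64.StdEncoding.EncodeToString(k[:]))
}
```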
If SideroLink is enabled, maintenance mode should only allow Siderolink connections.
Closes #5627
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Add extra context to error message when unable to properly
open the talos config file when creating a cluster.
Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
This adds the option to toggle the automatic creation of search domains.
Signed-off-by: Bᴇʀɴᴅ Sᴄʜᴏʀɢᴇʀs <me@bjw-s.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
dependabot-based, go-mod-outdated is broken due to a sum issue with the Azure
SDK package :(
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes:
* Node hostname has a different place in metadata config.
* Do not reboot if machine-config is empty.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This increases `initramfs` size by 356060 bytes (raw text database is
1.3 MiB).
In QEMU:
```
$ talosctl -n 172.20.0.2 get links eth0 -o yaml
spec:
...
productID: "0x1000"
vendorID: "0x1af4"
product: Virtio network device
vendor: Red Hat, Inc.
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
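An added example (not Talos' code) of looking up the vendor and product names shown above from the pci.ids text layout: vendor lines unindented, device lines indented one tab, subsystem lines two tabs. The embedded fragment is constructed for the example, not a copy of the database.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed pci.ids fragment (vendor unindented, device one tab, subsystem two tabs).
const sampleIDs = `# pci.ids fragment (constructed for this example)
1af4  Red Hat, Inc.
	1000  Virtio network device
	1001  Virtio block device
		1af4 0001  QEMU Virtual Machine
8086  Intel Corporation
	100e  82540EM Gigabit Ethernet Controller
`

// splitEntry separates "<4 hex digits>  <name>" lines.
func splitEntry(s string) (id, name string, ok bool) {
	id, name, ok = strings.Cut(s, "  ")
	return strings.ToLower(id), strings.TrimSpace(name), ok && len(id) == 4
}

// parsePCIIDs returns a map keyed "1af4" (vendor) and "1af4:1000" (device).
func parsePCIIDs(text string) map[string]string {
	db := map[string]string{}
	vendor := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case line == "" || line[0] == '#' || strings.HasPrefix(line, "\t\t"):
			// blanks, comments and subsystem entries are not needed for this lookup
		case line[0] == '\t':
			if id, name, ok := splitEntry(line[1:]); ok && vendor != "" {
				db[vendor+":"+id] = name
			}
		default:
			if id, name, ok := splitEntry(line); ok {
				vendor = id
				db[id] = name
			}
		}
	}
	return db
}

// lookup accepts the "0x1af4" form shown by `talosctl get links`.
func lookup(db map[string]string, vendorID, productID string) (vendor, product string) {
	v := strings.ToLower(strings.TrimPrefix(vendorID, "0x"))
	return db[v], db[v+":"+strings.ToLower(strings.TrimPrefix(productID, "0x"))]
}
```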