Make sure that machine config rejects unknown roles in Talos API access config if the feature is enabled.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This provides What's New, updates documentation with new features,
clarifications and fixes.
I also added simple bare-metal stubs for ISO and PXE methods.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add more checks for the Talos Kubernetes upgrade.
The removed api-server resources checks are kept as is, needs to be
moved to the new checks as part of #6599.
Fixes: #6444
Signed-off-by: Noel Georgi <git@frezbo.dev>
This field has a default value, but validation was prohibiting empty
value.
Fixes #6619
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR adds two additional checks which are performed during boot sequence and in `talosctl health`. They ensure that nodes have enough memory and disk.
- Boot check will print a warning if memory / disk size is not sufficient.
- Health check will fail if memory / disk size is not sufficient.
Closes #6467
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This fixes a potential panic which I found in the unit-tests logs.
The error 'not found' is ignored, so need an additional check.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
It's only used to detect if resource is `nil` or of incorrect type. Both errors are developer errors, so we should not collect them.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Currently `.Error()` call is panicking if `watchErr` is nil. Besides - we want to wrap errors the way we can unwrap them.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
There was inconsistency in the way `/v2` was appended to registry
endpoint path between containerd (CRI) and Talos:
* Talos only appended `/v2` to empty paths
* containerd appended `/v2` if it's not the suffix already
Fix Talos to act same as containerd, and introduce a setting
`overridePath` which stops both Talos and `containerd` from appending
`/v2` (should be required with e.g. Harbor registry mirror).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
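The divergence described in the commit message above, as an added Go illustration (not the Talos or containerd code): `Policy`, `ResolveEndpoint`, `Diverges` and the hostnames are hypothetical, and trimming a trailing slash before joining is an assumption of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Policy selects one of the three behaviours the commit message describes.
type Policy int

const (
	OldTalos     Policy = iota // pre-fix Talos: append /v2 only to an empty path
	Containerd                 // containerd (and fixed Talos): append unless already the suffix
	OverridePath               // overridePath set: never append
)

// ResolveEndpoint is a hypothetical helper returning the registry API base URL per policy.
func ResolveEndpoint(endpoint string, p Policy) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("endpoint %q is not an absolute URL", endpoint)
	}
	switch {
	case p == OldTalos && u.Path == "":
		u.Path = "/v2"
	case p == Containerd && !strings.HasSuffix(u.Path, "/v2"):
		// Trimming a trailing slash before joining is this example's assumption.
		u.Path = strings.TrimSuffix(u.Path, "/") + "/v2"
	}
	return u.String(), nil
}

// Diverges reports whether pre-fix Talos and containerd resolve one endpoint differently.
func Diverges(endpoint string) bool {
	a, errA := ResolveEndpoint(endpoint, OldTalos)
	b, errB := ResolveEndpoint(endpoint, Containerd)
	return errA == nil && errB == nil && a != b
}

func main() {
	// Constructed endpoints; the second mimics a mirror that already carries a path.
	for _, e := range []string{"https://mirror.example.internal", "https://harbor.example.internal/v2/proxy-cache"} {
		fmt.Println(e, "diverges:", Diverges(e))
	}
}
```

An endpoint with an empty path resolves identically under both rules; only endpoints that already carry a path expose the mismatch, which is the case `overridePath` is meant to cover.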
Fixes #6566
This avoids putting all node addresses which might not be routable
across Kubernetes.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add talosctl machineconfig patch command which accepts a machine config as input and a list of patches, applying the patches and writing the result to a file or to stdout.
Link `talosctl machineconfig gen` to `talosctl gen config`, so they work the same way.
Closes siderolabs/talos#6562.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Fixes #6553
Talos itself defaults to XFS, so IMA measurements weren't done for Talos'
own filesystems. But many other solutions create by default ext4
filesystems, or it might be something mounted by other means.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add support to specify the types of outputs to be generated by talosctl gen config.
Add support for writing a single type of output to stdout instead of a file.
Related to siderolabs/talos#6562.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This brings many fixes, including a new Watch with support for
Bootstrapped and Errored event types.
`talosctl` from before this change is still compatible, as there's gRPC
API level backwards compatibility versioning.
New client doesn't yet depend on new event types, so it will work
against Talos 1.2.x.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Host Talos mounts machined socket for API access into the installer
container (for upgrades).
Installer runs any check it might need to verify compatibility.
At the moment following checks are implemented:
* Talos version (whether upgrade from version X to Y is supported)
* Kubernetes version (whether Kubernetes version X is supported with
Talos Y).
Fixes #6149
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Enabling BTF in the kernel breaks kexec from pre-BTF kernel (e.g. when
upgrading from 1.2.x to 1.3.x).
As there's no way to detect Talos version in the installer at the
moment, use another way to detect whether BTF is enabled in the Talos
version which is running right now.
Fixes #6443
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This allows multiple `ip=` parameters, and fixes setting DHCP for any
link on the cmdline.
Fixes #6475
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
It was using value of a variable bound to another flag.
Signed-off-by: Alexandre Mclean <alexandre.mclean@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes #5937
This removes external IPs from a set of addresses published by the node
(we source addresses from 'routed' now which excludes external). This is
definitely "right" thing to do, as those addresses are not on the node
itself and can't be routed to the node.
On the other hand it also removes them from `talosctl get members`, but we
don't have to split this up right now.
For the KubeSpan endpoints, we still use 'all' addresses, as external
IPs are perfect as KubeSpan endpoints (Wireguard endpoints).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This feature allows us to use only IPv4 or IPv6 stack to reach the peers.
Also, it can help to not share the node-specific IPs,
which cannot be accessible at all.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
This is handy when the node with qemu went down, so you had to manually delete the folder after it restarted.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>