This file receives many updates, and we don't want to handle them.
Everyone can have it on their local machine.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add new section to see how to disable admission control in control
plane.
Signed-off-by: Pau Campana <pau.campanya.soler@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes an issue introduced in #5879: options should be set same way
for both `init` and `controlplane` cases.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit bumps protoenc to v0.2.0 and also adds tests to ensure that encoding fixes are working correctly.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Don't allow worker nodes to act as apid routers:
* don't try to issue client certificate for apid on worker nodes
* if a worker node receives incoming connections with `--nodes` set to
one of the local addresses of the node, it routes the request to
itself without proxying
Second point allows using `talosctl -e worker -n worker` to connect
directly to the worker if the connection from the control plane is not
available for some reason.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos worker nodes use `trustd` API on control plane nodes to issue
certificates for `apid` service. Access to the API is protected with the
Talos join token specified in the machine configuration.
There was no validation on what kind of request is requested, so
`trustd` could issue a certificate which is valid for client
authentication with any set of Talos API RBAC roles, including
`os:admin` role allowing full access to the Talos API on control plane
nodes.
See: GHSA-7hgc-php5-77qq
CVE: CVE-2022-36103
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Don't skip pods which are not ready; still try to stop containers inside
not-ready pod sandboxes.
Re-enable the test with Canal CNI (upstream Calico got fixed).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
There is no need to use `assert.Implements` since we can express this check during compile time. Go will eliminate `_` variables and any accompanying allocations during dead-code elimination phase.
This commit also removes:
```go
tok := new(v1alpha1.ClusterConfig).Token()
assert.Implements(t, (*config.Token)(nil), tok)
```
since it doesn't check anything: v1alpha1.ClusterConfig.Token() already returns a config.Token interface.
Also - run `go work sync` and `go mod tidy`.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
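The compile-time interface check described in the commit message above, written out as an added example that is not Talos code: `Token` and `ClusterConfig` are hypothetical stand-ins for `config.Token` and `v1alpha1.ClusterConfig`. The blank-identifier assignment is checked by the compiler and costs nothing at runtime, whereas `ImplementsToken` shows the reflection-style runtime check that `assert.Implements` performs and that the blank assignment makes unnecessary.

```go
package main

import "fmt"

// Token is a hypothetical stand-in for the config.Token interface named in
// the commit message (not the Talos definition).
type Token interface {
	ID() string
	Secret() string
}

// ClusterConfig is a hypothetical stand-in for v1alpha1.ClusterConfig.
type ClusterConfig struct {
	tokenID     string
	tokenSecret string
}

func (c *ClusterConfig) ID() string     { return c.tokenID }
func (c *ClusterConfig) Secret() string { return c.tokenSecret }

// Compile-time check: if *ClusterConfig ever stops satisfying Token, this
// declaration fails to compile. The blank identifier allocates nothing and
// is removed entirely by dead-code elimination.
var _ Token = (*ClusterConfig)(nil)

// ImplementsToken is the runtime equivalent of assert.Implements: it only
// finds the problem when the test runs, and only if the test exists.
func ImplementsToken(v any) bool {
	_, ok := v.(Token)
	return ok
}

// NewToken returns a constructed sample token as the Token interface; a caller
// that receives a Token cannot get anything but a Token, which is why a
// runtime assert.Implements on its result proves nothing.
func NewToken() Token {
	return &ClusterConfig{tokenID: "abc123", tokenSecret: "constructed-sample-secret"}
}

func main() {
	tok := NewToken()
	fmt.Println(tok.ID(), ImplementsToken(tok))
}
```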
The bug was triggered by `containerd` crash (restart), in this case
runner receives an error as if the process exited.
Runner tries to restart the container, but as the container is still
running, attempt to delete the task would fail.
With this change Talos always tries to kill the running container and
waits for the container to terminate.
The error message when the bug was triggered looks like:
```
service[kubelet](Waiting): Error running Containerd(kubelet), going to restart forever: failed to clean up task "kubelet": task must be stopped before deletion: running: failed precondition
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes #6156
Now access from Talos itself goes with `talos:admin` username in the
Kubernetes API server audit log, while access with admin kubeconfig goes
with `admin` username as before.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This is enabled via a machine config feature/version contract, as
`talosconfig` certificate generated previously didn't have proper key
usage set, so we need to keep backwards compatibility on upgrades.
New v1.3+ clusters will include this check.
This check prevents even potential misuse of server certificates as a
client certificate.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
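Both the `trustd` fix (GHSA-7hgc-php5-77qq) and the key-usage check above come down to the same two controls on a certificate issuer and its verifier: the issuing path authenticated by a join token must refuse to mint client certificates carrying roles the caller is not entitled to, and the verifier must require the client-auth extended key usage so that a server certificate cannot be presented as a client credential. The following added example (not Talos code; the role names are modelled on `os:admin` and `os:reader` from the commit messages, and carrying roles in the Organization field is an assumption) builds a throwaway in-memory CA with Go's standard `crypto/x509` and demonstrates both controls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical role names, modelled on the Talos RBAC roles in the commit messages.
const (
	roleAdmin  = "os:admin"
	roleReader = "os:reader"
)

// CA is a throwaway in-memory certificate authority for the demonstration.
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// NewCA generates a fresh self-signed CA valid for one hour.
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{cert: cert, key: key, pool: pool}, nil
}

// Issue signs a leaf certificate with exactly one extended key usage.
// Roles are carried in the Organization field (an assumption for this example).
func (ca *CA) Issue(cn string, roles []string, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: roles},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueWorkerClientCert is the join-token-authenticated path: the requested
// roles are validated before signing, so a worker can never obtain os:admin.
func (ca *CA) IssueWorkerClientCert(cn string, requested []string) (*x509.Certificate, error) {
	for _, r := range requested {
		if r == roleAdmin {
			return nil, errors.New("join token may not request role " + roleAdmin)
		}
	}
	return ca.Issue(cn, requested, x509.ExtKeyUsageClientAuth)
}

// VerifyClient checks the chain and additionally requires the client-auth
// EKU, so a server certificate presented as a client certificate is rejected.
func (ca *CA) VerifyClient(cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     ca.pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, _ := NewCA()
	client, _ := ca.IssueWorkerClientCert("worker-1", []string{roleReader})
	server, _ := ca.Issue("apid", nil, x509.ExtKeyUsageServerAuth)
	fmt.Println("client accepted:", ca.VerifyClient(client) == nil)
	fmt.Println("server accepted as client:", ca.VerifyClient(server) == nil)
	_, err := ca.IssueWorkerClientCert("worker-2", []string{roleAdmin})
	fmt.Println("admin request rejected:", err != nil)
}
```

Go's verifier treats a leaf with no EKU extension as compatible with any usage, so the issuing side must always set an explicit EKU; the check on the verifier only helps when every certificate the CA signs states what it is for.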
That was a mistake to use only 'routed' addresses, as they e.g. do not
include SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
As APIs were not listed explicitly, access with `os:reader` was denied
by default, while it should have been checked down in the access filter.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
There's a common logger for API calls already working, so no need to log
in the token authenticator.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes #6210
Refactored the code a bit to support excludes and default configuration.
Etcd should never advertise VIPs, as VIPs are managed by etcd elections.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit adds structprotogen tool which is used to generate proto file from Go structs.
Closes #6078.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This commit adds initial support for the Nano Pi
R4S from Friendlyelec. This device is a networking focused
rk3399 based SBC with two 1G ethernet interfaces,
making it perfect for edge or SOHO deployments.
Signed-off-by: Marvin Drees <marvin.drees@9elements.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
It should have been the opposite: it's a problem if the server version
is _older_ than the client version.
E.g. using talosctl 1.2.0 against Talos 1.1.2 is a problem, not vice
versa.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
If a member has no IP addresses, prevent cluster health checks from failing with a panic by checking for the length of member IPs and not assuming there's always at least 1 IP.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Update what's new, upgrading docs.
Fix up instances of `master` leftover in the docs.
Fix the formatting of kernel params reference.
Fixes #6150
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fix the assertions on the reboot cli test to correctly assert the event messages in lowercase.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Track the progress of the long-running actions `reboot`, `reset`, `upgrade` and `shutdown` on the client side by default, unless `--no-wait=true` is specified.
Use the events API to follow the events using the actor ID of the action and display it using an stderr reporter with a spinner.
Closes siderolabs/talos#5499.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
I hit this bug when one of the API calls got hanging, and submitting the
machine config with `apply-config` never takes the node out of
maintenance mode, as `.GracefulStop()` may hang forever waiting for all
the calls to finish.
This way we always abort at some timeout and stop the server forcefully.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes a case when a node is rebooted, and connection via another
endpoint apid "caches" a connection error even when the node is up.
E.g. this command:
```
talosctl -e IP1 -n IP2 version
```
If node `IP2` is rebooted, `apid` at `IP1` might enter long backoff loop
and return an error still when `IP2` is actually up.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
For maintenance mode (`talosctl get --insecure`), there's no 'nodes'
set, so we run the loop for a single "current" node client is connected
to.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>