We should preserve the order of keys in the generated `hosts.toml`, but
the go-toml library has no real way to do that on marshaling, so fix the
previous workaround, as it was generating invalid TOML.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes #6110
I somehow missed the fact that etcd certs were not made fully reactive
to node address changes (I wrongly assumed that was already the case).
This PR refactors the etcd certificate generation process to be
resource-based and introduces unit-tests for the controller.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes #6119
With the new stable default hostname feature, any default hostname is
disabled until the machine config is available.
Talos enters maintenance mode when the default config source is empty,
so it doesn't have any machine config available at the moment
maintenance service is started.
The hostname might be set via different sources, e.g. kernel args or via
DHCP, before the machine config is available, but if none of these sources
are available, the hostname won't be set at all.
This stops waiting for the hostname, and skips setting any DNS names in
the maintenance mode certificate SANs if the hostname is not available.
Also adds a regression test via new `--disable-dhcp-hostname` flag to
`talosctl cluster create`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
When converting a 256-bit number to base36, there's a bias in the
first character of the base36 encoding, as a 256-bit number never fits
a base36 number perfectly.
To give an example, when converting a 4-digit binary number to decimal,
the first digit of the decimal number will be [0..3], while the
second digit won't be biased:
```
0000 -> 00
0001 -> 01
...
0111 -> 15
1000 -> 16
...
1111 -> 31
```
The same issue happens when going from e.g. base16 to base36.
Stable hostnames were biased towards having a digit as the first
character.
The fix is to skip the first character of the base36 representation; also,
we don't need to convert all 256 bits to base36: if we use only 6
characters, we can save some CPU resources by taking only 8 bytes
instead of the full 32 bytes.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This allows updating the member information (for the current node) with
new advertised peer URLs as the config changes.
E.g. if the node IP changes, this will update the peer URLs for the
member accordingly.
At the same time, any member update requires quorum, so changing IPs can
only be done on a node-by-node basis.
If there are no changes to advertised peer URLs, the controller does
nothing.
A Talos node might still need a reboot to update the listen addresses, as
these are not handled automatically for now.
Fixes #6080
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
As the 'ca', 'crt' and 'key' parameters are now optional for the talos
client, requiring them for the 'talosctl config add' command no longer
makes sense.
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
Looks like it returns nil if it doesn't exist and the code doesn't
handle it properly.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Fixes re-opening editor forever when using `talosctl edit mc`.
Also fixes the temp dir getting filled up with temporary files created
for editing machine config.
Fixes: #6098
Signed-off-by: Noel Georgi <git@frezbo.dev>
The Talos client can connect to the Talos API via a proxy with basic auth.
Additionally, it is now optional to specify a TLS CA, key or crt. Optionally,
developers can build talosctl with WITH_DEBUG=1 to allow insecure
connections when http:// endpoints are specified.
Fixes #5980
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
In preparation for Talos release 1.2.0, update tools/pkgs/extras to
1.2.0.
Also update Go modules to released versions.
There should be no actual changes.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add the missing actor id on the event and a way to filter by it to the events cli command.
Related to siderolabs/talos#5499.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Overview: deprecate existing Talos resource API, and introduce new COSI
API.
Consequences:
* COSI API can only go via one-2-one proxy (`client.WithNode`)
* client-side API access is way easier with `state.State` wrappers
* lots of small changes on the client side to use new APIs
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add a new function EventsWatchV2 that blocks until receiving the first event then switches to non-blocking mode.
Also add new API functions to return responses of the lifecycle actions `reboot`, `reset` and `shutdown`.
Required for the client-side part of siderolabs/talos#5499.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Multinode requests were printing out the errors for each node to stderr,
but they didn't set the global error.
Refactor the code a bit to use a single function for handling that logic
to avoid rewriting it in many other places.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
This introduces new configuration settings to configure
advertised/listen subnets. For backwards compatibility, when using no
settings or the old 'subnet' argument, etcd still listens on all addresses.
If the new `advertisedSubnets` is being used, this automatically limits etcd
listen addresses to the same value. `listenSubnets` can also be configured
explicitly, e.g. to listen on additional addresses for some other
scenarios (e.g. accessing etcd from outside of the cluster).
See #5668
One more thing left (for a separate PR) is to update etcd advertised
URLs on the fly.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The same change will be done for etcd in a separate PR.
The idea is to introduce a subset of `current` addresses: `routed`
addresses don't include external IPs (like AWS), as they are not on the
node, and exclude SideroLink IPs (as these are not routable).
Reimplement `kubelet` nodeIP selection based on the new resources
removing the reliance on `net.IPAddrs`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
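The address selection described in the two messages above (the `routed` subset, then `advertisedSubnets`/`listenSubnets` resolution) and the peer-URL comparison from the member-update message further up, as one added example. This is illustration code, not the Talos controllers: the `External` flag, the SideroLink prefix value and the `EtcdSubnets` struct are assumptions standing in for the real resources, and the listen-all fallback is modelled as a boolean:

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strconv"
)

// NodeAddress is one entry of the node's "current" address set, annotated with
// where it came from. The External flag is an assumption for this illustration.
type NodeAddress struct {
	Addr     netip.Addr
	External bool // e.g. an AWS public IP NATed to the node, not configured on an interface
}

// sideroLinkPrefix is assumed here to be the ULA range SideroLink hands out;
// only the exclusion logic matters for the example.
var sideroLinkPrefix = netip.MustParsePrefix("fdae:41e4:649b:9303::/64")

// routedAddresses derives the `routed` subset: drop external IPs (not on the
// node) and SideroLink IPs (not routable), keeping input order.
func routedAddresses(current []NodeAddress) []netip.Addr {
	var out []netip.Addr
	for _, a := range current {
		if a.External || sideroLinkPrefix.Contains(a.Addr) {
			continue
		}
		out = append(out, a.Addr)
	}
	return out
}

// filterBySubnets keeps the addresses contained in any of the prefixes.
func filterBySubnets(addrs []netip.Addr, subnets []netip.Prefix) []netip.Addr {
	var out []netip.Addr
	for _, a := range addrs {
		for _, p := range subnets {
			if p.Contains(a) {
				out = append(out, a)
				break
			}
		}
	}
	return out
}

// EtcdSubnets mirrors the two new machine-config settings (assumed shape).
type EtcdSubnets struct {
	AdvertisedSubnets []netip.Prefix
	ListenSubnets     []netip.Prefix
}

// etcdAddresses resolves the advertised and listen address sets. listenAll is
// true when no advertisedSubnets is configured (legacy behaviour: bind all
// addresses). With advertisedSubnets set, the listen set is the advertised set
// plus whatever listenSubnets additionally matches.
func etcdAddresses(routed []netip.Addr, cfg EtcdSubnets) (advertised, listen []netip.Addr, listenAll bool) {
	if len(cfg.AdvertisedSubnets) == 0 {
		return routed, nil, true
	}
	advertised = filterBySubnets(routed, cfg.AdvertisedSubnets)
	listenSubnets := append(append([]netip.Prefix{}, cfg.AdvertisedSubnets...), cfg.ListenSubnets...)
	listen = filterBySubnets(routed, listenSubnets)
	return advertised, listen, false
}

// peerURLs renders advertised addresses as etcd peer URLs on port 2380,
// bracketing IPv6 literals via net.JoinHostPort.
func peerURLs(advertised []netip.Addr) []string {
	urls := make([]string, 0, len(advertised))
	for _, a := range advertised {
		urls = append(urls, "https://"+net.JoinHostPort(a.String(), strconv.Itoa(2380)))
	}
	return urls
}

// peerURLsChanged reports whether a member update is needed at all; the
// comparison is order-insensitive so a reordered but identical list is a no-op.
func peerURLsChanged(current, desired []string) bool {
	if len(current) != len(desired) {
		return true
	}
	seen := make(map[string]int, len(current))
	for _, u := range current {
		seen[u]++
	}
	for _, u := range desired {
		if seen[u] == 0 {
			return true
		}
		seen[u]--
	}
	return false
}

func main() {
	current := []NodeAddress{ // constructed sample address set
		{Addr: netip.MustParseAddr("10.0.0.5")},
		{Addr: netip.MustParseAddr("203.0.113.7"), External: true},
		{Addr: netip.MustParseAddr("fdae:41e4:649b:9303::1")},
		{Addr: netip.MustParseAddr("192.168.1.5")},
	}
	routed := routedAddresses(current)
	cfg := EtcdSubnets{
		AdvertisedSubnets: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
		ListenSubnets:     []netip.Prefix{netip.MustParsePrefix("192.168.0.0/16")},
	}
	adv, listen, all := etcdAddresses(routed, cfg)
	fmt.Println("routed:", routed, "advertised:", adv, "listen:", listen, "listenAll:", all)
	fmt.Println("peer URLs:", peerURLs(adv), "changed:", peerURLsChanged([]string{"https://10.0.0.5:2380"}, peerURLs(adv)))
}
```

Note the security consequence the messages only imply: once `advertisedSubnets` is set, etcd stops binding addresses outside that subnet, so an external or SideroLink address can no longer reach the peer port unless it is explicitly added via `listenSubnets`.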
Users can now add a port suffix to the endpoints used by talosctl, either
in the CLI flag or in ~/.talos/config. The default port is still 50000.
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
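The endpoint normalisation this message describes has one classic pitfall worth showing: an IPv6 literal without brackets contains colons, so a naive "does it contain a port" check mis-parses it. The following is an added example of applying the default port (not the talosctl implementation); the function name is an assumption:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// withDefaultPort (hypothetical helper) appends defaultPort to an endpoint that
// has none. net.SplitHostPort decides whether a port is present, which keeps
// bracketed IPv6 ("[::1]:443") intact; a bare IPv6 literal ("::1" or "[::1]")
// fails that split and is re-joined with brackets by net.JoinHostPort.
func withDefaultPort(endpoint, defaultPort string) string {
	if host, port, err := net.SplitHostPort(endpoint); err == nil {
		if port != "" {
			return endpoint // already has an explicit port
		}
		return net.JoinHostPort(host, defaultPort) // trailing ":" with no port
	}
	host := strings.TrimSuffix(strings.TrimPrefix(endpoint, "["), "]")
	return net.JoinHostPort(host, defaultPort)
}

func main() {
	// Constructed sample endpoints covering hostname, IPv4 and IPv6 forms.
	for _, ep := range []string{"10.0.0.5", "10.0.0.5:443", "talos.example", "::1", "[::1]", "[::1]:443"} {
		fmt.Printf("%-12s -> %s\n", ep, withDefaultPort(ep, "50000"))
	}
}
```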
Since `/var/lib/kubelet` was mounted with `rbind` and `rshared`, the
seccomp profile mount from the host at `/var/lib/seccomp/profiles`, when
mounted at `/var/lib/kubelet/seccomp/profiles`, would create a mount back
to the host, creating an extra mount every time kubelet starts/restarts.
Fix the issue by using the same path for the seccomp profiles on both
host and kubelet.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add a new field `actorID` to the events and populate it with a UUID for the lifecycle actions `reboot`, `reset`, `upgrade` and `shutdown`. This actor ID will be present on all events emitted by this triggered action. We can use this ID later on the client side to be able to track triggered actions.
We also emit an event with an empty payload on the events streaming gRPC endpoint when a client connects. The purpose of this event is to signal to the client that the event streaming has actually started.
Server-side part of siderolabs/talos#5499.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
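The client-side behaviour these two messages describe (EventsWatchV2 blocking for the first event and then draining non-blockingly, the empty "stream started" marker, and filtering by actor ID) as one added example. This is illustration code, not the Talos client: the `Event` shape and the channel standing in for the gRPC stream are assumptions:

```go
package main

import "fmt"

// Event is a simplified stand-in for a Talos event: the marker emitted on
// connect has an empty payload, and events caused by a lifecycle action carry
// the actor ID that action was assigned.
type Event struct {
	ActorID string
	Payload string
}

// IsStartMarker reports whether this is the empty event sent when the stream opens.
func (e Event) IsStartMarker() bool { return e.Payload == "" && e.ActorID == "" }

// watchV2 mirrors EventsWatchV2: block until the first event arrives, then
// switch to non-blocking mode and return everything already queued. A closed
// channel ends the watch.
func watchV2(stream <-chan Event) []Event {
	first, ok := <-stream // blocks: the caller knows the stream is live after this
	if !ok {
		return nil
	}
	out := []Event{first}
	for {
		select {
		case ev, ok := <-stream:
			if !ok {
				return out
			}
			out = append(out, ev)
		default: // nothing queued right now: stop instead of blocking
			return out
		}
	}
}

// filterByActor keeps only the events emitted by one triggered action.
func filterByActor(events []Event, actorID string) []Event {
	var out []Event
	for _, ev := range events {
		if ev.ActorID == actorID {
			out = append(out, ev)
		}
	}
	return out
}

// sampleStream builds a constructed, pre-filled stream: the start marker,
// then events from two different actions interleaved.
func sampleStream() <-chan Event {
	ch := make(chan Event, 8)
	ch <- Event{}                                       // start marker
	ch <- Event{ActorID: "reboot-1", Payload: "sequence start"}
	ch <- Event{ActorID: "upgrade-2", Payload: "sequence start"}
	ch <- Event{ActorID: "reboot-1", Payload: "task stop services"}
	ch <- Event{ActorID: "reboot-1", Payload: "sequence done"}
	return ch
}

func main() {
	events := watchV2(sampleStream())
	fmt.Println("received", len(events), "events, first is start marker:", events[0].IsStartMarker())
	for _, ev := range filterByActor(events, "reboot-1") {
		fmt.Println("reboot-1:", ev.Payload)
	}
}
```

The first blocking receive is what lets a caller distinguish "the server has not started streaming yet" from "no events have happened": once the marker arrives the watch can report progress of a specific action without waiting on later events.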