Add support for caching all platforms in a multi-platform image index
by passing --platform=all to the images cache-create command.
When all is specified, the index manifest is fetched without platform
resolution, and each platform-specific image is downloaded individually.
Attestation manifests (unknown/unknown) are included.
Include the platform in the fetch log line so each pull is identifiable,
e.g. fetching image "..." (linux/amd64).
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 786bf00abb309955616e440cd06fd0718b1b77ab)
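As an added illustration of the index handling this commit describes (example code, not Talos's own implementation), the Go program below parses an OCI image index fetched without platform resolution, returns every per-platform manifest, attestation entries included, when "all" is requested, and checks fetched bytes against the descriptor digest before they would be cached. The index JSON, the registry name and the digests are constructed placeholders; the media-type string and the `vnd.docker.reference.type` annotation are the real ones used by OCI and BuildKit.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

const mediaTypeOCIIndex = "application/vnd.oci.image.index.v1+json"

type Platform struct {
	OS           string `json:"os"`
	Architecture string `json:"architecture"`
	Variant      string `json:"variant,omitempty"`
}

// String renders os/arch[/variant], e.g. "linux/arm64/v8", as used in the fetch log line.
func (p Platform) String() string {
	if p.Variant != "" {
		return p.OS + "/" + p.Architecture + "/" + p.Variant
	}
	return p.OS + "/" + p.Architecture
}

// Descriptor is one entry of the index's "manifests" array.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Platform    *Platform         `json:"platform,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// IsAttestation: BuildKit attestation manifests sit under unknown/unknown and carry a reference annotation.
func (d Descriptor) IsAttestation() bool {
	return d.Annotations["vnd.docker.reference.type"] == "attestation-manifest" ||
		(d.Platform != nil && d.Platform.OS == "unknown" && d.Platform.Architecture == "unknown")
}

type Index struct {
	MediaType string       `json:"mediaType"`
	Manifests []Descriptor `json:"manifests"`
}

// ParseIndex decodes an index; the bytes come off the network, so reject non-indexes and malformed digests.
func ParseIndex(data []byte) (*Index, error) {
	var idx Index
	if err := json.Unmarshal(data, &idx); err != nil {
		return nil, err
	}
	if idx.MediaType != mediaTypeOCIIndex {
		return nil, fmt.Errorf("not an OCI image index: %q", idx.MediaType)
	}
	for _, m := range idx.Manifests {
		h := strings.TrimPrefix(m.Digest, "sha256:")
		if _, err := hex.DecodeString(h); err != nil || len(h) != 64 || h == m.Digest {
			return nil, fmt.Errorf("malformed digest %q", m.Digest)
		}
	}
	return &idx, nil
}

// Select: "all" keeps every entry, attestations included; anything else resolves one exact os/arch[/variant].
func Select(idx *Index, platform string) []Descriptor {
	if platform == "all" {
		return idx.Manifests
	}
	var out []Descriptor
	for _, m := range idx.Manifests {
		if m.Platform != nil && !m.IsAttestation() && m.Platform.String() == platform {
			out = append(out, m)
		}
	}
	return out
}

// VerifyDigest checks fetched bytes against the descriptor digest; a cache must refuse content that fails this.
func VerifyDigest(content []byte, digest string) bool {
	sum := sha256.Sum256(content)
	return digest == "sha256:"+hex.EncodeToString(sum[:])
}

// Constructed sample index (not a real registry response); the digests are placeholders.
var (
	digA, digB, digC = "sha256:" + strings.Repeat("a", 64), "sha256:" + strings.Repeat("b", 64), "sha256:" + strings.Repeat("c", 64)
	sampleIndex      = fmt.Sprintf(`{"schemaVersion":2,"mediaType":%q,"manifests":[
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":%q,"platform":{"os":"linux","architecture":"amd64"}},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":%q,"platform":{"os":"linux","architecture":"arm64","variant":"v8"}},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":%q,"platform":{"os":"unknown","architecture":"unknown"},
  "annotations":{"vnd.docker.reference.type":"attestation-manifest","vnd.docker.reference.digest":%q}}]}`, mediaTypeOCIIndex, digA, digB, digC, digA)
)

func main() {
	idx, _ := ParseIndex([]byte(sampleIndex))
	for _, d := range Select(idx, "all") { // one log line per entry, platform included
		fmt.Printf("fetching image %q (%s) attestation=%v\n", "registry.example.com/app:1.0", d.Platform.String(), d.IsAttestation())
	}
}
```

Matching in `Select` is an exact string compare on os/arch/variant, so a request for `linux/arm64` does not pick up a `linux/arm64/v8` entry; containerd's platform matcher is more lenient, and a real implementation should reuse it instead. The digest check matters because the index is the only thing that binds a platform entry to content: a cache that stores bytes without comparing them to the descriptor digest is trusting the transport, not the image.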
Add a test that covers all maintenance APIs in general.
Add a test for transition from SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit ad72c73006abc3b51e5371496c61d8637b2222f0)
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks into the image verification process, while the
containerd CRI plugin accesses the same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
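The rule list described in this commit is easiest to understand as code. The Go example below is added here and is not Talos's implementation or its machine config schema: the `Rule` and `Signature` types, the glob syntax, the registry name, the identities and the key label are all invented for the illustration. It shows top-down evaluation with first match winning, and a fail-closed default for images no rule covers.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ClaimKind is what a matching rule demands from the image signature.
type ClaimKind int

const (
	Deny           ClaimKind = iota // nothing satisfies the rule; the image is refused
	CosignIdentity                  // keyless cosign: OIDC issuer plus certificate subject
	StaticKey                       // signature by a fixed, pre-shared public key
)

// Rule binds a repository pattern to the claim it requires. Patterns are exact, or end in
// "/*" (one path segment) or "/**" (any depth); rules are evaluated top-down, first match wins.
type Rule struct {
	Pattern         string
	Kind            ClaimKind
	Issuer, Subject string // CosignIdentity only
	KeyID           string // StaticKey only: an opaque label for the trusted key here
}

// Signature is what a verifier extracted from the signature attached to the image.
type Signature struct {
	Issuer, Subject, KeyID string
}

// repository drops the tag and digest so rules match on the repository path only.
func repository(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if colon := strings.LastIndex(ref, ":"); colon > strings.LastIndex(ref, "/") {
		ref = ref[:colon] // a colon after the last slash is a tag, not a registry port
	}
	return ref
}

func matchRepo(pattern, repo string) bool {
	switch {
	case strings.HasSuffix(pattern, "/**"):
		return strings.HasPrefix(repo, strings.TrimSuffix(pattern, "**"))
	case strings.HasSuffix(pattern, "/*"):
		prefix := strings.TrimSuffix(pattern, "*")
		return strings.HasPrefix(repo, prefix) && !strings.Contains(repo[len(prefix):], "/")
	}
	return pattern == repo
}

// FindRule returns the first rule matching the reference; an uncovered image gets Deny,
// so the policy fails closed for registries nobody thought about.
func FindRule(rules []Rule, ref string) Rule {
	repo := repository(ref)
	for _, r := range rules {
		if matchRepo(r.Pattern, repo) {
			return r
		}
	}
	return Rule{Pattern: repo, Kind: Deny}
}

// Verify applies the selected rule to the signature claim; nil means the image may run.
func Verify(rules []Rule, ref string, sig *Signature) error {
	r := FindRule(rules, ref)
	switch r.Kind {
	case CosignIdentity:
		if sig == nil || sig.Issuer != r.Issuer || sig.Subject != r.Subject {
			return fmt.Errorf("%s: signer identity does not satisfy rule %q", ref, r.Pattern)
		}
	case StaticKey:
		if sig == nil || sig.KeyID != r.KeyID {
			return fmt.Errorf("%s: not signed by key %q required by rule %q", ref, r.KeyID, r.Pattern)
		}
	default:
		return errors.New(ref + ": denied, no rule allows this image")
	}
	return nil
}

// Constructed policy for the example: hypothetical registry, identities and key label.
var policy = []Rule{
	{Pattern: "registry.example.com/platform/*", Kind: CosignIdentity,
		Issuer: "https://token.actions.githubusercontent.com", Subject: "https://github.com/example/platform/.github/workflows/release.yaml@refs/heads/main"},
	{Pattern: "registry.example.com/legacy/**", Kind: StaticKey, KeyID: "legacy-signing-key-2024"},
	{Pattern: "registry.example.com/**", Kind: Deny}, // catch-all for the rest of our registry
}

func main() {
	good := &Signature{Issuer: policy[0].Issuer, Subject: policy[0].Subject}
	for _, ref := range []string{"registry.example.com/platform/agent:1.2.3", "registry.example.com/platform/sub/agent:1", "docker.io/library/nginx:latest"} {
		fmt.Println(ref, "->", Verify(policy, ref, good))
	}
}
```

The cryptographic work (fetching the cosign signature, validating the certificate chain and transparency-log proof for keyless identities, or checking the signature against a static key) is what fills in the `Signature` value; this example only shows how the resulting claim is matched against the policy. Two details are worth copying: match on the repository with tag and digest stripped, so `agent:1.2.3` and `agent@sha256:…` hit the same rule, and end each registry's rules with a catch-all `Deny`, so a sub-path like `platform/sub/agent` cannot slip past a single-segment pattern into a looser rule further down.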
Add new `talosctl install` command using the LifecycleService.Install
streaming API with support for insecure (maintenance) mode and progress
reporting. Refactor `talosctl upgrade` to use the new
LifecycleService.Upgrade streaming API with automatic fallback to the
legacy MachineService.Upgrade path for older Talos versions.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
drop the old cli-utils based manifest apply logic and replace it with the new fluxcd/pkg/ssa based implementation
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
The call to filepath.join in current code causes breakage when using talosctl on windows due to wrong slash introduced into the embed path.
Signed-off-by: Jan Paul <paulj@nerakhon.cz>
Use the library built for tview, so that we don't have to have two UI
libraries working in parallel in the same TUI.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pulls in KMS with logging, and adds more logging to Talos.
This allows debugging encryption problems better.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The disks flag Set method was appending new disk requests to the existing ones,
which caused duplicate disk entries when custom values for the disks flag were set.
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
This affects reading multi-doc machine config via `talosctl` from Talos
machines v1.11 and below by `talosctl` of v1.12 and up.
The problem is that before v1.12 Talos returned machine config as an
embedded document instead of the spec of the resource, which was not
valid YAML. It worked via hacks we used in our fork of the yaml library.
Talos v1.12+ cleans that up by marshaling the config as a string, and
drops the forked library. The problem is that we still can't pass
multi-doc YAML via this path, so we have to resort to going into COSI
internals to retrieve the actual value as written by the Talos API.
Note: there is no problem for Omni, as it goes via protobuf path which
hasn't been affected.
Fixes #12787
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Re-generate, fix new linting issues.
Update containerd library to the latest 2.2.1 to address the new cgroups
package import (via tools update).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This command is very specific to terminal operations which don't exist
or might not work well enough on Windows.
Windows users will have better luck with WSL and Linux talosctl.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This implements a way to run a debug container with a provided image on
the node.
The container runs with a privileged profile, allowing one to issue
debugging commands (e.g. using some advanced network tools) to
troubleshoot a machine.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
These new APIs only support one-to-one proxying, so they don't have any
hacks, and look like regular gRPC APIs.
Old APIs are deprecated, but still supported.
Implement client-side multiplexing in `talosctl`, provide fallback to
old APIs for legacy Talos versions.
New APIs include removing an image, importing an image.
Extracted from #12392
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This command was always hidden, rename it to `debug-tool` to free up the
`talosctl debug` for #12932.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The --k8s-endpoint flag was defined but never used in the rotate-ca
command. This fix passes the flag value through to the Kubernetes
client, allowing users to override the default Kubernetes API endpoint
during CA rotation.
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Simplify the flow a bit by using live partition info,
avoid doing some calculations which are already done in the
partition code.
Remove some steps I believe we don't need to do.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It was in Long before, but displayed wrongly on the docs website
(already used by the image cache-create cmd).
Signed-off-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Migrate KubeSpan configuration to support multi-document format.
Add version-aware support for talosctl cluster create and gen config.
Uses multi-doc format for Talos 1.13+, legacy format for 1.12 and earlier.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The `persist` value was locked to be true for a long time now, and Talos
doesn't support any other mode (machine config is persisted).
Drop the `gen config` flag and related generate options, as modern Talos
doesn't accept `persist: false`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add the following flags to the upgrade-k8s command:
* `--force-conflicts` overwrite the fields when applying even if the field manager differs
* `--inventory-policy` string kubernetes SSA inventory policy (one of 'MustMatch', 'AdoptIfNoInventory' or 'AdoptAll') (default "AdoptIfNoInventory")
* `--no-prune` whether pruning of previously applied objects should happen after apply
* `--prune-timeout` int how long to wait for resources to be pruned in seconds (set to zero to disable waiting for resources to be fully deleted) (default 180)
* `--reconcile-timeout` int how long to wait for resources to be fully reconciled in seconds (set to zero to disable waiting for resources to be fully reconciled) (default 180)
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
After changing `talosctl images k8s-bundle and talos-bundle`
we stopped printing some of the images to release notes.
This fixes that issue.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Overlays installers assume the `/boot/EFI` path, so we generate assets into `/boot/EFI` then move that directory to the mountPrefix+/EFI.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Boards were deprecated in favor of overlays from Talos 1.7.
Now completely remove all board specific code.
Part of: #12492
Signed-off-by: Noel Georgi <git@frezbo.dev>
The interactive installer has been deprecated since v1.12 cycle,
now removed completely including the API method.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also changes the bootloader interface.
Disks are formatted/created with pre-populated source directories in Install/Image mode.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Support creating filesystems from `SourceDirectory`, this implies partitions can have the data populated when formatted.
ImageCache handling is now using `SourceDirectory` while formatting simplifying the code.
Signed-off-by: Noel Georgi <git@frezbo.dev>
I don't see much point in this check, as it's only valuable when joining
a local development instance of Omni, which is a pretty nice use case.
But this check breaks joining a "real" Omni which has a hostname in the
endpoint.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use the grouping feature to reflect internal command structure better in
the `--help` output.
```
$ talosctl --help
A CLI for out-of-band management of Kubernetes nodes created by Talos

Usage:
  talosctl [command]

Manage running Talos clusters:
  apply-config  Apply a new configuration to a node
  bootstrap     Bootstrap the etcd cluster on the specified node.
  cgroups       Retrieve cgroups usage information
  config        Manage the client configuration file (talosconfig)
  conformance   Run conformance tests
  containers    List containers
  copy          Copy data out from the node
  dashboard     Cluster dashboard with node overview, logs and real-time metrics
  dmesg         Retrieve kernel logs
  edit          Edit Talos node machine configuration with the default editor.
  etcd          Manage etcd
  events        Stream runtime events
  get           Get a specific resource or list of resources (use 'talosctl get rd' to see all available resource types).
  health        Check cluster health
  image         Manage CRI container images
  inspect       Inspect internals of Talos
  kubeconfig    Download the admin kubeconfig from the node
  list          Retrieve a directory listing
  logs          Retrieve logs for a service
  memory        Show memory usage
  meta          Write and delete keys in the META partition
  mounts        List mounts
  netstat       Show network connections and sockets
  patch         Patch machine configuration of a Talos node with a local patch.
  pcap          Capture the network packets from the node.
  processes     List running processes
  read          Read a file on the machine
  reboot        Reboot a node
  reset         Reset a node
  restart       Restart a process
  rollback      Rollback a node to the previous installation
  rotate-ca     Rotate cluster CAs (Talos and Kubernetes APIs).
  service       Retrieve the state of a service (or all services), control service state
  shutdown      Shutdown a node
  stats         Get container stats
  support       Dump debug information about the cluster
  time          Gets current server time
  upgrade       Upgrade Talos on the target node
  upgrade-k8s   Upgrade Kubernetes control plane in the Talos cluster.
  usage         Retrieve a disk usage
  version       Prints the version
  wipe          Wipe block device or volumes

Commands to generate and manage machine configuration offline:
  gen           Generate CAs, certificates, and private keys
  inject        Inject Talos API resources into Kubernetes manifests
  machineconfig Machine config related commands
  validate      Validate config

Local Talos cluster commands:
  cluster       A collection of commands for managing local docker-based or QEMU-based clusters

Additional Commands:
  completion    Output shell completion code for the specified shell (bash, fish or zsh)
  help          Help about any command

Flags:
  -h, --help   help for talosctl

Use "talosctl [command] --help" for more information about a command.
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Un-hide the `talosctl cluster create` command, as it hides its children,
but instead hide all flags. The flags are still documented for
`talosctl cluster dev`.
Fixes #12423
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When creating Talos with QEMU on Mac, do not override default DNS settings to Gateway IPs
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
s/default/k8s-bundle
s/source-bundle/talos-bundle
for UX consistency when generating lists of images used by talos.
Remove non-k8s images from k8s-bundle list.
Signed-off-by: Justin Garrison <justin.garrison@siderolabs.com>
Use UKI cmdline either if the config is missing completely, or if the
incomplete machine config is present (we are in maintenance mode).
Fixes #12349
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Try to be more smart while parsing `--config-patch` (and similar) flags:
* we still support inline patches
* if the flag value doesn't look like a patch, try to use it as a
filename directly
This avoids common confusion with `--config-patch=patch.yaml` returning
an error "expected a mapping node".
Also clarify/update the documentation for `talosctl edit` and `talosctl
patch`, as they only work for the machineconfig; there is no other
use case now.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
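One way to implement the heuristic described in this commit, as an added Go example rather than talosctl's own code: the regular expression, the `@` file-prefix handling and the `Classify`/`Load` names are assumptions made for the illustration. The edge case worth handling is a Windows path such as `C:\patches\hostname.yaml`, which contains a colon yet must still be treated as a filename.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// PatchSource says how a --config-patch argument should be consumed.
type PatchSource int

const (
	PatchInline PatchSource = iota // the value is the patch document itself
	PatchFile                      // the value names a file that holds the patch
)

// looksLikeYAMLKey matches the start of a YAML mapping or sequence ("machine:", "- op: add").
// The colon must be followed by whitespace or end of input, so "C:\patches\x.yaml" stays a path.
var looksLikeYAMLKey = regexp.MustCompile(`^(-\s+)?[A-Za-z_][\w.-]*:(\s|$)`)

// Classify decides between an inline patch and a filename:
//   - "@file" keeps the explicit file prefix
//   - a value that opens a JSON document, a YAML key or a YAML list item is inline
//   - anything else is tried as a filename
func Classify(arg string) (PatchSource, string) {
	if strings.HasPrefix(arg, "@") {
		return PatchFile, arg[1:]
	}
	trimmed := strings.TrimSpace(arg)
	switch {
	case strings.HasPrefix(trimmed, "{"), strings.HasPrefix(trimmed, "["):
		return PatchInline, arg
	case strings.Contains(trimmed, "\n"), looksLikeYAMLKey.MatchString(trimmed):
		return PatchInline, arg
	}
	return PatchFile, arg
}

// Load turns one argument into patch bytes. readFile is injected so the fallback can be
// exercised without a filesystem; pass os.ReadFile in real use.
func Load(arg string, readFile func(string) ([]byte, error)) ([]byte, error) {
	src, value := Classify(arg)
	if src == PatchInline {
		return []byte(value), nil
	}
	data, err := readFile(value)
	if err != nil {
		return nil, fmt.Errorf("%q is neither an inline patch nor a readable file: %w", arg, err)
	}
	return data, nil
}

func main() {
	for _, arg := range os.Args[1:] {
		data, err := Load(arg, os.ReadFile)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		fmt.Printf("%q -> %d bytes of patch\n", arg, len(data))
	}
}
```

The error message from `Load` names both interpretations on purpose: the confusing "expected a mapping node" the commit mentions came from silently treating a filename as YAML, and the fix is only an improvement if the failure mode tells the user which of the two readings was attempted.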