This is a regression compared to Talos 1.12: allow blockdevice wipe in
maintenance mode (with `os:reader` role).
Also improve the test for maintenance via SideroLink - add a test on
install, META write and reboot preserving META value.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 1dd701efa8119b6515a62ff68c430c99a96f2b68)
As one of the integration tests was overriding TrustedRoots config, it
erased the required settings leading to a random failure (depending on
the nodes picked for subsequent tests).
Fixes#13013
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 70cefab6af3dacdc80921b55ca8dbf5644501c6c)
Add a test that covers all maintenance APIs in general.
Add a test for transition from SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit ad72c73006abc3b51e5371496c61d8637b2222f0)
The gpu-operator device plugin generates CDI specs with hooks pointing
to /usr/bin/nvidia-ctk and /usr/bin/nvidia-cdi-hook (hardcoded defaults
in NVIDIA/k8s-device-plugin and NVIDIA/nvidia-container-toolkit). Talos
extensions install these binaries under /usr/local/bin/, so pods
requesting nvidia.com/gpu resource limits fail with "no such file".
Add /usr/bin/nvidia-ctk and /usr/bin/nvidia-cdi-hook to the rootfs as
symlinks.
Fixes: #13021
Fixes: https://github.com/siderolabs/extensions/issues/1017
Signed-off-by: David Orman <ormandj@corenode.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 9597714f625ac07bf74de32a24c3e6dad5abdc91)
We should use the endpoint(s) from the original talosconfig instead of
using node IPs, as they might be private/behind the LB.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 8e1c8a7a90fb039fd8a639a1218c169bc683d141)
Drop maintenance service and all the code supporting it directly.
Instead, move all network API termination into the `apid` service, which
now can work now in more modes to support maintenance operations as
well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add RoutingRuleConfig multi-doc config type for management of routing rules.
KubeSpan now uses COSI resources instead of direct kernel management.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
This was yet another socket with implicit auth - remove it completely
by reworking the only usecase for it - cluster-side health checks.
Now these health checks build a "regular" network Talos API client (as
they anyways work only controlplane nodes).
Refactor the check for controlplane nodes to use resources instead of
machine config directly (as machine config might not be always present).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add symlinks that are expected by nvidia-gpu-operator.
These symlinks point to empty files when nvidia-container-toolkit extension is not added.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks up in the image verification process, while
containerd CRI plugin accesses same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update provision integration tests to use the new LifecycleService.Upgrade
streaming API with image pre-pull via ImageService. Fall back to the legacy
MachineService.Upgrade path when the server returns Unimplemented. Extract
shared post-upgrade wait logic into a reusable `waitForUpgrade` helper.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Environment suite tests fail often, especially on AWS/GCP.
This change makes the tests more robust.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
drop the old cli-utils based manifest apply logic and replace it with the new fluxcd/pkg/ssa based implementation
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also allow the system containerd to execute igzip, which is essential
for pulling images
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Re-generate, fix new linting issues.
Update containerd library to the latest 2.2.1 to address the new cgroups
package import (via tools update).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This implements a way to run a debug container with a provided image on
the node.
The container runs with privileged profile, allowing to issue debugging
commands (e.g. using some advanced network tools) to troubleshoot a
machine.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add DisableAccessTime and Secure mount options for existing volumes.
DisableAccessTime adds noatime parameter to disable access time updates.
Secure adds nosuid and nodev parameters for security (defaults to true).
Add integration tests for both options.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
These new APIs only support one2one proxying, so they don't have any
hacks, and look as regular gRPC APIs.
Old APIs are deprecated, but still supported.
Implement client-side multiplexing in `talosctl`, provide fallback to
old APIs for legacy Talos versions.
New APIs include removing an image, importing an image.
Extracted from #12392
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This commit introduces ProbeConfig, a new network configuration document type
that allows users to configure TCP connectivity probes to monitor network
endpoints.
Features:
- ProbeConfig document type with TCP probe support
- ProbeSpec and ProbeStatus resources for probe management
- ProbeConfigController to translate ProbeConfig into ProbeSpec
- ProbeController to execute probes and update ProbeStatus
- Configurable probe interval, timeout, and failure threshold
- Integration tests for API functionality
Signed-off-by: Mickaël Canévet <mickael.canevet@proton.ch>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for negative max size values in volume configuration.
Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example, a max size of "-10GiB" means the volume can grow to the device size minus 10GiB.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Open the blockdevice in `O_EXCL` mode when wiping to ensure that we
don't wipe a mounted device.
This issue was discovered via #12620, when we wipe a blockdevice which
is still mounted ending up in a wrong state.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
BREAKING: internal resources for the components use different
representation of AxtraArgs, resulting in modified types in protocol
buffers.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
Fixes#12491
In (almost) all places we previously used `FastWipe`, use instead a
helper which will try to discover filesystem/partition signatures, and
wipe them.
This fixes the issue when a partition re-created in the same place might
already hit a scenario when the "old" filesystem is discovered in the
same place.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Migrate KubeSpan configuration to support multi-document format.
Add version-aware support for talosctl cluster create and gen config.
Uses multi-doc format for Talos 1.13+, legacy format for 1.12 and earlier.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
add the following flags to the upgrade-k8s command:
* `--force-conflicts` overwrite the fields when applying even if the field manager differs
* `--inventory-policy` string kubernetes SSA inventory policy (one of 'MustMatch', 'AdoptIfNoInventory' or 'AdoptAll') (default "AdoptIfNoInventory")
* `--no-prune` whether pruning of previously applied objects should happen after apply
* `--prune-timeout` int how long to wait for resources to be pruned in secunds (set to zero to disable waiting for resources to be fully deleted) (default 180)
* `--reconcile-timeout` int how long to wait for resources to be prfully reconciled in secunds (set to zero to disable waiting for resources to be fully reoondiled) (default 180)
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
* add SSA via the new go-kubernetes library implementation to talosctl `upgrade-k8s` command
* add SSA via direct ResourceInterface call into talos (machined) with a manual inventory update
* add an integration test for ssa functionality
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When building for the release, as the release hasn't been finalized yet,
the test might fail.
```
run.go:146: Running "/home/runner/_work/talos/talos/_out/talosctl-linux-amd64 --talosconfig /tmp/e2e/docker/talosconfig image talos-bundle v1.13.0-alpha.0"
run.go:210:
Error Trace: /src/internal/integration/base/run.go:210
/src/internal/integration/base/cli.go:107
/src/internal/integration/cli/image.go:142
/go/src/runtime/asm_amd64.s:1693
Error: Received unexpected error:
exit status 1
Test: TestIntegration/cli.ImageSuite/TestSourceBundle
Messages: command failed, stdout: "", stderr: "error fetching official extensions for v1.13.0-alpha.0: HEAD https://ghcr.io/v2/ghcr.io/siderolabs/extensions/manifests/v1.13.0-alpha.0: unexpected status code 404 Not Found (HEAD responses have no body, use GET for details)\n"
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The interactive installer has been deprecated since v1.12 cycle,
now removed completely including the API method.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add a test for this case
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
s/default/k8s-bundle
s/source-bundle/talos-bundle
for UX consistency when generating lists of images used by talos.
Remove non-k8s images from k8s-bundle list.
Signed-off-by: Justin Garrison <justin.garrison@siderolabs.com>
Extracted from #12115
The idea is that kernel log can be delivered/persisted along with any
other service logs.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
