Add support for caching all platforms in a multi-platform image index
by passing --platform=all to the images cache-create command.
When all is specified, the index manifest is fetched without platform
resolution, and each platform-specific image is downloaded individually.
Attestation manifests (unknown/unknown) are included.
Include the platform in the fetch log line so each pull is identifiable,
e.g. fetching image "..." (linux/amd64).
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 786bf00abb309955616e440cd06fd0718b1b77ab)
Also clean up some imports in go.mod, reduce replaced modules.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 9c34591144f1e2fc759fdc6d56694541eb9f241a)
Add a test that covers all maintenance APIs in general.
Add a test for transition from SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit ad72c73006abc3b51e5371496c61d8637b2222f0)
Whitelist services which can access the file socket, refuse other
connections.
Fixes#12701
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 038cb87354eea1c1ff4612bdd13d1e77e595955a)
Update to the latest available release.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit b1a02f3681c7e361ee6a3ef3d230b47480b48408)
Our fixes got merged, and more fixes in the library as well.
Bump grpc library (due to a reported CVE which we are not affected
with).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 86344639fcb76d9430ac1e975c98db4488701e43)
Drop maintenance service and all the code supporting it directly.
Instead, move all network API termination into the `apid` service, which
now can work now in more modes to support maintenance operations as
well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add ErrMissingAPIVersion check in the config document decoder, parallel
to the existing ErrMissingKind. Previously, a typo in the apiVersion key
(e.g. 'apiVerstion') would result in a misleading 'not registered' error
instead of clearly indicating the missing field.
Signed-off-by: Dominik Pitz <pitzdominik@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add RoutingRuleConfig multi-doc config type for management of routing rules.
KubeSpan now uses COSI resources instead of direct kernel management.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Also sync tools, now the kernel is built with LLVM 22.1.
See https://github.com/siderolabs/pkgs/issues/1479 for the context.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This was yet another socket with implicit auth - remove it completely
by reworking the only usecase for it - cluster-side health checks.
Now these health checks build a "regular" network Talos API client (as
they anyways work only controlplane nodes).
Refactor the check for controlplane nodes to use resources instead of
machine config directly (as machine config might not be always present).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
A fixup for #12896
The health check might be running as a reduced privilege role client, so
don't pull the machine config, but instead read a field from a
non-sensitive resource.
As this field doesn't exist in older versions of Talos, the check should
still run by default (as it will be empty).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks up in the image verification process, while
containerd CRI plugin accesses same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add new `talosctl install` command using the LifecycleService.Install
streaming API with support for insecure (maintenance) mode and progress
reporting. Refactor `talosctl upgrade` to use the new
LifecycleService.Upgrade streaming API with automatic fallback to the
legacy MachineService.Upgrade path for older Talos versions.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Implement new minimal Install/Upgrade LifecycleService API with streaming
support for real-time progress reporting. Add protobuf definitions, gRPC
service implementation, and client bindings.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
This PR would add the ability to generate a standardized document for trusted roots.
Ran into wanting this with the vsphere provider and I generally feel like we should try
to extend the available standard patches here over time.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The `talosctl upgrade-k8s` doesn't support pinning to image digests, but
it should ignore any image digests if they already exist in the
machine configuration.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
drop the old cli-utils based manifest apply logic and replace it with the new fluxcd/pkg/ssa based implementation
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
Since the type was changed to the custom one, merging code can't handle
it correctly, so add an explicit merge method.
```
merge field v1alpha1.Config.ClusterConfig: merge field v1alpha1.ClusterConfig.ProxyConfig: merge field v1alpha1.ProxyConfig.ExtraArgsConfig: merge map key v1alpha1.Args[metrics-bind-address]: merge field v1alpha1.ArgValue.strValue: merge not possible, left $(POD_IP):10249 is not settable
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
There were two issues which prevented this patch from working:
* `CommonLinkConfig` is an embedded struct, so we need to make selector
descend into embedded structs properly
* The previous `reflect.Value.String()` doesn't handle correctly complex
values (like `netip.Prefix`) which have a custom `fmt.Stringer`
See https://github.com/siderolabs/talos/discussions/12848#discussioncomment-15910003
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#12822
This stops the internal Kubernetes client goroutine which reloads certs
from being started.
This is only part of the full fix, as there is a TLS transport leak
related to go-kubernetes client aggressively caching TLS configs with
unique dialers (a separate fix will go to `go-kubernetes`).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Allow LinkAliasConfig names like net%d to match multiple links and assign
sequential aliases in alphabetical order, skipping links already claimed by
earlier alias configs. Add validation for the format verb and controller
tests covering ordering and reconciliation on link changes.
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Not updating Go modules yet, as there's a dependency conflict via
fluxcd/pkg/ssa right now due to removed autoscaling API in k8s.io/api.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pulls in KMS with logging, and adds more logging to Talos.
This allows to debug encryption problems better.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
