This PR allows the ability to generate `secrets.yaml` (`talosctl gen secrets`) using a Kubernetes PKI directory path (e.g. `/etc/kubernetes/pki`) as input. Also introduces the flag `--kubernetes-bootstrap-token` to be able to set a static Kubernetes bootstrap token in the generated `secrets.yaml` file instead of a randomly-generated one. Closes siderolabs/talos#5894.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
The end result is that every Talos CLI accepts both JSON and strategic
patches to patch machine configuration.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This format is much easier to understand when compared to JSON patches,
it allows for more patch validation, and it should provide better user
experience.
This just implements the config merge, but it doesn't yet hook it up to
any CLI utility, so no user-facing docs.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit adds dracut-style VLAN support to allow
installing Talos in networks where ports are not tagged
with a default VLAN.
Signed-off-by: Eirik Askheim <eirik@x13.no>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR fixes a mistake in the bridge support docs and the reference to its docs in the changelog.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
The URL to fetch the configuration for a talos node is given by the
talos.config kernel parameter. We add support for 4 variables ${uuid},
${serial}, ${mac} and ${hostname} which substitute the device UUID,
DMI-sourced serial number, MAC address of the first network interface to
be up and the hostname respectively.
Fixes #3272
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
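The substitution described above, as an added illustration that is not Talos's own implementation: a small Go function that expands the four documented variables in a `talos.config` URL from a map of values. It rejects unknown variable names and empty values so a typo in the kernel parameter fails loudly instead of quietly fetching configuration from an unintended URL, and it query-escapes the substituted values (the escaping and the sample values are assumptions for the example).

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// supported lists the variables the commit message describes; anything else
// is an error rather than silently passed through to the config server.
var supported = map[string]bool{
	"uuid": true, "serial": true, "mac": true, "hostname": true,
}

var varRe = regexp.MustCompile(`\$\{([^}]*)\}`)

// ExpandConfigURL substitutes ${uuid}, ${serial}, ${mac} and ${hostname} in a
// talos.config URL. Values are query-escaped because they are sent as part of
// a URL and a DMI serial number may contain spaces or reserved characters.
func ExpandConfigURL(raw string, values map[string]string) (string, error) {
	var firstErr error
	out := varRe.ReplaceAllStringFunc(raw, func(m string) string {
		name := strings.TrimSuffix(strings.TrimPrefix(m, "${"), "}")
		if !supported[name] {
			if firstErr == nil {
				firstErr = fmt.Errorf("unsupported variable %q in talos.config", name)
			}
			return m
		}
		v, ok := values[name]
		if !ok || v == "" {
			if firstErr == nil {
				firstErr = fmt.Errorf("no value available for %q", name)
			}
			return m
		}
		return url.QueryEscape(v)
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

func main() {
	// Constructed sample values; on a real node these would come from DMI,
	// the first interface that comes up, and the hostname.
	values := map[string]string{
		"uuid":     "11111111-2222-3333-4444-555555555555",
		"serial":   "SN 0001",
		"mac":      "52:54:00:ab:cd:ef",
		"hostname": "worker-1",
	}
	u, err := ExpandConfigURL(
		"https://config.example.com/talos?uuid=${uuid}&serial=${serial}&mac=${mac}&host=${hostname}",
		values,
	)
	fmt.Println(u, err)
}
```

Escaping at substitution time means a serial number or hostname can never break the query string apart or inject extra parameters into the request the node sends to the configuration server.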
With Pod Security, we need to allow privileged for rook-ceph.
This fix was lost when reverting day-two.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This allows building a custom Talos image which comes with some system
extension bundled in. Sometimes we might need to have an extension in
the initial image, e.g. `vmtoolsd` for the VMware Talos image.
Syntax:
```
make image-aws \
IMAGER_SYSTEM_EXTENSIONS="ghcr.io/siderolabs/amd-ucode:..."
```
System extensions are not supported for now for ISO images, as they
don't go through the common installer flow (#5725).
Also it might be nice to add a simple way to generate just
`initramfs.xz` with system extensions bundled in (e.g. for PXE booting).
(#5726)
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
It wasn't used when building an endpoint to the local API server, so
Talos couldn't talk to the local API server when the port was changed from
the default one.
Fixes #5706
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This is in line with CIS guidelines. Otherwise the kube-apiserver will pass along the request with the group
set to `system:unauthenticated`. This will expose anything that is allowed by the `system:public-info-viewer`
and `system:discovery` cluster roles.
Signed-off-by: Rio Kierkels <riokierkels@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
dependabot-based, go-mod-outdated is broken due to a sum issue with the Azure
SDK package :(
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
dependabot + go-mod-outdated
`arp` library is now using Go stdlib `netip.Addr`, so we need an ugly
way to convert `netaddr.IP` to `netip.Addr`. We should soon refactor to
use `netip.Addr` everywhere (starting with `siderolabs/net` package).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>