Fixes#4656
As now changes to kubelet configuration can be applied without a reboot,
`talosctl upgrade-k8s` can handle the kubelet upgrades as well.
The gist is simply modifying machine config and waiting for `Node`
version to be updated, rest of the code is required for reliability of
the process.
Also fixed a bug in the API while watching deleted items with
tombstones.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Makes `talosctl` autocomplete the most used dynamic positional parameters like resource definitions, IDs of resource definitions, and also values for arguments like `--nodes` and `--context`.
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Update Go modules to the latest versions including talos-systems/
released modules.
In preparation for 0.14-beta release.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR solves problems:
1. You want to run controlplane from etcd-backup, and make
changes/investigation and be sure that controlplane
does no change resources.
2. Run controlplane in less memory only for quorum.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Co-authored-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Still no proper tags for Kubernetes modules (known issue upstream).
Also bump dependencies.
Closes#4605closes#4606
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Related to #4448
The only remaining part is filtering out SideroLink addresses when Talos
looks for a node address.
See also https://github.com/talos-systems/siderolink/pull/2
The way to test it out:
```
$ talosctl cluster create ... --extra-boot-kernel-args
siderolink.api=172.20.0.1:4000
```
(where 172.20.0.1 is the bridge IP)
Run `siderolink-agent` (test implementation):
```
$ sudo _out/siderolink-agent-linux-amd64
```
Now on the host, there should be a `siderolink` Wireguard userspace
tunnel:
```
$ sudo wg
interface: siderolink
public key: 2aq/V91QyrHAoH24RK0bldukgo2rWk+wqE5Eg6TArCM=
private key: (hidden)
listening port: 51821
peer: Tyr6C/F3FFLWtnzqq7Dsm54B40bOPq6++PTiD/zqn2Y=
endpoint: 172.20.0.1:47857
allowed ips: fdae:41e4:649b:9303:b6db:d99c:215e:dfc4/128
latest handshake: 2 minutes, 2 seconds ago
transfer: 3.62 KiB received, 1012 B sent
...
```
Each Talos node will be registered as a peer, tunnel is established.
You can now ping Talos nodes from the host over the tunnel:
```
$ ping fdae:41e4:649b:9303:b6db:d99c:215e:dfc4
PING fdae:41e4:649b:9303:b6db:d99c:215e:dfc4(fdae:41e4:649b:9303:b6db:d99c:215e:dfc4) 56 data bytes
64 bytes from fdae:41e4:649b:9303:b6db:d99c:215e:dfc4: icmp_seq=1 ttl=64 time=0.352 ms
64 bytes from fdae:41e4:649b:9303:b6db:d99c:215e:dfc4: icmp_seq=2 ttl=64 time=0.437 ms
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#4407fixes#4489
This PR started by enabling simple restart of the `kubelet` service via
services API, but it turned out there's a problem:
When kubelet restarts, CNI is already up, so there's an interface on the
host with CNI node IP, the code which picks kubelet node IP finds it and
tries to add it to the list of kubelet node IPs which completely breaks
kubelet.
Solution was easy: allow node IPs to be filtered out - e.g. we never
want kubelet node IP to be from the pod CIDR.
But this filtering feature is also useful in other cases, so I added
that as well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#4279
These APIs were deprecated in 0.13, now it's time to drop them for 0.14.
They were not used anywhere in Talos, so no changes on Talos side.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add JSON over TCP support.
Add support for multiple loggers.
Make logging configurable.
Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
This updages CoreDNS from 1.8.4 which includes many fixes from upstream.
Also this seems to fix timeouts introduced in the change which added
`rewrite stop type AAAA A` rule to the `Corefile`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Brings udev rules as first class citizens in the machine config
Allows for customizing how udev devices are presented in the system. My case in particular, I need to change the group and permissions for the Intel QuickSync renderer device to enable non-root containers to make use of the hardware transcoding capabilities of the Intel GPU.
Signed-off-by: Branden Cash <ammmze@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This enables cluster discovery by default for Talos 0.14. KubeSpan is
not enabled by default.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
