This change is pretty mechanical, just wrap every API so that the remote
peer address is used as the default for `resp.Metadata.Hostname`.
This makes `NODE:` non-empty in all the API calls.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This PR adds the ability to override the image in our default build step
function in jsonnet. Needed so we can override the image easily for
basic integration tests.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This PR adds a `--output-dir/-o` flag to osctl config generate and will
attempt to create the directory path and write the generated files to
that location. Will close #1509.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This PR adds the `--client` flag to `osctl version` so that we exit
before attempting to contact the server to get its version. Will close #1363.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This PR clarifies a few nits about the vmware docs. We were referring to
alpha.2 in lots of places. I moved this to a note that just says to set
TALOS_VERSION to `v0.3.0-alpha.10` or similar. Also clarifies the path
to the ova could be any /path/to/downloaded/file.
Should close #1572 when we've gotten some extra info about the hardware
versions.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This is a simple refactor that reduces the number of arguments required
by `NewTemporaryClientFromPKI`.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This changes the way the sidebar anchors are constructed, and if
there is an anchor in the URL, the Content component will render
the requested page, instead of just the top-level docs page.
Signed-off-by: Tim Gerla <tim@gerla.net>
If `osctl` invocation doesn't have `-t`, response doesn't contain
`.Metadata` field, so we need to check for it explicitly.
Some commands in osctl had this check, some didn't, now all the commands
have this check.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This adds support for parsing/honoring the `ip=` kernel argument that can
be supplied to configure an interface on the host.
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
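An added example (not Talos code) of what honoring the `ip=` kernel argument involves: the parser below follows the positional layout documented for the kernel (`client:server:gw:netmask:hostname:device:autoconf:dns0:dns1:ntp0`), and the `IPArg` type and `ParseIPArg` function are names chosen here, not the project's. It rejects malformed addresses and unknown autoconf keywords instead of silently skipping them, which is the behaviour a boot-time parser of untrusted command-line input should have.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// IPArg holds the positional fields of the kernel ip= parameter (IPv4 only):
// ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
type IPArg struct {
	Client, Server, Gateway, Netmask, DNS0, DNS1, NTP net.IP
	Hostname, Device, Autoconf                       string
}

// Autoconf keywords the kernel accepts; an empty field means "none".
var autoconfModes = map[string]bool{"": true, "off": true, "none": true, "on": true,
	"any": true, "dhcp": true, "bootp": true, "rarp": true, "both": true}

// ParseIPArg parses the value after "ip=": a bare keyword such as "dhcp" selects
// autoconf only; otherwise the positional form is used and every non-empty
// address field must be a valid dotted quad, so a malformed command line fails loudly.
func ParseIPArg(value string) (*IPArg, error) {
	if !strings.Contains(value, ":") && autoconfModes[value] {
		return &IPArg{Autoconf: value}, nil // e.g. ip=dhcp
	}
	f := strings.Split(value, ":")
	if len(f) > 10 {
		return nil, fmt.Errorf("ip=: %d fields, at most 10 allowed", len(f))
	}
	f = append(f, make([]string, 10-len(f))...) // pad so indexing is safe
	arg := &IPArg{Hostname: f[4], Device: f[5], Autoconf: f[6]}
	if !autoconfModes[arg.Autoconf] {
		return nil, fmt.Errorf("ip=: unknown autoconf mode %q", arg.Autoconf)
	}
	addrs := map[int]*net.IP{0: &arg.Client, 1: &arg.Server, 2: &arg.Gateway, // by position
		3: &arg.Netmask, 7: &arg.DNS0, 8: &arg.DNS1, 9: &arg.NTP}
	for idx, dst := range addrs {
		if f[idx] == "" {
			continue // field not configured
		}
		if *dst = net.ParseIP(f[idx]).To4(); *dst == nil {
			return nil, fmt.Errorf("ip=: invalid IPv4 address %q", f[idx])
		}
	}
	return arg, nil
}
```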
This PR allows you to specify the kubeconfig command like `osctl
kubeconfig . --force` or `osctl kubeconfig . -f` to delete the
kubeconfig file before we write it out.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This KubeletConfig should be checked for `nil`, and initialized if
needed, before attempting to access its fields.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This brings in the latest set of packages with the following changes:
- Linux v5.3.14
- Pinned ca-certificates (2019-11-27)
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This moves to using Webhook mode instead of the default AlwaysAllow for
kubelet API authorization.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
The `--e2e-parallel` flag seems to skip all tests when running in
certified-conformance mode. This reverts that change, and also adds a
check that fails if the conformance tests do not pass. This ensures that
we are not publishing broken versions of our edge release.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This brings in changes from upstream bootkube. It fixes an issue with
the pod-checkpointer that would cause the pod-checkpointer to fail if
the kubelet's read-only port were disabled. It also adds a dedicated
certificate for the API server's `kubelet-client-*` args, which will allow the
usage of the `authentication-token-webhook` flag in the kubelet.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
In `tls.Config`, there are two hooks for getting a certificate for client
and server config. So we need separate configuration methods to
configure them both.
Required in apid to provide refreshing TLS client cert to
grpc.ClientConn.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
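An added example (not the Talos/apid code) of the point above: `tls.Config` has separate hooks for each side, `GetCertificate` for a server and `GetClientCertificate` for a client, and both are called on every handshake, which is what lets a long-lived `grpc.ClientConn` pick up a renewed client certificate. The `CertProvider` type and its methods are names chosen here; a real provider would load an actual key pair rather than placeholder bytes.

```go
package main

import (
	"crypto/tls"
	"sync"
)

// CertProvider hands out the current certificate through both tls.Config hooks:
// GetCertificate (this side is the server) and GetClientCertificate (this side
// dials, as grpc.ClientConn does). Both run per handshake, so a certificate
// swapped in with Update is used without rebuilding the config or reconnecting.
type CertProvider struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

// Update replaces the certificate (e.g. after renewal); in-flight handshakes keep the old one.
func (p *CertProvider) Update(cert *tls.Certificate) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.cert = cert
}

func (p *CertProvider) current() *tls.Certificate {
	p.mu.RLock()
	defer p.mu.RUnlock()
	return p.cert
}

// ServerConfig wires the server-side hook (returning nil would fall back to Certificates).
func (p *CertProvider) ServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion:     tls.VersionTLS12,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return p.current(), nil },
	}
}

// ClientConfig wires the client-side hook; crypto/tls requires it to return a
// non-nil *tls.Certificate, and an empty one means "send no certificate".
func (p *CertProvider) ClientConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			if c := p.current(); c != nil {
				return c, nil
			}
			return &tls.Certificate{}, nil
		},
	}
}
```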
This replaces codegen version of apid proxying with
talos-systems/grpc-proxy based version. Proxying is transparent; it
doesn't require exact information about methods and response types. It
requires some common layout response to enhance it properly with node
metadata or errors.
There should be no significant changes to the API with the previous
version, but it's worth mentioning a few changes:
1. grpc.ClientConn is established just once per upstream (either local
service or remote apid instance).
2. When called without `-t` (`targets`), apid proxies immediately down
to local service skipping proxying to itself (as before), which results
in empty node metadata in response (before it had local node IP). Might
revert this later to proxy to itself (?).
3. Streaming APIs are now fully supported with multiple targets, but
message definition doesn't contain `ResponseMetadata`, so streaming APIs
are broken now with targets (needs a fix).
4. Errors are now returned as responses with `Error` field set in
`ResponseMetadata`; this requires client library update and `osctl` to
handle it properly.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This upgrades sonobuoy and additionally adds the `--e2e-parallel` flag to
hopefully speed things up.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This brings in a patched version of the pod-checkpointer. It fixes a bug
that prevented the static pod-checkpointer from being scheduled,
preventing recovery of the control plane on a reboot of all control
plane nodes.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This adds a check for the existence of data in the etcd data directory,
that we then use to conditionally set the initial cluster args to handle
the case of a reboot of all etcd members at once. Without this, etcd
fails to come back up, and effectively kills the cluster.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This moves to using our official bootkube repo. The latest changes in
the branch we are using enable the aggregation layer. This should fix
our conformance.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This adds a step to the conformance pipeline that pushes all containers
with the tag "edge." This will allow us to start using an edge
"channel" for upgrades.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This change sets bonded devices to ignored if there is no user supplied
configuration. Without configuration, a bonded interface doesn't provide
any value. This should speed up initial boot times by preventing address
discovery on this interface.
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
This aligns the nomenclature for filesystems like /dev and /proc with
what is used in the kernel code.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This includes a healthy refactor of the networkd code as well.
- Move netlink functionality to nic package
- Networkd facilitates the orchestration of the underlying interface configuration
- Networkd now stores the state of each interface configuration. This
should allow us to expose this information via api in the future.
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
Measuring overlayfs spams the measurement logs. Since these are mostly files
in pods, we don't get a lot of benefit from measuring them. This adds a rule
to ignore overlayfs.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This creates an IMA policy at boot. It uses the default TCB policy with
a dont_measure rule for XFS.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This updates the kernel to make use of a version that has IMA
measurement and appraisal enabled. It is not yet enforced. Additionally,
this adds the securityfs mount at /sys/kernel/security.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This PR removes all refs to the azure e2e/integration/conformance tests
for now, since we need to wait on some upstream CAPI fixes and the test
is currently broken.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
Not sure if there was an update in the fmt code path, but these are the
results after running `make fmt`.
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>