Fixes#3714
This provides more safe way to join new members to the etcd cluster.
See https://etcd.io/docs/v3.4/learning/design-learner/
With learner mode join there are few differences:
* new nodes are joined one by one, because etcd enforces a single
learner member in the cluster
* learner members are not counted in quorum calculations, so while
learner catches up with the master node, quorum is not affected and
cluster is still operational
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos supports automatic virtual IP for the control plane with pure
layer 2 connectivity. Equinix Metal API supports assigning shared IPs to
the nodes, this PR combines existing virtual IP functionality with calls
to EM API to move the IP address on EM side to the leader node.
The only thing which should be supplied in the machine configuration is
the Equinix Metal API token, every other setting is automatically
discovered automatically by Talos.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This relies on changes in GRUB and other utilities to respect
`SOURCE_DATE_EPOCH`.
Variable `SOURCE_DATE_EPOCH` is set to the timestamp of the last git
commit which makes it deterministic, but still changes for each
release/commit.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
When looking up existing routes in the kernel routing table, make sure
routes are filtered by the address family (IPv4, IPv6). This is usually
redundant, as either destination or gateway enforces the family, but for
the default routes without the destination, we need to add this check.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#3940
This changes machine configuration in a backwards compatible way to
allow multiple `.addresses` to be specified for the interface (and for
VLANs). Old field `.cidr` is still processed and used, but new
deployments should move to `.addresses`. This allows to stop using
interface duplication workarounds to assign multiple IPs to the
interface.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixed: https://github.com/talos-systems/talos/issues/3686
Replaced sequencer tasks for KSPP and Kubernetes required sysctl props
by the ones set by controllers.
KernelParam flow includes of 3 controllers and 2 resources:
- `KernelParamConfigController` - handles user sysctls coming from v1alpha1
config.
- `KernelParamDefaultsController` - handles our built-in KSPP and K8s
required sysctls.
- `KernelParamSpecController` - consumes `KernelParamSpec`s created by the
previous two controllers, applies them and updates the corresponding
`KernelParamStatus`.
Signed-off-by: Artem Chernyshev <artem.0xD2@gmail.com>
GCP does not consider generated .tar file to be valid.
This reverts commit b2507b41d250b989b9c13ad23e16202cd53a18d2.
Refs #4023.
Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
New primary key is the following:
* table (if `main`, leave it empty)
* family
* gateway
* destination
* metric (priority)
There might be more ways we can improve this (probably gateway should be
removed?), but this should be much better model to represent routes in
the system.
This was discovered in KubeSpan development (@Ulexus).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Use `vtprobuf` optimized Marshal/Unmarshal methods which do not depend
on reflection to reduce memory and CPU usage while using Talos API.
See https://github.com/planetscale/vtprotobuf and
https://vitess.io/blog/2021-06-03-a-new-protobuf-generator-for-go/
Co-authored-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
Sparse file generation replaced with Go native calls.
Final artifact `.tar` reproducible with new tar flags and using GNU tar
instead of busybox one, but as the image itself is not reproducible,
this only helps a bit.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This pulls in a change to bump number of max CPUs in the kernel to 512
and update ca-certificates.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Preset `-0` for xz means fast compression but low compression level.
Changing this to `-6` (default) means that result is 10% smaller (tested
with RPi4 image).
Enable parallel compression with number of threads equal to number of
CPUs to make it compress even faster then with `-0`:
* `-0`: 15s
* `-6`: 60s
* `-6 -T 0`: 10s (on my machine, depends on number of cores)
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
GitHub recently introduced limit of 25000 byte for the release notes,
which breaks our release process, as our notes are over the limit.
PR https://github.com/talos-systems/talos/pull/4021 introduced support
for GFM release notes, which are at least 50% smaller.
This PR enables GFM, adds a check for release notes size and pushes
release-notes step to every build so that we known in advance if release
notes are over the limit (vs. the moment we push the release).
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This feature comes as PSP is deprecated and going to be removed in 1.25.
In preparation for that, add an option to disable PSP which was always
enabled in Talos by default.
To keep backwards compatibility, PSP is still enabled by default.
See also #3971
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Co-authored-by: Adam Szucs-Matyas <szucsitg@gmail.com>
No need to do hacks with multiple interface entries just to get multiple
addressing methods
Fixes#2804
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This allows to disable these plugins via `extraArgs` and shortens
argument list for the `kube-apiserver`.
There are no functional changes, as these plugins are enabled by default
anyways.
Based on #3971
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Co-authored-by: Adam Szucs-Matyas <szucsitg@gmail.com>
Signed-off-by: Adam Szucs-Matyas <szucsitg@gmail.com>
* correctly merge wireguard specs across multiple configuration layers
(partially stolen from #3577)
* fix erroneous wireguard reconfig when listen port in the config is
zero
* add tests for link merging (once again, partially stolen from #3577)
* fix ugly bug with LinkSpec Type merging (I believe it's a major source
of pain for you, Seán, in your PR).
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Fixes#3951
Bootkube support was removed in Talos 0.9. Talos versions 0.9-0.11
support conversion of self-hosted bootkube-based control plane to the
new style control plane running as static pods managed by Talos.
This commit removes all backwards compatibility and removes conversion
code.
For the k8s controllers, `BootstrapStatus` is removed and a dependency
on `etcd` service status is added (as it was implicitly there via
`BootstrapStatus`).
Remove control plane conversion code.
In k8s upgrade code, remove self-hosted part.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Scan all pods in `kube-system` and find `kube-proxy`, `kube-scheduler`,
`kube-controller-manager` and `kube-apiserver` ones, then check the
lowest version amongst them.
Signed-off-by: Artem Chernyshev <artem.0xD2@gmail.com>
