Allows authenticating to Image Factory (if Image Factory is configured
for auth), applies to HTTP downloads (e.g. ISO), and injects registry
auth into Talos as well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit c2948cef232f6a175312636369b444124cb995db)
Use defer blocks and error joining to guarantee uncordon cleanup
runs regardless of reboot/upgrade success or failure. Prevents nodes
from staying cordoned when operations fail.
Also added gRPC keepalive params to prevent timeout issues during
long operations.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
(cherry picked from commit 3db14309e058cacc2ab8664944fc18f80a3bb747)
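The defer-plus-error-joining pattern the commit above relies on, as an added Go example that is not the project's own code: the node client, the cordon/uncordon calls and the operation callback are hypothetical stand-ins, chosen only so the cleanup guarantee can be checked without a cluster. The point is that uncordon runs on every exit path, and an uncordon failure is joined onto (never replaces) the reboot or upgrade error, so the caller can still test for the original failure with errors.Is.

```go
package main

import (
	"errors"
	"fmt"
)

// node is a hypothetical stand-in for a Kubernetes node client (not the
// project's own type): it records cordon state so the outcome can be checked.
type node struct {
	name         string
	cordoned     bool
	failUncordon bool // simulates the API being unreachable during cleanup
}

func (n *node) cordon() error {
	n.cordoned = true
	return nil
}

func (n *node) uncordon() error {
	if n.failUncordon {
		return fmt.Errorf("uncordon %s: API unreachable", n.name)
	}
	n.cordoned = false
	return nil
}

// rebootWithDrain cordons the node, runs op (the reboot or upgrade), and
// defers the uncordon so cleanup happens on success, failure and early return
// alike. A failed uncordon is joined onto the operation's error with
// errors.Join, so neither error is lost.
func rebootWithDrain(n *node, op func() error) (err error) {
	if cerr := n.cordon(); cerr != nil {
		return fmt.Errorf("cordon %s: %w", n.name, cerr)
	}

	defer func() {
		if uerr := n.uncordon(); uerr != nil {
			err = errors.Join(err, uerr)
		}
	}()

	if oerr := op(); oerr != nil {
		return fmt.Errorf("operation on %s: %w", n.name, oerr)
	}

	return nil
}

func main() {
	n := &node{name: "worker-1"}
	err := rebootWithDrain(n, func() error { return errors.New("reboot timed out") })
	fmt.Printf("err=%v cordoned=%v\n", err, n.cordoned)
}
```

Without the defer, a failing op would return before uncordon and leave the node unschedulable; without errors.Join, a failing uncordon would either be dropped or overwrite the reason the operation failed.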
When run in "normal" mode, `talosctl` takes into account proxy
configuration, such as the `https_proxy` and `no_proxy` environment
variables; but when invoked with `--insecure`, those would be ignored,
which results in `talosctl` being unable to interact with nodes in
maintenance mode if they're only reachable through a proxy.
This commit adds the `WithDefaultGRPCDialOptions()` option to the
client created by `WithClientMaintenance()`, same as `WithClient()`.
Signed-off-by: Benoît Knecht <benoit.knecht@proton.ch>
(cherry picked from commit 21f459aab5d8ac2841aa69a9237ca3faa06da7df)
Allow setting the build NAME at build time, and propagate it down to more consumers.
Expose name in `Version` resource, and use that in the dashboard
next to Talos version.
Fix some places where `Name` was hardcoded.
Propagate Name down to UKI build.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 968ec1e0ca26eb1f0de0836e0a55df09dea7dafe)
Add --drain and --drain-timeout flags to `talosctl reboot` (default off)
and `talosctl upgrade` (default on) that cordon and drain the Kubernetes
node before rebooting, then wait for Ready and uncordon after it comes
back. When --drain is enabled, --wait is forced to true.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
(cherry picked from commit 52b920032e97e1b241c1e0bd89c6e41cbc1c9a47)
Forcing fallback to the legacy flow might be wanted by some users.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
(cherry picked from commit 7b6ab0c1c3cec7b6260e27dd5b6e72faa1975ab0)
It does not make sense without SideroLink, and will not work,
as it requires Admin role.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
(cherry picked from commit 10cdfa9099a3e40ca8182ecb69d836c06ca621e3)
Fixes #12933
There are many use cases for this:
* exploring resources and state of the system, learning available
resources
* when a Talos machine is booted up in an environment without network
access, learning all available network interfaces, all disks
available, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 5e24d5265bde9adee92c02e675140de87ee126bf)
Add support for caching all platforms in a multi-platform image index
by passing --platform=all to the images cache-create command.
When all is specified, the index manifest is fetched without platform
resolution, and each platform-specific image is downloaded individually.
Attestation manifests (unknown/unknown) are included.
Include the platform in the fetch log line so each pull is identifiable,
e.g. fetching image "..." (linux/amd64).
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 786bf00abb309955616e440cd06fd0718b1b77ab)
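How the "all" platform selection over an OCI image index works, as an added Go example that is not the project's code: the index JSON below is hand-constructed (fake digests, not a registry response) with two platform manifests and two BuildKit-style attestation manifests, which carry the placeholder platform unknown/unknown. selectManifests and fetchLogLine are illustrative names. With "all" every index entry is kept without platform resolution, attestation manifests included; with a concrete platform only the matching entry is kept; the log line carries the platform so each pull is identifiable.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// platform mirrors the OCI image index "platform" object.
type platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
	Variant      string `json:"variant,omitempty"`
}

func (p platform) String() string {
	s := p.OS + "/" + p.Architecture
	if p.Variant != "" {
		s += "/" + p.Variant
	}
	return s
}

// descriptor is one entry of the index's "manifests" array.
type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Platform    *platform         `json:"platform,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type imageIndex struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []descriptor `json:"manifests"`
}

// constructedIndex is a hand-written sample (digests are placeholders).
const constructedIndex = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
     "size": 1234, "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
     "size": 1234, "platform": {"architecture": "arm64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
     "size": 567, "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest",
       "vnd.docker.reference.digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:4444444444444444444444444444444444444444444444444444444444444444",
     "size": 567, "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest",
       "vnd.docker.reference.digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222"}}
  ]
}`

func parseIndex(data []byte) (imageIndex, error) {
	var idx imageIndex
	if err := json.Unmarshal(data, &idx); err != nil {
		return imageIndex{}, fmt.Errorf("parsing image index: %w", err)
	}
	if idx.SchemaVersion != 2 {
		return imageIndex{}, fmt.Errorf("unsupported schemaVersion %d", idx.SchemaVersion)
	}
	return idx, nil
}

// isAttestation reports whether a descriptor is a BuildKit attestation
// manifest; these are the unknown/unknown entries an "all" cache must keep.
func isAttestation(d descriptor) bool {
	return d.Annotations["vnd.docker.reference.type"] == "attestation-manifest"
}

// selectManifests picks the entries to pull: "all" keeps every entry of the
// index as-is (no platform resolution); otherwise only the entry whose
// platform string equals want is kept.
func selectManifests(idx imageIndex, want string) []descriptor {
	var out []descriptor
	for _, d := range idx.Manifests {
		if want == "all" || (d.Platform != nil && d.Platform.String() == want) {
			out = append(out, d)
		}
	}
	return out
}

// fetchLogLine formats the per-pull log line with the platform included.
func fetchLogLine(ref string, d descriptor) string {
	p := "unknown/unknown"
	if d.Platform != nil {
		p = d.Platform.String()
	}
	return fmt.Sprintf("fetching image %q (%s)", ref, p)
}

func main() {
	idx, err := parseIndex([]byte(constructedIndex))
	if err != nil {
		panic(err)
	}
	for _, d := range selectManifests(idx, "all") {
		fmt.Println(fetchLogLine("registry.example/app:latest", d))
	}
}
```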
Add a test that covers all maintenance APIs in general.
Add a test for transition from SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit ad72c73006abc3b51e5371496c61d8637b2222f0)
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks into the image verification process, while the
containerd CRI plugin accesses the same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add new `talosctl install` command using the LifecycleService.Install
streaming API with support for insecure (maintenance) mode and progress
reporting. Refactor `talosctl upgrade` to use the new
LifecycleService.Upgrade streaming API with automatic fallback to the
legacy MachineService.Upgrade path for older Talos versions.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Drop the old cli-utils based manifest apply logic and replace it with the new fluxcd/pkg/ssa based implementation.
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
The call to `filepath.Join` in the current code causes breakage when using talosctl on Windows due to the wrong slash being introduced into the embed path.
Signed-off-by: Jan Paul <paulj@nerakhon.cz>
Use the library built for tview, so that we don't have to have two UI
libraries working in parallel in the same TUI.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pulls in KMS with logging, and adds more logging to Talos.
This allows debugging encryption problems better.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The disks flag Set method was appending new disk requests to the existing ones,
which caused duplicate disk entries when custom values for the disks flag were set.
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
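The flag.Value defect described above and one common fix, as an added Go example that is not the project's code: the disk spec syntax, the default entry and the names (diskRequest, disksFlag, parseArgs) are hypothetical. The buggy Set keeps appending to the pre-loaded default, so any explicit value yields the default plus the user's entries; the corrected Set discards the defaults on the first explicit value and accumulates from there, which keeps the flag repeatable.

```go
package main

import (
	"flag"
	"fmt"
	"strconv"
	"strings"
)

// diskRequest is a hypothetical disk spec parsed from "<size-in-GiB>[:<driver>]".
type diskRequest struct {
	SizeGiB int
	Driver  string
}

func parseDisk(v string) (diskRequest, error) {
	size, driver, _ := strings.Cut(v, ":")
	n, err := strconv.Atoi(size)
	if err != nil || n <= 0 {
		return diskRequest{}, fmt.Errorf("invalid disk %q: size must be a positive integer", v)
	}
	if driver == "" {
		driver = "virtio"
	}
	return diskRequest{SizeGiB: n, Driver: driver}, nil
}

// disksFlag implements flag.Value for a repeatable --disks flag whose value
// is pre-populated with a default entry before parsing.
type disksFlag struct {
	reqs    []diskRequest
	userSet bool
}

func (f *disksFlag) String() string {
	parts := make([]string, 0, len(f.reqs))
	for _, r := range f.reqs {
		parts = append(parts, fmt.Sprintf("%d:%s", r.SizeGiB, r.Driver))
	}
	return strings.Join(parts, ",")
}

// setBuggy reproduces the defect: the default entry is never discarded, so
// "--disks 20" ends up as [default, 20].
func (f *disksFlag) setBuggy(v string) error {
	r, err := parseDisk(v)
	if err != nil {
		return err
	}
	f.reqs = append(f.reqs, r)
	return nil
}

// Set is the corrected version: the first explicit value replaces the
// defaults; later values accumulate.
func (f *disksFlag) Set(v string) error {
	r, err := parseDisk(v)
	if err != nil {
		return err
	}
	if !f.userSet {
		f.reqs = nil
		f.userSet = true
	}
	f.reqs = append(f.reqs, r)
	return nil
}

func newDisksFlag() *disksFlag {
	return &disksFlag{reqs: []diskRequest{{SizeGiB: 6, Driver: "virtio"}}}
}

// parseArgs wires the flag into a FlagSet and returns the resulting disks.
func parseArgs(args []string) ([]diskRequest, error) {
	d := newDisksFlag()
	fs := flag.NewFlagSet("cluster-create", flag.ContinueOnError)
	fs.Var(d, "disks", "disk request <size>[:<driver>], repeatable")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	return d.reqs, nil
}

func main() {
	disks, err := parseArgs([]string{"--disks", "20", "--disks", "40:nvme"})
	fmt.Println(disks, err)
}
```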
This affects reading multi-doc machine config via `talosctl` from Talos
machines v1.11 and below by `talosctl` of v1.12 and up.
The problem is that before v1.12 Talos returned machine config as an
embedded document instead of the spec of the resource, which was not
valid YAML. It worked via hacks we used in our fork of the yaml library.
Talos v1.12+ cleans that up by marshaling the config as a string, and
drops the forked library. The problem is that we still can't pass
multi-doc YAML via this path, so we have to resort to going into COSI
internals to retrieve the actual value as written by the Talos API.
Note: there is no problem for Omni, as it goes via the protobuf path which
hasn't been affected.
Fixes #12787
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Re-generate, fix new linting issues.
Update containerd library to the latest 2.2.1 to address the new cgroups
package import (via tools update).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This command is very specific to terminal operations which don't exist
or might not work well enough on Windows.
Windows users will have better luck with WSL and Linux talosctl.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This implements a way to run a debug container with a provided image on
the node.
The container runs with the privileged profile, allowing one to issue debugging
commands (e.g. using some advanced network tools) to troubleshoot a
machine.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
These new APIs only support one-to-one proxying, so they don't have any
hacks, and look like regular gRPC APIs.
Old APIs are deprecated, but still supported.
Implement client-side multiplexing in `talosctl`, provide fallback to
old APIs for legacy Talos versions.
New APIs include removing an image, importing an image.
Extracted from #12392
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This command was always hidden, rename it to `debug-tool` to free up the
`talosctl debug` for #12932.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The --k8s-endpoint flag was defined but never used in the rotate-ca
command. This fix passes the flag value through to the Kubernetes
client, allowing users to override the default Kubernetes API endpoint
during CA rotation.
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Simplify the flow a bit by using live partition info,
avoid doing some calculations which are already done in the
partition code.
Remove some steps I believe we don't need to do.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It was previously in `Long`, but displayed wrongly on the docs website
(already used by the `image cache-create` cmd).
Signed-off-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Migrate KubeSpan configuration to support multi-document format.
Add version-aware support for talosctl cluster create and gen config.
Uses multi-doc format for Talos 1.13+, legacy format for 1.12 and earlier.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The `persist` value was locked to be true for a long time now, and Talos
doesn't support any other mode (machine config is persisted).
Drop the `gen config` flag and related generate options, as modern Talos
doesn't accept `persist: false`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add the following flags to the upgrade-k8s command:
* `--force-conflicts` overwrite the fields when applying even if the field manager differs
* `--inventory-policy` string kubernetes SSA inventory policy (one of 'MustMatch', 'AdoptIfNoInventory' or 'AdoptAll') (default "AdoptIfNoInventory")
* `--no-prune` whether pruning of previously applied objects should happen after apply
* `--prune-timeout` int how long to wait for resources to be pruned in seconds (set to zero to disable waiting for resources to be fully deleted) (default 180)
* `--reconcile-timeout` int how long to wait for resources to be fully reconciled in seconds (set to zero to disable waiting for resources to be fully reconciled) (default 180)
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
After changing `talosctl images k8s-bundle and talos-bundle`
we stopped printing some of the images to release notes.
This fixes that issue.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Overlay installers assume the `/boot/EFI` path, so we generate assets into `/boot/EFI` then move that directory to the mountPrefix+/EFI.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Boards were deprecated in favor of overlays from Talos 1.7.
Now completely remove all board specific code.
Part of: #12492
Signed-off-by: Noel Georgi <git@frezbo.dev>
The interactive installer has been deprecated since v1.12 cycle,
now removed completely including the API method.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also changes the bootloader interface.
Disks are formatted/created with pre-populated source directories in Install/Image mode.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Support creating filesystems from `SourceDirectory`, this implies partitions can have the data populated when formatted.
ImageCache handling is now using `SourceDirectory` while formatting simplifying the code.
Signed-off-by: Noel Georgi <git@frezbo.dev>
I don't see much point in this check, as it's only valuable when joining
to a local development instance of Omni, which is a pretty nice use case.
But this check breaks joining to "real" Omni which has hostname in the
endpoint.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>