Add a SupportsFactoryTalosctlDownload quirk to mark the minimum version that supports talosctl downloads from factory
Signed-off-by: Edward Sammut Alessi <edward.sammutalessi@siderolabs.com>
(cherry picked from commit b43c3a124f6c6d1523c1feaddc9c4a23454eeb56)
The final Kubernetes version for Talos v1.13.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit ecf2fa855b8eb19731b228990a3acbe1430ccad4)
Fixes#13169
Also fixes a number of other issues with controller being stuck
"watching" over stale data.
The major part of the change is to watch contents of kubelet's
kubeconfig and restart the watch when it changes.
The internals of the watch process don't always bubble up error
properly, or we don't watch for errors.
With this change, not only initial sync has a timeout and a way to abort
the sync process, Talos now can also restart the sync on kubeconfig
change make it more transparent.
This might become irrelevant if we start managing kubeconfig via Talos
controlplane for workers, but for now this seems to be the way to fix
issues.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 149592fa59d20c5aa29e4c0af9a3760585f378ce)
There are no security issues fixed.
Drop username/password creds - they were not used.
Improve security of token interceptor.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 9fbb7c95df2b1dcd68fafa23865412bbd8300f4b)
Remove the skip statements/rework the code to allow
FIPS builds to do Wireguard by wrapping Wireguard operations
into `fips140.WithoutEnforcement` blocks.
Using Wireguard (or not using it) is still a user's choice, but this
allows tests to run in strict mode.
There might be more fixes required for FIPS strict, right now being
blocked by Go issue with X25119 which is going to be backported to Go
1.26.3.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 1ef8e630ab77b3c849e7da6d1ff83e7c6795f070)
This is a fixup for #12475
Split the protobuf id for extraArgs fields to use new value, so that we
don't have unmarshal failure when using newer machinery with older Talos
or vice versa.
Also pull in a fix https://github.com/siderolabs/go-talos-support/pull/15
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit f6e7346fa725a703ac4281854150d7a3be12c8d1)
Getting ready for 1.36.0 final release.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit b7512d9125b623d2bb92e3a8b5839e85e1309a39)
When hostDNS.enabled is false but forwardKubeDNSToHost defaults to true
(via version contract >= 1.8), the controller still writes the host DNS
service address into HostDNSConfig. This causes CoreDNS pods to get a
resolv.conf pointing to 169.254.116.108 while nothing listens there,
leading to DNS query timeouts.
Add a config validation error when forwardKubeDNSToHost is true while
hostDNS.enabled is false.
Fixessiderolabs/talos#13100
Signed-off-by: Zadkiel AHARONIAN <hello@zadkiel.fr>
(cherry picked from commit ca208e51492c4584f9a4cea4d0762c2199f703e7)
Allow to set build NAME on build, propagate it down to more consumers.
Expose name in `Version` resource, and use that in the dashboard
next to Talos version.
Fix some places where `Name` was hardcoded.
Propagate Name down to UKI build.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 968ec1e0ca26eb1f0de0836e0a55df09dea7dafe)
Allow both /etc/ld.so.conf and /etc/ld.so.cache files in /etc since tools expect these to be standard.
See: https://github.com/siderolabs/extensions/pull/1031
Replaces changes for Dockerfile from #12909
Signed-off-by: Noel Georgi <git@frezbo.dev>
(cherry picked from commit 414f78a298fc1a196fe310b17b89d3aadc15e1b4)
When decompressing extensions, we might not be able to set xattrs (e.g.
running rootless), so instead of setting xattrs, save them in memory and
push to mksquashfs as pseudo definitions.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit d697f5538a7a624a1ac7bafdfebc67dd9418c434)
When dashboard runs within Talos, it previously used `os:admin` role
which allows anything.
With changes in 1.13, I dropped the role to `os:reader`, which is a way
tighter scope from the security perspective, but it broke network config
tab - it tries to write to META, which is not allowed under `os:reader`
role, so this change fixes the dashboard, but still keeps the RBAC
tight.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 649ab7fe4234de1a947071926603377e00910cb9)
Fixes#13056
The TPM unseal operation doesn't respect the context, and we had 10
second timeout for the whole key unlock operation.
So there might a case when a "slow" TPM unseal runs for more than 10
seconds, and by the time TPM unseal is down, context timeout already
passed, so a somewhat wrong messahe pops in, as the rate limiter is
configured with any limit, but it fails due to the fact that the context
got canceled (but it would have failed later anyways doing the actual
resource operation).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 087ced85f5130656cbc647c2e4d838cab3ff1737)
ExternalVolume has type=nfs defined in the Schema. It is currently
unused and unimplemented, and will fail to provision. Remove it
from the schema, validation and docs, to not confuse the users.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
(cherry picked from commit 11ab0a8c5aec1537542bddb851a9f71e92888e3b)
Add support for caching all platforms in a multi-platform image index
by passing --platform=all to the images cache-create command.
When all is specified, the index manifest is fetched without platform
resolution, and each platform-specific image is downloaded individually.
Attestation manifests (unknown/unknown) are included.
Include the platform in the fetch log line so each pull is identifiable,
e.g. fetching image "..." (linux/amd64).
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 786bf00abb309955616e440cd06fd0718b1b77ab)
Also clean up some imports in go.mod, reduce replaced modules.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 9c34591144f1e2fc759fdc6d56694541eb9f241a)
Add a test that covers all maintenance APIs in general.
Add a test for transition from SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit ad72c73006abc3b51e5371496c61d8637b2222f0)
Whitelist services which can access the file socket, refuse other
connections.
Fixes#12701
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 038cb87354eea1c1ff4612bdd13d1e77e595955a)
Update to the latest available release.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit b1a02f3681c7e361ee6a3ef3d230b47480b48408)
Our fixes got merged, and more fixes in the library as well.
Bump grpc library (due to a reported CVE which we are not affected
with).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 86344639fcb76d9430ac1e975c98db4488701e43)
Drop maintenance service and all the code supporting it directly.
Instead, move all network API termination into the `apid` service, which
now can work now in more modes to support maintenance operations as
well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add ErrMissingAPIVersion check in the config document decoder, parallel
to the existing ErrMissingKind. Previously, a typo in the apiVersion key
(e.g. 'apiVerstion') would result in a misleading 'not registered' error
instead of clearly indicating the missing field.
Signed-off-by: Dominik Pitz <pitzdominik@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add RoutingRuleConfig multi-doc config type for management of routing rules.
KubeSpan now uses COSI resources instead of direct kernel management.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Also sync tools, now the kernel is built with LLVM 22.1.
See https://github.com/siderolabs/pkgs/issues/1479 for the context.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This was yet another socket with implicit auth - remove it completely
by reworking the only usecase for it - cluster-side health checks.
Now these health checks build a "regular" network Talos API client (as
they anyways work only controlplane nodes).
Refactor the check for controlplane nodes to use resources instead of
machine config directly (as machine config might not be always present).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
A fixup for #12896
The health check might be running as a reduced privilege role client, so
don't pull the machine config, but instead read a field from a
non-sensitive resource.
As this field doesn't exist in older versions of Talos, the check should
still run by default (as it will be empty).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
