talos/hack/release.toml
Andrey Smirnov ac91ade2c7
release(v1.12.0): prepare release
This is the official v1.12.0 release.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-12-22 14:11:18 +04:00

236 lines
9.6 KiB
TOML

# commit to be tagged for new release
commit = "HEAD"
project_name = "Talos"
github_repo = "siderolabs/talos"
match_deps = "^github.com/((talos-systems|siderolabs)/[a-zA-Z0-9-]+)$"
ignore_deps = ["github.com/coredns/coredns"]
# previous release
previous = "v1.11.0"
pre_release = false
preface = """
"""
[notes]
[notes.updates]
title = "Component Updates"
description = """\
Linux: 6.18.1
Kubernetes: 1.35.0
CNI Plugins: 1.9.0
cryptsetup: 2.8.1
LVM2: 2_03_37
systemd-udevd: 257.8
etcd: 3.6.7
CoreDNS: 1.13.2
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.4
containerd: 2.1.6
zfs: 2.4.0
Talos is built with Go 1.25.5.
"""
[notes.aaawhatsnew]
title = "What's New"
description = """\
See also [What's new in Talos v1.12.0](https://docs.siderolabs.com/talos/v1.12/getting-started/what's-new-in-talos) in the documentation for a summary of the most notable changes in this release.
"""
[notes.luks2]
title = "Encrypted Volumes"
description = """\
Talos Linux now consistently provides mapped names for encrypted volumes in the format `/dev/mapper/luks2-<volume-id>`.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.
"""
[notes.disk-encryption]
title = "Disk Encryption"
description = """\
Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.
Talos now supports configuring which PCR states are used for TPM based disk encryption via the `options.pcrs`
field in the `tpm` section of the disk encryption configuration.
If the user doesn't specify any options, Talos defaults to using PCR 7 for backwards compatibility with existing installations.
This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations;
users may wish to disable locking to PCR 7 state entirely.
Signed PCR policies will still be bound to PCR 11.
The currently used PCRs can be seen with the `talosctl get volumestatus <volume> -o yaml` command.
"""
[notes.kspp]
title = "Kernel Security Posture Profile (KSPP)"
description = """\
Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with the `talosctl get kernelparamstatus` command.
"""
[notes.extra-binaries]
title = "Extra Binaries"
description = """\
Talos Linux now ships with the `nft` binary in the rootfs to support CNIs which shell out to the `nft` command.
"""
[notes.ethernet-config]
title = "Ethernet Configuration"
description = """\
The Ethernet configuration now includes a `wakeOnLAN` field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.
"""
[notes.embedded-config]
title = "Embedded Config"
description = """\
Talos Linux now supports [embedding the machine configuration](https://www.talos.dev/v1.12/talos-guides/configuration/acquire/) directly into the boot image.
"""
[notes.feature-lock]
title = "Feature Lock"
description = """\
Talos now ignores the following machine configuration fields:
- `machine.features.rbac` (locked to true)
- `machine.features.apidCheckExtKeyUsage` (locked to true)
- `cluster.apiServer.disablePodSecurityPolicy` (locked to true)
These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.
"""
[notes.etcd]
title = "etcd"
description = """\
etcd container image is now pulled from `registry.k8s.io/etcd` instead of `gcr.io/etcd-development/etcd`.
"""
[notes.talosctl]
title = "talosctl image cache-serve"
description = """\
`talosctl` includes a new subcommand, `image cache-serve`.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the `cache-create` command.
Additionally, `talosctl image cache-create` has some changes:
* new flag `--layout`: `oci` (_default_), `flat`:
  * `oci` preserves current behavior;
  * `flat` does not repack artifact layer, but moves it to a destination directory, allowing it to be served by `talosctl image cache-serve`;
* changed flag `--platform`: now can accept multiple os/arch combinations:
  * comma separated (`--platform=linux/amd64,linux/arm64`);
  * multiple instances (`--platform=linux/amd64 --platform=linux/arm64`);
"""
[notes.force-reboot]
title = "Talos force reboot"
description = """\
Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.
In addition, `talosctl` was updated to support this feature via `talosctl reboot --mode force`.
"""
[notes.kernel-module]
title = "Kernel Module"
description = """\
Talos now supports optionally disabling kernel module signature verification by setting `module.sig_enforce=0` kernel parameter.
By default module signature verification is enabled (`module.sig_enforce=1`).
When using Factory or Imager, supply `-module.sig_enforce module.sig_enforce=0` as kernel parameters to disable module signature enforcement.
"""
[notes.grub]
title = "GRUB"
description = """\
Talos Linux introduces new machine configuration option `.machine.install.grubUseUKICmdline` to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).
This option defaults to `true` for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to `false` to preserve the legacy behavior.
"""
[notes.directory-user-volumes]
title = "New User Volume type - bind"
description = """\
New field in UserVolumeConfig - `volumeType` that defaults to `partition`, but can be set to `directory`.
When set to `directory`, provisioning and filesystem operations are skipped and a directory is created under `/var/mnt/<name>`.
The `directory` type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.
When `volumeType = "directory"`:
- A directory is created at `/var/mnt/<metadata.name>`;
- `provisioning`, `filesystem` and `encryption` are prohibited.
Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.
"""
[notes.registry-configuration]
title = "CRI Registry Configuration"
description = """\
The CRI registry configuration in the v1alpha1 legacy machine configuration under `.machine.registries` is now deprecated, but still supported for backwards compatibility.
New configuration documents `RegistryMirrorConfig`, `RegistryAuthConfig` and `RegistryTLSConfig` should be used instead.
"""
[notes.disk-user-volumes]
title = "New User Volume type - disk"
description = """\
`volumeType` in UserVolumeConfig can be set to `disk`.
When set to `disk`, a full block device is used for the volume.
When `volumeType = "disk"`:
- Size specific settings are not allowed in the provisioning block (`minSize`, `maxSize`, `grow`).
"""
[notes.uefi-boot]
title = "UEFI Boot"
description = """\
When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.
"""
[notes.network-configuration]
title = "Network Configuration"
description = """\
The network configuration under `.machine.network` (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
See [documentation](https://docs.siderolabs.com/talos/v1.12/networking/configuration/overview) for more information.
"""
[notes.apiserver-cipher-suites]
title = "API Server Cipher Suites"
description = """\
The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
This is in line with a set of best practices documented in the CIS 1.12 benchmark.
You can still expand the list of supported cipher suites via the `cluster.apiServer.extraArgs."tls-cipher-suites"` machine configuration field if needed.
"""
[notes.kernel-log]
title = "Kernel Log"
description = """\
The kernel log (dmesg) is now also available as the service log named `kernel` (`talosctl logs kernel`).
"""
[notes.persistent-logs]
title = "Persistent logs"
description = """\
Talos now stores system component logs in `/var/log`, featuring automatic log rotation and keeping the two most
recent log files. This change allows collecting logs from Talos like on any other Linux system.
"""
[make_deps]
[make_deps.tools]
variable = "TOOLS"
repository = "github.com/siderolabs/tools"
[make_deps.pkgs]
variable = "PKGS"
repository = "github.com/siderolabs/pkgs"