IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
It seems that CRI has a bit of eventual consistency, and it might fail
to remove a stopped pod failing that it's still running.
Rewrite the upgrade API call in the upgrade test to actually wait for
the upgrade to be successful, and fail immediately if it's not
successful. This should improve the test stability and it should make
it easier to find issues immediately.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#6391
Implement a set of APIs and commands to manage images in the CRI, and
pre-pull images on Kubernetes upgrades.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The Go modules were not tagged for alpha.4, so using alpha.3 tag.
Talos 1.5 will ship with Kubernetes 1.28.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
We do not need a tpm simulator for ukify measure. We can pre-calculate
the values. This also means we can build ukify as a static binary.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes#7430
Introduce a set of resources which look similar to other API
implementations: CA, certs, cert SANs, etc.
Introduce a controller which manages the service based on resource
state.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7379
Add possibility to configure the controlplane static pod resources via
APIServer, ControllerManager and Scheduler configs.
Signed-off-by: LukasAuerbeck <17929465+LukasAuerbeck@users.noreply.github.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos now supports new type of encryption keys which rely on Sealing/Unsealing randomly generated bytes with a KMS server:
```
systemDiskEncryption:
ephemeral:
keys:
- kms:
endpoint: https://1.2.3.4:443
slot: 0
```
gRPC API definitions and a simple reference implementation of the KMS server can be found in this
[repository](https://github.com/siderolabs/kms-client/blob/main/cmd/kms-server/main.go).
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Use shell here-doc to unify multiple commands into a single layer to
have less layers created.
Use `--link` to pull in pkgs.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The problem first spotted by Artem, leads to spurious dirty checks.
The sort order was checking wrong (lowered) keys, so the order was
actually random.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Split the documents to provide easier version for the as the starting
guide.
Signed-off-by: Steve Francis <steve.francis@talos-systems.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7228
Add some changes to make Talos accept partial machine configuration
without main v1alpha1 config.
With this change, it's possible to connect a machine already running
with machine configuration (v1alpha1), the following patch will connect
to a local SideroLink endpoint:
```yaml
apiVersion: v1alpha1
kind: SideroLinkConfig
apiUrl: grpc://172.20.0.1:4000/?jointoken=foo
---
apiVersion: v1alpha1
kind: KmsgLogConfig
name: apiSink
url: tcp://[fdae:41e4:649b:9303::1]:4001/
---
apiVersion: v1alpha1
kind: EventSinkConfig
endpoint: "[fdae:41e4:649b:9303::1]:8080"
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7425
The previously used method doesn't handle YAML multi-doc, incorrectly
stripping only the first document and throwing away everything else.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Previously, if META values were supplied to the Talos ISO via
environment variable, they will be written down and available after the
install. With this fix, values are also readable and available before
the installation runs (in maintenance mode).
Most of the PR is refactoring `meta.Value(s)` to be a shared library
which is used by the installer/imager and (now) Talos.
Also fixes an issue with not returning properly `NotExist` error when
META is not yet available as a partition on disk.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The static paths for the OVMF firmware are limited, and won't match, for
example, any of the files installed by `edk2-ovmf` on a Fedora 38 system. This
change separates the search paths and filenames, making sure all combinations
are covered when looking for a suitable firmware. Similarly also cleans up the
OVMF vars lookup.
Signed-off-by: Dennis Marttinen <twelho@welho.tech>
Signed-off-by: Noel Georgi <git@frezbo.dev>
Some tools like qemu-guest-agent when ran as a extension service calls
`/sbin/shutdown` instead of `/sbin/poweroff`. This adds handling for the
same.
Ref: https://github.com/siderolabs/extensions/pull/173
Signed-off-by: Noel Georgi <git@frezbo.dev>
Allow specifying the reboot mode during upgrades by introducing `--reboot-mode` flag, similar to the `--mode` flag of the reboot command.
Closessiderolabs/talos#7302.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This makes handling of `exec` more flexible.
Signed-off-by: Markus Reiter <me@reitermark.us>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Uses the auto-enrollment feature of sd-boot to enroll required UEFI Secure
Boot keys.
Fixes: #7373
Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
This includes sd-boot handling, EFI variables, etc.
There are some TODOs which need to be addressed to make things smooth.
Install to disk, upgrades work.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit adds support for API load balancer. Quick way to enable it is during cluster creation using new `api-server-balancer-port` flag (0 by default - disabled). When enabled all API request will be routed across
cluster control plane endpoints.
Closes#7191
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Move labels out of the bootloader interface, while moving copying assets
into the bootloader interface. GRUB is using one set of assets,
`sd-boot` will be using another one.
Fix the problem with `bootloader.Probe()` finding boot partition on the
host when it runs in a priv container, fixing issues with image creation
in the CI.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
`WITH_CONFIG_PATCH_WORKER` check result was overriding any value set in `CONFIG_PATCH_FLAG` variable.
Move it to the different variable.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This changes the bootloader code to be generic to support
multiple bootloader implementations.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7233
Waiting for node readiness now happens in the `MachineStatus` controller
which won't mark the node as ready until Kubernetes `Node` is ready.
Handling cordoning/uncordining happens with help of additional resource
in `NodeApplyController`.
New controller provides reactive `NodeStatus` resource to see current
status of Kubernetes `Node`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Due to a bug (?) cilium tests don't clean up all the deployments & pods,
leaving one pod in 'Pending' state.
Kubernetes e2e tests check for !Running pods in `kube-system` namespace.
Fix by moving cilium tests to a separate namespace.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The `kubeconfig` can be fetched from one Talos node, while Kubernetes
API request might land on `kube-apiserver` on a different node which
might have time slightly out of sync.
The minimum time diff between the two might lead to `Unauthorized` error
on first use:
```
1 authentication.go:70] "Unable to authenticate the request" err="[x509: certificate has expired or is not yet valid: current time 2023-06-13T15:30:51Z is before 2023-06-13T15:30:52Z, verifying certificate SN=314179687645609956480346926163236202072, SKID=, AKID=E9:9E:A8:1E:0B:6C:8B:AB:1B:2B:7E:17:14:CF:A4:0A:82:6B:42:67 failed: x509: certificate has expired or is not yet valid: current time 2023-06-13T15:30:51Z is before 2023-06-13T15:30:52Z]"
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes usage of custom kernel images to copy over the modules info
list and the default set of modules shipped with Talos.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Also uncomment Azure uploader.
Add the Azure environment variables to the Makefile cloud-images step.
Change disk size and tier to 16GiB and tier: P3
Add boolean value to drone pipeline and the cloud images hack will check the value to determine which Azure Compute Gallery to push images to.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Signed-off-by: Christian Rolland <christian.rolland@siderolabs.com>
Include a description and a commented-out example for the `cluster.allowSchedulingOnControlPlanes` field on `talosctl gen config ...` output.
Closessiderolabs/talos#7313.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
