IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Fixes#7513
AWS image uploads recently consistently fail in some regions, which
blocks the release process. Allow to skip some AMIs if they fail to
upload.
Disable Azure until #7512 is resolved.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Disable cloud-images step due to the issue with AWS & Azure atm.
Pull in https://github.com/siderolabs/pkgs/pull/761
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7453
The goal is to make it possible to load some multi-doc configuration
from the platform source (or persisted in STATE) before machine acquires
full configuration.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
UKI is meant to be for UEFI Secure Boot, so it's expected to enforce
kernel lockdown. We might reconsider in the future to use a kernel patch
instead: b1a0314b08
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7487
When `.kubelet.nodeIP` filters yield no match, Talos should not start
the kubelet, as using empty address list results in `--node-ip=` empty
kubelet arg, which makes kubelet pick up "the first" address.
Instead, skip updating (creating) the nodeIP and log an explicit
warning.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This adds basic support for shutdown/poweroff flags.
it can distringuish between halt/shutdown/reboot.
In the case of Talos halt/shutdown is same op.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Use the `machined` socket for `shutdown` and `poweroff` aliases. This
ensures that worker nodes does not have to wait on apid to start.
Signed-off-by: Noel Georgi <git@frezbo.dev>
We can safely do it on `io.Writer` level, since `log.Logger.Output` (called by `Print|Printf`) pretty much promises
that every call to `Write` ends with `\n`.
Closes#7439
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
For rng seed and pcr extend, let's ignore if the device is not TPM2.0
based. Seal/Unseal operations would still error out since it's
explicitly user enabled feature.
Signed-off-by: Noel Georgi <git@frezbo.dev>
The previous flow was using TPM PCR 11 values to bound the policy which
means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7
which is bound to the SecureBoot state (SecureBoot status and
Certificates). This provides a full chain of trust bound to SecureBoot
state and signed PCR signature.
Also the code has been refactored to use PolicyCalculator from the TPM
library.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Bump:
- REVERT cilium/cilium-cli to v0.14.7
- github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.0
- github.com/Azure/azure-sdk-for-go/sdk/storage/azblob to v1.1.0
- github.com/aws/aws-sdk-go to v1.44.300
- github.com/beevik/ntp to v1.2.0
- github.com/docker/docker to v24.0.4+incompatible
- github.com/gomarkdown/markdown to v0.0.0-20230711084535-11b03c0ae6d6
- github.com/hetznercloud/hcloud-go to v1.48.0
- github.com/iancoleman/orderedmap to v0.3.0
- github.com/jsimonetti/rtnetlink to v1.3.4
- github.com/siderolabs/go-debug to v0.2.3
- golang.org/x/net to v0.12.0
- golang.org/x/tools to v0.11.0
- google.golang.org/genproto/googleapis/rpc to v0.0.0-20230711160842-782d3b101e98
- google.golang.org/grpc to v1.56.2
- google.golang.org/protobuf to v1.31.0
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This is intemediate step to move parts of the `ukify` down to the main
Talos source tree, and call it from `talosctl` binary.
The next step will be to integrate it into the imager and move `.uki`
build out of the Dockerfile.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
It seems that CRI has a bit of eventual consistency, and it might fail
to remove a stopped pod failing that it's still running.
Rewrite the upgrade API call in the upgrade test to actually wait for
the upgrade to be successful, and fail immediately if it's not
successful. This should improve the test stability and it should make
it easier to find issues immediately.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#6391
Implement a set of APIs and commands to manage images in the CRI, and
pre-pull images on Kubernetes upgrades.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The Go modules were not tagged for alpha.4, so using alpha.3 tag.
Talos 1.5 will ship with Kubernetes 1.28.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
We do not need a tpm simulator for ukify measure. We can pre-calculate
the values. This also means we can build ukify as a static binary.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes#7430
Introduce a set of resources which look similar to other API
implementations: CA, certs, cert SANs, etc.
Introduce a controller which manages the service based on resource
state.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7379
Add possibility to configure the controlplane static pod resources via
APIServer, ControllerManager and Scheduler configs.
Signed-off-by: LukasAuerbeck <17929465+LukasAuerbeck@users.noreply.github.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos now supports new type of encryption keys which rely on Sealing/Unsealing randomly generated bytes with a KMS server:
```
systemDiskEncryption:
ephemeral:
keys:
- kms:
endpoint: https://1.2.3.4:443
slot: 0
```
gRPC API definitions and a simple reference implementation of the KMS server can be found in this
[repository](https://github.com/siderolabs/kms-client/blob/main/cmd/kms-server/main.go).
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Use shell here-doc to unify multiple commands into a single layer to
have less layers created.
Use `--link` to pull in pkgs.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The problem first spotted by Artem, leads to spurious dirty checks.
The sort order was checking wrong (lowered) keys, so the order was
actually random.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Split the documents to provide easier version for the as the starting
guide.
Signed-off-by: Steve Francis <steve.francis@talos-systems.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7228
Add some changes to make Talos accept partial machine configuration
without main v1alpha1 config.
With this change, it's possible to connect a machine already running
with machine configuration (v1alpha1), the following patch will connect
to a local SideroLink endpoint:
```yaml
apiVersion: v1alpha1
kind: SideroLinkConfig
apiUrl: grpc://172.20.0.1:4000/?jointoken=foo
---
apiVersion: v1alpha1
kind: KmsgLogConfig
name: apiSink
url: tcp://[fdae:41e4:649b:9303::1]:4001/
---
apiVersion: v1alpha1
kind: EventSinkConfig
endpoint: "[fdae:41e4:649b:9303::1]:8080"
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
