IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This stops using `discovery-service` module which contained both client
and server code. The tests were reworked to use the public discovery
service endpoint.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Due to the way our crypto library is implemented, it can't generate a
key from CA with ECDSA-SHA256 on older versions of Talos.
Talos >= 0.13: ECDSA-SHA256 with P-256
Talos < 0.13: ECDSA-SHA512 with P-256
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Previously Talos used ECDSA-SHA512 with P-256 EC key, which is not
widely supported combination. Use ECDSA-SHA256 instead.
There's no security benefit to use ECDSA-SHA512 with P-256 key, and this
combination is officially supported by TLS 1.3 standard.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Update component versions, Go module versions.
Add platform tiers to the support matrix.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This provides integration layer with discovery service to provide
cluster discovery (and transitively KubeSpan peer discovery).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos supports automatic virtual IP for the control plane with pure
layer 2 connectivity. Hetzner Cloud API supports assigning Floating IPs
to the nodes, this PR combines existing virtual IP functionality with calls
to HCloud API to move the IP address on HCloud side to the leader node.
The only thing which should be supplied in the machine configuration is
the Hetzner Cloud API token, every other setting is automatically
discovered by Talos.
Talos supports two types of floating IPs:
* external Floating IP for external network
* server alias IP for local networks
The controlplane can have only one alias on the local network interface.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This should fix lookup of CD-ROM devices.
Update `go-blockdevice` library to the version with the fix.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Update `go-blockdevice` library.
Readwrite mode doesn't work when there are readonly devices like `iso`.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Note: Talos can be still run under `Firecracker`, support for
Firecracker was only removed for `talosctl cluster create`.
Reason:
* code is untested/unmaintained, and probably doesn't work correctly
* firecracker Go SDK pulls lots of dependencies and it blocks CNI Go
module update
Bonus: `talosctl-linux-amd64` shrinks by 2 MiB.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This concludes basic KubeSpan implementation.
Most of the code is from #3577 with some fixes and refactoring.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Signed-off-by: Seán C McCord <ulexus@gmail.com>
Co-authored-by: Seán C McCord <ulexus@gmail.com>
* cloud-init for scaleway
* set ipv6 to the interface
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR makes sure that some capabilities (SYS_BOOT and SYS_MODULES) and
never be gained by any process running on Talos except for `machined`
itself.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#4138
When KubeSpan is enabled, Talos automatically generates or loads
KubeSpan identity which consists of Wireguard key pair. ULA address is
calculated based on ClusterID and first NIC MAC address.
Some code was borrowed from #3577.
Example:
```
$ talosctl -n 172.20.0.2 get ksi
NODE NAMESPACE TYPE ID VERSION ADDRESS PUBLICKEY
172.20.0.2 kubespan KubeSpanIdentity local 1 fd71:6e1d:86be:6302:e871:1bff:feb2:ccee/128 Oak2fBEWngBhwslBxDVgnRNHXs88OAp4kjroSX0uqUE=
```
Additional changes:
* `--with-kubespan` flag for `talosctl cluster create` for quick testing
* validate that cluster discovery (and KubeSpan) requires ClusterID and
ClusterSecret.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Signed-off-by: Seán C McCord <ulexus@gmail.com>
Co-authored-by: Seán C McCord <ulexus@gmail.com>
Fixes#4137
Node identity is established when `STATE` partition is mounted, and
cached there. Node identity will be used for the cluster discovery
process to identify each node of the cluster.
Random 32 bytes encoded via base62 are used as node identity.
`base62` uses only URL-safe characters which might save us some trouble
later.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Also downgrade some indirect dependencies that don't have a good reason to be updated.
Closes#4111.
Closes#4112.
Closes#4116.
Closes#4117.
Closes#4121.
Closes#4122.
Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
No real functional changes, just updating to the final versions before
Talos 0.12 release.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos supports automatic virtual IP for the control plane with pure
layer 2 connectivity. Equinix Metal API supports assigning shared IPs to
the nodes, this PR combines existing virtual IP functionality with calls
to EM API to move the IP address on EM side to the leader node.
The only thing which should be supplied in the machine configuration is
the Equinix Metal API token, every other setting is automatically
discovered automatically by Talos.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Resources code extensively uses DeepCopy to prevent in-memory copy of
the resource to be mutated outside of the resource model.
Previous implementation relied on YAML serialization to copy the
machine configuration which was slow, potentially might lead to panics
and it generates pressure on garbage collection.
This implementation uses k8s code generator to generate DeepCopy methods
with some manual helpers when code generator can't handle it.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
