IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This PR supports skipping node registration from K8s.
This is an adavnced use case and only needs to be used in special cases.
In this mode Kubelet only runs the static pods.
Fixes: #5847
Operations that will be broken:
- `talosctl cluster create` would eventually timeout since it expects
nodes to be registered.
- `talosctl health` since it expects nodes to be registered.
- `talosctl upgrade-k8s` since it expects nodes to be registered. Static
pods can still be updated by editing the machine config..
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes#5652
This reworks and unifies HTTP client/transport management in Talos:
* cleanhttp is used everywhere consistently
* DefaultClient is using pooled client, other clients use regular
transport
* like before, Proxy vars are inspected on each request (but now
consistently)
* manifest download functions now recreate the client on each run to
pick up latest changes
* system CA list is picked up from a fixed locations, and supports
reloading on changes
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This is incompatible with Calico and Cilium in default configuration, as
it's not easy to figure out exact PodCIDRs of the node.
We change the default but provide the option to revert the old behavior.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fix `Talos` sequencer to run only a single sequence at the same time.
Sequences priority was updated. To match the table:
| what is running (columns) what is requested (rows) | boot | reboot | reset | upgrade |
|----------------------------------------------------|------|--------|-------|---------|
| reboot | Y | Y | Y | N |
| reset | Y | N | N | N |
| upgrade | Y | N | N | N |
With a small addition that `WithTakeover` is still there.
If set, priority is ignored.
This is mainly used for `Shutdown` sequence invokation.
And if doing apply config with reboot enabled.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Fixing small issue in syntax.
Signed-off-by: Matthew Richardson <M.Richardson@ed.ac.uk>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Use machine-id as the source for the default hostname (e.g. `talos-2gd-76y`) instead of DHCP-assigned IP (e.g. `talos-172-20-0-2`). This way, DHCP IP changes won't impact the hostname. Defaults to true for Talos version >=1.2.
Closessiderolabs/talos#5896.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Fixes#4836
Firewall mark is `uint32` attached to the packet in the Linux kernel
(it's not transmitted on the wire). This is a shared value for all
networking software, so multiple components might attempt to set and
match on the firewall mark.
Cilium and Calico CNIs are using firewall marks internally, but they
touch only some bits of the firewall mark.
The way KubeSpan was implemented before this PR, it was doing direct
match on the firewall mark, and setting the whole `uint32`, so it comes
into conflict with any other networking component using firewall marks.
The other problem was that firewall mark 0x51820 (0x51821) was too
"wide" touching random bits of the 32-bit value for no good reason.
So this change contains two fixes:
* make firewall mark exactly a single bit (we use bits `0x20` and `0x40`
now)
* match and mark packets with the mask (don't touch bits outside of the
mask when setting the mark and ignore bits outside of the mask when
matching on the mark).
This was tested successfully with both Cilium CNI (default config +
`ipam.mode=kubernetes`) and Calico CNI (default config).
One thing to note is that for KubeSpan and Talos it's important to make
sure that `podSubnets` in the machine config match CNI setting for
`podCIDRs`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This uses the `go-packet` library with native bindings for the packet
capture (without `libpcap`). This is not the most performant way, but it
allows us to avoid CGo.
There is a problem with converting network filter expressions (like
`tcp port 3222`) into BPF instructions, it's only available in C
libraries, but there's a workaround with `tcpdump`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR allows the ability to generate `secrets.yaml` (`talosctl gen secrets`) using a Kubernetes PKI directory path (e.g. `/etc/kubernetes/pki`) as input. Also introduces the flag `--kubernetes-bootstrap-token` to be able to set a static Kubernetes bootstrap token to the generated `secrets.yaml` file instead of a randomly-generated one. Closessiderolabs/talos#5894.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This PR removes pre-v0.10 docs from the drop down. They will remain in
the content so folks can still read them if needed.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
The end result is that every Talos CLI accepts both JSON and strategic
patches to patch machine configuration.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Adds a new command `talosctl gen secrets` to generate a `secrets.yaml` file with Talos and Kubenetes secrets. This file can later be used like `talosctl gen config ... --with-secrets secrets` to generate a config with these pre-generated secrets. Closessiderolabs/talos#5861.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
this commits adds dracut style vlan support to allow
installing talos in networks where ports is not tagged
with a default vlan.
Signed-off-by: Eirik Askheim <eirik@x13.no>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
There should be no functional change with this PR.
The primary driver is supporting strategic merge configuration patches.
For such type of patches machine config should be loaded from incomplete
fragments, so it becomes critically important to distinguish between a
field having zero value vs. field being set in YAML.
E.g. with following struct:
```go
struct { AEnabled *bool `yaml:"a"` }
```
It's possible to distinguish between:
```yaml
a: false
```
and no metion of `a` in YAML.
Merging process trewats zero values as "not set" (skips them when
merging), so it's important to allow overriding value to explicit
`false`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR fixes a mistake in the bridge support docs and the reference to its docs in changelog.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Talos v1.0 and later versions are unable to boot in a Proxmox
VM with "kvm64" set as its Processor Type. We add an
instruction in the Proxmox Guide for setting Processor Type
to "host". Talos v1.0 requires the x86-64-v2
microarchitecture, which is very common today.
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
sudo -E doesn't keep $HOME on all platforms. Change to
--preserve-home=HOME to tell sudo to especially kee $HOME to prevent
config being generated in /root/.talos
Signed-off-by: hobyte <simolu8@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The URL to fetch the configuration for a talos node is given by the
talos.config kernel parameter. We add support for 4 variables ${uuid},
${serial}, ${mac} and ${hostname} which substitute the device UUID,
DMI-sourced serial number, MAC address of the first network interface to
be up and the hostname respectively.
Fixes#3272
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
As we submit results to Certified Kubernetes, we provide metadata which
should be updated now, and also we lost the logo in our assets.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add docs on using OpenEBS Jiva that works well with local storage and
`iscsi-tools` extension.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
