This controller is enabled when the `talos.logging.kernel=` kernel arg is
passed. It will try to send logs to the endpoint as JSON-over-TCP (or
UDP-over-TCP, depending on the endpoint) as structured messages.
Example (from test implementation):
```
2021-11-26T19:53:21.912+0300 INFO siderolink-agent/log_receiver.go:23 kernel log message {"src_address": "fdae:41e4:649b:9303:680a:dfab:f7fa:ea00", "msg": {"clock":6252819,"facility":"user","msg":"[talos] task startAllServices (1/1): waiting for 6 services\n","priority":"warning","seq":711,"talos-level":"warn","talos-time":"2021-11-26T16:53:21.3258698Z"}}
```
Fixes #4455
See also https://github.com/talos-systems/siderolink/pull/4
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Still no proper tags for Kubernetes modules (known issue upstream).
Also bump dependencies.
Closes #4605, closes #4606
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#4567
This is not a complete fix, but rather a workaround: if the DHCP4 operator
panics, Talos shouldn't crash on `machined` unhandled panic.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Next blockdevice library release reads MBR along with GPT and raises
an error if GPT is not set.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Related to #4448
The only remaining part is filtering out SideroLink addresses when Talos
looks for a node address.
See also https://github.com/talos-systems/siderolink/pull/2
The way to test it out:
```
$ talosctl cluster create ... --extra-boot-kernel-args siderolink.api=172.20.0.1:4000
```
(where 172.20.0.1 is the bridge IP)
Run `siderolink-agent` (test implementation):
```
$ sudo _out/siderolink-agent-linux-amd64
```
Now on the host, there should be a `siderolink` Wireguard userspace
tunnel:
```
$ sudo wg
interface: siderolink
public key: 2aq/V91QyrHAoH24RK0bldukgo2rWk+wqE5Eg6TArCM=
private key: (hidden)
listening port: 51821
peer: Tyr6C/F3FFLWtnzqq7Dsm54B40bOPq6++PTiD/zqn2Y=
endpoint: 172.20.0.1:47857
allowed ips: fdae:41e4:649b:9303:b6db:d99c:215e:dfc4/128
latest handshake: 2 minutes, 2 seconds ago
transfer: 3.62 KiB received, 1012 B sent
...
```
Each Talos node will be registered as a peer, and the tunnel is established.
You can now ping Talos nodes from the host over the tunnel:
```
$ ping fdae:41e4:649b:9303:b6db:d99c:215e:dfc4
PING fdae:41e4:649b:9303:b6db:d99c:215e:dfc4(fdae:41e4:649b:9303:b6db:d99c:215e:dfc4) 56 data bytes
64 bytes from fdae:41e4:649b:9303:b6db:d99c:215e:dfc4: icmp_seq=1 ttl=64 time=0.352 ms
64 bytes from fdae:41e4:649b:9303:b6db:d99c:215e:dfc4: icmp_seq=2 ttl=64 time=0.437 ms
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes #4407, fixes #4489
This PR started by enabling simple restart of the `kubelet` service via
services API, but it turned out there's a problem:
When kubelet restarts, CNI is already up, so there's an interface on the
host with CNI node IP, the code which picks kubelet node IP finds it and
tries to add it to the list of kubelet node IPs which completely breaks
kubelet.
Solution was easy: allow node IPs to be filtered out - e.g. we never
want kubelet node IP to be from the pod CIDR.
But this filtering feature is also useful in other cases, so I added
that as well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
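The address filtering this message describes (and the SideroLink address filtering mentioned in the earlier message) in Go, as an added example that is not Talos code: `FilterNodeAddrs` is a hypothetical helper that drops every interface address falling inside an excluded prefix, such as the pod CIDR or the SideroLink prefix. The sample addresses and the /64 SideroLink prefix are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// SampleAddrs are constructed interface addresses for one node (not captured from
// a real system): the LAN address, a CNI pod address, and a SideroLink ULA.
var SampleAddrs = []string{
	"172.20.0.2/24",
	"10.244.1.1/32",
	"fdae:41e4:649b:9303:b6db:d99c:215e:dfc4/128",
}

// FilterNodeAddrs returns the addresses (without prefix length) that do not fall
// inside any excluded prefix, in their original order. Excluding the pod CIDR keeps
// the CNI address from being picked as a kubelet node IP; excluding the SideroLink
// prefix keeps the tunnel address out of node address discovery.
func FilterNodeAddrs(addrs []string, excluded []string) ([]string, error) {
	prefixes := make([]netip.Prefix, 0, len(excluded))
	for _, e := range excluded {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			return nil, fmt.Errorf("bad excluded prefix %q: %w", e, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	var kept []string
	for _, a := range addrs {
		p, err := netip.ParsePrefix(a)
		if err != nil {
			return nil, fmt.Errorf("bad address %q: %w", a, err)
		}
		ip := p.Addr().Unmap() // treat ::ffff:a.b.c.d as plain IPv4
		excludedAddr := false
		for _, ex := range prefixes {
			if ex.Contains(ip) {
				excludedAddr = true
				break
			}
		}
		if !excludedAddr {
			kept = append(kept, ip.String())
		}
	}
	return kept, nil
}

func main() {
	fmt.Println(FilterNodeAddrs(SampleAddrs, []string{"10.244.0.0/16", "fdae:41e4:649b:9303::/64"}))
}
```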
This stops using `discovery-service` module which contained both client
and server code. The tests were reworked to use the public discovery
service endpoint.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Due to the way our crypto library is implemented, it can't generate a
key from CA with ECDSA-SHA256 on older versions of Talos.
Talos >= 0.13: ECDSA-SHA256 with P-256
Talos < 0.13: ECDSA-SHA512 with P-256
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Previously Talos used ECDSA-SHA512 with a P-256 EC key, which is not a
widely supported combination. Use ECDSA-SHA256 instead.
There's no security benefit to using ECDSA-SHA512 with a P-256 key, and this
combination is officially supported by the TLS 1.3 standard.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
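The curve/hash pairing point made in this and the previous message, shown in Go as an added example (not Talos code and not its crypto library): `NewP256Cert` is a hypothetical helper that self-signs a P-256 certificate with a chosen algorithm, and `TLS13ECDSAPairing` checks whether a certificate's curve/hash pair is one that RFC 8446 defines, so a P-256/SHA-512 certificate from an older Talos is flagged while P-256/SHA-256 passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewP256Cert self-signs a P-256 certificate with the requested signature
// algorithm. Hypothetical helper written for this example.
func NewP256Cert(alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "example-p256"},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg, // Go signs with any ECDSA hash, even SHA-512 on P-256
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TLS13ECDSAPairing reports whether an ECDSA certificate uses a curve/hash pairing
// defined by TLS 1.3 (RFC 8446): P-256/SHA-256, P-384/SHA-384 or P-521/SHA-512.
func TLS13ECDSAPairing(cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	switch pub.Curve {
	case elliptic.P256():
		return cert.SignatureAlgorithm == x509.ECDSAWithSHA256
	case elliptic.P384():
		return cert.SignatureAlgorithm == x509.ECDSAWithSHA384
	case elliptic.P521():
		return cert.SignatureAlgorithm == x509.ECDSAWithSHA512
	}
	return false
}
```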
Update component versions, Go module versions.
Add platform tiers to the support matrix.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This provides integration layer with discovery service to provide
cluster discovery (and transitively KubeSpan peer discovery).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos supports automatic virtual IP for the control plane with pure
layer 2 connectivity. Hetzner Cloud API supports assigning Floating IPs
to the nodes, this PR combines existing virtual IP functionality with calls
to HCloud API to move the IP address on HCloud side to the leader node.
The only thing which should be supplied in the machine configuration is
the Hetzner Cloud API token, every other setting is automatically
discovered by Talos.
Talos supports two types of floating IPs:
* external Floating IP for external network
* server alias IP for local networks
The control plane can have only one alias on the local network interface.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This should fix lookup of CD-ROM devices.
Update `go-blockdevice` library to the version with the fix.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Update `go-blockdevice` library.
Readwrite mode doesn't work when there are readonly devices like `iso`.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Note: Talos can be still run under `Firecracker`, support for
Firecracker was only removed for `talosctl cluster create`.
Reason:
* code is untested/unmaintained, and probably doesn't work correctly
* firecracker Go SDK pulls lots of dependencies and it blocks CNI Go
module update
Bonus: `talosctl-linux-amd64` shrinks by 2 MiB.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This concludes basic KubeSpan implementation.
Most of the code is from #3577 with some fixes and refactoring.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Signed-off-by: Seán C McCord <ulexus@gmail.com>
Co-authored-by: Seán C McCord <ulexus@gmail.com>
* cloud-init for scaleway
* set ipv6 to the interface
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR makes sure that some capabilities (SYS_BOOT and SYS_MODULES) can
never be gained by any process running on Talos except for `machined`
itself.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes #4138
When KubeSpan is enabled, Talos automatically generates or loads
KubeSpan identity which consists of Wireguard key pair. ULA address is
calculated based on ClusterID and first NIC MAC address.
Some code was borrowed from #3577.
Example:
```
$ talosctl -n 172.20.0.2 get ksi
NODE NAMESPACE TYPE ID VERSION ADDRESS PUBLICKEY
172.20.0.2 kubespan KubeSpanIdentity local 1 fd71:6e1d:86be:6302:e871:1bff:feb2:ccee/128 Oak2fBEWngBhwslBxDVgnRNHXs88OAp4kjroSX0uqUE=
```
Additional changes:
* `--with-kubespan` flag for `talosctl cluster create` for quick testing
* validate that cluster discovery (and KubeSpan) requires ClusterID and
ClusterSecret.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Signed-off-by: Seán C McCord <ulexus@gmail.com>
Co-authored-by: Seán C McCord <ulexus@gmail.com>
Fixes #4137
Node identity is established when `STATE` partition is mounted, and
cached there. Node identity will be used for the cluster discovery
process to identify each node of the cluster.
Random 32 bytes encoded via base62 are used as node identity.
`base62` uses only URL-safe characters which might save us some trouble
later.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Also downgrade some indirect dependencies that don't have a good reason to be updated.
Closes #4111.
Closes #4112.
Closes #4116.
Closes #4117.
Closes #4121.
Closes #4122.
Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@talos-systems.com>
No real functional changes, just updating to the final versions before
Talos 0.12 release.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos supports automatic virtual IP for the control plane with pure
layer 2 connectivity. Equinix Metal API supports assigning shared IPs to
the nodes, this PR combines existing virtual IP functionality with calls
to EM API to move the IP address on EM side to the leader node.
The only thing which should be supplied in the machine configuration is
the Equinix Metal API token, every other setting is automatically
discovered by Talos.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>