Add support for using certificates stored in AWS Certificate Manager to
sign secureboot images in imager.
Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
Open the blockdevice in `O_EXCL` mode when wiping to ensure that we
don't wipe a mounted device.
This issue was discovered via #12620, when wiping a blockdevice which
was still mounted ended up in a wrong state.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
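As an added illustration of the mitigation described in this commit (example code written for this changelog, not Talos's own implementation): on Linux, `O_EXCL` without `O_CREAT` is honoured only for block devices, and the open fails with `EBUSY` when the device or one of its partitions is mounted or held exclusively by another process. A wipe routine that insists on an exclusive handle therefore refuses to touch a mounted disk instead of corrupting it. `OpenForWipe` and `WipeHeader` are hypothetical names; the kernel ignores the flag for regular files, which is what lets the logic be exercised against an ordinary file.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// ErrDeviceBusy is returned when the kernel refuses an exclusive open. On Linux
// this means the block device is mounted (or a partition of it is) or another
// O_EXCL holder, such as a partitioning tool, currently owns it.
var ErrDeviceBusy = errors.New("device is in use (mounted or held exclusively); refusing to wipe")

// OpenForWipe opens path read-write with O_EXCL so that a mounted device
// cannot be wiped by accident. The EBUSY from the kernel is mapped to
// ErrDeviceBusy; any other failure (no such device, permission denied) is
// returned wrapped so the caller can tell the two cases apart.
func OpenForWipe(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_RDWR|syscall.O_EXCL, 0)
	if err != nil {
		if errors.Is(err, syscall.EBUSY) {
			return nil, ErrDeviceBusy
		}
		return nil, fmt.Errorf("open %s: %w", path, err)
	}
	return f, nil
}

// WipeHeader zeroes the first n bytes of the device (enough to destroy a
// partition table or filesystem superblock signature) while holding the
// exclusive handle, so nothing can mount the device halfway through. The
// handle is synced before it is released.
func WipeHeader(path string, n int) error {
	f, err := OpenForWipe(path)
	if err != nil {
		return err
	}
	defer f.Close()

	if _, err := f.WriteAt(make([]byte, n), 0); err != nil {
		return fmt.Errorf("wipe %s: %w", path, err)
	}
	return f.Sync()
}

// main only performs the exclusivity check and reports the outcome; it does
// not write anything, so it can be pointed at a real device safely.
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: excl-check /dev/sdX")
		os.Exit(2)
	}
	f, err := OpenForWipe(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	f.Close()
	fmt.Println(os.Args[1], "is not mounted or held; exclusive open succeeded")
}
```

The check is only as good as the handle: the exclusive open must be the same file descriptor used for the writes, not a separate probe that is closed before wiping, otherwise a mount can slip in between the two opens.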
add the following flags to the upgrade-k8s command:
* `--force-conflicts` overwrite the fields when applying even if the field manager differs
* `--inventory-policy` string kubernetes SSA inventory policy (one of 'MustMatch', 'AdoptIfNoInventory' or 'AdoptAll') (default "AdoptIfNoInventory")
* `--no-prune` whether pruning of previously applied objects should happen after apply
* `--prune-timeout` int how long to wait for resources to be pruned in seconds (set to zero to disable waiting for resources to be fully deleted) (default 180)
* `--reconcile-timeout` int how long to wait for resources to be fully reconciled in seconds (set to zero to disable waiting for resources to be fully reconciled) (default 180)
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
* add SSA via the new go-kubernetes library implementation to talosctl `upgrade-k8s` command
* add SSA via direct ResourceInterface call into talos (machined) with a manual inventory update
* add an integration test for ssa functionality
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also changes the bootloader interface.
Disks are formatted/created with pre-populated source directories in Install/Image mode.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Update COSI, and stop using a fork of `gopkg.in/yaml.v3`, now we use new
supported fork of this library.
Drop `MarshalYAMLBytes` for the machine config, as we actually marshal
config as a string, and we don't need this at all.
Make `talosctl` stop doing hacks on machine config for newer Talos, keep
hacks for backwards compatibility.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is a fix for the wrong fix in #11204, which was wrong in two ways:
* the ldflags -X override had a wrong variable name, so it had no effect
* but the above even if it worked, only covered "management" part of
things, while `wgctrl-go` which configures things still has a
hardcoded location of `/var/run/`.
So the fix is two ways:
* replace the location where the socket is created properly
* use updated forked wgctrl-go which looks in both locations
This keeps all fixes of #11204 - `talosctl cluster create` siderolink
agent works properly with `wg` on the host, and Talos uses proper
location.
Before the fix the location was actually `/var/run` and it randomly
failed depending on the race condition of Talos booting up and managing
`/var`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
CoreDNS 1.13.0
Linux 6.17.4
Other go.mod dependencies, tools, Helm charts used in tests, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add new `--airgapped` flag to talos cluster create (qemu)
to disable NAT in the VMs to effectively become airgapped.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
* add 'iso', 'pxe', 'disk-image', 'maintenance' and 'secureboot' presets
* switch the image-factory e2e test to use the create qemu command with presets
* add a '--omni-api-endpoint' to simplify connecting machines to omni
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
There was a mismatch between how Talos encodes resource specs to
protobuf on the wire, and `.proto` files generated by `structprotogen`
for the same specs.
This only affected `LinkStatus`/`LinkSpec` resources, and it doesn't
affect Talos/Omni as they go via `protoenc`, bypassing `.proto` files.
Also if default proto library is used, it also works correctly.
The only place where it fails is a strict `vtprotobuf` encoding.
Also imports `protoenc` 0.2.4 skipping encoding of zero fields, which
should make COSI responses smaller for resources with lots of zero
fields.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is driven by a bug in `nocloud`, but it was long overdue to nuke
the old version of the library completely and rely on new code.
This refactors all four platforms which do load something from a mounted
disk into one implementation.
Fixes #11948
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This commit adds SOCKS5 proxy support to the DynamicProxyDialer function.
The implementation includes:
- Detection of socks5:// scheme in proxy URLs
- Authentication support for SOCKS5 proxies (username/password)
- Proper error handling and connection establishment
- Unit tests to verify SOCKS5 proxy functionality
- Fixed import path for dialer package in tests
The change allows Talos clients to connect through SOCKS5 proxies by
setting the HTTPS_PROXY environment variable with a socks5:// URL.
Signed-off-by: Olivier Doucet <odoucet@oxeva.fr>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use key provider with fallback option for auth type SideroV1:
- Attempt to use $HOME/.talos/keys directory to read/remove existing PGP file if it exists or write new PGP file if directory is writable.
- Otherwise fallback to using $XDG_DATA_HOME/talos/keys directory.
- Add new talosctl flag --siderov1-key-dir (also configurable via SIDEROV1_KEYS_DIR env var) to allow customizing the directory to use for PGP keys
Update documentation to remove reference for $XDG_CONFIG_HOME for storing talosctl configuration, as it's not used anymore.
Signed-off-by: Oguz Kilcan <oguz.kilcan@siderolabs.com>
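The fallback policy in the commit above, as an added example (not talosctl's own code): a directory resolver that prefers an explicit override, then `$HOME/.talos/keys` when the key file already exists there or the directory can be written, and only then `$XDG_DATA_HOME/talos/keys`. `ResolveKeyDir`, `dirWritable`, the `Env` type and the `keyName` argument are hypothetical; the XDG default of `$HOME/.local/share` follows the XDG base directory specification, and creating missing directories with mode `0700` is this example's choice for a directory that holds private keys.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Env abstracts environment lookup so the policy can be exercised without
// touching the real process environment.
type Env func(key string) string

// dirWritable reports whether dir exists (creating it, mode 0700, if needed)
// and a file can actually be created inside it. Mode bits alone are not
// enough: the directory may sit on a read-only mount or belong to another
// user, so we probe by creating and removing a temporary file.
func dirWritable(dir string) bool {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return false
	}
	probe, err := os.CreateTemp(dir, ".probe-")
	if err != nil {
		return false
	}
	probe.Close()
	os.Remove(probe.Name())
	return true
}

// ResolveKeyDir picks the directory for the SideroV1 PGP key file keyName.
// Precedence (assumed for this example):
//  1. override (the value a --siderov1-key-dir flag would supply)
//  2. SIDEROV1_KEYS_DIR from the environment
//  3. $HOME/.talos/keys, if the key already exists there or it is writable;
//     an existing key always wins so a second identity is never created
//  4. $XDG_DATA_HOME/talos/keys, with the XDG default of $HOME/.local/share
func ResolveKeyDir(env Env, override, keyName string) (string, error) {
	if override != "" {
		return override, nil
	}
	if v := env("SIDEROV1_KEYS_DIR"); v != "" {
		return v, nil
	}
	home := env("HOME")
	if home == "" {
		return "", fmt.Errorf("HOME is not set; cannot locate key directory")
	}

	legacy := filepath.Join(home, ".talos", "keys")
	if _, err := os.Stat(filepath.Join(legacy, keyName)); err == nil {
		return legacy, nil
	}
	if dirWritable(legacy) {
		return legacy, nil
	}

	data := env("XDG_DATA_HOME")
	if data == "" {
		data = filepath.Join(home, ".local", "share")
	}
	xdg := filepath.Join(data, "talos", "keys")
	if !dirWritable(xdg) {
		return "", fmt.Errorf("no writable key directory: tried %s and %s", legacy, xdg)
	}
	return xdg, nil
}

func main() {
	dir, err := ResolveKeyDir(os.Getenv, "", "example.pgp")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("PGP keys would be stored in", dir)
}
```

Resolving the directory once and then using it for both read and write keeps the two paths from diverging: a key found in the legacy directory is removed from that same directory later, rather than a fresh key being silently created under the XDG path while the old one stays behind.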
Move stuff into `tools/go.mod`.
Also fix linting issues on the way (updating golangci-lint).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>