siderolabs/talos v1.3.0-alpha.0 on GitHub

Talos 1.3.0-alpha.0 (2022-09-28)

Welcome to the v1.3.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

kube-apiserver Audit Policy

Talos now supports setting custom audit policy for kube-apiserver in the machine configuration.

etcd Consistency Check

Talos enables --experimental-compact-hash-check-enabled option by default to improve
etcd store consistency guarantees.

This options is only available with etcd >= v3.5.5, so Talos doesn't support version of etcd before v3.5.5.

Kernel Modules

Talos now supports settings kernel module parameters.

Eg:

machine:
  kernel:
    modules:
      - name: "br_netfilter"
        parameters:
          - nf_conntrack_max=131072

Nano Pi R4S

Talos now supports the Nano Pi R4S SBC.

Raspberry Generic Images

The Raspberry Pi 4 specific image has been deprecated and will be removed in the v1.4 release of Talos.
Talos now ships a generic Raspberry Pi image that should support more Raspberry Pi variants.
Refer to the docs at https://www.talos.dev/v1.3/talos-guides/install/single-board-computers/rpi_generic/ to find which ones are supported.

Component Updates

Kubernetes: v1.26.0-alpha.1
Flannel: v0.19.2
CoreDNS: v1.10.0
etcd: v3.5.5
Linux: 5.15.70

Contributors

Andrey Smirnov
Noel Georgi
Andrey Smirnov
Artem Chernyshev
Dmitriy Matrenichev
Artem Chernyshev
Alexey Palazhchenko
Serge Logvinov
Andrew Rynhard
Utku Ozdemir
Kris Reeves
Marvin Drees
Philipp Sauter
Andrew Rynhard
Branden Cash
Matt Zahorik
Olli Janatuinen
Pau Campana
Sander Maijers
Seán C McCord
Spencer Smith
Steve Francis
Tim Jones

Changes

106 commits

67cc45ae3 release(v1.3.0-alpha.0): prepare release
18c377a4d feat: customize audit policy
23c9ea46b fix: raspberry pi install
f17cdee16 feat: jsonpath filter for talosctl get outputs
6bd3cca1a chore: generic raspberry pi images
d914ab8bb chore: add vulncheck tool as a linter
a0151aa13 feat: add generic rpi u-boot support
30f851d09 chore: bump dependences
8b2235c3b fix: lookup Equinix Metal bond slaves using 'permanent addr'
b3257ebb1 chore: bump kernel to 5.15.70
0b2767c16 feat: implement 'permanent addr' in link statuses
c90e20251 fix: kubeconfig permission
fc48849d0 chore: move maps/slices/ordered to gen module
8b09bd4b0 feat: update Kubernetes to v1.26.0-alpha.1
276d4175b chore: bump extension versions in testing
357b770cb fix: cryptsetup delete slot
711128839 fix: continue applying bootstrap manifests on some errors
ce12c7b38 chore: update COSI runtime to v0.2.0-alpha.1
1b435c0b3 chore: bump kernel + ice drivers
18e041f1e docs: fix typo in patching example
0ad6452ca feat: update CoreDNS to v1.10.0
479f3f52e chore: bump dependencies
e07c6ae99 feat: update Kubernetes to v1.25.1
13fdfaffc test: fix up default branch name
ef181321a docs: add component diagram; K8s & Talos Linux
aade73643 docs: fix missing variable in OpenEBS docs
472590aa8 chore: return InvalidArgument on invalid config in maintenance mode
e5cabd42c feat: enable etcd consistency hashcheck
015535d90 fix: update discovery client with the redirect fix
d0c8e7699 chore: bump kernel and go
985b0c2e7 chore: remove go.work.sum
69124f102 feat: update etcd to v3.5.5
1985a796c docs: update docs for pod security
94b088f02 fix: set etcd options consistently
92ae7ef4b fix: fix protoenc encoding for enums and types with custom encoders
93809017c docs: cpu scaling governor knowledgebase
7b270ff33 test: fix api controller test
2dadcd669 fix: stop worker nodes from acting as apid routers
9eaf33f3f fix: never sign client certificate requests in trustd
436749124 feat: environment vars for extension service
0c0cb671e chore: mark machine configuration validation failure as InvalidArgument
f424e5340 fix: stop containers more thoroughly
12827b861 chore: move "implements" checks to compile time
3a67c42cb fix: kill the task processes when cleaning up stale task
14a79e325 chore: bump dependencies
9beee92e7 docs: fix double vv in Kubernetes version
688272515 fix: use different username for Talos Kubernetes API access
161a52a9e feat: check apid client certificate extended key usage
9dadc4a59 fix: include all node addresses into etcd cert SANs
71bfd3e43 feat: update CoreDNS to 1.9.4
9df8f1ff1 fix: list COSI APIs for the apid authenticator
31462450f fix: pass a pointer to specs.Mount into protoenc.Marshal
e626540df chore: avoid double API request logging in trustd
f62d17125 chore: update crypto to use new import path siderolabs/crypto
ef27dd855 chore: bump dependencies
6472ae00b fix: automatically discard VIPs for etcd advertised addresses
5e21cca52 feat: support setting kernel parameters
bd56621cd feat: add structprotogen tool
cdb6bb2cc feat: add Nano Pi R4S support
36c1f1d6e fix: flip the client-server version check
cd6c53a97 docs: fork docs for v1.3
0847400f7 fix: prevent panic on health check if a member has no IPs
7471d7f01 feat: update Flannel to v0.19.2
148c75cfb docs: consolidate the control-plane documentation
353154281 fix: drop kube-system SA default binding
4f37b668b chore: remove capi hacks
1369afea8 docs: make 1.2.0 docs default ones
7627cb0e3 docs: add new talosctl gen secrets
8aa60a37a chore: bump kernel to 5.15.64
a798dbd5d docs: update docs for upcoming 1.2.0 release
b2fec3c97 fix: properly handle configContext being nil in Talos client
1c0977b3a fix: change the type of returned gRPC connection object from the client
41848e421 fix: expose Talos client gRPC connection via the function Conn
2e9be4af8 chore: bump dependencies
d283aba3a test: fix cli reboot test
0b339a9dc feat: track progress of action API calls
072349812 fix: update COSI to the version with gRPC Wait fix
89d57aa81 fix: always abort the maintenance service
f6fa74619 fix: limit apid backoff max delay
d7ef346db fix: get command in the case 'nodes' are not set in the context
4e9c32256 fix: correctly render hosts.toml with multiple endpoints
cdd0f08bc feat: check client <> server version in some Talos commands
446b0af58 chore: bump kernel and runc
8c203ce9b feat: remove the machine from the discovery service on reset
b59ca5810 chore: move from inet.af/netaddr to net/netip and go4.org/netipx
053af1d59 fix: update etcd certificates when node addresses changes
11edb2c6f test: re-enable upgrade tests
0310e2089 chore: bump github.com/siderolabs/protoenc to v0.1.5
29bd63240 chore: remove old build tags syntax
b500d0aa9 chore: bump k8s to v1.25.0
29e574be7 docs: update to v1.2.0-beta.1
26b549f2a chore: bump dependencies
8c3ac4c42 chore: limit GOMAXPROCS for Talos services
361e85b74 fix: properly read kexec disabled sysctl
cfe6c2bc2 docs: nvidia oss drivers
2f2d97b6b fix: don't wait for the hostname in maintenance mode
b15a63924 chore: bump kernel to 5.15.62
a0d94be30 fix: stable default hostname bias
da4cd34ef feat: update etcd advertised peer addresses on the fly
faf92ce01 chore: bump kubernetes to v1.25.0-rc.1
52de919e3 chore: bump containerd to v1.6.8
7d43fc79b fix: make 'ca', 'crt' and 'key' flags optional for 'talosctl config add'
fd467e02c fix: handle grub config being empty in the Revert function
9492aca65 fix: clean up cancelCtxMu leftovers in PriorityLock
61e3eb2ea fix: talosctl edit mc loop
32db7a7f5 fix: surround cancelCtx with the mutex

Changes from siderolabs/crypto

27 commits

siderolabs/crypto@c3225ee feat: allow CSR template subject field to be overridden
siderolabs/crypto@8570669 chore: rename to siderolabs/crypto
siderolabs/crypto@e9df1b8 feat: add support for generating keys from RSA-SHA256 CAs
siderolabs/crypto@510b0d2 chore: add json tags
siderolabs/crypto@6fa2d93 fix: deepcopy nil fields as nil
siderolabs/crypto@9a63cba fix: add back support for generating ECDSA keys with P-256 and SHA512
siderolabs/crypto@893bc66 fix: use SHA256 for ECDSA-P256
siderolabs/crypto@deec8d4 chore: implement DeepCopy methods for PEMEncoded* types
siderolabs/crypto@d3cb772 feat: make possible to change KeyUsage
siderolabs/crypto@6bc5bb5 chore: remove unused argument
siderolabs/crypto@cd18ef6 feat: add support for several organizations
siderolabs/crypto@97c888b chore: add options to CSR
siderolabs/crypto@7776057 chore: fix typos
siderolabs/crypto@80df078 chore: remove named result parameters
siderolabs/crypto@15bdd28 chore: minor updates
siderolabs/crypto@4f80b97 fix: verify CSR signature before issuing a certificate
siderolabs/crypto@39584f1 feat: support for key/certificate types RSA, Ed25519, ECDSA
siderolabs/crypto@cf75519 fix: function NewKeyPair should create certificate with proper subject
siderolabs/crypto@751c95a feat: add 'PEMEncodedKey' which allows to transport keys in YAML
siderolabs/crypto@562c3b6 feat: add support for public RSA key in RSAKey
siderolabs/crypto@bda0e9c feat: enable more conversions between encoded and raw versions
siderolabs/crypto@e0dd56a feat: add NotBefore option for x509 cert creation
siderolabs/crypto@12a4897 feat: add support for SPKI fingerprint generation and matching
siderolabs/crypto@d0c3eef fix: implement NewKeyPair
siderolabs/crypto@196679e feat: move pkg/grpc/tls from github.com/talos-systems/talos as ./tls
siderolabs/crypto@1ff6242 chore: initial version as imported from talos-systems/talos
siderolabs/crypto@835063e chore: initial commit

Changes from siderolabs/discovery-api

3 commits

siderolabs/discovery-api@5b0c5e7 chore: rename to siderolabs, rekres, etc
siderolabs/discovery-api@db279ef feat: initial set of APIs and generated files
siderolabs/discovery-api@ac52a37 chore: initial commit

Changes from siderolabs/discovery-client

1 commit

siderolabs/discovery-client@230f317 fix: reconnect the client on update failure

Changes from siderolabs/gen

4 commits

siderolabs/gen@726e066 fix: rename tuples.go to pair.go and set proper package name
siderolabs/gen@d8d7d25 chore: minor additions
siderolabs/gen@338a650 chore: add initial implementation and documentation
siderolabs/gen@4fd8667 Initial commit

Changes from siderolabs/go-blockdevice

55 commits

siderolabs/go-blockdevice@dcf6044 chore: rekres and rename
siderolabs/go-blockdevice@9c4af49 fix: cryptsetup remove slot
siderolabs/go-blockdevice@74ea471 feat: add freebsd stubs
siderolabs/go-blockdevice@9fa801c feat: add ReadOnly attribute to Disk
siderolabs/go-blockdevice@fccee8b chore: rekres the source, fix issues
siderolabs/go-blockdevice@d9c3a27 feat: support probing FAT12/FAT16 filesystems
siderolabs/go-blockdevice@b374eb4 fix: align partition to 1M boundary by default
siderolabs/go-blockdevice@ec428fe fix: lookup filesystem labels on the actual device path
siderolabs/go-blockdevice@7b9de26 feat: read symlink fullpath in block device list function
siderolabs/go-blockdevice@6928ee4 refactor: rewrite GPT serialize/deserialize functions
siderolabs/go-blockdevice@0c7e429 refactor: simplify middle endian functions
siderolabs/go-blockdevice@15b182d fix: return partition table not exist when trying to read an empty dev
siderolabs/go-blockdevice@b9517d5 fix: resize partition
siderolabs/go-blockdevice@70d2865 fix: try to find cdrom disks
siderolabs/go-blockdevice@667bf53 fix: revert gpt partition not found
siderolabs/go-blockdevice@d7d4cdd fix: gpt partition not found
siderolabs/go-blockdevice@33afba3 fix: also open in readonly mode when running All lookup method
siderolabs/go-blockdevice@e367f9d feat: make probe always open blockdevices in readonly mode
siderolabs/go-blockdevice@d981156 fix: allow Build for Windows
siderolabs/go-blockdevice@fe24303 fix: perform correct PMBR partition calculations
siderolabs/go-blockdevice@2ec0c3c fix: preserve the PMBR bootable flag when opening GPT partition
siderolabs/go-blockdevice@87816a8 feat: align partition to minimum I/O size
siderolabs/go-blockdevice@c34b59f feat: expose more encryption options in the LUKS module
siderolabs/go-blockdevice@30c2bc3 feat: mark MBR bootable
siderolabs/go-blockdevice@1292574 fix: make disk type matcher parser case insensitive
siderolabs/go-blockdevice@b77400e fix: properly detect nvme and sd card disk types
siderolabs/go-blockdevice@1d830a2 fix: revert mark the EFI partition in PMBR as bootable
siderolabs/go-blockdevice@bec914f fix: mark the EFI partition in PMBR as bootable
siderolabs/go-blockdevice@776b37d feat: add options to probe disk by various sysblock parameters
siderolabs/go-blockdevice@bb3ad73 fix: align partition start to physical sector size
siderolabs/go-blockdevice@8f976c2 feat: replace exec.Command with go-cmd module
siderolabs/go-blockdevice@1cf7f25 fix: properly handle no child processes error from cmd.Wait
siderolabs/go-blockdevice@04a9851 feat: implement luks encryption provider
siderolabs/go-blockdevice@b0375e4 feat: add an option to open block device with exclusive flock
siderolabs/go-blockdevice@5a1c7f7 refactor: add devname into gpt.Partition, refactor probe package
siderolabs/go-blockdevice@f2728a5 fix: keep contents of PMBR when writing it
siderolabs/go-blockdevice@2878460 fix: write second copy of partition entries
siderolabs/go-blockdevice@943b08b fix: blockdevice reset should read partition table from disk
siderolabs/go-blockdevice@5b4ee44 fix: ignore /dev/ram devices
siderolabs/go-blockdevice@98754ec refactor: rewrite GPT library
siderolabs/go-blockdevice@2a1baad fix: correctly build paths for mmcblk devices
siderolabs/go-blockdevice@8076344 fix: return proper disk size from GetDisks function
siderolabs/go-blockdevice@8742133 chore: add common method to list available disks using /sys/block
siderolabs/go-blockdevice@c4b5833 feat: implement "fast" wipe
siderolabs/go-blockdevice@b4e67d7 feat: return resize status from Resize() function
siderolabs/go-blockdevice@ceae64e fix: sync kernel partition table incrementally
siderolabs/go-blockdevice@2cb9516 fix: return correct error value from blkpg functions
siderolabs/go-blockdevice@cebe43d refactor: expose InsertAt method via interface
siderolabs/go-blockdevice@c40dcd8 fix: properly inform kernel about partition deletion
siderolabs/go-blockdevice@bb8ac5d feat: implement disk wiping via several methods
siderolabs/go-blockdevice@23fb7dc feat: expose partition name (label)
siderolabs/go-blockdevice@ff3a821 feat: implement 'InsertAt' method to insert partitions at any position
siderolabs/go-blockdevice@3d1ce4f fix: calculate last lba of partition correctly
siderolabs/go-blockdevice@b71540f feat: copy initial version from talos-systems/talos
siderolabs/go-blockdevice@ca3c078 Initial commit

Changes from siderolabs/pkgs

26 commits

siderolabs/pkgs@0ac7773 chore: use generic raspberry pi u-boot
siderolabs/pkgs@d5633d4 chore: bump kernel to 5.15.70
siderolabs/pkgs@39c0d43 feat: add generic rpi_arm64_defconfig configuration
siderolabs/pkgs@ed269ca chore: bump kernel to 5.15.69
siderolabs/pkgs@f2f8333 fix: no slack notifications on failure
siderolabs/pkgs@6f0af33 chore: disable drone slack pipeline for renovate
siderolabs/pkgs@32aea3f chore: disable drone for renovate/dependabot
siderolabs/pkgs@44579f0 fix: rollback xfsprogs to 5.18.0
siderolabs/pkgs@792c0e3 feat: add gasket driver package
siderolabs/pkgs@07f1898 chore: update deps
siderolabs/pkgs@f78f410 chore: enable conntrack zones and timestamps
siderolabs/pkgs@049b3c6 chore: enable intel ice drivers
siderolabs/pkgs@606ff32 chore: bump deps
siderolabs/pkgs@eee5c8a chore: disable irc in conntrack
siderolabs/pkgs@70e6c46 chore: bump kernel to 5.15.64
siderolabs/pkgs@e510321 chore: update renovate config
siderolabs/pkgs@d1fa510 feat: enable renovate bot
siderolabs/pkgs@e427a77 chore: bump runc to v1.1.4
siderolabs/pkgs@40e1215 chore: enable nfsv4.2 client support
siderolabs/pkgs@15efada chore: bump kernel to 5.15.63
siderolabs/pkgs@e70e3c1 fix: nvidia oss pkg name
siderolabs/pkgs@30b8d79 chore: bump kernel to 5.15.62
siderolabs/pkgs@862c392 chore: bump gcc to 12.2.0
siderolabs/pkgs@2ecd14e fix: containerd version
siderolabs/pkgs@01df058 feat: add NanoPi R4S configuration
siderolabs/pkgs@d4cb33b chore: bump containerd to v1.6.8

Changes from siderolabs/tools

15 commits

siderolabs/tools@5df6589 chore: disable drone for renovate/dependabot
siderolabs/tools@1f00d2e fix: revert gawk to 5.1.1
siderolabs/tools@feeda1f chore: bump grpc-go
siderolabs/tools@8542014 chore: bump deps
siderolabs/tools@e5c4968 chore: update renovate config
siderolabs/tools@f34f94d chore: update renovate config
siderolabs/tools@cef4cc6 chore: update renovate config
siderolabs/tools@bab8e9e chore: add libbpf to tools
siderolabs/tools@0a15f7b chore: build pahole properly
siderolabs/tools@a322d06 chore: remove img
siderolabs/tools@c7ff47b feat: enable renovate dependency updates (3/3)
siderolabs/tools@6e095cf feat: enable renovate dependency updates (2/n)
siderolabs/tools@bad1ad1 feat: add renovatebot
siderolabs/tools@7d6f9c3 chore: bump gcc to 12.2.0
siderolabs/tools@2719b4b chore: bump toolchain

Dependency Changes

cloud.google.com/go/compute v1.8.0 -> v1.10.0
github.com/aws/aws-sdk-go v1.44.76 -> v1.44.105
github.com/cosi-project/runtime v0.1.1 -> v0.2.0-alpha.1
github.com/docker/docker v20.10.17 -> v20.10.18
github.com/google/go-cmp v0.5.8 -> v0.5.9
github.com/google/nftables 2eca00135732 -> cbeb0fb1eccf
github.com/hetznercloud/hcloud-go v1.35.2 -> v1.35.3
github.com/insomniacslk/dhcp 509691fd59ec -> 043f1726f02e
github.com/mdlayher/ethtool 856bd6cb8a38 -> 0e16326d06d1
github.com/mdlayher/netlink v1.6.0 -> v1.6.2
github.com/opencontainers/image-spec c5a74bcca799 -> v1.1.0-rc1
github.com/packethost/packngo v0.25.0 -> v0.26.0
github.com/rivo/tview 0e6b21a48e96 -> 2e69b7385a37
github.com/siderolabs/crypto v0.4.0 new
github.com/siderolabs/discovery-api v0.1.1 new
github.com/siderolabs/discovery-client v0.1.1 -> v0.1.2
github.com/siderolabs/gen v0.2.0 new
github.com/siderolabs/go-blockdevice v0.4.0 new
github.com/siderolabs/pkgs v1.2.0-8-g970860d -> v1.3.0-alpha.0-25-g0ac7773
github.com/siderolabs/tools v1.2.0 -> v1.3.0-alpha.0-14-g5df6589
github.com/vmware-tanzu/sonobuoy v0.56.9 -> v0.56.10
go.etcd.io/etcd/api/v3 v3.5.4 -> v3.5.5
go.etcd.io/etcd/client/pkg/v3 v3.5.4 -> v3.5.5
go.etcd.io/etcd/client/v3 v3.5.4 -> v3.5.5
go.etcd.io/etcd/etcdutl/v3 v3.5.4 -> v3.5.5
go.uber.org/atomic v1.9.0 -> v1.10.0
go.uber.org/zap v1.22.0 -> v1.23.0
go4.org/netipx 797b0c90d8ab new
golang.org/x/net 3211cb980234 -> 8be639271d50
golang.org/x/sync 886fb9371eb4 -> 7f9b1623fab7
golang.org/x/sys fbc7d0a398ab -> fb04ddd9f9c8
golang.org/x/term a9ba230a4035 -> 7a66f970e087
golang.org/x/time e5dcc9cfc0b9 -> f3bd1da661af
golang.zx2c4.com/wireguard/wgctrl 3d4a969bb56b -> 473347a5e6e3
google.golang.org/grpc v1.48.0 -> v1.49.0
k8s.io/api v0.25.0 -> v0.26.0-alpha.1
k8s.io/apimachinery v0.25.0 -> v0.26.0-alpha.1
k8s.io/apiserver v0.25.0 -> v0.26.0-alpha.1
k8s.io/client-go v0.25.0 -> v0.26.0-alpha.1
k8s.io/component-base v0.25.0 -> v0.26.0-alpha.1
k8s.io/cri-api v0.25.0 -> v0.26.0-alpha.1
k8s.io/kubectl v0.25.0 -> v0.26.0-alpha.1
k8s.io/kubelet v0.25.0 -> v0.26.0-alpha.1
kernel.org/pub/linux/libs/security/libcap/cap v1.2.65 -> v1.2.66

Previous release can be found at v1.2.0

Images

ghcr.io/siderolabs/flannel:v0.19.2
ghcr.io/siderolabs/install-cni:v1.2.0
docker.io/coredns/coredns:1.10.0
gcr.io/etcd-development/etcd:v3.5.5
k8s.gcr.io/kube-apiserver:v1.26.0-alpha.1
k8s.gcr.io/kube-controller-manager:v1.26.0-alpha.1
k8s.gcr.io/kube-scheduler:v1.26.0-alpha.1
k8s.gcr.io/kube-proxy:v1.26.0-alpha.1
ghcr.io/siderolabs/kubelet:v1.26.0-alpha.1
ghcr.io/siderolabs/installer:v1.3.0-alpha.0
k8s.gcr.io/pause:3.6