From 5eb5ff532d9a26578645a6b67d98f0c17742cc07 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Wed, 11 Sep 2024 14:14:14 +0400
Subject: [PATCH] feat: update etcd to 3.5.16

See https://github.com/etcd-io/etcd/releases/tag/v3.5.16

Signed-off-by: Andrey Smirnov
(cherry picked from commit 5c6277d171eea58878ce4fcb4d2fdb7154333ae7)
---
 go.mod | 16 +-
 go.sum | 32 +--
 hack/release.toml | 2 +-
 pkg/machinery/constants/constants.go | 2 +-
 .../v1.8/introduction/what-is-new/index.md | 206 +++++++++++++++++-
 .../configuration/v1alpha1/config.md | 6 +-
 6 files changed, 234 insertions(+), 30 deletions(-)

diff --git a/go.mod b/go.mod
index dea413e8fc..5b3a83c17a 100644
--- a/go.mod
+++ b/go.mod
@@ -162,10 +162,10 @@ require (
 github.com/vishvananda/netlink v1.3.0
 github.com/vmware/vmw-guestinfo v0.0.0-20220317130741-510905f0efa3
 github.com/vultr/metadata v1.1.0
- go.etcd.io/etcd/api/v3 v3.5.15
- go.etcd.io/etcd/client/pkg/v3 v3.5.15
- go.etcd.io/etcd/client/v3 v3.5.15
- go.etcd.io/etcd/etcdutl/v3 v3.5.15
+ go.etcd.io/etcd/api/v3 v3.5.16
+ go.etcd.io/etcd/client/pkg/v3 v3.5.16
+ go.etcd.io/etcd/client/v3 v3.5.16
+ go.etcd.io/etcd/etcdutl/v3 v3.5.16
 go.uber.org/zap v1.27.0
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 golang.org/x/net v0.29.0
@@ -329,10 +329,10 @@ require (
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 github.com/xlab/treeprint v1.2.0 // indirect
 go.etcd.io/bbolt v1.3.11 // indirect
- go.etcd.io/etcd/client/v2 v2.305.15 // indirect
- go.etcd.io/etcd/pkg/v3 v3.5.15 // indirect
- go.etcd.io/etcd/raft/v3 v3.5.15 // indirect
- go.etcd.io/etcd/server/v3 v3.5.15 // indirect
+ go.etcd.io/etcd/client/v2 v2.305.16 // indirect
+ go.etcd.io/etcd/pkg/v3 v3.5.16 // indirect
+ go.etcd.io/etcd/raft/v3 v3.5.16 // indirect
+ go.etcd.io/etcd/server/v3 v3.5.16 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
diff --git a/go.sum b/go.sum
index e45f4c3009..18ee517c7c 100644
--- a/go.sum
+++ b/go.sum
@@ -710,22 +710,22 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
 go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
-go.etcd.io/etcd/api/v3 v3.5.15 h1:3KpLJir1ZEBrYuV2v+Twaa/e2MdDCEZ/70H+lzEiwsk=
-go.etcd.io/etcd/api/v3 v3.5.15/go.mod h1:N9EhGzXq58WuMllgH9ZvnEr7SI9pS0k0+DHZezGp7jM=
-go.etcd.io/etcd/client/pkg/v3 v3.5.15 h1:fo0HpWz/KlHGMCC+YejpiCmyWDEuIpnTDzpJLB5fWlA=
-go.etcd.io/etcd/client/pkg/v3 v3.5.15/go.mod h1:mXDI4NAOwEiszrHCb0aqfAYNCrZP4e9hRca3d1YK8EU=
-go.etcd.io/etcd/client/v2 v2.305.15 h1:VG2xbf8Vz1KJh65Ar2V5eDmfkp1bpzkSEHlhJM3usp8=
-go.etcd.io/etcd/client/v2 v2.305.15/go.mod h1:Ad5dRjPVb/n5yXgAWQ/hXzuXXkBk0Y658ocuXYaUU48=
-go.etcd.io/etcd/client/v3 v3.5.15 h1:23M0eY4Fd/inNv1ZfU3AxrbbOdW79r9V9Rl62Nm6ip4=
-go.etcd.io/etcd/client/v3 v3.5.15/go.mod h1:CLSJxrYjvLtHsrPKsy7LmZEE+DK2ktfd2bN4RhBMwlU=
-go.etcd.io/etcd/etcdutl/v3 v3.5.15 h1:EBMtdngexC5s65NY4QKr7dCpXmzdfSVnnueJ4URg6vY=
-go.etcd.io/etcd/etcdutl/v3 v3.5.15/go.mod h1:4Kia4UPkWnD+qrUodawwd1ZcvteGTW97BpXI5zkSUS4=
-go.etcd.io/etcd/pkg/v3 v3.5.15 h1:/Iu6Sr3iYaAjy++8sIDoZW9/EfhcwLZwd4FOZX2mMOU=
-go.etcd.io/etcd/pkg/v3 v3.5.15/go.mod h1:e3Acf298sPFmTCGTrnGvkClEw9RYIyPtNzi1XM8rets=
-go.etcd.io/etcd/raft/v3 v3.5.15 h1:jOA2HJF7zb3wy8H/pL13e8geWqkEa/kUs0waUggZC0I=
-go.etcd.io/etcd/raft/v3 v3.5.15/go.mod h1:k3r7P4seEiUcgxOPLp+mloJWV3Q4QLPGNvy/OgC8OtM=
-go.etcd.io/etcd/server/v3 v3.5.15 h1:x35jrWnZgsRwMsFsUJIUdT1bvzIz1B+29HjMfRYVN/E=
-go.etcd.io/etcd/server/v3 v3.5.15/go.mod h1:l9jX9oa/iuArjqz0RNX/TDbc70dLXxRZo/nmPucrpFo=
+go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0=
+go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E=
+go.etcd.io/etcd/client/v2 v2.305.16 h1:kQrn9o5czVNaukf2A2At43cE9ZtWauOtf9vRZuiKXow=
+go.etcd.io/etcd/client/v2 v2.305.16/go.mod h1:h9YxWCzcdvZENbfzBTFCnoNumr2ax3F19sKMqHFmXHE=
+go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE=
+go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50=
+go.etcd.io/etcd/etcdutl/v3 v3.5.16 h1:E2CuxEdP8tteS7cn+6e6at93EYYN8X+Q5a16UXjkDeg=
+go.etcd.io/etcd/etcdutl/v3 v3.5.16/go.mod h1:X22QojXcHZNS3TPAitpcYW7rwTvnmchFwAKkSSz0Ncw=
+go.etcd.io/etcd/pkg/v3 v3.5.16 h1:cnavs5WSPWeK4TYwPYfmcr3Joz9BH+TZ6qoUtz6/+mc=
+go.etcd.io/etcd/pkg/v3 v3.5.16/go.mod h1:+lutCZHG5MBBFI/U4eYT5yL7sJfnexsoM20Y0t2uNuY=
+go.etcd.io/etcd/raft/v3 v3.5.16 h1:zBXA3ZUpYs1AwiLGPafYAKKl/CORn/uaxYDwlNwndAk=
+go.etcd.io/etcd/raft/v3 v3.5.16/go.mod h1:P4UP14AxofMJ/54boWilabqqWoW9eLodl6I5GdGzazI=
+go.etcd.io/etcd/server/v3 v3.5.16 h1:d0/SAdJ3vVsZvF8IFVb1k8zqMZ+heGcNfft71ul9GWE=
+go.etcd.io/etcd/server/v3 v3.5.16/go.mod h1:ynhyZZpdDp1Gq49jkUg5mfkDWZwXnn3eIqCqtJnrD/s=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
diff --git a/hack/release.toml b/hack/release.toml
index 490b8a9ade..0dd25f0153 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -32,7 +32,7 @@ Kubernetes: 1.31.0
 Linux: 6.6.49
 containerd: 2.0.0-rc.4
 runc: 1.2.0-rc.3
-etcd: 3.5.15
+etcd: 3.5.16
 Flannel: 0.25.6
 Flannel CNI plugin: 1.5.1
 CoreDNS: 1.1.13
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index 0d7b938287..d80f891429 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -413,7 +413,7 @@ const (

 // DefaultEtcdVersion is the default target version of etcd.
 // renovate: datasource=github-releases depName=etcd-io/etcd
- DefaultEtcdVersion = "v3.5.15"
+ DefaultEtcdVersion = "v3.5.16"

 // EtcdRootTalosKey is the root etcd key for Talos-specific storage.
 EtcdRootTalosKey = "talos:v1"
diff --git a/website/content/v1.8/introduction/what-is-new/index.md b/website/content/v1.8/introduction/what-is-new/index.md
index 75a89a54fd..37fedf76a6 100644
--- a/website/content/v1.8/introduction/what-is-new/index.md
+++ b/website/content/v1.8/introduction/what-is-new/index.md
@@ -6,4 +6,208 @@ description: "List of new and shiny features in Talos Linux."

 See also [upgrade notes]({{< relref "../../talos-guides/upgrading-talos/">}}) for important changes.

-TBD
+## Important Changes
+
+### Release Artifacts
+
+Starting with Talos v1.8.0, only standard assets would be published as github release assets.
+These include:
+
+* `cloud-images.json`
+* `talosctl` binaries
+* `kernel`
+* `initramfs`
+* `metal` iso and disk images
+* `talosctl-cni-bundle`
+
+All other release assets can be downloaded from [Image Factory]({{< relref "../../talos-guides/install/boot-assets#image-factory" >}}).
+
+### Serial Console for `metal` Platform
+
+Starting from Talos 1.8, the `console=ttyS0` kernel argument is no longer included by default in the metal images and installer.
+If you are running Talos virtualized in QEMU (e.g., Proxmox), you can add this as an extra kernel argument if needed.
+You can refer to the [Image Factory or Imager documentation]({{< relref "../../talos-guides/install/boot-assets" >}}) for instructions on how to do this.
+This change addresses issues such as slow boot or lack of console output on bare metal hardware without a serial console.
+
+## Disk Management
+
+The disk management backend has been rewritten to support more complex configurations, but the existing configuration should continue to work as before.
+
+The detailed information about the new disk management subsystem can be found in the [disk management guide]({{< relref "../../talos-guides/configuration/disk-management" >}}).
+
+### `EPHEMERAL` Volume
+
+Talos Linux introduces support for configuring the `EPHEMERAL` volume (`/var`): location (disk), minimum and maximum size, etc.
+You can find more information about the configuration in the [disk management guide]({{< relref "../../talos-guides/configuration/disk-management#machine-configuration" >}}).
+
+### Upgrades
+
+In Talos Linux installer, the system disk is never wiped during upgrades.
+This means that the `--preserve` flag is now automatically set for `talosctl upgrade` command.
+
+## Kubernetes
+
+### Slim Kubelet Image
+
+Starting from Kubernetes 1.31.0, the `kubelet` container image has been optimized to include fewer utilities.
+This change was made as the in-tree CSI plugins were removed in Kubernetes 1.31.0.
+The reduction in utilities results in a smaller image size and reduces the potential attack surface.
+
+For Kubernetes versions prior to 1.31.0, two images will be built: the default "fat" image (`v1.x.y`) and a slim image (`v1.x.y-slim`).
+
+For Kubernetes versions 1.31.0 and later, the default tag will point to the slim image, while the "fat" image will be tagged as `v1.x.y-fat`.
+
+### Node Annotations
+
+Talos Linux now supports configuring Kubernetes node annotations via machine configuration (`.machine.nodeAnnotations`) in a way similar to node labels.
+
+### CNI Plugins
+
+Talos Linux now bundles by default the following standard CNI plugins (required by default Flannel installation):
+
+* `bridge`
+* `firewall`
+* `flannel`
+* `host-local`
+* `loopback`
+* `portmap`
+
+The Talos bundled Flannel manifest was simplified to remove the `install-cni` step.
+
+> Note: Custom CNI plugins can be still copied over to the `/opt/cni/bin` directory using init containers as before.
+
+### Default Node Labels
+
+Talos Linux now includes a default label `node.kubernetes.io/exclude-from-external-load-balancers` for control plane nodes during configuration generation.
+
+### `kube-proxy` Backend
+
+Talos Linux configures kube-proxy >= v1.31.0 to use 'nftables' backend by default.
+
+### Talos Extensions as Kubernetes Node Labels/Annotations
+
+Talos Linux now includes the list of installed extensions as Kubernetes node labels or annotations.
+
+The key format for the labels is `extensions.talos.dev/`, and the value represents the version of the extension.
+If the extension name is not a valid label key, it will be skipped.
+If the extension version is a valid label value, it will be added as a label; otherwise, it will be added as an annotation.
+
+For Talos machines booted from the Image Factory artifacts, the schematic ID will be published as the annotation `extensions.talos.dev/schematic` since it exceeds the maximum length of 63 characters for label keys.
+
+### DNS Forwarding for CoreDNS pods
+
+Use of the host DNS resolver as the upstream for Kubernetes CoreDNS pods is now enabled by default in new clusters.
+
+To disable this feature, you can use the following configuration:
+
+```yaml
+machine:
+ features:
+ hostDNS:
+ enabled: true
+ forwardKubeDNSToHost: false
+```
+
+Please note that for running clusters, you will need to kill the CoreDNS pods for this change to take effect.
+
+The IP address used for forwarding DNS queries has been changed to the fixed address `169.254.116.108`.
+If you are upgrading from Talos 1.7 with `forwardKubeDNSToHost` enabled, you can clean up the old Kubernetes service by running `kubectl delete -n kube-system service host-dns`.
+
+## Hardware Support
+
+### PCI Devices
+
+A list of PCI devices can now be obtained via `PCIDevices` resource, e.g. `talosctl get pcidevices`.
+
+### NVIDIA GPU Support
+
+Starting from Talos 1.8.0, SideroLabs will include extensions for both LTS and Production versions of NVIDIA extensions.
+
+The NVIDIA drivers and the container toolkits now ships an LTS and Production version as per [NVIDIA driver lifecycle](https://docs.nvidia.com/datacenter/tesla/drivers/index.html#lifecycle).
+
+The new extensions names are
+
+* nvidia-container-toolkit-production
+* nvidia-container-toolkit-lts
+* nvidia-open-gpu-kernel-modules-production
+* nvidia-open-gpu-kernel-modules-lts
+* nonfree-kmod-nvidia-lts
+* nonfree-kmod-nvidia-production
+
+For Talos 1.8, the `-lts` variant follows `535.x` and the `-production` variant follows `550.x` upstream driver versions.
+
+If you are upgrading and already have a schematic ID from the Image Factory, the LTS version of the NVIDIA extension will be retained.
+
+### Device Extra Settle Timeout
+
+Talos Linux now supports a kernel command line argument `talos.device.settle_time=3m` to set the device extra settle timeout to workaround issues with broken drivers.
+
+## Security
+
+### Workload Apparmor Profile
+
+Talos Linux can now apply the default AppArmor profiles to all workloads started via `containerd`, if the machine is installed with the AppArmor LSM enabled in the kernel args (`security=apparmor`).
+
+### Secure Boot
+
+Talos Linux now can optionally include well-known UEFI (Microsoft) SecureBoot keys into the auto-enrollment UEFI database.
+
+### Custom Trusted Roots
+
+Talos Linux now supports adding [custom trusted roots]({{< relref "../../talos-guides/configuration/certificate-authorities" >}}) (CA certificates) via
+a [`TrustedRootsConfig`]({{< relref "../../reference/configuration/security/trustedrootsconfig" >}}) configuration document.
+
+## Networking
+
+### Bridge
+
+Talos Linux now support configuring [`vlan_filtering`]({{< relref "../../reference/configuration/v1alpha1/config#Config.machine.network.interfaces..bridge.vlan" >}}) for bridge interfaces.
+
+### KubeSpan
+
+Extra announced endpoints can be added using the [`KubespanEndpointsConfig` document]({{< relref "../../talos-guides/network/kubespan#configuration" >}}).
+
+## Machine Configuration
+
+### Machine Configuration via Kernel Command Line
+
+Talos Linux supports supplying zstd-compressed, base64-encoded machine configuration small documents via the [kernel command line parameter]({{< relref "../../reference/kernel" >}}) `talos.config.inline`.
+
+### Strategic Merge Patches with `$patch: delete`
+
+Talos Linux now supports removing parts of the machine configuration by [patching]({{< relref "../../talos-guides/configuration/patching#strategic-merge-patches" >}}) using the `$patch: delete` syntax similar to the Kubernetes strategic merge patch.
+
+## Miscellaneous
+
+### Diagnostics
+
+Talos Linux now shows diagnostics information for common problems related to misconfiguration via `talosctl health` and Talos dashboard.
+
+### `talos.halt_if_installed` kernel argument
+
+Starting with Talos 1.8, ISO's generated from Boot Assets would have a new kernel argument `talos.halt_if_installed` which would pause the boot sequence until boot timeout if Talos is already installed on the disk.
+ISOs generated for pre 1.8 versions would not have this kernel argument.
+
+This can be also explicitly enabled by setting `talos.halt_if_installed=1` in kernel argument.
+
+### Platform Support
+
+Talos Linux now supports [Apache CloudStack platform]({{< relref "../../talos-guides/install/cloud-platforms/cloudstack" >}}).
+
+### ZSTD Compression
+
+Talos Linux now compresses kernel and initramfs using `zstd` (previously `xz` was used).
+Linux arm64 kernel is now compressed (previously it was uncompressed).
+
+## Component Updates
+
+* Kubernetes: 1.31.1
+* Linux: 6.6.49
+* containerd: 2.0.0-rc.4
+* runc: 1.2.0-rc.3
+* etcd: 3.5.16
+* Flannel: 0.25.6
+* Flannel CNI plugin: 1.5.1
+* CoreDNS: 1.1.13
+
+Talos is built with Go 1.22.7.
diff --git a/website/content/v1.8/reference/configuration/v1alpha1/config.md b/website/content/v1.8/reference/configuration/v1alpha1/config.md
index aa7fa7589c..f57bfcb009 100644
--- a/website/content/v1.8/reference/configuration/v1alpha1/config.md
+++ b/website/content/v1.8/reference/configuration/v1alpha1/config.md
@@ -2987,7 +2987,7 @@ discovery: {{< /highlight >}} | | |`etcd` |EtcdConfig |Etcd specific configuration options.
Show example(s){{< highlight yaml >}} etcd: - image: gcr.io/etcd-development/etcd:v3.5.15 # The container image used to create the etcd service. + image: gcr.io/etcd-development/etcd:v3.5.16 # The container image used to create the etcd service. # The `ca` is the root certificate authority of the PKI. ca: crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t @@ -3673,7 +3673,7 @@ EtcdConfig represents the etcd configuration options. {{< highlight yaml >}} cluster: etcd: - image: gcr.io/etcd-development/etcd:v3.5.15 # The container image used to create the etcd service. + image: gcr.io/etcd-development/etcd:v3.5.16 # The container image used to create the etcd service. # The `ca` is the root certificate authority of the PKI. ca: crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t @@ -3691,7 +3691,7 @@ cluster: | Field | Type | Description | Value(s) | |-------|------|-------------|----------| |`image` |string |The container image used to create the etcd service.
Show example(s){{< highlight yaml >}} -image: gcr.io/etcd-development/etcd:v3.5.15 +image: gcr.io/etcd-development/etcd:v3.5.16 {{< /highlight >}}
| | |`ca` |PEMEncodedCertificateAndKey |
The `ca` is the root certificate authority of the PKI.It is composed of a base64 encoded `crt` and `key`.
Show example(s){{< highlight yaml >}} ca: