backports: for Talos v1.7.0-beta.1 #8588

Merged
merged 16 commits into from
Apr 12, 2024
2 changes: 1 addition & 1 deletion .conform.yaml
Expand Up @@ -8,7 +8,7 @@ policies:
gitHubOrganization: siderolabs
spellcheck:
locale: US
maximumOfOneCommit: true
maximumOfOneCommit: false
header:
length: 89
imperative: true
2 changes: 1 addition & 1 deletion .drone.jsonnet
Expand Up @@ -341,7 +341,7 @@ local ExtensionsStep(with_e2e=true) =
local extensions_build = TriggerDownstream(
'extensions-build',
'e2e-talos',
['siderolabs/extensions@main'],
['siderolabs/extensions@release-1.7'],
params=[
std.format('REGISTRY=%s', local_registry),
'PLATFORM=linux/amd64',
4 changes: 2 additions & 2 deletions Makefile
Expand Up @@ -18,7 +18,7 @@ ARTIFACTS := _out
TOOLS ?= ghcr.io/siderolabs/tools:v1.7.0-1-g10b2a69

PKGS_PREFIX ?= ghcr.io/siderolabs
PKGS ?= v1.7.0-2-g6101299
PKGS ?= v1.7.0-5-gb7f1920
EXTRAS ?= v1.7.0-1-gbb76755

PKG_FHS ?= $(PKGS_PREFIX)/fhs:$(PKGS)
Expand Down Expand Up @@ -86,7 +86,7 @@ INTEGRATION_TEST_DEFAULT_TARGET := integration-test-$(OPERATING_SYSTEM)
MODULE_SIG_VERIFY_DEFAULT_TARGET := module-sig-verify-$(OPERATING_SYSTEM)
INTEGRATION_TEST_PROVISION_DEFAULT_TARGET := integration-test-provision-$(OPERATING_SYSTEM)
# renovate: datasource=github-releases depName=kubernetes/kubernetes
KUBECTL_VERSION ?= v1.30.0-rc.1
KUBECTL_VERSION ?= v1.30.0-rc.2
# renovate: datasource=github-releases depName=kastenhq/kubestr
KUBESTR_VERSION ?= v0.4.44
# renovate: datasource=github-releases depName=helm/helm
22 changes: 11 additions & 11 deletions go.mod
Expand Up @@ -25,16 +25,16 @@ replace (

// Kubernetes dependencies sharing the same version.
require (
k8s.io/api v0.30.0-rc.1
k8s.io/apimachinery v0.30.0-rc.1
k8s.io/apiserver v0.30.0-rc.1
k8s.io/client-go v0.30.0-rc.1
k8s.io/component-base v0.30.0-rc.1
k8s.io/cri-api v0.30.0-rc.1
k8s.io/kube-scheduler v0.30.0-rc.1
k8s.io/kubectl v0.30.0-rc.1
k8s.io/kubelet v0.30.0-rc.1
k8s.io/pod-security-admission v0.30.0-rc.1
k8s.io/api v0.30.0-rc.2
k8s.io/apimachinery v0.30.0-rc.2
k8s.io/apiserver v0.30.0-rc.2
k8s.io/client-go v0.30.0-rc.2
k8s.io/component-base v0.30.0-rc.2
k8s.io/cri-api v0.30.0-rc.2
k8s.io/kube-scheduler v0.30.0-rc.2
k8s.io/kubectl v0.30.0-rc.2
k8s.io/kubelet v0.30.0-rc.2
k8s.io/pod-security-admission v0.30.0-rc.2
)

require (
Expand Down Expand Up @@ -353,7 +353,7 @@ require (
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/cli-runtime v0.30.0-rc.1 // indirect
k8s.io/cli-runtime v0.30.0-rc.2 // indirect
k8s.io/klog v1.0.0 // indirect
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
44 changes: 22 additions & 22 deletions go.sum
Expand Up @@ -1261,34 +1261,34 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.30.0-rc.1 h1:0163kmXvT0JoER+nh9h1nSgX+sDwYYHPBgs+rWqjVIg=
k8s.io/api v0.30.0-rc.1/go.mod h1:mfiQxBiaioCBgc+jzmDpSXmSEQkqeHTh4FVOAh1iEqU=
k8s.io/apimachinery v0.30.0-rc.1 h1:Zi5mcxPCvhwJL8S8tNC5AakszlABd3UWr6OOXqPDToM=
k8s.io/apimachinery v0.30.0-rc.1/go.mod h1:wEJvNDlfxMRaMhyv38SIHIEC9hah/xuzqUUhxIyUv7Y=
k8s.io/apiserver v0.30.0-rc.1 h1:61klJwjoORznFtXWKdhD1hl2hDtZDAHs+iR4DcFfNkk=
k8s.io/apiserver v0.30.0-rc.1/go.mod h1:ceP6uSYuNHIx35dD74S5yb/v8HR9sZylInNkyg5uTLI=
k8s.io/cli-runtime v0.30.0-rc.1 h1:dyEoZPmO89jirDPm3dkkVe1/TWrzBlgW99hOhge/FWs=
k8s.io/cli-runtime v0.30.0-rc.1/go.mod h1:PPSMp1dE5CimHuJP0Eef6BAliWn7uZtQ6xmkO2aVVas=
k8s.io/client-go v0.30.0-rc.1 h1:vUhzEA59XUwGtFjea4UPLa9Tal3SskmNYSgR7lmjQNU=
k8s.io/client-go v0.30.0-rc.1/go.mod h1:LnVJuaom1T1YD5IN2KwCJN9WvWbEfUNTg1lsmErIW3g=
k8s.io/component-base v0.30.0-rc.1 h1:Rzj2ev1hG3bfvenMBdsm+M5aeARZ7MH+zUW/fYn1DJk=
k8s.io/component-base v0.30.0-rc.1/go.mod h1:bln4m7L7DC075qpAVDxLSbmQthruJPmDC5OgdywDdVE=
k8s.io/cri-api v0.30.0-rc.1 h1:74C6n5E7I3zoLlRxZUPhWwFjR5yOIFa42+wajnD9teg=
k8s.io/cri-api v0.30.0-rc.1/go.mod h1:4MvRsG7Jr/C0uyVjCforyO0BNJJlngqcMRsJvObl4q0=
k8s.io/api v0.30.0-rc.2 h1:wnrY4jFP4Kx7h/Ppg86D0dyctlKfiMSXHme004ptkCU=
k8s.io/api v0.30.0-rc.2/go.mod h1:AsZ3vl/SZOLpqzfIKhleVYl5R5ruyzhB3G08xpDEjPQ=
k8s.io/apimachinery v0.30.0-rc.2 h1:Q1JPqws5zCGjRwKtLW8ZKOY8lvl6aJejqIixJlHoAhc=
k8s.io/apimachinery v0.30.0-rc.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
k8s.io/apiserver v0.30.0-rc.2 h1:FGIjvgG6HrOjjeVQKSI2qItT6dXbmYKTD1KbBW8TsIo=
k8s.io/apiserver v0.30.0-rc.2/go.mod h1:Qs+prNQNN52O3tGv5Krq9r1Cm2rqz2+r+LCkM50dJNw=
k8s.io/cli-runtime v0.30.0-rc.2 h1:lY8Vs7jixol3rtbOCrIZxSvz86T+Q+OaCsCzERjq9jc=
k8s.io/cli-runtime v0.30.0-rc.2/go.mod h1:Xn4RL/ZV2nz2kRLBo43fbSPdmPtCWZZ+XEA8CegcStQ=
k8s.io/client-go v0.30.0-rc.2 h1:AqXSYq6s2BIr4WqK2dXGebxLPIsN48cMYjP71aXKspM=
k8s.io/client-go v0.30.0-rc.2/go.mod h1:vCtim9VeBumah2j1nZ/95O0V7F4Ad8N0wwCkSkgOE+Y=
k8s.io/component-base v0.30.0-rc.2 h1:0Qa6faUg01rBp9VxU76B8PmK58rBcAGB+7r4ckpLtgI=
k8s.io/component-base v0.30.0-rc.2/go.mod h1:rdQm+7+FBi+t74zJKiKBYVgQJEiNRMqvESRh8/f5z5k=
k8s.io/cri-api v0.30.0-rc.2 h1:7duYOq8BtLqDOE5zqDJvGix2WVUhPp6KbtH/1bITYwQ=
k8s.io/cri-api v0.30.0-rc.2/go.mod h1://4/umPJSW1ISNSNng4OwjpkvswJOQwU8rnkvO8P+xg=
k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
k8s.io/kube-scheduler v0.30.0-rc.1 h1:OMZ2MALMRFe3DHOPqcB1lUxb6xbwKP7UeF+yNqexYW8=
k8s.io/kube-scheduler v0.30.0-rc.1/go.mod h1:/LW8Z2f6fqtn8LjRwOpkI5PMsCFsyw06kcGTjz4e/bY=
k8s.io/kubectl v0.30.0-rc.1 h1:MQ69d1SadPj9nL77XYSjEmylAKWYXM5aPweyYfrdQq4=
k8s.io/kubectl v0.30.0-rc.1/go.mod h1:vQSyksXUAoBXp9qpEr2y4yBLK2KONxiC1nwLXnaRMuE=
k8s.io/kubelet v0.30.0-rc.1 h1:HcjkEQgxpgAFlbhoCxhEjUlJmRZqIUiVRcAI0lRMD3o=
k8s.io/kubelet v0.30.0-rc.1/go.mod h1:T6p2fE038tUe//Zzw/K6IdeQbB8cFifiNZHbGjgWFU0=
k8s.io/pod-security-admission v0.30.0-rc.1 h1:r7iVpC+PrrOImQBf08O1pik+TnXGV7AjYTOpIUnFHHc=
k8s.io/pod-security-admission v0.30.0-rc.1/go.mod h1:ejiJNRssoIjTEWV90HZNjXBtZmpbry7LhvwpFcIp9+E=
k8s.io/kube-scheduler v0.30.0-rc.2 h1:ubgPuv1ECrXdQ711xRHBjl0K5orsrgy1d6rUp9Rc/gc=
k8s.io/kube-scheduler v0.30.0-rc.2/go.mod h1:FNgXnUZ56HIJMxVLwJnT3g1c0CHR8kfrYoxZpXL+cmc=
k8s.io/kubectl v0.30.0-rc.2 h1:zbJXzsl61XTs5kX5eV+14bcbPDH7f1BQ8htjHVi+aUU=
k8s.io/kubectl v0.30.0-rc.2/go.mod h1:A6CtbMlPch2+nMydUVImHA5RS7Ux1n9pX3wqS9u3ABE=
k8s.io/kubelet v0.30.0-rc.2 h1:JgHEHrTA55t0SO8EJ/BF5tfjcO07c+skVRB3p345/y8=
k8s.io/kubelet v0.30.0-rc.2/go.mod h1:GlLJUJ8rpptITej1l+jLUMZZwn1tUv2WatTSoNxzEP0=
k8s.io/pod-security-admission v0.30.0-rc.2 h1:Uszvw24nQVwT4FagnhCbsckS7sQ3oiGrXPIfl6hdjPs=
k8s.io/pod-security-admission v0.30.0-rc.2/go.mod h1:vNN82cNzahoJY5V1S4FZ0WNAcmR30h9Js8eZY9uQ2fg=
k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
kernel.org/pub/linux/libs/security/libcap/cap v1.2.69 h1:N0m3tKYbkRMmDobh/47ngz+AWeV7PcfXMDi8xu3Vrag=
33 changes: 28 additions & 5 deletions hack/release.toml
Expand Up @@ -17,10 +17,10 @@ preface = """\
[notes.updates]
title = "Component Updates"
description = """\
Linux: 6.6.24
Linux: 6.6.26
etcd: 3.5.11
Kubernetes: 1.30.0-rc.1
containerd: 1.7.14
Kubernetes: 1.30.0-rc.2
containerd: 1.7.15
runc: 1.1.12
Flannel: 0.24.4

Expand All @@ -40,9 +40,22 @@ Talos Linux now provides a caching DNS resolver for host workloads (including h

```yaml
machine:
features:
localDNS: false
features:
hostDNS:
enabled: false
```

You can also enable dns caching for k8s pods with:

```yaml
machine:
features:
hostDNS:
enabled: true
forwardKubeDNSToHost: true
```

Please note that on running cluster you will have to kill CoreDNS pods for this change to apply.
"""

[notes.secureboot-image]
Expand Down Expand Up @@ -199,6 +212,16 @@ machine:
title = "Platforms"
description = """\
Talos Linux now supports [Akamai Connected Cloud](https://www.linode.com/) provider (platform `akamai`).
"""

[notes.iptables]
title = "IPTables"
description = """\
Talos Linux now forces `kubelet` and `kube-proxy` to use `iptables-nft` instead of `iptables-legacy` (`xtables`) which was the default
before Talos 1.7.0.

Container images based on `iptables-wrapper` should work without changes, but if there was a direct call to `legacy` mode of `iptables`, make sure
to update to use `iptables-nft`.
"""

[make_deps]
2 changes: 1 addition & 1 deletion hack/test/e2e.sh
Expand Up @@ -41,7 +41,7 @@ export TALOS_VERSION
# Kubernetes

export KUBECONFIG="${TMP}/kubeconfig"
export KUBERNETES_VERSION=${KUBERNETES_VERSION:-1.30.0-rc.1}
export KUBERNETES_VERSION=${KUBERNETES_VERSION:-1.30.0-rc.2}

export NAME_PREFIX="talos-e2e-${SHA}-${PLATFORM}"
export TIMEOUT=1200
37 changes: 36 additions & 1 deletion internal/app/apid/pkg/backend/apid.go
Expand Up @@ -15,6 +15,7 @@ import (
"github.com/siderolabs/net"
"google.golang.org/grpc"
"google.golang.org/grpc/backoff"
"google.golang.org/grpc/connectivity"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
Expand All @@ -26,6 +27,11 @@ import (
"github.com/siderolabs/talos/pkg/machinery/proto"
)

// GracefulShutdownTimeout is the timeout for graceful shutdown of the backend connection.
//
// Talos has a few long-running API calls, so we need to give the backend some time to finish them.
const GracefulShutdownTimeout = 30 * time.Minute

var _ proxy.Backend = (*APID)(nil)

// APID backend performs proxying to another apid instance.
Expand Down Expand Up @@ -253,7 +259,36 @@ func (a *APID) Close() {
defer a.mu.Unlock()

if a.conn != nil {
a.conn.Close() //nolint:errcheck
gracefulGRPCClose(a.conn, GracefulShutdownTimeout)
a.conn = nil
}
}

func gracefulGRPCClose(conn *grpc.ClientConn, timeout time.Duration) {
// close the client connection in the background, tries to avoid closing the connection
// if the connection is in the middle of a call (e.g. streaming API)
//
// see https://github.com/grpc/grpc/blob/master/doc/connectivity-semantics-and-api.md for details on connection states
go func() {
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()

for ctx.Err() != nil {
switch state := conn.GetState(); state { //nolint:exhaustive
case connectivity.Idle,
connectivity.Shutdown,
connectivity.TransientFailure:
// close immediately, connection is not used
conn.Close() //nolint:errcheck

return
default:
// wait for state change of the connection
conn.WaitForStateChange(ctx, state)
}
}

// close anyways on timeout
conn.Close() //nolint:errcheck
}()
}
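Review bot: The loop guard `for ctx.Err() != nil {` in gracefulGRPCClose is inverted: a freshly created context has a nil `Err()`, so the loop body never executes, the state polling is skipped and the goroutine falls straight through to the unconditional `conn.Close()` — the graceful wait this hunk introduces has no effect and the behaviour is the same as the removed immediate close. The line should read `for ctx.Err() == nil {`. With that fix, the Idle/Shutdown/TransientFailure fast path and the close-on-deadline fallback work as the comments describe, but a `Close()` on a busy connection then keeps a goroutine alive for up to GracefulShutdownTimeout (30 minutes, declared in the earlier hunk of this file), which is worth stating in the comment on that constant so callers that close backends repeatedly understand the cost. The body of `(*APID).Close` starts above this hunk.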
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/cosi-project/runtime/pkg/state"
"github.com/siderolabs/crypto/x509"
"github.com/siderolabs/gen/optional"
"github.com/siderolabs/gen/xslices"
"go.uber.org/zap"

"github.com/siderolabs/talos/pkg/machinery/constants"
Expand Down Expand Up @@ -184,7 +185,11 @@ func (ctrl *RenderSecretsStaticPodController) Run(ctx context.Context, r control
keyFilename: "etcd-client.key",
},
{
getter: func() *x509.PEMEncodedCertificateAndKey { return rootK8sSecrets.IssuingCA },
getter: func() *x509.PEMEncodedCertificateAndKey {
return &x509.PEMEncodedCertificateAndKey{
Crt: bytes.Join(xslices.Map(rootK8sSecrets.AcceptedCAs, func(ca *x509.PEMEncodedCertificate) []byte { return ca.Crt }), nil),
}
},
certFilename: "ca.crt",
},
{
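Review bot: `bytes.Join(..., nil)` on the `Crt:` line concatenates the accepted CA PEM blocks with no separator, so the written ca.crt is a well-formed bundle only if every `ca.Crt` already ends with a newline; should any entry lack one, the next `-----BEGIN CERTIFICATE-----` is glued onto the previous `-----END` line and PEM parsers silently drop that certificate, which for a trust bundle means a CA is not trusted. The encoding of AcceptedCAs is produced outside this hunk, so this is a hedged concern; a cheap defensive form is `func(ca *x509.PEMEncodedCertificate) []byte { return append(bytes.TrimSpace(ca.Crt), '\n') }` in the map callback. An empty AcceptedCAs slice yields an empty ca.crt rather than an error here; presumably an upstream validation guarantees at least one entry — worth confirming. The file name for this section is not shown on the page, the `bytes` import is not visible in the import hunk (presumably already present), and the enclosing `Run` method begins and ends outside the hunk.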