feat: update Talos to 1.6.0

Also update CAPI to 1.6.0.

Signed-off-by: Andrey Smirnov <[email protected]>

Dockerfile

@@ -49,8 +49,9 @@ ARG CGO_ENABLED
 ENV CGO_ENABLED ${CGO_ENABLED}
 ENV GOCACHE /.cache/go-build
 ENV GOMODCACHE /.cache/mod
-RUN --mount=type=cache,target=/.cache go install sigs.k8s.io/controller-tools/cmd/[email protected]
-RUN --mount=type=cache,target=/.cache go install k8s.io/code-generator/cmd/[email protected]
+ENV GOTOOLCHAIN local
+RUN --mount=type=cache,target=/.cache go install sigs.k8s.io/controller-tools/cmd/[email protected]
+RUN --mount=type=cache,target=/.cache go install k8s.io/code-generator/cmd/[email protected]
 RUN --mount=type=cache,target=/.cache go install mvdan.cc/gofumpt/[email protected]
 RUN --mount=type=cache,target=/.cache go install github.com/golangci/golangci-lint/cmd/[email protected] \
 	&& mv /go/bin/golangci-lint /toolchain/bin/golangci-lint

Makefile

@@ -9,11 +9,11 @@ MODULE := $(shell head -1 go.mod | cut -d' ' -f2)
 
 ARTIFACTS := _out
 TEST_PKGS ?= ./...
-TALOS_RELEASE ?= v1.6.0-alpha.0
-DEFAULT_K8S_VERSION ?= v1.27.2
+TALOS_RELEASE ?= v1.6.0
+DEFAULT_K8S_VERSION ?= v1.28.4
 
-TOOLS ?= ghcr.io/siderolabs/tools:v1.5.0-2-g8adf637
-PKGS ?= v1.5.0
+TOOLS ?= ghcr.io/siderolabs/tools:v1.6.0-1-g336d248
+PKGS ?= v1.6.0-3-g617d342
 
 SFYRA_CLUSTERCTL_CONFIG ?= $(HOME)/.cluster-api/clusterctl.sfyra.yaml
 

README.md

@@ -2,7 +2,7 @@
 
 Kubernetes Bare Metal Lifecycle Management.
 Sidero Metal provides lightweight, composable tools that can be used to create bare-metal Talos + Kubernetes clusters.
- Sidero Metal is an open source project from [Sidero Labs](https://www.SideroLabs.com).
+Sidero Metal is an open-source project from [Sidero Labs](https://www.SideroLabs.com).
 
 ## Documentation
 
@@ -19,19 +19,19 @@ This provider's versions are compatible with the following versions of Cluster A
 
 This provider's versions are able to install and manage the following versions of Kubernetes:
 
-|                        | v1.19 | v1.20 | v1.21 | v1.22 | v1.23 | v1.24 | v1.25 | v1.26 | v1.27 | v1.28 |
-| ---------------------- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Sidero Provider (v0.5) | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     |       |
-| Sidero Provider (v0.6) |       |       |       |       |       | ✓     | ✓     | ✓     | ✓     | ✓     |
+|                        | v1.19 | v1.20 | v1.21 | v1.22 | v1.23 | v1.24 | v1.25 | v1.26 | v1.27 | v1.28 | v1.29 |
+| ---------------------- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Sidero Provider (v0.5) | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     |       |       |
+| Sidero Provider (v0.6) |       |       |       |       |       | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     |
 
 This provider's versions are compatible with the following versions of Talos:
 
-|                        | v0.12  | v0.13 | v0.14 | v1.0  | v1.1  | v1.2  | v1.3  | v1.4  | v1.5  |
-| ---------------------- | ------ | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| Sidero Provider (v0.5) | ✓ (+)  | ✓ (+) | ✓     | ✓     | ✓     | ✓     | ✓     |       |       |
-| Sidero Provider (v0.6) |        |       |       | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     |
+|                        | v0.12  | v0.13 | v0.14 | v1.0  | v1.1  | v1.2  | v1.3  | v1.4  | v1.5  | v1.6  |
+| ---------------------- | ------ | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Sidero Provider (v0.5) | ✓ (+)  | ✓ (+) | ✓     | ✓     | ✓     | ✓     | ✓     |       |       |       |
+| Sidero Provider (v0.6) |        |       |       | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     |
 
-> (+): Some Sidero 0.5 features (SideroLink) are only available with Talos v0.14+.
+> Note: Sidero Metal is not compatible with multi-document Talos Linux machine configuration, as it relies on JSON patch to apply configuration patches.
 
 ## Support
 

app/caps-controller-manager/config/crd/bases/infrastructure.cluster.x-k8s.io_metalclusters.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: metalclusters.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

app/caps-controller-manager/config/crd/bases/infrastructure.cluster.x-k8s.io_metalmachines.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: metalmachines.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

app/caps-controller-manager/config/crd/bases/infrastructure.cluster.x-k8s.io_metalmachinetemplates.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: metalmachinetemplates.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

app/caps-controller-manager/config/crd/bases/infrastructure.cluster.x-k8s.io_serverbindings.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: serverbindings.infrastructure.cluster.x-k8s.io
 spec:
   group: infrastructure.cluster.x-k8s.io

app/caps-controller-manager/config/default/kustomization.yaml

@@ -14,7 +14,7 @@ bases:
   - ../manager
 
 patchesStrategicMerge:
-  - manager_auth_proxy_patch.yaml
+  # - manager_auth_proxy_patch.yaml
   - manager_webhook_patch.yaml
   - webhookcainjection_patch.yaml
 

app/caps-controller-manager/config/manager/manager.yaml

@@ -20,7 +20,9 @@ spec:
             - /manager
           image: controller:latest
           args:
-            - --metrics-bind-addr=127.0.0.1:8080
+            - --enable-leader-election
+            - "--diagnostics-address=${CAPI_DIAGNOSTICS_ADDRESS:=:8443}"
+            - "--insecure-diagnostics=${CAPI_INSECURE_DIAGNOSTICS:=false}"
           imagePullPolicy: Always
           name: manager
           resources:
@@ -31,6 +33,9 @@ spec:
               cpu: 100m
               memory: 128Mi
           ports:
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
             - containerPort: 9440
               name: healthz
               protocol: TCP

app/caps-controller-manager/controllers/metalmachine_controller.go

@@ -10,14 +10,14 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
+	"github.com/siderolabs/go-pointer"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/tools/reference"
-	"k8s.io/utils/pointer"
 	capiv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controllers/remote"
 	"sigs.k8s.io/cluster-api/util"
@@ -194,7 +194,7 @@ func (r *MetalMachineReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 
 	// Set the providerID, as its required in upstream capi for machine lifecycle
-	metalMachine.Spec.ProviderID = pointer.String(fmt.Sprintf("%s://%s", constants.ProviderID, metalMachine.Spec.ServerRef.Name))
+	metalMachine.Spec.ProviderID = pointer.To(fmt.Sprintf("%s://%s", constants.ProviderID, metalMachine.Spec.ServerRef.Name))
 
 	// Copy over statuses from ServerBinding to MetalMachine
 	if metalMachine.Spec.ServerRef != nil {

app/caps-controller-manager/main.go

@@ -10,15 +10,20 @@ import (
 	"os"
 
 	debug "github.com/siderolabs/go-debug"
+	"github.com/spf13/pflag"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	cgrecord "k8s.io/client-go/tools/record"
+	"k8s.io/component-base/logs"
+	logsv1 "k8s.io/component-base/logs/api/v1"
 	capiv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controllers/remote"
+	"sigs.k8s.io/cluster-api/util/flags"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	infrav1alpha2 "github.com/siderolabs/sidero/app/caps-controller-manager/api/v1alpha2"
 	infrav1alpha3 "github.com/siderolabs/sidero/app/caps-controller-manager/api/v1alpha3"
@@ -47,24 +52,50 @@ func init() {
 	// +kubebuilder:scaffold:scheme
 }
 
+var (
+	healthAddr           string
+	enableLeaderElection bool
+	webhookPort          int
+	webhookCertDir       string
+	tlsOptions           = flags.TLSOptions{}
+	diagnosticsOptions   = flags.DiagnosticsOptions{}
+	logOptions           = logs.NewOptions()
+)
+
+// InitFlags initializes the flags.
+func InitFlags(fs *pflag.FlagSet) {
+	logsv1.AddFlags(logOptions, fs)
+
+	fs.BoolVar(&enableLeaderElection, "enable-leader-election", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	fs.IntVar(&webhookPort, "webhook-port", 9443, "Webhook Server port, disabled by default. When enabled, the manager will only work as webhook server, no reconcilers are installed.")
+	fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
+		"Webhook cert dir, only used when webhook-port is specified.")
+	fs.StringVar(&healthAddr, "health-addr", ":9440",
+		"The address the health endpoint binds to.")
+
+	flags.AddDiagnosticsOptions(fs, &diagnosticsOptions)
+	flags.AddTLSOptions(fs, &tlsOptions)
+}
+
 func main() {
-	var (
-		metricsAddr          string
-		healthAddr           string
-		enableLeaderElection bool
-		webhookPort          int
-	)
-
-	flag.StringVar(&metricsAddr, "metrics-bind-addr", ":8080", "The address the metric endpoint binds to.")
-	flag.StringVar(&healthAddr, "health-addr", ":9440", "The address the health endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "enable-leader-election", true,
-		"Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.")
-	flag.IntVar(&webhookPort, "webhook-port", 9443, "Webhook Server port, disabled by default. When enabled, the manager will only work as webhook server, no reconcilers are installed.")
-	flag.Parse()
-
-	ctrl.SetLogger(zap.New(func(o *zap.Options) {
-		o.Development = true
-	}))
+	InitFlags(pflag.CommandLine)
+	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+	pflag.Parse()
+
+	if err := logsv1.ValidateAndApply(logOptions, nil); err != nil {
+		setupLog.Error(err, "unable to start manager")
+		os.Exit(1)
+	}
+
+	diagnosticsOpts := flags.GetDiagnosticsOptions(diagnosticsOptions)
+
+	tlsOptionOverrides, err := flags.GetTLSOptionOverrideFuncs(tlsOptions)
+	if err != nil {
+		setupLog.Error(err, "unable to add TLS settings to the webhook server")
+		os.Exit(1)
+	}
 
 	go func() {
 		debugLogFunc := func(msg string) {
@@ -84,12 +115,26 @@ func main() {
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
-		MetricsBindAddress:     metricsAddr,
+		Metrics:                diagnosticsOpts,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "controller-leader-election-capm",
-		Port:                   webhookPort,
 		EventBroadcaster:       broadcaster,
 		HealthProbeBindAddress: healthAddr,
+		Client: client.Options{
+			Cache: &client.CacheOptions{
+				DisableFor: []client.Object{
+					&corev1.ConfigMap{},
+					&corev1.Secret{},
+				},
+			},
+		},
+		WebhookServer: webhook.NewServer(
+			webhook.Options{
+				Port:    webhookPort,
+				CertDir: webhookCertDir,
+				TLSOpts: tlsOptionOverrides,
+			},
+		),
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")

app/sidero-controller-manager/cmd/agent/dhcp.go

@@ -16,7 +16,7 @@ import (
 	"github.com/insomniacslk/dhcp/dhcpv4"
 	"github.com/insomniacslk/dhcp/dhcpv4/nclient4"
 	"github.com/jsimonetti/rtnetlink"
-	"github.com/siderolabs/gen/slices"
+	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-procfs/procfs"
 	"github.com/siderolabs/go-retry/retry"
 	"golang.org/x/sys/unix"
@@ -253,7 +253,7 @@ func configureNetworking(linkIndex int, lease *nclient4.Lease) error {
 	if len(lease.ACK.DNS()) > 0 {
 		log.Printf("setting DNS servers to %s", lease.ACK.DNS())
 
-		contents := strings.Join(slices.Map(lease.ACK.DNS(),
+		contents := strings.Join(xslices.Map(lease.ACK.DNS(),
 			func(ns net.IP) string {
 				return fmt.Sprintf("nameserver %s\n", ns)
 			}), "")

app/sidero-controller-manager/config/crd/bases/metal.sidero.dev_environments.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: environments.metal.sidero.dev
 spec:
   group: metal.sidero.dev

app/sidero-controller-manager/config/crd/bases/metal.sidero.dev_serverclasses.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: serverclasses.metal.sidero.dev
 spec:
   group: metal.sidero.dev

app/sidero-controller-manager/config/crd/bases/metal.sidero.dev_servers.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: servers.metal.sidero.dev
 spec:
   group: metal.sidero.dev

app/sidero-controller-manager/config/kustomization.yaml

@@ -16,7 +16,7 @@ patchesStrategicMerge:
   # Protect the /metrics endpoint by putting it behind auth.
   # Only one of manager_auth_proxy_patch.yaml and
   # manager_prometheus_metrics_patch.yaml should be enabled.
-  - manager_auth_proxy_patch.yaml
+  # - manager_auth_proxy_patch.yaml
   # If you want your controller-manager to expose the /metrics
   # endpoint w/o any authn/z, uncomment the following line and
   # comment manager_auth_proxy_patch.yaml.

app/sidero-controller-manager/config/manager/manager.yaml

@@ -74,7 +74,9 @@ spec:
         - command:
             - /manager
           args:
-            - --metrics-bind-addr=127.0.0.1:8080
+            - --enable-leader-election
+            - "--diagnostics-address=${CAPI_DIAGNOSTICS_ADDRESS:=:8443}"
+            - "--insecure-diagnostics=${CAPI_INSECURE_DIAGNOSTICS:=false}"
             - --api-endpoint=${SIDERO_CONTROLLER_MANAGER_API_ENDPOINT:=-}
             - --api-port=${SIDERO_CONTROLLER_MANAGER_API_PORT:=8081}
             - --http-port=${SIDERO_CONTROLLER_MANAGER_CONTAINER_API_PORT:=8081}
@@ -104,6 +106,9 @@ spec:
             - containerPort: 9440
               name: healthz
               protocol: TCP
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
           env:
             - name: API_ENDPOINT
               valueFrom: