feat: update to Talos 1.5, latest CAPI

Bump Talos, update with new machinery config generation APIs.

Bump CAPI and adjust accordingly.

Signed-off-by: Andrey Smirnov <[email protected]>

Author: smira

Makefile

@@ -9,13 +9,13 @@ NAME := cluster-api-talos-controller
 ARTIFACTS := _out
 TEST_RUN ?= ./...
 
-TOOLS ?= ghcr.io/siderolabs/tools:v1.4.0-1-g955aabc
-PKGS ?= v1.4.1-5-ga333a84
-TALOS_VERSION ?= v1.4.0
-K8S_VERSION ?= 1.27.1
+TOOLS ?= ghcr.io/siderolabs/tools:v1.5.0
+PKGS ?= v1.5.0
+TALOS_VERSION ?= v1.5.0
+K8S_VERSION ?= 1.27.4
 
-CONTROLLER_GEN_VERSION ?= v0.11.3
-CONVERSION_GEN_VERSION ?= v0.26.0
+CONTROLLER_GEN_VERSION ?= v0.12.0
+CONVERSION_GEN_VERSION ?= v0.27.2
 
 BUILD := docker buildx build
 PLATFORM ?= linux/amd64

README.md

@@ -54,17 +54,17 @@ This provider's versions are compatible with the following versions of Cluster A
 
 This provider's versions are able to install and manage the following versions of Kubernetes:
 
-|                | v1.19 | v1.20 | v1.21 | v1.22 | v1.23 | v1.24 | v1.25 | v1.26 | v1.27 |
-| -------------- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
-| CABPT (v0.5.x) | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     |       |
-| CABPT (v0.6.x) |       |       |       |       |       | ✓     | ✓     | ✓     | ✓     |
+|                | v1.19 | v1.20 | v1.21 | v1.22 | v1.23 | v1.24 | v1.25 | v1.26 | v1.27 | v1.28 |
+| -------------- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| CABPT (v0.5.x) | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     | ✓     |       |       |
+| CABPT (v0.6.x) |       |       |       |       |       | ✓     | ✓     | ✓     | ✓     | ✓     |
 
 This provider's versions are compatible with the following versions of Talos:
 
-|                  | v1.0  | v1.1  | v1.2  | v1.3  | v1.4  |
-| ---------------- | ----- | ----- | ----- | ----- | ----- |
-| CABPT (v0.5.x)   | ✓     | ✓     | ✓     | ✓     |       |
-| CABPT (v0.6.x)   |       |       | ✓     | ✓     | ✓     |
+|                  | v1.0  | v1.1  | v1.2  | v1.3  | v1.4  | v1.5  |
+| ---------------- | ----- | ----- | ----- | ----- | ----- | ----- |
+| CABPT (v0.5.x)   | ✓     | ✓     | ✓     | ✓     |       |       |
+| CABPT (v0.6.x)   |       |       | ✓     | ✓     | ✓     | ✓     |
 
 CABPT generates machine configuration compatible with Talos version specified in the `talosVersion:` field (see below).
 
@@ -118,7 +118,7 @@ Machine configuration generated is compatible with the Talos version set in the
 ```yaml
 spec:
   generateType: controlplane
-  talosVersion: v1.1
+  talosVersion: v1.5
 ```
 
 ### User-supplied Machine Configuration
@@ -148,7 +148,7 @@ The format of these patches is based on [JSON 6902](http://jsonpatch.com/) that
 ```yaml
 spec:
   generateType: controlplane
-  talosVersion: v1.0
+  talosVersion: v1.5
   configPatches:
     - op: replace
       path: /machine/install

api/v1alpha3/talosconfig_webhook.go

@@ -14,6 +14,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
 func (r *TalosConfig) SetupWebhookWithManager(mgr ctrl.Manager) error {
@@ -27,24 +28,24 @@ func (r *TalosConfig) SetupWebhookWithManager(mgr ctrl.Manager) error {
 var _ webhook.Validator = &TalosConfig{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *TalosConfig) ValidateCreate() error {
-	return r.validate()
+func (r *TalosConfig) ValidateCreate() (admission.Warnings, error) {
+	return nil, r.validate()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *TalosConfig) ValidateUpdate(oldRaw runtime.Object) error {
+func (r *TalosConfig) ValidateUpdate(oldRaw runtime.Object) (admission.Warnings, error) {
 	old := oldRaw.(*TalosConfig)
 
 	if !cmp.Equal(r.Spec, old.Spec) {
-		return apierrors.NewBadRequest("TalosConfig.Spec is immutable")
+		return nil, apierrors.NewBadRequest("TalosConfig.Spec is immutable")
 	}
 
-	return r.validate()
+	return nil, r.validate()
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *TalosConfig) ValidateDelete() error {
-	return nil
+func (r *TalosConfig) ValidateDelete() (admission.Warnings, error) {
+	return nil, nil
 }
 
 func (r *TalosConfig) validate() error {

api/v1alpha3/talosconfigtemplate_webhook.go

@@ -10,6 +10,7 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
 func (r *TalosConfigTemplate) SetupWebhookWithManager(mgr ctrl.Manager) error {
@@ -23,22 +24,22 @@ func (r *TalosConfigTemplate) SetupWebhookWithManager(mgr ctrl.Manager) error {
 var _ webhook.Validator = &TalosConfigTemplate{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *TalosConfigTemplate) ValidateCreate() error {
-	return nil
+func (r *TalosConfigTemplate) ValidateCreate() (admission.Warnings, error) {
+	return nil, nil
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *TalosConfigTemplate) ValidateUpdate(oldRaw runtime.Object) error {
+func (r *TalosConfigTemplate) ValidateUpdate(oldRaw runtime.Object) (admission.Warnings, error) {
 	old := oldRaw.(*TalosConfigTemplate)
 
 	if !cmp.Equal(r.Spec, old.Spec) {
-		return apierrors.NewBadRequest("TalosConfigTemplate.Spec is immutable")
+		return nil, apierrors.NewBadRequest("TalosConfigTemplate.Spec is immutable")
 	}
 
-	return nil
+	return nil, nil
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *TalosConfigTemplate) ValidateDelete() error {
-	return nil
+func (r *TalosConfigTemplate) ValidateDelete() (admission.Warnings, error) {
+	return nil, nil
 }

config/crd/bases/bootstrap.cluster.x-k8s.io_talosconfigs.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: talosconfigs.bootstrap.cluster.x-k8s.io
 spec:
   group: bootstrap.cluster.x-k8s.io

config/crd/bases/bootstrap.cluster.x-k8s.io_talosconfigtemplates.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.12.0
   name: talosconfigtemplates.bootstrap.cluster.x-k8s.io
 spec:
   group: bootstrap.cluster.x-k8s.io

config/rbac/role.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: manager-role
 rules:
 - apiGroups:

config/webhook/manifests.yaml

@@ -2,7 +2,6 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  creationTimestamp: null
   name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:

controllers/secrets.go

@@ -8,11 +8,13 @@ import (
 	"context"
 	"fmt"
 	"sort"
+	"time"
 
 	"github.com/go-logr/logr"
 	"github.com/siderolabs/crypto/x509"
-	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1/generate"
-	talosmachine "github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1/machine"
+	"github.com/siderolabs/talos/pkg/machinery/config"
+	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
+	talosmachine "github.com/siderolabs/talos/pkg/machinery/config/machine"
 	"gopkg.in/yaml.v2"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -26,7 +28,7 @@ import (
 
 func (r *TalosConfigReconciler) fetchSecret(ctx context.Context, config *bootstrapv1alpha3.TalosConfig, secretName string) (*corev1.Secret, error) {
 	retSecret := &corev1.Secret{}
-	err := r.Client.Get(context.Background(), client.ObjectKey{
+	err := r.Client.Get(ctx, client.ObjectKey{
 		Namespace: config.GetNamespace(),
 		Name:      secretName,
 	}, retSecret)
@@ -39,8 +41,8 @@ func (r *TalosConfigReconciler) fetchSecret(ctx context.Context, config *bootstr
 }
 
 // getSecretsBundle either generates or loads existing secret.
-func (r *TalosConfigReconciler) getSecretsBundle(ctx context.Context, scope *TalosConfigScope, allowGenerate bool, opts ...generate.GenOption) (*generate.SecretsBundle, error) {
-	var secretsBundle *generate.SecretsBundle
+func (r *TalosConfigReconciler) getSecretsBundle(ctx context.Context, scope *TalosConfigScope, allowGenerate bool, versionContract *config.VersionContract) (*secrets.Bundle, error) {
+	var secretsBundle *secrets.Bundle
 
 	secretName := scope.Cluster.Name + "-talos"
 
@@ -54,7 +56,7 @@ retry:
 		}
 
 		// no cluster secret yet, generate new one
-		secretsBundle, err = generate.NewSecretsBundle(generate.NewClock(), opts...)
+		secretsBundle, err = secrets.NewBundle(secrets.NewFixedClock(time.Now()), versionContract)
 		if err != nil {
 			return nil, fmt.Errorf("error generating new secrets bundle: %w", err)
 		}
@@ -71,8 +73,8 @@ retry:
 		return nil, fmt.Errorf("error reading secrets bundle: %w", err)
 	default:
 		// successfully loaded secret, initialize secretsBundle from it
-		secretsBundle = &generate.SecretsBundle{
-			Clock: generate.NewClock(),
+		secretsBundle = &secrets.Bundle{
+			Clock: secrets.NewFixedClock(time.Now()),
 		}
 
 		if _, ok := secret.Data["bundle"]; ok {
@@ -95,14 +97,14 @@ retry:
 			}
 
 			// not stored in legacy format, use empty values
-			secretsBundle.Cluster = &generate.Cluster{}
+			secretsBundle.Cluster = &secrets.Cluster{}
 		}
 	}
 
 	return secretsBundle, nil
 }
 
-func (r *TalosConfigReconciler) writeSecretsBundleSecret(ctx context.Context, scope *TalosConfigScope, secretName string, secretsBundle *generate.SecretsBundle) error {
+func (r *TalosConfigReconciler) writeSecretsBundleSecret(ctx context.Context, scope *TalosConfigScope, secretName string, secretsBundle *secrets.Bundle) error {
 	bundle, err := yaml.Marshal(secretsBundle)
 	if err != nil {
 		return fmt.Errorf("error marshaling secrets bundle: %w", err)
@@ -225,7 +227,7 @@ func (r *TalosConfigReconciler) reconcileClientConfig(ctx context.Context, log l
 
 	sort.Strings(endpoints)
 
-	secretBundle, err := r.getSecretsBundle(ctx, scope, false)
+	secretBundle, err := r.getSecretsBundle(ctx, scope, false, defaultVersionContract) // version contract doesn't matter, as we're getting the secrets
 	if err != nil {
 		return err
 	}