diff --git a/.conform.yaml b/.conform.yaml
index 45c20ad3ca7..27fe2814767 100644
--- a/.conform.yaml
+++ b/.conform.yaml
@@ -1,3 +1,7 @@
+# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
+#
+# Generated on 2024-05-02T14:45:40Z by kres fcfe226-dirty.
+
 policies:
 - type: commit
 spec:
@@ -34,15 +38,18 @@ policies:
 - talosctl
 - kernel
 - security
+ - ci
 - ^v1.8
 - type: license
 spec:
 skipPaths:
 - .git/
+ - testdata/
 includeSuffixes:
 - .go
 excludeSuffixes:
 - .pb.go
+ - .pb.gw.go
 - _string.go
 - _enumer.go
 - _string_linux.go
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 00000000000..e33bf2dec17
--- /dev/null
+++ b/.github/workflows/ci.yaml
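Review bot: The new header records `kres fcfe226-dirty`, the slack-notify.yaml hunk records `kres ebc009d-dirty`, and ci.yaml records `kres 97aa50e`; a `-dirty` suffix conventionally means the generator was built from a tree with uncommitted changes, so two of the three files cannot be regenerated from any kres commit, and the three outputs in this one commit come from three different generator revisions. Regenerating all of them from a single clean, pinned kres revision would make the generated files reproducible, which is presumably what the `make check-dirty` step in ci.yaml is meant to enforce. The added `- testdata/` skipPath and `- .pb.gw.go` excludeSuffix widen the license-header exemption; that is reasonable for generated gateway code, but worth confirming that `testdata/` holds no hand-written Go sources that should still carry a header.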
@@ -0,0 +1,1219 @@ +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2024-05-06T09:33:33Z by kres 97aa50e. + +name: default +concurrency: + group: ${{ github.head_ref || github.run_id }} + cancel-in-progress: true +"on": + push: + branches: + - main + - release-* + tags: + - v* + pull_request: + branches: + - main + - release-* +jobs: + default: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/')) + outputs: + labels: ${{ steps.retrieve-pr-labels.outputs.result }} + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: external-artifacts + run: | + make external-artifacts + - name: generate + run: | + make generate docs + - name: uki-certs + env: + PLATFORM: linux/amd64 + run: | + make uki-certs + - name: check-dirty + run: | + make check-dirty + - name: build + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + PLATFORM: linux/amd64,linux/arm64 + PUSH: "true" + run: | + make talosctl-all kernel sd-boot sd-stub initramfs installer imager talos _out/integration-test-linux-amd64 + - name: lint + run: | + make lint + - name: talosctl-cni-bundle + run: | + make talosctl-cni-bundle + - name: iso + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + make iso secureboot-iso + - name: images-essential + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + PLATFORM: 
linux/amd64,linux/arm64 + run: | + make images-essential + - name: unit-tests + run: | + make unit-tests + - name: unit-tests-race + run: | + make unit-tests-race + - name: coverage + uses: codecov/codecov-action@v4 + with: + files: _out/coverage.txt + token: ${{ secrets.CODECOV_TOKEN }} + timeout-minutes: 3 + - name: Generate executable list + run: | + find _out -type f -executable > _out/executable-artifacts + - name: save-artifacts + uses: actions/upload-artifact@v4 + with: + name: artifacts + path: | + _out + retention-days: "5" + - name: Retrieve PR labels + id: retrieve-pr-labels + uses: actions/github-script@v7 + with: + retries: "3" + script: | + if (context.eventName != "pull_request") { return "[]" } + + const resp = await github.rest.issues.get({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + }) + + return resp.data.labels.map(label => label.name) + e2e-docker-short: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/')) + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-docker + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + run: | + make e2e-docker + e2e-iso: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/')) + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: 
Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-iso + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + sudo -E make e2e-iso + e2e-qemu-short: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: (!startsWith(github.head_ref, 'renovate/') && !startsWith(github.head_ref, 'dependabot/')) + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-qemu + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + run: | + sudo -E make e2e-qemu + integration-aws: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: contains(fromJSON(needs.default.outputs.labels), 'integration/aws') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Mask secrets + run: | + echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')" + - name: Set secrets for job + run: | + sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV" + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-aws-prepare + env: + E2E_AWS_TARGET: default + 
IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + make e2e-aws-prepare + - name: checkout contrib + uses: actions/checkout@v4 + with: + path: _out/contrib + ref: main + repository: siderolabs/contrib + - name: setup tf + uses: hashicorp/setup-terraform@v3 + with: + terraform_wrapper: "false" + - name: tf apply + env: + TF_E2E_ACTION: apply + TF_E2E_TEST_TYPE: aws + TF_SCRIPT_DIR: _out/contrib + run: | + make e2e-cloud-tf + - name: e2e-aws + run: | + make e2e-aws + - name: tf destroy + if: always() + env: + TF_E2E_ACTION: destroy + TF_E2E_TEST_TYPE: aws + TF_SCRIPT_DIR: _out/contrib + run: | + make e2e-cloud-tf + integration-aws-nvidia-oss: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: contains(fromJSON(needs.default.outputs.labels), 'integration/aws-nvidia-oss') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: Mask secrets + run: | + echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')" + - name: Set secrets for job + run: | + sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV" + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: checkout extensions + uses: actions/checkout@v4 + with: + path: _out/extensions + ref: 
main + repository: siderolabs/extensions + - name: set variables + run: | + cat _out/talos-metadata >> "$GITHUB_ENV" + - name: build extensions + env: + PLATFORM: linux/amd64 + PUSH: "true" + REGISTRY: registry.dev.siderolabs.io + run: | + make nvidia-container-toolkit nvidia-open-gpu-kernel-modules nonfree-kmod-nvidia extensions-metadata -C _out/extensions + - name: e2e-aws-prepare + env: + E2E_AWS_TARGET: nvidia-oss + EXTENSIONS_METADATA_FILE: _out/extensions/_out/extensions-metadata + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + make e2e-aws-prepare + - name: checkout contrib + uses: actions/checkout@v4 + with: + path: _out/contrib + ref: main + repository: siderolabs/contrib + - name: setup tf + uses: hashicorp/setup-terraform@v3 + with: + terraform_wrapper: "false" + - name: tf apply + env: + TF_E2E_ACTION: apply + TF_E2E_TEST_TYPE: aws + TF_SCRIPT_DIR: _out/contrib + run: | + make e2e-cloud-tf + - name: e2e-aws + env: + EXTRA_TEST_ARGS: -talos.extensions.nvidia + TEST_NUM_NODES: "4" + run: | + make e2e-aws + - name: tf destroy + if: always() + env: + TF_E2E_ACTION: destroy + TF_E2E_TEST_TYPE: aws + TF_SCRIPT_DIR: _out/contrib + run: | + make e2e-cloud-tf + integration-cilium: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/cilium') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-cilium + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + QEMU_WORKERS: "2" + SHORT_INTEGRATION_TEST: "yes" + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}]' + 
WITH_CUSTOM_CNI: cilium + WITH_FIREWALL: accept + WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: "yes" + run: | + sudo -E make e2e-qemu + - name: e2e-cilium-strict + env: + CILIUM_INSTALL_TYPE: strict + IMAGE_REGISTRY: registry.dev.siderolabs.io + QEMU_WORKERS: "2" + SHORT_INTEGRATION_TEST: "yes" + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]' + WITH_CUSTOM_CNI: cilium + WITH_FIREWALL: accept + WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: "yes" + run: | + sudo -E make e2e-qemu + - name: e2e-cilium-strict-kubespan + env: + CILIUM_INSTALL_TYPE: strict + IMAGE_REGISTRY: registry.dev.siderolabs.io + QEMU_WORKERS: "2" + SHORT_INTEGRATION_TEST: "yes" + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]' + WITH_CUSTOM_CNI: cilium + WITH_FIREWALL: accept + WITH_KUBESPAN: "true" + WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: "yes" + run: | + sudo -E make e2e-qemu + integration-cloud-images: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: contains(fromJSON(needs.default.outputs.labels), 'integration/cloud-images') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Mask secrets + run: | + echo -e "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')" + - name: Set secrets for job + run: | + sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV" + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: images + env: + IMAGE_REGISTRY: 
registry.dev.siderolabs.io + PLATFORM: linux/amd64,linux/arm64 + run: | + make images + - name: cloud-images + run: | + make cloud-images + integration-extensions: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/extensions') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: checkout extensions + uses: actions/checkout@v4 + with: + path: _out/extensions + ref: main + repository: siderolabs/extensions + - name: set variables + run: | + cat _out/talos-metadata >> "$GITHUB_ENV" + - name: build extensions + env: + PLATFORM: linux/amd64 + PUSH: "true" + REGISTRY: registry.dev.siderolabs.io + run: | + make all extensions-metadata -C _out/extensions + - name: installer extensions + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + make installer-with-extensions + - name: e2e-extensions + env: + EXTRA_TEST_ARGS: -talos.extensions.qemu + IMAGE_REGISTRY: registry.dev.siderolabs.io + QEMU_EXTRA_DISKS: "3" + QEMU_MEMORY_WORKERS: "4096" + SHORT_INTEGRATION_TEST: "yes" + WITH_CONFIG_PATCH_WORKER: '@_out/extensions-patch.yaml' + run: | + sudo -E make e2e-qemu + integration-image-factory: + permissions: + 
actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/image-factory') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: factory-1.6-iso + env: + FACTORY_BOOT_METHOD: iso + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_UPGRADE: "true" + FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.6.1 + FACTORY_VERSION: v1.6.0 + KUBERNETES_VERSION: 1.29.0 + run: | + sudo -E make e2e-image-factory + - name: factory-1.6-image + env: + FACTORY_BOOT_METHOD: disk-image + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_UPGRADE: "true" + FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.6.1 + FACTORY_VERSION: v1.6.0 + KUBERNETES_VERSION: 1.29.0 + run: | + sudo -E make e2e-image-factory + - name: factory-1.6-pxe + env: + FACTORY_BOOT_METHOD: pxe + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_VERSION: v1.6.1 + KUBERNETES_VERSION: 1.29.0 + run: | + sudo -E make e2e-image-factory + - name: factory-1.6-secureboot + env: + FACTORY_BOOT_METHOD: secureboot-iso + FACTORY_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE: "true" + FACTORY_UPGRADE_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_UPGRADE_VERSION: v1.6.1 + FACTORY_VERSION: v1.6.0 + KUBERNETES_VERSION: 1.29.0 + run: | + sudo -E make 
e2e-image-factory + - name: factory-1.5-iso + env: + FACTORY_BOOT_METHOD: iso + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_UPGRADE: "true" + FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.5.5 + FACTORY_VERSION: v1.5.5 + KUBERNETES_VERSION: 1.28.5 + run: | + sudo -E make e2e-image-factory + - name: factory-1.3-iso + env: + FACTORY_BOOT_METHOD: iso + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_UPGRADE: "true" + FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.3.7 + FACTORY_VERSION: v1.3.7 + KUBERNETES_VERSION: 1.26.5 + run: | + sudo -E make e2e-image-factory + - name: factory-1.3-image + env: + FACTORY_BOOT_METHOD: disk-image + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_VERSION: v1.3.7 + KUBERNETES_VERSION: 1.26.5 + run: | + sudo -E make e2e-image-factory + integration-images: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - generic + if: contains(fromJSON(needs.default.outputs.labels), 'integration/images') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: images + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + PLATFORM: linux/amd64,linux/arm64 + run: | + make images + integration-misc: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 
'integration/misc') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-firewall + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + WITH_FIREWALL: block + run: | + sudo -E make e2e-qemu + - name: e2e-network-chaos + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + WITH_NETWORK_CHAOS: "yes" + run: | + sudo -E make e2e-qemu + - name: e2e-canal-reset + env: + CUSTOM_CNI_URL: https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/canal.yaml + IMAGE_REGISTRY: registry.dev.siderolabs.io + INTEGRATION_TEST_RUN: TestIntegration/api.ResetSuite/TestResetWithSpec + run: | + sudo -E make e2e-qemu + - name: e2e-bios-cgroupsv1 + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/machine/install/extraKernelArgs/-", "value": "talos.unified_cgroup_hierarchy=0"}]' + WITH_UEFI: "false" + run: | + sudo -E make e2e-qemu + - name: e2e-disk-image + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + USE_DISK_IMAGE: "true" + VIA_MAINTENANCE_MODE: "true" + WITH_DISK_ENCRYPTION: "true" + run: | + sudo -E make e2e-qemu + - name: e2e-controlplane-port + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + WITH_CONTROL_PLANE_PORT: "443" + run: | + sudo -E make e2e-qemu + - name: e2e-no-cluster-discovery + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + WITH_CLUSTER_DISCOVERY: "false" + run: | + sudo -E make e2e-qemu + - name: e2e-kubespan + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io\ + SHORT_INTEGRATION_TEST: "yes" + 
WITH_CLUSTER_DISCOVERY: "true" + WITH_KUBESPAN: "true" + run: | + sudo -E make e2e-qemu + - name: e2e-default-hostname + env: + DISABLE_DHCP_HOSTNAME: "true" + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + VIA_MAINTENANCE_MODE: "true" + run: | + sudo -E make e2e-qemu + - name: e2e-siderolink + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + VIA_MAINTENANCE_MODE: "true" + WITH_SIDEROLINK_AGENT: "true" + run: | + sudo -E make e2e-qemu + - name: e2e-siderolink-tunnel + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: "yes" + VIA_MAINTENANCE_MODE: "true" + WITH_SIDEROLINK_AGENT: tunnel + run: | + sudo -E make e2e-qemu + integration-provision-0: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/provision') || contains(fromJSON(needs.default.outputs.labels), 'integration/provision-0') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: provision-tests-prepare + run: | + make provision-tests-prepare + - name: provision-tests-track-0 + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + sudo -E make 
provision-tests-track-0 + integration-provision-1: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/provision') || contains(fromJSON(needs.default.outputs.labels), 'integration/provision-1') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: provision-tests-prepare + run: | + make provision-tests-prepare + - name: provision-tests-track-1 + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + sudo -E make provision-tests-track-1 + integration-provision-2: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/provision') || contains(fromJSON(needs.default.outputs.labels), 'integration/provision-2') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git 
fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: provision-tests-prepare + run: | + make provision-tests-prepare + - name: provision-tests-track-2 + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + sudo -E make provision-tests-track-2 + integration-qemu: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/qemu') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-qemu + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + sudo -E make e2e-qemu + integration-qemu-csi: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/qemu-csi') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-qemu-csi + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + QEMU_CPUS_WORKERS: "4" + QEMU_EXTRA_DISKS: "1" + 
QEMU_EXTRA_DISKS_SIZE: "12288" + QEMU_MEMORY_WORKERS: "5120" + QEMU_WORKERS: "3" + SHORT_INTEGRATION_TEST: "yes" + WITH_TEST: run_csi_tests + run: | + sudo -E make e2e-qemu + integration-qemu-encrypted-vip: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/qemu-encrypted-vip') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: e2e-qemu + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + WITH_DISK_ENCRYPTION: "true" + WITH_KUBESPAN: "true" + WITH_VIRTUAL_IP: "true" + run: | + sudo -E make e2e-qemu + integration-qemu-race: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/qemu-race') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: build-race + env: + 
IMAGE_REGISTRY: registry.dev.siderolabs.io + PLATFORM: linux/amd64 + PUSH: "true" + TAG_SUFFIX: -race + WITH_RACE: "1" + run: | + make initramfs installer + - name: e2e-qemu-race + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + TAG_SUFFIX: -race + run: | + sudo -E make e2e-qemu + integration-reproducibility-test: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/reproducibility-test') + needs: + - default + services: + buildkitd: + image: moby/buildkit:v0.13.1 + options: --privileged + ports: + - 1234:1234 + volumes: + - /var/lib/buildkit/${{ github.repository }}:/var/lib/buildkit + - /usr/etc/buildkit/buildkitd.toml:/etc/buildkit/buildkitd.toml + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Set up Docker Buildx + id: setup-buildx + uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: tcp://127.0.0.1:1234 + timeout-minutes: 10 + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a _out/executable-artifacts -I {} chmod +x {} + - name: reproducibility-test + env: + IMAGE_REGISTRY: registry.dev.siderolabs.io + run: | + make reproducibility-test + integration-trusted-boot: + permissions: + actions: read + contents: write + issues: read + packages: write + pull-requests: read + runs-on: + - self-hosted + - talos + if: contains(fromJSON(needs.default.outputs.labels), 'integration/trusted-boot') + needs: + - default + steps: + - name: checkout + uses: actions/checkout@v4 + - name: Unshallow + run: | + git fetch --prune --unshallow + - name: Download artifacts + uses: actions/download-artifact@v4 + with: + name: artifacts + path: _out + - name: Fix artifact permissions + run: | + xargs -a 
_out/executable-artifacts -I {} chmod +x {} + - name: integration-trusted-boot + env: + EXTRA_TEST_ARGS: -talos.trustedboot + IMAGE_REGISTRY: registry.dev.siderolabs.io + VIA_MAINTENANCE_MODE: "true" + WITH_TRUSTED_BOOT_ISO: "true" + run: | + sudo -E make e2e-qemu diff --git a/.github/workflows/slack-notify.yaml b/.github/workflows/slack-notify.yaml new file mode 100644 index 00000000000..f92a0812a51 --- /dev/null +++ b/.github/workflows/slack-notify.yaml 
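Review bot: The `default` job builds PR-controlled code on every `pull_request` with `PUSH: "true"` against `registry.dev.siderolabs.io` and a buildkit cache persisted at `/var/lib/buildkit/${{ github.repository }}`, and the ungated `e2e-iso` and `e2e-qemu-short` jobs then run `sudo -E make …` on the same `self-hosted` pool; unless the repository requires approval before fork PRs can reach these runners (a setting not visible here), that is root execution of untrusted code on long-lived shared infrastructure, so the assumption should be recorded in `.kres.yaml` and the unlabelled jobs should either use ephemeral runners or the same label gate the `integration-*` jobs already use. Every action is referenced by a mutable major tag (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `codecov/codecov-action@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `actions/github-script@v7`, `hashicorp/setup-terraform@v3`); pinning each to a full commit SHA with the tag in a trailing comment removes the tag-rewrite supply-chain exposure. The `e2e-kubespan` step in `integration-misc` sets `IMAGE_REGISTRY: registry.dev.siderolabs.io\` with a trailing backslash, which a YAML parser keeps as part of the plain scalar; if that is not an artifact of this rendering it should read `IMAGE_REGISTRY: registry.dev.siderolabs.io` like the sibling steps. In the three `Mask secrets` steps, `echo -e` interprets backslash escapes inside the secret values before `::add-mask::` sees them, while the following `Set secrets for job` step writes the raw values to `$GITHUB_ENV`, so a value containing `\n` or `\\` would be masked in a different form than the one actually exported; `printf '%s\n' "$(sops -d .secrets.yaml | yq -e '.secrets | to_entries[] | "::add-mask::" + .value')"` keeps both identical. Since the header marks the file as generated, all of these belong in the kres input rather than in this file.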
@@ -0,0 +1,92 @@ +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2024-04-27T09:00:21Z by kres ebc009d-dirty. + +name: slack-notify +"on": + workflow_run: + workflows: + - default + types: + - completed +jobs: + slack-notify: + runs-on: + - self-hosted + - generic + if: github.event.workflow_run.conclusion != 'skipped' + steps: + - name: Get PR number + id: get-pr-number + if: github.event.workflow_run.event == 'pull_request' + env: + GH_TOKEN: ${{ github.token }} + run: | + echo pull_request_number=$(gh pr view -R ${{ github.repository }} ${{ github.event.workflow_run.head_repository.owner.login }}:${{ github.event.workflow_run.head_branch }} --json number --jq .number) >> $GITHUB_OUTPUT + - name: Slack Notify + uses: slackapi/slack-github-action@v1 + with: + channel-id: proj-talos-maintainers + payload: | + { + "attachments": [ + { + "color": "${{ github.event.workflow_run.conclusion == 'success' && '#2EB886' || github.event.workflow_run.conclusion == 'failure' && '#A30002' || '#FFCC00' }}", + "fallback": "test", + "blocks": [ + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "${{ github.event.workflow_run.event == 'pull_request' && format('*Pull Request:* {0} (`{1}`)\n<{2}/pull/{3}|{4}>', github.repository, github.ref_name, github.event.repository.html_url, steps.get-pr-number.outputs.pull_request_number, github.event.workflow_run.display_title) || format('*Build:* {0} (`{1}`)\n<{2}/commit/{3}|{4}>', github.repository, github.ref_name, github.event.repository.html_url, github.sha, github.event.workflow_run.display_title) }}" + }, + { + "type": "mrkdwn", + "text": "*Status:*\n`${{ github.event.workflow_run.conclusion }}`" + } + ] + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "*Author:*\n`${{ github.actor }}`" + }, + { + "type": "mrkdwn", + "text": "*Event:*\n`${{ github.event.workflow_run.event }}`" + } + ] + }, + { + "type": "divider" + }, + { + "type": "actions", + 
"elements": [ + { + "type": "button", + "text": { + "type": "plain_text", + "text": "Logs" + }, + "url": "${{ github.event.workflow_run.html_url }}" + }, + { + "type": "button", + "text": { + "type": "plain_text", + "text": "Commit" + }, + "url": "${{ github.event.repository.html_url }}/commit/${{ github.sha }}" + } + ] + } + ] + } + ] + } + env: + SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} diff --git a/.kres.yaml b/.kres.yaml new file mode 100644 index 00000000000..3acebad28d7 --- /dev/null +++ b/.kres.yaml 
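Review bot: In the `Get PR number` step, `${{ github.event.workflow_run.head_repository.owner.login }}` and `${{ github.event.workflow_run.head_branch }}` are expanded directly into the `run:` shell, and a `workflow_run` job runs with the base repository's token and secrets (`SLACK_BOT_TOKEN` is used two steps later), so a fork's branch or owner name reaches a privileged shell unquoted. Move both into `env:` (`HEAD_OWNER: ${{ github.event.workflow_run.head_repository.owner.login }}`, `HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}`) and call `gh pr view -R "${{ github.repository }}" "${HEAD_OWNER}:${HEAD_BRANCH}" --json number --jq .number` with the result redirected to `"$GITHUB_OUTPUT"`. `display_title` is likewise untrusted text spliced into the JSON `payload` string without escaping, so a title containing a quote breaks or reshapes the message; passing it through `toJSON()` (and dropping the surrounding quotes) keeps the payload well-formed. The job declares no `permissions:` block and therefore inherits the repository's default token scope, while nothing visible here needs more than `contents: read`. Since the file is kres-generated, these changes belong in the kres template rather than in this file.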
@@ -0,0 +1,749 @@ +--- +kind: auto.CI +spec: + compileGHWorkflowsOnly: true +--- +kind: common.SOPS +spec: + enabled: true + config: |- + creation_rules: + - age: age1xrpa9ujxxcj2u2gzfrzv8mxak4rts94a6y60ypurv6rs5cpr4e4sg95f0k + # order: Andrey, Noel, Artem, Utku, Dmitriy + pgp: >- + 15D5721F5F5BAF121495363EFE042E3D4085A811, + CC51116A94490FA6FB3C18EB2401FCAE863A06CA, + 4919F560F0D35F80CF382D76E084A2DF1143C14D, + 966BC282A680D8BB3E8363E865933E76F0549B0D, + AA5213AF261C1977AF38B03A94B473337258BFD5 +--- +kind: common.Repository +spec: + conformScopes: + - apid + - machined + - networkd + - talosctl + - trustd + - talosctl + - kernel + - security + - ci + - ^v1.8 + licenseChecks: + - skipPaths: + - .git/ + - testdata/ + includeSuffixes: + - .go + excludeSuffixes: + - .pb.go + - .pb.gw.go + - _string.go + - _enumer.go + - _string_linux.go + - zz_generated.deepcopy.go + header: | + // This Source Code Form is subject to the terms of the Mozilla Public + // License, v. 2.0. If a copy of the MPL was not distributed with this + // file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+--- +kind: common.GHWorkflow +spec: + jobs: + - name: default + setupBuildx: true + runners: + - self-hosted + - generic + steps: + - name: external-artifacts + - name: generate + command: generate docs + - name: uki-certs + environment: + PLATFORM: linux/amd64 + - name: check-dirty + - name: build + command: talosctl-all kernel sd-boot sd-stub initramfs installer imager talos _out/integration-test-linux-amd64 + environment: + PLATFORM: linux/amd64,linux/arm64 + IMAGE_REGISTRY: registry.dev.siderolabs.io + PUSH: true + - name: lint + - name: talosctl-cni-bundle + - name: iso + command: iso secureboot-iso + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: images-essential + environment: + PLATFORM: linux/amd64,linux/arm64 + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: unit-tests + - name: unit-tests-race + - name: coverage + coverageStep: + files: + - _out/coverage.txt + timeoutMinutes: 3 + - name: save-artifacts + artifactStep: + type: upload + artifactPath: _out + - name: e2e-iso + depends: + - default + runners: + - self-hosted + - generic + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-iso + withSudo: true + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-qemu-short + depends: + - default + runners: + - self-hosted + - generic + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-qemu + withSudo: true + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: yes + - name: e2e-docker-short + depends: + - default + runners: + - self-hosted + - generic + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-docker + withSudo: false + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + SHORT_INTEGRATION_TEST: yes + - name: integration-qemu + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - 
integration/qemu + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-qemu + withSudo: true + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-trusted-boot + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/trusted-boot + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: integration-trusted-boot + command: e2e-qemu + withSudo: true + environment: + VIA_MAINTENANCE_MODE: true + WITH_TRUSTED_BOOT_ISO: true + EXTRA_TEST_ARGS: -talos.trustedboot + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-provision-0 + setupBuildx: true + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/provision + - integration/provision-0 + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: provision-tests-prepare + - name: provision-tests-track-0 + withSudo: true + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-provision-1 + setupBuildx: true + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/provision + - integration/provision-1 + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: provision-tests-prepare + - name: provision-tests-track-1 + withSudo: true + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-provision-2 + setupBuildx: true + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/provision + - integration/provision-2 + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: provision-tests-prepare + - name: provision-tests-track-2 + withSudo: true + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-misc + depends: + - default + runners: + - 
self-hosted + - talos + triggerLabels: + - integration/misc + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-firewall + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_FIREWALL: block + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-network-chaos + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_NETWORK_CHAOS: yes + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-canal-reset + command: e2e-qemu + withSudo: true + environment: + INTEGRATION_TEST_RUN: TestIntegration/api.ResetSuite/TestResetWithSpec + CUSTOM_CNI_URL: https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/canal.yaml + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-bios-cgroupsv1 + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_UEFI: false + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/machine/install/extraKernelArgs/-", "value": "talos.unified_cgroup_hierarchy=0"}]' #use cgroupsv1 + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-disk-image + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + USE_DISK_IMAGE: true + VIA_MAINTENANCE_MODE: true + WITH_DISK_ENCRYPTION: true + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-controlplane-port + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_CONTROL_PLANE_PORT: 443 + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-no-cluster-discovery + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_CLUSTER_DISCOVERY: false + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-kubespan + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_CLUSTER_DISCOVERY: true + WITH_KUBESPAN: true + IMAGE_REGISTRY: registry.dev.siderolabs.io\ + - name: e2e-default-hostname + command: e2e-qemu + 
withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + VIA_MAINTENANCE_MODE: true + DISABLE_DHCP_HOSTNAME: true + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-siderolink + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_SIDEROLINK_AGENT: true + VIA_MAINTENANCE_MODE: true + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-siderolink-tunnel + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_SIDEROLINK_AGENT: tunnel + VIA_MAINTENANCE_MODE: true + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-extensions + setupBuildx: true + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/extensions + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: checkout extensions + checkoutStep: + repository: siderolabs/extensions + ref: main + path: _out/extensions + - name: set variables + nonMakeStep: true + command: cat _out/talos-metadata >> "$GITHUB_ENV" + - name: build extensions + command: all extensions-metadata + arguments: + - -C + - _out/extensions + environment: + PLATFORM: linux/amd64 + PUSH: true + REGISTRY: registry.dev.siderolabs.io + - name: installer extensions + command: installer-with-extensions + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-extensions + command: e2e-qemu + withSudo: true + environment: + QEMU_MEMORY_WORKERS: 4096 + WITH_CONFIG_PATCH_WORKER: "@_out/extensions-patch.yaml" + QEMU_EXTRA_DISKS: 3 + SHORT_INTEGRATION_TEST: yes + EXTRA_TEST_ARGS: -talos.extensions.qemu + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-cilium + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/cilium + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-cilium + command: e2e-qemu + withSudo: true + environment: + 
SHORT_INTEGRATION_TEST: yes + WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: yes + WITH_CUSTOM_CNI: cilium + WITH_FIREWALL: accept + QEMU_WORKERS: 2 + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}]' + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-cilium-strict + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: yes + WITH_CUSTOM_CNI: cilium + WITH_FIREWALL: accept + QEMU_WORKERS: 2 + CILIUM_INSTALL_TYPE: strict + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]' + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-cilium-strict-kubespan + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: yes + WITH_CUSTOM_CNI: cilium + WITH_FIREWALL: accept + WITH_KUBESPAN: true + QEMU_WORKERS: 2 + CILIUM_INSTALL_TYPE: strict + WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]' + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-qemu-encrypted-vip + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/qemu-encrypted-vip + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-qemu + withSudo: true + environment: + WITH_DISK_ENCRYPTION: true + WITH_VIRTUAL_IP: true + WITH_KUBESPAN: true + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-qemu-race + setupBuildx: true + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/qemu-race + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: build-race + command: initramfs installer + environment: + PUSH: true 
+ TAG_SUFFIX: -race + WITH_RACE: 1 + PLATFORM: linux/amd64 + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: e2e-qemu-race + command: e2e-qemu + withSudo: true + environment: + TAG_SUFFIX: -race + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-qemu-csi + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/qemu-csi + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-qemu-csi + command: e2e-qemu + withSudo: true + environment: + SHORT_INTEGRATION_TEST: yes + QEMU_WORKERS: 3 + QEMU_CPUS_WORKERS: 4 + QEMU_MEMORY_WORKERS: 5120 + QEMU_EXTRA_DISKS: 1 + QEMU_EXTRA_DISKS_SIZE: 12288 + WITH_TEST: run_csi_tests + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-images + depends: + - default + runners: + - self-hosted + - generic # this is pretty fast, so we can use generic + triggerLabels: + - integration/images + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: images + environment: + PLATFORM: linux/amd64,linux/arm64 + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-reproducibility-test + setupBuildx: true + depends: + - default + runners: + - self-hosted + - talos + triggerLabels: + - integration/reproducibility-test + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: reproducibility-test + environment: + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: integration-cloud-images + sops: true + depends: + - default + runners: + - self-hosted + - generic # this is not compute intensive, so we can use generic + triggerLabels: + - integration/cloud-images + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: images + environment: + PLATFORM: linux/amd64,linux/arm64 + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: cloud-images + - name: integration-image-factory + depends: + - 
default + runners: + - self-hosted + - talos + triggerLabels: + - integration/image-factory + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: factory-1.6-iso + command: e2e-image-factory + withSudo: true + environment: + FACTORY_BOOT_METHOD: iso + FACTORY_VERSION: v1.6.0 + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + KUBERNETES_VERSION: 1.29.0 + FACTORY_UPGRADE: true + FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.6.1 + - name: factory-1.6-image + command: e2e-image-factory + withSudo: true + environment: + FACTORY_BOOT_METHOD: disk-image + FACTORY_VERSION: v1.6.0 + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + KUBERNETES_VERSION: 1.29.0 + FACTORY_UPGRADE: true + FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.6.1 + - name: factory-1.6-pxe + command: e2e-image-factory + withSudo: true + environment: + FACTORY_BOOT_METHOD: pxe + FACTORY_VERSION: v1.6.1 + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + KUBERNETES_VERSION: 1.29.0 + - name: factory-1.6-secureboot + command: e2e-image-factory + withSudo: true + environment: + FACTORY_BOOT_METHOD: secureboot-iso + FACTORY_VERSION: v1.6.0 + FACTORY_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + KUBERNETES_VERSION: 1.29.0 + FACTORY_UPGRADE: true + FACTORY_UPGRADE_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + FACTORY_UPGRADE_VERSION: v1.6.1 + - name: factory-1.5-iso + command: e2e-image-factory + withSudo: true + environment: + FACTORY_BOOT_METHOD: iso + FACTORY_VERSION: v1.5.5 + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + KUBERNETES_VERSION: 1.28.5 + FACTORY_UPGRADE: true + FACTORY_UPGRADE_SCHEMATIC: 
cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.5.5 + - name: factory-1.3-iso + command: e2e-image-factory + withSudo: true + environment: + FACTORY_BOOT_METHOD: iso + FACTORY_VERSION: v1.3.7 + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + KUBERNETES_VERSION: 1.26.5 + FACTORY_UPGRADE: true + FACTORY_UPGRADE_SCHEMATIC: cf9b7aab9ed7c365d5384509b4d31c02fdaa06d2b3ac6cc0bc806f28130eff1f + FACTORY_UPGRADE_VERSION: v1.3.7 + - name: factory-1.3-image + command: e2e-image-factory + withSudo: true + environment: + FACTORY_BOOT_METHOD: disk-image + FACTORY_VERSION: v1.3.7 + FACTORY_SCHEMATIC: 376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba + KUBERNETES_VERSION: 1.26.5 + - name: integration-aws + sops: true + depends: + - default + runners: + - self-hosted + - generic # we can use generic here since thw tests run against a remote talos cluster + triggerLabels: + - integration/aws + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - name: e2e-aws-prepare + environment: + E2E_AWS_TARGET: default + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: checkout contrib + checkoutStep: + repository: siderolabs/contrib + ref: main + path: _out/contrib + - name: setup tf + terraformStep: true + - name: tf apply + command: e2e-cloud-tf + environment: + TF_SCRIPT_DIR: _out/contrib + TF_E2E_TEST_TYPE: aws + TF_E2E_ACTION: apply + - name: e2e-aws + - name: tf destroy + command: e2e-cloud-tf + always: true + environment: + TF_SCRIPT_DIR: _out/contrib + TF_E2E_TEST_TYPE: aws + TF_E2E_ACTION: destroy + - name: integration-aws-nvidia-oss + setupBuildx: true + sops: true + depends: + - default + runners: + - self-hosted + - generic # we can use generic here since thw tests run against a remote talos cluster + triggerLabels: + - integration/aws-nvidia-oss + steps: + - name: download-artifacts + artifactStep: + type: download + artifactPath: _out + - 
name: checkout extensions + checkoutStep: + repository: siderolabs/extensions + ref: main + path: _out/extensions + - name: set variables + nonMakeStep: true + command: cat _out/talos-metadata >> "$GITHUB_ENV" + - name: build extensions + command: nvidia-container-toolkit nvidia-open-gpu-kernel-modules nonfree-kmod-nvidia extensions-metadata + arguments: + - -C + - _out/extensions + environment: + PLATFORM: linux/amd64 + PUSH: true + REGISTRY: registry.dev.siderolabs.io + - name: e2e-aws-prepare + environment: + EXTENSIONS_METADATA_FILE: _out/extensions/_out/extensions-metadata + E2E_AWS_TARGET: nvidia-oss + IMAGE_REGISTRY: registry.dev.siderolabs.io + - name: checkout contrib + checkoutStep: + repository: siderolabs/contrib + ref: main + path: _out/contrib + - name: setup tf + terraformStep: true + - name: tf apply + command: e2e-cloud-tf + environment: + TF_SCRIPT_DIR: _out/contrib + TF_E2E_TEST_TYPE: aws + TF_E2E_ACTION: apply + # AZURE_STORAGE_ACCOUNT_NAME: siderogeneralstorage + # ARM_SUBSCRIPTION_ID: ${{ env.AZURE_SUBSCRIPTION_ID }} + # ARM_CLIENT_ID: ${{ env.AZURE_CLIENT_ID }} + # ARM_CLIENT_SECRET: ${{ env.AZURE_CLIENT_SECRET }} + # ARM_TENANT_ID: ${{ env.AZURE_TENANT_ID }} + - name: e2e-aws + environment: + TEST_NUM_NODES: 4 + EXTRA_TEST_ARGS: -talos.extensions.nvidia + - name: tf destroy + command: e2e-cloud-tf + always: true + environment: + TF_SCRIPT_DIR: _out/contrib + TF_E2E_TEST_TYPE: aws + TF_E2E_ACTION: destroy + # AZURE_STORAGE_ACCOUNT_NAME: siderogeneralstorage + # ARM_SUBSCRIPTION_ID: ${{ env.AZURE_SUBSCRIPTION_ID }} + # ARM_CLIENT_ID: ${{ env.AZURE_CLIENT_ID }} + # ARM_CLIENT_SECRET: ${{ env.AZURE_CLIENT_SECRET }} + # ARM_TENANT_ID: ${{ env.AZURE_TENANT_ID }} diff --git a/.secrets.yaml b/.secrets.yaml new file mode 100644 index 00000000000..b496fe706f7 --- /dev/null +++ b/.secrets.yaml 
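Review bot: The `e2e-kubespan` step of the `integration-misc` job has `IMAGE_REGISTRY: registry.dev.siderolabs.io\` with a trailing backslash; a backslash is ordinary text in a plain scalar, so unless this is an extraction artifact the rendered job gets a registry of `registry.dev.siderolabs.io\`, and the line should read `IMAGE_REGISTRY: registry.dev.siderolabs.io`. Environment flags are written inconsistently as `yes` (`SHORT_INTEGRATION_TEST`, `WITH_NETWORK_CHAOS`, `WITH_SKIP_BOOT_PHASE_FINISHED_CHECK`), `true` (`PUSH`, `WITH_KUBESPAN`) and `1` (`WITH_RACE`); the generated `ci.yaml` shows `PUSH: "true"` and `WITH_RACE: "1"`, so whether `yes` survives as the string `yes` depends on how kres's loader types it, and quoting it as `SHORT_INTEGRATION_TEST: "yes"` removes the doubt. The `integration-aws-nvidia-oss` job carries two commented-out blocks of `AZURE_*`/`ARM_*` environment entries under `tf apply` and `tf destroy`; either delete them or add a one-line comment saying why they are kept, since a reader cannot tell whether the AWS job is meant to grow Azure credentials.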
@@ -0,0 +1,89 @@ +secrets: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:AeXmU6IET6Mu1m7RrGbUxKYfeGw=,iv:ivTCvzsvlMDeRi1Xo+Xig+q/MFjinRT25oTQ4dTpD5w=,tag:ZgeWJ9306rFP2QCfn13XEQ==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:jOYsF4j5MuwJnUDW+m2TQxCaf1DOH+6QeAwtkBI2UKSCepG0ptHuzw==,iv:bYHZmQZly0S0fpRTQ6VwbafDYxH18jmfn6T/0/KQuqQ=,tag:55xc/fyBbb96QYzlohkZ+A==,type:str] + AWS_DEFAULT_REGION: ENC[AES256_GCM,data:Q7KZm7eenYFn,iv:VuzTTfAHe9FOTcqrGiJU9qdNixTxszm23rSXuNDB3cA=,tag:eGbIm8M/1Lsl0aoa9NanOQ==,type:str] + AZURE_SUBSCRIPTION_ID: ENC[AES256_GCM,data:vSY8xRgtR/ZGaztRyKUZsPUfFOJF2Nn5Zj8uO4q4Xm/uMKHA,iv:gImkSQLPnK2lDs8BpKP/y5qtYUTQREBXPR+LiUz8RQU=,tag:CVeHJ5YOz6BW8M7JDgQHYQ==,type:str] + AZURE_CLIENT_ID: ENC[AES256_GCM,data:sr2EhYwKjlsHYatqEoDXcm3yp5W8kzLyU4wpUPVvIwquxfM/,iv:ZMqoaG+F9JCfpUUbH6S0vvpwUmrfbCNpv4EJzFkb7Ng=,tag:RN5psxUWFa0SHroi4iqPHQ==,type:str] + AZURE_CLIENT_SECRET: ENC[AES256_GCM,data:DXH6XWJ1hfdrJJ2ue7Oq2cKsZKjuIAVACCBXRrp86EjrMY/4I9StnA==,iv:GHFK7zQmBQNUHOQvozGigW1pvfbFxaOZQR/HJc58XD4=,tag:1ciek8BjoJjTjIaoImJj6Q==,type:str] + AZURE_TENANT_ID: ENC[AES256_GCM,data:dZapmCqJeTx9C0us38mxDpPbdxBn39fJOmIc+5MgnAI6esT5,iv:s/GuStsQKgdc/6jpq2YMAE9GggLH/xGfrDzzgk/4kmQ=,tag:+dVM3/Joq3OA/opmSU6TSA==,type:str] + EM_PROJECT_ID: ENC[AES256_GCM,data:nPVZ+Uoul/W7UpxIoeMP1n3YhuEjq3fNKD+zoso4FBP2Obd0,iv:SSF8KZBczWvCJjZpvDo60mnoM21CrzdmmKs2reLi8w0=,tag:VKjsQSHqiQY+IzkIXO70MA==,type:str] + EM_API_TOKEN: ENC[AES256_GCM,data:PnNDZTRDTubebmtAuH1sAuEp5ZwzVie5WA0AhCUk26M=,iv:5MdcOwY+QrIdkFgCXcs2rBGCXQBnhi/EDxTPWr/vCMs=,tag:mcQ9qrWPYMaPalzr/GV7pQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1xrpa9ujxxcj2u2gzfrzv8mxak4rts94a6y60ypurv6rs5cpr4e4sg95f0k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvL24xdzZ5WVF6Mmxxa0NW + TnFSM00xWHFYRHJhbmxZU09hWG0weFNBdkdFCmVrQ1pxd2hJWkltMHo1S0dvMWwr + QXlMN1FCbTc3ajZQVS9xNXNtUDB0NEkKLS0tIHdtbmd3NG9Kdlo1VzdqMENVcVkr + 
ZE0zRWwxVzBLL3Q1WW1FNmVvc0txZm8K+GkjAq/WSduuDrsbeyqVi29Pj2IL25mA + a11K/HVqTCU834uHQXjpN3keJS23v5BJGZCpOwVXyZX8f1yAm/ZQAA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-06T06:16:37Z" + mac: ENC[AES256_GCM,data:q3NlR1Yi/4J/aCZUbatqL50gW7FPCMrYhYXSZWaZz4f+MLqzV+ymk4dO2QvS7ssgIX7TUVXjR2ClXgl+U3p31rqeVm8o8+LQPimJJnaQ0JrbO8tRZP3sQrQ4tghOKM1hFO/sz/52NTvoxl9OS9qIsq38fM+LUor4gEFekBQEyow=,iv:tZu7y6uezwvUFeHq4DdgNI0izg7DWspDIbzUxKTIBDs=,tag:PvYXbzD4HcWOP1Jw+zmHmA==,type:str] + pgp: + - created_at: "2024-04-29T17:03:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4D/dYBJRlWfQISAQdAG/X828buETcY2yNXRA2dORhwHSfBk25lhTMOesAozk0w + 42HQ4ZHV/xc/a9QsfX5pqAZgWbXUGce473RSMfbx3Xd2qnurqhOxyJ41xIQ2U1RX + 0l4BQKFt84pgtGHzVdmOsqGzn+kHVxeL9vmsNmC8GGiTGOt/YlLepTwN/0lxl9YC + CtPehgXh1HEjPF6+97KEe/LsIqsEusiBvnz7ieF5bzpt0rhje0mG/yRPpHdE3tzp + =eUa+ + -----END PGP MESSAGE----- + fp: 15D5721F5F5BAF121495363EFE042E3D4085A811 + - created_at: "2024-04-29T17:03:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4D+EORkHurkvgSAQdAc9l7LbjRnrmSkDnnqyjJgRso3exRZoFeHPvhd5FS3C8w + fa5KZkhoTCx9G19FFMOFksjLlCRVET7iN4/eI51KOuQ2XAj1PfG+fLPMucNtU7xz + 0l4Baqj1OkL2vF+u0r1OHpZO3R+8h0N1sMoN/4tgQc58ClNCSrslrUiclZXv1brN + yX+sK8AtlxiBl9f5DIVqA5v+emtHx38OvR3o9iX8JppYuChmnU6a2mHy0cjwEgM/ + =xkKE + -----END PGP MESSAGE----- + fp: CC51116A94490FA6FB3C18EB2401FCAE863A06CA + - created_at: "2024-04-29T17:03:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DCsA/BhMt3V4SAQdAdsc6wpQaH5PxlLbUgJ1AtQQLAfzW8N8u9tMoYUsw9Cww + jfAQCIpFjOCcKn2EfQzb/KXSHHiAFBx0BYF4kEoEnclyytkBtny1O14eZMVp0Ja0 + 0l4BAEzpCeHkgxS19TghHguj7dmRvwk+C3U/qZR0Yd5F8okK3OyLGxE8SzOCC+Ex + YZ2LiEerDzj7N3SxdzRBtYgpturs0TUlZwbO2jWvb92LrCg+fwZTDf+FXBMKJMgJ + =F891 + -----END PGP MESSAGE----- + fp: 4919F560F0D35F80CF382D76E084A2DF1143C14D + - created_at: "2024-04-29T17:03:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAxQwM84t19oOAQgApMfAt5Si/Uo/Mk5VoOXvRXljrdRAkr7NXcRgw7aR99oR + 
oMp6M6yd6mMej840Vchrd5QPavMd6Pyrepebip50QViXzZKub4uw7ulSXr9Yy0Oa + cuVL7kimrjQE/3RfZfU4sHzoZUioz3lmfD1tVz7dCTxTp/wlJlb/68sZRG6fS/vE + KXjTf4P7IccTb5UWj8XMXcIaFrZ29MiHW/SBVeiYUkJk9gx37hTffz9lFKPx7iAN + MTZrbrqgyo5ZjM/z17j+F4I9M9eXaxld6fysFsuLHGmsZSvOrUSem8Db0gjr6hIi + ryv2tktT3HOuwhtSD9LuSa8Fkht5eOK9xu9E2MZSPtJeASK9n4FBaX+29mdtsW3z + +W7z1+hI/rWA6wVbJr/3h7gn0Z72/AlTcGqMJnITx73cBZTib30oMGtWWZ5dRBGU + TUeLQF8E0j4W7JMC+pDSUI71mMksoD+ihysJ3If96w== + =tZQw + -----END PGP MESSAGE----- + fp: 966BC282A680D8BB3E8363E865933E76F0549B0D + - created_at: "2024-04-29T17:03:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DzfZC0UNQ1VgSAQdAIOqJfm6hMsqYmTZtTbI1akgjnyMqXpK39iBZNx+HtzEw + DFLS/aioTT3QTndbSCtv4zlh5GqlhfMZrstgWBNhta0g4gxifX9VKWG2PUns4RX3 + 0l4BO3JwpHIV23X56gt9/H94GtuebNOaoNRLW7WmqpclpLV9Z3gm9Q0FOBeUGCPX + JDYt0QL0rcqIGPAcxEgLcx42vxHtUWfGcYGBugRbKVQ1xiEPZUAZgYAC5WqeKne2 + =lE3W + -----END PGP MESSAGE----- + fp: AA5213AF261C1977AF38B03A94B473337258BFD5 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 00000000000..8f6ca07e6d7 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,13 @@ +# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT. +# +# Generated on 2024-04-29T16:25:51Z by kres ebc009d-dirty. + +creation_rules: + - age: age1xrpa9ujxxcj2u2gzfrzv8mxak4rts94a6y60ypurv6rs5cpr4e4sg95f0k + # order: Andrey, Noel, Artem, Utku, Dmitriy + pgp: >- + 15D5721F5F5BAF121495363EFE042E3D4085A811, + CC51116A94490FA6FB3C18EB2401FCAE863A06CA, + 4919F560F0D35F80CF382D76E084A2DF1143C14D, + 966BC282A680D8BB3E8363E865933E76F0549B0D, + AA5213AF261C1977AF38B03A94B473337258BFD5 \ No newline at end of file diff --git a/Makefile b/Makefile index 1eec42184b8..43b78eb79d2 100644 --- a/Makefile +++ b/Makefile 
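Review bot: `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are long-lived static credentials that every job marked `sops: true` in `.kres.yaml` decrypts into its environment, including the label-triggered `integration-aws` and `integration-aws-nvidia-oss` jobs. If the self-hosted runners can reach GitHub's OIDC provider, an `aws-actions/configure-aws-credentials` step assuming a role scoped to the `talos-ci-e2e` state bucket and the e2e instances would replace the static pair with short-lived tokens and leave only the non-AWS entries in this file. Failing that, a comment above the `secrets:` map naming which job consumes each key (the `AZURE_*` values are used by the `cloud-images` Makefile target) would make the decryption set reviewable.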
@@ -22,6 +22,9 @@ PKGS_PREFIX ?= ghcr.io/siderolabs PKGS ?= v1.8.0-alpha.0-10-g28c5696 EXTRAS ?= v1.8.0-alpha.0 +KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest +CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest + PKG_FHS ?= $(PKGS_PREFIX)/fhs:$(PKGS) PKG_CA_CERTIFICATES ?= $(PKGS_PREFIX)/ca-certificates:$(PKGS) PKG_CRYPTSETUP ?= $(PKGS_PREFIX)/cryptsetup:$(PKGS) @@ -403,7 +406,7 @@ talosctl-cni-bundle: ## Creates a compressed tarball that includes CNI bundle fo cloud-images: ## Uploads cloud images (AMIs, etc.) to the cloud registry. @docker run --rm -v $(PWD):/src -w /src \ -e TAG=$(TAG) -e ARTIFACTS=$(ARTIFACTS) -e ABBREV_TAG=$(ABBREV_TAG) \ - -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SVC_ACCT \ + -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY \ -e AZURE_SUBSCRIPTION_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET -e AZURE_TENANT_ID \ golang:$(GO_VERSION) \ ./hack/cloud-image-uploader.sh $(CLOUD_IMAGES_EXTRA_ARGS) @@ -526,9 +529,9 @@ provision-tests-track-%: REGISTRY=$(IMAGE_REGISTRY) \ ARTIFACTS=$(ARTIFACTS) -installer-with-extensions: $(ARTIFACTS)/extensions-metadata +installer-with-extensions: $(ARTIFACTS)/extensions/_out/extensions-metadata $(MAKE) image-installer \ - IMAGER_ARGS="--base-installer-image=$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG) $(shell cat $(ARTIFACTS)/extensions-metadata | grep -vE 'tailscale|xen-guest-agent|nvidia' | xargs -n 1 echo --system-extension-image)" + IMAGER_ARGS="--base-installer-image=$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG) $(shell cat $(ARTIFACTS)/extensions/_out/extensions-metadata | grep -vE 'tailscale|xen-guest-agent|nvidia' | xargs -n 1 echo --system-extension-image)" crane push $(ARTIFACTS)/installer-amd64.tar $(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-amd64-extensions echo -n "$(REGISTRY_AND_USERNAME)/installer:$(IMAGE_TAG)-amd64-extensions" | jq -Rs -f hack/test/extensions/extension-patch-filter.jq | yq eval ".[] | split_doc" -P > $(ARTIFACTS)/extensions-patch.yaml 
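Review bot: `KRES_IMAGE` and `CONFORMANCE_IMAGE` are pinned to the mutable `:latest` tag, and the `rekres` target in the later hunk (`@@ -557,9 +560,15 @@`) runs `$(KRES_IMAGE)` with `--net=host`, the whole checkout mounted read-write at `/src`, and `-e GITHUB_TOKEN`, so whatever is published under that tag can rewrite the workflow definitions and use the token. Pin both images by digest and let dependency automation bump them, e.g. `KRES_IMAGE ?= ghcr.io/siderolabs/kres@sha256:<digest>` and `CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform@sha256:<digest>` (placeholder digests). Keeping `?=` still lets a developer override the image locally.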
@@ -557,9 +560,15 @@ release-artifacts:
 
 # Utilities
 
+.PHONY: rekres
+rekres:
+ @docker pull $(KRES_IMAGE)
+ @docker run --rm --net=host --user $(shell id -u):$(shell id -g) -v $(PWD):/src -w /src -e GITHUB_TOKEN $(KRES_IMAGE)
+
 .PHONY: conformance
-conformance: ## Performs policy checks against the commit and source code.
- docker run --rm -it -v $(PWD):/src -w /src ghcr.io/siderolabs/conform:latest enforce
+conformance:
+ @docker pull $(CONFORMANCE_IMAGE)
+ @docker run --rm -it -v $(PWD):/src -w /src $(CONFORMANCE_IMAGE) enforce
 
 .PHONY: release-notes
 release-notes:
diff --git a/hack/test/e2e-aws-prepare.sh b/hack/test/e2e-aws-prepare.sh
index 20d1f20d77e..699006a9d5f 100755
--- a/hack/test/e2e-aws-prepare.sh
+++ b/hack/test/e2e-aws-prepare.sh
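Review bot: The rewritten `conformance` target drops its `## Performs policy checks against the commit and source code.` help text and the new `rekres` target has none; if the Makefile's help listing is built from `##` comments (the removed line suggests it is), both targets vanish from it. Restore `conformance: ## Performs policy checks against the commit and source code.` and add `rekres: ## Re-runs kres to regenerate the managed files (.github/workflows, .conform.yaml, .sops.yaml) from .kres.yaml.`. The `@` prefix on the `docker pull`/`docker run` lines also hides which image was actually executed from the build log; since both targets now resolve a tag at run time, dropping the `@` or echoing the image makes a run auditable.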
@@ -19,16 +19,16 @@ function get_ami_id() {
 function cloud_image_upload_with_extensions() {
 case "${1}" in
 nvidia-oss)
- EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+ EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
 ;;
 nvidia-oss-fabricmanager)
- EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+ EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nonfree-kmod-nvidia") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
 ;;
 nvidia-proprietary)
- EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+ EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-fabricmanager") or contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
 ;;
 nvidia-proprietary-fabricmanager)
- EXTENSIONS=$(jq -R < _out/extensions-metadata | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
+ EXTENSIONS=$(jq -R < "${EXTENSIONS_METADATA_FILE}" | jq -rs 'map(select(. | contains("nvidia") and (contains("nvidia-open-gpu-kernel-modules") | not))) | .[] |= "--system-extension-image=" + . | join(" ")')
 ;;
 *)
 ;;
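Review bot: `EXTENSIONS_METADATA_FILE` is read in all four `nvidia*` branches without a default or a check, and in this change it is set only by the `e2e-aws-prepare` step of the `integration-aws-nvidia-oss` job in `.kres.yaml`; any other caller of an nvidia target gets `jq -R < ""` with an unhelpful error, or an unbound-variable abort if the script runs under `set -u` like its siblings. Add a guard before the `case`, restricted to the branches that need the file so the default target keeps working: `if [[ "${1}" == nvidia* ]]; then : "${EXTENSIONS_METADATA_FILE:?must point to the extensions-metadata file for target ${1}}"; fi`. `cloud_image_upload_with_extensions` continues past the end of the hunk (`esac` and the upload itself are not shown).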
diff --git a/hack/test/e2e-cloud-tf.sh b/hack/test/e2e-cloud-tf.sh
new file mode 100755
index 00000000000..8919731fd65
--- /dev/null
+++ b/hack/test/e2e-cloud-tf.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+source ./hack/test/e2e.sh
+
+# This script is used to run the end-to-end tests on a cloud provider using Terraform.
+
+if [[ "${CI}" != "true" ]]; then
+ echo "This script is only meant to be run in CI."
+ exit 1
+fi
+
+cp "${TF_SCRIPT_DIR}/hack/backend-aws.tf" "${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}/backend.tf"
+
+cp "${ARTIFACTS}/e2e-${TF_E2E_TEST_TYPE}-generated"/* "${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}"
+
+terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+ init \
+ -backend-config="bucket=talos-ci-e2e" \
+ -backend-config="key=cloud-tf/${TF_E2E_TEST_TYPE}-${GITHUB_SHA}-terraform.tfstate"
+
+case "${TF_E2E_ACTION}" in
+ "apply")
+ terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+ apply \
+ -auto-approve \
+ -var-file="vars.json"
+
+ terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+ output \
+ -raw \
+ talosconfig > "${ARTIFACTS}/e2e-${TF_E2E_TEST_TYPE}-talosconfig"
+
+ terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+ output \
+ -raw \
+ kubeconfig > "${ARTIFACTS}/e2e-${TF_E2E_TEST_TYPE}-kubeconfig"
+ ;;
+ "destroy")
+ terraform -chdir="${TF_SCRIPT_DIR}/examples/terraform/${TF_E2E_TEST_TYPE}" \
+ apply \
+ -destroy \
+ -auto-approve \
+ -var-file="vars.json" \
+ -refresh="${TF_E2E_REFRESH_ON_DESTROY:-true}"
+
+ aws s3api delete-object --bucket talos-ci-e2e --key "cloud-tf/${TF_E2E_TEST_TYPE}-${GITHUB_SHA}-terraform.tfstate"
+ ;;
+ *)
+ echo "Unsupported action: ${TF_E2E_ACTION}"
+ exit 1
+ ;;
+esac
diff --git a/hack/test/e2e-docker.sh b/hack/test/e2e-docker.sh
index 9c8972928e2..6c2f2883006 100755
--- a/hack/test/e2e-docker.sh
+++ b/hack/test/e2e-docker.sh
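Review bot: `if [[ "${CI}" != "true" ]]` aborts with an unbound-variable error under `set -eou pipefail` whenever `CI` is unset, so the guard's own message never prints for someone running the script locally; write `if [[ "${CI:-false}" != "true" ]]; then`, matching `build_registry_mirrors` in `hack/test/e2e.sh`. The `apply` branch writes `talosconfig` and `kubeconfig`, live cluster credentials, into `${ARTIFACTS}`, the same directory the `default` job uploads as the `artifacts` bundle; the aws jobs in `.kres.yaml` have no upload step as far as this diff shows, but a comment above the two `output` calls such as `# NOTE: these files are cluster credentials; never upload ${ARTIFACTS} from this job.` would keep it that way. The remote state key `cloud-tf/${TF_E2E_TEST_TYPE}-${GITHUB_SHA}-terraform.tfstate` is shared by any two runs on the same commit (a re-run, or one SHA on two branches), so concurrent runs can clobber each other's state; folding `${GITHUB_RUN_ID}` into the key isolates them, provided the `destroy` invocation sees the same value.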
@@ -17,11 +17,11 @@ function create_cluster {
 --image="${IMAGE}" \
 --controlplanes=1 \
 --workers=1 \
- --mtu=1450 \
+ --mtu=1430 \
 --memory=2048 \
 --cpus=2.0 \
 --with-init-node=false \
- ${REGISTRY_MIRROR_FLAGS} \
+ "${REGISTRY_MIRROR_FLAGS[@]}" \
 --crashdump

 "${TALOSCTL}" config node 10.5.0.2
diff --git a/hack/test/e2e-image-factory.sh b/hack/test/e2e-image-factory.sh
index ee6b70c8d68..9225f073d55 100755
--- a/hack/test/e2e-image-factory.sh
+++ b/hack/test/e2e-image-factory.sh
@@ -48,7 +48,7 @@ function create_cluster {
 --controlplanes=3 \
 --workers="${QEMU_WORKERS:-1}" \
 --disk=15360 \
- --mtu=1450 \
+ --mtu=1430 \
 --memory=2048 \
 --memory-workers="${QEMU_MEMORY_WORKERS:-2048}" \
 --cpus="${QEMU_CPUS:-2}" \
diff --git a/hack/test/e2e-iso.sh b/hack/test/e2e-iso.sh
index dd702308ddb..103aaac81f9 100755
--- a/hack/test/e2e-iso.sh
+++ b/hack/test/e2e-iso.sh
@@ -19,7 +19,7 @@ function create_cluster {
 --iso-path=${ARTIFACTS}/metal-amd64.iso \
 --controlplanes=1 \
 --workers=0 \
- --mtu=1450 \
+ --mtu=1430 \
 --memory=2048 \
 --cpus=2.0 \
 --cidr=172.20.2.0/24 \
@@ -27,7 +27,7 @@ function create_cluster {
 --install-image=${REGISTRY:-ghcr.io}/siderolabs/installer:${TAG} \
 --cni-bundle-url=${ARTIFACTS}/talosctl-cni-bundle-'${ARCH}'.tar.gz \
 --crashdump \
- ${REGISTRY_MIRROR_FLAGS}
+ "${REGISTRY_MIRROR_FLAGS[@]}"

 "${TALOSCTL}" config node "${NODE}"
 }
diff --git a/hack/test/e2e-qemu.sh b/hack/test/e2e-qemu.sh
index d655602cb2a..10fb221d831 100755
--- a/hack/test/e2e-qemu.sh
+++ b/hack/test/e2e-qemu.sh
@@ -173,7 +173,7 @@ function create_cluster {
 --disk=15360 \
 --extra-disks="${QEMU_EXTRA_DISKS:-0}" \
 --extra-disks-size="${QEMU_EXTRA_DISKS_SIZE:-5120}" \
- --mtu=1450 \
+ --mtu=1430 \
 --memory=2048 \
 --memory-workers="${QEMU_MEMORY_WORKERS:-2048}" \
 --cpus="${QEMU_CPUS:-2}" \
diff --git a/hack/test/e2e.sh b/hack/test/e2e.sh
index 10f180ad162..3707ad51aeb 100755
--- a/hack/test/e2e.sh
+++ b/hack/test/e2e.sh
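Review bot: In the e2e-iso.sh `@@ -27,7` hunk the commit quotes `"${REGISTRY_MIRROR_FLAGS[@]}"` but leaves the neighbouring expansions on the same command unquoted, so `--install-image=${REGISTRY:-ghcr.io}/siderolabs/installer:${TAG}` and `--cni-bundle-url=${ARTIFACTS}/talosctl-cni-bundle-'${ARCH}'.tar.gz` (and `--iso-path=${ARTIFACTS}/metal-amd64.iso` in the preceding hunk) still word-split and glob on an `ARTIFACTS` or `REGISTRY` containing spaces or `*`. Since the same commit already rewrote the provision-tests.sh equivalent as `"${ARTIFACTS}/talosctl-cni-bundle-\${ARCH}.tar.gz"`, I would make these consistent: `--install-image="${REGISTRY:-ghcr.io}/siderolabs/installer:${TAG}" \` and `--cni-bundle-url="${ARTIFACTS}/talosctl-cni-bundle-\${ARCH}.tar.gz" \`. The `\${ARCH}` is presumably a literal placeholder that talosctl expands per architecture, so it must stay unexpanded — worth a one-line comment above the flag saying so. `create_cluster` begins before this hunk.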
@@ -108,7 +108,7 @@ function create_cluster_capi {
 # Wait for nodes to check in
 timeout=$(($(date +%s) + TIMEOUT))
- until ${KUBECTL} get nodes -o go-template='{{ len .items }}' | grep ${NUM_NODES} >/dev/null; do
+ until ${KUBECTL} get nodes -o go-template='{{ len .items }}' | grep "${NUM_NODES}" >/dev/null; do
 [[ $(date +%s) -gt $timeout ]] && exit 1
 ${KUBECTL} get nodes -o wide && :
 sleep 10
@@ -210,7 +210,7 @@ function build_registry_mirrors {
 if [[ "${CI:-false}" == "true" ]]; then
 REGISTRY_MIRROR_FLAGS=()

- for registry in docker.io registry.k8s.io quay.io gcr.io ghcr.io registry.dev.talos-systems.io; do
+ for registry in docker.io registry.k8s.io quay.io gcr.io ghcr.io; do
 local service="registry-${registry//./-}.ci.svc"
 addr=$(python3 -c "import socket; print(socket.gethostbyname('${service}'))")
@@ -218,7 +218,7 @@ function build_registry_mirrors {
 done
 else
 # use the value from the environment, if present
- REGISTRY_MIRROR_FLAGS=(${REGISTRY_MIRROR_FLAGS:-})
+ REGISTRY_MIRROR_FLAGS=("${REGISTRY_MIRROR_FLAGS:-}")
 fi
 }
diff --git a/hack/test/provision-tests.sh b/hack/test/provision-tests.sh
index 678b9818fd7..4b505068748 100755
--- a/hack/test/provision-tests.sh
+++ b/hack/test/provision-tests.sh
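Review bot: The quoted `grep "${NUM_NODES}"` in the node-wait loop is still a substring match on the node count, so it succeeds as soon as the printed count merely contains those digits (NUM_NODES=1 is satisfied by 10 or 11 nodes, NUM_NODES=2 by 12 or 20), which is not what "wait for all nodes to check in" means. An exact comparison removes the ambiguity and also drops the pipe: `until [[ "$(${KUBECTL} get nodes -o go-template='{{ len .items }}')" == "${NUM_NODES}" ]]; do` — or at minimum `grep -qx "${NUM_NODES}"` to anchor the whole line. `create_cluster_capi` starts before and continues after this hunk.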
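Review bot: Quoting the initializer as `REGISTRY_MIRROR_FLAGS=("${REGISTRY_MIRROR_FLAGS:-}")` in the non-CI branch changes its meaning: when the variable is unset it now builds a one-element array holding the empty string, so the `"${REGISTRY_MIRROR_FLAGS[@]}"` callers this same commit introduces in e2e-docker.sh and e2e-iso.sh pass a stray empty positional argument to `talosctl cluster create`, and a value like `--registry-mirror=a=b --registry-mirror=c=d` is passed as a single argument instead of two. The original unquoted form relied on word-splitting (which is what shellcheck objected to); the idiomatic replacement that keeps the old semantics and yields a genuinely empty array is `read -r -a REGISTRY_MIRROR_FLAGS <<< "${REGISTRY_MIRROR_FLAGS:-}"`. If any of these scripts still run under bash older than 4.4, expanding an empty array with `set -u` is itself an error there, so it may be worth a comment noting the bash version this relies on. `build_registry_mirrors` starts before this hunk.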
@@ -2,46 +2,45 @@
 set -eoux pipefail

+INTEGRATION_TEST_FLAGS=()
+
 case "${CI:-false}" in
 true)
- mirror_flag=""
+ MIRROR_FLAG=()

- for registry in docker.io k8s.gcr.io registry.k8s.io quay.io gcr.io ghcr.io registry.dev.talos-systems.io; do
+ for registry in docker.io k8s.gcr.io registry.k8s.io quay.io gcr.io ghcr.io; do
 service="registry-${registry//./-}.ci.svc"
- addr=`python3 -c "import socket; print(socket.gethostbyname('${service}'))"`
-
- if [[ ! -z "${mirror_flag}" ]]; then
- mirror_flag="${mirror_flag},"
- fi
+ addr=$(python3 -c "import socket; print(socket.gethostbyname('${service}'))")

- mirror_flag="${mirror_flag}${registry}=http://${addr}:5000"
+ MIRROR_FLAG+=("${registry}=http://${addr}:5000")
 done

- INTEGRATION_TEST_FLAGS="-talos.provision.target-installer-registry=${REGISTRY} -talos.provision.registry-mirror ${mirror_flag}"
+ MIRROR_FLAGS="${MIRROR_FLAG[*]}"
+
+ INTEGRATION_TEST_FLAGS+=("-talos.provision.target-installer-registry=${REGISTRY}" "-talos.provision.registry-mirror=${MIRROR_FLAGS// /,}")
 ;;
 *)
- INTEGRATION_TEST_FLAGS=
 ;;
 esac

 if [ "${INTEGRATION_TEST_RUN:-undefined}" != "undefined" ]; then
- INTEGRATION_TEST_FLAGS="${INTEGRATION_TEST_FLAGS} -test.run ${INTEGRATION_TEST_RUN}"
+ INTEGRATION_TEST_FLAGS+=("-test.run=${INTEGRATION_TEST_RUN}")
 fi

 if [ "${INTEGRATION_TEST_TRACK:-undefined}" != "undefined" ]; then
- INTEGRATION_TEST_FLAGS="${INTEGRATION_TEST_FLAGS} -talos.provision.cidr 172.$(( ${INTEGRATION_TEST_TRACK} + 21 )).0.0/24"
+ INTEGRATION_TEST_FLAGS+=("-talos.provision.cidr=172.$(( INTEGRATION_TEST_TRACK + 21 )).0.0/24")
 fi

 case "${CUSTOM_CNI_URL:-false}" in
 false)
 ;;
 *)
- INTEGRATION_TEST_FLAGS="${INTEGRATION_TEST_FLAGS} -talos.provision.custom-cni-url=${CUSTOM_CNI_URL}"
+ INTEGRATION_TEST_FLAGS+=("-talos.provision.custom-cni-url=${CUSTOM_CNI_URL}")
 ;;
 esac

 "${INTEGRATION_TEST}" -test.v \
 -talos.talosctlpath "${TALOSCTL}" \
- -talos.provision.mtu 1450 \
- -talos.provision.cni-bundle-url ${ARTIFACTS}/talosctl-cni-bundle-'${ARCH}'.tar.gz \
- ${INTEGRATION_TEST_FLAGS}
+ -talos.provision.mtu 1430 \
+ -talos.provision.cni-bundle-url "${ARTIFACTS}/talosctl-cni-bundle-\${ARCH}.tar.gz" \
+ "${INTEGRATION_TEST_FLAGS[@]}"