feat(talos): upgrade to talos 1.9

jfroy · Dec 20, 2024 · b23eba3 · b23eba3
1 parent b6b7aa4
commit b23eba3
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 9 deletions.
diff --git a/kubernetes/apps/talos-admin/system-upgrade-controller/ks.yaml b/kubernetes/apps/talos-admin/system-upgrade-controller/ks.yaml
@@ -43,6 +43,6 @@ spec:
   postBuild:
     substitute:
       # renovate: datasource=docker depName=ghcr.io/jfroy/siderolabs/imager
-      TALOS_VERSION: v1.8.3000
+      TALOS_VERSION: v1.9.1000
       # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
       KUBERNETES_VERSION: v1.31.4
diff --git a/kubernetes/apps/talos-admin/system-upgrade-controller/plans/talos-etincelle-s1.yaml b/kubernetes/apps/talos-admin/system-upgrade-controller/plans/talos-etincelle-s1.yaml
@@ -7,7 +7,7 @@ metadata:
   annotations:
     description: Schema for kantai1 (and kantai3, but it does not support secureboot, see s2)
     secure-boot: true
-    extensions: jfroy/siderolabs/glibc, jfroy/siderolabs/nvidia-driver-production, jfroy/siderolabs/zfs, siderolabs/amd-ucode
+    extensions: jfroy/siderolabs/nvidia-driver-production, jfroy/siderolabs/zfs, siderolabs/amd-ucode, siderolabs/glibc
     cmdline: lsm=landlock,lockdown,yama,apparmor,bpf lsm.debug amd_pstate=active spec_rstack_overflow=microcode zfs.zfs_arc_max=26843545600 zfs.zfs_arc_shrinker_limit=0
 spec:
   version: ${TALOS_VERSION}
@@ -49,6 +49,6 @@ spec:
     args:
       - --nodes=$(NODE_IP)
       - upgrade
-      - --image=tif.etincelle.cloud/installer-secureboot/62f9fce7f705007200ec6e510c078227eea151cd8f2efc30338fe3c4521c99cf:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
+      - --image=tif.etincelle.cloud/installer-secureboot/d23b1d9b4724da9b63e7c06c4f28e560c26c8161b131b058fd7dae0f46f02211:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
       - --preserve=true
       - --wait=false
diff --git a/kubernetes/apps/talos-admin/system-upgrade-controller/plans/talos-etincelle-s2.yaml b/kubernetes/apps/talos-admin/system-upgrade-controller/plans/talos-etincelle-s2.yaml
@@ -7,7 +7,7 @@ metadata:
   annotations:
     description: Mostly the same as talos-etincelle-s1. No secureboot and different zfs tuning.
     secure-boot: false
-    extensions: jfroy/siderolabs/glibc, jfroy/siderolabs/nvidia-driver-production, jfroy/siderolabs/zfs, siderolabs/amd-ucode
+    extensions: jfroy/siderolabs/nvidia-driver-production, jfroy/siderolabs/zfs, siderolabs/amd-ucode, siderolabs/glibc
     cmdline: lsm=landlock,lockdown,yama,apparmor,bpf lsm.debug amd_pstate=active spec_rstack_overflow=microcode zfs.zfs_arc_max=6871947674 zfs.zfs_arc_shrinker_limit=0
 spec:
   version: ${TALOS_VERSION}
@@ -49,6 +49,6 @@ spec:
     args:
       - --nodes=$(NODE_IP)
       - upgrade
-      - --image=tif.etincelle.cloud/installer/ad8785c1d7e983857bdb8ccdffd55d90c5bd160cb4212f295d3098c1ecbd6b1c:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
+      - --image=tif.etincelle.cloud/installer/ea8f6a3c788c7958f182958694998974519a9c964e91bc7fde368d9f325c71b0:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
       - --preserve=true
       - --wait=false
diff --git a/kubernetes/apps/talos-admin/system-upgrade-controller/plans/talos-siderolabs-minimal.yaml b/kubernetes/apps/talos-admin/system-upgrade-controller/plans/talos-siderolabs-minimal.yaml
@@ -8,7 +8,7 @@ metadata:
     description: Schema for VM nodes with no hardware requirements
     secure-boot: false
     extensions: ""
-    cmdline: ""
+    cmdline: "lsm=landlock,lockdown,yama,apparmor,bpf lsm.debug"
 spec:
   version: ${TALOS_VERSION}
   serviceAccountName: system-upgrade
@@ -49,6 +49,6 @@ spec:
     args:
       - --nodes=$(NODE_IP)
       - upgrade
-      - --image=tif.etincelle.cloud/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
+      - --image=tif.etincelle.cloud/installer/9036a9f19c942ed92f4d1235768f54e49264a702a6d0bf87bd3f9c71bdd04e6d:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
       - --preserve=true
       - --wait=false
diff --git a/kubernetes/bootstrap/talos/talconfig.yaml b/kubernetes/bootstrap/talos/talconfig.yaml
@@ -60,10 +60,10 @@ nodes:
           - zfs.zfs_arc_shrinker_limit=0
         systemExtensions:
           officialExtensions:
-            - jfroy/siderolabs/glibc
             - jfroy/siderolabs/nvidia-driver-production
             - jfroy/siderolabs/zfs
             - siderolabs/amd-ucode
+            - siderolabs/glibc
     patches:
       # sysctls
       - |-
@@ -152,6 +152,11 @@ nodes:
         mtu: 1500
         vip:
           ip: "192.168.1.8"
+    schematic:
+      customization:
+        extraKernelArgs:
+          - lsm=landlock,lockdown,yama,apparmor,bpf
+          - lsm.debug
     nodeTaints:
       node-role.kubernetes.io/control-plane: :NoSchedule
     patches:
@@ -194,10 +199,10 @@ nodes:
           - zfs.zfs_arc_shrinker_limit=0
         systemExtensions:
           officialExtensions:
-            - jfroy/siderolabs/glibc
             - jfroy/siderolabs/nvidia-driver-production
             - jfroy/siderolabs/zfs
             - siderolabs/amd-ucode
+            - siderolabs/glibc
     patches:
       # sysctls
       - |-