chore: upgrade & sync with upstream

.github/tests/config-talos.yaml

@@ -10,12 +10,16 @@ node_inventory:
     disk: fake
     mac_addr: fake
     schematic_id: "376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"
+    secureboot: true
+    encrypt_disk: true
   - name: k8s-worker-0
     address: 10.10.10.101
     controller: false
     disk: fake
     mac_addr: fake
     schematic_id: "376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"
+    secureboot: false
+    encrypt_disk: false
 dns_servers: ["1.1.1.1", "1.0.0.1"]
 ntp_servers: ["time.cloudflare.com"]
 pod_network: 10.69.0.0/16

.github/workflows/e2e.yaml

@@ -48,5 +48,8 @@ jobs:
       - name: Run configure task
         run: task configure --yes
 
+      - name: Run generate talconfig task
+        run: task talos:generate-config
+
       - name: Run cleanup task
-        run: task template:cleanup --yes
+        run: task template:tidy --yes

.github/workflows/mise.yaml

@@ -0,0 +1,66 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: "Mise"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # once a day at midnight
+
+jobs:
+  mise:
+    name: upgrade-tools
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup mise
+        uses: jdx/mise-action@v2
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Upgrade dependencies
+        run: mise upgrade --bump
+
+      - name: Get diff of .mise.toml
+        run: |
+          git diff > diff.patch
+
+      - name: Generate Diff
+        id: diff
+        run: |
+          cat diff.patch;
+          {
+              echo 'diff<<EOF'
+              cat diff.patch
+              echo EOF
+          } >> "$GITHUB_OUTPUT";
+          {
+              echo "### Diff"
+              echo '```diff'
+              cat diff.patch
+              echo '```'
+          } >> "$GITHUB_STEP_SUMMARY";
+          rm diff.patch
+
+      - if: ${{ steps.diff.outputs.diff != '' }}
+        name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          title: "chore(mise): upgrade dependencies"
+          commit-message: "chore(mise): upgrade dependencies"
+          branch: "mise-upgrade-dependencies"
+          body: |
+            Upgraded dependencies found in `.mise.toml`:
+
+            ```diff
+            ${{ steps.diff.outputs.diff }}
+            ```
+
+            > [!TIP]
+            > Merge this pull request and then run `mise upgrade --bump` on your workstation.

.mise.toml

@@ -15,7 +15,7 @@ run = "uv pip install -r requirements.txt"
 python = "3.13"
 uv = "0.5.21"
 # Operations tools
-"aqua:budimanjojo/talhelper" = "3.0.15"
+"aqua:budimanjojo/talhelper" = "3.0.16"
 "aqua:cloudflare/cloudflared" = "2025.1.0"
 "aqua:FiloSottile/age" = "1.2.1"
 "aqua:fluxcd/flux2" = "2.4.0"
@@ -25,8 +25,8 @@ uv = "0.5.21"
 "aqua:helmfile/helmfile" = "0.170.0"
 "aqua:jqlang/jq" = "1.7.1"
 "aqua:kubernetes-sigs/kustomize" = "5.6.0"
-"aqua:kubernetes/kubectl" = "1.32.0"
+"aqua:kubernetes/kubectl" = "1.32.1"
 "aqua:mikefarah/yq" = "4.45.1"
-"aqua:siderolabs/talos" = "1.9.1"
+"aqua:siderolabs/talos" = "1.9.2"
 "aqua:yannh/kubeconform" = "0.6.7"
 k9s = "latest"

.taskfiles/talos/Taskfile.yaml

@@ -14,56 +14,46 @@ tasks:
       - which talhelper
 
   apply-node:
-    desc: Apply Talos config to a node [HOSTNAME=required]
-    cmds:
-      - talosctl --nodes {{.HOSTNAME}} apply-config --mode={{.MODE}} --file {{.TALHELPER_CLUSTER_DIR}}/kubernetes-{{.HOSTNAME}}.yaml
-      - talosctl --nodes {{.HOSTNAME}} health --wait-timeout=10m --server=false
+    desc: Apply Talos config to a node [IP=required]
+    cmd: talhelper gencommand apply --node {{.IP}} --config-file {{.TALHELPER_CONFIG_FILE}} --secret-file {{.TALHELPER_SECRET_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags '--mode={{.MODE}}' | bash
     vars:
       MODE: '{{.MODE | default "auto"}}'
     requires:
-      vars: [HOSTNAME]
+      vars: [IP]
     preconditions:
-      - talosctl --nodes {{.HOSTNAME}} get machineconfig
+      - talosctl --nodes {{.IP}} get machineconfig
       - talosctl config info
-      - test -f {{.TALHELPER_CLUSTER_DIR}}/kubernetes-{{.HOSTNAME}}.yaml
       - test -f {{.TALOSCONFIG}}
-      - which talosctl yq
+      - which talhelper talosctl yq
 
   upgrade-node:
-    desc: Upgrade Talos on a single node [HOSTNAME=required]
-    cmds:
-      - talosctl --nodes {{.HOSTNAME}} upgrade --image="factory.talos.dev/installer{{if ne .TALOS_SECUREBOOT "false"}}-secureboot{{end}}/{{.TALOS_SCHEMATIC_ID}}:{{.TALOS_VERSION}}" --timeout=10m
-      - talosctl --nodes {{.HOSTNAME}} health --wait-timeout=10m --server=false
+    desc: Upgrade Talos on a single node [IP=required]
+    cmd: talhelper gencommand upgrade --node {{.IP}} --config-file {{.TALHELPER_CONFIG_FILE}} --secret-file {{.TALHELPER_SECRET_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags "--image='factory.talos.dev/installer{{if eq .TALOS_SECUREBOOT "true"}}-secureboot{{end}}/{{.TALOS_SCHEMATIC_ID}}:{{.TALOS_VERSION}}' --timeout=10m" | bash
     vars:
       TALOS_SCHEMATIC_ID:
-        sh: yq '.nodes[] | select(.hostname == "{{.HOSTNAME}}") | .talosImageURL' {{.TALHELPER_CONFIG_FILE}} | awk -F/ '{print $NF}'
+        sh: yq '.nodes[] | select(.ipAddress == "{{.IP}}") | .talosImageURL' {{.TALHELPER_CONFIG_FILE}} | awk -F/ '{print $NF}'
       TALOS_SECUREBOOT:
-        sh: yq '.nodes[] | select(.hostname == "{{.HOSTNAME}}") | .machineSpec.secureboot' {{.TALHELPER_CONFIG_FILE}}
+        sh: yq '.nodes[] | select(.ipAddress == "{{.IP}}") | .machineSpec.secureboot' {{.TALHELPER_CONFIG_FILE}}
       TALOS_VERSION:
         sh: yq '.talosVersion' {{.TALHELPER_CONFIG_FILE}}
     requires:
-      vars: [HOSTNAME]
+      vars: [IP]
     preconditions:
-      - curl -fsSL -o /dev/null --fail https://github.com/siderolabs/talos/releases/tag/{{.TALOS_VERSION}}
-      - talosctl --nodes {{.HOSTNAME}} get machineconfig
+      - talosctl --nodes {{.IP}} get machineconfig
       - talosctl config info
       - test -f {{.TALOSCONFIG}}
-      - which kubectl talosctl yq
+      - which kubectl talhelper talosctl yq
 
   upgrade-k8s:
     desc: Upgrade Kubernetes
-    cmd: talosctl --nodes {{.KUBERNETES_CONTROLLER}} upgrade-k8s --to {{.KUBERNETES_VERSION}}
+    cmd: talhelper gencommand upgrade-k8s --config-file {{.TALHELPER_CONFIG_FILE}} --secret-file {{.TALHELPER_SECRET_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags "--to '{{.KUBERNETES_VERSION}}'" | bash
     vars:
-      KUBERNETES_CONTROLLER:
-        sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1
       KUBERNETES_VERSION:
         sh: yq '.kubernetesVersion' {{.TALHELPER_CONFIG_FILE}}
     preconditions:
-      - curl -fsSL -o /dev/null --fail https://github.com/siderolabs/kubelet/releases/tag/{{.KUBERNETES_VERSION}}
-      - talosctl --nodes {{.KUBERNETES_CONTROLLER}} get machineconfig
       - talosctl config info
       - test -f {{.TALOSCONFIG}}
-      - which talosctl yq
+      - which talhelper talosctl yq
 
   reset:
     desc: Resets nodes back to maintenance mode

README.orig

@@ -58,7 +58,7 @@ There are **4 stages** outlined below for completing this project, make sure you
 
 3. **Install** and **activate** [mise](https://mise.jdx.dev/) following the instructions for your workstation [here](https://mise.jdx.dev/getting-started.html).
 
-4. Use `mise` to install the **required** CLI tools.
+4. Use `mise` to install the **required** CLI tools:
 
    📍 _If `mise` is having trouble compiling Python, try running `mise settings python.compile=0` and try these commands again_
 
@@ -73,7 +73,7 @@ There are **4 stages** outlined below for completing this project, make sure you
 > [!IMPORTANT]
 > The [config.sample.yaml](./config.sample.yaml) file contains config that are **vital** to the template process.
 
-1. Generate the `config.yaml` from the [config.sample.yaml](./config.sample.yaml) configuration file.
+1. Generate the `config.yaml` from the [config.sample.yaml](./config.sample.yaml) configuration file:
 
    📍 _If the below command fails `mise` is either not install or configured incorrectly._
 
@@ -83,19 +83,19 @@ There are **4 stages** outlined below for completing this project, make sure you
 
 2. Fill out the `config.yaml` configuration file using the comments in that file as a guide.
 
-3. Run the following command which will generate all the files needed to continue.
+3. Template out all the configuration files:
 
     ```sh
     task configure
     ```
 
-4. Push your changes to git
+4. Push your changes to git:
 
    📍 _**Verify** all the `./kubernetes/**/*.sops.*` files are **encrypted** with SOPS_
 
     ```sh
     git add -A
-    git commit -m "Initial commit :rocket:"
+    git commit -m "chore: initial commit :rocket:"
     git push
     ```
 
@@ -109,11 +109,11 @@ There are **4 stages** outlined below for completing this project, make sure you
     task bootstrap:talos
     ```
 
-2. Push your changes to git
+2. Push your changes to git:
 
     ```sh
     git add -A
-    git commit -m "Add talhelper encrypted secret :lock:"
+    git commit -m "chore: add talhelper encrypted secret :lock:"
     git push
     ```
 
@@ -160,15 +160,15 @@ By default Flux will periodically check your git repository for changes. In orde
 > [!IMPORTANT]
 > This will only work after you have switched over certificates to the Let's Encrypt Production servers.
 
-1. Obtain the webhook path
+1. Obtain the webhook path:
 
     📍 _Hook id and path should look like `/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123`_
 
     ```sh
     kubectl -n flux-system get receiver github-receiver -o jsonpath='{.status.webhookPath}'
     ```
 
-2. Piece together the full URL with the webhook path appended
+2. Piece together the full URL with the webhook path appended:
 
     ```text
     https://flux-webhook.${cloudflare.domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
@@ -195,19 +195,19 @@ task talos:reset # --force
 # (Re)generate the Talos config
 task talos:generate-config
 # Apply the config to the node
-task talos:apply-node HOSTNAME=? MODE=?
-# e.g. task talos:apply-config HOSTNAME=k8s-0 MODE=auto
+task talos:apply-node IP=? MODE=?
+# e.g. task talos:apply-config IP=10.10.10.10 MODE=auto
 ```
 
 ### ⬆️ Updating Talos and Kubernetes versions
 
 > [!IMPORTANT]
-> Ensure the `talosVersion` and `kubernetesVersion` in `talhelper.yaml` are up-to-date with the version you wish to upgrade to.
+> Ensure the `talosVersion` and `kubernetesVersion` in `talconfig.yaml` are up-to-date with the version you wish to upgrade to.
 
 ```sh
 # Upgrade node to a newer Talos version
-task talos:upgrade-node HOSTNAME=?
-# e.g. task talos:upgrade HOSTNAME=k8s-0
+task talos:upgrade-node IP=?
+# e.g. task talos:upgrade IP=10.10.10.10
 ```
 
 ```sh
@@ -220,9 +220,19 @@ task talos:upgrade-k8s
 
 After you have successfully bootstrapped Talos, Kubernetes and Flux it might be a good idea to clean up the repository and remove the [templates](./templates) directory and any files related to the templating process. This will also remove most of the cruft brought in from the upstream template repo.
 
-```sh
-task template:cleanup
-```
+1. Tidy up your repository:
+
+    ```sh
+    task template:tidy
+    ```
+
+2. Push your changes to git:
+
+    ```sh
+    git add -A
+    git commit -m "chore: tidy up :broom:"
+    git push
+    ```
 
 ## 🤖 Renovate
 

kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml

@@ -4,7 +4,7 @@ kind: Secret
 metadata:
   name: cert-manager-secret
 stringData:
-  api-token: ENC[AES256_GCM,data:yREFP+tffSVSOipyimU9kzDPYhSk/oQ08hE4omEAXE4X2Ss/+p8VtQ==,iv:4sSjZv2pEevNH6/PsNS9/zU2yJv4arXU/TmTvuWpnz4=,tag:+hyblS+QkVeBXurJ0224sg==,type:str]
+  api-token: ENC[AES256_GCM,data:xUBn0K+sbnagEMAnULOxdWJjuCgIMtvbLhUiMNctJCgq5Q1LyOxUbA==,iv:Y1EvkHpc05AAh121kIeZ+MiTsdAZShy2j0PuRbmqYWc=,tag:g17DHpX0b/zqhFVlm5+dUQ==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -14,14 +14,14 @@ sops:
     - recipient: age1vzkvfwvx9z7jpvm938cwjpsdsgkf3f7rfxa3v2ha42t3gwn40chqqknd2n
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxa3dLR243R00zT3B2UFZm
-        MHhJN0RmKytvbGR5VkdtNkpSTGFoYmlEM3pJCmJGK0JRc3ZiRmZORG1aOXladGRT
-        TVovV0hGcUZVeVJ5VGJSU3RDb1hCclEKLS0tIFJoUDNJR3liMFhYSWM5UW05ZUE4
-        RzZVSDl6ZVoxVDUxT0VLZ0FsWS8zRTgKI3qniTe+gMK5qxlW4QKVbxalWGYNn71E
-        SrVBJxxUlou0lew/rAxz6MXDMDjKzUkAKv3p3195i2fAnIfDo1ieGw==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SzVNcDZOalBZZ3k4b01L
+        YUhNUmdNVDYvbHg4UkRleklSSFJEZy9NSWkwCkQxamF3UGhiRWh1SWRGbWJFMmdm
+        UitSUjJKM091ZVJCZkIyWitsR1ZMUlkKLS0tIE1zNUx2djIyc1ZmRTFRQmZ1N0tP
+        MkZjTUtOL25NUlp6T3paZkIwUmdWMTAKpqjjTtUrON5AyBhQG07z8PK/J6gILl0u
+        ewIYIgFphG+OSmotT8axyA4dEPt0/jmmGkhXdqpH74IYSn5lnF2D0Q==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-01-19T17:48:43Z"
-  mac: ENC[AES256_GCM,data:v7nm1CR/++26Fs7JKfRH1Rb6D33+q0wOGMUyoW8G4D08EC4fNWh/M8kvBzv4j/eLqBWg0L53S0FuG/6HjKt+q+z8z+4XmoqSQJUcTma8sz3wV95MZ8iCCaSAOuPBVtQNFEIEkenhz4iwY1z3+art+GCnJIxP2tg1zzQKX+XuaUI=,iv:9BlqVubXjBO9+nff3ReO5NJ2cLuMB4fT81qqC0ZZa4A=,tag:HIsoWvXB6MGJ8AjdxgIIig==,type:str]
+  lastmodified: "2025-01-21T02:53:11Z"
+  mac: ENC[AES256_GCM,data:BjOOcyJ/3M4EkTVzbOb5aZXvaQMaiW8/Gyradrxi24jUOIPwhDRGjP6YNRHskQD38sBdmx6XH6G0SEvVWzPBfX8ohqvJIFlw9XxGdsLhTLBn5M4EsP+09KRv8g3Ho2qO9DYM/TxsrjGdQPugfGfKaA59NUxVaS1J1v6WKMscZaE=,iv:K7cD7RrhXrpBJwsLADnawrhiolPzIv1whJ2zgfqJkZ0=,tag:Rze/tSuYfVqY0c7vi6U53w==,type:str]
   pgp: []
   encrypted_regex: ^(data|stringData)$
   mac_only_encrypted: true

kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/secret.sops.yaml

@@ -4,7 +4,7 @@ kind: Secret
 metadata:
   name: github-webhook-token-secret
 stringData:
-  token: ENC[AES256_GCM,data:R6KOHv5UY80N5mK7geeV79xBYKCO9V+NmvNHlsCOsDA=,iv:zEYnChXVwBWkAEaC9RlbvSRCp6kxQFs+J9CbxafTgQI=,tag:X4WKPSapiyMIP/QHm5KUAw==,type:str]
+  token: ENC[AES256_GCM,data:raLp5YUv2r3nC6UxdiotLWiws1Xx/rRAnRX5qykzTp4=,iv:mKsvjb+B25TNbO/CT0tzZv9IpzLOkMObr8xye+vt1lg=,tag:SYG4WRMxtZtMlaRxZ85vXQ==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -14,14 +14,14 @@ sops:
     - recipient: age1vzkvfwvx9z7jpvm938cwjpsdsgkf3f7rfxa3v2ha42t3gwn40chqqknd2n
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwak5nRWFSTlJUZ3g2b3BM
-        U3ZMWEQyZk1aWnREeDlRangvL3BzVmJSTWxNClhrTkozV1JuSkRIY3JDVlc4dFZP
-        NFNHVUluekFGTDRPSmZUVDRDQzFMQU0KLS0tIEx0QWRLcTlvbTAzcEl5UGpyeTVw
-        eHJVS0VUOHM1QitNRno1bnJGK2gzN1EKAg4B5tXnVCZjqHndugh5hoaC8fmKG3v6
-        lPH2xF1YnRDF5rxja6fC1xEXdmSBrvpGwQzjXIZ+CKc05KOyy/cAgA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSK0E0dU5aTGFrQVJvTEdO
+        c3NsbERlM1hXSEw2MzZMYXJ1am9ValB2bG5VCk5KK3NYWEI2MlU4bkZlRnpTUWRq
+        VC9aRlBUV3M0bEtBbVpUSUM3VTcwOEEKLS0tIDJnTkROTjUvd2ZjREM1UWpOZ0lN
+        cUJwMDhSTStnbjFnRll1MnRUdmsrSWMKd1I6e8SQRAacT/FNCHFNLrP8wiNrgcot
+        5L5Nkc7WCuZFMEz/3OgkfMqDW576XBwTUjQxZmHs+H8r8BfdGbr0tw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-01-19T17:48:43Z"
-  mac: ENC[AES256_GCM,data:laTKm3feePfgkoul9ayTAD7tLmdlRB4VshnIwFRgbdv6fVsxzU3/hxj9FL4FYO2Xov6JEWvKf8zeWbe+RUnQeKXfBLxIy44A1LPAbRhKrdJc0UyHo40ebIzg1PJfY20aOAScbJFBBgg+G6SR5z9Hl+89W39AsVRUYlbdX1Ste+k=,iv:6O9esRoZadCoiJdcJ5bvVXQ/uVPxtAWGe4y2AraBEUU=,tag:pkPqzKgoif1GAP7oSRKJJA==,type:str]
+  lastmodified: "2025-01-21T02:53:11Z"
+  mac: ENC[AES256_GCM,data:bW64dx58Ffs1D//pfB433ORg0YgtXX3EWrC0x4geKP/6o3ApX3ddzBUM1jMW2xZevpuzrP/r8xwhqNtp2LCDGxqAkx6vLZvMTT8pyVM9nqFeRek512UPdrKJAWG4POXkBhdn83BypDCnhggAFtIH1/k7uF9ajV1St6gTKmn4ggQ=,iv:hb8d0MnlCGWqEemhmHoDkIh3lZakvXKgRZZDz19En0E=,tag:H8kJF7mnZ9wBb88ceWx5RQ==,type:str]
   pgp: []
   encrypted_regex: ^(data|stringData)$
   mac_only_encrypted: true