From caf4227ef68c02adef5e0876e26d3a297aa7e8b3 Mon Sep 17 00:00:00 2001
From: Noel Georgi
Date: Tue, 21 Jan 2025 16:28:54 +0530
Subject: [PATCH 1/3] fix: skip if aggregator certs are nil

Skip is K8s aggregator certs are nil.
Fixes: #225
Signed-off-by: Noel Georgi
(cherry picked from commit 69596f1e4b74a1d0f95e663315724d9e8150b5b0)
---
 pkg/talos/util.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/pkg/talos/util.go b/pkg/talos/util.go
index 974acac..4607036 100644
--- a/pkg/talos/util.go
+++ b/pkg/talos/util.go
@@ -154,10 +154,6 @@ func secretsBundleTomachineSecrets(secretsBundle *secrets.Bundle) (talosMachineS
 Cert: types.StringValue(bytesToBase64(secretsBundle.Certs.K8s.Crt)),
 Key: types.StringValue(bytesToBase64(secretsBundle.Certs.K8s.Key)),
 },
- K8sAggregator: machineSecretsCertKeyPair{
- Cert: types.StringValue(bytesToBase64(secretsBundle.Certs.K8sAggregator.Crt)),
- Key: types.StringValue(bytesToBase64(secretsBundle.Certs.K8sAggregator.Key)),
- },
 K8sServiceAccount: machineSecretsCertsK8sServiceAccount{
 Key: types.StringValue(bytesToBase64(secretsBundle.Certs.K8sServiceAccount.Key)),
 },
@@ -169,6 +165,11 @@ func secretsBundleTomachineSecrets(secretsBundle *secrets.Bundle) (talosMachineS
 },
 }

+ if secretsBundle.Certs.K8sAggregator.Crt != nil {
+ model.MachineSecrets.Certs.K8sAggregator.Cert = types.StringValue(bytesToBase64(secretsBundle.Certs.K8sAggregator.Crt))
+ model.MachineSecrets.Certs.K8sAggregator.Key = types.StringValue(bytesToBase64(secretsBundle.Certs.K8sAggregator.Key))
+ }
+
 // support for talos < 1.3
 if secretsBundle.Secrets.AESCBCEncryptionSecret != "" {
 model.MachineSecrets.Secrets.AESCBCEncryptionSecret = types.StringValue(secretsBundle.Secrets.AESCBCEncryptionSecret)
From 06de97e620d1e4192fdb936a08c399956dd12b45 Mon Sep 17 00:00:00 2001
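Review bot: The guard added in the second hunk tests `secretsBundle.Certs.K8sAggregator.Crt != nil`, which already reads a field of `K8sAggregator`; if that member is a pointer in `secrets.Bundle` (its declaration is not visible on this page), a bundle with no aggregator section would still panic on this very line. Checking the struct before its field would cover both cases: `if agg := secretsBundle.Certs.K8sAggregator; agg != nil && agg.Crt != nil {`. The condition also looks only at `Crt` while the body copies `Key` as well, so a bundle carrying a certificate without a key would store an empty key beside it; it is worth deciding whether that case should be skipped or reported. The sibling entries such as `secretsBundle.Certs.K8s.Crt` in the first hunk's context are still dereferenced unconditionally, and the rest of secretsBundleTomachineSecrets lies outside both hunks.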
From: Noel Georgi
Date: Tue, 21 Jan 2025 17:27:20 +0530
Subject: [PATCH 2/3] fix: drop talos<->k8s compatibility check

We don't have correct way of knowing which talos version or the k8s version the cluster is currently running, so drop the check which was based on talos version contract which would prevent setting kubernetes version if the cluster was initially created with an old version contract.
Fixes: #228
Signed-off-by: Noel Georgi
(cherry picked from commit 46ab81ca8b799e5390cf398a4a65210d2425a41e)
---
 ...talos_machine_configuration_data_source.go | 44 -------------------
 ..._machine_configuration_data_source_test.go | 14 ------
 2 files changed, 58 deletions(-)
diff --git a/pkg/talos/talos_machine_configuration_data_source.go b/pkg/talos/talos_machine_configuration_data_source.go
index b2077c3..7855480 100644
--- a/pkg/talos/talos_machine_configuration_data_source.go
+++ b/pkg/talos/talos_machine_configuration_data_source.go
@@ -6,7 +6,6 @@ package talos

 import (
 "context"
- "strings"
 "time"

 "github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
@@ -16,8 +15,6 @@ import (
 "github.com/hashicorp/terraform-plugin-framework/types"
 "github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 "github.com/siderolabs/crypto/x509"
- machineapi "github.com/siderolabs/talos/pkg/machinery/api/machine"
- "github.com/siderolabs/talos/pkg/machinery/compatibility"
 "github.com/siderolabs/talos/pkg/machinery/config/configpatcher"
 "github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
 "github.com/siderolabs/talos/pkg/machinery/config/machine"
@@ -333,47 +330,6 @@ func (d *talosMachineConfigurationDataSource) ValidateConfig(ctx context.Context

 return
 }
-
- if !state.KubernetesVersion.IsUnknown() && !state.KubernetesVersion.IsNull() && !state.TalosVersion.IsUnknown() {
- k8sVersionCompatibility, err := compatibility.ParseKubernetesVersion(strings.TrimPrefix(state.KubernetesVersion.ValueString(), "v"))
- if err != nil {
- resp.Diagnostics.AddError(
- "kubernetes_version is invalid",
- err.Error(),
- )
-
- return
- }
-
- talosVersionInfo := &machineapi.VersionInfo{}
-
- if state.TalosVersion.IsNull() {
- talosVersionInfo.Tag = gendata.VersionTag
- }
-
- if !state.TalosVersion.IsNull() {
- talosVersionInfo.Tag = state.TalosVersion.ValueString()
- }
-
- talosVersionCompatibility, err := compatibility.ParseTalosVersion(talosVersionInfo)
- if err != nil {
- resp.Diagnostics.AddError(
- "talos_version is invalid",
- err.Error(),
- )
-
- return
- }
-
- if err := k8sVersionCompatibility.SupportedWith(talosVersionCompatibility); err != nil {
- resp.Diagnostics.AddError(
- "talos_version is not compatible with kubernetes_version",
- err.Error(),
- )
-
- return
- }
- }
 }

 func certSchemaInput() schema.SingleNestedAttribute {
diff --git a/pkg/talos/talos_machine_configuration_data_source_test.go b/pkg/talos/talos_machine_configuration_data_source_test.go
index 1d35ede..d8f678d 100644
--- a/pkg/talos/talos_machine_configuration_data_source_test.go
+++ b/pkg/talos/talos_machine_configuration_data_source_test.go
@@ -191,26 +191,12 @@ func TestAccTalosMachineConfigurationDataSource(t *testing.T) {
 Config: testAccTalosMachineConfigurationDataSourceConfig("", "example-cluster-6", "control", "https://cluster.local", "", false, false, true, true),
 ExpectError: regexp.MustCompile("Attribute machine_type value must be one of:"),
 },
- // test validating kubernetes compatibility with the default talos version
- {
- Config: testAccTalosMachineConfigurationDataSourceConfig("", "example-cluster-7", "controlplane", "https://cluster.local", "v1.23.0", false, false, true, true),
- ExpectError: regexp.MustCompile(fmt.Sprintf("version of Kubernetes 1.23.0 is too old to be used with Talos %s", strings.TrimPrefix(gendata.VersionTag, "v"))),
- },
- // test validating kubernetes compatibility with a specific talos version
- {
- Config: testAccTalosMachineConfigurationDataSourceConfig("v1.3", "example-cluster-8", "controlplane", "https://cluster.local", "v1.23.0", false, false, true, true),
- ExpectError: regexp.MustCompile("version of Kubernetes 1.23.0 is too old to be used with Talos 1.3.0"),
- },
 // test validating config patches at plan time
 {
 PlanOnly: true,
 Config: testAccTalosMachineConfigurationDataSourceConfig("v1.3", "example-cluster-8", "controlplane", "https://cluster.local", "v1.23.0", true, true, true, true),
 ExpectError: regexp.MustCompile("unknown keys found during decoding:"),
 },
- { // this is just added so that the plan only test above doesn't fail
- PlanOnly: true,
- Config: testAccTalosMachineConfigurationDataSourceConfig("v1.3", "example-cluster-8", "controlplane", "https://cluster.local", "", false, false, true, true),
- },
 },
 })
 }
From 7ba1d20519a29a7b91220663d9168aaadcda9e07 Mon Sep 17 00:00:00 2001
From: Noel Georgi
Date: Wed, 22 Jan 2025 13:05:47 +0530
Subject: [PATCH 3/3] chore: bump talos machinery

Bump talos machinery.
Signed-off-by: Noel Georgi
---
 .conform.yaml | 4 ++--
 go.mod | 8 ++++----
 go.sum | 20 +++++++++----------
 ...image_factory_versions_data_source_test.go | 2 +-
 4 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/.conform.yaml b/.conform.yaml
index a952203..f5d3505 100644
--- a/.conform.yaml
+++ b/.conform.yaml
@@ -13,7 +13,7 @@ policies:
 gitHubOrganization: siderolabs
 spellcheck:
 locale: US
- maximumOfOneCommit: true
+ maximumOfOneCommit: false
 header:
 length: 89
 imperative: true
@@ -23,4 +23,4 @@ policies:
 required: true
 conventional:
 types: ["chore","docs","perf","refactor","style","test","release"]
- scopes: [".*"]
\ No newline at end of file
+ scopes: [".*"]
diff --git a/go.mod b/go.mod
index 1818039..566d535 100644
--- a/go.mod
+++ b/go.mod
@@ -20,8 +20,8 @@ require (
 github.com/siderolabs/go-blockdevice v0.4.8
 github.com/siderolabs/image-factory v0.6.4
 github.com/siderolabs/net v0.4.0
- github.com/siderolabs/talos v1.9.0
- github.com/siderolabs/talos/pkg/machinery v1.9.0
+ github.com/siderolabs/talos v1.9.2
+ github.com/siderolabs/talos/pkg/machinery v1.9.2
 github.com/stretchr/testify v1.10.0
 golang.org/x/mod v0.22.0
 google.golang.org/grpc v1.69.0
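Review bot: The `maximumOfOneCommit: true` to `false` switch in the first `.conform.yaml` hunk relaxes a commit-policy check, yet neither the subject nor the description of this commit ("bump talos machinery") mentions it. If the check is only being turned off because this series carries several cherry-picked commits (an assumption; the page does not say), a comment above the key would record that, for example `# backports carry more than one cherry-picked commit`. Otherwise the policy change would be easier to find and revert as a commit of its own.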
@@ -174,13 +174,13 @@ require (
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
 github.com/shopspring/decimal v1.3.1 // indirect
- github.com/siderolabs/go-blockdevice/v2 v2.0.7 // indirect
+ github.com/siderolabs/go-blockdevice/v2 v2.0.11 // indirect
 github.com/siderolabs/go-circular v0.2.1 // indirect
 github.com/siderolabs/go-kubernetes v0.2.17 // indirect
 github.com/siderolabs/go-pointer v1.0.0 // indirect
 github.com/siderolabs/go-procfs v0.1.2 // indirect
 github.com/siderolabs/go-retry v0.3.3 // indirect
- github.com/siderolabs/go-talos-support v0.1.1 // indirect
+ github.com/siderolabs/go-talos-support v0.1.2 // indirect
 github.com/sigstore/cosign/v2 v2.4.1 // indirect
 github.com/sigstore/protobuf-specs v0.3.2 // indirect
 github.com/sigstore/rekor v1.3.6 // indirect
diff --git a/go.sum b/go.sum
index 2902e30..5d631ce 100644
--- a/go.sum
+++ b/go.sum
@@ -213,8 +213,8 @@ github.com/cosi-project/runtime v0.7.6/go.mod h1:AmDu/IfE/Q0YYzWRnAkDw2GNuMazpNp github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8= -github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM= +github.com/cyphar/filepath-securejoin v0.3.5 h1:L81NHjquoQmcPgXcttUS9qTSR/+bXry6pbSINQGpjj4= +github.com/cyphar/filepath-securejoin v0.3.5/go.mod h1:edhVd3c6OXKjUmSrVa/tGJRS9joFTxlslFCAyaxigkE= github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE= github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -655,8 +655,8 @@ github.com/siderolabs/go-api-signature v0.3.6 h1:wDIsXbpl7Oa/FXvxB6uz4VL9INA9fmr github.com/siderolabs/go-api-signature v0.3.6/go.mod h1:hoH13AfunHflxbXfh+NoploqV13ZTDfQ1mQJWNVSW9U= github.com/siderolabs/go-blockdevice v0.4.8 h1:KfdWvIx0Jft5YVuCsFIJFwjWEF1oqtzkgX9PeU9cX4c= github.com/siderolabs/go-blockdevice v0.4.8/go.mod h1:4PeOuk71pReJj1JQEXDE7kIIQJPVe8a+HZQa+qjxSEA= -github.com/siderolabs/go-blockdevice/v2 v2.0.7 h1:OCxxA7W1xVqbEP3MrCttqhKpuV4t1KkBTzNeboYDTmc= -github.com/siderolabs/go-blockdevice/v2 v2.0.7/go.mod h1:74htzCV913UzaLZ4H+NBXkwWlYnBJIq5m/379ZEcu8w= +github.com/siderolabs/go-blockdevice/v2 v2.0.11 h1:r7mbbXMn8OZmJA2fJJdomjlZKexRi66ELVZGXJUaNU8= +github.com/siderolabs/go-blockdevice/v2 v2.0.11/go.mod h1:74htzCV913UzaLZ4H+NBXkwWlYnBJIq5m/379ZEcu8w= github.com/siderolabs/go-circular v0.2.1 h1:a++iVCn9jyhICX3POQZZX8n72p2h5JGdGU6w1ulmpcA= github.com/siderolabs/go-circular v0.2.1/go.mod h1:ZDItzVyXK+B/XuqTBV5MtQtSv06VI+oCmWGRnNCATo8= github.com/siderolabs/go-kubernetes v0.2.17 h1:xxwDtoPQx032Ot6zAhDyOssfMazZG57gjzDGkpaVJuE= 
@@ -667,18 +667,18 @@ github.com/siderolabs/go-procfs v0.1.2 h1:bDs9hHyYGE2HO1frpmUsD60yg80VIEDrx31fkb github.com/siderolabs/go-procfs v0.1.2/go.mod h1:dBzQXobsM7+TWRRI3DS9X7vAuj8Nkfgu3Z/U9iY3ZTY= github.com/siderolabs/go-retry v0.3.3 h1:zKV+S1vumtO72E6sYsLlmIdV/G/GcYSBLiEx/c9oCEg= github.com/siderolabs/go-retry v0.3.3/go.mod h1:Ff/VGc7v7un4uQg3DybgrmOWHEmJ8BzZds/XNn/BqMI= -github.com/siderolabs/go-talos-support v0.1.1 h1:g51J0WQssQAycU/0cDliC2l4uX2H02yUs2+fa5pCvHg= -github.com/siderolabs/go-talos-support v0.1.1/go.mod h1:o4woiYS+2J3djCQgyHZRVZQm8XpazQr+XPcTXAZvamo= +github.com/siderolabs/go-talos-support v0.1.2 h1:xKFwT8emzxpmamIe3W35QlmadC54OaPNO9/Y+fL7WwM= +github.com/siderolabs/go-talos-support v0.1.2/go.mod h1:o9zRfWJQhW5j3PQxs7v0jmG4igD4peDatqbAGQFe4oo= github.com/siderolabs/image-factory v0.6.4 h1:BMirVs99OODjjzjfMyGblvF/OrXqOwAACfp++ipfriM= github.com/siderolabs/image-factory v0.6.4/go.mod h1:KY9UkMRqzC+dVVy3z8sWpN/Jg6Ce+I8cVJb97SR32SI= github.com/siderolabs/net v0.4.0 h1:1bOgVay/ijPkJz4qct98nHsiB/ysLQU0KLoBC4qLm7I= github.com/siderolabs/net v0.4.0/go.mod h1:/ibG+Hm9HU27agp5r9Q3eZicEfjquzNzQNux5uEk0kM= github.com/siderolabs/protoenc v0.2.1 h1:BqxEmeWQeMpNP3R6WrPqDatX8sM/r4t97OP8mFmg6GA= github.com/siderolabs/protoenc v0.2.1/go.mod h1:StTHxjet1g11GpNAWiATgc8K0HMKiFSEVVFOa/H0otc= -github.com/siderolabs/talos v1.9.0 h1:hfQA/YKgT7zUvEsHfxNaOmWtl3kaXfogdjLdUQyEkTE= -github.com/siderolabs/talos v1.9.0/go.mod h1:tfpH28CTBURTF68lf97xUEFZt/p4TKzCMzhd7JgU054= -github.com/siderolabs/talos/pkg/machinery v1.9.0 h1:9WWhu6yOlnbGousV6E8StwSntI3+JJf0debXEJZCAkg= -github.com/siderolabs/talos/pkg/machinery v1.9.0/go.mod h1:0EnV+wg+qr86sR+riUgutxaOZqWFSnrC/mx52TpNyIQ= +github.com/siderolabs/talos v1.9.2 h1:TT3MAoeh6v/pcAXkiu5Dd7XLutz2NH34DxLqCGvX0ek= +github.com/siderolabs/talos v1.9.2/go.mod h1:oCHfobIOBITDvOFavqI6CcFalVk4Pa/dXmHed+MYKP8= +github.com/siderolabs/talos/pkg/machinery v1.9.2 h1:Y1MuXHUHOHikxF7IG76HniOo8tJvC8JoBlDfZ8URjpM= 
+github.com/siderolabs/talos/pkg/machinery v1.9.2/go.mod h1:AESzrVUMVMbrGiVdCQ5af7qYtL4ykCyee7dAgOTia3s= github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU= github.com/sigstore/cosign/v2 v2.4.1/go.mod h1:GvzjBeUKigI+XYnsoVQDmMAsMMc6engxztRSuxE+x9I= github.com/sigstore/fulcio v1.6.3 h1:Mvm/bP6ELHgazqZehL8TANS1maAkRoM23CRAdkM4xQI= diff --git a/pkg/talos/talos_image_factory_versions_data_source_test.go b/pkg/talos/talos_image_factory_versions_data_source_test.go index 609852e..b741207 100644 --- a/pkg/talos/talos_image_factory_versions_data_source_test.go +++ b/pkg/talos/talos_image_factory_versions_data_source_test.go @@ -26,7 +26,7 @@ func TestAccTalosImageFactoryVersionsDataSource(t *testing.T) { { Config: testAccTalosImageFactoryVersionsDataSourceWithFilterConfig(), ConfigStateChecks: []statecheck.StateCheck{ - statecheck.ExpectKnownOutputValue("talos_version", knownvalue.StringExact("v1.9.0")), + statecheck.ExpectKnownOutputValue("talos_version", knownvalue.StringExact("v1.9.2")), }, }, },