fix(deps): update module github.com/siderolabs/talos/pkg/machinery v1.14.0-alpha.1 → v1.14.0-alpha.2 #250
Closed
truecharts-admin wants to merge 1 commit into
Conversation
….14.0-alpha.1 → v1.14.0-alpha.2
Contributor
Author
ℹ️ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the
Details:
Crow-Control
approved these changes
Jun 26, 2026
Crow-Control
left a comment
Member
Auto approved automated PR
This PR contains the following updates:
v1.14.0-alpha.1 → v1.14.0-alpha.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
siderolabs/talos (github.com/siderolabs/talos/pkg/machinery)
v1.14.0-alpha.2
Talos 1.14.0-alpha.2 (2026-06-26)
Welcome to the v1.14.0-alpha.2 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
DNS over TLS (DoT) and DNS over HTTPS (DoH) Support
Talos now supports DNS over TLS (DoT) and DNS over HTTPS (DoH) for secure DNS resolution.
These features allow Talos to encrypt DNS queries and responses, enhancing privacy and security for DNS traffic.
The DNS protocol can be configured on a per-name server basis in the ResolverConfig document, allowing for flexible configuration of DNS resolution.
noexec on EPHEMERAL (/var)
The EPHEMERAL volume (/var) is now mounted with noexec in addition to the existing nosuid and nodev, blocking binary execution from /var.
Workloads that exec binaries placed under /var will break.
For example, Longhorn v1's instance-manager execs engine binaries the engine-image DaemonSet drops under /var/lib/longhorn/engine-binaries/, which now fails with permission denied. Affected users can opt out via a VolumeConfig document:
Upgrade note: apply this VolumeConfig patch before upgrading, otherwise affected workloads will fail after the next reboot. Longhorn v2 (SPDK data engine) runs the data plane inside the instance manager process and is not affected.
Apply Configuration Modes
The '--mode=reboot' option has been removed from the talosctl apply-config command; by default, configuration is applied without a reboot.
Most configuration changes don't require a reboot; the documentation lists the changes that do.
Btrfs Support
Talos now supports mounting and provisioning btrfs filesystem for user volumes and existing volumes.
Support for btrfs is enabled by installing btrfs system extension.
Containerd NRI
Talos no longer disables NRI (Node Resource Interface) for the CRI containerd instance by default, so NRI is available
to use without any machine config patches.
To bring back the old behavior of NRI disabled by default, use the following machine config patch:
Default Installer Image
The default installer image has been updated to use the Image Factory.
The ghcr.io/siderolabs/installer image is no longer published with releases; use the Image Factory installer image instead.
DHCP Search Domains
DHCPv4 search domains are now applied to the resolver configuration.
Encryption Discards
Volume encryption now supports an allowDiscards option (disabled by default) which passes TRIM/discard requests through to the underlying device when the encrypted volume is opened.
This only enables passing discards through to the underlying device; Talos does not perform any fstrim/discard operation by itself.
etcd
Talos is now compatible with etcd v3.6.x only (the default etcd version was 3.6.x since Talos v1.11).
The default version is 3.7.0+ now.
etcd now serves its HTTP-only endpoints (/metrics, /health, the gRPC-gateway JSON API) on a dedicated listener on port 2383, while the client port 2379 serves gRPC only. This keeps gRPC off Go's net/http HTTP/2 server, avoiding watch-stream starvation under TLS (see etcd-io/etcd#15402, golang/go#58804, etcd-io/etcd#21605).
Upgrade note: etcd metrics and the HTTP health endpoint are no longer reachable on 2379; scrape them on port 2383 instead (same client mTLS as before). etcd gRPC clients and the Talos health check are unaffected.
Firewall might need to be adjusted to block the port 2383 if previously 2379 was blocked.
If --listen-metrics-urls was customized, the metrics should not move.
Filesystem Trim
Talos can now periodically trim (the equivalent of the fstrim command) mounted filesystems which support trimming, discarding unused blocks. This is useful for SSDs and thin-provisioned storage.
Trimming is opt-in via a new FilesystemTrimConfig document which sets the global trim interval:
The default machine configuration for Talos 1.14+ includes a FilesystemTrimConfig document with a default trim interval of one week, so trimming is enabled by default for eligible filesystems. For clusters which were upgraded from older versions, the FilesystemTrimConfig document will be missing, so trimming will be disabled by default until the document is added.
When the document is present, Talos builds a stable schedule (hashed by node ID and volume ID, so trims are spread out across volumes and across nodes in a cluster) and trims eligible volumes (ready disk/partition volumes with a trim-capable filesystem; for encrypted volumes only when allowDiscards is set).
The trim interval can be overridden or disabled per-volume via a trim block on the volume documents (VolumeConfig, UserVolumeConfig, ExistingVolumeConfig, ExternalVolumeConfig):
Flannel CNI
Talos now configures Flannel with the EnableNFTables option enabled, which uses nftables native backend instead of iptables-nft compatibility layer.
Host DNS Configuration
HostDNS configuration was moved from the v1alpha1 config .machine.features.hostDNS field to the new hostDNS in the ResolverConfig document.
HTTP Probe Support
Talos now supports HTTP network probes, allowing for monitoring of HTTP endpoints.
HTTP responses with status 200-399 are considered successful, while connection and transport errors are treated as failures.
Image Cache Configuration
Talos now supports a new ImageCacheConfig document for configuring the Image Cache feature, replacing the old machine.features.imageCache field in the v1alpha1 config.
Old configuration is still supported for backwards compatibility.
Kernel Multi-document Configuration
Talos introduces new multi-document configuration for kernel parameters (sysctl and sysfs settings), replacing the old v1alpha1 config fields.
The old configuration is still supported for backwards compatibility, but new deployments should use the new documents.
If both old and new configuration sources are used, the new multi-document configuration takes precedence over the old v1alpha1 config on conflicting fields.
List of changes:
.machine.sysctls in the v1alpha1 config; use the SysctlConfig document for kernel sysctl configuration.
.machine.sysfs in the v1alpha1 config; use the SysfsConfig document for sysfs configuration.
Kernel Module Status
Talos now reports the status of both dynamically loaded and built-in kernel modules.
The LoadedKernelModule resource has been deprecated and superseded by the new KernelModuleStatus resource.
Kubernetes Multi-document Configuration
Talos introduces new multi-document Kubernetes configuration, which allows for more flexible and modular configuration of Kubernetes components.
Talos still supports the old v1alpha1 config for backwards compatibility, but new features and fields will only be available in the new multi-document format.
Talos introduces support for configuring multiple discovery service endpoints.
The kube-proxy is now using configuration to manage its settings instead of command line arguments (with new KubeProxyConfig document).
List of changes:
.cluster.secretboxEncryptionSecret in the v1alpha1 config; use the KubeEtcdEncryptionConfig document for full etcd encryption configuration.
.cluster.apiServer in the v1alpha1 config; use the KubeAPIServerConfig, KubeAdmissionControlConfig, KubeAuditPolicyConfig, KubeAuthenticationConfig and KubeAuthorizerConfig documents for kube-apiserver configuration.
.cluster.controllerManager in the v1alpha1 config; use the KubeControllerManagerConfig document for kube-controller-manager configuration.
.cluster.scheduler in the v1alpha1 config; use the KubeSchedulerConfig document for kube-scheduler configuration.
.cluster.proxy in the v1alpha1 config; use the KubeProxyConfig document for kube-proxy configuration.
.cluster.network in the v1alpha1 config; use the KubeNetworkConfig document for Kubernetes network configuration; Flannel can be configured using the KubeFlannelCNIConfig document.
.cluster.discovery in the v1alpha1 config; use the DiscoveryServiceConfig document for discovery service configuration. The v1alpha1 config and DiscoveryServiceConfig are mutually exclusive.
LVM Logical Volume Creation
Logical volumes can now be declared with a new LVMLogicalVolumeConfig multi-doc config kind. Each document names a logical volume, its parent volumeGroup, a type (linear, raid0, raid1 or raid10) and a maxSize (absolute, e.g. 50GiB, or a percentage of the volume group, e.g. 80%). RAID layouts accept optional mirrors (raid1/raid10, default 1) and stripes (raid0/raid10, default: all available physical volumes) fields. Once the volume group is assembled the logical volume is created via lvcreate.
Raising maxSize grows an existing logical volume via lvextend; percentage-sized volumes also grow when their volume group is extended. Shrinking is never performed (it risks data loss) - a request to reduce the size surfaces an LVMValidationError instead. Removal stays an explicit operation via the LVMService LVremove RPC (talosctl wipe lv).
LVM Status
Talos now provides detailed LVM status information, allowing for better monitoring and management of LVM volumes.
New resources LVMPhysicalVolumeStatus, LVMVolumeGroupStatus, and LVMLogicalVolumeStatus expose PV, VG, and LV details.
DiscoveredVolume resources for logical volumes are listed by their kernel name (e.g. dm-0). To resolve the <vg>/<lv> for a given device, use the Disks or BlockSymlinks resources, which carry the udev-managed symlinks (e.g. /dev/disk/by-id/dm-name-<vg>-<lv>).
LVM Volume Group Creation
Talos can now create and grow LVM Volume Groups declaratively through a new LVMVolumeGroupConfig multi-doc config kind. Each document names a Volume Group and a CEL volumeSelector over the disk inventory; matched disks are initialised as Physical Volumes (pvcreate) and aggregated into the requested VG (vgcreate).
Newly matched disks added to an existing VG are attached via vgextend.
Reconciliation is strictly additive and safe-by-default.
LVM Wipe
Talos now provides the ability to securely wipe LVM metadata from logical volumes, volume groups, and physical volumes.
This feature allows for selective wiping of logical volumes, volume groups, and physical volumes.
With talosctl wipe lv/vg/pv <name>, users can wipe LVM metadata from a specific logical volume, volume group, or physical volume.
NTS for Time Synchronization
Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.
NTS is enabled by default (without any configuration sources) for the default time.cloudflare.com time server.
NTS can be enabled for custom time servers via the new useNTS field in the TimeServerConfig document.
ICMP send_redirects Disabled by Default
Talos now sets net.ipv4.conf.all.send_redirects=0 and net.ipv4.conf.default.send_redirects=0 by default, preventing the node from emitting ICMP redirect messages. This aligns with CIS Benchmark recommendations and does not affect normal Kubernetes pod or service traffic. Nodes that deliberately act as L3 gateways relying on ICMP redirects can override this via machine.sysctls.
Support Bundle Encryption
The talosctl support command now encrypts support bundles using the age encryption tool, enhancing the security of support data.
The default set of recipients includes the 'siderolabs' GitHub organization members, but it can be overridden with custom recipients.
TLS 1.3 Minimum Version
Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.
Component Updates
Linux: 6.18.36
Kubernetes: 1.36.2
containerd: 2.3.2
etcd: 3.7.0-rc.0-0
Flannel: v0.28.5
runc: 1.5.0-rc.3
CoreDNS: 1.14.2
Talos is built with Go 1.26.4.
Contributors
Changes
332 commits
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
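An added example, not part of this PR or of the Talos code base: a Go check for the "noexec on EPHEMERAL (/var)" change in the release notes above, which finds the mount that governs a path and reports which of noexec, nosuid and nodev are missing. The mount table, device names and all function names are constructed for illustration; on a real node the input would be the contents of /proc/mounts.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in /proc/mounts format:
// device, mount point, fstype, options, dump, pass.
// Devices and option sets are made up for this example.
const sampleMounts = `/dev/sda6 /var xfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0
/dev/sdb1 /var/mnt/data xfs rw,nosuid,nodev,relatime 0 0
`

// Flags the release notes list for the EPHEMERAL (/var) mount.
var hardening = []string{"noexec", "nosuid", "nodev"}

type mount struct {
	point string
	opts  map[string]bool
}

// parseMounts reads /proc/mounts-style text and skips malformed lines.
func parseMounts(text string) []mount {
	var out []mount
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue
		}
		opts := map[string]bool{}
		for _, o := range strings.Split(f[3], ",") {
			opts[o] = true
		}
		out = append(out, mount{point: f[1], opts: opts})
	}
	return out
}

// governing returns the mount that applies to path: the longest mount point
// that is a whole-component prefix of path. On a tie the later entry wins,
// because a later mount on the same point shadows the earlier one.
func governing(mounts []mount, path string) (mount, bool) {
	var best mount
	found := false
	for _, m := range mounts {
		prefix := strings.TrimSuffix(m.point, "/") + "/"
		if path != m.point && !strings.HasPrefix(path, prefix) {
			continue
		}
		if !found || len(m.point) >= len(best.point) {
			best, found = m, true
		}
	}
	return best, found
}

// missingFlags lists the hardening flags absent from the mount governing path.
// An empty result means exec, setuid and device nodes are all blocked there.
func missingFlags(mounts []mount, path string) ([]string, error) {
	m, ok := governing(mounts, path)
	if !ok {
		return nil, fmt.Errorf("no mount in the table covers %s", path)
	}
	var missing []string
	for _, f := range hardening {
		if !m.opts[f] {
			missing = append(missing, f)
		}
	}
	return missing, nil
}

func main() {
	mounts := parseMounts(sampleMounts)
	paths := []string{
		"/var/lib/longhorn/engine-binaries", // path named in the release notes
		"/var/mnt/data/bin/tool",            // constructed path on a separate mount
	}
	for _, p := range paths {
		missing, err := missingFlags(mounts, p)
		if err != nil {
			fmt.Println(p, "->", err)
			continue
		}
		fmt.Printf("%s -> missing flags: %v\n", p, missing)
	}
}
```

An empty list for a path means a workload that execs binaries from it will hit permission denied after the upgrade; a submount under /var is evaluated on its own options, not those of /var.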