fix(deps): update module github.com/siderolabs/talos/pkg/machinery v1.14.0-alpha.1 → v1.14.0-alpha.2 #250

Closed
truecharts-admin wants to merge 1 commit into main from renovate/github.com-siderolabs-talos-pkg-machinery-1.14.x

truecharts-admin (Contributor) commented Jun 26, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
github.com/siderolabs/talos/pkg/machinery v1.14.0-alpha.1 → v1.14.0-alpha.2 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

siderolabs/talos (github.com/siderolabs/talos/pkg/machinery)

v1.14.0-alpha.2

Talos 1.14.0-alpha.2 (2026-06-26)

Welcome to the v1.14.0-alpha.2 release of Talos!
This is a pre-release of Talos.

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

DNS over TLS (DoT) and DNS over HTTPS (DoH) Support

Talos now supports DNS over TLS (DoT) and DNS over HTTPS (DoH) for secure DNS resolution.
These features allow Talos to encrypt DNS queries and responses, enhancing privacy and security for DNS traffic.
The DNS protocol can be configured on a per-name server basis in the ResolverConfig document, allowing for flexible configuration of DNS resolution.

noexec on EPHEMERAL (/var)

The EPHEMERAL volume (/var) is now mounted with noexec in addition to the existing nosuid and nodev,
blocking binary execution from /var.

Workloads that exec binaries placed under /var will break.
For example, Longhorn v1's instance-manager execs engine binaries that the engine-image DaemonSet drops under /var/lib/longhorn/engine-binaries/,
which now fails with permission denied. Affected users can opt out via a VolumeConfig document:

apiVersion: v1alpha1
kind: VolumeConfig
name: EPHEMERAL
mount:
  secure: false

NOTE: Setting secure: false will also disable nosuid and nodev, which may have security implications. Use with caution.

Upgrade note: apply this VolumeConfig patch before upgrading, otherwise affected workloads will fail after the next reboot. Longhorn v2 (SPDK data engine) runs the data plane inside the instance manager process and is not affected.

Apply Configuration Modes

The '--mode=reboot' option has been removed from the talosctl apply-config command; by default, configuration is applied without a reboot.
Most configuration changes don't require a reboot; the documentation lists the changes that do.

Btrfs Support

Talos now supports mounting and provisioning btrfs filesystems for user volumes and existing volumes.

Support for btrfs is enabled by installing the btrfs system extension.

Containerd NRI

Talos no longer disables NRI (Node Resource Interface) for the CRI containerd instance by default, so NRI is available
to use without any machine config patches.

To bring back the old behavior of NRI disabled by default, use the following machine config patch:

machine:
  files:
    - content: |
        [plugins]
          [plugins."io.containerd.nri.v1.nri"]
             disable = true
      path: /etc/cri/conf.d/20-customization.part
      op: create

Default Installer Image

The default installer image has been updated to use the Image Factory.
The ghcr.io/siderolabs/installer image is no longer published with releases; use the Image Factory installer image instead.

DHCP Search Domains

DHCPv4 search domains are now applied to the resolver configuration.

Encryption Discards

Volume encryption now supports an allowDiscards option (disabled by default) which passes TRIM/discard requests
through to the underlying device when the encrypted volume is opened.

This only enables passing discards through to the underlying device; Talos does not perform any fstrim/discard operation by itself.

etcd

Talos is now compatible with etcd v3.6.x only (the default etcd version was 3.6.x since Talos v1.11).
The default version is 3.7.0+ now.

etcd now serves its HTTP-only endpoints (/metrics, /health, the gRPC-gateway JSON API) on a dedicated
listener on port 2383, while the client port 2379 serves gRPC only. This keeps gRPC off Go's net/http
HTTP/2 server, avoiding watch-stream starvation under TLS (see etcd-io/etcd#15402, golang/go#58804,
etcd-io/etcd#21605).

Upgrade note: etcd metrics and the HTTP health endpoint are no longer reachable on 2379; scrape them on
port 2383 instead (same client mTLS as before). etcd gRPC clients and the Talos health check are unaffected.

The firewall might need to be adjusted to block port 2383 if 2379 was previously blocked.

If --listen-metrics-urls was customized, the metrics should not move.

Filesystem Trim

Talos can now periodically trim (the equivalent of the fstrim command) mounted filesystems which support trimming,
discarding unused blocks. This is useful for SSDs and thin-provisioned storage.

Trimming is opt-in via a new FilesystemTrimConfig document which sets the global trim interval:

apiVersion: v1alpha1
kind: FilesystemTrimConfig
interval: 168h0m0s # one week

The default machine configuration for Talos 1.14+ includes a FilesystemTrimConfig document with a default trim interval of one week,
so trimming is enabled by default for eligible filesystems. For clusters that were upgraded from older versions, the FilesystemTrimConfig document will be missing,
so trimming will be disabled by default until the document is added.

When the document is present, Talos builds a stable schedule (hashed by node ID and volume ID, so trims are spread out
across volumes and across nodes in a cluster) and trims eligible volumes (ready disk/partition volumes with a
trim-capable filesystem; for encrypted volumes only when allowDiscards is set).

The trim interval can be overridden or disabled per-volume via a trim block on the volume documents
(VolumeConfig, UserVolumeConfig, ExistingVolumeConfig, ExternalVolumeConfig):

trim:
  enabled: true
  interval: 24h0m0s

Flannel CNI

Talos now configures Flannel with the EnableNFTables option enabled, which uses the native nftables backend instead of the iptables-nft compatibility layer.

Host DNS Configuration

HostDNS configuration was moved from the v1alpha1 config .machine.features.hostDNS field to the new hostDNS in the ResolverConfig document.

HTTP Probe Support

Talos now supports HTTP network probes, allowing for monitoring of HTTP endpoints.
HTTP responses with status 200-399 are considered successful, while connection and transport errors are treated as failures.

Image Cache Configuration

Talos now supports a new ImageCacheConfig document for configuring the Image Cache feature, replacing the old machine.features.imageCache field in the v1alpha1 config.
Old configuration is still supported for backwards compatibility.

Kernel Multi-document Configuration

Talos introduces new multi-document configuration for kernel parameters (sysctl and sysfs settings), replacing the old v1alpha1 config fields.
The old configuration is still supported for backwards compatibility, but new deployments should use the new documents.

If both old and new configuration sources are used, the new multi-document configuration takes precedence over the old v1alpha1 config on conflicting fields.

List of changes:

  • Deprecated .machine.sysctls in the v1alpha1 config; use the SysctlConfig document for kernel sysctl configuration.
  • Deprecated .machine.sysfs in the v1alpha1 config; use the SysfsConfig document for sysfs configuration.

Kernel Module Status

Talos now reports the status of both dynamically loaded and built-in kernel modules.

The LoadedKernelModule resource has been deprecated and superseded by the new KernelModuleStatus resource.

Kubernetes Multi-document Configuration

Talos introduces new multi-document Kubernetes configuration, which allows for more flexible and modular configuration of Kubernetes components.
Talos still supports the old v1alpha1 config for backwards compatibility, but new features and fields will only be available in the new multi-document format.
Talos introduces support for configuring multiple discovery service endpoints.
The kube-proxy is now using configuration to manage its settings instead of command line arguments (with new KubeProxyConfig document).

List of changes:

  • Deprecated .cluster.secretboxEncryptionSecret in the v1alpha1 config; use the KubeEtcdEncryptionConfig document for full etcd encryption configuration.
  • Deprecated .cluster.apiServer in the v1alpha1 config; use the KubeAPIServerConfig, KubeAdmissionControlConfig, KubeAuditPolicyConfig, KubeAuthenticationConfig and KubeAuthorizerConfig documents for kube-apiserver configuration.
  • Deprecated .cluster.controllerManager in the v1alpha1 config; use the KubeControllerManagerConfig document for kube-controller-manager configuration.
  • Deprecated .cluster.scheduler in the v1alpha1 config; use the KubeSchedulerConfig document for kube-scheduler configuration.
  • Deprecated .cluster.proxy in the v1alpha1 config; use the KubeProxyConfig document for kube-proxy configuration.
  • Deprecated .cluster.network in the v1alpha1 config; use the KubeNetworkConfig document for Kubernetes network configuration; Flannel can be configured using the KubeFlannelCNIConfig document.
  • Deprecated .cluster.discovery in the v1alpha1 config; use the DiscoveryServiceConfig document for discovery service configuration. The v1alpha1 config and DiscoveryServiceConfig are mutually exclusive.

LVM Logical Volume Creation

Logical volumes can now be declared with a new LVMLogicalVolumeConfig multi-doc config kind. Each document
names a logical volume, its parent volumeGroup, a type (linear, raid0, raid1 or raid10) and a
maxSize (absolute, e.g. 50GiB, or a percentage of the volume group, e.g. 80%). RAID layouts accept
optional mirrors (raid1/raid10, default 1) and stripes (raid0/raid10, default: all available physical
volumes) fields. Once the volume group is assembled the logical volume is created via lvcreate.

Raising maxSize grows an existing logical volume via lvextend; percentage-sized volumes also grow when
their volume group is extended. Shrinking is never performed (it risks data loss) - a request to reduce the
size surfaces an LVMValidationError instead. Removal stays an explicit operation via the LVMService LV
remove RPC (talosctl wipe lv).

LVM Status

Talos now provides detailed LVM status information, allowing for better monitoring and management of LVM volumes.
New resources LVMPhysicalVolumeStatus, LVMVolumeGroupStatus, and LVMLogicalVolumeStatus expose PV, VG, and LV details.
DiscoveredVolume resources for logical volumes are listed by their kernel name (e.g. dm-0). To resolve the <vg>/<lv> for a given device, use the Disks or BlockSymlinks resources, which carry the udev-managed symlinks (e.g. /dev/disk/by-id/dm-name-<vg>-<lv>).

LVM Volume Group Creation

Talos can now create and grow LVM Volume Groups declaratively through a new LVMVolumeGroupConfig multi-doc
config kind. Each document names a Volume Group and a CEL volumeSelector over the disk inventory; matched
disks are initialised as Physical Volumes (pvcreate) and aggregated into the requested VG (vgcreate).
Newly matched disks added to an existing VG are attached via vgextend.

Reconciliation is strictly additive and safe-by-default.

LVM Wipe

Talos now provides the ability to securely wipe LVM metadata from logical volumes, volume groups, and physical volumes.
This feature allows for selective wiping of logical volumes, volume groups, and physical volumes.

With talosctl wipe lv/vg/pv <name>, users can wipe LVM metadata from a specific logical volume, volume group, or physical volume.

NTS for Time Synchronization

Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.

NTS is enabled by default (without any configuration sources) for the default time.cloudflare.com time server.
NTS can be enabled for custom time servers via the new useNTS field in the TimeServerConfig document.

ICMP send_redirects Disabled by Default

Talos now sets net.ipv4.conf.all.send_redirects=0 and net.ipv4.conf.default.send_redirects=0 by default,
preventing the node from emitting ICMP redirect messages. This aligns with CIS Benchmark recommendations and
does not affect normal Kubernetes pod or service traffic. Nodes that deliberately act as L3 gateways relying
on ICMP redirects can override this via machine.sysctls.

Support Bundle Encryption

The talosctl support command now encrypts support bundles using the age encryption tool, enhancing the security of support data.
The default set of recipients includes the 'siderolabs' GitHub organization members, but it can be overridden with custom recipients.

TLS 1.3 Minimum Version

Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.

Component Updates

Linux: 6.18.36
Kubernetes: 1.36.2
containerd: 2.3.2
etcd: 3.7.0-rc.0-0
Flannel: v0.28.5
runc: 1.5.0-rc.3
CoreDNS: 1.14.2

Talos is built with Go 1.26.4.

Contributors
  • Andrey Smirnov
  • Noel Georgi
  • Mateusz Urbanek
  • Maja Bojarska
  • Orzelius
  • Erwan Leboucher
  • Utku Ozdemir
  • Lukasz Raczylo
  • Mickaël Canévet
  • Dmitrii Sharshakov
  • Dmitriy Matrenichev
  • Oguz Kilcan
  • Rokoucha
  • buckaroo
  • immanuwell
  • Aleksei Sviridkin
  • Ansgar Dahlen
  • Artem Chernyshev
  • Benoît Knecht
  • Christian Korneck
  • David Orman
  • Dharsan Baskar
  • Edward Sammut Alessi
  • Filip Boye-Kofi
  • Fritz Schaal
  • Immanuel Tikhonov
  • Jaakko Sirén
  • Jonny
  • Justin Garrison
  • Kevin Tijssen
  • Konstantin Nesterov
  • Nico Berlee
  • Pranav Patil
  • YANG JOO WOONG
  • Zadkiel AHARONIAN
  • appkins
  • kastakhov

Changes
332 commits

  • @​cd8b0fe release(v1.14.0-alpha.2): prepare release
  • @​917820c chore: sync pkgs/tools
  • @​b34be14 fix: cli.md codeblock generation
  • @​25abcc6 docs: update kubespanconfig to match discoveryserviceconfig
  • @​742589f feat: support multiple discovery service configs
  • @​fc3f27d chore: enrich the SBOM with Go module licenses
  • @​47d5c33 fix: handle image cache being disabled
  • @​1a965ae test: disable LongHorn ublk test and add more cores
  • @​6d03b3f fix: align documented image cache partition label
  • @​6447d85 fix(talosctl): use aio threads on darwin
  • @​f856d18 fix: image verification with referrers
  • @​11a7fbe feat: extract kube-apiserver config into multi-doc configs
  • @​337654d test: fix rook-ceph tests
  • @​e33a868 feat: add AMD XGBE driver to initramfs
  • @​bd2d624 fix: revert coredns to 1.14.2
  • @​7c4e644 feat: update Linux to 6.18.36
  • @​6e23a5c chore: refactor bare opentree_clone into a mount helper
  • @​dfbd309 fix(talosctl): prevent appending type 11 smbios values on restart
  • @​5926dd7 test: support running integration test against remote provisioner
  • @​f146c6a feat: refactor /etc mounts
  • @​ebe3641 chore: bump containerd to 2.3.2
  • @​bc30c61 chore: bump deps (go, k8s, docker)
  • @​00d739d test: skip fstrim default schedule on cloud tests
  • @​d9c6edf fix: bump number of open files for etcd
  • @​990c539 chore: update tools and pkgs 2026-06-17
  • @​325be7c refactor: config generate uses multi-doc sysctlconfig
  • @​d693063 fix: clean up and overhaul mount ops
  • @​a021940 fix: cgroups cleanup
  • @​58d8b71 fix: stop the log persistence and close all files on shutdown
  • @​4b32ebc refactor: simplify trustd/apid rootfs setup
  • @​dc98e35 feat: implement filesystem trim support
  • @​897bef6 feat: introduce KubeProxyConfig multi-doc
  • @​ebde543 feat: introduce BootID resource
  • @​cd178b9 fix: ensure consistent manifest apply order
  • @​19fac61 feat: remote provisioner
  • @​b6412e0 fix: drop one more reference to removed 'nodes'
  • @​be7f7a7 feat: add human-readable size fields to LVM resources
  • @​d4e0ca1 fix: make LVM reconciliation robust and idempotent
  • @​0dbc1e5 chore(ci): fix flaky test
  • @​b687a47 feat: implement an option to allow discards on encrypted volumes
  • @​3fc981c fix: improve security of scheduler/controller-manager
  • @​5d4af9f fix: gracefully stop node containers before removal
  • @​c1593d8 fix: honor FailurePauseTimeout when pausing before reboot
  • @​506dc13 feat: add imager flag to set the SecureBoot key enrollment mode
  • @​5d4ba70 refactor: generate pod definitions in k8stemplates
  • @​995bc30 feat: drop apply config method reboot
  • @​18f6cb4 fix: increment time epoch on wall-clock jump when time sync is disabled
  • @​755a8c8 feat: update etcd to 3.7.0-rc.0
  • @​a0c76fa feat(talosctl): implement cluster logs
  • @​db05216 feat(talosctl): support rebooting cluster nodes
  • @​0a04f46 feat(talosctl): use gateway dns for cluster
  • @​cf3eb1c chore(talosctl): disable kexec for cluster create on arm64
  • @​180182b fix: correct the link alias condition
  • @​ac9014f fix: introduce pull attempt stall detection for image pull
  • @​f2286d6 fix: move Flannel netpol patch to the controlplane
  • @​9986c0b feat: bump kernel to 6.18.35
  • @​e8845fb fix: route ProxyURL test via reachable endpoint
  • @​44acedf feat: add declarative LVM logical volume provisioning
  • @​f6058a1 feat: grab support bundle via client factory
  • @​cdd7197 feat: add CPUCores resource
  • @​8e41eb1 feat: verify go.mod tidiness in generate target
  • @​b19e2ea feat: add kube-apiserver probes
  • @​a321a1d feat: support proxy-url in talosconfig context
  • @​bb2ac75 feat: parse schematic info out of extension status
  • @​0c02a5a fix: align flannel MTU with kubespan to avoid permanent fragmentation
  • @​3d5fd82 feat: expose disk firmware and BIOS version
  • @​3011598 fix: relax LUKS header validation
  • @​5923199 refactor: use ClientFactory for the action tracker
  • @​72c0ced refactor: deprecate sysfs and sysctl in machineconfig
  • @​ee74a41 fix: handle cluster-scoped resources with a namespace correctly
  • @​9df5a64 feat: allow to disable access time for EPHEMERAL partition
  • @​9b667db chore: fix lint error in test
  • @​3113783 test: increase resource inmem buffer to stabilize the tests
  • @​6f85ce3 docs: hack/release.toml explains kernelmodulestatus
  • @​9bb0a5d fix(talosctl): add scrolling to dashboard footer node list
  • @​4c029c2 fix: machine configuration schemas
  • @​c3052e8 feat: move CNI config out of v1alpha1 config
  • @​1d2f120 feat: add declarative LVM volume group provisioning
  • @​85f1d42 chore: refactor tests to use debug api
  • @​c901d47 refactor: talosctl streaming commands and more fixes
  • @​1668549 fix: mark more resources as sensitive
  • @​58adf2e fix: classify installer and imager exits
  • @​9549930 feat: update Flannel to v0.28.5
  • @​27362d1 refactor: replace the callback strategy for most commands
  • @​cb42d9d feat: implement support bundle encryption
  • @​9ae260b feat: enable NRI by default
  • @​d1d5847 fix: flaky test
  • @​0f23315 feat: support external secureboot and pcr signers
  • @​b349d91 feat: enforce strict QoS ordering in OOM victim selection
  • @​76d9b49 fix(ci): aws nvidia tests
  • @​3131826 fix: provide NTS sync with bad initial clock state
  • @​89e307e fix: etcd client leak in the (legacy) Upgrade API
  • @​476c4d0 fix: recreate dns server and listeners on host DNS runner restart
  • @​9a283d9 feat: bump Go to 1.26.4
  • @​4759dc2 chore: bump dependencies
  • @​26a25a0 chore(ci): drop homebrew workflow
  • @​fa8a551 feat: update etcd to v3.6.12
  • @​41fcab4 feat: update kernel to 6.18.34
  • @​8ba0061 feat: update dependencies
  • @​6e2dec1 refactor: update talosctl commands to stop using WithNodes
  • @​f9ad63a feat: add custom logging convention linter
  • @​30dbce0 chore: make oci images reproducible
  • @​38244fd feat: add sbom builder
  • @​5177c50 refactor: deprecate loadedkernelmodule
  • @​c2eef36 fix: health request server-side
  • @​d6eff8e refactor: drop multi-nodes proxying for the dashboard
  • @​2e547a9 refactor: deprecate multi-node proxying
  • @​ddcc519 fix: add --fail to image-signer curl download
  • @​e5b0b1d fix: normalize log fields
  • @​d8e95c3 fix: drop installer from bundle
  • @​7aad9ec feat: update pkgs, tools, Go dependencies
  • @​b50ee39 fix: fix trace fix to also lookup release branches
  • @​027c93d release(v1.14.0-alpha.1): prepare release
  • @​4eb862d feat: add LVMService for VG/LV/PV removal
  • @​b88f16a fix: use POSIX shell idioms for error propagation
  • @​5290eb3 fix: suppress ICMP redirects by default
  • @​7b4aba2 fix: marshal kube-scheduler config correctly with int types
  • @​894be9b fix: touch rootfs files with SOURCE_DATE_EPOCH
  • @​cde8222 fix: ignore cgroups with zero rank in OOM handler
  • @​bc03724 fix: bring in a change to BCM2712_MIP
  • @​f572c33 chore: fail on makefile error
  • @​e317d4b fix: drop modprobe path and enforce usermode helper
  • @​89e53f6 fix(machined): make built-in mod state always 'permanent'
  • @​cfbec9b test: skip UEFI vars wipe if TPM is enabled
  • @​1e31ded fix: create parent directories when extracting tar archives
  • @​14dc188 chore: verify go-containerregistry preserves symlinks
  • @​951922d fix: guard apply config API call
  • @​3e173ad feat: move kube-controller-manager config to multi-doc
  • @​b5cda34 fix: reset QEMU UEFI variable store when disk is wiped
  • @​4a17ac6 chore: script for tracking fixes made in upstream toolchain/tools/pkgs
  • @​d71edee feat: add LVM status resource definitions
  • @​4aeba1c fix: perform backwards-compatible kernel args cleanup
  • @​9b7b2bf feat: implement support for btrfs user volumes
  • @​03ee8ee feat(machined): support instance tags on Akamai
  • @​d19f9ad fix: memorymodules resource reporting
  • @​a6edcf6 chore: move out adv library
  • @​40e66ea fix: bump Go golang.org/x modules
  • @​e23ca4a chore(ci): add upgrade tests for trustedboot
  • @​e3003c0 chore: bump tpm nonce size to match the algorithm used
  • @​8fd04da feat: add bnxt_re module to the rootfs
  • @​1cfab00 fix: update etcd experimental args
  • @​ad96fc6 fix: relax hostname config validation
  • @​efd7353 chore(ci): add missing labels, move release metadata check to job
  • @​9ec0450 feat: update containerd to 2.3.1
  • @​42f4144 feat: introduce new KubeSchedulerConfig
  • @​f2b7f39 refactor: move Args type out of config/v1alpha1
  • @​b959dcb fix: bump Kubernetes to 1.36.1 in one more place
  • @​8ecc77f feat: update default Kubernetes version to 1.36.1
  • @​cbd9c37 chore: rekres to secure slack workflows
  • @​6a92fc6 test: update Canal version used in the tests
  • @​be12d3d feat: support 4k sector size disk images
  • @​a7e8f4c chore(ci): fix cloud image upload job name
  • @​4319399 feat: introduce more modular Linux kernel
  • @​ed5df89 feat(ci): rotate credentials
  • @​a6a984f chore(ci): fix the job conditions
  • @​ecb7d45 feat: enable Flannel nftables mode
  • @​9919ff7 feat: update Linux to 6.18.32
  • @​1a7d136 feat: add Azure Secure Boot imager profile
  • @​df68e73 feat: implement kernel module status resource
  • @​e98ee99 fix: streamline config validation flow
  • @​d7f0a2f feat: update Linux to 6.18.31
  • @​2b66e25 chore: update image signer
  • @​5aa1795 chore: drop e2e step dependencies
  • @​d42b3b3 feat: update Linux to 6.18.30
  • @​c3f6f35 feat: implement static host resolving via host DNS
  • @​2f06a68 refactor: split host DNS handler
  • @​e99c5be feat: implement DNS over HTTP(S)
  • @​cf60652 chore: stop publishing installer to ghcr
  • @​0edabd2 fix: restore some shared (and some lower tier slave) mount propagation
  • @​f1578dc fix: image verification issue with registry.k8s.io
  • @​46b1f8a fix: rework how scheduler config is marshaled
  • @​820a9fa chore: fix typos in comments
  • @​649a384 feat: move more kernel stuff to modules
  • @​4f3ab20 chore(ci): try fixing homebrew action
  • @​600c0ab feat(ci): validate that extensions PKGS and TOOLS sync with talos
  • @​7608041 feat: redact more machine config secrets and audit redactors
  • @​aabf639 docs: drop controlplane endpoint examples
  • @​b48a2be test: relax kernel-default routing rule assertion
  • @​d2208b0 refactor(talosctl): propagate command context throughout, handle interrupts
  • @​0760b5c fix: normalize source name for syft consistency
  • @​c49ac0e docs: document release policy
  • @​ec7e6ef feat: bump in-toto indirect dependency
  • @​21858a6 feat: update kernel to 6.18.29
  • @​5a49dc6 feat: migrate Image Cache config to multi-doc
  • @​574298e fix: handle empty GCP operation errors
  • @​366b10b feat: dockerfile improvements
  • @​9a1d9d0 feat: bump go 1.26.3
  • @​6eec1c2 feat: support DNS over TLS for upstream resolvers
  • @​dee139a feat: revert update CoreDNS to 1.14.3
  • @​087bc4c chore: lint packages under tools
  • @​9e7516f fix: clarify documentation for image verification pattern
  • @​41c8e9d feat: bump dependencies
  • @​2b6c06e feat: update CoreDNS to 1.14.3
  • @​6b6f797 feat: update containerd to 2.3.0
  • @​f9c4f90 feat(ci): longhorn v2 ublk tests
  • @​84d169c fix: make dnsd retry listening
  • @​689974b fix: volume mount permissions
  • @​ff0f66b fix: skip reserved routing rule priorities
  • @​850e2c7 feat: drop fakeroot, use go helper
  • @​0c1bd70 feat: add golangci-lint fmt target
  • @​53bd669 feat: support conditional start of IPv6 dns servers
  • @​b31d93e feat: auto-enroll SecureBoot keys for disk images
  • @​849a680 test: update pkgs to test new extensions
  • @​c30a6df fix: preserve DHCP DNS servers
  • @​5b81b20 feat: apply DHCP search domains
  • @​4e5ff8f fix(ci): zfs test
  • @​14abe51 fix: handle gateways which are not on-link routes in dhcp4
  • @​e1f759a chore: fix lint issues automatically
  • @​664c5f6 chore: update tools
  • @​c64df2b fix: add missing kernel modules in rootfs
  • @​f73c245 feat: run depmod with verification on rootfs build
  • @​1371596 fix: provide proper AWS platform metadata
  • @​4f11f02 feat: implement etcd encryption config (kube-apiserver)
  • @​876f836 feat: add support for HTTP Probes
  • @​9b776d5 feat: update etcd to 3.6.11
  • @​631a1bc fix: bring in hardened kernel
  • @​a349dac fix: stale discovered volume children
  • @​13ce018 fix: re-enable kexec on arm64
  • @​32539d4 fix: deadlock in the makefs ext4 with populated source
  • @​0f3e196 fix: panic in Kubernetes manifest sync
  • @​3bae01a fix: do not pick up a system disk from a loop device
  • @​dedb7a9 fix(talosctl): protect k8sNames map writes with mutex
  • @​cc2be21 fix: drop explicit platform matcher
  • @​1dffeba fix: mount throws EPERM on virtiofs with SELinux
  • @​48a481c fix: replace Canal manifest with a more recent one
  • @​6a44540 fix: make lacp active nilable
  • @​0d1d95c fix: bump go-kmsg to fix the timestamp drift
  • @​bd344fd fix: reset the ticker when the KubeSpan is disabled/enabled
  • @​462015b release(v1.14.0-alpha.0): prepare release
  • @​8a037a5 test: fix flaky tests
  • @​08c81d8 feat: bump kernel to 6.18.25
  • @​fe40b6e fix(ci): fetch empty pr labels
  • @​837a9ed feat: move host DNS config into ResolverConfig
  • @​96a8ecd feat: default to factory installer image
  • @​f19eef7 fix: revert add extraArgs from service-account-issuer
  • @​6821225 fix: revert use append instead of prepend in service-account-issuer
  • @​b43c3a1 feat: add quirk for talosctl factory downloads
  • @​df0b9a8 refactor: make all controller unit-test follow modern patterns
  • @​c2948ce feat: support auth for Image Factory in cluster create
  • @​560bcf0 feat: enforce TLS 1.3 minmum version for Kubernetes components
  • @​3db1430 fix(talosctl): ensure uncordon runs after reboot/upgrade errors
  • @​ecf2fa8 feat: update Kubernetes to v1.36.0
  • @​71557ea fix(ci): skip misc jobs not on pull request
  • @​026313b docs: rename security-insights.yml to lowercase for LFX detection
  • @​dc4ffd4 fix(ci): fix jobs not interpolating matrix due to condition
  • @​25e2f37 chore: generate comments for fields in resource proto
  • @​149592f fix: watch kubelet's kubeconfig and time out for cache sync
  • @​1f315e6 feat: update Linux to 6.18.23
  • @​0198eed feat: add NTS (Network Time Security) support for NTP time sync
  • @​6830a8b fix(ci): matrix jobs cleanups
  • @​71aeb34 test: fix OOM test flake
  • @​9b9542c test: fix a flake in the manifest sync test
  • @​863d882 test: add image verification for factory.talos.dev
  • @​bba0b4a chore(ci): nvidia update helm values
  • @​3399ff4 fix: propagate route table down to the resource
  • @​c684ec6 chore: prepare for Talos 1.14 release
  • @​ed9545d chore(ci): bump gpu operator version
  • @​4de3e43 fix(ci): cron triggered workflows
  • @​212182e chore: bump container registry library
  • @​c028db0 fix: do not flip machine stage to rebooting during shutdown
  • @​6ce62d9 fix(ci): workflow runs with workflow_run
  • @​509cd97 fix: boot entry detection
  • @​5e3f301 feat(ci): rework to schedule daily runs after a cron
  • @​7fa4d39 fix: zfs extensions test
  • @​1ef8e63 test: allow more tests to run in FIPS strict mode
  • @​bdcc932 fix: reduce memory dashboard usage
  • @​2d177af chore: update Syft to v1.42.4+patches
  • @​0d83621 fix: return failed precondition on upgrade when not installed
  • @​be58eaf fix: wrong slot of encryption key was logged
  • @​015081c feat: update dependencies
  • @​9fbb7c9 fix: audit trustd code for security
  • @​986e97f feat: update Flannel to 0.28.4
  • @​f3817d1 chore: update sign images to support image name suffix
  • @​e776721 feat: update Kubernetes 1.36.0-rc.1
  • @​f6e7346 fix: encode extra args fields in resources with new id
  • @​3c7bb80 chore: bump tools
  • @​3ba35c9 chore(ci): nvidia try UKI boot
  • @​e3e8f01 chore: bump tools
  • @​181584a fix: handle boot failure
  • @​c464c7e fix: upgrade API in maintenance mode (legacy)
  • @​b7512d9 feat: update Kubernetes to 1.36.0-rc.0
  • @​4ba1115 refactor: allow overriding out image name suffix
  • @​c81aa12 fix: panic in reading PCR values
  • @​6a3ab87 feat(ci): add nvidia arm64 matrix
  • @​21f459a fix(talosctl): always use default GRPC dial options
  • @​ca208e5 fix: validate hostDNS forwarding requires hostDNS to be enabled
  • @​9fcb9e0 feat: bump go to 1.26.2
  • @​0bfdf7f fix: create correct blackhole routes for IPv4
  • @​52b9200 feat: add client-side Kubernetes node drain to reboot and upgrade commands
  • @​968ec1e refactor: propagate NAME properly, allow to set on build
  • @​acc69c3 fix: set the minimum TLS version to 1.3
  • @​0cfa6e3 chore: bump some tool dependencies
  • @​4229bb9 feat: add dis-vulncheck tool
  • @​d697f55 fix: don't set xattrs while decompressing extensions
  • @​34fb2cb refactor: remove manual shell completion and replace with cobra completion
  • @​79fa2e3 feat: allow more nvidia and nvme files from extensions
  • @​414f78a feat: allow glibc ld files in etc
  • @​1bbba43 feat: update Flannel to v0.28.2
  • @​55815e0 fix: handle ISOs with zeroes in volume labels
  • @​7b6ab0c feat: add flag to force fallback to legacy upgrade
  • @​5e24d52 feat: add resource view to talosctl dashboard
  • @​649ab7f fix: add os:meta:writer role to the dashboard
  • @​10cdfa9 fix: drop talosctl install
  • @​087ced8 fix: unseal with "slow" TPM
  • @​11ab0a8 fix: drop unused type from ExternalVolume schema
  • @​e2df0f6 fix: always grow disks
  • @​919d8c3 chore: drop debug shell
  • @​783a358 fix: add metal-agent mode to runtime capabilities
  • @​37b2221 docs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01
  • @​bed2bd4 feat: add graceful power off support to QEMU VM launcher
  • @​3400059 fix: incorrect route source for on-link routes
  • @​b3dfbf7 feat: bump musl to 1.2.6
  • @​4227921 test: fix the PKI mismatch test flake
  • @​f2bc2dc feat: update NVIDIA production drivers to 595.58.03
  • @​aa5946d test: fix cron failures for provision-1 & provision-2
  • @​1dd701e fix: allow blockdevice wipe in maintenance mode
  • @​786bf00 feat: add --platform=all support to image cache-create
  • @​e1f645e feat: validate luks headers for tampering
  • @​ad72c73 test: improve maintenance API provision tests
  • @​70cefab test: fix the flakes in tests with trusted roots
  • @​aacff17 test: bump memory for Flannel netpolicy tests
  • @​9c34591 feat: update Linux to 6.18.19, CNI to 1.9.1
  • @​038cb87 feat: enforce PID check on connections to services over file sockets
  • @​e2b2dd3 chore: update go-kubernetes library
  • @​9597714 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
  • @​8ac47d6 fix: unset rlimits for extension services
  • @​b1a02f3 feat: update Kubernetes to 1.36.0-beta.0
  • @​362fdc9 feat: update etcd to 3.6.9
  • [@​0a47f40](https://red

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
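
A post-upgrade check for the "noexec on EPHEMERAL (/var)" change described in the release notes above, as an added example (not code from Talos or from this PR): it parses a copy of a node's /proc/mounts and reports whether /var carries noexec, nosuid and nodev, or has lost all three as the notes say happens with `secure: false`. The sample mount tables, device names, function names and verdict strings are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// requiredFlags are the options the release notes list for /var when the
// VolumeConfig mount.secure setting is left at its default.
var requiredFlags = []string{"nodev", "noexec", "nosuid"}

// MountEntry is one parsed line of a /proc/mounts style table.
type MountEntry struct {
	Device, Point, FSType string
	Options               map[string]bool
}

// unescape decodes the \NNN octal escapes (for example \040 for a space)
// that the kernel writes into device and mount point paths.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// ParseMounts parses "device mountpoint fstype options dump pass" lines and
// skips lines too short to carry an options field.
func ParseMounts(table string) []MountEntry {
	var out []MountEntry
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue
		}
		opts := make(map[string]bool)
		for _, o := range strings.Split(f[3], ",") {
			opts[o] = true
		}
		out = append(out, MountEntry{
			Device: unescape(f[0]), Point: unescape(f[1]), FSType: f[2], Options: opts,
		})
	}
	return out
}

// AuditMount returns the required flags missing from the mount at point.
// When several mounts are stacked on one path, the last line is the one in effect.
func AuditMount(table, point string) (missing []string, found bool) {
	entries := ParseMounts(table)
	var last *MountEntry
	for i := range entries {
		if entries[i].Point == point {
			last = &entries[i]
		}
	}
	if last == nil {
		return nil, false
	}
	for _, flag := range requiredFlags {
		if !last.Options[flag] {
			missing = append(missing, flag)
		}
	}
	return missing, true
}

// Verdict condenses the audit into one label (labels are this example's own).
func Verdict(table, point string) string {
	missing, found := AuditMount(table, point)
	switch {
	case !found:
		return "not-mounted"
	case len(missing) == 0:
		return "hardened"
	case len(missing) == len(requiredFlags):
		return "all-flags-missing" // consistent with the secure: false opt-out
	default:
		return "partial: missing " + strings.Join(missing, ",")
	}
}

// Constructed sample tables; device names and filesystems are illustrative.
const sampleHardened = `proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda6 /var xfs rw,nosuid,nodev,noexec,relatime,attr2,inode64 0 0
/dev/vdb1 /var/mnt/my\040data ext4 rw,relatime 0 0
`

const sampleOptOut = `proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda6 /var xfs rw,relatime,attr2,inode64 0 0
`

func main() {
	fmt.Println("default node:", Verdict(sampleHardened, "/var"))
	fmt.Println("opt-out node:", Verdict(sampleOptOut, "/var"))
}
```

Nodes that report all three flags missing on /var are the ones where the opt-out also dropped nosuid and nodev, so they are worth listing and reviewing after the upgrade.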

truecharts-admin (Contributor, Author)

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 10 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.26.3 -> 1.26.4
github.com/google/cel-go v0.28.0 -> v0.28.1
github.com/jsimonetti/rtnetlink/v2 v2.2.1-0.20260317095713-310581b9c6ac -> v2.2.1-0.20260614152944-ab8601692836
github.com/mdlayher/ethtool v0.6.0 -> v0.6.1
github.com/mdlayher/netlink v1.11.1 -> v1.11.2
github.com/mdlayher/socket v0.6.0 -> v0.6.1
go.yaml.in/yaml/v4 v4.0.0-rc.4 -> v4.0.0-rc.5
golang.org/x/net v0.55.0 -> v0.56.0
google.golang.org/genproto/googleapis/api v0.0.0-20260504160031-60b97b32f348 -> v0.0.0-20260618152121-87f3d3e198d3
google.golang.org/genproto/googleapis/rpc v0.0.0-20260504160031-60b97b32f348 -> v0.0.0-20260615183401-62b3387ff324
google.golang.org/grpc v1.81.0 -> v1.81.1

Crow-Control (Member) left a comment

Auto approved automated PR

alfi0812 closed this Jun 26, 2026
truecharts-admin deleted the renovate/github.com-siderolabs-talos-pkg-machinery-1.14.x branch June 26, 2026 20:32