Add secureboot support

Update Talos v1.9.1
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
2026-02-05 08:17:59 +00:00 · 2025-01-03 00:53:12 +01:00 · 2024-12-31 17:36:31 +01:00 · 2024-12-30 15:31:48 +01:00 · 2024-12-30 09:46:08 +01:00
11 changed files with 51 additions and 34 deletions
--- a/hack/e2e.sh
+++ b/hack/e2e.sh
@@ -113,8 +113,6 @@ machine:
        - usermode_helper=disabled
    - name: zfs
    - name: spl
  install:
    image: ghcr.io/aenix-io/cozystack/talos:v1.8.4
  files:
  - content: |
      [plugins]
@@ -142,6 +140,9 @@ EOT
 cat > patch-controlplane.yaml <<\EOT
 machine:
  nodeLabels:
    node.kubernetes.io/exclude-from-external-load-balancers:
      $patch: delete
  network:
    interfaces:
    - interface: eth0
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.6.4
+version: 1.6.5
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -31,6 +31,9 @@ rules:
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get"]
 - apiGroups: ["apps.cozystack.io"]
  resources: ['*']
  verbs: ['*']
 ---
 apiVersion: rbac.authorization.k8s.io/v1
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -94,7 +94,8 @@ tenant 1.6.0 df448b99
 tenant 1.6.1 edbbb9be
 tenant 1.6.2 ccedc5fe
 tenant 1.6.3 2057bb96
-tenant 1.6.4 HEAD
+tenant 1.6.4 3c9e50a4
 tenant 1.6.5 HEAD
 virtual-machine 0.1.4 f2015d6
 virtual-machine 0.1.5 7cd7de7
 virtual-machine 0.2.0 5ca8823
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -38,8 +38,8 @@ image-cozystack:
 	rm -f images/cozystack.json
 image-talos:
-	test -f ../../../_out/assets/installer-amd64.tar || make talos-installer
+	test -f ../../../_out/assets/installer-amd64-secureboot.tar || make talos-installer
-	docker load -i ../../../_out/assets/installer-amd64.tar
+	docker load -i ../../../_out/assets/installer-amd64-secureboot.tar
 	docker tag ghcr.io/siderolabs/installer:$(TALOS_VERSION) $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
 	docker push $(REGISTRY)/talos:$(call settag,$(TALOS_VERSION))
@@ -59,8 +59,17 @@ image-matchbox:
 assets: talos-iso talos-nocloud talos-metal
-talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal:
+talos-initramfs talos-kernel talos-installer talos-iso talos-nocloud talos-metal: secureboot-keys
 	mkdir -p ../../../_out/assets
 	docker rm -f talos-imager 2>/dev/null || true 
 	docker run -d --rm --name talos-imager --privileged -v /dev:/dev --entrypoint=/bin/sleep "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" infinity
 	docker cp ../../../_out/secureboot talos-imager:/secureboot && \
 	cat images/talos/profiles/$(subst talos-,,$@).yaml | \
-		docker run --rm -i -v /dev:/dev --privileged "ghcr.io/siderolabs/imager:$(TALOS_VERSION)" --tar-to-stdout - | \
+		docker exec -i talos-imager /bin/imager --tar-to-stdout - | \
-		tar -C ../../../_out/assets -xzf-
+		tar -C ../../../_out/assets -xzf- ; \
 	docker rm -f talos-imager
 secureboot-keys:
 	test -d ../../../_out/secureboot || ( \
 	talosctl gen secureboot uki --common-name "SecureBoot Key" -o ../../../_out/secureboot/ && \
 	talosctl gen secureboot pcr -o ../../../_out/secureboot/ )
--- a/packages/core/installer/images/talos/profiles/initramfs.yaml
+++ b/packages/core/installer/images/talos/profiles/initramfs.yaml
@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.4
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.4
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.4
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: initramfs
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/installer.yaml
+++ b/packages/core/installer/images/talos/profiles/installer.yaml
@@ -2,15 +2,15 @@
 # do not edit it
 arch: amd64
 platform: metal
-secureboot: false
+version: v1.9.1
-version: v1.8.4
+secureboot: true
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.4
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,9 +19,12 @@ input:
    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.4
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: installer
  imageOptions: {}
  outFormat: raw
 customization:
  extraKernelArgs:
  - -selinux
--- a/packages/core/installer/images/talos/profiles/iso.yaml
+++ b/packages/core/installer/images/talos/profiles/iso.yaml
@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.4
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.4
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.4
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: iso
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/kernel.yaml
+++ b/packages/core/installer/images/talos/profiles/kernel.yaml
@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.4
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.4
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.4
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: kernel
  imageOptions: {}
--- a/packages/core/installer/images/talos/profiles/metal.yaml
+++ b/packages/core/installer/images/talos/profiles/metal.yaml
@@ -3,14 +3,14 @@
 arch: amd64
 platform: metal
 secureboot: false
-version: v1.8.4
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.4
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.4
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: image
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
--- a/packages/core/installer/images/talos/profiles/nocloud.yaml
+++ b/packages/core/installer/images/talos/profiles/nocloud.yaml
@@ -3,14 +3,14 @@
 arch: amd64
 platform: nocloud
 secureboot: false
-version: v1.8.4
+version: v1.9.1
 input:
  kernel:
    path: /usr/install/amd64/vmlinuz
  initramfs:
    path: /usr/install/amd64/initramfs.xz
  baseInstaller:
-    imageRef: ghcr.io/siderolabs/installer:v1.8.4
+    imageRef: ghcr.io/siderolabs/installer:v1.9.1
  systemExtensions:
    - imageRef: ghcr.io/siderolabs/amd-ucode:20241210
    - imageRef: ghcr.io/siderolabs/amdgpu-firmware:20241110
@@ -19,8 +19,8 @@ input:
    - imageRef: ghcr.io/siderolabs/intel-ice-firmware:20241210
    - imageRef: ghcr.io/siderolabs/intel-ucode:20241112
    - imageRef: ghcr.io/siderolabs/qlogic-firmware:20241210
-    - imageRef: ghcr.io/siderolabs/drbd:9.2.11-v1.8.4
+    - imageRef: ghcr.io/siderolabs/drbd:9.2.12-v1.9.1
-    - imageRef: ghcr.io/siderolabs/zfs:2.2.6-v1.8.4
+    - imageRef: ghcr.io/kvaps/talos/zfs:2.2.7-v1.9.1-2-gc043c0a
 output:
  kind: image
  imageOptions: { diskSize: 1306525696, diskFormat: raw }
Author	SHA1	Message	Date
Andrei Kvapil	942b636f68	Add secureboot support	2025-01-03 00:53:12 +01:00
Andrei Kvapil	c6edf6cb9e	Update Talos v1.9.1 Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-12-31 17:36:31 +01:00
Andrei Kvapil	b6e27cb3dc	disable node.kubernetes.io/exclude-from-external-load-balancers label (#552 )	2024-12-30 15:31:48 +01:00
Andrei Kvapil	f1e11451fa	Fix tenant permissions for oidc disabled cluster (#549 )	2024-12-30 09:46:08 +01:00