// This Source Code Form is subject to the terms of the Mozilla Public
2
// License, v. 2.0. If a copy of the MPL was not distributed with this
3
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
4

5
// Package constants defines constants used throughout Talos.
6
package constants
7

8
import (
9
	"time"
10

11
	cni "github.com/containerd/go-cni"
12
	"github.com/siderolabs/crypto/x509"
13
)
14

15
const (
16
	// DefaultKernelVersion is the default Linux kernel version.
17
	DefaultKernelVersion = "6.6.36-talos"
18

19
	// KernelModulesPath is the default path to the kernel modules without the kernel version.
20
	KernelModulesPath = "/lib/modules"
21

22
	// KernelParamConfig is the kernel parameter name for specifying the URL
23
	// to the config.
24
	KernelParamConfig = "talos.config"
25

26
	// KernelParamConfigOAuthClientID is the kernel parameter name for specifying the OAuth2 client ID.
27
	KernelParamConfigOAuthClientID = "talos.config.oauth.client_id"
28

29
	// KernelParamConfigOAuthClientSecret is the kernel parameter name for specifying the OAuth2 client secret.
30
	KernelParamConfigOAuthClientSecret = "talos.config.oauth.client_secret"
31

32
	// KernelParamConfigOAuthAudience is the kernel parameter name for specifying the OAuth2 audience.
33
	KernelParamConfigOAuthAudience = "talos.config.oauth.audience"
34

35
	// KernelParamConfigOAuthScope is the kernel parameter name for specifying the OAuth2 scopes (might be repeated).
36
	KernelParamConfigOAuthScope = "talos.config.oauth.scope"
37

38
	// KernelParamConfigOAuthDeviceAuthURL is the kernel parameter name for specifying the OAuth2 device auth URL.
39
	KernelParamConfigOAuthDeviceAuthURL = "talos.config.oauth.device_auth_url"
40

41
	// KernelParamConfigOAuthTokenURL is the kernel parameter name for specifying the OAuth2 token URL.
42
	KernelParamConfigOAuthTokenURL = "talos.config.oauth.token_url"
43

44
	// KernelParamConfigOAuthExtraVariable is the kernel parameter name for specifying the OAuth2 extra variable (might be repeated).
45
	KernelParamConfigOAuthExtraVariable = "talos.config.oauth.extra_variable"
46

47
	// ConfigNone indicates no config is required.
48
	ConfigNone = "none"
49

50
	// KernelParamPlatform is the kernel parameter name for specifying the
51
	// platform.
52
	KernelParamPlatform = "talos.platform"
53

54
	// KernelParamBoard is the kernel parameter name for specifying the
55
	// SBC.
56
	KernelParamBoard = "talos.board"
57

58
	// KernelParamEventsSink is the kernel parameter name for specifying the
59
	// events sink server.
60
	KernelParamEventsSink = "talos.events.sink"
61

62
	// KernelParamLoggingKernel is the kernel parameter name for specifying the
63
	// kernel log delivery destination.
64
	KernelParamLoggingKernel = "talos.logging.kernel"
65

66
	// KernelParamWipe is the kernel parameter name for specifying the
67
	// disk to wipe on the next boot and reboot.
68
	KernelParamWipe = "talos.experimental.wipe"
69

70
	// KernelParamCGroups is the kernel parameter name for specifying the
71
	// cgroups version to use (default is cgroupsv2, setting this kernel arg to '0' forces cgroupsv1).
72
	KernelParamCGroups = "talos.unified_cgroup_hierarchy"
73

74
	// KernelParamDashboardDisabled is the kernel parameter name for disabling the dashboard.
75
	KernelParamDashboardDisabled = "talos.dashboard.disabled"
76

77
	// KernelParamEnvironment is the kernel parameter name for passing process environment.
78
	KernelParamEnvironment = "talos.environment"
79

80
	// KernelParamNetIfnames is the kernel parameter name to control predictable network interface names.
81
	KernelParamNetIfnames = "net.ifnames"
82

83
	// BoardNone indicates that the install is not for a specific board.
84
	BoardNone = "none"
85

86
	// BoardLibretechAllH3CCH5 is the name of the Libre Computer board ALL-H3-CC.
87
	BoardLibretechAllH3CCH5 = "libretech_all_h3_cc_h5"
88

89
	// BoardRPiGeneric is the name of the Raspberry Pi Compute Module 4.
90
	BoardRPiGeneric = "rpi_generic"
91

92
	// BoardBananaPiM64 is the name of the Banana Pi M64.
93
	BoardBananaPiM64 = "bananapi_m64"
94

95
	// BoardPine64 is the name of the Pine64.
96
	BoardPine64 = "pine64"
97

98
	// BoardJetsonNano is the name of the Jetson Nano.
99
	BoardJetsonNano = "jetson_nano"
100

101
	// BoardRock64 is the name of the Rock64.
102
	BoardRock64 = "rock64"
103

104
	// BoardRockpi4 is the name of the Radxa Rock pi 4 revisions A and B.
105
	BoardRockpi4 = "rockpi_4"
106

107
	// BoardRockpi4c is the name of the Radxa Rock pi 4 revision C.
108
	BoardRockpi4c = "rockpi_4c"
109

110
	// BoardNanoPiR4S is the name of the Friendlyelec Nano Pi R4S.
111
	BoardNanoPiR4S = "nanopi_r4s"
112

113
	// KernelParamHostname is the kernel parameter name for specifying the
114
	// hostname.
115
	KernelParamHostname = "talos.hostname"
116

117
	// KernelParamShutdown is the kernel parameter for specifying the
118
	// shutdown type (halt/poweroff).
119
	KernelParamShutdown = "talos.shutdown"
120

121
	// KernelParamNetworkInterfaceIgnore is the kernel parameter for specifying network interfaces which should be ignored by Talos.
122
	KernelParamNetworkInterfaceIgnore = "talos.network.interface.ignore"
123

124
	// KernelParamVlan is the kernel parameter for specifying vlan for the interface.
125
	KernelParamVlan = "vlan"
126

127
	// KernelParamBonding is the kernel parameter for specifying bonded network interfaces.
128
	KernelParamBonding = "bond"
129

130
	// KernelParamPanic is the kernel parameter name for specifying the time to wait until rebooting after kernel panic (0 disables reboot).
131
	KernelParamPanic = "panic"
132

133
	// KernelParamSideroLink is the kernel parameter name to specify SideroLink API endpoint.
134
	KernelParamSideroLink = "siderolink.api"
135

136
	// KernelParamEquinixMetalEvents is the kernel parameter name to specify the Equinix Metal phone home endpoint.
137
	// This param is injected by Equinix Metal and depends on the device ID and datacenter.
138
	KernelParamEquinixMetalEvents = "em.events_url"
139

140
	// NewRoot is the path where the switchroot target is mounted.
141
	NewRoot = "/root"
142

143
	// ExtensionLayers is the path where the extensions layers are stored.
144
	ExtensionLayers = "/layers"
145

146
	// ExtensionsConfigFile is the extensions layers configuration file name in the initramfs.
147
	ExtensionsConfigFile = "/extensions.yaml"
148

149
	// ExtensionsRuntimeConfigFile is the extensions layers configuration file name in the rootfs.
150
	ExtensionsRuntimeConfigFile = "/etc/extensions.yaml"
151

152
	// EFIPartitionLabel is the label of the partition to use for mounting at
153
	// the boot path.
154
	EFIPartitionLabel = "EFI"
155

156
	// EFIMountPoint is the path where the EFI partition is mounted, beneath
157
	// the boot path.
158
	EFIMountPoint = BootMountPoint + "/EFI"
159

160
	// EFIVarsMountPoint is mount point for efivars filesystem type.
161
	// https://www.kernel.org/doc/html/next/filesystems/efivarfs.html
162
	EFIVarsMountPoint = "/sys/firmware/efi/efivars"
163

164
	// BIOSGrubPartitionLabel is the label of the partition used by grub's second
165
	// stage bootloader.
166
	BIOSGrubPartitionLabel = "BIOS"
167

168
	// MetaPartitionLabel is the label of the meta partition.
169
	MetaPartitionLabel = "META"
170

171
	// StatePartitionLabel is the label of the state partition.
172
	StatePartitionLabel = "STATE"
173

174
	// StateMountPoint is the mount point of the state partition, i.e.
175
	// the state path.
176
	StateMountPoint = "/system/state"
177

178
	// BootPartitionLabel is the label of the partition to use for mounting at
179
	// the boot path.
180
	BootPartitionLabel = "BOOT"
181

182
	// BootMountPoint is the mount point of the boot partition, i.e.
183
	// the boot path.
184
	BootMountPoint = "/boot"
185

186
	// EphemeralPartitionLabel is the label of the partition to use for
187
	// mounting at the data path.
188
	EphemeralPartitionLabel = "EPHEMERAL"
189

190
	// EphemeralMountPoint is the mount point of the ephemeral partition, i.e.
191
	// the data path.
192
	EphemeralMountPoint = "/var"
193

194
	// RootMountPoint is the mount point of the root filesystem, i.e.
195
	// the root path.
196
	RootMountPoint = "/"
197

198
	// ISOFilesystemLabel is the label of the ISO file system for the Talos
199
	// installer.
200
	ISOFilesystemLabel = "TALOS"
201

202
	// PATH defines all locations where executables are stored.
203
	PATH = "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:" + cni.DefaultCNIDir
204

205
	// KubernetesDefaultCertificateValidityDuration specifies default certificate duration for Kubernetes generated certificates.
206
	KubernetesDefaultCertificateValidityDuration = time.Hour * 24 * 365
207

208
	// KubernetesConfigBaseDir is the path to the base Kubernetes configuration directory.
209
	KubernetesConfigBaseDir = "/etc/kubernetes"
210

211
	// DefaultCertificatesDir is the path to the Kubernetes PKI directory.
212
	DefaultCertificatesDir = KubernetesConfigBaseDir + "/" + "pki"
213

214
	// KubernetesCACert is the path to the root CA certificate.
215
	KubernetesCACert = DefaultCertificatesDir + "/" + "ca.crt"
216

217
	// EtcdCACert is the path to the etcd CA certificate.
218
	EtcdCACert = EtcdPKIPath + "/" + "ca.crt"
219

220
	// EtcdCAKey is the path to the etcd CA private key.
221
	EtcdCAKey = EtcdPKIPath + "/" + "ca.key"
222

223
	// EtcdCert is the path to the etcd server certificate.
224
	EtcdCert = EtcdPKIPath + "/" + "server.crt"
225

226
	// EtcdKey is the path to the etcd server private key.
227
	EtcdKey = EtcdPKIPath + "/" + "server.key"
228

229
	// EtcdPeerCert is the path to the etcd peer certificate.
230
	EtcdPeerCert = EtcdPKIPath + "/" + "peer.crt"
231

232
	// EtcdPeerKey is the path to the etcd peer private key.
233
	EtcdPeerKey = EtcdPKIPath + "/" + "peer.key"
234

235
	// EtcdAdminCert is the path to the talos client certificate.
236
	EtcdAdminCert = EtcdPKIPath + "/" + "admin.crt"
237

238
	// EtcdAdminKey is the path to the talos client private key.
239
	EtcdAdminKey = EtcdPKIPath + "/" + "admin.key"
240

241
	// EtcdClientPort defines the port etcd listens on for client traffic.
242
	EtcdClientPort = 2379
243

244
	// EtcdPeerPort defines the port etcd listens on for peer traffic.
245
	EtcdPeerPort = 2380
246

247
	// KubernetesAdminCertCommonName defines CN property of Kubernetes admin certificate.
248
	KubernetesAdminCertCommonName = "admin"
249

250
	// KubernetesTalosAdminCertCommonName defines CN property of Kubernetes admin certificate used by Talos itself.
251
	KubernetesTalosAdminCertCommonName = "talos:admin"
252

253
	// KubernetesAdminCertOrganization defines Organization values of Kubernetes admin certificate.
254
	KubernetesAdminCertOrganization = "system:masters"
255

256
	// KubernetesAPIServerKubeletClientCommonName defines CN property of Kubernetes API server certificate to access kubelet API.
257
	KubernetesAPIServerKubeletClientCommonName = "apiserver-kubelet-client"
258

259
	// KubernetesControllerManagerOrganization defines Organization value of kube-controller-manager client certificate.
260
	KubernetesControllerManagerOrganization = "system:kube-controller-manager"
261

262
	// KubernetesSchedulerOrganization defines Organization value of kube-scheduler client certificate.
263
	KubernetesSchedulerOrganization = "system:kube-scheduler"
264

265
	// KubernetesAdminCertDefaultLifetime defines default lifetime for Kubernetes generated admin certificate.
266
	KubernetesAdminCertDefaultLifetime = 365 * 24 * time.Hour
267

268
	// KubebernetesStaticSecretsDir defines ephemeral directory which contains rendered secrets for controlplane components.
269
	KubebernetesStaticSecretsDir = "/system/secrets/kubernetes"
270

271
	// KubebernetesStaticConfigDir defines ephemeral directory which contains rendered configs for controlplane components.
272
	KubebernetesStaticConfigDir = "/system/config/kubernetes"
273

274
	// KubernetesAuditLogDir defines the ephemeral directory where the kube-apiserver will store its audit logs.
275
	KubernetesAuditLogDir = EphemeralMountPoint + "/" + "log" + "/" + "audit" + "/" + "kube"
276

277
	// KubernetesAPIServerSecretsDir defines directory with kube-apiserver secrets.
278
	KubernetesAPIServerSecretsDir = KubebernetesStaticSecretsDir + "/" + "kube-apiserver"
279

280
	// KubernetesAPIServerConfigDir defines directory with kube-apiserver configs.
281
	KubernetesAPIServerConfigDir = KubebernetesStaticConfigDir + "/" + "kube-apiserver"
282

283
	// KubernetesControllerManagerSecretsDir defines ephemeral directory with kube-controller-manager secrets.
284
	KubernetesControllerManagerSecretsDir = KubebernetesStaticSecretsDir + "/" + "kube-controller-manager"
285

286
	// KubernetesSchedulerSecretsDir defines ephemeral directory with kube-scheduler secrets.
287
	KubernetesSchedulerSecretsDir = KubebernetesStaticSecretsDir + "/" + "kube-scheduler"
288

289
	// KubernetesSchedulerConfigDir defines ephemeral directory with kube-scheduler configs.
290
	KubernetesSchedulerConfigDir = KubebernetesStaticConfigDir + "/" + "kube-scheduler"
291

292
	// KubernetesAPIServerRunUser defines UID to run the API Server.
293
	KubernetesAPIServerRunUser = 65534
294

295
	// KubernetesAPIServerRunGroup defines GID to run the API Server.
296
	KubernetesAPIServerRunGroup = 65534
297

298
	// KubernetesControllerManagerRunUser defines UID to run the Controller Manager.
299
	KubernetesControllerManagerRunUser = 65535
300

301
	// KubernetesControllerManagerRunGroup defines GID to run the Controller Manager.
302
	KubernetesControllerManagerRunGroup = 65535
303

304
	// KubernetesSchedulerRunUser defines UID to run the Scheduler.
305
	KubernetesSchedulerRunUser = 65536
306

307
	// KubernetesSchedulerRunGroup defines GID to run the Scheduler.
308
	KubernetesSchedulerRunGroup = 65536
309

310
	// KubeletBootstrapKubeconfig is the path to the kubeconfig required to
311
	// bootstrap the kubelet.
312
	KubeletBootstrapKubeconfig = KubernetesConfigBaseDir + "/" + "bootstrap-kubeconfig"
313

314
	// KubeletCredentialProviderBinDir is the path to the directory where kubelet credential provider binaries are stored.
315
	KubeletCredentialProviderBinDir = "/usr/local/lib/kubelet/credentialproviders"
316

317
	// KubeletCredentialProviderConfig is the path to the kubelet credential provider config.
318
	KubeletCredentialProviderConfig = KubernetesConfigBaseDir + "/" + "kubelet-credentialproviderconfig.yaml"
319

320
	// KubeletPort is the kubelet port for secure API.
321
	KubeletPort = 10250
322

323
	// KubeletOOMScoreAdj oom_score_adj config.
324
	KubeletOOMScoreAdj = -450
325

326
	// KubeletPKIDir is the path to the directory where kubelet stores issued certificates and keys.
327
	KubeletPKIDir = "/var/lib/kubelet/pki"
328

329
	// SystemKubeletPKIDir is the path to the directory where Talos copies kubelet issued certificates and keys.
330
	SystemKubeletPKIDir = "/system/secrets/kubelet"
331

332
	// KubeletShutdownGracePeriod is the kubelet shutdown grace period.
333
	KubeletShutdownGracePeriod = 30 * time.Second
334

335
	// KubeletShutdownGracePeriodCriticalPods is the kubelet shutdown grace period for critical pods.
336
	//
337
	// Should be less than KubeletShutdownGracePeriod.
338
	KubeletShutdownGracePeriodCriticalPods = 10 * time.Second
339

340
	// SeccompProfilesDirectory is the path to the directory where user provided seccomp profiles are mounted inside Kubelet.
341
	SeccompProfilesDirectory = "/var/lib/kubelet/seccomp/profiles"
342

343
	// DefaultKubernetesVersion is the default target version of the control plane.
344
	// renovate: datasource=github-releases depName=kubernetes/kubernetes
345
	DefaultKubernetesVersion = "1.30.2"
346

347
	// SupportedKubernetesVersions is the number of Kubernetes versions supported by Talos starting from DefaultKubernetesVersion going backwards.
348
	SupportedKubernetesVersions = 6
349

350
	// DefaultControlPlanePort is the default port to use for the control plane.
351
	DefaultControlPlanePort = 6443
352

353
	// KubeletImage is the enforced kubelet image to use.
354
	KubeletImage = "ghcr.io/siderolabs/kubelet"
355

356
	// KubeProxyImage is the enforced kube-proxy image to use for the control plane.
357
	KubeProxyImage = "registry.k8s.io/kube-proxy"
358

359
	// KubernetesAPIServerImage is the enforced apiserver image to use for the control plane.
360
	KubernetesAPIServerImage = "registry.k8s.io/kube-apiserver"
361

362
	// KubernetesControllerManagerImage is the enforced controllermanager image to use for the control plane.
363
	KubernetesControllerManagerImage = "registry.k8s.io/kube-controller-manager"
364

365
	// KubernetesSchedulerImage is the enforced scheduler image to use for the control plane.
366
	KubernetesSchedulerImage = "registry.k8s.io/kube-scheduler"
367

368
	// CoreDNSImage is the enforced CoreDNS image to use.
369
	CoreDNSImage = "registry.k8s.io/coredns/coredns"
370

371
	// DefaultCoreDNSVersion is the default version for the CoreDNS.
372
	// renovate: datasource=docker depName=registry.k8s.io/coredns/coredns
373
	DefaultCoreDNSVersion = "v1.11.1"
374

375
	// LabelNodeRoleControlPlane is the node label required by a control plane node.
376
	LabelNodeRoleControlPlane = "node-role.kubernetes.io/control-plane"
377

378
	// ManifestsDirectory is the directory that contains all static manifests.
379
	ManifestsDirectory = KubernetesConfigBaseDir + "/" + "manifests"
380

381
	// TalosManifestPrefix is the prefix for static pod files created in ManifestsDirectory by Talos.
382
	TalosManifestPrefix = "talos-"
383

384
	// KubeletKubeconfig is the generated kubeconfig for kubelet.
385
	KubeletKubeconfig = KubernetesConfigBaseDir + "/" + "kubeconfig-kubelet"
386

387
	// KubeletSystemReservedCPU cpu system reservation value for kubelet kubeconfig.
388
	KubeletSystemReservedCPU = "50m"
389

390
	// KubeletSystemReservedMemory memory system reservation value for kubelet kubeconfig.
391
	KubeletSystemReservedMemory = "192Mi"
392

393
	// KubeletSystemReservedPid pid system reservation value for kubelet kubeconfig.
394
	KubeletSystemReservedPid = "100"
395

396
	// KubeletSystemReservedEphemeralStorage ephemeral-storage system reservation value for kubelet kubeconfig.
397
	KubeletSystemReservedEphemeralStorage = "256Mi"
398

399
	// DefaultEtcdVersion is the default target version of etcd.
400
	// renovate: datasource=github-releases depName=etcd-io/etcd
401
	DefaultEtcdVersion = "v3.5.14"
402

403
	// EtcdRootTalosKey is the root etcd key for Talos-specific storage.
404
	EtcdRootTalosKey = "talos:v1"
405

406
	// EtcdTalosEtcdUpgradeMutex is the etcd mutex prefix to be used to set an etcd upgrade lock.
407
	EtcdTalosEtcdUpgradeMutex = EtcdRootTalosKey + ":etcdUpgradeMutex"
408

409
	// EtcdTalosManifestApplyMutex is the etcd mutex prefix used by manifest apply controller.
410
	EtcdTalosManifestApplyMutex = EtcdRootTalosKey + ":manifestApplyMutex"
411

412
	// EtcdTalosServiceAccountCRDControllerMutex is the etcd mutex prefix used by Talos ServiceAccount crd controller.
413
	EtcdTalosServiceAccountCRDControllerMutex = EtcdRootTalosKey + ":serviceAccountCRDController"
414

415
	// EtcdImage is the repository for the etcd image.
416
	EtcdImage = "gcr.io/etcd-development/etcd"
417

418
	// EtcdPKIPath is the path to the etcd PKI directory.
419
	EtcdPKIPath = "/system/secrets/etcd"
420

421
	// EtcdDataPath is the path where etcd stores its data.
422
	EtcdDataPath = "/var/lib/etcd"
423

424
	// EtcdRecoverySnapshotPath is the path where etcd snapshot is uploaded for recovery.
425
	EtcdRecoverySnapshotPath = "/var/lib/etcd.snapshot"
426

427
	// EtcdUserID is the user ID for the etcd process.
428
	EtcdUserID = 60
429

430
	// ConfigPath is the path to the downloaded config.
431
	ConfigPath = StateMountPoint + "/config.yaml"
432

433
	// ConfigTryTimeout is the timeout of the config apply in try mode.
434
	ConfigTryTimeout = time.Minute
435

436
	// MetalConfigISOLabel is the volume label for ISO based configuration.
437
	MetalConfigISOLabel = "metal-iso"
438

439
	// ConfigGuestInfo is the name of the VMware guestinfo config strategy.
440
	ConfigGuestInfo = "guestinfo"
441

442
	// VMwareGuestInfoConfigKey is the guestinfo key used to provide a config file.
443
	VMwareGuestInfoConfigKey = "talos.config"
444

445
	// VMwareGuestInfoFallbackKey is the fallback guestinfo key used to provide a config file.
446
	VMwareGuestInfoFallbackKey = "userdata"
447

448
	// VMwareGuestInfoMetadataKey is the guestinfo key used to provide metadata.
449
	VMwareGuestInfoMetadataKey = "metadata"
450

451
	// VMwareGuestInfoOvfEnvKey is the guestinfo key used to provide the OVF environment.
452
	VMwareGuestInfoOvfEnvKey = "ovfenv"
453

454
	// AuditPolicyPath is the path to the audit-policy.yaml relative to initramfs.
455
	AuditPolicyPath = KubernetesConfigBaseDir + "/" + "audit-policy.yaml"
456

457
	// EncryptionConfigPath is the path to the EncryptionConfig relative to initramfs.
458
	EncryptionConfigPath = KubernetesConfigBaseDir + "/" + "encryptionconfig.yaml"
459

460
	// EncryptionConfigRootfsPath is the path to the EncryptionConfig relative to rootfs.
461
	EncryptionConfigRootfsPath = KubernetesConfigBaseDir + "/" + "encryptionconfig.yaml"
462

463
	// ApidPort is the port for the apid service.
464
	ApidPort = 50000
465

466
	// ApidUserID is the user ID for apid.
467
	ApidUserID = 50
468

469
	// DashboardUserID is the user ID for dashboard.
470
	// We use the same user ID as apid so that the dashboard can write to the machined unix socket.
471
	DashboardUserID = ApidUserID
472

473
	// TrustdPort is the port for the trustd service.
474
	TrustdPort = 50001
475

476
	// TrustdUserID is the user ID for trustd.
477
	TrustdUserID = 51
478

479
	// DefaultContainerdVersion is the default container runtime version.
480
	DefaultContainerdVersion = "2.0.0-rc.3"
481

482
	// SystemContainerdNamespace is the Containerd namespace for Talos services.
483
	SystemContainerdNamespace = "system"
484

485
	// SystemContainerdAddress is the path to the system containerd socket.
486
	SystemContainerdAddress = SystemRunPath + "/containerd/containerd.sock"
487

488
	// K8sContainerdNamespace is the Containerd namespace for CRI pods.
489
	K8sContainerdNamespace = "k8s.io"
490

491
	// CRIContainerdAddress is the path to the CRI containerd socket address.
492
	CRIContainerdAddress = "/run/containerd/containerd.sock"
493

494
	// CRIContainerdConfig is the path to the config for the containerd instance that provides the CRI.
495
	CRIContainerdConfig = "/etc/cri/containerd.toml"
496

497
	// CRIConfdPath is the path to the directory providing parts of CRI plugin configuration.
498
	CRIConfdPath = "/etc/cri/conf.d"
499

500
	// CRIConfig is the path to the CRI merged configuration file relative to /etc.
501
	CRIConfig = "cri/conf.d/cri.toml"
502

503
	// CRIRegistryConfigPart is the path to the CRI generated registry configuration relative to /etc.
504
	CRIRegistryConfigPart = "cri/conf.d/01-registries.part"
505

506
	// CRICustomizationConfigPart is the path to the CRI generated customization configuration relative to /etc.
507
	CRICustomizationConfigPart = "cri/conf.d/20-customization.part"
508

509
	// TalosConfigEnvVar is the environment variable for setting the Talos configuration file path.
510
	TalosConfigEnvVar = "TALOSCONFIG"
511

512
	// APISocketPath is the path to file socket of apid.
513
	APISocketPath = SystemRunPath + "/apid/apid.sock"
514

515
	// APIRuntimeSocketPath is the path to file socket of runtime server for apid.
516
	APIRuntimeSocketPath = SystemRunPath + "/apid/runtime.sock"
517

518
	// TrustdRuntimeSocketPath is the path to file socket of runtime server for trustd.
519
	TrustdRuntimeSocketPath = SystemRunPath + "/trustd/runtime.sock"
520

521
	// MachineSocketPath is the path to file socket of machine API.
522
	MachineSocketPath = SystemRunPath + "/machined/machine.sock"
523

524
	// NetworkSocketPath is the path to file socket of network API.
525
	NetworkSocketPath = SystemRunPath + "/networkd/networkd.sock"
526

527
	// ArchVariable is replaced automatically by the target cluster arch.
528
	ArchVariable = "${ARCH}"
529

530
	// KernelAsset defines a well known name for our kernel filename.
531
	KernelAsset = "vmlinuz"
532

533
	// KernelAssetWithArch defines a well known name for our kernel filename with arch variable.
534
	KernelAssetWithArch = "vmlinuz-" + ArchVariable
535

536
	// KernelAssetPath is the path to the kernel on disk.
537
	KernelAssetPath = "/usr/install/%s/" + KernelAsset
538

539
	// InitramfsAsset defines a well known name for our initramfs filename.
540
	InitramfsAsset = "initramfs.xz"
541

542
	// InitramfsAssetWithArch defines a well known name for our initramfs filename with arch variable.
543
	InitramfsAssetWithArch = "initramfs-" + ArchVariable + ".xz"
544

545
	// InitramfsAssetPath is the path to the initramfs on disk.
546
	InitramfsAssetPath = "/usr/install/%s/" + InitramfsAsset
547

548
	// RootfsAsset defines a well known name for our rootfs filename.
549
	RootfsAsset = "rootfs.sqsh"
550

551
	// UKIAsset defines a well known name for our UKI filename.
552
	UKIAsset = "vmlinuz.efi.signed"
553

554
	// UKIAssetPath is the path to the UKI in the installer.
555
	UKIAssetPath = "/usr/install/%s/" + UKIAsset
556

557
	// SDStubAsset defines a well known name for our systemd-stub filename.
558
	SDStubAsset = "systemd-stub.efi"
559

560
	// SDStubAssetPath is the path to the systemd-stub in the installer.
561
	SDStubAssetPath = "/usr/install/%s/" + SDStubAsset
562

563
	// SDBootAsset defines a well known name for our SDBoot filename.
564
	SDBootAsset = "systemd-boot.efi"
565

566
	// SDBootAssetPath is the path to the SDBoot in the installer.
567
	SDBootAssetPath = "/usr/install/%s/" + SDBootAsset
568

569
	// DTBAssetPath is the path to the device tree blobs in the installer.
570
	DTBAssetPath = "/usr/install/%s/dtb"
571

572
	// UBootAssetPath is the path to the u-boot in the installer.
573
	UBootAssetPath = "/usr/install/%s/u-boot"
574

575
	// RPiFirmwareAssetPath is the path to the raspberrypi firmware in the installer.
576
	RPiFirmwareAssetPath = "/usr/install/%s/raspberrypi-firmware"
577

578
	// ImagerOverlayBasePath is the base path for the imager overlay.
579
	ImagerOverlayBasePath = "/overlay"
580
	// ImagerOverlayArtifactsPath is the path to the artifacts in the imager overlay.
581
	ImagerOverlayArtifactsPath = ImagerOverlayBasePath + "/" + "artifacts"
582
	// ImagerOverlayInstallersPath is the path to the installers in the imager overlay.
583
	ImagerOverlayInstallersPath = ImagerOverlayBasePath + "/" + "installers"
584
	// ImagerOverlayProfilesPath is the path to the profiles in the imager overlay.
585
	ImagerOverlayProfilesPath = ImagerOverlayBasePath + "/" + "profiles"
586
	// ImagerOverlayInstallerDefault is the default installer name.
587
	ImagerOverlayInstallerDefault = "default"
588
	// ImagerOverlayInstallerDefaultPath is the path to the default installer in the imager overlay.
589
	ImagerOverlayInstallerDefaultPath = ImagerOverlayInstallersPath + "/" + ImagerOverlayInstallerDefault
590
	// ImagerOverlayExtraOptionsPath is the path to the generated extra options file in the imager overlay.
591
	ImagerOverlayExtraOptionsPath = ImagerOverlayBasePath + "/" + "extra-options"
592

593
	// PlatformKeyAsset defines a well known name for the platform key filename used for auto-enrolling.
594
	PlatformKeyAsset = "PK.auth"
595

596
	// KeyExchangeKeyAsset defines a well known name for the key exchange key filename used for auto-enrolling.
597
	KeyExchangeKeyAsset = "KEK.auth"
598

599
	// SignatureKeyAsset defines a well known name for the signature key filename used for auto-enrolling.
600
	SignatureKeyAsset = "db.auth"
601

602
	// SecureBootSigningKeyAsset defines a well known name for the secure boot signing key filename.
603
	SecureBootSigningKeyAsset = "uki-signing-key.pem"
604

605
	// SecureBootSigningCertAsset defines a well known name for the secure boot signing certificate filename.
606
	SecureBootSigningCertAsset = "uki-signing-cert.pem"
607

608
	// PCRSigningKeyAsset defines a well known name for the PCR signing key filename.
609
	PCRSigningKeyAsset = "pcr-signing-key.pem"
610

611
	// SDStubDynamicInitrdPath is the path where dynamically generated initrds are placed by systemd-stub.
612
	// https://www.mankier.com/7/systemd-stub#Description
613
	SDStubDynamicInitrdPath = "/.extra"
614

615
	// PCRSignatureJSON is the path to the PCR signature JSON file.
616
	// https://www.mankier.com/7/systemd-stub#Initrd_Resources
617
	PCRSignatureJSON = SDStubDynamicInitrdPath + "/" + "tpm2-pcr-signature.json"
618

619
	// PCRPublicKey is the path to the PCR public key file.
620
	// https://www.mankier.com/7/systemd-stub#Initrd_Resources
621
	PCRPublicKey = SDStubDynamicInitrdPath + "/" + "tpm2-pcr-public-key.pem"
622

623
	// DefaultCertificateValidityDuration is the default duration for a certificate.
624
	DefaultCertificateValidityDuration = x509.DefaultCertificateValidityDuration
625

626
	// SystemPath is the path to write temporary runtime system related files
627
	// and directories.
628
	SystemPath = "/system"
629

630
	// VarSystemOverlaysPath is the path where overlay mounts are created.
631
	VarSystemOverlaysPath = "/var/system/overlays"
632

633
	// SystemRunPath is the path to the system run directory.
634
	SystemRunPath = SystemPath + "/run"
635

636
	// SystemVarPath is the path to the system var directory.
637
	SystemVarPath = SystemPath + "/var"
638

639
	// SystemEtcPath is the path to the system etc directory.
640
	SystemEtcPath = SystemPath + "/etc"
641

642
	// SystemLibexecPath is the path to the system libexec directory.
643
	SystemLibexecPath = SystemPath + "/libexec"
644

645
	// SystemExtensionsPath is the path to the system extensions directory.
646
	SystemExtensionsPath = SystemPath + "/extensions"
647

648
	// SystemOverlaysPath is the path to the system overlay directory.
649
	SystemOverlaysPath = SystemPath + "/overlays"
650

651
	// CgroupMountPath is the default mount path for unified cgroupsv2 setup.
652
	CgroupMountPath = "/sys/fs/cgroup"
653

654
	// CgroupInit is the cgroup name for init process.
655
	CgroupInit = "/init"
656

657
	// CgroupInitReservedMemory is the hard memory protection for the init process.
658
	CgroupInitReservedMemory = 96 * 1024 * 1024
659

660
	// CgroupSystem is the cgroup name for system processes.
661
	CgroupSystem = "/system"
662

663
	// CgroupSystemReservedMemory is the hard memory protection for the system processes.
664
	CgroupSystemReservedMemory = 96 * 1024 * 1024
665

666
	// CgroupSystemRuntime is the cgroup name for containerd runtime processes.
667
	CgroupSystemRuntime = CgroupSystem + "/runtime"
668

669
	// CgroupApid is the cgroup name for apid runtime processes.
670
	CgroupApid = CgroupSystem + "/apid"
671

672
	// CgroupTrustd is the cgroup name for trustd runtime processes.
673
	CgroupTrustd = CgroupSystem + "/trustd"
674

675
	// CgroupUdevd is the cgroup name for udevd runtime processes.
676
	CgroupUdevd = CgroupSystem + "/udevd"
677

678
	// CgroupExtensions is the cgroup name for system extension processes.
679
	CgroupExtensions = CgroupSystem + "/extensions"
680

681
	// CgroupDashboard is the cgroup name for dashboard process.
682
	CgroupDashboard = CgroupSystem + "/dashboard"
683

684
	// CgroupPodRuntime is the cgroup name for kubernetes containerd runtime processes.
685
	CgroupPodRuntime = "/podruntime/runtime"
686

687
	// CgroupPodRuntimeReservedMemory is the hard memory protection for the cri runtime processes.
688
	CgroupPodRuntimeReservedMemory = 128 * 1024 * 1024
689

690
	// CgroupEtcd is the cgroup name for etcd process.
691
	CgroupEtcd = "/podruntime/etcd"
692

693
	// CgroupKubelet is the cgroup name for kubelet process.
	CgroupKubelet = "/podruntime/kubelet"

	// CgroupKubeletReservedMemory is the hard memory protection for the kubelet processes.
	CgroupKubeletReservedMemory = 64 * 1024 * 1024

	// CgroupDashboardReservedMemory is the hard memory protection for the dashboard process.
	CgroupDashboardReservedMemory = 85 * 1024 * 1024

	// CgroupDashboardLowMemory is the low memory value for the dashboard process.
	CgroupDashboardLowMemory = 100 * 1024 * 1024

	// FlannelCNI is the string to use Talos-managed Flannel CNI (default).
	FlannelCNI = "flannel"

	// CustomCNI is the string to use custom CNI managed by Talos with extra manifests.
	CustomCNI = "custom"

	// NoneCNI is the string to indicate that CNI will not be managed by Talos.
	NoneCNI = "none"

	// DefaultIPv4PodNet is the IPv4 network to be used for kubernetes Pods.
	DefaultIPv4PodNet = "10.244.0.0/16"

	// DefaultIPv4ServiceNet is the IPv4 network to be used for kubernetes Services.
	DefaultIPv4ServiceNet = "10.96.0.0/12"

	// DefaultIPv6PodNet is the IPv6 network to be used for kubernetes Pods.
	DefaultIPv6PodNet = "fc00:db8:10::/56"

	// DefaultIPv6ServiceNet is the IPv6 network to be used for kubernetes Services.
	DefaultIPv6ServiceNet = "fc00:db8:20::/112"

	// DefaultDNSDomain is the default DNS domain.
	DefaultDNSDomain = "cluster.local"

	// ConfigLoadTimeout is the timeout to wait for the config to be loaded from an external source.
	ConfigLoadTimeout = 3 * time.Hour

	// ConfigLoadAttemptTimeout is the timeout for a single attempt to download config.
	ConfigLoadAttemptTimeout = 3 * time.Minute

	// BootTimeout is the timeout to run all services.
	BootTimeout = 70 * time.Minute

	// FailurePauseTimeout is the timeout for the sequencer failures which can be fixed by updating the machine config.
	FailurePauseTimeout = 35 * time.Minute

	// EtcdJoinTimeout is the timeout for etcd to join the existing cluster.
	//
	// BootTimeout should be higher than EtcdJoinTimeout.
	EtcdJoinTimeout = 30 * time.Minute

	// NodeReadyTimeout is the timeout to wait for the node to be ready (CNI to be running).
	// For bootstrap API, this includes time to run bootstrap.
	NodeReadyTimeout = BootTimeout

	// AnnotationCordonedKey is the annotation key for the nodes cordoned by Talos.
	AnnotationCordonedKey = "talos.dev/cordoned"

	// AnnotationCordonedValue is the annotation value for the nodes cordoned by Talos.
	AnnotationCordonedValue = "true"

	// AnnotationStaticPodSecretsVersion is the annotation key for the static pod secret version.
	AnnotationStaticPodSecretsVersion = "talos.dev/secrets-version"

	// AnnotationStaticPodConfigVersion is the annotation key for the static pod config version.
	AnnotationStaticPodConfigVersion = "talos.dev/config-version"

	// AnnotationStaticPodConfigFileVersion is the annotation key for the static pod configuration file version.
	AnnotationStaticPodConfigFileVersion = "talos.dev/config-file-version"

	// AnnotationOwnedLabels is the annotation key for the list of node labels owned by Talos.
	AnnotationOwnedLabels = "talos.dev/owned-labels"

	// AnnotationOwnedTaints is the annotation key for the list of node taints owned by Talos.
	AnnotationOwnedTaints = "talos.dev/owned-taints"

	// DefaultNTPServer is the NTP server to use if not configured explicitly.
	DefaultNTPServer = "time.cloudflare.com"

	// DefaultPrimaryResolver is the default primary DNS server.
	DefaultPrimaryResolver = "1.1.1.1"

	// DefaultSecondaryResolver is the default secondary DNS server.
	DefaultSecondaryResolver = "8.8.8.8"

	// DefaultClusterIDSize is the default size in bytes for the cluster ID token.
	DefaultClusterIDSize = 32

	// DefaultClusterSecretSize is the default size in bytes for the cluster secret.
	DefaultClusterSecretSize = 32

	// DefaultNodeIdentitySize is the default size in bytes for the node ID.
	DefaultNodeIdentitySize = 32

	// NodeIdentityFilename is the filename to cache node identity across reboots.
	NodeIdentityFilename = "node-identity.yaml"

	// DefaultDiscoveryServiceEndpoint is the default endpoint for Talos discovery service.
	DefaultDiscoveryServiceEndpoint = "https://discovery.talos.dev/"

	// KubeSpanIdentityFilename is the filename to cache KubeSpan identity across reboots.
	KubeSpanIdentityFilename = "kubespan-identity.yaml"

	// KubeSpanDefaultPort is the default Wireguard listening port for incoming connections.
	KubeSpanDefaultPort = 51820

	// KubeSpanDefaultRoutingTable is the default routing table for KubeSpan LAN targets.
	//
	// This specifies the routing table which will be used for Wireguard-available destinations.
	KubeSpanDefaultRoutingTable = 180

	// KubeSpanDefaultFirewallMark is the default firewall mark to use for Wireguard encrypted egress packets.
	//
	// Normal Wireguard configurations will NOT use this firewall mark.
	KubeSpanDefaultFirewallMark = 0x20

	// KubeSpanDefaultForceFirewallMark is the default firewall mark to use for packets destined to IPs serviced by KubeSpan.
	//
	// It is used to signal that matching packets should be forced into the Wireguard interface.
	KubeSpanDefaultForceFirewallMark = 0x40

	// KubeSpanDefaultFirewallMask is the mask applied to the packet mark when matching and setting the mark.
	//
	// This mask signals the bits of the firewall mark used by KubeSpan.
	KubeSpanDefaultFirewallMask = KubeSpanDefaultFirewallMark | KubeSpanDefaultForceFirewallMark

	// KubeSpanDefaultPeerKeepalive is the interval at which Wireguard Peer Keepalives should be sent.
	KubeSpanDefaultPeerKeepalive = 25 * time.Second

	// NetworkSelfIPsAnnotation is the node annotation used to list the (comma-separated) IP addresses of the host, as discovered by Talos tooling.
	NetworkSelfIPsAnnotation = "networking.talos.dev/self-ips"

	// NetworkAPIServerPortAnnotation is the node annotation used to report the control plane API server port.
	NetworkAPIServerPortAnnotation = "networking.talos.dev/api-server-port"

	// ClusterNodeIDAnnotation is the node annotation used to represent node ID.
	ClusterNodeIDAnnotation = "cluster.talos.dev/node-id"

	// KubeSpanIPAnnotation is the node annotation to be used for indicating the Wireguard IP of the node.
	KubeSpanIPAnnotation = "networking.talos.dev/kubespan-ip"

	// KubeSpanPublicKeyAnnotation is the node annotation to be used for indicating the Wireguard Public Key of the node.
	KubeSpanPublicKeyAnnotation = "networking.talos.dev/kubespan-public-key"

	// KubeSpanAssignedPrefixesAnnotation is the node annotation used to list the (comma-separated) set of IP prefixes for which the annotated node should be responsible.
	KubeSpanAssignedPrefixesAnnotation = "networking.talos.dev/assigned-prefixes"

	// KubeSpanKnownEndpointsAnnotation is the node annotation used to list the (comma-separated) known-good Wireguard endpoints for the node, as seen by other peers.
	KubeSpanKnownEndpointsAnnotation = "networking.talos.dev/kubespan-endpoints"

	// KubeSpanLinkName is the link name for the KubeSpan Wireguard interface.
	KubeSpanLinkName = "kubespan"

	// KubeSpanLinkMTU is the default link MTU size for the KubeSpan Wireguard interface.
	KubeSpanLinkMTU = 1420

	// KubeSpanLinkMinimumMTU is the minimum link MTU size for the KubeSpan Wireguard interface.
	//
	// This is the minimum MTU size for the Wireguard interface with IPv6 enabled.
	// See: https://lore.kernel.org/wireguard/20190321033638.1ff82682@natsu/t/
	KubeSpanLinkMinimumMTU = 1280

	// UdevDir is the path to the udev directory.
	UdevDir = "/usr/etc/udev"

	// UdevRulesPath is the path to the Talos udev rules file.
	UdevRulesPath = UdevDir + "/" + "rules.d/99-talos.rules"

	// LoggingFormatJSONLines represents "JSON lines" logging format.
	LoggingFormatJSONLines = "json_lines"

	// SideroLinkName is the interface name for SideroLink.
	SideroLinkName = "siderolink"

	// SideroLinkDefaultPeerKeepalive is the interval at which Wireguard Peer Keepalives should be sent.
	SideroLinkDefaultPeerKeepalive = 25 * time.Second

	// PlatformNetworkConfigFilename is the filename to cache platform network configuration across reboots.
	PlatformNetworkConfigFilename = "platform-network.yaml"

	// FirmwarePath is the path to the standard Linux firmware location.
	FirmwarePath = "/lib/firmware"

	// ExtensionServiceConfigPath is the directory path which contains configuration files of extension services.
	//
	// See pkg/machinery/extensions/services for the file format.
	ExtensionServiceConfigPath = "/usr/local/etc/containers"

	// ExtensionServiceRootfsPath is the path to the extracted rootfs files of extension services.
	ExtensionServiceRootfsPath = "/usr/local/lib/containers"

	// ExtensionServiceUserConfigPath is the path to the user provided extension services config directory.
	ExtensionServiceUserConfigPath = SystemOverlaysPath + "/extensions"

	// DBusServiceSocketPath is the path to the D-Bus socket for the logind mock to connect to.
	DBusServiceSocketPath = SystemRunPath + "/dbus/service.socket"

	// DBusClientSocketPath is the path to the D-Bus socket for the kubelet to connect to.
	DBusClientSocketPath = "/run/dbus/system_bus_socket"

	// GoVersion is the version of Go compiler this release was built with.
	GoVersion = "go1.22.5"

	// KubernetesTalosAPIServiceName is the name of the Kubernetes service to access Talos API.
	KubernetesTalosAPIServiceName = "talos"

	// KubernetesTalosAPIServiceNamespace is the namespace of the Kubernetes service to access Talos API.
	KubernetesTalosAPIServiceNamespace = "default"

	// TalosDir is the default name of the Talos directory under user home.
	TalosDir = ".talos"

	// TalosconfigFilename is the file name of Talosconfig under TalosDir or under ServiceAccountMountPath inside a pod.
	TalosconfigFilename = "config"

	// KubernetesTalosProvider is the name of the Talos provider as a Kubernetes label.
	KubernetesTalosProvider = "talos.dev"

	// ServiceAccountResourceGroup is the group name of the Talos service account CRD.
	ServiceAccountResourceGroup = "talos.dev"

	// ServiceAccountResourceVersion is the version of the Talos service account CRD.
	ServiceAccountResourceVersion = "v1alpha1"

	// ServiceAccountResourceKind is the kind name of the Talos service account CRD.
	ServiceAccountResourceKind = "ServiceAccount"

	// ServiceAccountResourceSingular is the singular name of the Talos service account CRD.
	ServiceAccountResourceSingular = "serviceaccount"

	// ServiceAccountResourceShortName is the short name of the service account CRD.
	ServiceAccountResourceShortName = "tsa"

	// ServiceAccountResourcePlural is the plural name of the service account CRD.
	ServiceAccountResourcePlural = ServiceAccountResourceSingular + "s"

	// ServiceAccountMountPath is the path of the directory in which the Talos service account secrets are mounted.
	ServiceAccountMountPath = "/var/run/secrets/talos.dev"

	// DefaultTrustedCAFile is the default path to the trusted CA file.
	DefaultTrustedCAFile = "/etc/ssl/certs/ca-certificates"

	// MachinedMaxProcs is the maximum number of GOMAXPROCS for machined.
	MachinedMaxProcs = 4

	// ApidMaxProcs is the maximum number of GOMAXPROCS for apid.
	ApidMaxProcs = 2

	// TrustdMaxProcs is the maximum number of GOMAXPROCS for trustd.
	TrustdMaxProcs = 2

	// DashboardMaxProcs is the maximum number of GOMAXPROCS for dashboard.
	DashboardMaxProcs = 2

	// APIAuthzRoleMetadataKey is the gRPC metadata key used to submit a role with os:impersonator.
	APIAuthzRoleMetadataKey = "talos-role"

	// KernelLogsTTY is the number of the TTY device (/dev/ttyN) to redirect Kernel logs to.
	KernelLogsTTY = 1

	// DashboardTTY is the number of the TTY device (/dev/ttyN) for dashboard.
	DashboardTTY = 2

	// FlannelVersion is the version of flannel to use.
	FlannelVersion = "v0.25.3"

	// PlatformMetal is the name of the metal platform.
	PlatformMetal = "metal"

	// MetaValuesEnvVar is the name of the environment variable to store encoded meta values for the disk image (installer).
	MetaValuesEnvVar = "INSTALLER_META_BASE64"

	// MaintenanceServiceCommonName is the CN of the maintenance service server certificate.
	MaintenanceServiceCommonName = "maintenance-service.talos.dev"

	// GRPCMaxMessageSize is the maximum message size for Talos API.
	GRPCMaxMessageSize = 32 * 1024 * 1024

	// TcellMinimizeEnvironment is the environment variable to minimize tcell library memory usage (skips rune width calculation).
	TcellMinimizeEnvironment = "TCELL_MINIMIZE=1"

	// DefaultKubePrismPort is the default port for the KubePrism loadbalancer.
	DefaultKubePrismPort = 7445

	// KubePrismDialTimeout is the timeout for the KubePrism loadbalancer dialing an endpoint.
	KubePrismDialTimeout = 15 * time.Second

	// KubePrismKeepAlivePeriod is the TCP keepalive period for the KubePrism loadbalancer.
	KubePrismKeepAlivePeriod = 30 * time.Second

	// KubePrismTCPUserTimeout is the TCP user timeout for the KubePrism loadbalancer.
	KubePrismTCPUserTimeout = 30 * time.Second

	// KubePrismHealthCheckInterval is the interval between health checks for the KubePrism loadbalancer.
	KubePrismHealthCheckInterval = 20 * time.Second

	// KubePrismHealthCheckTimeout is the timeout for health checks for the KubePrism loadbalancer.
	KubePrismHealthCheckTimeout = 15 * time.Second

	// TalosAPIDefaultCertificateValidityDuration specifies default certificate duration for Talos API generated client certificates.
	TalosAPIDefaultCertificateValidityDuration = time.Hour * 24 * 365

	// DefaultNfTablesTableName is the default name of the nftables table created by Talos.
	DefaultNfTablesTableName = "talos"

	// PodResolvConfPath is the path to the pod resolv.conf file.
	PodResolvConfPath = "/system/resolved/resolv.conf"

	// SyslogListenSocketPath is the path to the syslog socket.
	SyslogListenSocketPath = "/dev/log"

	// MinimumGOAMD64Level is the minimum x86_64 microarchitecture level required by Talos.
	MinimumGOAMD64Level = 2

	// ConsoleLogErrorSuppressThreshold is the threshold for suppressing console log errors.
	ConsoleLogErrorSuppressThreshold = 4
)

// See https://linux.die.net/man/3/klogctl
//
// Command values passed as the "type" argument of klogctl(3); the names are
// kept as the kernel spells them.
//
//nolint:stylecheck,revive
const (
	// SYSLOG_ACTION_READ_ALL is the klogctl command which reads all messages
	// remaining in the kernel ring buffer.
	//nolint:golint
	SYSLOG_ACTION_READ_ALL = 3

	// SYSLOG_ACTION_SIZE_BUFFER is the klogctl command which returns the size
	// of the kernel ring buffer.
	//nolint:golint
	SYSLOG_ACTION_SIZE_BUFFER = 10
)

// Names of the variables which can be substituted in the talos.config kernel parameter.
const (
	// UUIDKey is the "uuid" placeholder.
	UUIDKey = "uuid"

	// SerialNumberKey is the "serial" placeholder.
	SerialNumberKey = "serial"

	// HostnameKey is the "hostname" placeholder.
	HostnameKey = "hostname"

	// MacKey is the "mac" placeholder.
	MacKey = "mac"

	// CodeKey is the "code" placeholder.
	CodeKey = "code"
)

// Overlays is the set of paths to create overlay mounts for.
//
// NOTE(review): presumably these are the directories which must stay writable
// on top of an otherwise read-only rootfs — confirm against the mount code.
var Overlays = []string{"/etc/cni", KubernetesConfigBaseDir, "/usr/libexec/kubernetes", "/opt"}

// DefaultDroppedCapabilities is the default set of capabilities to drop.
//
// The map is used as a set: only the presence of the (lower-case) capability
// name matters. cap_sys_boot governs reboot/kexec and cap_sys_module governs
// loading kernel modules, so dropping both keeps a compromised service from
// rebooting the node or injecting code into the kernel.
var DefaultDroppedCapabilities = map[string]struct{}{
	"cap_sys_module": {},
	"cap_sys_boot":   {},
}

// UdevdDroppedCapabilities is the set of capabilities to drop for udevd.
//
// Unlike DefaultDroppedCapabilities, cap_sys_module is retained here —
// presumably because udevd loads kernel modules for newly detected devices;
// confirm against the udevd service definition.
var UdevdDroppedCapabilities = map[string]struct{}{"cap_sys_boot": {}}

// ValidEffects is the set of valid taint effects.
//
// These are the three effects Kubernetes defines for node taints, kept in
// declaration order.
var ValidEffects = []string{"NoSchedule", "PreferNoSchedule", "NoExecute"}

// OSReleaseTemplate is the template for /etc/os-release.
//
// The placeholders use Go template syntax and expect .Name, .ID and .Version;
// the remaining lines are fixed vendor metadata. The literal ends with a
// newline so the rendered file does too.
const OSReleaseTemplate = `NAME="{{ .Name }}"
ID={{ .ID }}
VERSION_ID={{ .Version }}
PRETTY_NAME="{{ .Name }} ({{ .Version }})"
HOME_URL="https://www.talos.dev/"
BUG_REPORT_URL="https://github.com/siderolabs/talos/issues"
VENDOR_NAME="Sidero Labs"
VENDOR_URL="https://www.siderolabs.com/"
`
