v1.5.0-alpha.3

[smira]

Talos 1.5.0-alpha.3 (2023-07-25)

Welcome to the v1.5.0-alpha.3 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Extension Services

Talos now supports setting environmentFile for an extension service container spec. Refer: https://www.talos.dev/v1.5/advanced/extension-services/#container
The extension waits for the file to be present before starting the service.

Predictable Network Interface Names

Starting with version Talos 1.5, network interfaces are renamed to predictable names
same way as systemd does that in other Linux distributions.

The naming schema enx78e7d1ea46da (based on MAC addresses) is enabled by default, the order of interface naming decisions is:

• firmware/BIOS provided index numbers for on-board devices (example: eno1)
• firmware/BIOS provided PCI Express hotplug slot index numbers (example: ens1)
• physical/geographical location of the connector of the hardware (example: enp2s0)
• interfaces's MAC address (example: enx78e7d1ea46da)

The predictable network interface names features can be disabled by specifying net.ifnames=0 in the kernel command line.
Talos automatically adds the net.ifnames=0 kernel argument when upgrading from Talos versions before 1.5.

This change doesn't affect "cloud" platforms, like AWS, as Talos automatically adds net.ifnames=0 to the kernel command line.

Network KMS Disk Encryption

Talos now supports new type of encryption keys which are sealed/unsealed with an external KMS server:

systemDiskEncryption:
  ephemeral:
    keys:
      - kms:
          endpoint: https://1.2.3.4:443
        slot: 0

gRPC API definitions and a simple reference implementation of the KMS server can be found in this
repository.

KubePrism - Kubernetes API Server In-Cluster Load Balancer

Talos now supports configuring the KubePrism - Kubernetes API Server in-cluster load balancer with machine config
features.kubePrism.port and features.kubePrism.enabled fields.

If enabled, KubePrism binds to localhost and runs on the same port on every machine in the cluster.
The default value for KubePrism endpoint is https://localhost:7445.

The KubePrism is used by the kubelet, kube-scheduler, kube-controller-manager
and kube-proxy by default and can be passed to the CNIs like Cilium and Calico.

The KubePrism provides access to the Kubernetes API endpoint even if the external loadbalancer
is not healthy, provided that the worker nodes can reach to the controlplane machine addresses directly.

Machine Config option .machine.install.bootloader

The .machine.install.bootloader option in the machine config is deprecated and will be removed in Talos 1.6.
This was a no-op for a long time. The bootloader is always installed.

XFS Quota

Talos 1.5+ enables XFS project quota support by default, also enabling by default
kubelet feature gate LocalStorageCapacityIsolationFSQuotaMonitoring to use xfs quotas
to monitor volume usage instead of du.

This feature is controlled by the .machine.features.diskQuotaSupport field in the machine config,
it is set to true for new clusters.

When upgrading from a previous version, the feature can be enabled by setting the field to true.
On the first mount of a volume, the quota information will be recalculated, which may take some time.

RDMA/RoCE support

Talos no longer loads by default rdma_rxe Linux driver, which is required for RoCE support.
If the driver is required, it can be enabled by specifying rdma_rxe in the .machine.kernel.modules field in the machine config.

SecureBoot

Talos now supports generating a custom iso that can be used with SecureBoot. Key generation and enrolling has to be done manually.

talosctl image Command

A new set of commands was introduced to manage container images in the CRI:

• talosctl image list shows list of available images
• talosctl image pull allows to pre-pull an image into the CRI

Both new commands accept --namespace flag with two possible values:

• cri (default): images managed by the CRI (Kubernetes workloads)
• system: images managed by Talos (etcd and kubelet)

### `talosctl images` Command

The command `talosctl images` was renamed to `talosctl image default`.

The backward-compatible alias is kept in Talos 1.5, but it will be dropped in Talos 1.6.


### TPM Disk Encryption

Talos now supports encrypting STATE/EPHEMERAL with keys bound to a TPM device. The TPM device must be TPM2.0 compatible.
This is ideally supported when booting with new Talos SecureBoot UKI ISOs/Metal images. This feature would still work if SecureBoot
is not enabled for UKI images, but not recommended since there is no way to verify the trust of the bootloader.

Example machine config:

systemDiskEncryption:
ephemeral:
keys:
- slot: 0
tpm: {}
state:
keys:
- slot: 0
tpm: {}

### Component Updates

* Linux: 6.1.39
* containerd: 1.6.21
* runc: 1.1.8
* etcd: 3.5.9
* Kubernetes: 1.28.0-beta.0
* Flannel: 0.22.0

Talos is built with Go 1.20.6.


### `talosctl upgrade-k8s` Image Pre-pulling

The command `talosctl upgrade-k8s` now by default pre-pulls images for Kubernetes controlplane components
and kubelet. This provides an early check for missing images, and minimizes downtime during Kubernetes
rolling component update.


### Contributors

* Andrey Smirnov
* Noel Georgi
* Dmitriy Matrenichev
* Utku Ozdemir
* Artem Chernyshev
* Christian Rolland
* Steve Francis
* Nanfei Chen
* Nico Berlee
* Spencer Smith
* Alex Corcoles
* Alex Corcoles
* Alex Lubbock
* Andrei Kvapil
* Artem Chernyshev
* Budiman Jojo
* Chris Hoffman
* DJAlPee
* Dennis Marttinen
* Eirik Askheim
* Florian Klink
* Henk Kraal
* Igor Rzegocki
* James Callahan
* LukasAuerbeck
* Markus Reiter
* Michael A. Davis
* Michael Fornaro
* Niklas Wik
* Piotr Maksymiuk
* Ricky Sadowski
* Roee Klinger
* Sacha Trémoureux
* Scott Cariss
* Serge Logvinov
* Thomas Lemarchand
* Thomas Perronin
* Tim Jones
* Victor Bajada
* Walt Chen
* bdronneau

### Changes
<details><summary>195 commits</summary>
<p>

* siderolabs/talos@663264c86 release(v1.5.0-alpha.3): prepare release
* siderolabs/talos@d2f64af86 chore: disable cloud-images, pull in new kernel and gre module
* siderolabs/talos@8edce4906 docs: improve proxmox install guide
* siderolabs/talos@c783458be docs: typo dhcp -> dhcp
* siderolabs/talos@003cbd161 docs: warn about secretboxEncryptionSecret in kubeadm migration guide
* siderolabs/talos@786e86f5b refactor: rewrite the way Talos acquires the machine configuration
* siderolabs/talos@5e13cafe5 feat: enforce kernel lockdown for UKI
* siderolabs/talos@4d96d642f feat: update default Kubernetes version to 1.28.0-beta.0
* siderolabs/talos@170a73e16 chore: support creating qemu guest socket
* siderolabs/talos@59ac38a6b docs: add docs for installing azure ccm and csi
* siderolabs/talos@6288cd970 release(v1.5.0-alpha.2): prepare release
* siderolabs/talos@60c304126 chore: bump dependencies
* siderolabs/talos@9ef4e5efc fix: log explicitly when kubelet has no nodeIP match
* siderolabs/talos@6b39c6a4d fix: enable compression and bump gRPC max msg size
* siderolabs/talos@2f2eca861 chore: basic support for shutdown/poweroff flags
* siderolabs/talos@b84277d7d docs: fix wrong capability name
* siderolabs/talos@59d7d9344 chore: use machined for `shutdown`, `poweroff`
* siderolabs/talos@2439bfb71 chore: explicitly add timestamps to machined logs
* siderolabs/talos@14966e718 fix: skip over tpm2 1.2 devices
* siderolabs/talos@6716e7bc0 docs: update cilium documentation about KubePrism usage
* siderolabs/talos@166d75fe8 fix: tpm2 encrypt/decrypt flow
* siderolabs/talos@130518de7 chore: change missing renames of KubePrism
* siderolabs/talos@5f34f5b41 chore: rename api load balancer to KubePrism
* siderolabs/talos@c8b7095c0 refactor: use tpm2 library to calculate policy hash
* siderolabs/talos@078aac92e chore: bump deps
* siderolabs/talos@53873b844 refactor: move ukify into Talos code
* siderolabs/talos@d5f6fb9ff chore: add vendor info
* siderolabs/talos@79365d9ba feat: tpm2 based disk encryption
* siderolabs/talos@06369e819 fix: retry CRI pod removal, fix upgrade flow in the tests
* siderolabs/talos@d32dd3a82 chore: update Go to 1.20.6
* siderolabs/talos@8017afb10 feat: implement CRI image management and pre-pull on K8s upgrade
* siderolabs/talos@1c2f19b36 feat: update Kubernetes to 1.28.0-alpha.4
* siderolabs/talos@94e9891c1 chore: bump sd-boot to v254-rc1
* siderolabs/talos@936111ce0 fix: properly set up tls for KMS endpoint
* siderolabs/talos@cb226eec4 fix: rewrite encryption system information flow
* siderolabs/talos@3206db528 feat: drop tpm simulator for ukify measure
* siderolabs/talos@bd4f89f63 fix: disable dashboard on Azure, GCP and Scaleway
* siderolabs/talos@bdb96189f refactor: make maintenance service controller-based
* siderolabs/talos@d23d04de2 feat: seed the kernel random pool from the TPM
* siderolabs/talos@c81ce8cfb feat: support controlplane resources configuration
* siderolabs/talos@74de562b2 fix: mount hugepages with nosuid + nodev
* siderolabs/talos@ce63abb21 feat: add KMS assisted encryption key handler
* siderolabs/talos@dafbe9deb chore: optimize dockerfile instructions
* siderolabs/talos@a4289e870 chore: fix CLI docs generation stability
* siderolabs/talos@2fec8388f chore: bump dependencies
* siderolabs/talos@c1b4262dd docs: split simple and more complex getting started guides
* siderolabs/talos@c9a9f9561 refactor: extract secure boot certificate generation
* siderolabs/talos@6be5a13d5 feat: implement machine config documents for event and log streaming
* siderolabs/talos@e241be85b fix: properly handle YAML comment stripping for multi-doc
* siderolabs/talos@c02ada7d9 fix: capabilities including `ALL` should be uppercase
* siderolabs/talos@cbdf96d46 feat: support environment file for extensions
* siderolabs/talos@35d6adcb9 fix: provide stashed META values before installation
* siderolabs/talos@258f07449 fix: ukify cert generation
* siderolabs/talos@bf3febb7e fix: refine OVMF search paths
* siderolabs/talos@fbebc17f8 fix: disable LVM backups/archive
* siderolabs/talos@e5306ef26 chore: format and cleanup test scripts
* siderolabs/talos@bc371ecfd chore: add `/sbin/shutdown`
* siderolabs/talos@0d313b973 feat: add `reboot-mode` flag to `talosctl upgrade`
* siderolabs/talos@7ce87f20c fix: compare only basename of `os.Args[0]` in machined
* siderolabs/talos@53389b1e7 feat: auto-enroll secure boot keys
* siderolabs/talos@d77f0bc7b docs: fix broken link to powershell module
* siderolabs/talos@e1b150a11 release(v1.5.0-alpha.1): prepare release
* siderolabs/talos@8daf432b2 chore: bump deps
* siderolabs/talos@e3f3f5794 feat: implement revert for sd-boot
* siderolabs/talos@d8b0903d7 docs: vagrant setup document fix
* siderolabs/talos@fe0f46980 feat: implement secure boot from disk
* siderolabs/talos@445f5ad54 feat: support API server load balancer
* siderolabs/talos@19bc223de refactor: bootloader interface, labels
* siderolabs/talos@665702ddd chore: fix cilium e2e tests
* siderolabs/talos@71a548d18 chore: generic boootloader implementation
* siderolabs/talos@e9dbc9311 test: bump versions for upgrade tests
* siderolabs/talos@0a99965ef refactor: replace `uncordonNode` with controllers
* siderolabs/talos@e858bca3a test: fix cilium integration tests
* siderolabs/talos@455328d05 fix: allow time skew for generated kubeconfig
* siderolabs/talos@3ae05648a fix: usage of custom kernels
* siderolabs/talos@0797b0d16 chore: add a pipeline to test cloud-images step without a release
* siderolabs/talos@e5a36268b docs: include `allowSchedulingOnControlPlanes` on `talosctl gen config` output
* siderolabs/talos@c74d93728 chore: bump github.com/cosi-project/runtime
* siderolabs/talos@dbaf5c699 refactor: task `labelControlPlane` into controllers
* siderolabs/talos@1865a0c29 chore: modify some usages that are not recommended
* siderolabs/talos@3816318b9 chore: wrap config.Provider in atomic wrapper
* siderolabs/talos@d04cf1978 chore: clean up unnecessary self assignment
* siderolabs/talos@a34a94898 fix: copy missing modules.* files
* siderolabs/talos@f5e3272fc refactor: task 'updateBootLoader' as controller
* siderolabs/talos@e7be6ee7c refactor: make event log streaming fully reactive
* siderolabs/talos@aef2192a6 chore: use fixed module list
* siderolabs/talos@c719aa231 fix: allow http:// for discovery service URL
* siderolabs/talos@39134d8d5 chore: fix cron pipeline
* siderolabs/talos@a61dcdbbd fix: don't load RDMA over Ethernet driver by default
* siderolabs/talos@aac441f61 chore: update Go to 1.20.5, bump dependencies
* siderolabs/talos@1c0c7933d chore: cleanup partition code
* siderolabs/talos@31b988281 docs: add some words about certifcates
* siderolabs/talos@e912c0dfc chore: use go-blockdevice for zeroing partitions
* siderolabs/talos@e6dde8ffc feat: add network chaos to qemu development environment
* siderolabs/talos@47986cb79 chore: unify kexec phase
* siderolabs/talos@3a865370f feat: qemu secureboot
* siderolabs/talos@5dab45e86 refactor: allow kmsg log streaming to be reconfigured on the fly
* siderolabs/talos@8a02ecd4c chore: add endpoints balancer controller
* siderolabs/talos@423a31ac9 chore: deprectae `bootloader` installer option
* siderolabs/talos@cdfece7d6 chore: optimize image compression
* siderolabs/talos@bfc341937 chore: add default console args
* siderolabs/talos@2749aeeda feat: add support for multi-doc strategic merge patching
* siderolabs/talos@3f68485e4 feat: add uki iso generation
* siderolabs/talos@bab484a40 feat: use stable network interface names
* siderolabs/talos@196dfb99b fix: do not probe kernel args in dashboard if not needed
* siderolabs/talos@8c071b579 fix: skip DHCP RENEW if server IP in the lease is all zeroes
* siderolabs/talos@badbc51e6 refactor: rewrite code to include preliminary support for multi-doc
* siderolabs/talos@ecce29dee fix: upgrade-k8s use internal IP first, external IP fallback
* siderolabs/talos@3c64a5ffb chore: optimize image generation time
* siderolabs/talos@2292f36d9 chore: registry.k8s.io for coredns image
* siderolabs/talos@f2b258b37 docs: document talosctl version for upgrades
* siderolabs/talos@a0773f783 chore: add ukify Go script
* siderolabs/talos@b69e38d1f chore: bump dependencies
* siderolabs/talos@adce65103 docs: add piraeus/drbd to storage documentation
* siderolabs/talos@a982cabe7 docs: link support matrix in k8s update doc
* siderolabs/talos@1fb29a56a fix: fail quickly if upgrade-k8s is used with multiple nodes
* siderolabs/talos@51d931c47 chore: faster dev cycle
* siderolabs/talos@dc6764871 refactor: move around config interfaces, make RawV1Alpha1 typed
* siderolabs/talos@ea9a97dba fix: fall back to external IP when discovering nodes in upgrade-k8s
* siderolabs/talos@0bb7e8a5c refactor: split config.Provider into Config & Container
* siderolabs/talos@85d8a1619 chore: bump deps
* siderolabs/talos@39b7a56f0 chore: use 8GiB instead of 10GiB for cloud images
* siderolabs/talos@ff11fd39c fix: race with `udevd` and `mountUserDisks`
* siderolabs/talos@c3fabb982 chore: update default image sizes to 10GB for all "cloud" images
* siderolabs/talos@10155c390 feat: enable xfs project quota support, kubelet feature
* siderolabs/talos@eba818564 release(v1.5.0-alpha.0): prepare release
* siderolabs/talos@383471c3e feat: update default Kubernetes to v1.27.2
* siderolabs/talos@8f68d1abe chore: bump deps
* siderolabs/talos@e0c1585d3 feat: create azure community gallery image version on release
* siderolabs/talos@dd8336c9e fix: refresh kubelet self-issued serving certificates
* siderolabs/talos@bb02dd263 chore: drop deprecated stuff for Talos 1.5
* siderolabs/talos@61cad8673 chore: bump deps
* siderolabs/talos@01dfd3af7 feat: update etcd to v3.5.9
* siderolabs/talos@aa65fbb8a chore: update KUBECTL_URL to reflect the community bucket
* siderolabs/talos@cc3128d94 chore: bump kernel to 6.1.28
* siderolabs/talos@97fffaf78 chore: use ctest.UpdateWithConflicts instead of plain UpdateWithConflicts
* siderolabs/talos@3b36993b9 fix: rlimit nofile test
* siderolabs/talos@45e6e27af chore: bump runtime
* siderolabs/talos@4f720d465 fix: revert: set rlimit explicitly in wrapperd
* siderolabs/talos@a2565f674 fix: set rlimit explicitly in wrapperd
* siderolabs/talos@cdfc242b8 chore: re-enable Go buildid
* siderolabs/talos@e67f3f5c5 feat: linux 6.1.27, containerd 1.6.21, go 1.20.4
* siderolabs/talos@55ae59a0a fix: properly skip/cleanup controlplane configs for workers
* siderolabs/talos@64eade9bd chore: clean up unused constant
* siderolabs/talos@62c6e9655 feat: introduce siderolink config resource & reconnect
* siderolabs/talos@860002c73 fix: don't reload control plane pods on cert SANs changes
* siderolabs/talos@d43c61e80 fix: enforce nolock option for all NFS mounts by default
* siderolabs/talos@339986db9 fix: inhibit timer to follow kubelet timer
* siderolabs/talos@cbf6dc100 fix: set timeout for unmount calls
* siderolabs/talos@b58f913d5 fix: set the static pod priority as values
* siderolabs/talos@f8a7a5b6b docs: add information about KubeSpan ports and topology
* siderolabs/talos@2bad74d64 docs: add how to on scaling down
* siderolabs/talos@7442ff8b0 chore: fix typos inteface -> interface (docs and tests)
* siderolabs/talos@d4e94f7a1 fix: add back required TARGETARCH for installer
* siderolabs/talos@e6fffda01 chore: linux 6.1.26, runc 1.1.7
* siderolabs/talos@344746ae2 fix: bump max inhibit delay to 20 min
* siderolabs/talos@d9bdea2b5 chore: fork docs and compatibility modules for Talos 1.5
* siderolabs/talos@3d99610fc docs: document building, verifying image and process caps
* siderolabs/talos@014008ea2 fix: udevd rules trigger
* siderolabs/talos@9b36bb613 feat: update Linux to 6.1.25, fix virtio on arm64
* siderolabs/talos@08ec66c55 feat: clean up (garbage collect) system images which are not referenced
* siderolabs/talos@b097efcde fix: display correct number of machines on dashboard
* siderolabs/talos@cad43f0ad chore: remove k8s master label
* siderolabs/talos@e296a566e fix: support kernel userspace module loading
* siderolabs/talos@103f0ffdd feat: add startup probes to controller-manager and scheduler
* siderolabs/talos@5a1ae8aae chore: bump dependences
* siderolabs/talos@ec8c8dbaf chore: fix container image reproducibility
* siderolabs/talos@f661d8487 fix: allow `talosctl cp` to handle special files in `/proc`
* siderolabs/talos@2d824b563 fix: do not show control plane status for workers on dashboard
* siderolabs/talos@e5491ddad docs: update documentation for nocloud
* siderolabs/talos@7a004a6f7 fix: parse errors correctly
* siderolabs/talos@374ef5385 test: submit verbose flag to e2e tests
* siderolabs/talos@e1d38b6fe feat: show template URL in dashboard config URL tab
* siderolabs/talos@45d7f0ce9 docs: fix the latest url
* siderolabs/talos@96efbf147 docs: activate 1.4.0 docs by default
* siderolabs/talos@8c1f515b1 feat: update Linux to 6.1.24
* siderolabs/talos@8689bef5f docs: update documentation for Talos 1.4
* siderolabs/talos@a781dfb8e feat: update Kubernetes to 1.27.1
* siderolabs/talos@a737dd83a chore: typo in `compatibility.ParseKubernetesVersion`
* siderolabs/talos@f14928b0a fix: fix dashboard crash when a non-existent node is specified
* siderolabs/talos@3e406d9b0 feat: update etcd to v3.5.8
* siderolabs/talos@bd1cff3e8 chore: remove Go buildid
* siderolabs/talos@e31f7f50b feat: update Kubernetes to 1.27.0
* siderolabs/talos@aa3640d74 docs: update storage.md
* siderolabs/talos@07bb61e60 chore: module-sig-verify cleanup
* siderolabs/talos@5e9d836c3 chore: add kernel module signtaure verification
* siderolabs/talos@3cd1c6bb0 fix: send 'STOP' event on phase end
* siderolabs/talos@5176d27dc feat: update Kubernetes to 1.27.0-rc.1
* siderolabs/talos@2c55550a6 fix: quote ISO kernel args for GRUB
* siderolabs/talos@319d76e38 fix: respect BROWSER=echo in client auth interceptor
* siderolabs/talos@4e4ace839 chore: update Go to 1.20.3
* siderolabs/talos@170f73899 fix: correctly parse static pod phase
* siderolabs/talos@c3a595d5b fix: improve action tracking post checks
* siderolabs/talos@eb01edbc8 fix: rework DHCP flow
* siderolabs/talos@e095150a6 test: bump CAPI components versions
</p>
</details>

### Changes since v1.5.0-alpha.2
<details><summary>10 commits</summary>
<p>

* siderolabs/talos@663264c86 release(v1.5.0-alpha.3): prepare release
* siderolabs/talos@d2f64af86 chore: disable cloud-images, pull in new kernel and gre module
* siderolabs/talos@8edce4906 docs: improve proxmox install guide
* siderolabs/talos@c783458be docs: typo dhcp -> dhcp
* siderolabs/talos@003cbd161 docs: warn about secretboxEncryptionSecret in kubeadm migration guide
* siderolabs/talos@786e86f5b refactor: rewrite the way Talos acquires the machine configuration
* siderolabs/talos@5e13cafe5 feat: enforce kernel lockdown for UKI
* siderolabs/talos@4d96d642f feat: update default Kubernetes version to 1.28.0-beta.0
* siderolabs/talos@170a73e16 chore: support creating qemu guest socket
* siderolabs/talos@59ac38a6b docs: add docs for installing azure ccm and csi
</p>
</details>

### Changes from siderolabs/crypto
<details><summary>2 commits</summary>
<p>

* siderolabs/crypto@8f77da3 feat: add a method to load PEM key from file
* siderolabs/crypto@c03ff58 feat: add a way to represent redacted x509 private keys
</p>
</details>

### Changes from siderolabs/discovery-api
<details><summary>1 commit</summary>
<p>

* siderolabs/discovery-api@5e3db3c chore: app optional ControlPlane data
</p>
</details>

### Changes from siderolabs/discovery-client
<details><summary>1 commit</summary>
<p>

* siderolabs/discovery-client@9ba5f03 chore: app optional ControlPlane data
</p>
</details>

### Changes from siderolabs/extras
<details><summary>3 commits</summary>
<p>

* siderolabs/extras@f415aac feat: update Go to 1.20.6
* siderolabs/extras@a73d524 feat: update Go to 1.20.5
* siderolabs/extras@36c8ac4 chore: update to Go 1.20.3
</p>
</details>

### Changes from siderolabs/gen
<details><summary>3 commits</summary>
<p>

* siderolabs/gen@f9f5805 chore: bump rekres and add functions from exp
* siderolabs/gen@b968d21 feat: add `TryRecv` and `RecvWithContext` functions
* siderolabs/gen@476dfea feat: add foreach and clear to lazymap
</p>
</details>

### Changes from siderolabs/go-blockdevice
<details><summary>4 commits</summary>
<p>

* siderolabs/go-blockdevice@fbb01f7 fix: properly detect token not found error
* siderolabs/go-blockdevice@3e08968 fix: do not attach token to a key slot
* siderolabs/go-blockdevice@f2c419e feat: support LUKS token management
* siderolabs/go-blockdevice@076874a chore: resolve blockdevice symlinks
</p>
</details>

### Changes from siderolabs/go-debug
<details><summary>1 commit</summary>
<p>

* siderolabs/go-debug@43d9100 chore: allow enabling pprof manually
</p>
</details>

### Changes from siderolabs/go-kubernetes
<details><summary>2 commits</summary>
<p>

* siderolabs/go-kubernetes@69fea5b feat: support upgrades to Kubernetes 1.28
* siderolabs/go-kubernetes@5a3df5b fix: remove removed APIs for 1.27 upgrade
</p>
</details>

### Changes from siderolabs/go-loadbalancer
<details><summary>6 commits</summary>
<p>

* siderolabs/go-loadbalancer@574126c chore: add 0.1ms tier and fix tiers
* siderolabs/go-loadbalancer@5301800 chore: fix logging and tests
* siderolabs/go-loadbalancer@b23a173 chore: replace std log with zap
* siderolabs/go-loadbalancer@1a2f374 feat: add multi-tier scoring based for generic List
* siderolabs/go-loadbalancer@56a27da chore: move to siderolabs/tcpproxy of inet.af/tcpproxy
* siderolabs/go-loadbalancer@f3a0e24 fix: use SO_LINGER option when doing TCP healthchecks
</p>
</details>

### Changes from siderolabs/kms-client
<details><summary>3 commits</summary>
<p>

* siderolabs/kms-client@50064b6 fix: pass context to the key handler in the server wrapper
* siderolabs/kms-client@83e0a2e feat: define API and add reference implementation for KMS server
* siderolabs/kms-client@8c37ee8 Initial commit
</p>
</details>

### Changes from siderolabs/pkgs
<details><summary>41 commits</summary>
<p>

* siderolabs/pkgs@fedfafa feat: add thunderbolt/USB4 module
* siderolabs/pkgs@17d5b94 feat: enable NET_IPGRE kernel config
* siderolabs/pkgs@84cdfb6 feat: add 'zfs' package
* siderolabs/pkgs@d0eaedc feat: enable DM_RAID kernel config
* siderolabs/pkgs@d5e0fad feat: update dependencies
* siderolabs/pkgs@c644633 feat: enable multi-gen lru by default
* siderolabs/pkgs@75696ba feat: update Go to 1.20.6
* siderolabs/pkgs@205cab6 chore: feat use new sd-boot
* siderolabs/pkgs@fb817fe fix: enable USB attached SCSI driver on x86 systems
* siderolabs/pkgs@43451e6 chore: bump dependencies
* siderolabs/pkgs@eca94f8 feat: enable sriov
* siderolabs/pkgs@5a8e8e5 feat: enable VMWARE/HYPERV vsockets
* siderolabs/pkgs@edd725a chore: bump deps
* siderolabs/pkgs@c0ac69b feat: enable CONFIG_NVME_{MULTIPATH|AUTH}
* siderolabs/pkgs@f7cd916 fix: bump drbd to 9.2.4
* siderolabs/pkgs@a56d15a fix: copy missing `modules.*` files
* siderolabs/pkgs@1eefa66 feat: build isb modem drivers as module
* siderolabs/pkgs@a859f4f fix: build RDMA_RXE as a module
* siderolabs/pkgs@5fb5e95 feat: bump dependencies
* siderolabs/pkgs@39a64b2 feat: update Linux to 6.1.31, add GENEVE for arm64
* siderolabs/pkgs@97177be feat: update Linux to 6.1.30
* siderolabs/pkgs@b1f9d4e chore: prevent unsigned kexec with secureboot
* siderolabs/pkgs@9232a42 feat: add reproducibility pipelines
* siderolabs/pkgs@702d7a7 chore: bump deps
* siderolabs/pkgs@7958db1 chore: copy over sd-boot and sd-stub from tools
* siderolabs/pkgs@813b3c3 chore: revert xfsprogs
* siderolabs/pkgs@0cc78ab chore: bump kernel to 6.1.28
* siderolabs/pkgs@70189e3 chore: bump deps
* siderolabs/pkgs@c5d3bf1 feat: add sd-stub and sd-boot
* siderolabs/pkgs@30a7ac2 feat: update Linux 6.1.27, containerd 1.6.21
* siderolabs/pkgs@fbc6ee5 chore: bump deps
* siderolabs/pkgs@82b9489 chore: bump dependencies
* siderolabs/pkgs@f37e520 feat: update Linux to 6.1.25
* siderolabs/pkgs@3920b16 feat: add multi-gen LRU kernel support
* siderolabs/pkgs@988f1ec feat: update Linux to 6.1.24
* siderolabs/pkgs@5327d12 fix: remove FB_NVIDIA drivers, Linux 6.1.23
* siderolabs/pkgs@4eae958 chore: copy over the kernel signing public key
* siderolabs/pkgs@174f8fc chore: update Go to 1.20.3
* siderolabs/pkgs@41629b0 chore: reorder pkgs for better kernel caching
* siderolabs/pkgs@b483a6b feat: build 'snp.efi' for iPXE
* siderolabs/pkgs@fb853ff feat: update containerd to 1.6.20
</p>
</details>

### Changes from siderolabs/tools
<details><summary>20 commits</summary>
<p>

* siderolabs/tools@dc7dd9e chore: remove libseccomp
* siderolabs/tools@e27c249 feat: update Go to 1.20.6
* siderolabs/tools@9b6d512 feat: use systemd 254-rc1
* siderolabs/tools@cd3b692 chore: bump deps
* siderolabs/tools@c1027a6 chore: remove sbsign
* siderolabs/tools@e0c76c0 chore: bump dependencies
* siderolabs/tools@7d0cd58 feat: update Go to 1.20.5
* siderolabs/tools@150efc2 chore: remove non needed tools
* siderolabs/tools@88ebb40 feat: add swtpm
* siderolabs/tools@4c5d7fe chore: use same source epoch everywhere
* siderolabs/tools@2e46e5b feat: add reproducibility pipelines
* siderolabs/tools@c6a41b6 fix: add sd-stub assertion patch
* siderolabs/tools@d2dde48 chore: bump deps
* siderolabs/tools@8e45ad7 feat: add sbsign
* siderolabs/tools@271c4a6 feat: add sd-tools
* siderolabs/tools@eedc294 chore: bump deps
* siderolabs/tools@81b09a5 feat: add libcap and gnuefi
* siderolabs/tools@47b0fd3 chore: bump go to 1.20.4
* siderolabs/tools@ff4cf2b chore: bump deps
* siderolabs/tools@1563556 feat: update Go to 1.20.3
</p>
</details>

### Dependency Changes

* **github.com/BurntSushi/toml**                     v1.2.1 -> v1.3.2
* **github.com/aws/aws-sdk-go**                      v1.44.232 -> v1.44.304
* **github.com/beevik/ntp**                          v0.3.0 -> v1.2.0
* **github.com/benbjohnson/clock**                   v1.1.0 -> v1.3.5
* **github.com/cenkalti/backoff/v4**                 v4.2.0 -> v4.2.1
* **github.com/containerd/containerd**               v1.6.19 -> v1.6.21
* **github.com/containerd/typeurl/v2**               v2.1.1 **_new_**
* **github.com/containernetworking/plugins**         v1.2.0 -> v1.3.0
* **github.com/cosi-project/runtime**                v0.3.0 -> v0.3.1-alpha.8
* **github.com/docker/distribution**                 v2.8.1 -> v2.8.2
* **github.com/docker/docker**                       v23.0.2 -> v24.0.4
* **github.com/ecks/uefi**                           caef65d070eb **_new_**
* **github.com/emicklei/dot**                        v1.4.2 -> v1.5.0
* **github.com/foxboron/go-uefi**                    32187aa193d0 **_new_**
* **github.com/google/go-tpm**                       v0.9.0 **_new_**
* **github.com/hashicorp/go-envparse**               v0.1.0 **_new_**
* **github.com/hetznercloud/hcloud-go**              v1.41.0 -> v1.48.0
* **github.com/insomniacslk/dhcp**                   74ae03f2425e -> 5648422c16cd
* **github.com/jsimonetti/rtnetlink**                v1.3.1 -> v1.3.4
* **github.com/mattn/go-isatty**                     v0.0.18 -> v0.0.19
* **github.com/mdlayher/ethtool**                    ba3b4bc2e02c -> v0.1.0
* **github.com/mdlayher/genetlink**                  v1.3.1 -> v1.3.2
* **github.com/mdlayher/netlink**                    v1.7.1 -> v1.7.2
* **github.com/mdlayher/netx**                       c711c2f8512f -> 7e21880baee8
* **github.com/nberlee/go-netstat**                  v0.1.1 -> v0.1.2
* **github.com/opencontainers/go-digest**            v1.0.0 **_new_**
* **github.com/opencontainers/image-spec**           v1.1.0-rc2 -> v1.1.0-rc4
* **github.com/packethost/packngo**                  v0.29.0 -> v0.30.0
* **github.com/prometheus/procfs**                   v0.9.0 -> v0.11.0
* **github.com/rivo/tview**                          281d14d896d7 -> 6cc0565babaf
* **github.com/rs/xid**                              v1.4.0 -> v1.5.0
* **github.com/scaleway/scaleway-sdk-go**            v1.0.0-beta.15 -> v1.0.0-beta.19
* **github.com/siderolabs/crypto**                   v0.4.0 -> v0.4.1
* **github.com/siderolabs/discovery-api**            v0.1.2 -> v0.1.3
* **github.com/siderolabs/discovery-client**         v0.1.4 -> v0.1.5
* **github.com/siderolabs/extras**                   v1.4.0-1-g9b07505 -> v1.5.0-alpha.0-2-gf415aac
* **github.com/siderolabs/gen**                      v0.4.3 -> v0.4.5
* **github.com/siderolabs/go-blockdevice**           v0.4.4 -> v0.4.6
* **github.com/siderolabs/go-debug**                 v0.2.2 -> v0.2.3
* **github.com/siderolabs/go-kubernetes**            v0.2.0 -> v0.2.2
* **github.com/siderolabs/go-loadbalancer**          v0.2.1 -> v0.3.2
* **github.com/siderolabs/kms-client**               v0.1.0 **_new_**
* **github.com/siderolabs/pkgs**                     v1.4.1-5-ga333a84 -> v1.5.0-alpha.0-40-gfedfafa
* **github.com/siderolabs/talos/pkg/machinery**      v1.4.0 -> v1.5.0-alpha.3
* **github.com/siderolabs/tools**                    v1.4.0-1-g955aabc -> v1.5.0-alpha.0-19-gdc7dd9e
* **github.com/spf13/cobra**                         v1.6.1 -> v1.7.0
* **github.com/stretchr/testify**                    v1.8.2 -> v1.8.4
* **github.com/vmware-tanzu/sonobuoy**               v0.56.16 -> v0.56.17
* **github.com/vmware/govmomi**                      v0.30.4 -> v0.30.6
* **go.etcd.io/etcd/api/v3**                         v3.5.8 -> v3.5.9
* **go.etcd.io/etcd/client/pkg/v3**                  v3.5.8 -> v3.5.9
* **go.etcd.io/etcd/client/v3**                      v3.5.8 -> v3.5.9
* **go.etcd.io/etcd/etcdutl/v3**                     v3.5.8 -> v3.5.9
* **golang.org/x/net**                               v0.8.0 -> v0.12.0
* **golang.org/x/sync**                              v0.1.0 -> v0.3.0
* **golang.org/x/sys**                               v0.6.0 -> v0.10.0
* **golang.org/x/term**                              v0.6.0 -> v0.10.0
* **golang.org/x/text**                              v0.11.0 **_new_**
* **golang.zx2c4.com/wireguard/wgctrl**              9c5414ab4bde -> 925a1e7659e6
* **google.golang.org/grpc**                         v1.54.0 -> v1.56.2
* **google.golang.org/protobuf**                     v1.30.0 -> v1.31.0
* **k8s.io/api**                                     v0.27.1 -> v0.28.0-alpha.4
* **k8s.io/apimachinery**                            v0.27.1 -> v0.28.0-alpha.4
* **k8s.io/apiserver**                               v0.27.1 -> v0.28.0-alpha.4
* **k8s.io/client-go**                               v0.27.1 -> v0.28.0-alpha.4
* **k8s.io/component-base**                          v0.27.1 -> v0.28.0-alpha.4
* **k8s.io/cri-api**                                 v0.27.1 -> v0.28.0-alpha.4
* **k8s.io/klog/v2**                                 v2.90.1 -> v2.100.1
* **k8s.io/kubectl**                                 v0.27.1 -> v0.28.0-alpha.4
* **k8s.io/kubelet**                                 v0.27.1 -> v0.28.0-alpha.4
* **kernel.org/pub/linux/libs/security/libcap/cap**  v1.2.68 -> v1.2.69

Previous release can be found at [v1.4.0](https://github.com/siderolabs/talos/releases/tag/v1.4.0)

## Images

ghcr.io/siderolabs/flannel:v0.22.0
ghcr.io/siderolabs/install-cni:v1.5.0-alpha.0-2-gf415aac
registry.k8s.io/coredns/coredns:v1.10.1
gcr.io/etcd-development/etcd:v3.5.9
registry.k8s.io/kube-apiserver:v1.28.0-beta.0
registry.k8s.io/kube-controller-manager:v1.28.0-beta.0
registry.k8s.io/kube-scheduler:v1.28.0-beta.0
registry.k8s.io/kube-proxy:v1.28.0-beta.0
ghcr.io/siderolabs/kubelet:v1.28.0-beta.0
ghcr.io/siderolabs/installer:v1.5.0-alpha.3
registry.k8s.io/pause:3.6

<hr /><em>This discussion was created from the release <a href='https://github.com/siderolabs/talos/releases/tag/v1.5.0-alpha.3'>v1.5.0-alpha.3</a>.</em>