fix(talos): migrate configmanager to alpha.2 multi-document config API#5775
fix(talos): migrate configmanager to alpha.2 multi-document config API#5775devantler wants to merge 2 commits into
Conversation
Talos v1.14.0-alpha.2 removed Network() and APIServer() from the config.ClusterConfig interface, moving them to the K8sNetworkConfig, K8sFlannelCNIConfig and K8sAPIServerConfig documents. Read CNI presence, pod CIDRs and the kube-apiserver image via the new accessors (available on config.Provider through the machinery's v1alpha1 bridge, so config generation is unchanged). Unblocks the Talos alpha.2 dependency bumps #5765 and #5766. Fixes #5771
📝 WalkthroughWalkthroughThis PR updates indirect Go module versions in ChangesGo module dependency bumps
Talos alpha.2 config API migration
Estimated code review effort: 3 (Moderate) | ~25 minutes Possibly related issues
Suggested reviewers: devantler 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
✅MegaLinter analysis: Success✅ Linters with no issuesactionlint, bash-exec, git_diff, hadolint, jscpd, jsonlint, lychee, markdown-table-formatter, markdownlint, prettier, prettier, shellcheck, shfmt, stylelint, syft, trivy-sbom, trufflehog, v8r, v8r, yamllint Notices📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining See detailed reports in MegaLinter artifacts
|
Code Coverage OverviewLanguages: Go Go / code-coverage/goThe overall coverage in the branch remains at 65%, unchanged from the branch. Show a code coverage summary of the most impacted files.
Updated |
CI shows a clean split: every leg that boots a Talos node fails, everything else passes.
Not a flake: the concurrent #5773 run (same CI window, same registry, no Talos-config change) had all its Talos legs pass. So the alpha.2 config migration itself breaks the generated Talos machine config at real bring-up — the "config generation is unchanged" assumption holds for the unit-tested structure but not for a live boot (unit tests don't boot a node). Next: root-cause the config incompatibility introduced by the alpha.1→alpha.2 machinery bump (likely a generated machine-config / certs / apid-facing change vs the Talos image the tests boot; a lockstep Talos test-image bump may be required). Keeping this draft blocked — and the dependabot alpha.2 bumps #5765/#5766 stay blocked with it — until a Talos node bootstraps green. |
Root-cause of the failing System Tests — confirmed upstream, not fixable in ksail. The accessor-API migration in this PR is correct and unit-green. The System Test failures are a Talos v1.14.0-alpha.2 boot regression in Docker (container) mode, unrelated to this diff: Talos's Disposition: the migration stays a draft until the upstream Docker-mode boot regression is fixed (or a fixed alpha ships). Superseding dependabot bumps #5766 / #5765 (both to the same alpha.2) are being closed in favour of this PR, which does the required API adaptation they lack. |
Correction to my previous comment — the root cause is a node-image/module version mismatch, not an upstream regression. My earlier note framed the failing System Tests as an "upstream Talos alpha.2 Docker-mode boot regression." That is inaccurate and I'm superseding it. The accurate root cause: ksail pins the Talos node image separately from the machinery module. The module and node image are coupled and must move together. So this is our coupled-bump decision, not an external block:
Tracked by #5771. Superseding dependabot bumps #5765/#5766 were closed in favour of this PR. Do not rerun the red E2E — it is expected until the node image moves with the module. |
Resolve go.mod/go.sum conflicts: keep the Talos machinery v1.14.0-alpha.2 bump, take gopacket v1.6.1 from main (#5767), regenerate go.sum via go mod tidy for both root and desktop modules. Clears the DIRTY merge state on this parked draft; its E2E remains red-by-design (node-image/module version hold — see PR body). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Parked — blocker live-verified (2026-07-04). Confirmed against Decision: hold this migration until Talos v1.14.0 stable ships, then bump the module + node image together in one PR. Converting back to draft so it isn't accidentally merged (merging as-is breaks every Talos cluster create). Dependabot #5765/#5766 stay parked behind this. Re-evaluate when v1.14.0 stable is released. |

Why
Talos
v1.14.0-alpha.2removed the top-level network and API-server accessors from its config interface, breaking ksail's build and leaving the Dependabot bumps #5765/#5766 red.What
Migrates the Talos configmanager to read CNI/pod-CIDRs/apiserver-image via Talos's new multi-document accessors. Unit tests, lint and build are green.
E2E proves the machinery bump cannot land alone: with the module on alpha.2 but ksail's pinned Talos node image still at the stable
v1.13.5, every Talos cluster create fails to boot (setupSharedFilesystems: invalid argument) — the alpha.2-generated machine config is incompatible with the v1.13.5 node. The same suite is fully green on the alpha.1 baseline (#5773), confirming this is the bump, not a flake.Making this green requires also bumping ksail's default Talos node image to
v1.14.0-alpha.2— i.e. shipping a moving Talos 1.14 alpha as the default local node image. That's a stability call I won't make unilaterally.Recommendation: hold the Talos 1.14 bump until
v1.14.0stable ships, then bump machinery + node image together. Kept as a draft with the prepared migration code; see #5771. Promote only if you want ksail tracking Talos 1.14-alpha now (I'll add the node-image bump on request).Part of #5771