From 241e8ef05e8966e93b27c6010d4f4e50626f29db Mon Sep 17 00:00:00 2001 From: Amarachi Iheanacho Date: Tue, 23 Jun 2026 19:37:05 +0100 Subject: [PATCH] docs: update the image factory config Signed-off-by: Amarachi Iheanacho --- public/changelog.mdx | 25 + .../reference/image-factory-configuration.mdx | 481 ++++++++++++++---- public/snippets/custom-variables.mdx | 4 +- 3 files changed, 423 insertions(+), 87 deletions(-) diff --git a/public/changelog.mdx b/public/changelog.mdx index bef9fea5..b2fdf94a 100644 --- a/public/changelog.mdx +++ b/public/changelog.mdx @@ -4,6 +4,31 @@ description: "Product updates and announcements" rss: true --- + + [Release notes →](https://github.com/siderolabs/talos/releases/tag/v1.13.5) + + ### Component Updates + + Linux: 6.18.36 + containerd: 2.2.5 + runc: 1.4.3 + + Talos is built with Go 1.26.4. + + + + [Release notes →](https://github.com/siderolabs/talos/releases/tag/v1.12.9) + + ### Component Updates + + Linux: 6.18.35 + runc: 1.3.6 + CoreDNS: 1.14.2 + containerd: 2.2.5 + + Talos is built with Go 1.25.11. + + [Release notes →](https://github.com/siderolabs/talos/releases/tag/v1.13.4) diff --git a/public/omni/reference/image-factory-configuration.mdx b/public/omni/reference/image-factory-configuration.mdx index 5b526e9c..f2e0b5e0 100644 --- a/public/omni/reference/image-factory-configuration.mdx +++ b/public/omni/reference/image-factory-configuration.mdx @@ -1,11 +1,11 @@ --- title: Image Factory Configuration description: Complete reference for configuring Omni’s Image Factory service ---- +--- This document provides a comprehensive reference for configuring the Image Factory service used in Omni. -## CLI usage +## CLI Usage ```console Usage of image-factory: @@ -25,50 +25,46 @@ Usage of image-factory: --log-level level Log level [debug info warn error dpanic panic fatal] (default info) ``` -## Configuration reference - -Documentation for basic configuration parameters. - ### `http` HTTP configuration for the image factory frontend. -#### `http.httpListenAddr` +### `http.httpListenAddr` - **Type:** `string` - **Env:** `HTTP_HTTPLISTENADDR` ListenAddr is the local address to bind the HTTP frontend to. -#### `http.certFile` +### `http.certFile` - **Type:** `string` - **Env:** `HTTP_CERTFILE` CertFile is the path to the TLS certificate for the HTTP frontend (optional). -#### `http.keyFile` +### `http.keyFile` - **Type:** `string` - **Env:** `HTTP_KEYFILE` KeyFile is the path to the TLS key for the HTTP frontend (optional). -#### `http.externalURL` +### `http.externalURL` - **Type:** `string` - **Env:** `HTTP_EXTERNALURL` ExternalURL is the public URL for the image factory HTTP frontend, used in links and redirects. -#### `http.externalPXEURL` +### `http.externalPXEURL` - **Type:** `string` - **Env:** `HTTP_EXTERNALPXEURL` ExternalPXEURL is the public URL for the PXE frontend, used for booting nodes via PXE. -#### `http.allowedOrigins` +### `http.allowedOrigins` - **Type:** `[]string` - **Env:** `HTTP_ALLOWEDORIGINS` @@ -79,14 +75,22 @@ AllowedOrigins configures the frontend API CORS with custom origins list. Options for building assets used in images, including concurrency and Talos version constraints. -#### `build.minTalosVersion` +### `build.minTalosVersion` - **Type:** `string` - **Env:** `BUILD_MINTALOSVERSION` MinTalosVersion specifies the minimum supported Talos version for assets. -#### `build.maxConcurrency` +### `build.brokenTalosVersions` + +- **Type:** `[]string` +- **Env:** `BUILD_BROKENTALOSVERSIONS` + +BrokenTalosVersions lists Talos versions that should be considered broken and avoided when building assets. +Those are versions that are known to have critical issues that prevent them from working correctly, such as bugs in Talos that cause build failures or runtime errors. + +### `build.maxConcurrency` - **Type:** `int` - **Env:** `BUILD_MAXCONCURRENCY` @@ -97,7 +101,7 @@ MaxConcurrency sets the maximum number of simultaneous asset build operations. ContainerSignature holds configuration for verifying container image signatures. -#### `containerSignature.subjectRegExp` +### `containerSignature.subjectRegExp` - **Type:** `string` - **Env:** `CONTAINERSIGNATURE_SUBJECTREGEXP` @@ -107,21 +111,21 @@ SubjectRegExp is a regular expression used to validate the subject in container Set explicitly to empty string to disable subject validation, otherwise it defaults to a regex that allows trusted Sidero Labs account identities. This keyless verification method will not work in air-gapped environments. -#### `containerSignature.issuerRegExp` +### `containerSignature.issuerRegExp` - **Type:** `string` - **Env:** `CONTAINERSIGNATURE_ISSUERREGEXP` IssuerRegExp is a regular expression used to validate the issuer in container signatures. -#### `containerSignature.issuer` +### `containerSignature.issuer` - **Type:** `string` - **Env:** `CONTAINERSIGNATURE_ISSUER` Issuer is the expected issuer for container signatures (overrides RegExp if set). -#### `containerSignature.publicKeyFile` +### `containerSignature.publicKeyFile` - **Type:** `string` - **Env:** `CONTAINERSIGNATURE_PUBLICKEYFILE` @@ -131,14 +135,14 @@ PublicKeyFile is the path to the public key used for signature verification. Alternative to keyless verification using SubjectRegExp and Issuer/IssuerRegExp. If set, the image factory will use this public key to verify signatures instead of relying on keyless identities. -#### `containerSignature.publicKeyHashAlgo` +### `containerSignature.publicKeyHashAlgo` - **Type:** `string` - **Env:** `CONTAINERSIGNATURE_PUBLICKEYHASHALGO` PublicKeyHashAlgo specifies the hash algorithm used for verifying the public key. -#### `containerSignature.disabled` +### `containerSignature.disabled` - **Type:** `bool` - **Env:** `CONTAINERSIGNATURE_DISABLED` @@ -149,12 +153,12 @@ Disabled disables signature verification. Cache contains configuration for storing and retrieving boot assets. -#### `cache.oci` +### `cache.oci` OCI contains configuration for using OCI Registry to store cached assets. This configuration is required. -#### `cache.oci.registry` +### `cache.oci.registry` - **Type:** `string` - **Env:** `CACHE_OCI_REGISTRY` @@ -162,7 +166,7 @@ This configuration is required. Registry is the hostname of the container registry, e.g., `ghcr.io`. This is where images are stored. -#### `cache.oci.namespace` +### `cache.oci.namespace` - **Type:** `string` - **Env:** `CACHE_OCI_NAMESPACE` @@ -170,7 +174,7 @@ This is where images are stored. Namespace is the repository namespace or organization within the registry, e.g., `sidero-labs`. Some registries allow repositories without a namespace. -#### `cache.oci.repository` +### `cache.oci.repository` - **Type:** `string` - **Env:** `CACHE_OCI_REPOSITORY` @@ -178,89 +182,154 @@ Some registries allow repositories without a namespace. Repository is the name of the repository inside the namespace, e.g., `talos`. Combined with Registry and Namespace, it forms the fully qualified repository path. -#### `cache.oci.insecure` +### `cache.oci.insecure` - **Type:** `bool` - **Env:** `CACHE_OCI_INSECURE` Insecure allows connections to registries over HTTP or with invalid TLS certificates. -#### `cache.signingKeyPath` +### `cache.signingKeyPath` - **Type:** `string` - **Env:** `CACHE_SIGNINGKEYPATH` SigningKeyPath is the path to the ECDSA key used to sign cached assets. +Mutually exclusive with GSA signing. + +### `cache.gsa` + +GSA contains configuration for Google Service Account keyless signing via Sigstore. +When set, GSA-based keyless signing is used instead of a static key. +Mutually exclusive with SigningKeyPath. + +### `cache.gsa.serviceAccountEmail` + +- **Type:** `string` +- **Env:** `CACHE_GSA_SERVICEACCOUNTEMAIL` + +ServiceAccountEmail is the GSA email embedded in the Fulcio certificate. +Used for signature verification — callers must trust signatures issued for this identity. + +### `cache.gsa.keyFile` + +- **Type:** `string` +- **Env:** `CACHE_GSA_KEYFILE` + +KeyFile is the path to a service account JSON key file. +If empty, Application Default Credentials are used (GOOGLE_APPLICATION_CREDENTIALS +environment variable or the metadata server on GCE). + +### `cache.gsa.fulcioURL` + +- **Type:** `string` +- **Env:** `CACHE_GSA_FULCIOURL` + +FulcioURL is the Fulcio CA endpoint. +Defaults to the public Sigstore instance. + +### `cache.gsa.rekorURL` + +- **Type:** `string` +- **Env:** `CACHE_GSA_REKORURL` -#### `cache.cdn` +RekorURL is the Rekor transparency log endpoint. +Defaults to the public Sigstore instance. + +### `cache.cdn` CDN contains configuration for using a CDN to serve cached assets. -#### `cache.cdn.host` +### `cache.cdn.host` - **Type:** `string` - **Env:** `CACHE_CDN_HOST` Host is the CDN URL used to serve cached assets. -#### `cache.cdn.trimPrefix` +### `cache.cdn.trimPrefix` - **Type:** `string` - **Env:** `CACHE_CDN_TRIMPREFIX` TrimPrefix removes a prefix from asset paths before redirecting to the CDN. -#### `cache.cdn.enabled` +### `cache.cdn.enabled` - **Type:** `bool` - **Env:** `CACHE_CDN_ENABLED` Enabled enables the CDN cache. -#### `cache.s3` +### `cache.s3` S3 contains configuration for using S3 to store cached assets. -#### `cache.s3.bucket` +### `cache.s3.bucket` - **Type:** `string` - **Env:** `CACHE_S3_BUCKET` Bucket is the S3 bucket name where cached assets are stored. -#### `cache.s3.endpoint` +### `cache.s3.endpoint` - **Type:** `string` - **Env:** `CACHE_S3_ENDPOINT` Endpoint is the S3 endpoint URL (without scheme or trailing slash). -#### `cache.s3.region` +### `cache.s3.region` - **Type:** `string` - **Env:** `CACHE_S3_REGION` Region is the S3 region for the bucket. -#### `cache.s3.insecure` +### `cache.s3.insecure` - **Type:** `bool` - **Env:** `CACHE_S3_INSECURE` Insecure allows connecting to S3 without TLS or with invalid certificates. -#### `cache.s3.enabled` +### `cache.s3.enabled` - **Type:** `bool` - **Env:** `CACHE_S3_ENABLED` Enabled enables S3 cache. +### `cache.s3.presignedURLTTL` + +- **Type:** `time.Duration` +- **Env:** `CACHE_S3_PRESIGNEDURLTTL` + +PresignedURLTTL is the duration for which presigned URLs are valid. + +### `cache.schematic` + +Schematic contains configuration for caching schematic blobs. + +### `cache.schematic.capacity` + +- **Type:** `uint64` +- **Env:** `CACHE_SCHEMATIC_CAPACITY` + +Capacity sets the maximum number of schematics to keep in the in-memory cache. + +### `cache.schematic.negativeTTL` + +- **Type:** `time.Duration` +- **Env:** `CACHE_SCHEMATIC_NEGATIVETTL` + +NegativeTTL sets the time-to-live for negative cache entries (schematics not found in underlying storage). + ### `metrics` Metrics holds configuration for the Prometheus metrics endpoint. -#### `metrics.addr` +### `metrics.addr` - **Type:** `string` - **Env:** `METRICS_ADDR` @@ -272,96 +341,96 @@ Leave empty to disable metrics. SecureBoot contains configuration for generating SecureBoot-enabled assets. -#### `secureBoot.file` +### `secureBoot.file` File specifies file-based SecureBoot keys and certificates. -#### `secureBoot.file.signingKeyPath` +### `secureBoot.file.signingKeyPath` - **Type:** `string` - **Env:** `SECUREBOOT_FILE_SIGNINGKEYPATH` SigningKeyPath is the path to the private key used for signing boot assets. -#### `secureBoot.file.signingCertPath` +### `secureBoot.file.signingCertPath` - **Type:** `string` - **Env:** `SECUREBOOT_FILE_SIGNINGCERTPATH` SigningCertPath is the path to the certificate used for signing boot assets. -#### `secureBoot.file.pcrKeyPath` +### `secureBoot.file.pcrKeyPath` - **Type:** `string` - **Env:** `SECUREBOOT_FILE_PCRKEYPATH` PCRKeyPath is the path to the key used for PCR measurement. -#### `secureBoot.azureKeyVault` +### `secureBoot.azureKeyVault` AzureKeyVault configures SecureBoot using Azure Key Vault. -#### `secureBoot.azureKeyVault.url` +### `secureBoot.azureKeyVault.url` - **Type:** `string` - **Env:** `SECUREBOOT_AZUREKEYVAULT_URL` URL is the Key Vault endpoint. -#### `secureBoot.azureKeyVault.certificateName` +### `secureBoot.azureKeyVault.certificateName` - **Type:** `string` - **Env:** `SECUREBOOT_AZUREKEYVAULT_CERTIFICATENAME` CertificateName is the name of the certificate in Key Vault. -#### `secureBoot.azureKeyVault.keyName` +### `secureBoot.azureKeyVault.keyName` - **Type:** `string` - **Env:** `SECUREBOOT_AZUREKEYVAULT_KEYNAME` KeyName is the name of the key in Key Vault. -#### `secureBoot.awsKMS` +### `secureBoot.awsKMS` AWSKMS configures SecureBoot using AWS KMS. -#### `secureBoot.awsKMS.keyID` +### `secureBoot.awsKMS.keyID` - **Type:** `string` - **Env:** `SECUREBOOT_AWSKMS_KEYID` KeyID is the AWS KMS Key ID used for signing boot assets. -#### `secureBoot.awsKMS.pcrKeyID` +### `secureBoot.awsKMS.pcrKeyID` - **Type:** `string` - **Env:** `SECUREBOOT_AWSKMS_PCRKEYID` PCRKeyID is the AWS KMS Key ID used for PCR measurement. -#### `secureBoot.awsKMS.certPath` +### `secureBoot.awsKMS.certPath` - **Type:** `string` - **Env:** `SECUREBOOT_AWSKMS_CERTPATH` CertPath is the path to the certificate used with AWS KMS. -#### `secureBoot.awsKMS.certARN` +### `secureBoot.awsKMS.certARN` - **Type:** `string` - **Env:** `SECUREBOOT_AWSKMS_CERTARN` CertARN is the ARN of the ACM certificate used with AWS KMS. -#### `secureBoot.awsKMS.region` +### `secureBoot.awsKMS.region` - **Type:** `string` - **Env:** `SECUREBOOT_AWSKMS_REGION` Region is the AWS region containing the KMS keys. -#### `secureBoot.enabled` +### `secureBoot.enabled` - **Type:** `bool` - **Env:** `SECUREBOOT_ENABLED` @@ -372,11 +441,11 @@ Enabled enables SecureBoot asset generation. Artifacts defines names and references for various images used by the factory. -#### `artifacts.core` +### `artifacts.core` Core contains configuration for core images used by the image factory. -#### `artifacts.core.registry` +### `artifacts.core.registry` - **Type:** `string` - **Env:** `ARTIFACTS_CORE_REGISTRY` @@ -384,54 +453,54 @@ Core contains configuration for core images used by the image factory. Registry specifies the OCI registry host for base images, extensions, and related artifacts. E.g., "ghcr.io". -#### `artifacts.core.components` +### `artifacts.core.components` Components defines the names of images used by the image factory. This typically maps to repositories and tags for core components. -#### `artifacts.core.components.installerBase` +### `artifacts.core.components.installerBase` - **Type:** `string` - **Env:** `ARTIFACTS_CORE_COMPONENTS_INSTALLERBASE` InstallerBase is the base image for creating installer images. -#### `artifacts.core.components.installer` +### `artifacts.core.components.installer` - **Type:** `string` - **Env:** `ARTIFACTS_CORE_COMPONENTS_INSTALLER` Installer is the main installer image. -#### `artifacts.core.components.imager` +### `artifacts.core.components.imager` - **Type:** `string` - **Env:** `ARTIFACTS_CORE_COMPONENTS_IMAGER` Imager is the image builder used by the factory. -#### `artifacts.core.components.extensionManifest` +### `artifacts.core.components.extensionManifest` - **Type:** `string` - **Env:** `ARTIFACTS_CORE_COMPONENTS_EXTENSIONMANIFEST` ExtensionManifest is the image manifest for extensions. -#### `artifacts.core.components.overlayManifest` +### `artifacts.core.components.overlayManifest` - **Type:** `string` - **Env:** `ARTIFACTS_CORE_COMPONENTS_OVERLAYMANIFEST` OverlayManifest is the image manifest for overlays. -#### `artifacts.core.components.talosctl` +### `artifacts.core.components.talosctl` - **Type:** `string` - **Env:** `ARTIFACTS_CORE_COMPONENTS_TALOSCTL` Talosctl is the image containing the Talos CLI tool. -#### `artifacts.core.insecure` +### `artifacts.core.insecure` - **Type:** `bool` - **Env:** `ARTIFACTS_CORE_INSECURE` @@ -439,11 +508,11 @@ Talosctl is the image containing the Talos CLI tool. Insecure allows connections to the registry over HTTP or with invalid TLS certificates. Use with caution, as this may expose security risks. -#### `artifacts.schematic` +### `artifacts.schematic` Schematic is the OCI repository used to store schematic blobs required by the image factory for building images. -#### `artifacts.schematic.registry` +### `artifacts.schematic.registry` - **Type:** `string` - **Env:** `ARTIFACTS_SCHEMATIC_REGISTRY` @@ -451,7 +520,7 @@ Schematic is the OCI repository used to store schematic blobs required by the im Registry is the hostname of the container registry, e.g., `ghcr.io`. This is where images are stored. -#### `artifacts.schematic.namespace` +### `artifacts.schematic.namespace` - **Type:** `string` - **Env:** `ARTIFACTS_SCHEMATIC_NAMESPACE` @@ -459,7 +528,7 @@ This is where images are stored. Namespace is the repository namespace or organization within the registry, e.g., `sidero-labs`. Some registries allow repositories without a namespace. -#### `artifacts.schematic.repository` +### `artifacts.schematic.repository` - **Type:** `string` - **Env:** `ARTIFACTS_SCHEMATIC_REPOSITORY` @@ -467,22 +536,22 @@ Some registries allow repositories without a namespace. Repository is the name of the repository inside the namespace, e.g., `talos`. Combined with Registry and Namespace, it forms the fully qualified repository path. -#### `artifacts.schematic.insecure` +### `artifacts.schematic.insecure` - **Type:** `bool` - **Env:** `ARTIFACTS_SCHEMATIC_INSECURE` Insecure allows connections to registries over HTTP or with invalid TLS certificates. -#### `artifacts.installer` +### `artifacts.installer` Installer contains configuration for storing and accessing installer images. -#### `artifacts.installer.internal` +### `artifacts.installer.internal` Internal is the internal OCI registry used by the image factory to push installer images. -#### `artifacts.installer.internal.registry` +### `artifacts.installer.internal.registry` - **Type:** `string` - **Env:** `ARTIFACTS_INSTALLER_INTERNAL_REGISTRY` @@ -490,7 +559,7 @@ Internal is the internal OCI registry used by the image factory to push installe Registry is the hostname of the container registry, e.g., `ghcr.io`. This is where images are stored. -#### `artifacts.installer.internal.namespace` +### `artifacts.installer.internal.namespace` - **Type:** `string` - **Env:** `ARTIFACTS_INSTALLER_INTERNAL_NAMESPACE` @@ -498,7 +567,7 @@ This is where images are stored. Namespace is the repository namespace or organization within the registry, e.g., `sidero-labs`. Some registries allow repositories without a namespace. -#### `artifacts.installer.internal.repository` +### `artifacts.installer.internal.repository` - **Type:** `string` - **Env:** `ARTIFACTS_INSTALLER_INTERNAL_REPOSITORY` @@ -506,21 +575,21 @@ Some registries allow repositories without a namespace. Repository is the name of the repository inside the namespace, e.g., `talos`. Combined with Registry and Namespace, it forms the fully qualified repository path. -#### `artifacts.installer.internal.insecure` +### `artifacts.installer.internal.insecure` - **Type:** `bool` - **Env:** `ARTIFACTS_INSTALLER_INTERNAL_INSECURE` Insecure allows connections to registries over HTTP or with invalid TLS certificates. -#### `artifacts.installer.external` +### `artifacts.installer.external` External is the public OCI registry used for redirects to installer images. If this field is not set, Image Factory will proxy requests to the internal registry through itself instead of issuing HTTP redirects to the external registry endpoint. -#### `artifacts.installer.external.registry` +### `artifacts.installer.external.registry` - **Type:** `string` - **Env:** `ARTIFACTS_INSTALLER_EXTERNAL_REGISTRY` @@ -528,7 +597,7 @@ through itself instead of issuing HTTP redirects to the external registry endpoi Registry is the hostname of the container registry, e.g., `ghcr.io`. This is where images are stored. -#### `artifacts.installer.external.namespace` +### `artifacts.installer.external.namespace` - **Type:** `string` - **Env:** `ARTIFACTS_INSTALLER_EXTERNAL_NAMESPACE` @@ -536,7 +605,7 @@ This is where images are stored. Namespace is the repository namespace or organization within the registry, e.g., `sidero-labs`. Some registries allow repositories without a namespace. -#### `artifacts.installer.external.repository` +### `artifacts.installer.external.repository` - **Type:** `string` - **Env:** `ARTIFACTS_INSTALLER_EXTERNAL_REPOSITORY` @@ -544,30 +613,210 @@ Some registries allow repositories without a namespace. Repository is the name of the repository inside the namespace, e.g., `talos`. Combined with Registry and Namespace, it forms the fully qualified repository path. -#### `artifacts.installer.external.insecure` +### `artifacts.installer.external.insecure` - **Type:** `bool` - **Env:** `ARTIFACTS_INSTALLER_EXTERNAL_INSECURE` Insecure allows connections to registries over HTTP or with invalid TLS certificates. -#### `artifacts.talosVersionRecheckInterval` +### `artifacts.talosVersionRecheckInterval` - **Type:** `time.Duration` - **Env:** `ARTIFACTS_TALOSVERSIONRECHECKINTERVAL` TalosVersionRecheckInterval sets the interval at which the image factory rechecks available Talos versions. -#### `artifacts.refreshInterval` +### `artifacts.refreshInterval` - **Type:** `time.Duration` - **Env:** `ARTIFACTS_REFRESHINTERVAL` RefreshInterval specifies how often the image factory should refresh its connection to registries. -## Default configuration +### `authentication` -#### YAML +Authentication settings. + +Note: only available in the Enterprise edition. + +### `authentication.enabled` + +- **Type:** `bool` +- **Env:** `AUTHENTICATION_ENABLED` + +Enabled enables authentication. + +### `authentication.htpasswdPath` + +- **Type:** `string` +- **Env:** `AUTHENTICATION_HTPASSWDPATH` + +HTPasswdPath is the path to the htpasswd file containing user credentials. + +The file follows the standard htpasswd format (username:bcrypt_hash, one per line). +Multiple entries with the same username are supported, allowing multiple API keys per user. +Only bcrypt hashes ($2y$/$2a$/$2b$) are accepted. + +It is required if authentication is enabled. + +### `enterprise` + +Enterprise contains configuration for enterprise-specific features. + +### `enterprise.scanner` + +Scanner contains configuration for the vulnerability scanner. + +### `enterprise.scanner.databaseURL` + +- **Type:** `string` +- **Env:** `ENTERPRISE_SCANNER_DATABASEURL` + +DatabaseURL overrides the Grype vulnerability database listing URL. +Set this to point at a mirror or air-gapped database service. + +### `enterprise.scanner.cache` + +Cache contains configuration for caching vulnerability scan results. + +### `enterprise.scanner.cache.ttl` + +- **Type:** `time.Duration` +- **Env:** `ENTERPRISE_SCANNER_CACHE_TTL` + +TTL is the duration for caching objects. + +### `enterprise.scanner.cache.capacity` + +- **Type:** `uint64` +- **Env:** `ENTERPRISE_SCANNER_CACHE_CAPACITY` + +Capacity caps the number of cached objects before LRU eviction. + +### `enterprise.spdx` + +SPDX contains configuration for SPDX document generation. + +### `enterprise.spdx.cache` + +### `enterprise.spdx.cache.registry` + +- **Type:** `string` +- **Env:** `ENTERPRISE_SPDX_CACHE_REGISTRY` + +Registry is the hostname of the container registry, e.g., `ghcr.io`. +This is where images are stored. + +### `enterprise.spdx.cache.namespace` + +- **Type:** `string` +- **Env:** `ENTERPRISE_SPDX_CACHE_NAMESPACE` + +Namespace is the repository namespace or organization within the registry, e.g., `sidero-labs`. +Some registries allow repositories without a namespace. + +### `enterprise.spdx.cache.repository` + +- **Type:** `string` +- **Env:** `ENTERPRISE_SPDX_CACHE_REPOSITORY` + +Repository is the name of the repository inside the namespace, e.g., `talos`. +Combined with Registry and Namespace, it forms the fully qualified repository path. + +### `enterprise.spdx.cache.insecure` + +- **Type:** `bool` +- **Env:** `ENTERPRISE_SPDX_CACHE_INSECURE` + +Insecure allows connections to registries over HTTP or with invalid TLS certificates. + +### `enterprise.vex` + +VEX contains configuration for VEX data fetching. + +### `enterprise.vex.data` + +Data specifies the OCI repository where VEX documents are stored. + +### `enterprise.vex.data.registry` + +- **Type:** `string` +- **Env:** `ENTERPRISE_VEX_DATA_REGISTRY` + +Registry is the hostname of the container registry, e.g., `ghcr.io`. +This is where images are stored. + +### `enterprise.vex.data.namespace` + +- **Type:** `string` +- **Env:** `ENTERPRISE_VEX_DATA_NAMESPACE` + +Namespace is the repository namespace or organization within the registry, e.g., `sidero-labs`. +Some registries allow repositories without a namespace. + +### `enterprise.vex.data.repository` + +- **Type:** `string` +- **Env:** `ENTERPRISE_VEX_DATA_REPOSITORY` + +Repository is the name of the repository inside the namespace, e.g., `talos`. +Combined with Registry and Namespace, it forms the fully qualified repository path. + +### `enterprise.vex.data.insecure` + +- **Type:** `bool` +- **Env:** `ENTERPRISE_VEX_DATA_INSECURE` + +Insecure allows connections to registries over HTTP or with invalid TLS certificates. + +### `enterprise.vex.cache` + +Cache contains configuration for caching VEX documents. + +### `enterprise.vex.cache.ttl` + +- **Type:** `time.Duration` +- **Env:** `ENTERPRISE_VEX_CACHE_TTL` + +TTL is the duration for caching objects. + +### `enterprise.vex.cache.capacity` + +- **Type:** `uint64` +- **Env:** `ENTERPRISE_VEX_CACHE_CAPACITY` + +Capacity caps the number of cached objects before LRU eviction. + +### `registry` + +Registry contains low-level tuning for the registry client (pull/push concurrency, debugging). + +### `registry.jobs` + +- **Type:** `int` +- **Env:** `REGISTRY_JOBS` + +Jobs is the maximum number of concurrent blob pull/push operations per registry client. + +go-containerregistry gates concurrent blob fetches on this value; too low a value can +deadlock under Image Factory's concurrent, multiplexed fetch pattern. +Defaults to remotewrap.DefaultJobs. + +### `registry.debug` + +- **Type:** `bool` +- **Env:** `REGISTRY_DEBUG` + +Debug tracks registry response bodies to help diagnose pull-limiter token leaks/stalls: +it periodically logs how many bodies are open and dumps any body that stays open too long +together with the stack that opened it. + +Set via config or the IF_REGISTRY_DEBUG environment variable. + +## Default Configuration + +### YAML ```yaml artifacts: @@ -599,7 +848,11 @@ artifacts: registry: ghcr.io repository: schematics talosVersionRecheckInterval: 15m0s +authentication: + enabled: false + htpasswdPath: "" build: + brokenTalosVersions: [] maxConcurrency: 6 minTalosVersion: 1.2.0 cache: @@ -607,6 +860,11 @@ cache: enabled: false host: "" trimPrefix: "" + gsa: + fulcioURL: "" + keyFile: "" + rekorURL: "" + serviceAccountEmail: "" oci: insecure: false namespace: siderolabs/image-factory @@ -617,7 +875,11 @@ cache: enabled: false endpoint: "" insecure: false + presignedURLTTL: 1h0m0s region: "" + schematic: + capacity: 100000 + negativeTTL: 30s signingKeyPath: "" containerSignature: disabled: false @@ -626,6 +888,27 @@ containerSignature: publicKeyFile: "" publicKeyHashAlgo: sha256 subjectRegExp: (@siderolabs\.com$|^releasemgr-svc@talos-production\.iam\.gserviceaccount\.com$) +enterprise: + scanner: + cache: + capacity: 4096 + ttl: 15m0s + databaseURL: https://grype.anchore.io/databases + spdx: + cache: + insecure: false + namespace: siderolabs/image-factory + registry: ghcr.io + repository: spdx-cache + vex: + cache: + capacity: 65536 + ttl: 15m0s + data: + insecure: false + namespace: siderolabs/talos-vex + registry: ghcr.io + repository: talos-vex-data http: allowedOrigins: - '*' @@ -636,6 +919,9 @@ http: keyFile: "" metrics: addr: :2122 +registry: + debug: false + jobs: 64 secureBoot: awsKMS: certARN: "" @@ -654,7 +940,7 @@ secureBoot: signingKeyPath: "" ``` -#### Environment variables +### Environment Variables ```env IF_ARTIFACTS_CORE_COMPONENTS_EXTENSIONMANIFEST=siderolabs/extensions @@ -679,11 +965,18 @@ IF_ARTIFACTS_SCHEMATIC_NAMESPACE=siderolabs/image-factory IF_ARTIFACTS_SCHEMATIC_REGISTRY=ghcr.io IF_ARTIFACTS_SCHEMATIC_REPOSITORY=schematics IF_ARTIFACTS_TALOSVERSIONRECHECKINTERVAL=15m0s +IF_AUTHENTICATION_ENABLED=false +IF_AUTHENTICATION_HTPASSWDPATH= +IF_BUILD_BROKENTALOSVERSIONS=[] IF_BUILD_MAXCONCURRENCY=6 IF_BUILD_MINTALOSVERSION=1.2.0 IF_CACHE_CDN_ENABLED=false IF_CACHE_CDN_HOST= IF_CACHE_CDN_TRIMPREFIX= +IF_CACHE_GSA_FULCIOURL= +IF_CACHE_GSA_KEYFILE= +IF_CACHE_GSA_REKORURL= +IF_CACHE_GSA_SERVICEACCOUNTEMAIL= IF_CACHE_OCI_INSECURE=false IF_CACHE_OCI_NAMESPACE=siderolabs/image-factory IF_CACHE_OCI_REGISTRY=ghcr.io @@ -692,7 +985,10 @@ IF_CACHE_S3_BUCKET=image-factory IF_CACHE_S3_ENABLED=false IF_CACHE_S3_ENDPOINT= IF_CACHE_S3_INSECURE=false +IF_CACHE_S3_PRESIGNEDURLTTL=1h0m0s IF_CACHE_S3_REGION= +IF_CACHE_SCHEMATIC_CAPACITY=100000 +IF_CACHE_SCHEMATIC_NEGATIVETTL=30s IF_CACHE_SIGNINGKEYPATH= IF_CONTAINERSIGNATURE_DISABLED=false IF_CONTAINERSIGNATURE_ISSUER=https://accounts.google.com @@ -700,13 +996,28 @@ IF_CONTAINERSIGNATURE_ISSUERREGEXP= IF_CONTAINERSIGNATURE_PUBLICKEYFILE= IF_CONTAINERSIGNATURE_PUBLICKEYHASHALGO=sha256 IF_CONTAINERSIGNATURE_SUBJECTREGEXP=(@siderolabs\.com$|^releasemgr-svc@talos-production\.iam\.gserviceaccount\.com$) -IF_HTTP_ALLOWEDORIGINS=[*] +IF_ENTERPRISE_SCANNER_CACHE_CAPACITY=4096 +IF_ENTERPRISE_SCANNER_CACHE_TTL=15m0s +IF_ENTERPRISE_SCANNER_DATABASEURL=https://grype.anchore.io/databases +IF_ENTERPRISE_SPDX_CACHE_INSECURE=false +IF_ENTERPRISE_SPDX_CACHE_NAMESPACE=siderolabs/image-factory +IF_ENTERPRISE_SPDX_CACHE_REGISTRY=ghcr.io +IF_ENTERPRISE_SPDX_CACHE_REPOSITORY=spdx-cache +IF_ENTERPRISE_VEX_CACHE_CAPACITY=65536 +IF_ENTERPRISE_VEX_CACHE_TTL=15m0s +IF_ENTERPRISE_VEX_DATA_INSECURE=false +IF_ENTERPRISE_VEX_DATA_NAMESPACE=siderolabs/talos-vex +IF_ENTERPRISE_VEX_DATA_REGISTRY=ghcr.io +IF_ENTERPRISE_VEX_DATA_REPOSITORY=talos-vex-data +IF_HTTP_ALLOWEDORIGINS=["*"] IF_HTTP_CERTFILE= IF_HTTP_EXTERNALPXEURL= IF_HTTP_EXTERNALURL=https://localhost/ IF_HTTP_HTTPLISTENADDR=:8080 IF_HTTP_KEYFILE= IF_METRICS_ADDR=:2122 +IF_REGISTRY_DEBUG=false +IF_REGISTRY_JOBS=64 IF_SECUREBOOT_AWSKMS_CERTARN= IF_SECUREBOOT_AWSKMS_CERTPATH= IF_SECUREBOOT_AWSKMS_KEYID= @@ -719,4 +1030,4 @@ IF_SECUREBOOT_ENABLED=false IF_SECUREBOOT_FILE_PCRKEYPATH= IF_SECUREBOOT_FILE_SIGNINGCERTPATH= IF_SECUREBOOT_FILE_SIGNINGKEYPATH= -``` +``` \ No newline at end of file diff --git a/public/snippets/custom-variables.mdx b/public/snippets/custom-variables.mdx index ab6194a5..e7be0633 100644 --- a/public/snippets/custom-variables.mdx +++ b/public/snippets/custom-variables.mdx @@ -9,7 +9,7 @@ export const omni_helm_chart_release = '2.5.10' export const image_factory_release = 'v1.3.3' {/* latest stable Talos release version */} -export const release = 'v1.13.4' +export const release = 'v1.13.5' export const release_branch = 'release-1.13' export const version = 'v1.13' export const nvidia_container_toolkit_release = 'v1.19.0' @@ -65,7 +65,7 @@ export const nvidia_container_toolkit_release_v1_12 = "v1.18.0" export const nvidia_driver_release_v1_12 = "580.105.08" {/* 1.13 talos release */} -export const release_v1_13 = 'v1.13.4' +export const release_v1_13 = 'v1.13.5' export const release_branch_v1_13 = 'release-1.13' export const version_v1_13 = 'v1.13' export const nvidia_container_toolkit_release_v1_13 = "v1.19.0"