Skip to content

feat: Talos 1.11/1.12+ multi-document configuration migration #293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mlinares1998 wants to merge 16 commits into
base: main
Choose a base branch
from
Open

feat: Talos 1.11/1.12+ multi-document configuration migration #293

mlinares1998 wants to merge 16 commits into from

Conversation

@mlinares1998
Copy link
Contributor

@mlinares1998 mlinares1998 commented Jan 5, 2026
edited
Loading

Summary

Hi @M4t7e! 👋

This PR lays the groundwork required to fully upgrade to Talos v1.12+, introducing a modular architecture for the new multi-document YAML configuration.

The goal is to address pending v1.11/v1.12 migrations from the legacy v1alpha1 machine configuration to the new document-based approach.

References:

Architecture Changes

Replaced the monolithic talos_config.tf approach with dedicated files for each document type:

talos_manifest_machineconfig.tf       → v1alpha1 machine config (core settings)
talos_manifest_hostnameconfig.tf      → Hostname configuration
talos_manifest_resolverconfig.tf      → DNS nameserver configuration
talos_manifest_statichostconfig.tf    → Static /etc/hosts entries
talos_manifest_timesyncconfig.tf      → NTP time synchronization
talos_manifest_network.tf             → Network interface configuration
talos_manifest_volumeconfig.tf        → Disk encryption configuration
talos_manifest_oomconfig.tf           → Out of Memory handler configuration
talos_manifest_uservolumeconfig.tf    → User volumes on EPHEMERAL partition
talos_manifest_registries.tf          → Container registry configuration
talos_manifest_trustedroots.tf        → Custom CA certificates

Each file generates standalone configuration documents that are combined in talos_config.tf via the config_patches mechanism.

Current Progress

Feature Status
Disk encryption → VolumeConfig ✅ Done
Hostname configuration → HostnameConfig ✅ Done
DNS nameservers → ResolverConfig ✅ Done
Static /etc/hosts entries → StaticHostConfig ✅ Done
NTP time sync → TimeSyncConfig ✅ Done
Network interfaces → LinkConfig, DHCPv4Config, HCloudVIPConfig ✅ Done
Registry configuration → RegistryMirrorConfig, RegistryTLSConfig, RegistryAuthConfig ✅ Done
UserVolumeConfig with volumeType: directory ✅ Done
OOMConfig document support ✅ Done
TrustedRootsConfig for custom CA certificates ✅ Done

New Features

Directory Volumes (UserVolumeConfig)

Talos 1.12 introduces a new UserVolumeConfig document with directory support. This allows creating bind mounts directly on the ephemeral partition without provisioning new partitions.

Configuration variables:

  • control_plane_directory_volumes - List of volume names for control plane nodes
  • worker_directory_volumes - List of volume names for worker nodes
  • cluster_autoscaler_directory_volumes - List of volume names for autoscaler nodes

Userspace OOM Handler (OOMConfig)

Talos 1.12 introduces a new OOMConfig document to configure the new userspace OOM handler behavior. The OOM handler is always enabled by default with sensible built-in settings.

Configuration variables:

  • talos_custom_oom_enabled - Enable custom OOM configuration (default: false)
  • talos_custom_oom_trigger_expression - Custom trigger CEL expression
  • talos_custom_oom_cgroup_ranking_expression - Custom ranking CEL expression
  • talos_custom_oom_sample_interval - Custom evaluation interval (e.g., "100ms", "500ms")

Custom CA Certificates (TrustedRootsConfig)

New support for adding custom CA certificates to the system trust store beyond Talos defaults.

Configuration variables:

  • talos_trusted_roots_certificates - List of PEM-encoded CA certificates

I hope this approach suits well for the incoming v4 release.

Regards! 🚀

@mlinares1998
feat: migrate disk encryption to VolumeConfig documents (Talos 1.11+)
a97b494 
Refactor Talos configuration to support multi-document YAML architecture, migrating LUKS2 disk encryption from v1alpha1 machineconfig to separate VolumeConfig documents as per Talos 1.11+ specification.

Configuration changes:
- Add talos_manifest_volumeconfig.tf: VolumeConfig documents for STATE
and EPHEMERAL partition encryption with per-node keys
- Add talos_manifest_machineconfig.tf: Extracted v1alpha1 machine configuration patches
- Update talos_config.tf: Combine v1alpha1 configs with VolumeConfig documents using multi-document YAML (--- separator)

This establishes the foundation for incremental migration of additional configuration elements to dedicated document types (DHCPv4Config,ResolverConfig,
StaticHostConfig, etc.) in future commits.
@mlinares1998
refactor: standardize RBAC/OIDC locals with kube_* prefix
271364a
@mlinares1998
feat: upgrade to Talos v1.12.1 with HostnameConfig migration
2089e2c 
Upgrades Talos to v1.12.1 and migrates hostname configuration from deprecated machine.network.hostname to the new HostnameConfig document.

Changes:
- Talos v1.11.6 → v1.12.1
- Talos provider 0.9.0 → 0.10.0
- Hcloud provider 1.57.0 → 1.58.0
- Add HostnameConfig with auto: "stable" (DHCP priority, stable fallback)
- Remove deprecated hostname from machine.network blocks
@mlinares1998
feat: migrate nameservers to ResolverConfig document
d42e712 
Migrates DNS nameserver configuration from deprecated machine.network.nameservers to the new ResolverConfig document introduced in Talos 1.12.
@mlinares1998
feat: migrate static host entries to StaticHostConfig documents
b0494cd 
Migrates extra host entries configuration from deprecated machine.network.extraHostEntries to the new StaticHostConfig documents introduced in Talos 1.12.
@mlinares1998 mlinares1998 force-pushed the feature/talos-1-12-migrations branch from 858e781 to c6b41d8 Compare January 6, 2026 16:03
@mlinares1998
feat: migrate network config to separate documents
4b41db4 
Migrates network interface configuration from deprecated machine.network.interfaces to new LinkConfig, DHCPv4Config, and HCloudVIPConfig documents.

Changes:
- Add talos_manifest_network.tf with separate network documents
- LinkConfig: Interface up/down state and routing
- DHCPv4Config: DHCP client configuration per interface
- HCloudVIPConfig: Hetzner Cloud VIP management (control plane only)
- Add extra validations to talos_extra_routes variable
@mlinares1998
feat: migrate time sync config to TimeSyncConfig document
67981e1 
Migrates NTP server configuration from deprecated machine.time.servers to the new TimeSyncConfig document.
@mlinares1998
refactor: move locals to dedicated config files
748771a
@mlinares1998
refactor: deduplicate talos machine config patches
42dac03
@mlinares1998 mlinares1998 force-pushed the feature/talos-1-12-migrations branch from c6b41d8 to 42dac03 Compare January 6, 2026 16:04
@mlinares1998
feat: add OOMConfig support for Talos 1.12+ userspace OOM handler
5f0a724 
Changes:
- Add talos_manifest_oomconfig.tf to generate OOMConfig documents
- Add talos_custom_oom_* variables with validation
- Update talos_config.tf to include OOMConfig in machine configurations
- Update README.md
@mlinares1998
feat: add directory volumes support
02d5727 
Implement UserVolumeConfig document support for directory type volumes on the EPHEMERAL partition.
@mlinares1998
refactor: migrate registry config to Talos Registry documents
3b8b290 
- Generate RegistryMirrorConfig, RegistryAuthConfig, and RegistryTLSConfig documents
- Remove deprecated machine.registries field from v1alpha1 config
- Add validations for registries
@mlinares1998
feat: add TrustedRootsConfig support for additional custom CA certifi…
9bd2e3a 
…cates
@mlinares1998
refactor: improve code quality and consistency across Talos 1.12 mani…
36ec051 
…fests
@mlinares1998 mlinares1998 marked this pull request as ready for review January 8, 2026 21:29
@mlinares1998
Copy link
Contributor Author

mlinares1998 commented Jan 8, 2026

Hi @M4t7e, PR's ready for your review! 😄
Let me know if anything needs changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mlinares1998