Skip to content

chore(deps): update dependency talos to v1.13.2#1664

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/talos-1.x
Open

chore(deps): update dependency talos to v1.13.2#1664
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/talos-1.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 25, 2026
edited
Loading

This PR contains the following updates:

Package Update Change
talos minor 1.12.61.13.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

siderolabs/talos (talos)

v1.13.2

Compare Source

Talos 1.13.2 (2026-05-12)

Welcome to the v1.13.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Etcd: 3.6.11
Linux: 6.18.29

Talos is built with Go 1.26.3.

Contributors
  • Noel Georgi
Changes
1 commit

Dependency Changes
  • github.com/siderolabs/talos/pkg/machinery v1.13.1 -> v1.13.2

Previous release can be found at v1.13.1

Images

ghcr.io/siderolabs/flannel:v0.28.4
registry.k8s.io/coredns/coredns:v1.14.2
registry.k8s.io/etcd:v3.6.11
registry.k8s.io/pause:3.10.1
registry.k8s.io/kube-apiserver:v1.36.0
registry.k8s.io/kube-controller-manager:v1.36.0
registry.k8s.io/kube-scheduler:v1.36.0
registry.k8s.io/kube-proxy:v1.36.0
ghcr.io/siderolabs/kubelet:v1.36.0
registry.k8s.io/networking/kube-network-policies:v1.0.0
ghcr.io/siderolabs/installer:v1.13.2
ghcr.io/siderolabs/installer-base:v1.13.2
ghcr.io/siderolabs/imager:v1.13.2
ghcr.io/siderolabs/talos:v1.13.2
ghcr.io/siderolabs/talosctl-all:v1.13.2
ghcr.io/siderolabs/overlays:v1.13.2
ghcr.io/siderolabs/extensions:v1.13.2

v1.13.0

Compare Source

Welcome to the v1.14.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Default Installer Image

The default installer image has been updated to use the Image Factory.

Host DNS Configuration

HostDNS configuration was moved from the v1alpha1 config .machine.features.hostDNS field to the new hostDNS in the ResolverConfig document.

NTS for Time Synchronization

Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.

NTS is enabled by default (without any configuration sources) for the default time.cloudflare.com time server
NTS can be enabled for custom time servers via the new useNTS field in the TimeServerConfig document.

TLS 1.3 Minimum Version

Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.

Component Updates

Linux: 6.18.25
Kubernetes: 1.36.0

Talos is built with Go 1.26.2.

Contributors
  • Andrey Smirnov
  • Noel Georgi
  • Mateusz Urbanek
  • Utku Ozdemir
  • Orzelius
  • Oguz Kilcan
  • buckaroo
  • Ansgar Dahlen
  • Benoît Knecht
  • David Orman
  • Dharsan Baskar
  • Dmitrii Sharshakov
  • Dmitriy Matrenichev
  • Edward Sammut Alessi
  • Erwan Leboucher
  • Kevin Tijssen
  • Nico Berlee
  • Zadkiel AHARONIAN
Changes
103 commits

  • 8a037a56e test: fix flaky tests
  • 08c81d838 feat: bump kernel to 6.18.25
  • fe40b6e58 fix(ci): fetch empty pr labels
  • 837a9ed07 feat: move host DNS config into ResolverConfig
  • 96a8ecd1e feat: default to factory installer image
  • f19eef78b fix: revert add extraArgs from service-account-issuer
  • 6821225b6 fix: revert use append instead of prepend in service-account-issuer
  • b43c3a124 feat: add quirk for talosctl factory downloads
  • df0b9a8da refactor: make all controller unit-test follow modern patterns
  • c2948cef2 feat: support auth for Image Factory in cluster create
  • 560bcf0ca feat: enforce TLS 1.3 minmum version for Kubernetes components
  • 3db14309e fix(talosctl): ensure uncordon runs after reboot/upgrade errors
  • ecf2fa855 feat: update Kubernetes to v1.36.0
  • 71557eadd fix(ci): skip misc jobs not on pull request
  • 026313b7c docs: rename security-insights.yml to lowercase for LFX detection
  • dc4ffd490 fix(ci): fix jobs not interpolating matrix due to condition
  • 25e2f37e2 chore: generate comments for fields in resource proto
  • 149592fa5 fix: watch kubelet's kubeconfig and time out for cache sync
  • 1f315e6e9 feat: update Linux to 6.18.23
  • 0198eedc2 feat: add NTS (Network Time Security) support for NTP time sync
  • 6830a8b97 fix(ci): matrix jobs cleanups
  • 71aeb347f test: fix OOM test flake
  • 9b9542cc5 test: fix a flake in the manifest sync test
  • 863d882b6 test: add image verification for factory.talos.dev
  • bba0b4aee chore(ci): nvidia update helm values
  • 3399ff4de fix: propagate route table down to the resource
  • c684ec60e chore: prepare for Talos 1.14 release
  • ed9545d0d chore(ci): bump gpu operator version
  • 4de3e4393 fix(ci): cron triggered workflows
  • 212182e6f chore: bump container registry library
  • c028db0b8 fix: do not flip machine stage to rebooting during shutdown
  • 6ce62d9e8 fix(ci): workflow runs with workflow_run
  • 509cd9733 fix: boot entry detection
  • 5e3f30188 feat(ci): rework to schedule daily runs after a cron
  • 7fa4d3919 fix: zfs extensions test
  • 1ef8e630a test: allow more tests to run in FIPS strict mode
  • bdcc9321b fix: reduce memory dashboard usage
  • 2d177af82 chore: update Syft to v1.42.4+patches
  • 0d8362119 fix: return failed precondition on upgrade when not installed
  • be58eafab fix: wrong slot of encryption key was logged
  • 015081c76 feat: update dependencies
  • 9fbb7c95d fix: audit trustd code for security
  • 986e97fc7 feat: update Flannel to 0.28.4
  • f3817d1d1 chore: update sign images to support image name suffix
  • e776721f3 feat: update Kubernetes 1.36.0-rc.1
  • f6e7346fa fix: encode extra args fields in resources with new id
  • 3c7bb80ba chore: bump tools
  • 3ba35c9b9 chore(ci): nvidia try UKI boot
  • e3e8f01ca chore: bump tools
  • 181584a5f fix: handle boot failure
  • c464c7e88 fix: upgrade API in maintenance mode (legacy)
  • b7512d912 feat: update Kubernetes to 1.36.0-rc.0
  • 4ba11156f refactor: allow overriding out image name suffix
  • c81aa125c fix: panic in reading PCR values
  • 6a3ab87c5 feat(ci): add nvidia arm64 matrix
  • 21f459aab fix(talosctl): always use default GRPC dial options
  • ca208e514 fix: validate hostDNS forwarding requires hostDNS to be enabled
  • 9fcb9e05b feat: bump go to 1.26.2
  • 0bfdf7f70 fix: create correct blackhole routes for IPv4
  • 52b920032 feat: add client-side Kubernetes node drain to reboot and upgrade commands
  • 968ec1e0c refactor: propagate NAME properly, allow to set on build
  • acc69c346 fix: set the minimum TLS version to 1.3
  • 0cfa6e302 chore: bump some tool dependencies
  • 4229bb9d2 feat: add dis-vulncheck tool
  • d697f5538 fix: don't set xattrs while decompressing extensions
  • 34fb2cbe5 refactor: remove manual shell completion and replace with cobra completion
  • 79fa2e300 feat: allow more nvidia and nvme files from extensions
  • 414f78a29 feat: allow glibc ld files in etc
  • 1bbba4301 feat: update Flannel to v0.28.2
  • 55815e0fa fix: handle ISOs with zeroes in volume labels
  • 7b6ab0c1c feat: add flag to force fallback to legacy upgrade
  • 5e24d5265 feat: add resource view to talosctl dashboard
  • 649ab7fe4 fix: add os:meta:writer role to the dashboard
  • 10cdfa909 fix: drop talosctl install
  • 087ced85f fix: unseal with "slow" TPM
  • 11ab0a8c5 fix: drop unused type from ExternalVolume schema
  • e2df0f6ce fix: always grow disks
  • 919d8c365 chore: drop debug shell
  • 783a35851 fix: add metal-agent mode to runtime capabilities
  • 37b2221cc docs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01
  • bed2bd414 feat: add graceful power off support to QEMU VM launcher
  • 3400059cc fix: incorrect route source for on-link routes
  • b3dfbf743 feat: bump musl to 1.2.6
  • 4227921b3 test: fix the PKI mismatch test flake
  • f2bc2dcc6 feat: update NVIDIA production drivers to 595.58.03
  • aa5946dd3 test: fix cron failures for provision-1 & provision-2
  • 1dd701efa fix: allow blockdevice wipe in maintenance mode
  • 786bf00ab feat: add --platform=all support to image cache-create
  • e1f645e3c feat: validate luks headers for tampering
  • ad72c7300 test: improve maintenance API provision tests
  • 70cefab6a test: fix the flakes in tests with trusted roots
  • aacff17f4 test: bump memory for Flannel netpolicy tests
  • 9c3459114 feat: update Linux to 6.18.19, CNI to 1.9.1
  • 038cb8735 feat: enforce PID check on connections to services over file sockets
  • e2b2dd3ea chore: update go-kubernetes library
  • 9597714f6 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
  • 8ac47d677 fix: unset rlimits for extension services
  • b1a02f368 feat: update Kubernetes to 1.36.0-beta.0
  • 362fdc9ec feat: update etcd to 3.6.9
  • 0a47f40b3 fix(machined): clear stale bond ARP/NS targets on decode
  • 86344639f fix: update diff library to v1.0.1
  • eff89d1ed fix: panics in diff algorithms
  • 8e1c8a7a9 test: fix the apid test against AWS/GCP

Changes from siderolabs/go-kubeconfig
2 commits

  • d0b8f82 chore: rekres and bump deps
  • c356eeb fix: fix context conflict detection add New() constructor

Changes from siderolabs/grpc-proxy
3 commits

  • d670c42 chore: bump dependencies
  • 8614c71 chore: bump deps
  • 80677e0 fix: propagate the headers before the message

Changes from siderolabs/pkgs
22 commits

  • 6a53a93 feat: bump kernel to 6.18.25
  • f567bce feat: disable more stuff in Kconfig
  • ffd9790 feat: bump kernel to 6.18.24
  • b7c709a feat: bump deps
  • e5e5b3c feat: update Linux to 6.18.23
  • 1a4cd20 fix: renovate config
  • d0ed6ed feat: update dependencies
  • 6ea49c7 fix: support disabling module signature verification
  • 6520ec4 feat: update containerd to 2.2.3
  • 37ce992 feat: enable CONFIG_UHID and CONFIG_INPUT_JOYDEV as modules
  • cddd934 feat: update backportable dependencies
  • 32e4077 feat: update OpenSSL
  • 2d241e7 feat: update Go to 1.26.2 and small deps updates
  • 7f540ce feat: disable dynamic SCS
  • 3bef043 feat: update runc to 1.4.2
  • c6e6f10 feat: update Linux to 6.18.21
  • a9e8afa fix: libarchive install prefix
  • e4d0113 feat: update for musl 1.2.6
  • 9142603 feat: update NVIDIA production to 595.58.03
  • 22fa669 feat: update Linux to 6.18.19
  • 03680ae feat: update containerd patch verifier role
  • bdc239e feat: enable CHECKPOINT_RESTORE option

Changes from siderolabs/proto-codec
1 commit

Changes from siderolabs/siderolink
1 commit

Changes from siderolabs/tools
7 commits

Dependency Changes
  • github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.14
  • github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.21
  • github.com/aws/aws-sdk-go-v2/service/acm v1.37.22 -> v1.38.1
  • github.com/aws/aws-sdk-go-v2/service/kms v1.50.3 -> v1.50.4
  • github.com/aws/smithy-go v1.24.2 -> v1.25.0
  • github.com/beevik/nts v0.3.0 new
  • github.com/containerd/containerd/v2 v2.2.2 -> v2.2.3
  • github.com/fatih/color v1.18.0 -> v1.19.0
  • github.com/florianl/go-tc v0.4.7 -> v0.4.8
  • github.com/hetznercloud/hcloud-go/v2 v2.36.0 -> v2.37.0
  • github.com/insomniacslk/dhcp 5adc3eb -> 11b94ed
  • github.com/mdlayher/genetlink v1.3.2 -> v1.4.0
  • github.com/mdlayher/netlink v1.9.0 -> v1.11.0
  • github.com/pelletier/go-toml/v2 v2.2.4 -> v2.3.0
  • github.com/siderolabs/go-kubeconfig v0.1.1 -> v0.1.2
  • github.com/siderolabs/grpc-proxy v0.5.1 -> v0.5.2
  • github.com/siderolabs/pkgs v1.13.0 -> v1.14.0-alpha.0-20-g6a53a93
  • github.com/siderolabs/proto-codec v0.1.3 -> v0.1.4
  • github.com/siderolabs/siderolink v0.3.15 -> v0.3.16
  • github.com/siderolabs/talos/pkg/machinery v1.13.0 -> v1.13.0-beta.0
  • github.com/siderolabs/tools v1.13.0 -> v1.14.0-alpha.0-6-g44ad18c
  • github.com/sigstore/cosign/v3 v3.0.5 -> v3.0.6
  • go.etcd.io/etcd/api/v3 v3.6.9 -> v3.6.10
  • go.etcd.io/etcd/client/pkg/v3 v3.6.9 -> v3.6.10
  • go.etcd.io/etcd/client/v3 v3.6.9 -> v3.6.10
  • go.etcd.io/etcd/etcdutl/v3 v3.6.9 -> v3.6.10
  • google.golang.org/grpc v1.79.3 -> v1.80.0
  • k8s.io/api v0.35.3 -> v0.35.4
  • k8s.io/apiextensions-apiserver v0.35.3 -> v0.35.4
  • k8s.io/apimachinery v0.35.3 -> v0.35.4
  • k8s.io/apiserver v0.35.3 -> v0.35.4
  • k8s.io/client-go v0.35.3 -> v0.35.4
  • k8s.io/component-base v0.35.3 -> v0.35.4
  • k8s.io/cri-api v0.35.3 -> v0.35.4
  • k8s.io/kube-scheduler v0.35.3 -> v0.35.4
  • k8s.io/kubectl v0.35.3 -> v0.35.4
  • k8s.io/kubelet v0.35.3 -> v0.35.4
  • k8s.io/pod-security-admission v0.35.3 -> v0.35.4
  • kernel.org/pub/linux/libs/security/libcap/cap v1.2.77 -> v1.2.78

Previous release can be found at v1.13.0

v1.12.7

Compare Source

Talos 1.12.7 (2026-04-24)

Welcome to the v1.12.7 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.18.24
containerd: 2.1.7
etcd: 3.6.9
Kubernetes: v1.35.4

Talos is built with Go 1.25.9.

Contributors
  • Noel Georgi
  • Andrey Smirnov
  • Mateusz Urbanek
  • Orzelius
  • Utku Ozdemir
Changes
19 commits

Changes from siderolabs/pkgs
8 commits

Changes from siderolabs/tools
3 commits

Dependency Changes
  • github.com/siderolabs/go-blockdevice/v2 v2.0.26 -> v2.0.28
  • github.com/siderolabs/pkgs v1.12.0-50-ga92bed5 -> v1.12.0-58-g86d6af1
  • github.com/siderolabs/talos/pkg/machinery v1.12.6 -> v1.12.7
  • github.com/siderolabs/tools v1.12.0-7-g57916cb -> v1.12.0-10-gbbd753d
  • go.etcd.io/etcd/api/v3 v3.6.6 -> v3.6.9
  • go.etcd.io/etcd/client/pkg/v3 v3.6.6 -> v3.6.9
  • go.etcd.io/etcd/client/v3 v3.6.6 -> v3.6.9
  • go.etcd.io/etcd/etcdutl/v3 v3.6.6 -> v3.6.9
  • k8s.io/api v0.35.2 -> v0.35.4
  • k8s.io/apiextensions-apiserver v0.35.2 -> v0.35.4
  • k8s.io/apimachinery v0.35.2 -> v0.35.4
  • k8s.io/apiserver v0.35.2 -> v0.35.4
  • k8s.io/client-go v0.35.2 -> v0.35.4
  • k8s.io/component-base v0.35.2 -> v0.35.4
  • k8s.io/cri-api v0.35.2 -> v0.35.4
  • k8s.io/kube-scheduler v0.35.2 -> v0.35.4
  • k8s.io/kubectl v0.35.2 -> v0.35.4
  • k8s.io/kubelet v0.35.2 -> v0.35.4
  • k8s.io/pod-security-admission v0.35.2 -> v0.35.4

Previous release can be found at v1.12.6

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.9
registry.k8s.io/kube-apiserver:v1.35.4
registry.k8s.io/kube-controller-manager:v1.35.4
registry.k8s.io/kube-scheduler:v1.35.4
registry.k8s.io/kube-proxy:v1.35.4
ghcr.io/siderolabs/kubelet:v1.35.4
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.7
ghcr.io/siderolabs/installer-base:v1.12.7
ghcr.io/siderolabs/imager:v1.12.7
ghcr.io/siderolabs/talos:v1.12.7
ghcr.io/siderolabs/talosctl-all:v1.12.7
ghcr.io/siderolabs/overlays:v1.12.7
ghcr.io/siderolabs/extensions:v1.12.7

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 25, 2026
edited
Loading

Caution

🩺 Integration diagnosis — mode: upgrade, phase: upgrade

Commit: 8192023 · Run: #26267417141

Likely cause: The kube-prometheus-stack-prometheus-node-exporter pod is stuck in a permanent InvalidImageName state due to a chart rendering bug in kube-prometheus-stack@85.1.3, and the windsor check node-health Terraform provisioner fails immediately on this pre-existing broken pod when run after the Talos 1.12.6 → 1.13.2 upgrade.

Evidence: The pod kube-prometheus-stack-prometheus-node-exporter-ftts9 in system-telemetry has status InvalidImageName with event Failed to apply default image tag "quay.io/prometheus/node-exporter:v1.11.1@sha256:0f422f62c15f154af8d8572b23d623aebfb10cec73a5c654d18f911f3f9df241-distroless": couldn't parse image name: invalid reference format. The chart's prometheus-node-exporter subchart appends -distroless as an OS variant suffix to the digest hash, producing an unparseable OCI reference. The Windsor Up step completed in 19 seconds — far too short to have hit the --timeout 5m health check ceiling — consistent with windsor check node-health returning immediately on a non-transient pod failure. The Talos upgrade itself succeeded: the node now reports Talos (v1.13.2) / v1.35.4, and the Talos API is healthy at 10.5.0.10:50000. The failure only surfaces in the upgrade path because baseline Flux reconciliation pre-deploys kube-prometheus-stack (including the broken node-exporter DaemonSet) before the HEAD Windsor Up health check runs; in a fresh install the health check executes before Flux reaches the telemetry kustomization.

Suggested next step: Fix the pre-existing node-exporter rendering bug in kustomize/telemetry/base/prometheus/helm-release.yaml by adding os.name: "" (or os.name: linux) under prometheus-node-exporter.image so the subchart stops appending -distroless to the image tag — this unblocks both this PR's upgrade test and any future upgrade runs against this chart version.

Live read-only inspection by Claude. Support bundle attached to the run artifacts.

@renovate renovate Bot force-pushed the renovate/talos-1.x branch 15 times, most recently from 595e008 to e37c180 Compare April 27, 2026 12:31
@renovate renovate Bot changed the title chore(deps): update dependency talos to v1.12.7 chore(deps): update dependency talos to v1.13.0 Apr 27, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 27, 2026
edited
Loading

Caution

🩺 Integration diagnosis — mode: fresh, phase: install

Commit: 154c119 · Run: #25755718956

Likely cause: The local quay.test:5000 registry mirror returns 500 Internal Server Error when kubelet attempts to pull the Grafana sidecar image from quay.io, causing the Grafana pod to stay in ImagePullBackOff and windsor up to time out.

Evidence: Pod grafana-647844db59-jrt2b in system-observability is 1/2 Ready — the grafana container (docker.io) started fine, but the k8s-sidecar container is stuck: Failed to pull image "quay.io/kiwigrid/k8s-sidecar:2.7.1@sha256:2670f251f80d990635460c0116497a9cc3202069e8826f1a279af300ecd9f75e": unexpected status from HEAD request to http://quay.test:5000/v2/kiwigrid/k8s-sidecar/manifests/sha256:2670f251f80d990635460c0116497a9cc3202069e8826f1a279af300ecd9f75e?ns=quay.io: 500 Internal Server Error. This stalls the observability kustomization (status Unknown / Reconciliation in progress for 13 min) and the grafana HelmRelease (status Running 'install' action with timeout of 15m0s). The PR only changes two lines (Talos 1.12.6 → 1.13.0) and does not touch the Grafana HelmRelease; the upgrade job's baseline (main / Talos 1.12.6) also failed at Windsor Up, pointing to a shared quay.test proxy error rather than a regression from this PR.

Suggested next step: Re-run the integration job to rule out a transient quay.io proxy error; if it fails again, investigate why quay.test:5000 returns 500 for kiwigrid/k8s-sidecar (the mirror may not have this image cached and is failing to fetch it from upstream quay.io).

Live read-only inspection by Claude. Support bundle attached to the run artifacts.

@renovate renovate Bot force-pushed the renovate/talos-1.x branch 11 times, most recently from a1bb73e to ba81275 Compare April 28, 2026 13:51
@renovate renovate Bot force-pushed the renovate/talos-1.x branch 29 times, most recently from 6da3435 to 64f5eea Compare May 4, 2026 02:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants