fix(deps): update module github.com/siderolabs/talos/pkg/machinery v1.14.0-alpha.0 → v1.14.0-alpha.1

[truecharts-admin]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/siderolabs/talos/pkg/machinery	v1.14.0-alpha.0 → v1.14.0-alpha.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

siderolabs/talos (github.com/siderolabs/talos/pkg/machinery)

v1.14.0-alpha.1

Compare Source

Talos 1.14.0-alpha.1 (2026-05-28)

Welcome to the v1.14.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

DNS over TLS (DoT) and DNS over HTTPS (DoH) Support

Talos now supports DNS over TLS (DoT) and DNS over HTTPS (DoH) for secure DNS resolution.
These features allow Talos to encrypt DNS queries and responses, enhancing privacy and security for DNS traffic.
The DNS protocol can be configured on a per-name server basis in the ResolverConfig document, allowing for flexible configuration of DNS resolution.

noexec on EPHEMERAL (/var)

The EPHEMERAL volume (/var) is now mounted with noexec in addition to the existing nosuid and nodev,
blocking binary execution from /var.

Workloads that exec binaries placed under /var will break.
For example, Longhorn v1's instance-manager exec's engine binaries the engine-image DaemonSet drops under /var/lib/longhorn/engine-binaries/,
which now fails with permission denied. Affected users can opt out via a VolumeConfig document:

apiVersion: v1alpha1
kind: VolumeConfig
name: EPHEMERAL
mount:
  secure: false

NOTE: Setting secure: false will also disable nosuid and nodev, which may have security implications. Use with caution.

Upgrade note: apply this VolumeConfig patch before upgrading, otherwise affected workloads will fail after the next reboot. Longhorn v2 (SPDK data engine) runs the data plane inside the instance manager process and is not affected.

Btrfs Support

Talos now supports mounting and provisioning btrfs filesystem for user volumes and existing volumes.

Support for btrfs is enabled by installing btrfs system extension.

Default Installer Image

The default installer image has been updated to use the Image Factory.
The ghcr.io/siderolabs/installer image is no longer published with releases; use the Image Factory installer image instead.

DHCP Search Domains

DHCPv4 search domains are now applied to the resolver configuration.

etcd

Talos is now compatible with etcd v3.6.x only (the default version was etcd 3.6.x since Talos v1.11).

Flannel CNI

Talos now configures Flannel with the EnableNFTables option enabled, which uses nftables native backend instead of iptables-nft compatibility layer.

Host DNS Configuration

HostDNS configuration was moved from the v1alpha1 config .machine.features.hostDNS field to the new hostDNS in the ResolverConfig document.

HTTP Probe Support

Talos now supports HTTP network probes, allowing for monitoring of HTTP endpoints.
HTTP responses with status 200-399 are considered successful, while connection and transport errors are treated as failures.

Image Cache Configuration

Talos now supports a new ImageCacheConfig document for configuring the Image Cache feature, replacing the old machine.features.imageCache field in the v1alpha1 config.
Old configuration is still supported for backwards compatibility.

Kubernetes Multi-document Configuration

Talos introduces new multi-document Kubernetes configuration, which allows for more flexible and modular configuration of Kubernetes components.
Talos still supports the old v1alpha1 config for backwards compatibility, but new features and fields will only be available in the new multi-document format.

List of changes:

• Deprecated .cluster.secretboxEncryptionSecret in the v1alpha1 config; use the KubeEtcdEncryptionConfig document for full etcd encryption configuration.
• Deprecated .cluster.controllerManager in the v1alpha1 config; use the KubeControllerManagerConfig document for kube-controller-manager configuration.
• Deprecated .cluster.scheduler in the v1alpha1 config; use the KubeSchedulerConfig document for kube-scheduler configuration.

LVM Status

Talos now provides detailed LVM status information, allowing for better monitoring and management of LVM volumes.
New resources LVMPhysicalVolumeStatus, LVMVolumeGroupStatus, and LVMLogicalVolumeStatus expose PV, VG, and LV details.
DiscoveredVolume resources for logical volumes are listed by their kernel name (e.g. dm-0). To resolve the <vg>/<lv> for a given device, use the Disks or BlockSymlinks resources, which carry the udev-managed symlinks (e.g. /dev/disk/by-id/dm-name-<vg>-<lv>).

LVM Wipe

Talos now provides the ability to securely wipe LVM metadata from logical volumes, volume groups, and physical volumes.
This feature allows for selective wiping of logical volumes, volume groups, and physical volumes.

With talosctl wipe lv/vg/pv <name>, users can wipe LVM metadata from a specific logical volume, volume group, or physical volume.

NTS for Time Synchronization

Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.

NTS is enabled by default (without any configuration sources) for the default time.cloudflare.com time server
NTS can be enabled for custom time servers via the new useNTS field in the TimeServerConfig document.

ICMP send_redirects Disabled by Default

Talos now sets net.ipv4.conf.all.send_redirects=0 and net.ipv4.conf.default.send_redirects=0 by default,
preventing the node from emitting ICMP redirect messages. This aligns with CIS Benchmark recommendations and
does not affect normal Kubernetes pod or service traffic. Nodes that deliberately act as L3 gateways relying
on ICMP redirects can override this via machine.sysctls.

TLS 1.3 Minimum Version

Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.

Component Updates

Linux: 6.18.33
Kubernetes: 1.36.1
containerd: 2.3.1

Talos is built with Go 1.26.3.

Contributors

• Andrey Smirnov
• Noel Georgi
• Mateusz Urbanek
• Utku Ozdemir
• Erwan Leboucher
• Maja Bojarska
• Lukasz Raczylo
• Orzelius
• Dmitrii Sharshakov
• Dmitriy Matrenichev
• Oguz Kilcan
• buckaroo
• immanuwell
• Ansgar Dahlen
• Artem Chernyshev
• Benoît Knecht
• David Orman
• Dharsan Baskar
• Edward Sammut Alessi
• Filip Boye-Kofi
• Kevin Tijssen
• Mickaël Canévet
• Nico Berlee
• YANG JOO WOONG
• Zadkiel AHARONIAN
• appkins
• kastakhov

Changes

220 commits

• @​027c93d release(v1.14.0-alpha.1): prepare release
• @​4eb862d feat: add LVMService for VG/LV/PV removal
• @​b88f16a fix: use POSIX shell idioms for error propagation
• @​5290eb3 fix: suppress ICMP redirects by default
• @​7b4aba2 fix: marshal kube-scheduler config correctly with int types
• @​894be9b fix: touch rootfs files with SOURCE_DATE_EPOCH
• @​cde8222 fix: ignore cgroups with zero rank in OOM handler
• @​bc03724 fix: bring in a change to BCM2712_MIP
• @​f572c33 chore: fail on makefile error
• @​e317d4b fix: drop modprobe path and enforce usermode helper
• @​89e53f6 fix(machined): make built-in mod state always 'permanent'
• @​cfbec9b test: skip UEFI vars wipe if TPM is enabled
• @​1e31ded fix: create parent directories when extracting tar archives
• @​14dc188 chore: verify go-containerregistry preserves symlinks
• @​951922d fix: guard apply config API call
• @​3e173ad feat: move kube-controller-manager config to multi-doc
• @​b5cda34 fix: reset QEMU UEFI variable store when disk is wiped
• @​4a17ac6 chore: script for tracking fixes made in upstream toolchain/tools/pkgs
• @​d71edee feat: add LVM status resource definitions
• @​4aeba1c fix: perform backwards-compatible kernel args cleanup
• @​9b7b2bf feat: implement support for btrfs user volumes
• @​03ee8ee feat(machined): support instance tags on Akamai
• @​d19f9ad fix: memorymodules resource reporting
• @​a6edcf6 chore: move out adv library
• @​40e66ea fix: bump Go golang.org/x modules
• @​e23ca4a chore(ci): add upgrade tests for trustedboot
• @​e3003c0 chore: bump tpm nonce size to match the algorithm used
• @​8fd04da feat: add bnxt_re module to the rootfs
• @​1cfab00 fix: update etcd experimental args
• @​ad96fc6 fix: relax hostname config validation
• @​efd7353 chore(ci): add missing labels, move release metadata check to job
• @​9ec0450 feat: update containerd to 2.3.1
• @​42f4144 feat: introduce new KubeSchedulerConfig
• @​f2b7f39 refactor: move Args type out of config/v1alpha1
• @​b959dcb fix: bump Kubernetes to 1.36.1 in one more place
• @​8ecc77f feat: update default Kubernetes version to 1.36.1
• @​cbd9c37 chore: rekres to secure slack workflows
• @​6a92fc6 test: update Canal version used in the tests
• @​be12d3d feat: support 4k sector size disk images
• @​a7e8f4c chore(ci): fix cloud image upload job name
• @​4319399 feat: introduce more modular Linux kernel
• @​ed5df89 feat(ci): rotate credentials
• @​a6a984f chore(ci): fix the job conditions
• @​ecb7d45 feat: enable Flannel nftables mode
• @​9919ff7 feat: update Linux to 6.18.32
• @​1a7d136 feat: add Azure Secure Boot imager profile
• @​df68e73 feat: implement kernel module status resource
• @​e98ee99 fix: streamline config validation flow
• @​d7f0a2f feat: update Linux to 6.18.31
• @​2b66e25 chore: update image signer
• @​5aa1795 chore: drop e2e step dependencies
• @​d42b3b3 feat: update Linux to 6.18.30
• @​c3f6f35 feat: implement static host resolving via host DNS
• @​2f06a68 refactor: split host DNS handler
• @​e99c5be feat: implement DNS over HTTP(S)
• @​cf60652 chore: stop publishing installer to ghcr
• @​0edabd2 fix: restore some shared (and some lower tier slave) mount propagation
• @​f1578dc fix: image verification issue with registry.k8s.io
• @​46b1f8a fix: rework how scheduler config is marshaled
• @​820a9fa chore: fix typos in comments
• @​649a384 feat: move more kernel stuff to modules
• @​4f3ab20 chore(ci): try fixing homebrew action
• @​600c0ab feat(ci): validate that extensions PKGS and TOOLS sync with talos
• @​7608041 feat: redact more machine config secrets and audit redactors
• @​aabf639 docs: drop controlplane endpoint examples
• @​b48a2be test: relax kernel-default routing rule assertion
• @​d2208b0 refactor(talosctl): propagate command context throughout, handle interrupts
• @​0760b5c fix: normalize source name for syft consistency
• @​c49ac0e docs: document release policy
• @​ec7e6ef feat: bump in-toto indirect dependency
• @​21858a6 feat: update kernel to 6.18.29
• @​5a49dc6 feat: migrate Image Cache config to multi-doc
• @​574298e fix: handle empty GCP operation errors
• @​366b10b feat: dockerfile improvements
• @​9a1d9d0 feat: bump go 1.26.3
• @​6eec1c2 feat: support DNS over TLS for upstream resolvers
• @​dee139a feat: revert update CoreDNS to 1.14.3
• @​087bc4c chore: lint packages under tools
• @​9e7516f fix: clarify documentation for image verification pattern
• @​41c8e9d feat: bump dependencies
• @​2b6c06e feat: update CoreDNS to 1.14.3
• @​6b6f797 feat: update containerd to 2.3.0
• @​f9c4f90 feat(ci): longhorn v2 ublk tests
• @​84d169c fix: make dnsd retry listening
• @​689974b fix: volume mount permissions
• @​ff0f66b fix: skip reserved routing rule priorities
• @​850e2c7 feat: drop fakeroot, use go helper
• @​0c1bd70 feat: add golangci-lint fmt target
• @​53bd669 feat: support conditional start of IPv6 dns servers
• @​b31d93e feat: auto-enroll SecureBoot keys for disk images
• @​849a680 test: update pkgs to test new extensions
• @​c30a6df fix: preserve DHCP DNS servers
• @​5b81b20 feat: apply DHCP search domains
• @​4e5ff8f fix(ci): zfs test
• @​14abe51 fix: handle gateways which are not on-link routes in dhcp4
• @​e1f759a chore: fix lint issues automatically
• @​664c5f6 chore: update tools
• @​c64df2b fix: add missing kernel modules in rootfs
• @​f73c245 feat: run depmod with verification on rootfs build
• @​1371596 fix: provide proper AWS platform metadata
• @​4f11f02 feat: implement etcd encryption config (kube-apiserver)
• @​876f836 feat: add support for HTTP Probes
• @​9b776d5 feat: update etcd to 3.6.11
• @​631a1bc fix: bring in hardened kernel
• @​a349dac fix: stale discovered volume children
• @​13ce018 fix: re-enable kexec on arm64
• @​32539d4 fix: deadlock in the makefs ext4 with populated source
• @​0f3e196 fix: panic in Kubernetes manifest sync
• @​3bae01a fix: do not pick up a system disk from a loop device
• @​dedb7a9 fix(talosctl): protect k8sNames map writes with mutex
• @​cc2be21 fix: drop explicit platform matcher
• @​1dffeba fix: mount throws EPERM on virtiofs with SELinux
• @​48a481c fix: replace Canal manifest with a more recent one
• @​6a44540 fix: make lacp active nilable
• @​0d1d95c fix: bump go-kmsg to fix the timestamp drift
• @​bd344fd fix: reset the ticker when the KubeSpan is disabled/enabled
• @​462015b release(v1.14.0-alpha.0): prepare release
• @​8a037a5 test: fix flaky tests
• @​08c81d8 feat: bump kernel to 6.18.25
• @​fe40b6e fix(ci): fetch empty pr labels
• @​837a9ed feat: move host DNS config into ResolverConfig
• @​96a8ecd feat: default to factory installer image
• @​f19eef7 fix: revert add extraArgs from service-account-issuer
• @​6821225 fix: revert use append instead of prepend in service-account-issuer
• @​b43c3a1 feat: add quirk for talosctl factory downloads
• @​df0b9a8 refactor: make all controller unit-test follow modern patterns
• @​c2948ce feat: support auth for Image Factory in cluster create
• @​560bcf0 feat: enforce TLS 1.3 minmum version for Kubernetes components
• @​3db1430 fix(talosctl): ensure uncordon runs after reboot/upgrade errors
• @​ecf2fa8 feat: update Kubernetes to v1.36.0
• @​71557ea fix(ci): skip misc jobs not on pull request
• @​026313b docs: rename security-insights.yml to lowercase for LFX detection
• @​dc4ffd4 fix(ci): fix jobs not interpolating matrix due to condition
• @​25e2f37 chore: generate comments for fields in resource proto
• @​149592f fix: watch kubelet's kubeconfig and time out for cache sync
• @​1f315e6 feat: update Linux to 6.18.23
• @​0198eed feat: add NTS (Network Time Security) support for NTP time sync
• @​6830a8b fix(ci): matrix jobs cleanups
• @​71aeb34 test: fix OOM test flake
• @​9b9542c test: fix a flake in the manifest sync test
• @​863d882 test: add image verification for factory.talos.dev
• @​bba0b4a chore(ci): nvidia update helm values
• @​3399ff4 fix: propagate route table down to the resource
• @​c684ec6 chore: prepare for Talos 1.14 release
• @​ed9545d chore(ci): bump gpu operator version
• @​4de3e43 fix(ci): cron triggered workflows
• @​212182e chore: bump container registry library
• @​c028db0 fix: do not flip machine stage to rebooting during shutdown
• @​6ce62d9 fix(ci): workflow runs with workflow_run
• @​509cd97 fix: boot entry detection
• @​5e3f301 feat(ci): rework to schedule daily runs after a cron
• @​7fa4d39 fix: zfs extensions test
• @​1ef8e63 test: allow more tests to run in FIPS strict mode
• @​bdcc932 fix: reduce memory dashboard usage
• @​2d177af chore: update Syft to v1.42.4+patches
• @​0d83621 fix: return failed precondition on upgrade when not installed
• @​be58eaf fix: wrong slot of encryption key was logged
• @​015081c feat: update dependencies
• @​9fbb7c9 fix: audit trustd code for security
• @​986e97f feat: update Flannel to 0.28.4
• @​f3817d1 chore: update sign images to support image name suffix
• @​e776721 feat: update Kubernetes 1.36.0-rc.1
• @​f6e7346 fix: encode extra args fields in resources with new id
• @​3c7bb80 chore: bump tools
• @​3ba35c9 chore(ci): nvidia try UKI boot
• @​e3e8f01 chore: bump tools
• @​181584a fix: handle boot failure
• @​c464c7e fix: upgrade API in maintenance mode (legacy)
• @​b7512d9 feat: update Kubernetes to 1.36.0-rc.0
• @​4ba1115 refactor: allow overriding out image name suffix
• @​c81aa12 fix: panic in reading PCR values
• @​6a3ab87 feat(ci): add nvidia arm64 matrix
• @​21f459a fix(talosctl): always use default GRPC dial options
• @​ca208e5 fix: validate hostDNS forwarding requires hostDNS to be enabled
• @​9fcb9e0 feat: bump go to 1.26.2
• @​0bfdf7f fix: create correct blackhole routes for IPv4
• @​52b9200 feat: add client-side Kubernetes node drain to reboot and upgrade commands
• @​968ec1e refactor: propagate NAME properly, allow to set on build
• @​acc69c3 fix: set the minimum TLS version to 1.3
• @​0cfa6e3 chore: bump some tool dependencies
• @​4229bb9 feat: add dis-vulncheck tool
• @​d697f55 fix: don't set xattrs while decompressing extensions
• @​34fb2cb refactor: remove manual shell completion and replace with cobra completion
• @​79fa2e3 feat: allow more nvidia and nvme files from extensions
• @​414f78a feat: allow glibc ld files in etc
• @​1bbba43 feat: update Flannel to v0.28.2
• @​55815e0 fix: handle ISOs with zeroes in volume labels
• @​7b6ab0c feat: add flag to force fallback to legacy upgrade
• @​5e24d52 feat: add resource view to talosctl dashboard
• @​649ab7f fix: add os:meta:writer role to the dashboard
• @​10cdfa9 fix: drop talosctl install
• @​087ced8 fix: unseal with "slow" TPM
• @​11ab0a8 fix: drop unused type from ExternalVolume schema
• @​e2df0f6 fix: always grow disks
• @​919d8c3 chore: drop debug shell
• @​783a358 fix: add metal-agent mode to runtime capabilities
• @​37b2221 docs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01
• @​bed2bd4 feat: add graceful power off support to QEMU VM launcher
• @​3400059 fix: incorrect route source for on-link routes
• @​b3dfbf7 feat: bump musl to 1.2.6
• @​4227921 test: fix the PKI mismatch test flake
• @​f2bc2dc feat: update NVIDIA production drivers to 595.58.03
• @​aa5946d test: fix cron failures for provision-1 & provision-2
• @​1dd701e fix: allow blockdevice wipe in maintenance mode
• @​786bf00 feat: add --platform=all support to image cache-create
• @​e1f645e feat: validate luks headers for tampering
• @​ad72c73 test: improve maintenance API provision tests
• @​70cefab test: fix the flakes in tests with trusted roots
• @​aacff17 test: bump memory for Flannel netpolicy tests
• @​9c34591 feat: update Linux to 6.18.19, CNI to 1.9.1
• @​038cb87 feat: enforce PID check on connections to services over file sockets
• @​e2b2dd3 chore: update go-kubernetes library
• @​9597714 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
• @​8ac47d6 fix: unset rlimits for extension services
• @​b1a02f3 feat: update Kubernetes to 1.36.0-beta.0
• @​362fdc9 feat: update etcd to 3.6.9
• @​0a47f40 fix(machined): clear stale bond ARP/NS targets on decode
• @​8634463 fix: update diff library to v1.0.1
• @​eff89d1 fix: panics in diff algorithms
• @​8e1c8a7 test: fix the apid test against AWS/GCP

Changes since v1.14.0-alpha.0

116 commits

• @​027c93d release(v1.14.0-alpha.1): prepare release
• @​4eb862d feat: add LVMService for VG/LV/PV removal
• @​b88f16a fix: use POSIX shell idioms for error propagation
• @​5290eb3 fix: suppress ICMP redirects by default
• @​7b4aba2 fix: marshal kube-scheduler config correctly with int types
• @​894be9b fix: touch rootfs files with SOURCE_DATE_EPOCH
• @​cde8222 fix: ignore cgroups with zero rank in OOM handler
• @​bc03724 fix: bring in a change to BCM2712_MIP
• @​f572c33 chore: fail on makefile error
• @​e317d4b fix: drop modprobe path and enforce usermode helper
• @​89e53f6 fix(machined): make built-in mod state always 'permanent'
• @​cfbec9b test: skip UEFI vars wipe if TPM is enabled
• @​1e31ded fix: create parent directories when extracting tar archives
• @​14dc188 chore: verify go-containerregistry preserves symlinks
• @​951922d fix: guard apply config API call
• @​3e173ad feat: move kube-controller-manager config to multi-doc
• @​b5cda34 fix: reset QEMU UEFI variable store when disk is wiped
• @​4a17ac6 chore: script for tracking fixes made in upstream toolchain/tools/pkgs
• @​d71edee feat: add LVM status resource definitions
• @​4aeba1c fix: perform backwards-compatible kernel args cleanup
• @​9b7b2bf feat: implement support for btrfs user volumes
• @​03ee8ee feat(machined): support instance tags on Akamai
• @​d19f9ad fix: memorymodules resource reporting
• @​a6edcf6 chore: move out adv library
• @​40e66ea fix: bump Go golang.org/x modules
• @​e23ca4a chore(ci): add upgrade tests for trustedboot
• @​e3003c0 chore: bump tpm nonce size to match the algorithm used
• @​8fd04da feat: add bnxt_re module to the rootfs
• @​1cfab00 fix: update etcd experimental args
• @​ad96fc6 fix: relax hostname config validation
• @​efd7353 chore(ci): add missing labels, move release metadata check to job
• @​9ec0450 feat: update containerd to 2.3.1
• @​42f4144 feat: introduce new KubeSchedulerConfig
• @​f2b7f39 refactor: move Args type out of config/v1alpha1
• @​b959dcb fix: bump Kubernetes to 1.36.1 in one more place
• @​8ecc77f feat: update default Kubernetes version to 1.36.1
• @​cbd9c37 chore: rekres to secure slack workflows
• @​6a92fc6 test: update Canal version used in the tests
• @​be12d3d feat: support 4k sector size disk images
• @​a7e8f4c chore(ci): fix cloud image upload job name
• @​4319399 feat: introduce more modular Linux kernel
• @​ed5df89 feat(ci): rotate credentials
• @​a6a984f chore(ci): fix the job conditions
• @​ecb7d45 feat: enable Flannel nftables mode
• @​9919ff7 feat: update Linux to 6.18.32
• @​1a7d136 feat: add Azure Secure Boot imager profile
• @​df68e73 feat: implement kernel module status resource
• @​e98ee99 fix: streamline config validation flow
• @​d7f0a2f feat: update Linux to 6.18.31
• @​2b66e25 chore: update image signer
• @​5aa1795 chore: drop e2e step dependencies
• @​d42b3b3 feat: update Linux to 6.18.30
• @​c3f6f35 feat: implement static host resolving via host DNS
• @​2f06a68 refactor: split host DNS handler
• @​e99c5be feat: implement DNS over HTTP(S)
• @​cf60652 chore: stop publishing installer to ghcr
• @​0edabd2 fix: restore some shared (and some lower tier slave) mount propagation
• @​f1578dc fix: image verification issue with registry.k8s.io
• @​46b1f8a fix: rework how scheduler config is marshaled
• @​820a9fa chore: fix typos in comments
• @​649a384 feat: move more kernel stuff to modules
• @​4f3ab20 chore(ci): try fixing homebrew action
• @​600c0ab feat(ci): validate that extensions PKGS and TOOLS sync with talos
• @​7608041 feat: redact more machine config secrets and audit redactors
• @​aabf639 docs: drop controlplane endpoint examples
• @​b48a2be test: relax kernel-default routing rule assertion
• @​d2208b0 refactor(talosctl): propagate command context throughout, handle interrupts
• @​0760b5c fix: normalize source name for syft consistency
• @​c49ac0e docs: document release policy
• @​ec7e6ef feat: bump in-toto indirect dependency
• @​21858a6 feat: update kernel to 6.18.29
• @​5a49dc6 feat: migrate Image Cache config to multi-doc
• @​574298e fix: handle empty GCP operation errors
• @​366b10b feat: dockerfile improvements
• @​9a1d9d0 feat: bump go 1.26.3
• @​6eec1c2 feat: support DNS over TLS for upstream resolvers
• @​dee139a feat: revert update CoreDNS to 1.14.3
• @​087bc4c chore: lint packages under tools
• @​9e7516f fix: clarify documentation for image verification pattern
• @​41c8e9d feat: bump dependencies
• @​2b6c06e feat: update CoreDNS to 1.14.3
• @​6b6f797 feat: update containerd to 2.3.0
• @​f9c4f90 feat(ci): longhorn v2 ublk tests
• @​84d169c fix: make dnsd retry listening
• @​689974b fix: volume mount permissions
• @​ff0f66b fix: skip reserved routing rule priorities
• @​850e2c7 feat: drop fakeroot, use go helper
• @​0c1bd70 feat: add golangci-lint fmt target
• @​53bd669 feat: support conditional start of IPv6 dns servers
• @​b31d93e feat: auto-enroll SecureBoot keys for disk images
• @​849a680 test: update pkgs to test new extensions
• @​c30a6df fix: preserve DHCP DNS servers
• @​5b81b20 feat: apply DHCP search domains
• @​4e5ff8f fix(ci): zfs test
• @​14abe51 fix: handle gateways which are not on-link routes in dhcp4
• @​e1f759a chore: fix lint issues automatically
• @​664c5f6 chore: update tools
• @​c64df2b fix: add missing kernel modules in rootfs
• @​f73c245 feat: run depmod with verification on rootfs build
• @​1371596 fix: provide proper AWS platform metadata
• @​4f11f02 feat: implement etcd encryption config (kube-apiserver)
• @​876f836 feat: add support for HTTP Probes
• @​9b776d5 feat: update etcd to 3.6.11
• @​631a1bc fix: bring in hardened kernel
• @​a349dac fix: stale discovered volume children
• @​13ce018 fix: re-enable kexec on arm64
• @​32539d4 fix: deadlock in the makefs ext4 with populated source
• @​0f3e196 fix: panic in Kubernetes manifest sync
• @​3bae01a fix: do not pick up a system disk from a loop device
• @​dedb7a9 fix(talosctl): protect k8sNames map writes with mutex
• @​cc2be21 fix: drop explicit platform matcher
• @​1dffeba fix: mount throws EPERM on virtiofs with SELinux
• @​48a481c fix: replace Canal manifest with a more recent one
• @​6a44540 fix: make lacp active nilable
• @​0d1d95c fix: bump go-kmsg to fix the timestamp drift
• @​bd344fd fix: reset the ticker when the KubeSpan is disabled/enabled

Changes from siderolabs/go-adv

2 commits

• siderolabs/go-adv@3818a65 feat: initial implementation
• siderolabs/go-adv@95e583c Initial commit

Changes from siderolabs/go-kmsg

1 commit

• siderolabs/go-kmsg@65e97cb fix: boot time offset calculation

Changes from siderolabs/go-kubeconfig

2 commits

• siderolabs/go-kubeconfig@d0b8f82 chore: rekres and bump deps
• siderolabs/go-kubeconfig@c356eeb fix: fix context conflict detection add New() constructor

Changes from siderolabs/go-kubernetes

2 commits

• siderolabs/go-kubernetes@38c182f fix: normalize the changeset to be keyed without apiVersion
• siderolabs/go-kubernetes@ca35008 feat: update k8s api to 0.36.0

Changes from siderolabs/go-smbios

1 commit

• siderolabs/go-smbios@063f5dc chore: rekres + new testdata

Changes from siderolabs/grpc-proxy

3 commits

• siderolabs/grpc-proxy@d670c42 chore: bump dependencies
• siderolabs/grpc-proxy@8614c71 chore: bump deps
• siderolabs/grpc-proxy@80677e0 fix: propagate the headers before the message

Changes from siderolabs/pkgs

71 commits

• siderolabs/pkgs@f9134e5 fix: enable CONFIG_BCM2712_MIP as built-in in arm64 kernel config
• siderolabs/pkgs@285c6ae fix: set usermode static helper to machine
• siderolabs/pkgs@bd2a754 feat: pre-generate drbd patches using spatch out of tree
• siderolabs/pkgs@898844e feat: update Linux to 6.18.33
• siderolabs/pkgs@a8dfbf7 fix: disable kernel modprobe path
• siderolabs/pkgs@c542950 fix: pull in tools with zstd sbom
• siderolabs/pkgs@c0ec8f3 feat: enable PPP and INFINIBAND_BNXT_RE
• siderolabs/pkgs@c62c4e1 feat: update containerd to 2.3.1
• siderolabs/pkgs@270f9f8 chore: update deps
• siderolabs/pkgs@4f7feb4 feat: enable more options for CRI-U checkpoint/restore
• siderolabs/pkgs@87994f7 feat: move autoloadable stuff as modules
• siderolabs/pkgs@80c27f3 fix: drop legacy network protocols
• siderolabs/pkgs@fbb7360 feat: drop legacy iptables/ebtables support
• siderolabs/pkgs@eac5f86 feat: bump kernel 6.18.32
• siderolabs/pkgs@d616f6c feat: update Linux to 6.18.31
• siderolabs/pkgs@02bcfce fix: macb silent TX stall on BCM2712/RP1 (v2 patches from netdev)
• siderolabs/pkgs@12ca698 feat: update ZFS & NVIDIA LTS
• siderolabs/pkgs@9fff943 feat: update Linux to 6.18.30
• siderolabs/pkgs@c5a1685 feat: move HWMON as modules
• siderolabs/pkgs@b2a45fb feat: move CONFIG_INTEL_IOATDMA as a module
• siderolabs/pkgs@ea8d35f feat: move ACPI device drivers as modules
• siderolabs/pkgs@501ba58 feat: move HID quirks as modules
• siderolabs/pkgs@b35312c feat: move PS/2 mouse drivers as modules
• siderolabs/pkgs@3a5d9d7 feat: move IPMI driver to be a module
• siderolabs/pkgs@792a69a feat: disable AGP drivers
• siderolabs/pkgs@99990b4 feat: move Hyper-V drivers as modules
• siderolabs/pkgs@fb697d6 feat: move Xen frontend drivers as modules
• siderolabs/pkgs@1df1713 feat: move ATA / MMC controllers as modules
• siderolabs/pkgs@f7f9341 feat: move USB class drivers as modules
• siderolabs/pkgs@ba873e9 feat: move USB host controllers as modules
• siderolabs/pkgs@8f25baa feat: move virtio bus stuff as modules
• siderolabs/pkgs@d0c5480 feat: bump kernel to 6.18.29

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[truecharts-admin]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
github.com/cosi-project/runtime	v1.14.1 -> v1.16.1
golang.org/x/net	v0.54.0 -> v0.55.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260504160031-60b97b32f348
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260427160629-7cedc36a6bc4 -> v0.0.0-20260504160031-60b97b32f348

[Crow-Control]

Auto approved automated PR