chore(deps): update module github.com/siderolabs/talos/pkg/machinery to v1.13.0-beta.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/siderolabs/talos/pkg/machinery	v1.13.0-beta.0 → v1.13.0-beta.1

---

Release Notes

siderolabs/talos (github.com/siderolabs/talos/pkg/machinery)

v1.13.0-beta.1

Compare Source

Talos 1.13.0-beta.1 (2026-03-27)

Welcome to the v1.13.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Clang built kernel and ThinLTO

Talos now uses a kernel built using Clang compiler, and optimized using ThinLTO. This should bring a small performance improvement,
alongside some hardening features, such as BTI on supported ARM systems.

Container Device Interface

Talos now enables CDI by default and extension/extension services can bring in dynamic
CDI spec files under /run/cdi.

talosctl debug

Talos Linux now provides a way to run and attach to the privileged debug container with a user-provided container image.
The debug container might be used for troubleshooting and debugging purposes.

Environment Configuration Document

A new EnvironmentConfig document has been introduced to allow users to specify environment variables for Talos components.
It replaces and deprecates the previous method of setting environment variables via the .machine.env field.

Multiple values for the same environment variable will replace previous values, with the last one taking precedence.

To remove an environment variable, remove it from the EnvironmentConfig document and restart the node.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Extra Arguments accept slices in addition to strings

Several Talos configuration fields that previously accepted single string values for extra arguments have been updated to accept slices of strings as well.
This includes fields such as .cluster.apiServer.extraArgs.

BREAKING: If you were relying on the resources EtcdConfigs, KubeletConfigs, ControllerManagerConfigs, SchedulerConfigs or APIServerConfigs, the protobuf format has changed from map<string,string> to map<string,message>.

Container Image Signature Verification

Talos now supports machine-wide container image signature verification via the new ImageVerificationConfig machine config document.

Any image which gets pulled on the node will be verified against the configured rules, and if no rule matches, it will be pulled without verification.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Image APIs Updated

Talos Linux provides new APIs to manage container images on the node: listing, pulling, importing and removing images.
The new pull API provides pull progress notifications.

The CLI commands talosctl image pull, talosctl image list and talosctl image remove have been updated to interact with the new APIs.

Talosctl images k8s-bundle subcommand accepts version parameter

The talosctl images k8s-bundle command now accepts an optional argument to override Talos version.

Install and Upgrade API

Talos now exposes install and upgrade operations via the LifecycleService API, enabling programmatic installs and upgrades through a single, consistent interface.
The legacy upgrade API is deprecated; new integrations should migrate to LifecycleService for future compatibility.

Kubernetes server-side apply

Talos now uses inventory backed server-side apply when applying bootstrap manifests (including extraManifests and inlineManifests).
Purging of unneeded manifests is automatically performed.
The switch and inventory backfill is automatic and no action is needed from the user.

Dynamic Linux Kernel Preemption Model

Talos Linux now defaults to dynamic Linux kernel preemption model, the default value none matches
previous version, but now with kernel argument preempt= the preemption model can be changed.

See Linux kernel documentation for more
information on supported values.

This change only applies to amd64 (x86_64) architecture.

KubeSpan Configuration

A new KubeSpanConfig document has been introduced to configure KubeSpan settings.
It replaces and deprecates the previous method of configuring KubeSpan via the .machine.network.kubespan field.

The old configuration field will continue to work for backward compatibility.

KubeSpan Advertised Network Filters

KubeSpan now supports filtering of advertised networks using the excludeAdvertisedNetworks field in the KubeSpanConfig document.
This allows users to specify a list of CIDRs to exclude from the advertised networks. Please note that routing must be symmetric for any
pair of peers, so if one peer excludes a certain network, the other peer must also exclude it. In other words, for any given pair of peers,
and any pair of their addresses, the traffic should either go through KubeSpan or not, but not one way or the other.

LinkAliasConfig Pattern-Based Multi-Alias

LinkAliasConfig now supports pattern-based alias names using %d format verb (e.g. net%d).

When the alias name contains a %d format verb, the selector is allowed to match multiple links.
Each matched link receives a sequential alias (e.g. net0, net1, ...) based on hardware address order
of the links. Links already aliased by a previous config are automatically skipped.

This enables creating stable aliases from any N links using a single config document,
useful for BondConfig and BridgeConfig member interfaces on varying hardware.

Negative Max Volume Size

Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example:
* a max size of "-10GiB" means the volume can grow to the available space minus 10GiB.
* a max size of "-25%" means the volume can grow to the available space minus 25%.

Flannel CNI with Network Policy Support

Talos Linux now supports optionally deploying Flannel CNI with network policy support enabled.
The network policy implementation is kube-network-policies.

To enable Flannel CNI with network policy support, use the following machine configuration patch:

cluster:
  network:
    cni:
      name: flannel
      flannel:
        kubeNetworkPoliciesEnabled: true

(If the cluster is already running, sync the bootstrap manifests after applying the patch to deploy the new CNI configuration.)

NVIDIA GPU Support

Talos switched to using CDI and now supports configuring NVIDIA GPU via the gpu-operator helm chart.
See the documentation on upgrade notes
for more details on how to configure NVIDIA GPU support in Talos.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

ProbeConfig

The TCPProbeConfig configuration document allows to configure TCP probes for network reachability checks.
This allows to define a custom connectivity condition.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

ResolverConfig

The nameservers configuration in machine configuration now overwrites any previous layers (defaults, platform, etc.) when specified.
Previously a smart merge was performed to keep IPv4/IPv6 nameservers from lower layers if the machine configuration specified only one type.

Routing Rules Support

Talos now supports routing rules via the new RoutingRuleConfig machine config document.

Service Account Issuer configuration

In API Server, passing extra args with service-account-issuer will append them after default value.
This allows easy migration, e.g. by changing .cluster.controlPlane.endpoint to new value, and keeping the old value in
.cluster.apiServer.extraArgs["service-account-issuer"].

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --overlays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Lifecycle Upgrade in talosctl

talosctl upgrades now route through LifecycleService, aligning CLI behavior with the new install/upgrade API and unifying the upgrade path.
This change is transparent to users but standardizes the backend used for upgrades.

Component Updates

Linux: 6.18.19
containerd: 2.2.2
etcd: 3.6.9
CoreDNS: 1.14.2
Kubernetes: 1.36.0-beta.0
CNI: 1.9.1
Flannel CNI plugin: v1.9.0-flannel1
Flannel: 0.28.1
LVM2: 2_03_38
runc: 1.4.1
systemd: 259.5
cryptsetup: 2.8.3
Tenstorrent: 2.7.0
iptables: 1.8.12
musl: 1.2.6

Talos is built with Go 1.26.1.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

VRF Support

Talos now supports VRF (Virtual Routing and Forwarding) via the new VRFConfig machine config document.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Orzelius
• Mickaël Canévet
• Dmitrii Sharshakov
• Laura Brehm
• Artem Chernyshev
• Edward Sammut Alessi
• Fritz Schaal
• Max Makarov
• Andreas Freund
• Bryan Lee
• Justin Garrison
• Nico Berlee
• Pranav Patil
• Spencer Smith
• Utku Ozdemir
• Zadkiel AHARONIAN
• Alexis La Goutte
• Andras BALI
• Andreas Lüdeke
• Andrei Kvapil
• Birger Johan Nordølum
• Camillo Rossi
• Christopher Puschmann
• Daniil Kivenko
• David Orman
• Dmitrii Sharshakov
• Dominik Pitz
• Florian Ströger
• Gregor Gruener
• Jaakko Sirén
• Jan Paul
• Jean-Francois Roy
• Joakim Nohlgård
• Jonas Lammler
• Kai Zhang
• Kevin Tijssen
• Lennard Klein
• Matthew Sanabria
• Michal Baumgartner
• Olav Thoresen
• Serge van Ginderachter
• Skye Soss
• Stanley Chan
• Sébastien Masset
• Tim Jones
• arita
• dataprolet
• drew
• eseiker
• greenpsi
• lmacka
• pranav767
• pythoner6

Changes

305 commits

• @​213ecf2 release(v1.13.0-beta.1): prepare release
• @​abc0ddf feat: bump musl to 1.2.6
• @​fcdfeab fix: incorrect route source for on-link routes
• @​a8f2a0a feat: update NVIDIA production drivers to 595.58.03
• @​ccf1e0c test: fix the PKI mismatch test flake
• @​7a94673 test: fix cron failures for provision-1 & provision-2
• @​7978152 fix: allow blockdevice wipe in maintenance mode
• @​efc76f0 test: fix the flakes in tests with trusted roots
• @​7fa16b4 test: bump memory for Flannel netpolicy tests
• @​576c269 feat: add --platform=all support to image cache-create
• @​ceec42f feat: update Linux to 6.18.19, CNI to 1.9.1
• @​902c78a test: improve maintenance API provision tests
• @​a4b0cbc feat: validate luks headers for tampering
• @​281584b chore: update go-kubernetes library
• @​b863607 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
• @​d82fada fix: unset rlimits for extension services
• @​76931f4 feat: enforce PID check on connections to services over file sockets
• @​df4e0e7 feat: update etcd to 3.6.9
• @​08ba425 feat: update Kubernetes to 1.36.0-beta.0
• @​1cb2a8b fix: update diff library to v1.0.1
• @​5e171a3 test: fix the apid test against AWS/GCP
• @​f98e76f fix: panics in diff algorithms
• @​a544aea release(v1.13.0-beta.0): prepare release
• @​f36f6ef chore: update pkgs and tools
• @​b7d70cf feat: unify maintenance and regular APIs
• @​13d6b4a fix: trim down cosign dependencies
• @​5c39a85 fix: drop aws & azure KMS APIs from the machined build
• @​3d05975 fix: accept image cache volume encryption config
• @​d2661d2 fix: apparmor parser config files
• @​13ef0cf fix: unmount pseudo-late recursively
• @​e9d4567 fix: panic in hardware.SystemInfoController
• @​a728bbd fix: validate missing apiVersion in config document decoder
• @​c8a674a fix: pull in a fix for dmesg timestamps
• @​e7e21fe feat: bump dependencies
• @​6bb5cf5 feat: implement routing rules support
• @​a0b9d6e feat: bump kernel with uhci_hcd driver
• @​1f0d2da feat: update containerd to 2.2.2
• @​cff0f57 fix(machined): support USERDATA legacy fallback in OpenNebula driver
• @​5d3a326 feat(machined): add ONEGATE proxy route and deterministic interface iteration for OpenNebula
• @​3bec5cc feat(machined): inherit IP6_METHOD from METHOD in OpenNebula driver
• @​4f4ec98 fix(machined): align OpenNebula hostname precedence with reference
• @​4d0244d feat(machined): add IPv6 alias address support for OpenNebula (ETH_ALIAS_IP6)
• @​5bb8962 feat(machined): support ETH*_IP6_METHOD (static/dhcp/auto/disable) for OpenNebula
• @​469db18 refactor(machined): extract per-interface IPv4 helper in OpenNebula driver
• @​ae61f5a fix(machined): use ParseFQDN for hostname parsing in OpenNebula
• @​7adbbd2 feat(machined): support per-interface route metric for OpenNebula (ETH*_METRIC)
• @​196658c feat(machined): add network alias support for OpenNebula (ETH_ALIAS)
• @​e96766e feat(machined): merge global and per-interface DNS for OpenNebula
• @​23c99a3 feat(machined): add static routes support via ETH*_ROUTES for OpenNebula
• @​ad3c59a fix: prevent stale discovered volumes reads
• @​fc9749b feat: pull in kernel with preemptible kernel
• @​c14179e chore(ci): update nvidia test to use gpu-operator
• @​da70ced refactor: drop apid file socket
• @​ee53a18 fix: stop pulling wrong platform for images
• @​1733510 fix: use non-sensitive resource for health check precondition
• @​2fb6f6a feat: add symlinks needed by gpu-operator
• @​f2bae55 feat: enable container device interface
• @​451b13c feat: update Linux to 6.18.16
• @​a02d578 feat: add support for mirroring image signatures
• @​57599fb fix: skip some readiness checks when the CNI is disabled
• @​e6d8669 feat: update Go to 1.26.1
• @​7f2eb48 feat: add image verification endpoint
• @​1e4cd20 feat: add talosctl install command and upgrade via LifecycleService
• @​275fa35 test: add integration tests for LifecycleService upgrade path
• @​15a5ec9 feat: implement new install/upgrade API
• @​720a214 fix: correctly calculate end ranges for nftables sets
• @​95287d2 fix: environment suite failures
• @​10f49ca feat: add trusted roots generation to stdpatches
• @​55b8721 fix: use correct dhcp option for unicast dhcp renewal
• @​58e0064 feat: update Kubernetes to 1.36.0-alpha.2
• @​ebcfafd feat: update Linux to 6.18.15
• @​0ab84c2 fix: ignore image digest when doing upgrade-k8s
• @​d417d68 feat: bring in new ssa logic
• @​0bb6413 fix: do not fail on RO virtiofs
• @​bf2cd0a feat: update Linux to 6.18.14
• @​ad29417 fix(machined): opennebula: process ETH*_ vars regardless of NETWORK context flag
• @​b551cb9 feat: allow dashboard mouse support
• @​bfb98a9 feat: bump kube-network-policy to v1.0.0
• @​000c18d feat: implement blackhole route config
• @​cc636f1 fix: image cache test fails with 'no space left on device'
• @​f0c51b2 feat: implement correct config patching for extraArgs fields
• @​1da2b63 feat: multi-doc support for configuring vrfs
• @​c1d0a33 fix: patch with delete for LinkConfigs
• @​59311a7 release(v1.13.0-alpha.2): prepare release
• @​009f0d6 chore: update pkgs
• @​ba56b02 feat: include hid-multitouch.ko kernel module in rootfs
• @​ae29a0d feat: update Linux to 6.18.13
• @​7cf1de2 fix: bring in new version of go-cmd and go-blockdevice
• @​c8800b4 fix: update path handling on talosctl cgroups
• @​0a7b6eb chore: test extensions
• @​8b1c974 refactor: drop termui-widgets library
• @​5baa002 fix: add owning inventory annotation to talos manifests
• @​d3e793d fix: stop Kubernetes client from dynamically reloading the certs
• @​6a5a0e3 feat: support pattern link aliases
• @​9758bd4 feat: update Go to 1.26
• @​e00aed0 feat: update Kubernetes v1.36.0-alpha.1
• @​f20445a chore: improve logging of disk encryption handling
• @​f018fbe fix: handle raw encryption keys with \n properly
• @​e5b0eb0 fix: hold user volumes root mountpoint
• @​8a0e797 refactor: split locate and provision
• @​a59db0e fix: improve OpenStack bare metal network configuration reliability
• @​659009a fix: remove stale endpoints
• @​dab0d47 fix: allow static hosts in /etc/hosts without hostname
• @​45f2141 feat: update go-kubernetes to use new Myers diff
• @​35ad044 fix: switch to better Myers algorithm implementation
• @​0048464 feat: update etcd to v3.6.8
• @​5df10f2 fix: use mcopy instead of diskfs to populate VFAT
• @​ce53ffa fix: disks flag parsing and handling in create qemu command
• @​3bd3dd7 fix: memory overuse in imager VFAT
• @​f118ee4 fix: read multi-doc machine config with newer talosctl
• @​70c6c21 feat: add filter for KubeSpan advertised networks
• @​daf18ab fix: fix talosctl debug in enforcing mode
• @​33b5b25 fix: ignore volumes in wave calculation without provisioning
• @​a163925 feat: add explicit service account support to Talos client
• @​4d53188 chore: update dependencies
• @​406b8c8 feat: update doc links to docs.siderolabs.com
• @​87615f5 feat: implement network policies with Flannel CNI
• @​6995bc1 chore: update homebrew formula on release
• @​7942d5a fix: image gc controller config
• @​52e8727 feat: add IPv6 GRE support
• @​9690dba chore: bump tools (including linter)
• @​2628eb2 fix: typo with rpi_5 profile name
• @​d5ebcd7 fix: stop building talosctl debug on Windows
• @​8b85c7c chore: update deps
• @​d905035 fix: swap volume configuration for min/max size
• @​d43a01c feat: implement talosctl debug
• @​34a31c9 feat: add mount options support for existing volumes
• @​1bf95ee feat: improve dashboard uptime display
• @​055add7 release(v1.13.0-alpha.1): prepare release
• @​900516e chore: update image signer
• @​938de56 feat: bump kernel
• @​388cec7 feat(overlays): add new overlays
• @​9f2dd63 refactor: api tests
• @​a907831 feat: add a helper module to generate standard patches
• @​1fec5b2 fix: implement merger for PercentageSize
• @​8b245b8 feat: implement new image service APIs
• @​d90c775 chore: rename internal talosctl debug air-gapped
• @​2165280 refactor: change the way one2many proxying is picked
• @​b1b703d chore: move sync logging code to go-kubernetes package
• @​e48c6d7 fix: allow to expose a port multiple times in Docker
• @​410d8cb fix: undo CRLF on Windows (talosctl edit)
• @​859d3f0 feat: add RPi5 to the list of supported SBCs
• @​0bd48bb fix(talosctl): pass --k8s-endpoint flag to rotate-ca kubernetes rotation
• @​b9e27eb feat: update Linux kernel with dm-integrity
• @​6aa9b06 fix: skip empty documents on config decoding
• @​4944924 fix: always set advertised peer URLs
• @​782cc50 fix: open the filesystem as read-only
• @​28e61a7 fix: set GRUB prefix correctly on arm64
• @​a4f1c52 feat: update GRUB to 2.14
• @​5629207 fix: use node podCIDRs for kubespan advertiseKubernetesNetworks
• @​3946036 feat: implement layering for ProbeSpec
• @​b5c760f feat: add ProbeConfig for network connectivity probes
• @​4b274f7 feat: support aws cert manager in imager
• @​4172095 fix: fallback to /proc/meminfo for memory modules
• @​7f1147b fix: add warnings to 802.3ad bond
• @​ddd6b18 refactor: generate GRUB images
• @​c7aa266 fix: overwrite resolver config with machine config
• @​cf70f05 fix: oracle platform file format
• @​8c7b8f5 feat: add support for negative max size
• @​77bc3d2 fix: marshal of FailOverMac property
• @​38e280c fix: make OOM expression a bit less sensitive
• @​3d13016 fix: wipe the first/last 1MiB in addition to wiping by signatures
• @​1aa6528 fix: make OOM controller more precise by considering separate cgroup PSI
• @​f7072c0 fix: check if the device is not mounted when wiping
• @​743c3b9 fix: use correct containerd import path
• @​f2dd085 feat: report image pull progress in the console
• @​72fe98a fix: boot with GRUB
• @​d4ed13d fix: add talos version to Hetzner Cloud client user agent
• @​150c41c feat: update Linux to 6.18.5
• @​01a3678 fix: use append instead of prepend in service-account-issuer
• @​d195427 feat: add extraArgs from service-account-issuer
• @​91b88f7 feat: support multiple values for extraArgs
• @​96e6048 fix: add hostname to endpoints
• @​7033275 refactor: move BootloaderKind into machinery
• @​71adaf0 fix: sort mirrors and tls configs when generating the machine config
• @​34f09a3 feat: add VLAN support to OpenStack platform
• @​5127ef7 fix: wipe disk by signatures
• @​415bfae fix: panic in configpatcher when the whole section is missing
• @​e5aca71 fix: fix healthcheck timeout
• @​634b71e docs: move talosctl pcap example to Example Block
• @​8184927 feat: implement KubeSpan multi-document configuration
• @​4d0604b chore: remove unrelated machineconfig
• @​e368634 feat: add it87 hwmon module
• @​308c750 fix: resolve SideroLink Wireguard endpoint on reconnect
• @​e4ef494 fix: drop the persist config flag from gen config
• @​c3176ad feat: add EnvironmentConfig document
• @​c839b38 feat: expose more SSA options in the upgrade-k8s command
• @​b8ff967 fix: handle correctly incomplete RegistryTLSConfig
• @​99f2dda fix: bond config via platform
• @​2449ffe fix: allow HostnameConfig to be used with incomplete machine config
• @​35fc520 fix: lock down etcd listen address to IPv4 localhost
• @​27253d7 feat: use new xfs config file
• @​c9d84ae fix: generate OCI-compliant image config
• @​7a4b2b3 fix: update VIP config example
• @​080efcb feat: add k8s-version parameter to k8s-bundle
• @​b764f5f fix: skip sync test when kube-proxy is disabled
• @​70e6778 feat: imager: populate filesystems with root owned files
• @​7416dca fix: print talosctl images to release notes
• @​dc2009e chore: use context when creating filesystems
• @​85f7be6 chore: update slack links
• @​1549521 fix: disable swap for system services
• @​d98b415 fix: drop more non-overlay SBC stuff
• @​226cd6b fix: do not allocate for the actual disk image file
• @​53f5bf8 fix: overlay installers
• @​10d0cfd fix: overlay install in image mode
• @​7708669 fix: partition data population
• @​4d5657b fix: drop SBC board code
• @​c4f3f6d feat: implement kubernetes server-side apply
• @​f12fd2b test: bump Image Factory tests
• @​c76484e release(v1.13.0-alpha.0): prepare release
• @​f0d8a68 test: skip the source bundle on exact tag
• @​c57701d fix: remove interactive installer
• @​43937c1 feat: update Linux and systemd
• @​72a194d feat: add VM CPU hot-add rules
• @​f09ae1e fix: probe small images correctly
• @​8f2b337 feat: imager support rootless builds
• @​c7525a9 feat: support creating filesystems from folder
• @​e2bffb5 chore: refactor imager code so it's more clear
• @​0fb50db fix: invalid versions check in talos-bundle
• @​b5dd560 test: upgrade versions in upgrade tests
• @​3dfa4d6 fix: make upgrade work with SELinux enforcing=1
• @​786c8e2 feat: ship pigz/igzip in rootfs to speed up image decompression
• @​48d2429 feat: update containerd to 2.2.1
• @​536541a fix: mount volume mount/unmount race
• @​39117d4 feat: update dependencies
• @​f0f4207 fix: bond setting change detection
• @​8d6a7a8 feat: update Kubernetes to 1.35.0
• @​845a0d0 feat: update etcd 3.6.7, CoreDNS 1.13.2
• @​b95912e feat: enforce proc_mem.force_override=never by default
• @​681f3e8 test: run virtiofs tests only when virtiofsd is running
• @​0592ff0 fix: drop the Omni API URL check on IP address
• @​a4879a5 feat: update Linux to 6.18.1
• @​43b43ff docs: split talosctl commands into groups
• @​6d17c18 feat: enable Powercap and Intel RAPL
• @​884e766 docs: fix the talosctl cluster create help output
• @​6dc31be fix: exclude new Virtual IPs configured with new config
• @​94905c7 feat(talosctl): support running qemu x86 on Mac
• @​f871ab2 fix: provide json support in nft binary
• @​694f454 feat: external volumes
• @​39feb16 fix: update containerd 2.2.0 with cgroups patch
• @​82027eb fix: bond configuration with new settings
• @​121b13b fix: disable kexec on arm64
• @​7eaa725 fix: selection of boot entry
• @​949bdb9 feat: add Secure Boot to CloudStack platform config
• @​798143a fix: discard better klog message from Kubernetes client
• @​008cd09 fix: disable kexec in talosctl cluster create on arm64
• @​bb62b29 chore: prepare talos for 1.13
• @​c093503 chore: fork reference docs for 1.13.x
• @​e387e48 fix: do not override DNS on MacOS
• @​1e7e87f fix: rework NFT rules for KubeSpan
• @​51bcfb5 feat: rename image default and source bundle
• @​585abe9 feat: update Kubernetes to v1.35.0-rc.1
• @​f301e3e fix: update KubeSpan MSS clamping
• @​74c1df6 test: propagate MTU size to QEMU in talosctl cluster create
• @​d347ca1 fix: update CNI plugins to 1.9.0
• @​e3f8196 chore: update Grype and Syft
• @​e1b8ab3 docs: add misssing period
• @​cd04c3d docs: update release notes
• @​fc8ae32 docs: add omni join token example to create qemu command
• @​9fa0077 chore: update go-blockdevice
• @​ba13b67 fix: correct condition to use UKI cmdline in GRUB
• @​d2ce3f4 docs: drop machine.network example
• @​cf087c1 test: bird2 extension
• @​13df943 fix: adapt SELinuxSuite.TestNoPtrace to new strace version
• @​861787c fix: mark secureboot as supported for metal
• @​04e3e87 fix: clean up kubelet mounts
• @​2105790 fix: clear provisioning data on SideroLink config change
• @​0f9f4c0 feat: update Kubernetes to 1.35.0-rc.0
• @​d4309d7 fix: add a timeout for DNS resolving for NTP
• @​dd6c108 feat: update Linux to 6.18.0
• @​e9a30bf test: revert add direct connectivity CA rotation test
• @​cc95562 fix: don't disable LACP by default
• @​c9fe467 test: add platform acquire/not valid config unit-test
• @​5a03a7a chore: fix longhorn test
• @​a0cfc35 feat: implement logs persistence
• @​51b732b fix: selection of boot entry
• @​18f8ac3 feat: update Kubernetes to 1.35.0-beta.0
• @​92fa7c5 chore: update pkgs for NVIDIA 580.105.08
• @​f489299 chore: correct condition for running k8s integration tests
• @​ab14975 chore: update tools/pkgs to 1.13.0-alpha.0
• @​87ff9f8 test: fix the image-factory test to pass IF endpoint
• @​2ffe538 test: add direct connectivity CA rotation test
• @​70f6b80 chore(ci): skip multipath extension tests
• @​561cfb6 chore: update pkgs and tools version
• @​2f42202 fix: simplify OOM expression
• @​7b06ae8 test: fix flaky LinkSpec/Wireguard test
• @​e715f38 feat: present kernel log as talosctl logs kernel
• @​e2ee39b fix: support specifying patch file without '@​' symbol
• @​e202b1f fix: trim trailing dots from certificate SANs
• @​7f7079f fix: assign value of multicast setting properly
• @​eba9614 feat: update etcd to 3.6.6
• @​9945cee docs: add API Server Cipher Suites changelog
• @​9ed488d feat: update TLS cipher suites for API server
• @​f1c04e4 feat: generate mirrors patch
• @​a891089 fix: add CA subject to generated certificate
• @​35dd612 fix: add more resilient move
• @​8367583 feat: extend flags of cache-cert-gen
• @​80ab7a0 chore: remove spammy 'clean up unused volumes' logs
• @​74d3590 chore: disable k8s integration tests for 1GiB worker nodes
• @​4f62186 feat: support TALOS_HOME env var
• @​0c59b3e feat: add multicast to linkconfig
• @​6db06f4 feat: implement multicast setting
• @​eeded98 fix: add riscv64 talosctl to release artifacts
• @​a6bbae9 fix: fix typos across the project
• @​83f2bdb feat: support relative voume size

Changes since v1.13.0-beta.0

22 commits

• @​213ecf2 release(v1.13.0-beta.1): prepare release
• @​abc0ddf feat: bump musl to 1.2.6
• @​fcdfeab fix: incorrect route source for on-link routes
• @​a8f2a0a feat: update NVIDIA production drivers to 595.58.03
• @​ccf1e0c test: fix the PKI mismatch test flake
• @​7a94673 test: fix cron failures for provision-1 & provision-2
• @​7978152 fix: allow blockdevice wipe in maintenance mode
• @​efc76f0 test: fix the flakes in tests with trusted roots
• @​7fa16b4 test: bump memory for Flannel netpolicy tests
• @​576c269 feat: add --platform=all support to image cache-create
• @​ceec42f feat: update Linux to 6.18.19, CNI to 1.9.1
• @​902c78a test: improve maintenance API provision tests
• @​a4b0cbc feat: validate luks headers for tampering
• @​281584b chore: update go-kubernetes library
• @​b863607 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
• @​d82fada fix: unset rlimits for extension services
• @​76931f4 feat: enforce PID check on connections to services over file sockets
• @​df4e0e7 feat: update etcd to 3.6.9
• @​08ba425 feat: update Kubernetes to 1.36.0-beta.0
• @​1cb2a8b fix: update diff library to v1.0.1
• @​5e171a3 test: fix the apid test against AWS/GCP
• @​f98e76f fix: panics in diff algorithms

Changes from siderolabs/discovery-api

2 commits

• siderolabs/discovery-api@9c06846 feat: change the way excluded addresses are specified
• siderolabs/discovery-api@f71a14a feat: add advertised filters to discovery data

Changes from siderolabs/discovery-client

2 commits

• siderolabs/discovery-client@854400f feat: bump discovery API to v0.1.8
• siderolabs/discovery-client@0a4c6fd chore: update dependencies and rekres

Changes from siderolabs/go-cmd

2 commits

• siderolabs/go-cmd@5f31ba9 chore: rekres and update
• siderolabs/go-cmd@fff5698 feat: allow capturing full output to stdout, modernize API

Changes from siderolabs/go-debug

1 commit

• siderolabs/go-debug@47fce68 feat: support Go 1.26, rekres

Changes from siderolabs/go-kmsg

3 commits

• siderolabs/go-kmsg@b53b36d chore: rekres and update
• siderolabs/go-kmsg@6f7d20b feat: calculate boot time correctly if the time jumps
• siderolabs/go-kmsg@47655ee feat: support PRINTK_CALLER kmsg logs

Changes from siderolabs/go-kubernetes

17 commits

• siderolabs/go-kubernetes@503792d chore: add retry to main kubernetes operations
• siderolabs/go-kubernetes@6a00c4f feat: handle CR defined alongside thei

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.26.0 -> 1.26.1
github.com/ProtonMail/go-crypto	v1.3.0 -> v1.4.1
github.com/ProtonMail/gopenpgp/v2	v2.9.0 -> v2.10.0
github.com/cosi-project/runtime	v1.14.0 -> v1.14.1
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.8 -> v2.28.0
github.com/jsimonetti/rtnetlink/v2	v2.2.0 -> v2.2.1-0.20260317095713-310581b9c6ac
github.com/klauspost/compress	v1.18.4 -> v1.18.5
github.com/mdlayher/netlink	v1.8.0 -> v1.9.0
github.com/neticdk/go-stdlib	v1.0.0 -> v1.0.1
golang.org/x/time	v0.14.0 -> v0.15.0