v0.30.0

Changelog

• 62f344c Merge pull request #211 from cozystack/feat/talm-extension-points-and-upgrade-sync
• c349a05 fix(upgrade): point-patch node body install.image after successful upgrade
• e052727 feat(charts): expose Talos operator extension points in cozystack + generic presets
• 8d81fc5 fix(modeline): split modeline parts on top-level commas only

v0.29.0

Changelog

• a0bd589 Merge pull request #209 from cozystack/chore/move-bridge-as-gateway-test
• 5d945ac chore(test): relocate bridge-as-gateway no-longer-fails pin to multidoc test file
• 6e914ea Merge pull request #208 from cozystack/feat/chart-cleanup-per-link-and-scope-filter
• c4a07a6 refactor(chart): factor v1.12 multi-doc per-link body into shared talm helper
• c9a4212 fix(chart): legacy default_addresses_by_gateway drops scope=link / nowhere too
• 0c4786a chore(chart): drop redundant int() wrapper around cidrPrefixLen calls
• e8dcbc6 Merge pull request #207 from cozystack/feat/remove-dmesg-redirect-to-logs-kernel
• 320768f docs: merge apply-safety-gates checklist into the manual test plan
• 6e0913c feat(commands): retire talm dmesg ahead of upstream, redirect operators to logs kernel
• fa94120 Merge pull request #206 from cozystack/feat/init-endpoint-and-key-hints
• 31a27cd feat(init): --cluster-endpoint flag and single-endpoint auto-derive for values.yaml
• 352c1e7 fix(init): hint at talm.key recovery path when --decrypt fails
• a0301e7 Merge pull request #204 from cozystack/feat/commands-followups
• 8f17918 chore: strip issue and ticket references from public artifacts
• 43d5f2a feat(commands): rich shell autocompletion for presets, modes, files, talosconfig
• 125948a feat(apply): first -f file anchors project root; later files are patches
• 0b22793 fix(upgrade): take target image from values.yaml, not rendered node body
• 350c6d4 fix(template): preserve operator comments above modeline on in-place rewrite
• e1b0688 feat(engine,template): warn on IP-shaped --set values; document --set-string
• c41aca4 fix(init): drop redundant error wrap when --preset is missing on --update
• 9cdcaeb Merge pull request #203 from cozystack/test/vip-empty-bond-skip-regression-pin
• 333058f test(engine): pin empty-bond skip under VIP-active path

v0.28.2

Note

This release carries forward the -n shorthand drop introduced in v0.28.0. Update scripts using talm <cmd> -n <IP> to talm <cmd> --nodes <IP>. See the v0.28.0 release notes for the rationale.

Changelog

• 92ffd52 Merge pull request #202 from cozystack/fix/talosconfig-honor-endpoints
• 1191b22 fix(commands): honor --endpoints in talosconfig regenerate flow

v0.28.1

Note

This release carries forward the -n shorthand drop introduced in v0.28.0. Update scripts using talm <cmd> -n <IP> to talm <cmd> --nodes <IP>. See the v0.28.0 release notes for the rationale.

Changelog

• a614324 Merge pull request #201 from cozystack/fix/bond-empty-slaves-skip
• 44c6520 fix(charts,commands): skip empty bond config and honor --endpoints in init

v0.28.0

Breaking changes

• Dropped -n shorthand for --nodes (PR #197). The long form --nodes <IP> is unchanged; update scripts and docs that use -n IP to --nodes IP. Reason: as a StringSlice persistent flag on the root command, -n silently absorbed any -n <value> typed after a wrapped talosctl subcommand (e.g. talm get hostnames -n network parsed network as an additional node and failed inside the gRPC resolver with "produced zero addresses"). Operators with kubectl -n <namespace> muscle memory now get a clean flag -n not defined from cobra instead of silent misinterpretation. The pflag merge model does not allow shadowing the inherited persistent shorthand on individual wrapped subcommands.

Changelog

• d3c602c Merge pull request #200 from cozystack/feat/apply-safety-followups
• b68ec42 feat(apply,upgrade): apply-safety follow-ups (#189 + #190 + #191 + #192)
• 020d209 Merge pull request #199 from cozystack/feat/reset-meta-safe-default
• a5d61ea feat(commands): preserve META by default on talm reset (#185)
• f490e39 fix(commands): dedupe stdinIsTTY between init.go and tui_handler.go
• a00581e Merge pull request #173 from cozystack/feat/apply-safety-gates
• 76c5596 Merge pull request #197 from cozystack/feat/wrapper-ux-hardening
• 4ecd2df fix(commands): preserve ShorthandDeprecated in flag clones and dedupe via helper
• c2f3017 feat(commands): wrapper UX hardening — persistent flags, -n drop, crashdump, kubeconfig hint, dmesg cushion, TUI refusal
• 7868946 feat(apply): apply-time safety gates + init --update non-tty UX
• ed3b820 Merge pull request #163 from cozystack/fix/v1.12-vip-on-vlan-child
• 077b800 fix(charts/talm): filter malformed CIDRs in default_addresses_by_gateway
• 6499767 fix(charts): extend floatingIP fail-fast + numeric coercion to legacy v1.11 path
• e4a4e88 test(engine): scope bridge gateway assertion to br0; seed advertisedSubnets in error helper
• f269301 test(engine): add singleton + wrong-link guards to VIPOnBridge
• 1b586ef test(engine): add missing generic-chart mirrors for new contracts
• 444592b fix(charts,test,docs): hoist floatingIP coercion; pin nil-scope + tie-break; restructure README
• 68a55ef fix(charts,test): nil-safe floatingIP validation; replace Russian comment fragment
• 3940ff4 fix(charts,test): filter malformed CIDRs in addresses_by_link; pin stp/vlan independence
• 409d391 fix(charts,test): correct VLAN filtering COSI key; refresh stale bridge docs
• 11cdb2a fix(charts,docs): toString floatingIP before predicate; refresh README bridge prose
• bf5f7cc feat(charts): emit BridgeConfig + gate default-route fallback on configurable set
• 66cc321 docs(charts): drop internal helper name from user-facing values.yaml
• d814077 refactor(engine/helm,charts): ipIsValid returns bool; hoist scope skip-list
• 718afdf docs(engine/helm): correct cidrContains docstring on operator-typo path
• 1f557f8 fix(charts,test): tighten scope filter, strip workflow leakage, pin no-default-route case
• 43d99fd fix(charts,test): tighten doc precision; pin vipLink+invalid validation order
• 5ca3e09 fix(charts,engine): cidrPrefixLen + ipIsValid + scope/generic coverage
• 499a229 docs: describe new VIP-link auto-selection precedence
• 6e774f3 fix(charts/talm): filter, longest-prefix match VIP-link selection
• 2a18464 fix(engine/helm): make cidrContains lenient on parse failures
• e031294 test(engine): pin IPv6 Hetzner topology — VIP on private IPv6 VLAN
• 27311d1 fix(charts): pin VIP to subnet-matching link instead of default route
• 4c71294 feat(charts/talm): add link_name_for_address discovery helper
• a077c0e feat(engine/helm): add cidrContains template function
• 24470bc test(engine): pin Hetzner topology — VIP must land on private VLAN child
• f5540f3 Merge pull request #162 from cozystack/feat/strict-lint
• 3960231 test(engine): assert 2-space indent in encodeYAMLNodeIndented happy path
• 43b8ab3 test(commands): close write-end of pipe in captureStderr defer
• 37e11e4 fix(main): parse applyOptions.timeout in default-string path too
• 4c24050 docs(main): per-line doc comments on completion-related const block
• fa97b28 build: mark pkg/generated as linguist-generated
• ac577a4 docs(engine): correct extractResourceData doc comment
• 4fd0713 refactor(commands): finish cockroachdb/errors migration in stragglers
• f0cdd6e docs(secureperm): explain unsafe.Sizeof→uint32 conversion safety
• 42974c8 fix(main): replace panic on bad applyOptions.timeout with wrapped error
• af628e6 test(commands): pin captureStderr per-call restore semantics
• 363f7a8 test(engine): pin yaml encode/close error wrapping
• e4b4837 fix(test,engine): self-contained captureStderr; surface enc.Close errors
• 33b01ea refactor(charts): wrap AvailablePresets ReadDir error
• 84757c2 refactor(engine): drop unused ctx parameter from FullConfigProcess
• 0f565e7 test(helm): pin Lines() empty-content guard
• 587edae refactor(charts): wrap embedded WalkDir errors with file path
• f3ce867 style(main): use initSubcommandName constant
• cd29111 test(init): pin gitignore report verb against ambiguous stat errors
• 6107ece fix(init): use os.IsNotExist for stat-before-write branch
• 16fc515 refactor(commands): consolidate rotate-ca endpoint normalisation
• 349da55 fix(commands): reset GlobalArgs.Endpoints to empty between files
• c795127 ci(lint): adopt strict golangci-lint config + cross-platform CI gate

v0.27.0

Highlights

Behaviour changes

• talm init now refuses when the current directory is inside an existing talm project. Pass --root . to create a sub-project under CWD anyway, or run from the ancestor root to re-init it. (#156, #157)
• --root <path> on subcommands (apply, template, talosconfig, kubeconfig, rotate-ca) now correctly opts out of the implicit CWD walk-up. Previously the flag was silently ignored on subcommands and walk-up always fired regardless.

Reliability

• RotateKeys is atomic: backup-and-restore on any phase failure, no partial state on disk. (#159)
• talm init is all-or-nothing: every destination is pre-checked before the first write, so a Chart.yaml conflict no longer leaves talosconfig/talm.key/secrets.encrypted.yaml stranded.
• debugPhase tolerates empty patch entries (templates that conditionally emit nothing).
• Encryption helpers write secrets.yaml and encrypted output with mode 0600.
• IPv6 endpoint normalisation preserves brackets.

Validation

• Centralised DNS-1123 subdomain validation across charts and runtime with consistent error messages.

Upgrade notes

The two behaviour changes above can break scripted workflows that:

1. Run talm init from inside an existing project relying on the old walk-up overlay — either move to the parent directory or pass --root ..
2. Pass --root <path> to subcommands and expect walk-up to still fire — the flag is now honored and walk-up is suppressed.

Full changelog: v0.26.1...v0.27.0

v0.26.1

Changelog

• 7cb0ae4 feat(charts): allow overriding of the cluster's name (#148)

v0.26.0

Changelog

• 7a21e6a feat(init): add --image flag to override the preset values.yaml image (#150)
• a2abbf9 test(engine): tighten test-suite hermeticity and parent-aware subtest references (#149)
• 009104b fix(charts): rewrite v1.12 multi-doc network renderer for full link coverage (#147)
• 4b6d47f fix(engine): treat $patch:delete on absent paths as no-op (#146)
• 741f895 fix(charts): filter default-route discovery helpers to IPv4 family (#145)

v0.25.1

Changelog

• 892c543 fix(engine): idempotent talm apply for object-array and merge:replace fields (#139)

v0.25.0

What's Changed

• fix(chart): discovery-based defaults for subnets; required endpoint and VIP by @lexfrei in #130
• fix(commands): apply batch — multi-node, node-file patch merge, error handling by @lexfrei in #128
• fix(network): correct multi-NIC discovery and add per-link helpers by @lexfrei in #127
• fix(windows): CI matrix, zip archives, and NTFS ACL for sensitive files by @lexfrei in #129
• feat(apply): pre-flight Talos version check and decode-error hints by @lexfrei in #133
• chore(deps): bump github.com/moby/spdystream to v0.5.1 (CVE-2026-35469) by @lexfrei in #135
• fix: unbreak talm apply on auth path and harden MergeFileAsPatch round-trips by @lexfrei in #136

Full Changelog: v0.24.0...v0.25.0