chore(deps): update kubectl docker tag to v1.33.3

.github/workflows/ci.yaml

@@ -59,7 +59,12 @@ jobs:
       - name: Run shellcheck
         run: |
           sudo apt-get install -y shellcheck
-          find . -name "*.sh" -print0 | xargs -0 shellcheck
+          shell_files=$(find . -name "*.sh" -print)
+          if [ -n "$shell_files" ]; then
+            echo "$shell_files" | xargs shellcheck
+          else
+            echo "No shell scripts found to check"
+          fi
 
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -85,7 +90,7 @@ jobs:
           output_file_path: console,results.sarif
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
         with:
           sarif_file: results.sarif
 

aqua.yaml

@@ -15,14 +15,14 @@ packages:
   - name: siderolabs/talos@v1.10.5
   - name: siderolabs/omni/omnictl@v0.52.0
   - name: siderolabs/omni/omni@v0.52.0
-  - name: kubernetes/kubectl@v1.33.2
+  - name: kubernetes/kubectl@v1.33.3
   - name: go-task/task@v3.44.0
   - name: golang/go@go1.24.5
   - name: abiosoft/colima@v0.8.1
-  - name: lima-vm/lima@v1.2.0
+  - name: lima-vm/lima@v1.2.1
   - name: docker/cli@v27.4.1
   - name: docker/compose@v2.38.2
-  - name: aws/aws-cli@2.27.55
+  - name: aws/aws-cli@2.27.58
   - name: helm/helm@v3.18.4
   - name: fluxcd/flux2@v2.6.4
   - name: hashicorp/vault@v1.20.0

contexts/.gitignore

@@ -1 +1 @@
-/_template/
+!/_template/

kustomize/csi/cleanup/pvcs/deployment.yaml

@@ -22,7 +22,7 @@ spec:
       initContainers:
       - name: cleanup
         # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
-        image: bitnami/kubectl:1.33.2
+        image: bitnami/kubectl:1.33.3
         env:
         - name: RESOURCE_WAIT_TIMEOUT
           value: "300"

kustomize/ingress/cleanup/ingresses/deployment.yaml

@@ -22,7 +22,7 @@ spec:
       initContainers:
       - name: cleanup
         # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
-        image: bitnami/kubectl:1.33.2
+        image: bitnami/kubectl:1.33.3
         env:
         - name: RESOURCE_WAIT_TIMEOUT
           value: "300"

kustomize/ingress/cleanup/loadbalancers/deployment.yaml

@@ -22,7 +22,7 @@ spec:
       initContainers:
       - name: cleanup
         # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
-        image: bitnami/kubectl:1.33.2
+        image: bitnami/kubectl:1.33.3
         env:
         - name: RESOURCE_WAIT_TIMEOUT
           value: "300"

kustomize/object-store/resources/common/job.yaml

@@ -15,7 +15,7 @@ spec:
       containers:
       - name: generate-creds
         # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
-        image: bitnami/kubectl:1.33.2
+        image: bitnami/kubectl:1.33.3
         command: ["/bin/bash", "-c"]
         args:
         - |

kustomize/pki/resources/private-issuer/ca/copy-root-cert-job.yaml

@@ -11,7 +11,7 @@ spec:
       containers:
       - name: copy-root-cert
         # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
-        image: bitnami/kubectl:1.33.2
+        image: bitnami/kubectl:1.33.3
         command:
           - /bin/sh
           - -c

kustomize/telemetry/resources/prometheus/flux/helm-release.yaml

@@ -10,7 +10,7 @@ spec:
     spec:
       chart: flux2
       # renovate: datasource=helm depName=flux package=flux2 helmRepo=https://fluxcd-community.github.io/helm-charts
-      version: 2.16.2
+      version: 2.16.3
       sourceRef:
         kind: HelmRepository
         name: fluxcd-community

terraform/cluster/talos/README.md

@@ -11,7 +11,6 @@
 | Name | Version |
 |------|---------|
 | <a name="provider_local"></a> [local](#provider\_local) | 2.5.3 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.2.4 |
 | <a name="provider_talos"></a> [talos](#provider\_talos) | 0.8.1 |
 
 ## Modules
@@ -28,7 +27,6 @@
 |------|------|
 | [local_sensitive_file.kubeconfig](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
 | [local_sensitive_file.talosconfig](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
-| [null_resource.healthcheck](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [talos_cluster_kubeconfig.this](https://registry.terraform.io/providers/siderolabs/talos/0.8.1/docs/resources/cluster_kubeconfig) | resource |
 | [talos_machine_secrets.this](https://registry.terraform.io/providers/siderolabs/talos/0.8.1/docs/resources/machine_secrets) | resource |
 | [talos_client_configuration.this](https://registry.terraform.io/providers/siderolabs/talos/0.8.1/docs/data-sources/client_configuration) | data source |
@@ -43,8 +41,7 @@
 | <a name="input_context_path"></a> [context\_path](#input\_context\_path) | The path to the context folder, where kubeconfig and talosconfig are stored | `string` | `""` | no |
 | <a name="input_controlplane_config_patches"></a> [controlplane\_config\_patches](#input\_controlplane\_config\_patches) | A YAML string of controlplane config patches to apply. Can be an empty string or valid YAML. | `string` | `""` | no |
 | <a name="input_controlplanes"></a> [controlplanes](#input\_controlplanes) | A list of machine configuration details for control planes. | <pre>list(object({<br/>    hostname = optional(string)<br/>    endpoint = string<br/>    node     = string<br/>    disk_selector = optional(object({<br/>      busPath  = optional(string)<br/>      modalias = optional(string)<br/>      model    = optional(string)<br/>      name     = optional(string)<br/>      serial   = optional(string)<br/>      size     = optional(string)<br/>      type     = optional(string)<br/>      uuid     = optional(string)<br/>      wwid     = optional(string)<br/>    }))<br/>    wipe_disk         = optional(bool, true)<br/>    extra_kernel_args = optional(list(string), [])<br/>    config_patches    = optional(string, "")<br/>  }))</pre> | `[]` | no |
-| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | The kubernetes version to deploy. | `string` | `"1.33.2"` | no |
-| <a name="input_os_type"></a> [os\_type](#input\_os\_type) | The operating system type, must be either 'unix' or 'windows' | `string` | `"unix"` | no |
+| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | The kubernetes version to deploy. | `string` | `"1.33.3"` | no |
 | <a name="input_talos_version"></a> [talos\_version](#input\_talos\_version) | The talos version to deploy. | `string` | `"1.10.5"` | no |
 | <a name="input_worker_config_patches"></a> [worker\_config\_patches](#input\_worker\_config\_patches) | A YAML string of worker config patches to apply. Can be an empty string or valid YAML. | `string` | `""` | no |
 | <a name="input_workers"></a> [workers](#input\_workers) | A list of machine configuration details | <pre>list(object({<br/>    hostname = optional(string)<br/>    endpoint = string<br/>    node     = string<br/>    disk_selector = optional(object({<br/>      busPath  = optional(string)<br/>      modalias = optional(string)<br/>      model    = optional(string)<br/>      name     = optional(string)<br/>      serial   = optional(string)<br/>      size     = optional(string)<br/>      type     = optional(string)<br/>      uuid     = optional(string)<br/>      wwid     = optional(string)<br/>    }))<br/>    wipe_disk         = optional(bool, true)<br/>    extra_kernel_args = optional(list(string), [])<br/>    config_patches    = optional(string, "")<br/>  }))</pre> | `[]` | no |

terraform/cluster/talos/main.tf

@@ -50,6 +50,8 @@ module "controlplane_bootstrap" {
   machine_type         = "controlplane"
   endpoint             = var.controlplanes[0].endpoint
   bootstrap            = true // Bootstrap the first control plane node
+  talosconfig_path     = local.talosconfig_path
+  enable_health_check  = true
   config_patches = compact(concat([
     var.common_config_patches,
     var.controlplane_config_patches,
@@ -76,6 +78,8 @@ module "controlplanes" {
   machine_type         = "controlplane"
   endpoint             = var.controlplanes[count.index + 1].endpoint
   bootstrap            = false // Do not bootstrap other control plane nodes
+  talosconfig_path     = local.talosconfig_path
+  enable_health_check  = true
   config_patches = compact(concat([
     var.common_config_patches,
     var.controlplane_config_patches,
@@ -105,6 +109,8 @@ module "workers" {
   talos_version        = var.talos_version
   machine_type         = "worker"
   endpoint             = var.workers[count.index].endpoint
+  talosconfig_path     = local.talosconfig_path
+  enable_health_check  = true
   config_patches = compact(concat([
     var.common_config_patches,
     var.worker_config_patches,
@@ -157,48 +163,4 @@ resource "local_sensitive_file" "talosconfig" {
   }
 }
 
-#-----------------------------------------------------------------------------------------------------------------------
-# Cluster Health
-#-----------------------------------------------------------------------------------------------------------------------
-
-# The following workaround is required until resolution of https://github.com/siderolabs/terraform-provider-talos/issues/221
-
-# data "talos_cluster_health" "this" {
-#   depends_on = [
-#     module.controlplane_bootstrap,
-#     module.controlplanes,
-#     module.workers
-#   ]
 
-#   client_configuration = talos_machine_secrets.this.client_configuration
-#   control_plane_nodes  = var.controlplanes.*.node
-#   worker_nodes         = var.workers.*.node
-#   endpoints            = var.controlplanes.*.endpoint
-# }
-
-locals {
-  healthcheck_command     = var.os_type == "unix" ? "${path.module}/resources/healthcheck.sh" : "& { & '${path.module}/resources/healthcheck.ps1' }"
-  healthcheck_interpreter = var.os_type == "unix" ? ["sh", "-c"] : ["powershell", "-Command"]
-}
-
-resource "null_resource" "healthcheck" {
-  triggers = {
-    always_run = timestamp() // Ensures the resource runs every time
-  }
-
-  depends_on = [
-    local_sensitive_file.kubeconfig,
-    local_sensitive_file.talosconfig
-  ]
-
-  provisioner "local-exec" {
-    command     = local.healthcheck_command
-    interpreter = local.healthcheck_interpreter
-    environment = {
-      KUBECONFIG = local.kubeconfig_path
-      NODE_COUNT = length(var.controlplanes) + length(var.workers)
-      TIMEOUT    = 300 # 5 minutes
-      INTERVAL   = 5   # 5 seconds
-    }
-  }
-}

terraform/cluster/talos/modules/machine/main.tf

@@ -8,6 +8,9 @@ terraform {
     talos = {
       source = "siderolabs/talos"
     }
+    null = {
+      source = "hashicorp/null"
+    }
   }
 }
 
@@ -74,3 +77,30 @@ resource "talos_machine_bootstrap" "bootstrap" {
   endpoint             = var.endpoint
   client_configuration = var.client_configuration
 }
+
+#-----------------------------------------------------------------------------------------------------------------------
+# Node Health Check
+#-----------------------------------------------------------------------------------------------------------------------
+
+locals {
+  # Use hostname if available, otherwise fall back to node address
+  node_name = var.hostname != null && var.hostname != "" ? var.hostname : var.node
+}
+
+resource "null_resource" "node_healthcheck" {
+  triggers = {
+    node_id = var.node
+  }
+
+  depends_on = [
+    talos_machine_configuration_apply.this,
+    talos_machine_bootstrap.bootstrap
+  ]
+
+  provisioner "local-exec" {
+    command = var.enable_health_check ? "windsor check node-health --nodes ${local.node_name} --timeout 5m" : "echo 'Health check disabled for testing'"
+    environment = var.enable_health_check ? {
+      TALOSCONFIG = var.talosconfig_path
+    } : {}
+  }
+}

terraform/cluster/talos/modules/machine/test.tftest.hcl

@@ -4,6 +4,10 @@ mock_provider "talos" {
   mock_resource "talos_machine_bootstrap" {}
 }
 
+mock_provider "null" {
+  mock_resource "null_resource" {}
+}
+
 variables {
   machine_type = "controlplane"
   endpoint     = "dummy"
@@ -47,10 +51,12 @@ variables {
       token = "dummy"
     }
   }
-  cluster_name       = "dummy"
-  cluster_endpoint   = "https://dummy"
-  kubernetes_version = "dummy"
-  talos_version      = "1.10.1"
+  cluster_name        = "dummy"
+  cluster_endpoint    = "https://dummy"
+  kubernetes_version  = "dummy"
+  talos_version       = "1.10.1"
+  talosconfig_path    = "/tmp/dummy-talosconfig"
+  enable_health_check = false
 }
 
 run "machine_config_patch_with_disk_and_hostname" {

terraform/cluster/talos/modules/machine/variables.tf

@@ -112,3 +112,14 @@ variable "bootstrap" {
   type        = bool
   default     = false
 }
+
+variable "talosconfig_path" {
+  description = "Path to the talosconfig file for health checking."
+  type        = string
+}
+
+variable "enable_health_check" {
+  description = "Whether to enable health checking for this node."
+  type        = bool
+  default     = true
+}