feat: rewrite install disk selector to use CEL expressions

Rewrite matcher to take out old go-blockdevice library out of the way,
implementing translation from go-blockdevice format to CEL.

Implement facilities to build CEL expressions programmatically.

Now we can add a machine config disk match expression (CEL) easily.

Signed-off-by: Andrey Smirnov <[email protected]>

Author: smira

Diff for: hack/release.toml

@@ -18,11 +18,11 @@ preface = """
     [notes.updates]
         title = "Component Updates"
         description = """\
-Linux: 6.6.59
-containerd: 2.0.0
-Flannel: 0.26.0
-Kubernetes: 1.32.0-beta.0
-runc: 1.2.1
+* Linux: 6.6.59
+* containerd: 2.0.0
+* Flannel: 0.26.0
+* Kubernetes: 1.32.0-beta.0
+* runc: 1.2.1
 
 Talos is built with Go 1.23.2.
 """
@@ -68,7 +68,7 @@ This command allows you to view the cgroup resource consumption and limits for a
     [notes.udevd]
         title = "udevd"
         description = """\
-Talos previously used `udevd` to provide `udevd`, now it uses `systemd-udevd` instead.
+Talos previously used `eudev` to provide `udevd`, now it uses `systemd-udevd` instead.
 """
 
 [make_deps]

Diff for: internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go

@@ -179,16 +179,23 @@ func (s *Server) ApplyConfiguration(ctx context.Context, in *machine.ApplyConfig
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}
 
-	warnings, err := cfgProvider.Validate(
-		modeWrapper{
-			Mode:      s.Controller.Runtime().State().Platform().Mode(),
-			installed: s.Controller.Runtime().State().Machine().Installed(),
-		},
-	)
+	validationMode := modeWrapper{
+		Mode:      s.Controller.Runtime().State().Platform().Mode(),
+		installed: s.Controller.Runtime().State().Machine().Installed(),
+	}
+
+	warnings, err := cfgProvider.Validate(validationMode)
 	if err != nil {
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}
 
+	warningsRuntime, err := cfgProvider.RuntimeValidate(ctx, s.Controller.Runtime().State().V1Alpha2().Resources(), validationMode)
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
+	warnings = slices.Concat(warnings, warningsRuntime)
+
 	//nolint:exhaustive
 	switch in.Mode {
 	// --mode=try

Diff for: internal/app/machined/pkg/controllers/block/volume_manager.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/block/internal/volumes"
 	blockpb "github.com/siderolabs/talos/pkg/machinery/api/resource/definitions/block"
+	"github.com/siderolabs/talos/pkg/machinery/proto"
 	"github.com/siderolabs/talos/pkg/machinery/resources/block"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
 	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
@@ -164,7 +165,7 @@ func (ctrl *VolumeManagerController) Run(ctx context.Context, r controller.Runti
 		discoveredVolumesSpecs, err := safe.Map(discoveredVolumes, func(dv *block.DiscoveredVolume) (*blockpb.DiscoveredVolumeSpec, error) {
 			spec := &blockpb.DiscoveredVolumeSpec{}
 
-			return spec, volumes.ResourceSpecToProto(dv, spec)
+			return spec, proto.ResourceSpecToProto(dv, spec)
 		})
 		if err != nil {
 			return fmt.Errorf("error mapping discovered volumes: %w", err)
@@ -204,7 +205,7 @@ func (ctrl *VolumeManagerController) Run(ctx context.Context, r controller.Runti
 		diskSpecs, err := safe.Map(disks, func(d *block.Disk) (volumes.DiskContext, error) {
 			spec := &blockpb.DiskSpec{}
 
-			if err := volumes.ResourceSpecToProto(d, spec); err != nil {
+			if err := proto.ResourceSpecToProto(d, spec); err != nil {
 				return volumes.DiskContext{}, err
 			}
 

Diff for: internal/app/machined/pkg/controllers/config/acquire.go

@@ -14,6 +14,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/cosi-project/runtime/pkg/controller"
@@ -68,6 +69,7 @@ type AcquireController struct {
 	EventPublisher        talosruntime.Publisher
 	ValidationMode        validation.RuntimeMode
 	ConfigPath            string
+	ResourceState         state.State
 
 	configSourcesUsed []string
 }
@@ -345,7 +347,12 @@ func (ctrl *AcquireController) loadFromPlatform(ctx context.Context, logger *zap
 		return nil, fmt.Errorf("failed to validate config acquired via platform %s: %w", platformName, err)
 	}
 
-	for _, warning := range warnings {
+	warningsRuntime, err := cfg.RuntimeValidate(ctx, ctrl.ResourceState, ctrl.ValidationMode)
+	if err != nil {
+		return nil, fmt.Errorf("failed to runtime validate config acquired via platform %s: %w", platformName, err)
+	}
+
+	for _, warning := range slices.Concat(warnings, warningsRuntime) {
 		logger.Warn("config validation warning", zap.String("platform", platformName), zap.String("warning", warning))
 	}
 
@@ -364,7 +371,7 @@ func (ctrl *AcquireController) stateCmdline(ctx context.Context, r controller.Ru
 		return ctrl.stateMaintenanceEnter, nil, nil
 	}
 
-	cfg, err := ctrl.loadFromCmdline(logger)
+	cfg, err := ctrl.loadFromCmdline(ctx, logger)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -386,7 +393,9 @@ func (ctrl *AcquireController) stateCmdline(ctx context.Context, r controller.Ru
 }
 
 // loadFromCmdline is a helper function for stateCmdline.
-func (ctrl *AcquireController) loadFromCmdline(logger *zap.Logger) (config.Provider, error) {
+//
+//nolint:gocyclo
+func (ctrl *AcquireController) loadFromCmdline(ctx context.Context, logger *zap.Logger) (config.Provider, error) {
 	cmdline := ctrl.CmdlineGetter()
 
 	param := cmdline.Get(constants.KernelParamConfigInline)
@@ -435,7 +444,12 @@ func (ctrl *AcquireController) loadFromCmdline(logger *zap.Logger) (config.Provi
 		return nil, fmt.Errorf("failed to validate config acquired via cmdline %s: %w", constants.KernelParamConfigInline, err)
 	}
 
-	for _, warning := range warnings {
+	warningsRuntime, err := cfg.RuntimeValidate(ctx, ctrl.ResourceState, ctrl.ValidationMode)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate config acquired via cmdline %s: %w", constants.KernelParamConfigInline, err)
+	}
+
+	for _, warning := range slices.Concat(warnings, warningsRuntime) {
 		logger.Warn("config validation warning", zap.String("cmdline", constants.KernelParamConfigInline), zap.String("warning", warning))
 	}
 

Diff for: internal/app/machined/pkg/controllers/config/acquire_test.go

@@ -199,6 +199,7 @@ func TestAcquireSuite(t *testing.T) {
 			EventPublisher:        s.eventPublisher,
 			ValidationMode:        validationModeMock{},
 			ConfigPath:            s.configPath,
+			ResourceState:         s.State(),
 		}))
 	}
 

Diff for: internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go

@@ -71,6 +71,7 @@ import (
 	"github.com/siderolabs/talos/pkg/kubernetes"
 	machineapi "github.com/siderolabs/talos/pkg/machinery/api/machine"
 	"github.com/siderolabs/talos/pkg/machinery/config/machine"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/block/blockhelpers"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	metamachinery "github.com/siderolabs/talos/pkg/machinery/meta"
 	blockres "github.com/siderolabs/talos/pkg/machinery/resources/block"
@@ -2015,16 +2016,36 @@ func Install(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 
 			var disk string
 
-			disk, err = r.Config().Machine().Install().Disk()
+			matchExpr, err := r.Config().Machine().Install().DiskMatchExpression()
 			if err != nil {
-				return err
+				return fmt.Errorf("failed to get disk match expression: %w", err)
+			}
+
+			switch {
+			case matchExpr != nil:
+				logger.Printf("using disk match expression: %s", matchExpr)
+
+				matchedDisks, err := blockhelpers.MatchDisks(ctx, r.State().V1Alpha2().Resources(), matchExpr)
+				if err != nil {
+					return err
+				}
+
+				if len(matchedDisks) == 0 {
+					return fmt.Errorf("no disks matched the expression: %s", matchExpr)
+				}
+
+				disk = matchedDisks[0].TypedSpec().DevPath
+			case r.Config().Machine().Install().Disk() != "":
+				disk = r.Config().Machine().Install().Disk()
 			}
 
 			disk, err = filepath.EvalSymlinks(disk)
 			if err != nil {
 				return err
 			}
 
+			logger.Printf("installing Talos to disk %s", disk)
+
 			err = install.RunInstallerContainer(
 				disk,
 				r.State().Platform().Name(),

Diff for: internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go

@@ -125,6 +125,7 @@ func (ctrl *Controller) Run(ctx context.Context, drainer *runtime.Drainer) error
 			ConfigSetter:   ctrl.v1alpha1Runtime,
 			EventPublisher: ctrl.v1alpha1Runtime.Events(),
 			ValidationMode: ctrl.v1alpha1Runtime.State().Platform().Mode(),
+			ResourceState:  ctrl.v1alpha1Runtime.State().V1Alpha2().Resources(),
 		},
 		&config.MachineTypeController{},
 		&cri.SeccompProfileController{},

Diff for: internal/app/maintenance/server.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io/fs"
 	"log"
+	"slices"
 	"strings"
 
 	cosiv1alpha1 "github.com/cosi-project/runtime/api/v1alpha1"
@@ -75,7 +76,7 @@ func (s *Server) Register(obj *grpc.Server) {
 }
 
 // ApplyConfiguration implements [machine.MachineServiceServer].
-func (s *Server) ApplyConfiguration(_ context.Context, in *machine.ApplyConfigurationRequest) (*machine.ApplyConfigurationResponse, error) {
+func (s *Server) ApplyConfiguration(ctx context.Context, in *machine.ApplyConfigurationRequest) (*machine.ApplyConfigurationResponse, error) {
 	if s.mode.IsAgent() {
 		return nil, status.Error(codes.Unimplemented, "API is not implemented in agent mode")
 	}
@@ -102,10 +103,15 @@ func (s *Server) ApplyConfiguration(_ context.Context, in *machine.ApplyConfigur
 		return nil, status.Errorf(codes.InvalidArgument, "configuration validation failed: %s", err)
 	}
 
+	warningsRuntime, err := cfgProvider.RuntimeValidate(ctx, s.controller.Runtime().State().V1Alpha2().Resources(), s.controller.Runtime().State().Platform().Mode())
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "runtime configuration validation failed: %s", err)
+	}
+
 	reply := &machine.ApplyConfigurationResponse{
 		Messages: []*machine.ApplyConfiguration{
 			{
-				Warnings: warnings,
+				Warnings: slices.Concat(warnings, warningsRuntime),
 			},
 		},
 	}

Diff for: internal/integration/api/generate-config.go

@@ -95,9 +95,6 @@ func (suite *GenerateConfigSuite) TestGenerate() {
 
 	suite.Require().NoError(err)
 
-	disk, err := config.Machine().Install().Disk()
-	suite.Require().NoError(err)
-
 	suite.Require().EqualValues(request.MachineConfig.Type, config.Machine().Type())
 	suite.Require().EqualValues(request.ClusterConfig.Name, config.Cluster().Name())
 	suite.Require().EqualValues(request.ClusterConfig.ControlPlane.Endpoint, config.Cluster().Endpoint().String())
@@ -114,7 +111,7 @@ func (suite *GenerateConfigSuite) TestGenerate() {
 		fmt.Sprintf("%s:v%s", constants.KubeletImage, request.MachineConfig.KubernetesVersion),
 		config.Machine().Kubelet().Image(),
 	)
-	suite.Require().EqualValues(request.MachineConfig.InstallConfig.InstallDisk, disk)
+	suite.Require().EqualValues(request.MachineConfig.InstallConfig.InstallDisk, config.Machine().Install().Disk())
 	suite.Require().EqualValues(request.MachineConfig.InstallConfig.InstallImage, config.Machine().Install().Image())
 	suite.Require().EqualValues(request.MachineConfig.NetworkConfig.Hostname, config.Machine().Network().Hostname())
 	suite.Require().EqualValues(request.MachineConfig.NetworkConfig.Hostname, config.Machine().Network().Hostname())
@@ -149,9 +146,6 @@ func (suite *GenerateConfigSuite) TestGenerate() {
 
 	suite.Require().NoError(err)
 
-	disk, err = config.Machine().Install().Disk()
-	suite.Require().NoError(err)
-
 	suite.Require().EqualValues(request.MachineConfig.Type, joinedConfig.Machine().Type())
 	suite.Require().EqualValues(request.ClusterConfig.Name, joinedConfig.Cluster().Name())
 	suite.Require().EqualValues(request.ClusterConfig.ControlPlane.Endpoint, joinedConfig.Cluster().Endpoint().String())
@@ -163,7 +157,7 @@ func (suite *GenerateConfigSuite) TestGenerate() {
 		fmt.Sprintf("%s:v%s", constants.KubeletImage, request.MachineConfig.KubernetesVersion),
 		joinedConfig.Machine().Kubelet().Image(),
 	)
-	suite.Require().EqualValues(request.MachineConfig.InstallConfig.InstallDisk, disk)
+	suite.Require().EqualValues(request.MachineConfig.InstallConfig.InstallDisk, config.Machine().Install().Disk())
 	suite.Require().EqualValues(
 		request.MachineConfig.InstallConfig.InstallImage,
 		joinedConfig.Machine().Install().Image(),

Diff for: pkg/machinery/cel/build.go

@@ -0,0 +1,66 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package cel
+
+import (
+	"fmt"
+
+	"github.com/google/cel-go/cel"
+	"github.com/google/cel-go/common"
+	"github.com/google/cel-go/common/ast"
+	"github.com/google/cel-go/common/types"
+)
+
+// Builder allows building CEL expressions programmatically.
+type Builder struct {
+	ast.ExprFactory
+	env    *cel.Env
+	nextID int64
+}
+
+// NewBuilder creates a new builder.
+func NewBuilder(env *cel.Env) *Builder {
+	return &Builder{
+		ExprFactory: ast.NewExprFactory(),
+		env:         env,
+	}
+}
+
+// NextID returns the next unique ID.
+func (b *Builder) NextID() int64 {
+	b.nextID++
+
+	return b.nextID
+}
+
+// ToBooleanExpression converts the AST to a boolean expression.
+func (b *Builder) ToBooleanExpression(expr ast.Expr) (*Expression, error) {
+	rawAst := ast.NewAST(expr, nil)
+
+	pbAst, err := ast.ToProto(rawAst)
+	if err != nil {
+		return nil, err
+	}
+
+	celAst, err := cel.CheckedExprToAstWithSource(pbAst, common.NewTextSource(""))
+	if err != nil {
+		return nil, err
+	}
+
+	var issues *cel.Issues
+
+	celAst, issues = b.env.Check(celAst)
+	if issues != nil && issues.Err() != nil {
+		return nil, issues.Err()
+	}
+
+	if outputType := celAst.OutputType(); !outputType.IsExactType(types.BoolType) {
+		return nil, fmt.Errorf("expression output type is %s, expected bool", outputType)
+	}
+
+	return &Expression{
+		ast: celAst,
+	}, nil
+}

Diff for: pkg/machinery/cel/build_test.go

@@ -0,0 +1,32 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package cel_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/pkg/machinery/cel"
+	"github.com/siderolabs/talos/pkg/machinery/cel/celenv"
+)
+
+func TestBuildDiskExpression(t *testing.T) {
+	t.Parallel()
+
+	builder := cel.NewBuilder(celenv.DiskLocator())
+
+	expr := builder.NewSelect(
+		builder.NextID(),
+		builder.NewIdent(builder.NextID(), "disk"),
+		"rotational",
+	)
+
+	out, err := builder.ToBooleanExpression(expr)
+	require.NoError(t, err)
+
+	assert.Equal(t, "disk.rotational", out.String())
+}