fix: check trustd API CA on worker nodes #4294
/approve
04bedf0 to e628f84
After this PR, Talos machined can start at boot time (as control-plane) with a self-signed cert.
Not sure I follow that. It doesn't change the way control plane works.
I meant, it can be a new PR.
This distributes API CA (just the certificate, not the key) to the worker nodes on config generation, and if the CA cert is present on the worker node, it verifies TLS connection to the trustd with the CA certificate.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
e628f84 to 62acd62
/m --ff
Note: this issue never happens with default Talos worker configuration (generated by Omni, `talosctl gen config` or CABPT).

Before change siderolabs#4294 3 years ago, worker nodes connected to trustd in "insecure" mode (without validating the trustd server certificate). The change kept backwards compatibility, so it still allowed insecure mode on upgrades.

Now it's time to break this compatibility promise, and require accepted CAs to be always present. Adds validation for machine configuration, so if upgrade is attempted, it would not validate the machine config without accepted CAs.

Now lack of accepted CAs would lead to failure to connect to trustd.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
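The two behaviours the commit messages above describe, sketched as an added example that is not part of this PR or of Talos's own code: `TrustdTLSConfig`, `ErrNoAcceptedCAs`, `legacyInsecure` and `constructedCA` are hypothetical names. With `legacyInsecure` set, a worker without a CA falls back to the old unverified connection; without it, a missing CA is an error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrNoAcceptedCAs = errors.New("worker config has no accepted CAs for trustd")

// TrustdTLSConfig (hypothetical) builds a worker's TLS client config for trustd
// from the PEM-encoded CA certificates carried in its machine config.
func TrustdTLSConfig(acceptedCAs [][]byte, legacyInsecure bool) (*tls.Config, error) {
	pool, found := x509.NewCertPool(), false
	for _, pemBytes := range acceptedCAs {
		found = pool.AppendCertsFromPEM(pemBytes) || found
	}
	if !found && !legacyInsecure {
		return nil, ErrNoAcceptedCAs // strict: refuse rather than skip verification
	}
	// Verification is skipped only in the legacy fallback with no usable CA.
	return &tls.Config{RootCAs: pool, InsecureSkipVerify: !found, MinVersion: tls.VersionTLS12}, nil
}

// constructedCA returns a throwaway self-signed CA certificate as PEM (sample input).
func constructedCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, _ := constructedCA()
	_, err := TrustdTLSConfig(nil, false)
	cfg, _ := TrustdTLSConfig([][]byte{ca}, false)
	fmt.Println("no CA:", err, "| with CA, verification skipped:", cfg.InsecureSkipVerify)
}
```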