diff --git a/internal/app/machined/pkg/controllers/secrets/api.go b/internal/app/machined/pkg/controllers/secrets/api.go index 72791fa2ba9..1d2a0c931df 100644 --- a/internal/app/machined/pkg/controllers/secrets/api.go +++ b/internal/app/machined/pkg/controllers/secrets/api.go @@ -337,7 +337,7 @@ func (ctrl *APIController) generateControlPlane(ctx context.Context, r controlle func (ctrl *APIController) generateWorker(ctx context.Context, r controller.Runtime, logger *zap.Logger, rootSpec *secrets.OSRootSpec, endpointsStr []string, certSANs *secrets.CertSANSpec, ) error { - remoteGen, err := gen.NewRemoteGenerator(rootSpec.Token, endpointsStr, rootSpec.IssuingCA) + remoteGen, err := gen.NewRemoteGenerator(rootSpec.Token, endpointsStr, rootSpec.AcceptedCAs) if err != nil { return fmt.Errorf("failed creating trustd client: %w", err) } diff --git a/pkg/grpc/gen/remote.go b/pkg/grpc/gen/remote.go index 1797c658037..533d811f4d0 100644 --- a/pkg/grpc/gen/remote.go +++ b/pkg/grpc/gen/remote.go @@ -28,7 +28,7 @@ type RemoteGenerator struct { } // NewRemoteGenerator initializes a RemoteGenerator with a preconfigured grpc.ClientConn. -func NewRemoteGenerator(token string, endpoints []string, ca *x509.PEMEncodedCertificateAndKey) (g *RemoteGenerator, err error) { +func NewRemoteGenerator(token string, endpoints []string, acceptedCAs []*x509.PEMEncodedCertificate) (g *RemoteGenerator, err error) { if len(endpoints) == 0 { return nil, errors.New("at least one root of trust endpoint is required") } @@ -37,7 +37,7 @@ func NewRemoteGenerator(token string, endpoints []string, ca *x509.PEMEncodedCer g = &RemoteGenerator{} - conn, err := basic.NewConnection(fmt.Sprintf("%s:///%s", resolver.RoundRobinResolverScheme, strings.Join(endpoints, ",")), basic.NewTokenCredentials(token), ca) + conn, err := basic.NewConnection(fmt.Sprintf("%s:///%s", resolver.RoundRobinResolverScheme, strings.Join(endpoints, ",")), basic.NewTokenCredentials(token), acceptedCAs) if err != nil { return nil, err } 
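Review bot: `NewRemoteGenerator` in remote.go still guards only `len(endpoints) == 0`; the new `acceptedCAs` parameter is handed straight to `basic.NewConnection`, which (per the basic.go hunk) now builds a root pool from it, so an empty list produces a dial-time x509 verification failure with no hint that the CA set was empty. Mirror the endpoints check right after it: `if len(acceptedCAs) == 0 { return nil, errors.New("at least one accepted CA certificate is required") }` — `errors` is already used in that function. The only caller in this diff, `generateWorker` in api.go, passes `rootSpec.AcceptedCAs`; I cannot see here whether `OSRootSpec.AcceptedCAs` is populated from `.machine.ca.crt` as well as `.machine.acceptedCAs`, and the validation hunk accepts a worker that sets only the former, so that path is worth confirming. The bodies of both functions continue outside these hunks.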
diff --git a/pkg/grpc/middleware/auth/basic/basic.go b/pkg/grpc/middleware/auth/basic/basic.go index 0b6aae60839..1dee1fe4cce 100644 --- a/pkg/grpc/middleware/auth/basic/basic.go +++ b/pkg/grpc/middleware/auth/basic/basic.go @@ -5,10 +5,12 @@ package basic import ( + "bytes" "crypto/tls" stdx509 "crypto/x509" "github.com/siderolabs/crypto/x509" + "github.com/siderolabs/gen/xslices" "google.golang.org/grpc" "google.golang.org/grpc/credentials" ) @@ -22,15 +24,19 @@ type Credentials interface { // NewConnection initializes a grpc.ClientConn configured for basic // authentication. -func NewConnection(address string, creds credentials.PerRPCCredentials, ca *x509.PEMEncodedCertificateAndKey) (conn *grpc.ClientConn, err error) { +func NewConnection(address string, creds credentials.PerRPCCredentials, acceptedCAs []*x509.PEMEncodedCertificate) (conn *grpc.ClientConn, err error) { tlsConfig := &tls.Config{} - if ca == nil { - tlsConfig.InsecureSkipVerify = true - } else { - tlsConfig.RootCAs = stdx509.NewCertPool() - tlsConfig.RootCAs.AppendCertsFromPEM(ca.Crt) - } + tlsConfig.RootCAs = stdx509.NewCertPool() + tlsConfig.RootCAs.AppendCertsFromPEM(bytes.Join( + xslices.Map( + acceptedCAs, + func(cert *x509.PEMEncodedCertificate) []byte { + return cert.Crt + }, + ), + nil, + )) grpcOpts := []grpc.DialOption{ grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)), diff --git a/pkg/machinery/config/container/container_test.go b/pkg/machinery/config/container/container_test.go index e34dd16e226..a9f30968ba8 100644 --- a/pkg/machinery/config/container/container_test.go +++ b/pkg/machinery/config/container/container_test.go @@ -8,6 +8,7 @@ import ( "net/url" "testing" + "github.com/siderolabs/crypto/x509" "github.com/siderolabs/gen/xtesting/must" "github.com/siderolabs/go-pointer" "github.com/stretchr/testify/assert" 
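Review bot: The result of `AppendCertsFromPEM` is discarded in the new `NewConnection` body, so a CA list whose entries are all unparsable leaves an empty pool and the failure only surfaces later as an opaque handshake error; the return value should be checked and turned into an error at construction (which needs an `errors` import added to the block shown in the first hunk). Dropping the `InsecureSkipVerify` branch is the right call — a nil CA previously disabled server verification entirely, whereas an empty pool now fails closed. Separately, `bytes.Join(..., nil)` glues each `Crt` to the next with no separator; if any entry lacks a trailing newline its END marker runs into the following BEGIN line and `pem.Decode` presumably rejects that block silently, so a `"\n"` separator is safer. `NewConnection` continues outside the hunk.
```go
	tlsConfig.RootCAs = stdx509.NewCertPool()

	// Join with a newline so a Crt without a trailing "\n" cannot merge its
	// END marker into the next BEGIN line (pem.Decode would skip that block).
	pemBundle := bytes.Join(
		xslices.Map(
			acceptedCAs,
			func(cert *x509.PEMEncodedCertificate) []byte {
				return cert.Crt
			},
		),
		[]byte("\n"),
	)

	// AppendCertsFromPEM reports whether any certificate was parsed; an empty
	// pool makes every handshake fail with an unhelpful x509 error, so report
	// the misconfiguration here instead.
	if !tlsConfig.RootCAs.AppendCertsFromPEM(pemBundle) {
		return nil, errors.New("no valid CA certificates in accepted CAs")
	}
	// … unchanged: grpcOpts and dial …
```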
@@ -137,6 +138,9 @@ func TestValidate(t *testing.T) { }, MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("cert"), + }, }, } diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go index bdf4978e344..e3d70681cbe 100644 --- a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go +++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go @@ -131,12 +131,21 @@ func (c *Config) Validate(mode validation.RuntimeMode, options ...validation.Opt warnings = append(warnings, fmt.Sprintf("use %q instead of %q for machine type", t.String(), c.MachineConfig.MachineType)) } + if c.Machine().Security().IssuingCA() == nil && len(c.Machine().Security().AcceptedCAs()) == 0 { + result = multierror.Append(result, errors.New("issuing CA or some accepted CAs are required (.machine.ca, machine.acceptedCAs)")) + } + switch c.Machine().Type() { case machine.TypeInit, machine.TypeControlPlane: warn, err := ValidateCNI(c.Cluster().Network().CNI()) warnings = append(warnings, warn...) result = multierror.Append(result, err) + if c.Machine().Security().IssuingCA() == nil { + result = multierror.Append(result, errors.New("issuing CA is required (.machine.ca)")) + } else if len(c.Machine().Security().IssuingCA().Key) == 0 { + result = multierror.Append(result, errors.New("issuing CA key is required for controlplane nodes (.machine.ca.key)")) + } case machine.TypeWorker: for _, d := range c.Machine().Network().Devices() { if d.VIPConfig() != nil { 
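Review bot: The new control-plane arm in `Validate` accepts an issuing CA that has a key but no certificate: it only tests `len(c.Machine().Security().IssuingCA().Key) == 0`, so a `.machine.ca` with `key` set and `crt` empty passes validation and only breaks later wherever the certificate is needed. Add a third arm: `else if len(c.Machine().Security().IssuingCA().Crt) == 0 { result = multierror.Append(result, errors.New("issuing CA certificate is required for controlplane nodes (.machine.ca.crt)")) }`. Also, a control-plane config with no `.machine.ca` at all now collects two overlapping errors — the new top-level "issuing CA or some accepted CAs are required" plus the arm's "issuing CA is required" — which is harmless but noisy; it is worth deciding which check owns that message. `Validate` starts and ends outside the hunk.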
@@ -150,8 +159,14 @@ func (c *Config) Validate(mode validation.RuntimeMode, options ...validation.Opt } } - if c.Machine().Security().IssuingCA() != nil && len(c.Machine().Security().IssuingCA().Key) > 0 { - result = multierror.Append(result, errors.New("issuing Talos API CA key is not allowed on non-controlplane nodes (.machine.ca)")) + if c.Machine().Security().IssuingCA() != nil { + if len(c.Machine().Security().IssuingCA().Key) > 0 { + result = multierror.Append(result, errors.New("issuing Talos API CA key is not allowed on non-controlplane nodes (.machine.ca)")) + } + + if len(c.Machine().Security().IssuingCA().Crt) == 0 && len(c.Machine().Security().AcceptedCAs()) == 0 { + result = multierror.Append(result, errors.New("trusted CA certificates are required on non-controlplane nodes (.machine.ca.crt, .machine.acceptedCAs)")) + } } if c.Cluster().IssuingCA() != nil && len(c.Cluster().IssuingCA().Key) > 0 { diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go index 249714357eb..b665bac9ef2 100644 --- a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go +++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go @@ -61,7 +61,11 @@ func TestValidate(t *testing.T) { name: "NoMachineType", config: &v1alpha1.Config{ ConfigVersion: "v1alpha1", - MachineConfig: &v1alpha1.MachineConfig{}, + MachineConfig: &v1alpha1.MachineConfig{ + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, + }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ Endpoint: &v1alpha1.Endpoint{ @@ -80,6 +84,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "join", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ 
@@ -97,7 +104,11 @@ func TestValidate(t *testing.T) { name: "NoMachineTypeStrict", config: &v1alpha1.Config{ ConfigVersion: "v1alpha1", - MachineConfig: &v1alpha1.MachineConfig{}, + MachineConfig: &v1alpha1.MachineConfig{ + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, + }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ Endpoint: &v1alpha1.Endpoint{ 
@@ -109,12 +120,77 @@ func TestValidate(t *testing.T) { strict: true, expectedError: "1 error occurred:\n\t* warning: use \"worker\" instead of \"\" for machine type\n\n", }, + { + name: "WorkerNoAcceptedCAs", + config: &v1alpha1.Config{ + ConfigVersion: "v1alpha1", + MachineConfig: &v1alpha1.MachineConfig{ + MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{}, + }, + ClusterConfig: &v1alpha1.ClusterConfig{ + ControlPlane: &v1alpha1.ControlPlaneConfig{ + Endpoint: &v1alpha1.Endpoint{ + endpointURL, + }, + }, + }, + }, + strict: true, + expectedError: "1 error occurred:\n\t* trusted CA certificates are required on non-controlplane nodes (.machine.ca.crt, .machine.acceptedCAs)\n\n", + }, + { + name: "WorkerOnlyAcceptedCAs", + config: &v1alpha1.Config{ + ConfigVersion: "v1alpha1", + MachineConfig: &v1alpha1.MachineConfig{ + MachineType: "worker", + MachineAcceptedCAs: []*x509.PEMEncodedCertificate{ + { + Crt: []byte("foo"), + }, + }, + }, + ClusterConfig: &v1alpha1.ClusterConfig{ + ControlPlane: &v1alpha1.ControlPlaneConfig{ + Endpoint: &v1alpha1.Endpoint{ + endpointURL, + }, + }, + }, + }, + strict: true, + }, + { + name: "ControlplaneNoCAKey", + config: &v1alpha1.Config{ + ConfigVersion: "v1alpha1", + MachineConfig: &v1alpha1.MachineConfig{ + MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, + }, + ClusterConfig: &v1alpha1.ClusterConfig{ + ControlPlane: &v1alpha1.ControlPlaneConfig{ + Endpoint: &v1alpha1.Endpoint{ + endpointURL, + }, + }, + }, + }, + strict: true, + expectedError: "1 error occurred:\n\t* issuing CA key is required for controlplane nodes (.machine.ca.key)\n\n", + }, { name: "NoMachineInstall", config: &v1alpha1.Config{ ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ 
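Review bot: The new cases cover a worker with no trusted CAs, a worker with only accepted CAs and a control plane without a CA key, but nothing exercises a control plane whose `.machine.ca` carries only a key — `MachineCA: &x509.PEMEncodedCertificateAndKey{Key: []byte("bar")}` with `MachineType: "controlplane"` — which passes validation as written in this diff and is probably not intended. A case with `controlplane` and no `MachineCA` at all would likewise pin down whether one or two errors are expected for that input, since both the new top-level check and the control-plane arm fire. `TestValidate` continues outside the hunk.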
@@ -131,6 +207,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -149,6 +228,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineInstall: &v1alpha1.InstallConfig{ InstallDisk: "/dev/vda", }, @@ -169,6 +251,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineInstall: &v1alpha1.InstallConfig{ InstallDisk: "/dev/vda", InstallExtensions: []v1alpha1.InstallExtensionConfig{ @@ -201,6 +286,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -224,6 +312,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -243,6 +334,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ 
@@ -260,6 +354,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -283,6 +380,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -306,6 +406,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -337,6 +441,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -354,6 +462,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -380,6 +492,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { 
@@ -409,6 +525,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -438,6 +558,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -468,6 +592,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -502,6 +630,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -535,6 +667,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -559,6 +695,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { 
@@ -593,6 +733,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -628,6 +772,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -667,6 +815,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -724,6 +876,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -763,6 +919,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -799,6 +959,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { 
@@ -838,6 +1002,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -884,6 +1052,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -943,6 +1115,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkKubeSpan: &v1alpha1.NetworkKubeSpan{ KubeSpanEnabled: pointer.To(true), @@ -967,6 +1143,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ClusterID: "foo", @@ -994,6 +1174,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ 
@@ -1014,6 +1198,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -1032,6 +1220,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -1050,6 +1241,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -1078,6 +1273,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{ @@ -1104,6 +1303,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineKubelet: &v1alpha1.KubeletConfig{ KubeletNodeIP: &v1alpha1.KubeletNodeIPConfig{ KubeletNodeIPValidSubnets: []string{ 
@@ -1130,6 +1332,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineKubelet: &v1alpha1.KubeletConfig{ KubeletNodeIP: &v1alpha1.KubeletNodeIPConfig{ KubeletNodeIPValidSubnets: []string{ @@ -1158,6 +1363,11 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineAcceptedCAs: []*x509.PEMEncodedCertificate{ + { + Crt: []byte("foo"), + }, + }, MachineKubelet: &v1alpha1.KubeletConfig{ KubeletExtraConfig: v1alpha1.Unstructured{ Object: map[string]interface{}{ @@ -1182,6 +1392,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ {}, @@ -1204,6 +1418,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { @@ -1231,6 +1449,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkInterfaces: []*v1alpha1.Device{ { 
@@ -1255,6 +1477,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineFeatures: &v1alpha1.FeaturesConfig{ KubernetesTalosAPIAccessConfig: &v1alpha1.KubernetesTalosAPIAccessConfig{ AccessEnabled: pointer.To(true), @@ -1277,6 +1503,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineFeatures: &v1alpha1.FeaturesConfig{ RBAC: pointer.To(true), KubernetesTalosAPIAccessConfig: &v1alpha1.KubernetesTalosAPIAccessConfig{ @@ -1300,6 +1529,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, MachineFeatures: &v1alpha1.FeaturesConfig{ RBAC: pointer.To(true), KubernetesTalosAPIAccessConfig: &v1alpha1.KubernetesTalosAPIAccessConfig{ @@ -1331,6 +1564,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineNodeLabels: map[string]string{ "/foo": "bar", "key": "value", @@ -1356,6 +1592,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkKubeSpan: &v1alpha1.NetworkKubeSpan{ KubeSpanEnabled: pointer.To(true), 
@@ -1390,6 +1629,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkKubeSpan: &v1alpha1.NetworkKubeSpan{ KubeSpanEnabled: pointer.To(true), @@ -1423,6 +1665,9 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "worker", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + }, MachineNetwork: &v1alpha1.NetworkConfig{ NetworkKubeSpan: &v1alpha1.NetworkKubeSpan{ KubeSpanEnabled: pointer.To(true), @@ -1451,6 +1696,10 @@ func TestValidate(t *testing.T) { ConfigVersion: "v1alpha1", MachineConfig: &v1alpha1.MachineConfig{ MachineType: "controlplane", + MachineCA: &x509.PEMEncodedCertificateAndKey{ + Crt: []byte("foo"), + Key: []byte("bar"), + }, }, ClusterConfig: &v1alpha1.ClusterConfig{ ControlPlane: &v1alpha1.ControlPlaneConfig{