alt-orchestra/talos
1
0
Fork 0
Code Issues Pull Requests Actions 29 Packages Projects Releases Wiki Activity

fix: pass TTL when generating client certificate

Browse Source 
Pass the TTL to the talosconfig generation function.

Signed-off-by: Henno Schooljan <github@sfynx.nl>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This commit is contained in:
Henno Schooljan 2024-02-04 00:31:54 +01:00 committed by Andrey Smirnov
parent 3fe8c12ca6
commit a04cc80154
No known key found for this signature in database
GPG Key ID: FE042E3D4085A811
3 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/app/machined/internal/server/v1alpha1/v1alpha1_server.go
View File

@ -2092,7 +2092,7 @@ func (s *Server) GenerateClientConfiguration(ctx context.Context, in *machine.Ge
secretsBundle := secrets.NewBundleFromConfig(secrets.NewFixedClock(time.Now()), s.Controller.Runtime().Config())
cert, err := secretsBundle.GenerateTalosAPIClientCertificate(roles)
cert, err := secretsBundle.GenerateTalosAPIClientCertificateWithTTL(roles, crtTTL)
if err != nil {
return nil, err
}

14
internal/integration/cli/config.go
View File

@ -125,6 +125,20 @@ func (suite *TalosconfigSuite) TestMerge() {
suite.Require().NotNil(c.Contexts["foo-1"])
}
// TestNewTTL checks `talosctl config new --crt-ttl`.
func (suite *TalosconfigSuite) TestNewTTL() {
tempDir := suite.T().TempDir()
node := suite.RandomDiscoveredNodeInternalIP(machine.TypeControlPlane)
talosconfig := filepath.Join(tempDir, "talosconfig")
suite.RunCLI([]string{"--nodes", node, "config", "new", "--roles", "os:reader", talosconfig, "--crt-ttl", "17520h"},
base.StdoutEmpty())
suite.RunCLI([]string{"config", "info", "--talosconfig", talosconfig},
base.StdoutShouldMatch(regexp.MustCompile(`2 years from now`)))
}
// TestNew checks `talosctl config new`.
func (suite *TalosconfigSuite) TestNew() {
stdout, _ := suite.RunCLI([]string{"version", "--json", "--nodes", suite.RandomDiscoveredNodeInternalIP()})

8
pkg/machinery/config/generate/secrets/bundle.go
View File

@ -9,6 +9,7 @@ import (
"fmt"
"os"
"path/filepath"
"time"
"github.com/siderolabs/crypto/x509"
"gopkg.in/yaml.v3"
@ -358,10 +359,15 @@ func (bundle *Bundle) populate(versionContract *config.VersionContract) error {
// GenerateTalosAPIClientCertificate generates the admin certificate.
func (bundle *Bundle) GenerateTalosAPIClientCertificate(roles role.Set) (*x509.PEMEncodedCertificateAndKey, error) {
return bundle.GenerateTalosAPIClientCertificateWithTTL(roles, constants.TalosAPIDefaultCertificateValidityDuration)
}
// GenerateTalosAPIClientCertificateWithTTL generates the admin certificate with specified TTL.
func (bundle *Bundle) GenerateTalosAPIClientCertificateWithTTL(roles role.Set, crtTTL time.Duration) (*x509.PEMEncodedCertificateAndKey, error) {
return NewAdminCertificateAndKey(
bundle.Clock.Now(),
bundle.Certs.OS,
roles,
constants.TalosAPIDefaultCertificateValidityDuration,
crtTTL,
)
}