fix: validate that workers don't get cluster CA key

Only the cert should be present on worker nodes, enforce this via
validation.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Andrey Smirnov 2024-04-08 19:49:49 +04:00
parent 3735add87c
commit c6ad0fcceb
No known key found for this signature in database
GPG Key ID: FE042E3D4085A811


@ -374,6 +374,10 @@ func (c *ClusterConfig) Validate(isControlPlane bool) error {
}
}
if c.ClusterCA != nil && !isControlPlane && len(c.ClusterCA.Key) > 0 {
result = multierror.Append(result, errors.New("cluster CA key is not allowed on non-controlplane nodes (.cluster.ca)"))
}
result = multierror.Append(
result,
c.ClusterInlineManifests.Validate(),
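Review bot: The new guard in Validate checks only `c.ClusterCA.Key`, so it enforces the rule for one secret. If the cluster section holds other private key material that workers must not receive (none is visible in this hunk), the same `!isControlPlane` condition would need to cover it. The message points at `(.cluster.ca)`, but the certificate under that path is still expected on workers, so `(.cluster.ca.key)` would tell the operator exactly which field to drop. A short comment above the `if`, such as `// workers only need the CA certificate to verify the control plane; the signing key must stay on controlplane nodes`, would record why the check exists. Validate's body starts and ends outside the hunk, and no test case for a worker config carrying a CA key is visible here.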