Note: this issue never happens with default Talos worker configuration (generated by Omni, `talosctl gen config` or CABPT).

Before change https://github.com/siderolabs/talos/pull/4294 3 years ago, worker nodes connected to trustd in "insecure" mode (without validating the trustd server certificate). The change kept backwards compatibility, so it still allowed insecure mode on upgrades.

Now it's time to break this compatibility promise, and require accepted CAs to be always present. Adds validation for machine configuration, so if an upgrade is attempted, it would not validate the machine config without accepted CAs.

Now lack of accepted CAs would lead to failure to connect to trustd.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>