fix: don't write incomplete <cluster>-ca secret for configtype none

smira · smira · commit 8c7fec8e373b · 2021-09-28T22:13:14.000+03:00
Fixes #97 Skip creating the secret if the supplied user config doesn't have full cluster CA. Cluster secret will be created once the controlplane machine configuration is passed in. Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
diff --git a/controllers/talosconfig_controller.go b/controllers/talosconfig_controller.go
@@ -324,8 +324,11 @@ func (r *TalosConfigReconciler) userConfigs(ctx context.Context, scope *TalosCon
 	}
 
 	// Create the secret with kubernetes certs so a kubeconfig can be generated
-	if err = r.writeK8sCASecret(ctx, scope, userConfig.Cluster().CA()); err != nil {
-		return retBundle, err
+	// but do this only when machineconfig contains full Kubernetes CA secret (controlplane nodes)
+	if userConfig.Cluster().CA() != nil && len(userConfig.Cluster().CA().Crt) > 0 && len(userConfig.Cluster().CA().Key) > 0 {
+		if err = r.writeK8sCASecret(ctx, scope, userConfig.Cluster().CA()); err != nil {
+			return retBundle, err
+		}
 	}
 
 	userConfigStr, err := userConfig.String()
diff --git a/internal/integration/integration_test.go b/internal/integration/integration_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	bootstrapv1alpha3 "github.com/talos-systems/cluster-api-bootstrap-provider-talos/api/v1alpha3"
+	"github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/generate"
 	talosmachine "github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/machine"
 	corev1 "k8s.io/api/core/v1"
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -218,6 +219,84 @@ func TestIntegration(t *testing.T) {
 		assert.Equal(t, "-----BEGIN CERTIFICATE-----\nMIIBPzCB8qADAgECAhEArv8iYjWXC8Mataa8e2pezDAFBgMrZXAwEDEOMAwGA1UE\nChMFdGFsb3MwHhcNMjEwOTIwMTg0MTQ5WhcNMzEwOTE4MTg0MTQ5WjAQMQ4wDAYD\nVQQKEwV0YWxvczAqMAUGAytlcAMhAOCRMlGNjsdQmgls2PCSgMdMeAIB8fAKsnCp\naXX3rfUKo2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0lBBYwFAYIKwYBBQUHAwEG\nCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIDgT1HeMDtWHHXl\nmVhYqUPDU0JoMAUGAytlcANBAD2GLO2vG9MHGxt9658X4xZLSYNldAgDy2tHmZ7l\nnAjAR0npZoQXBVhorrQEcea7g6To9BDmtzrF0StW895d0Ak=\n-----END CERTIFICATE-----\n", string(provider.Machine().Security().CA().Crt))
 	})
 
+	t.Run("ConfigTypeNone", func(t *testing.T) {
+		t.Parallel()
+
+		namespaceName := setupTest(ctx, t, c)
+		cluster := createCluster(ctx, t, c, namespaceName, nil)
+
+		secretsBundle, err := generate.NewSecretsBundle(generate.NewClock())
+		require.NoError(t, err)
+
+		input, err := generate.NewInput(cluster.Name, "https://example.com:6443/", "v1.22.2", secretsBundle)
+		require.NoError(t, err)
+
+		workers := []*bootstrapv1alpha3.TalosConfig{}
+
+		for i := 0; i < 4; i++ {
+			machine := createMachine(ctx, t, c, cluster)
+
+			machineconfig, err := generate.Config(talosmachine.TypeWorker, input)
+			require.NoError(t, err)
+
+			configdata, err := machineconfig.Bytes()
+			require.NoError(t, err)
+
+			workers = append(workers, createTalosConfig(ctx, t, c, machine, bootstrapv1alpha3.TalosConfigSpec{
+				GenerateType: "none",
+				Data:         string(configdata),
+			}))
+		}
+
+		controlplanes := []*bootstrapv1alpha3.TalosConfig{}
+
+		for i := 0; i < 3; i++ {
+			machine := createMachine(ctx, t, c, cluster)
+
+			machineType := talosmachine.TypeInit
+
+			if i > 0 {
+				machineType = talosmachine.TypeControlPlane
+			}
+
+			machineconfig, err := generate.Config(machineType, input)
+			require.NoError(t, err)
+
+			configdata, err := machineconfig.Bytes()
+			require.NoError(t, err)
+
+			controlplanes = append(controlplanes, createTalosConfig(ctx, t, c, machine, bootstrapv1alpha3.TalosConfigSpec{
+				GenerateType: "none",
+				Data:         string(configdata),
+			}))
+		}
+
+		for i, talosConfig := range append(append([]*bootstrapv1alpha3.TalosConfig{}, controlplanes...), workers...) {
+			waitForReady(ctx, t, c, talosConfig)
+
+			// Note, for config type none we don't generate talosconfig (why?)
+
+			provider := assertMachineConfiguration(ctx, t, c, talosConfig)
+
+			switch {
+			case i == 0:
+				assert.Equal(t, talosmachine.TypeInit, provider.Machine().Type())
+			case i < len(controlplanes):
+				assert.Equal(t, talosmachine.TypeControlPlane, provider.Machine().Type())
+			default:
+				assert.Equal(t, talosmachine.TypeWorker, provider.Machine().Type())
+			}
+		}
+
+		assertClusterCA(ctx, t, c, cluster, assertMachineConfiguration(ctx, t, c, controlplanes[0]))
+
+		// compare control plane secrets completely
+		assertSameMachineConfigSecrets(ctx, t, c, controlplanes...)
+
+		// compare all configs in more relaxed mode
+		assertCompatibleMachineConfigs(ctx, t, c, append(append([]*bootstrapv1alpha3.TalosConfig{}, controlplanes...), workers...)...)
+	})
+
 }
 
 // legacy cluster secret format

Original file line number	Diff line number	Diff line change
`@@ -324,8 +324,11 @@ func (r TalosConfigReconciler) userConfigs(ctx context.Context, scope TalosCon`
`324`	`324`	`}`
`325`	`325`
`326`	`326`	`// Create the secret with kubernetes certs so a kubeconfig can be generated`
`327`		`- if err = r.writeK8sCASecret(ctx, scope, userConfig.Cluster().CA()); err != nil {`
`328`		`- return retBundle, err`
	`327`	`+ // but do this only when machineconfig contains full Kubernetes CA secret (controlplane nodes)`
	`328`	`+ if userConfig.Cluster().CA() != nil && len(userConfig.Cluster().CA().Crt) > 0 && len(userConfig.Cluster().CA().Key) > 0 {`
	`329`	`+ if err = r.writeK8sCASecret(ctx, scope, userConfig.Cluster().CA()); err != nil {`
	`330`	`+ return retBundle, err`
	`331`	`+ }`
`329`	`332`	`}`
`330`	`333`
`331`	`334`	`userConfigStr, err := userConfig.String()`