fix: validate that workers don't get cluster CA key

Only the cert should be present on worker nodes, enforce this via validation. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit c6ad0fc)
siderolabs · Apr 12, 2024 · 09ef5b3 · 09ef5b3
1 parent 4f7cb9c
commit 09ef5b3
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go
@@ -374,6 +374,10 @@ func (c *ClusterConfig) Validate(isControlPlane bool) error {
 		}
 	}
 
+	if c.ClusterCA != nil && !isControlPlane && len(c.ClusterCA.Key) > 0 {
+		result = multierror.Append(result, errors.New("cluster CA key is not allowed on non-controlplane nodes (.cluster.ca)"))
+	}
+
 	result = multierror.Append(
 		result,
 		c.ClusterInlineManifests.Validate(),