Skip to content

Commit

Permalink
fix: pass TTL when generating client certificate
Browse files Browse the repository at this point in the history
Pass the TTL to the talosconfig generation function.

Signed-off-by: Henno Schooljan <github@sfynx.nl>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
  • Loading branch information
sfynx authored and smira committed Feb 5, 2024
1 parent 3fe8c12 commit a04cc80
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -2092,7 +2092,7 @@ func (s *Server) GenerateClientConfiguration(ctx context.Context, in *machine.Ge

secretsBundle := secrets.NewBundleFromConfig(secrets.NewFixedClock(time.Now()), s.Controller.Runtime().Config())

cert, err := secretsBundle.GenerateTalosAPIClientCertificate(roles)
cert, err := secretsBundle.GenerateTalosAPIClientCertificateWithTTL(roles, crtTTL)
if err != nil {
return nil, err
}
Expand Down
14 changes: 14 additions & 0 deletions internal/integration/cli/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,20 @@ func (suite *TalosconfigSuite) TestMerge() {
suite.Require().NotNil(c.Contexts["foo-1"])
}

// TestNewTTL checks `talosctl config new --crt-ttl`.
func (suite *TalosconfigSuite) TestNewTTL() {
tempDir := suite.T().TempDir()

node := suite.RandomDiscoveredNodeInternalIP(machine.TypeControlPlane)

talosconfig := filepath.Join(tempDir, "talosconfig")
suite.RunCLI([]string{"--nodes", node, "config", "new", "--roles", "os:reader", talosconfig, "--crt-ttl", "17520h"},
base.StdoutEmpty())

suite.RunCLI([]string{"config", "info", "--talosconfig", talosconfig},
base.StdoutShouldMatch(regexp.MustCompile(`2 years from now`)))
}

// TestNew checks `talosctl config new`.
func (suite *TalosconfigSuite) TestNew() {
stdout, _ := suite.RunCLI([]string{"version", "--json", "--nodes", suite.RandomDiscoveredNodeInternalIP()})
Expand Down
8 changes: 7 additions & 1 deletion pkg/machinery/config/generate/secrets/bundle.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"fmt"
"os"
"path/filepath"
"time"

"github.com/siderolabs/crypto/x509"
"gopkg.in/yaml.v3"
Expand Down Expand Up @@ -358,10 +359,15 @@ func (bundle *Bundle) populate(versionContract *config.VersionContract) error {

// GenerateTalosAPIClientCertificate generates the admin certificate.
func (bundle *Bundle) GenerateTalosAPIClientCertificate(roles role.Set) (*x509.PEMEncodedCertificateAndKey, error) {
return bundle.GenerateTalosAPIClientCertificateWithTTL(roles, constants.TalosAPIDefaultCertificateValidityDuration)
}

// GenerateTalosAPIClientCertificateWithTTL generates the admin certificate with specified TTL.
func (bundle *Bundle) GenerateTalosAPIClientCertificateWithTTL(roles role.Set, crtTTL time.Duration) (*x509.PEMEncodedCertificateAndKey, error) {
return NewAdminCertificateAndKey(
bundle.Clock.Now(),
bundle.Certs.OS,
roles,
constants.TalosAPIDefaultCertificateValidityDuration,
crtTTL,
)
}

0 comments on commit a04cc80

Please sign in to comment.