fix: set correct (1 year) talosconfig expiration

Fixes #7698 Also fix `talosctl config info` for `talosconfig` without a client certificate (e.g. Omni-generated one). Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
siderolabs · Sep 4, 2023 · c918c08 · c918c08
1 parent 79bbdf4
commit c918c08
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 24 deletions.
diff --git a/cmd/talosctl/cmd/talos/config.go b/cmd/talosctl/cmd/talos/config.go
@@ -448,35 +448,50 @@ var configInfoCmdTemplate = template.Must(template.New("configInfoCmdTemplate").
 Current context:     {{ .Context }}
 Nodes:               {{ .Nodes }}
 Endpoints:           {{ .Endpoints }}
-Roles:               {{ .Roles }}
-Certificate expires: {{ .CertTTL }} ({{ .CertNotAfter }})
+{{- if .Roles }}
+Roles:               {{ .Roles }}{{ end }}
+{{- if .CertTTL }}
+Certificate expires: {{ .CertTTL }} ({{ .CertNotAfter }}){{ end }}
 `)))
 
 // configInfoCommand implements `config info` command logic.
-//
-//nolint:goconst
 func configInfoCommand(config *clientconfig.Config, now time.Time) (string, error) {
 	cfgContext, err := getContextData(config)
 	if err != nil {
 		return "", err
 	}
 
-	b, err := base64.StdEncoding.DecodeString(cfgContext.Crt)
-	if err != nil {
-		return "", err
-	}
+	var (
+		certTTL, certNotAfter string
+		roles                 role.Set
+		rolesS                string
+	)
 
-	block, _ := pem.Decode(b)
-	if block == nil {
-		return "", fmt.Errorf("error decoding PEM")
-	}
+	if cfgContext.Crt != "" {
+		var b []byte
 
-	crt, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return "", err
-	}
+		b, err = base64.StdEncoding.DecodeString(cfgContext.Crt)
+		if err != nil {
+			return "", err
+		}
+
+		block, _ := pem.Decode(b)
+		if block == nil {
+			return "", fmt.Errorf("error decoding PEM")
+		}
 
-	roles, _ := role.Parse(crt.Subject.Organization)
+		var crt *x509.Certificate
+
+		crt, err = x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return "", err
+		}
+
+		roles, _ = role.Parse(crt.Subject.Organization)
+
+		certTTL = humanize.RelTime(crt.NotAfter, now, "ago", "from now")
+		certNotAfter = crt.NotAfter.UTC().Format("2006-01-02")
+	}
 
 	nodesS := "not defined"
 	if len(cfgContext.Nodes) > 0 {
@@ -488,7 +503,6 @@ func configInfoCommand(config *clientconfig.Config, now time.Time) (string, erro
 		endpointsS = strings.Join(cfgContext.Endpoints, ", ")
 	}
 
-	rolesS := "not defined"
 	if s := roles.Strings(); len(s) > 0 {
 		rolesS = strings.Join(s, ", ")
 	}
@@ -499,8 +513,8 @@ func configInfoCommand(config *clientconfig.Config, now time.Time) (string, erro
 		"Nodes":        nodesS,
 		"Endpoints":    endpointsS,
 		"Roles":        rolesS,
-		"CertTTL":      humanize.RelTime(crt.NotAfter, now, "ago", "from now"),
-		"CertNotAfter": crt.NotAfter.UTC().Format("2006-01-02"),
+		"CertTTL":      certTTL,
+		"CertNotAfter": certNotAfter,
 	})
 
 	return res.String() + "\n", err

diff --git a/cmd/talosctl/cmd/talos/config_test.go b/cmd/talosctl/cmd/talos/config_test.go
@@ -66,7 +66,6 @@ contexts:
 Current context:     no-roles
 Nodes:               not defined
 Endpoints:           172.20.1.2
-Roles:               not defined
 Certificate expires: 10 years from now (2031-07-03)
 `) + "\n",
 		},

diff --git a/internal/app/machined/pkg/adapters/cluster/identity_test.go b/internal/app/machined/pkg/adapters/cluster/identity_test.go
@@ -25,7 +25,7 @@ func TestIdentityGenerate(t *testing.T) {
 	length := len(spec1.NodeID)
 
 	assert.GreaterOrEqual(t, length, 43)
-	assert.LessOrEqual(t, length, 44)
+	assert.LessOrEqual(t, length, 45)
 }
 
 func TestIdentityConvertMachineID(t *testing.T) {

diff --git a/internal/app/machined/pkg/controllers/runtime/maintenance_service_test.go b/internal/app/machined/pkg/controllers/runtime/maintenance_service_test.go
@@ -78,7 +78,11 @@ func (suite *MaintenanceServiceSuite) TestRunService() {
 
 	// wait for the service to be up
 	suite.AssertWithin(time.Second, 10*time.Millisecond, func() error {
-		c, err := net.Dial("tcp", maintenanceConfig.TypedSpec().ListenAddress)
+		c, err := tls.Dial("tcp", maintenanceConfig.TypedSpec().ListenAddress,
+			&tls.Config{
+				InsecureSkipVerify: true,
+			},
+		)
 
 		if c != nil {
 			c.Close() //nolint:errcheck

diff --git a/internal/integration/cli/config.go b/internal/integration/cli/config.go
@@ -35,6 +35,12 @@ func (suite *TalosconfigSuite) TestList() {
 		base.StdoutShouldMatch(regexp.MustCompile(`CURRENT`)))
 }
 
+// TestInfo checks `talosctl config info`.
+func (suite *TalosconfigSuite) TestInfo() {
+	suite.RunCLI([]string{"config", "info"}, // TODO: remove 10 years once the CABPT & TF providers are updated to 1.5.2+
+		base.StdoutShouldMatch(regexp.MustCompile(`(1 year|10 years) from now`)))
+}
+
 // TestMerge checks `talosctl config merge`.
 func (suite *TalosconfigSuite) TestMerge() {
 	tempDir := suite.T().TempDir()

diff --git a/pkg/machinery/config/generate/secrets/bundle.go b/pkg/machinery/config/generate/secrets/bundle.go
@@ -351,6 +351,6 @@ func (bundle *Bundle) GenerateTalosAPIClientCertificate(roles role.Set) (*x509.P
 		bundle.Clock.Now(),
 		bundle.Certs.OS,
 		roles,
-		CAValidityTime,
+		constants.TalosAPIDefaultCertificateValidityDuration,
 	)
 }
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
@@ -911,6 +911,9 @@ const (
 
 	// KubePrismHealthCheckTimeout is the timeout for health checks for the KubePrism loadbalancer.
 	KubePrismHealthCheckTimeout = 15 * time.Second
+
+	// TalosAPIDefaultCertificateValidityDuration specifies default certificate duration for Talos API generated client certificates.
+	TalosAPIDefaultCertificateValidityDuration = time.Hour * 24 * 365
 )
 
 // See https://linux.die.net/man/3/klogctl