
Commit 8d52e2d

rsmittysmira
authored andcommitted
feat: add trusted roots generation to stdpatches
This PR adds the ability to generate a standardized machine-configuration patch document for trusted roots. Ran into wanting this with the vSphere provider, and I generally feel we should extend the set of available standard patches here over time. Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com> Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 10f49ca)
1 parent 6284877 commit 8d52e2d


2 files changed

+31
-0
lines changed


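--- a/pkg/machinery/config/generate/stdpatches/stdpatches.go
+++ b/pkg/machinery/config/generate/stdpatches/stdpatches.go
@@ -6,6 +6,8 @@
 package stdpatches
 
 import (
+	"fmt"
+
 	"github.com/siderolabs/go-pointer"
 	"go.yaml.in/yaml/v4"
 
@@ -14,6 +16,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
 	"github.com/siderolabs/talos/pkg/machinery/config/encoder"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/security"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 )
 
@@ -36,6 +39,18 @@ func WithStaticHostname(versionContract *config.VersionContract, hostname string
 	})
 }
 
+// WithTrustedRoots returns a patch that sets trusted roots in the machine configuration.
+func WithTrustedRoots(versionContract *config.VersionContract, trustedRoots string) ([]byte, error) {
+	if versionContract.MultidocNetworkConfigSupported() {
+		trustedRootsConfig := security.NewTrustedRootsConfigV1Alpha1()
+		trustedRootsConfig.Certificates = trustedRoots
+
+		return patchFromDocument(trustedRootsConfig)
+	}
+
+	return nil, fmt.Errorf("trusted roots patch is not supported for version contract %s", versionContract.String())
+}
+
 func patchFromDocument(doc configconfig.Document) ([]byte, error) {
 	ctr, err := container.New(doc)
 	if err != nil {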
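Review bot: WithTrustedRoots copies trustedRoots straight into Certificates with no check that it is non-empty or PEM-shaped, so an empty string or a file path passed by mistake is emitted as a well-formed TrustedRootsConfig document and only fails (if at all) when the node applies it. A cheap guard before building the document, `if strings.TrimSpace(trustedRoots) == "" { return nil, fmt.Errorf("trusted roots must not be empty") }` (adding a strings import), and a doc line such as `// trustedRoots is a PEM-encoded bundle of CA certificates; its contents are passed through unvalidated.` would make the contract explicit to callers. The gate also reuses MultidocNetworkConfigSupported(), a network-config capability, to decide whether a security document may be generated; if TrustedRootsConfigV1Alpha1 was introduced in a different release than multidoc network config, a contract could pass this gate and produce a document the target version rejects, so a dedicated capability check on the version contract would be safer. patchFromDocument's body continues past the end of the hunk.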

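--- a/pkg/machinery/config/generate/stdpatches/stdpatches_test.go
+++ b/pkg/machinery/config/generate/stdpatches/stdpatches_test.go
@@ -48,6 +48,22 @@ func TestPatches(t *testing.T) {
 				assert.Equal(t, "hostname-1", cfg.NetworkHostnameConfig().Hostname())
 			},
 		},
+		{
+			name: "WithTrustedRoots",
+
+			patch: func(vc *config.VersionContract) ([]byte, error) {
+				return stdpatches.WithTrustedRoots(vc, "trusted-roots-1")
+			},
+
+			versionContracts: []*config.VersionContract{
+				config.TalosVersion1_12,
+			},
+			kubernetesVersion: "1.34.0",
+
+			assertion: func(t *testing.T, cfg config.Config) {
+				assert.Len(t, cfg.TrustedRoots().ExtraTrustedRootCertificates(), 1)
+			},
+		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			t.Parallel()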
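Review bot: The assertion only checks that one extra trusted root comes back, not that it is the value that went in, so a patch that truncated or substituted the certificate contents would still pass; the input "trusted-roots-1" is also not PEM, which suggests the config layer does not validate it at this stage. Assuming ExtraTrustedRootCertificates() returns []string, add `assert.Equal(t, "trusted-roots-1", cfg.TrustedRoots().ExtraTrustedRootCertificates()[0])` after the Len check, or switch the fixture to a small self-signed PEM if round-tripping through the config validates PEM. There is also no case for a version contract older than 1.12 exercising the error return of WithTrustedRoots; whether the table harness can express an expected error is not visible in this hunk. TestPatches starts and ends outside the hunk.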
