

feat: create certificates with os:admin role
Minimal change for backporting into 0.10.

Refs siderolabs#3421.

Signed-off-by: Alexey Palazhchenko <alexey.palazhchenko@gmail.com>
AlekSi committed May 25, 2021
1 parent 1db301e commit c768d27
Showing 4 changed files with 20 additions and 2 deletions.
2 changes: 2 additions & 0 deletions cmd/talosctl/cmd/mgmt/gen.go
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/talos-systems/crypto/x509"

"github.com/talos-systems/talos/pkg/cli"
"github.com/talos-systems/talos/pkg/machinery/constants"
)

var (
Expand Down Expand Up @@ -124,6 +125,7 @@ var csrCmd = &cobra.Command{
}

ips := []net.IP{parsed}
opts = append(opts, x509.Organization(constants.RoleAdmin))
opts = append(opts, x509.IPAddresses(ips))
opts = append(opts, x509.NotAfter(time.Now().Add(time.Duration(crtHours)*time.Hour)))

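Review bot: The `x509.Organization(constants.RoleAdmin)` option is appended unconditionally, so every CSR produced by `talosctl gen csr` requests the admin role with no way to ask for a lesser one; since the organization is the authorization-relevant part of the certificate, that default deserves to be visible to the operator. At minimum the command's help text (outside this hunk) should state that generated CSRs carry `os:admin`, and a follow-up could expose the organization as a flag that defaults to `os:admin` to stay backward-compatible. A short comment on the new line, `// Request the admin role; the organization is what identifies the role in a Talos client certificate.`, would help the next reader — that wording is inferred from the doc comment on the constant, so adjust it if the check lives elsewhere. The csrCmd definition starts and ends outside the hunk.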
3 changes: 2 additions & 1 deletion pkg/machinery/config/types/v1alpha1/generate/generate.go
Expand Up @@ -381,11 +381,12 @@ func NewTalosCA(currentTime time.Time) (ca *x509.CertificateAuthority, err error
return x509.NewSelfSignedCertificateAuthority(opts...)
}

// NewAdminCertificateAndKey generates the admin Talos certifiate and key.
// NewAdminCertificateAndKey generates the admin Talos certificate and key.
func NewAdminCertificateAndKey(currentTime time.Time, ca *x509.PEMEncodedCertificateAndKey, loopback string) (p *x509.PEMEncodedCertificateAndKey, err error) {
ips := []net.IP{net.ParseIP(loopback)}

opts := []x509.Option{
x509.Organization(constants.RoleAdmin),
x509.IPAddresses(ips),
x509.NotAfter(currentTime.Add(87600 * time.Hour)),
x509.NotBefore(currentTime),
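Review bot: The corrected doc comment on `NewAdminCertificateAndKey` still omits the one property this change adds, which is also the security-relevant one: the certificate now carries the admin role through its Subject Organization. I'd extend it to `// NewAdminCertificateAndKey generates the admin Talos certificate and key. The certificate's Subject Organization is set to constants.RoleAdmin, which is what marks it as an admin client.`. Visible in the context but not part of this commit, `87600 * time.Hour` is a ten-year lifetime for an admin credential; a named constant with a comment on why that span was chosen would make the choice reviewable. The function body continues past the hunk.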
14 changes: 13 additions & 1 deletion pkg/machinery/config/types/v1alpha1/generate/generate_test.go
Expand Up @@ -5,10 +5,12 @@
package generate_test

import (
"crypto/x509"
"testing"

"github.com/stretchr/testify/suite"

"github.com/talos-systems/talos/pkg/machinery/client"
"github.com/talos-systems/talos/pkg/machinery/config"
genv1alpha1 "github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/generate"
"github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/machine"
Expand Down Expand Up @@ -73,6 +75,16 @@ func (suite *GenerateSuite) TestGenerateWorkerSuccess() {
}

func (suite *GenerateSuite) TestGenerateTalosconfigSuccess() {
_, err := genv1alpha1.Talosconfig(suite.input)
cfg, err := genv1alpha1.Talosconfig(suite.input)
suite.Require().NoError(err)

creds, err := client.CredentialsFromConfigContext(cfg.Contexts[cfg.Context])
suite.Require().NoError(err)
suite.Require().Nil(creds.Crt.Leaf)
suite.Require().Len(creds.Crt.Certificate, 1)

cert, err := x509.ParseCertificate(creds.Crt.Certificate[0])
suite.Require().NoError(err)

suite.Equal([]string{constants.RoleAdmin}, cert.Subject.Organization)
}
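Review bot: `suite.Require().Nil(creds.Crt.Leaf)` pins an incidental detail of `CredentialsFromConfigContext` rather than anything this change is about; if that helper ever starts populating `Leaf`, the test fails for a reason unrelated to the role. I'd drop that line and keep parsing `creds.Crt.Certificate[0]` as the test already does. The closing `suite.Equal` also differs in style from the `suite.Require()` calls above it; `suite.Require().Equal([]string{constants.RoleAdmin}, cert.Subject.Organization)` keeps the method consistent (both fail the test, but the rest of the method stops on the first failure). `constants` is used on the last line but does not appear in the visible import hunk — presumably it already sits below the shown lines, since the import block is cut off there.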
3 changes: 3 additions & 0 deletions pkg/machinery/constants/constants.go
Expand Up @@ -418,6 +418,9 @@ const (
// TODO: Once we get naming sorted we need to apply for a project specific address
// https://manage.ntppool.org/manage/vendor
DefaultNTPServer = "pool.ntp.org"

// RoleAdmin defines Talos role for admins. It matches Organization value of Talos client certificate.
RoleAdmin = "os:admin"
)

// See https://linux.die.net/man/3/klogctl
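Review bot: The comment on `RoleAdmin` says where the value appears but not what it means for whoever reads the certificate; since this constant now defines which client certificates count as admin, I'd make that explicit: `// RoleAdmin is the Talos admin role. A client certificate carries it as a Subject Organization value, and (if the API side checks it there) is treated as admin when present.`. Placing it inside the block of unrelated NTP constants also hides it; a separate `const` group for roles would make it easier to find as more roles are added. The enclosing `const (` block starts outside the hunk.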
