From fab94494ba5bb8f4685266090d067cb81383e05e Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Wed, 15 Jan 2025 16:20:43 +0400
Subject: [PATCH] test: update `talosctl debug air-gapped`

While working on another issue, I discovered we can update to use new config format. I couldn't reproduce another issue, so this is the only thing that is left.

Signed-off-by: Andrey Smirnov
---
 cmd/talosctl/cmd/mgmt/debug/air-gapped.go | 23 +++++++------
 .../v1.10/advanced/developing-talos.md | 32 +++++++++----------
 2 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/cmd/talosctl/cmd/mgmt/debug/air-gapped.go b/cmd/talosctl/cmd/mgmt/debug/air-gapped.go
index 8560a32f22..f24fb73a48 100644
--- a/cmd/talosctl/cmd/mgmt/debug/air-gapped.go
+++ b/cmd/talosctl/cmd/mgmt/debug/air-gapped.go
@@ -30,7 +30,9 @@ import (
 "golang.org/x/sync/errgroup"
 
 "github.com/siderolabs/talos/pkg/cli"
+ "github.com/siderolabs/talos/pkg/machinery/config/container"
 "github.com/siderolabs/talos/pkg/machinery/config/encoder"
+ "github.com/siderolabs/talos/pkg/machinery/config/types/security"
 "github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 )
 
@@ -73,21 +75,13 @@ var airgappedCmd = &cobra.Command{
 }
 
 func generateConfigPatch(caPEM []byte) error {
- patch := &v1alpha1.Config{
+ patch1 := &v1alpha1.Config{
 MachineConfig: &v1alpha1.MachineConfig{
 MachineEnv: map[string]string{
 "http_proxy": fmt.Sprintf("http://%s", net.JoinHostPort(airgappedFlags.advertisedAddress.String(), strconv.Itoa(airgappedFlags.proxyPort))),
 "https_proxy": fmt.Sprintf("http://%s", net.JoinHostPort(airgappedFlags.advertisedAddress.String(), strconv.Itoa(airgappedFlags.proxyPort))),
 "no_proxy": fmt.Sprintf("%s/24", airgappedFlags.advertisedAddress.String()),
 },
- MachineFiles: []*v1alpha1.MachineFile{
- {
- FilePath: "/etc/ssl/certs/ca-certificates",
- FileContent: string(caPEM),
- FilePermissions: 0o644,
- FileOp: "append",
- },
- },
 },
 ClusterConfig: &v1alpha1.ClusterConfig{
 ExtraManifests: []string{
@@ -96,7 +90,16 @@ func generateConfigPatch(caPEM []byte) error {
 },
 }
 
- patchBytes, err := encoder.NewEncoder(patch, encoder.WithComments(encoder.CommentsDisabled)).Encode()
+ patch2 := security.NewTrustedRootsConfigV1Alpha1()
+ patch2.MetaName = "air-gapped-ca"
+ patch2.Certificates = string(caPEM)
+
+ ctr, err := container.New(patch1, patch2)
+ if err != nil {
+ return err
+ }
+
+ patchBytes, err := ctr.EncodeBytes(encoder.WithComments(encoder.CommentsDisabled))
 if err != nil {
 return err
 }
diff --git a/website/content/v1.10/advanced/developing-talos.md b/website/content/v1.10/advanced/developing-talos.md
index 19b0184438..621d446072 100644
--- a/website/content/v1.10/advanced/developing-talos.md
+++ b/website/content/v1.10/advanced/developing-talos.md
@@ -259,22 +259,6 @@ Generated machine configuration patch looks like:
 
 ```yaml
 machine:
- files:
- - content: |
- -----BEGIN CERTIFICATE-----
- MIIBijCCAS+gAwIBAgIBATAKBggqhkjOPQQDAjAUMRIwEAYDVQQKEwlUZXN0IE9u
- bHkwHhcNMjIwODA0MTI0MzE0WhcNMjIwODA1MTI0MzE0WjAUMRIwEAYDVQQKEwlU
- ZXN0IE9ubHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQfOJdaOFSOI1I+EeP1
- RlMpsDZJaXjFdoo5zYM5VYs3UkLyTAXAmdTi7JodydgLhty0pwLEWG4NUQAEvip6
- EmzTo3IwcDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
- AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCwxL+BjG0pDwaH8QgKW
- Ex0J2mVXMA8GA1UdEQQIMAaHBKwUAAEwCgYIKoZIzj0EAwIDSQAwRgIhAJoW0z0D
- JwpjFcgCmj4zT1SbBFhRBUX64PHJpAE8J+LgAiEAvfozZG8Or6hL21+Xuf1x9oh4
- /4Hx3jozbSjgDyHOLk4=
- -----END CERTIFICATE-----
- permissions: 0o644
- path: /etc/ssl/certs/ca-certificates
- op: append
 env:
 http_proxy: http://172.20.0.1:8002
 https_proxy: http://172.20.0.1:8002
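Review bot: The new `container.New(patch1, patch2)` and `ctr.EncodeBytes(...)` failures are returned bare, so when patch generation fails the caller cannot tell which step broke; wrapping them, e.g. `return fmt.Errorf("building config container: %w", err)`, costs nothing since `fmt` is already used in this file. `caPEM` is copied verbatim into `patch2.Certificates` and nothing in the hunk checks it, so an empty or non-PEM input would presumably yield a TrustedRootsConfig document that is only rejected when the patch is applied; unless the caller guarantees a valid bundle, a `pem.Decode` check before building `patch2` would fail fast at generation time. `generateConfigPatch`, whose signature sits in the previous hunk and whose body continues past this one, still has no doc comment; `// generateConfigPatch builds a multi-document machine config patch: a v1alpha1 proxy env patch plus a TrustedRootsConfig named air-gapped-ca carrying caPEM.` would document the new shape. The explanatory sentence after the YAML in developing-talos.md still says the first section "appends" the certificate to the trusted list, which no longer matches the patch now that the files entry is gone and the CA arrives as a separate TrustedRootsConfig document.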
@@ -282,6 +266,22 @@ machine:
 cluster:
 extraManifests:
 - https://172.20.0.1:8001/debug.yaml
+---
+apiVersion: v1alpha1
+kind: TrustedRootsConfig
+name: air-gapped-ca
+certificates: |
+ -----BEGIN CERTIFICATE-----
+ MIIBiTCCAS+gAwIBAgIBATAKBggqhkjOPQQDAjAUMRIwEAYDVQQKEwlUZXN0IE9u
+ bHkwHhcNMjUwMTE1MTE1OTI3WhcNMjUwMTE2MTE1OTI3WjAUMRIwEAYDVQQKEwlU
+ ZXN0IE9ubHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAReznBeEcQFcB/y1yqI
+ HQcP0IWBMvgwGTeaaTBM6rV+AjbnyxgCrXAnmJ0t45Eur27eW9J/1T5tzA6fe24f
+ YyY9o3IwcDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+ AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEGBbafXsyzxVhVqfjzy
+ 7aBmVvtaMA8GA1UdEQQIMAaHBKwUAAEwCgYIKoZIzj0EAwIDSAAwRQIhAPAFm6Lv
+ 1Bw+M55Z1SEDLyILJSS0En5F6n8Q9LyGGT4fAiBi+Fm3wSQcvgGPG9OfokFaXmGp
+ Pa6c4ZrarKO8ZxWigA==
+ -----END CERTIFICATE-----
 ```
 
 The first section appends a self-signed certificate of the HTTPS server to the list of trusted certificates,