fix: disable auto-tls for etcd

While we use properly-generated certs, according to STIG 242379 it is
possible for a client to downgrade to accepting self-signed certificates unless
`auto-tls` is explicitly disabled.
This patch sets `auto-tls` to `false`, preventing the downgrade.

Signed-off-by: Seán C McCord <ulexus@gmail.com>
This commit is contained in:
Seán C McCord 2022-02-05 15:30:15 -05:00
parent 9bffc7e8d5
commit c347683670
No known key found for this signature in database
GPG Key ID: F6EB911089C33F61


@ -456,6 +456,8 @@ func (e *Etcd) argsForInit(ctx context.Context, r runtime.Runtime) error {
// TODO(scm): see issue #2121 and description below in argsForControlPlane.
denyListArgs := argsbuilder.Args{
"name": hostname,
"auto-tls": "false",
"peer-auto-tls": "false",
"data-dir": constants.EtcdDataPath,
"listen-peer-urls": "https://" + net.FormatAddress(listenAddress) + ":2380",
"listen-client-urls": "https://" + net.FormatAddress(listenAddress) + ":2379",
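Review bot: The two new `auto-tls` and `peer-auto-tls` entries carry no comment explaining why they are pinned in `denyListArgs`, so a later cleanup could drop or relax them without noticing the hardening intent; the same applies to the matching entries in the `argsForControlPlane` hunk. Suggest a comment above `"auto-tls": "false"` such as `// Explicitly disable auto-tls so etcd never falls back to self-signed certificates (STIG 242379).` If `denyListArgs` means what its name implies (arguments a user cannot override), keeping these flags here rather than in an overridable set is the right choice, but that is inferred from the name and not visible in the hunk. argsForInit starts and ends outside this hunk.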
@ -539,6 +541,8 @@ func (e *Etcd) argsForControlPlane(ctx context.Context, r runtime.Runtime) error
denyListArgs := argsbuilder.Args{
"name": hostname,
"auto-tls": "false",
"peer-auto-tls": "false",
"data-dir": constants.EtcdDataPath,
"listen-peer-urls": "https://" + net.FormatAddress(listenAddress) + ":2380",
"listen-client-urls": "https://" + net.FormatAddress(listenAddress) + ":2379",