From c347683670d489230a2e87e4f04f05009173aca0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Se=C3=A1n=20C=20McCord?=
Date: Sat, 5 Feb 2022 15:30:15 -0500
Subject: [PATCH] fix: disable auto-tls for etcd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

While we use properly-generated certs, it is (according to STIG 242379) possible to allow a client to downgrade to self-signed acceptance without explicitly disabling `auto-tls`. This patch sets `auto-tls` to `false`, preventing the downgrade.

Signed-off-by: Seán C McCord
---
 internal/app/machined/pkg/system/services/etcd.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/app/machined/pkg/system/services/etcd.go b/internal/app/machined/pkg/system/services/etcd.go
index 3e017c52b..08401ac93 100644
--- a/internal/app/machined/pkg/system/services/etcd.go
+++ b/internal/app/machined/pkg/system/services/etcd.go
@@ -456,6 +456,8 @@ func (e *Etcd) argsForInit(ctx context.Context, r runtime.Runtime) error {
 	// TODO(scm): see issue #2121 and description below in argsForControlPlane.
 	denyListArgs := argsbuilder.Args{
 		"name": hostname,
+		"auto-tls": "false",
+		"peer-auto-tls": "false",
 		"data-dir": constants.EtcdDataPath,
 		"listen-peer-urls": "https://" + net.FormatAddress(listenAddress) + ":2380",
 		"listen-client-urls": "https://" + net.FormatAddress(listenAddress) + ":2379",
@@ -539,6 +541,8 @@ func (e *Etcd) argsForControlPlane(ctx context.Context, r runtime.Runtime) error
 	denyListArgs := argsbuilder.Args{
 		"name": hostname,
+		"auto-tls": "false",
+		"peer-auto-tls": "false",
 		"data-dir": constants.EtcdDataPath,
 		"listen-peer-urls": "https://" + net.FormatAddress(listenAddress) + ":2380",
 		"listen-client-urls": "https://" + net.FormatAddress(listenAddress) + ":2379",
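Review bot: The reason these two keys are pinned lives only in the commit message; a maintainer reading `denyListArgs` later has no inline cue that `"auto-tls": "false"` and `"peer-auto-tls": "false"` are a hardening control rather than a default restated, and the existing `// TODO(scm)` comment on the line above does not cover it. Add a comment above the first added line, `// auto-tls and peer-auto-tls stay off (STIG 242379): a client must not be able to fall back to a self-signed cert when real certs are configured.`, and the same in the argsForControlPlane hunk, which repeats the change verbatim. Both argsForInit and argsForControlPlane start and end outside their hunks, so it is not visible here whether user-supplied extra args are merged after this map; if they are, it is worth confirming that the deny list actually rejects an `auto-tls` override rather than letting a later value win. Since the two deny lists are maintained by hand in parallel, the duplicated entries are also an easy place for the two functions to drift apart.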