From f863498ff6cc1e18237a7bde3d59c314c3f40242 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 27 Jul 2023 16:26:38 +0400
Subject: [PATCH] fix: always override APIServer audit policy

Fixes #7537

Signed-off-by: Andrey Smirnov
---
 .../config/configpatcher/apply_test.go | 40 +++++++++++++++++++
 .../testdata/auditpolicy/config.yaml | 13 ++++++
 .../testdata/auditpolicy/expected.yaml | 16 ++++++++
 .../testdata/auditpolicy/patch1.yaml | 7 ++++
 .../config/types/v1alpha1/v1alpha1_types.go | 2 +-
 .../talos-guides/configuration/patching.md | 1 +
 6 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 pkg/machinery/config/configpatcher/testdata/auditpolicy/config.yaml
 create mode 100644 pkg/machinery/config/configpatcher/testdata/auditpolicy/expected.yaml
 create mode 100644 pkg/machinery/config/configpatcher/testdata/auditpolicy/patch1.yaml

diff --git a/pkg/machinery/config/configpatcher/apply_test.go b/pkg/machinery/config/configpatcher/apply_test.go
index 2787228d3..23b844775 100644
--- a/pkg/machinery/config/configpatcher/apply_test.go
+++ b/pkg/machinery/config/configpatcher/apply_test.go
@@ -130,3 +130,43 @@ func TestApplyMultiDoc(t *testing.T) {
 })
 }
 }
+
+//go:embed testdata/auditpolicy/config.yaml
+var configAudit []byte
+
+//go:embed testdata/auditpolicy/expected.yaml
+var expectedAudit []byte
+
+func TestApplyAuditPolicy(t *testing.T) {
+ patches, err := configpatcher.LoadPatches([]string{
+ "@testdata/auditpolicy/patch1.yaml",
+ })
+ require.NoError(t, err)
+
+ cfg, err := configloader.NewFromBytes(configAudit)
+ require.NoError(t, err)
+
+ for _, tt := range []struct {
+ name string
+ input configpatcher.Input
+ }{
+ {
+ name: "WithConfig",
+ input: configpatcher.WithConfig(cfg),
+ },
+ {
+ name: "WithBytes",
+ input: configpatcher.WithBytes(configAudit),
+ },
+ } {
+ t.Run(tt.name, func(t *testing.T) {
+ out, err := configpatcher.Apply(tt.input, patches)
+ require.NoError(t, err)
+
+ bytes, err := out.Bytes()
+ require.NoError(t, err)
+
+ assert.Equal(t, string(expectedAudit), string(bytes))
+ })
+ }
+}
diff --git a/pkg/machinery/config/configpatcher/testdata/auditpolicy/config.yaml b/pkg/machinery/config/configpatcher/testdata/auditpolicy/config.yaml
new file mode 100644
index 000000000..65eb90f90
--- /dev/null
+++ b/pkg/machinery/config/configpatcher/testdata/auditpolicy/config.yaml
@@ -0,0 +1,13 @@
+version: v1alpha1
+machine:
+ network:
+ hostname: hostname-foo
+cluster:
+ apiServer:
+ auditPolicy:
+ apiVersion: audit.k8s.io/v1
+ kind: Policy
+ rules:
+ - level: Metadata
+ controlPlane:
+ endpoint: https://localhost:6443
diff --git a/pkg/machinery/config/configpatcher/testdata/auditpolicy/expected.yaml b/pkg/machinery/config/configpatcher/testdata/auditpolicy/expected.yaml
new file mode 100644
index 000000000..11c115963
--- /dev/null
+++ b/pkg/machinery/config/configpatcher/testdata/auditpolicy/expected.yaml
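Review bot: TestApplyAuditPolicy only drives a patch that carries a complete policy (`apiVersion`, `kind`, `rules`), so it does not pin the part of the new replace semantics that actually changes behaviour for operators: a patch that supplies only `rules:` should now produce a policy without `apiVersion`/`kind` instead of inheriting them from the base document. A second fixture with just `rules: [{level: None}]` and an assertion that the merged `cluster.apiServer.auditPolicy` equals exactly the patch contents would catch a regression back to deep merge, which is what #7537 is about. The `assert.Equal` on the whole serialized document also ties this test to unrelated encoding defaults (`type: ""`, `token: ""`, `certSANs: []` in expected.yaml); comparing only the `auditPolicy` value read back from `out` would survive changes elsewhere in the config encoder. Since the fixture's `level: None` effectively switches API-server auditing off, a one-line comment on the test would help the next reader, e.g. `// replace semantics: the patched policy wins wholesale, even one that disables auditing.`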
@@ -0,0 +1,16 @@
+version: v1alpha1
+machine:
+ type: ""
+ token: ""
+ certSANs: []
+ network:
+ hostname: hostname-foo
+cluster:
+ controlPlane:
+ endpoint: https://localhost:6443
+ apiServer:
+ auditPolicy:
+ apiVersion: audit.k8s.io/v1
+ kind: Policy
+ rules:
+ - level: None
diff --git a/pkg/machinery/config/configpatcher/testdata/auditpolicy/patch1.yaml b/pkg/machinery/config/configpatcher/testdata/auditpolicy/patch1.yaml
new file mode 100644
index 000000000..5d358af61
--- /dev/null
+++ b/pkg/machinery/config/configpatcher/testdata/auditpolicy/patch1.yaml
@@ -0,0 +1,7 @@
+cluster:
+ apiServer:
+ auditPolicy:
+ apiVersion: audit.k8s.io/v1
+ kind: Policy
+ rules:
+ - level: None
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
index 4606cfbe5..994aa0c3c 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
@@ -1693,7 +1693,7 @@ type APIServerConfig struct {
 // - value: APIServerDefaultAuditPolicy
 // schema:
 // type: object
- AuditPolicyConfig Unstructured `yaml:"auditPolicy,omitempty"`
+ AuditPolicyConfig Unstructured `yaml:"auditPolicy,omitempty" merge:"replace"`
 // description: |
 // Configure the API server resources.
 // schema:
diff --git a/website/content/v1.5/talos-guides/configuration/patching.md b/website/content/v1.5/talos-guides/configuration/patching.md
index a111fcaff..0b2c33d43 100644
--- a/website/content/v1.5/talos-guides/configuration/patching.md
+++ b/website/content/v1.5/talos-guides/configuration/patching.md
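Review bot: The `merge:"replace"` tag on `AuditPolicyConfig` changes the patch contract for this field — a patch no longer layers onto the existing policy, it discards it — but the field's docgen description (which begins above this hunk; the enclosing `APIServerConfig` struct starts and ends outside it) still says nothing about that, so the generated reference docs will not tell operators that a partial patch drops `apiVersion`/`kind`, or that any patch silently supersedes `APIServerDefaultAuditPolicy`. Add a sentence to the description block, e.g. `// The whole value is replaced when patching; a patch must carry a complete policy (apiVersion, kind, rules).` This matters more here than for most fields because the audit policy is a security control: a patched `level: None` turns API-server auditing off with no other signal, so the docs should make the all-or-nothing behaviour explicit.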
@@ -49,6 +49,7 @@ There are some special rules:
 - values of the fields `cluster.network.podSubnets` and `cluster.network.serviceSubnets` are overwritten on merge
 - `network.interfaces` section is merged with the value in the machine config if there is a match on `interface:` or `deviceSelector:` keys
 - `network.interfaces.vlans` section is merged with the value in the machine config if there is a match on the `vlanId:` key
+ - `cluster.apiServer.auditPolicy` value is replaced on merge
 When patching a multi-document machine configuration, following rules apply: