fix: don't enable RBAC feature in the config for Talos < 0.11

This makes sure that if config is generated for older version of Talos,
RBAC feature is not enabled by default.

We do this to ensure that there's no surprise if Talos 0.10 is upgraded
to 0.11 and RBAC is enabled while the user is not ready for that.

Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>

pkg/machinery/config/contract.go

@@ -24,6 +24,8 @@ type VersionContract struct {
 // Well-known Talos version contracts.
 var (
 	TalosVersionCurrent = (*VersionContract)(nil)
+	TalosVersion0_11    = &VersionContract{0, 11}
+	TalosVersion0_10    = &VersionContract{0, 10}
 	TalosVersion0_9     = &VersionContract{0, 9}
 	TalosVersion0_8     = &VersionContract{0, 8}
 )
@@ -72,3 +74,8 @@ func (contract *VersionContract) SupportsAggregatorCA() bool {
 func (contract *VersionContract) SupportsServiceAccount() bool {
 	return contract.Greater(TalosVersion0_8)
 }
+
+// SupportsRBACFeature returns true if version of Talos supports RBAC feature gate.
+func (contract *VersionContract) SupportsRBACFeature() bool {
+	return contract.Greater(TalosVersion0_10)
+}

pkg/machinery/config/contract_test.go

@@ -47,16 +47,33 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, config.TalosVersionCurrent.SupportsAggregatorCA())
 	assert.True(t, config.TalosVersionCurrent.SupportsECDSAKeys())
 	assert.True(t, config.TalosVersionCurrent.SupportsServiceAccount())
+	assert.True(t, config.TalosVersionCurrent.SupportsRBACFeature())
+}
+
+func TestContract0_11(t *testing.T) {
+	assert.True(t, config.TalosVersion0_11.SupportsAggregatorCA())
+	assert.True(t, config.TalosVersion0_11.SupportsECDSAKeys())
+	assert.True(t, config.TalosVersion0_11.SupportsServiceAccount())
+	assert.True(t, config.TalosVersion0_11.SupportsRBACFeature())
+}
+
+func TestContract0_10(t *testing.T) {
+	assert.True(t, config.TalosVersion0_10.SupportsAggregatorCA())
+	assert.True(t, config.TalosVersion0_10.SupportsECDSAKeys())
+	assert.True(t, config.TalosVersion0_10.SupportsServiceAccount())
+	assert.False(t, config.TalosVersion0_10.SupportsRBACFeature())
 }
 
 func TestContract0_9(t *testing.T) {
 	assert.True(t, config.TalosVersion0_9.SupportsAggregatorCA())
 	assert.True(t, config.TalosVersion0_9.SupportsECDSAKeys())
 	assert.True(t, config.TalosVersion0_9.SupportsServiceAccount())
+	assert.False(t, config.TalosVersion0_9.SupportsRBACFeature())
 }
 
 func TestContract0_8(t *testing.T) {
 	assert.False(t, config.TalosVersion0_8.SupportsAggregatorCA())
 	assert.False(t, config.TalosVersion0_8.SupportsECDSAKeys())
 	assert.False(t, config.TalosVersion0_8.SupportsServiceAccount())
+	assert.False(t, config.TalosVersion0_9.SupportsRBACFeature())
 }

pkg/machinery/config/types/v1alpha1/generate/generate.go

@@ -52,7 +52,8 @@ func Config(t machine.Type, in *Input) (c *v1alpha1.Config, err error) {
 //
 //nolint:maligned
 type Input struct {
-	Certs *Certs
+	Certs           *Certs
+	VersionContract *config.VersionContract
 
 	// ControlplaneEndpoint is the canonical address of the kubernetes control
 	// plane.  It can be a DNS name, the IP address of a load balancer, or
@@ -453,6 +454,7 @@ func NewInput(clustername, endpoint, kubernetesVersion string, secrets *SecretsB
 
 	input = &Input{
 		Certs:                      secrets.Certs,
+		VersionContract:            options.VersionContract,
 		ControlPlaneEndpoint:       endpoint,
 		PodNet:                     []string{podNet},
 		ServiceNet:                 []string{serviceNet},

pkg/machinery/config/types/v1alpha1/generate/generate_test.go

@@ -23,6 +23,8 @@ type GenerateSuite struct {
 
 	input      *genv1alpha1.Input
 	genOptions []genv1alpha1.GenOption
+
+	versionContract *config.VersionContract
 }
 
 func TestGenerateSuite(t *testing.T) {
@@ -33,6 +35,14 @@ func TestGenerateSuite(t *testing.T) {
 		{
 			label: "current",
 		},
+		{
+			label:      "0.11",
+			genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_11)},
+		},
+		{
+			label:      "0.10",
+			genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_10)},
+		},
 		{
 			label:      "0.9",
 			genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_9)},
@@ -58,30 +68,50 @@ func (suite *GenerateSuite) SetupSuite() {
 	suite.Require().NoError(err)
 	suite.input, err = genv1alpha1.NewInput("test", "10.0.1.5", constants.DefaultKubernetesVersion, secrets, suite.genOptions...)
 	suite.Require().NoError(err)
+
+	var opts genv1alpha1.GenOptions
+
+	for _, opt := range suite.genOptions {
+		suite.Require().NoError(opt(&opts))
+	}
+
+	suite.versionContract = opts.VersionContract
 }
 
 func (suite *GenerateSuite) TestGenerateInitSuccess() {
 	cfg, err := genv1alpha1.Config(machine.TypeInit, suite.input)
 	suite.Require().NoError(err)
 
-	suite.True(cfg.MachineConfig.Features().RBACEnabled())
-	suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	if suite.versionContract.SupportsRBACFeature() {
+		suite.True(cfg.MachineConfig.Features().RBACEnabled())
+		suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	} else {
+		suite.False(cfg.MachineConfig.Features().RBACEnabled())
+	}
 }
 
 func (suite *GenerateSuite) TestGenerateControlPlaneSuccess() {
 	cfg, err := genv1alpha1.Config(machine.TypeControlPlane, suite.input)
 	suite.Require().NoError(err)
 
-	suite.True(cfg.MachineConfig.Features().RBACEnabled())
-	suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	if suite.versionContract.SupportsRBACFeature() {
+		suite.True(cfg.MachineConfig.Features().RBACEnabled())
+		suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	} else {
+		suite.False(cfg.MachineConfig.Features().RBACEnabled())
+	}
 }
 
 func (suite *GenerateSuite) TestGenerateWorkerSuccess() {
 	cfg, err := genv1alpha1.Config(machine.TypeJoin, suite.input)
 	suite.Require().NoError(err)
 
-	suite.True(cfg.MachineConfig.Features().RBACEnabled())
-	suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	if suite.versionContract.SupportsRBACFeature() {
+		suite.True(cfg.MachineConfig.Features().RBACEnabled())
+		suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	} else {
+		suite.False(cfg.MachineConfig.Features().RBACEnabled())
+	}
 }
 
 func (suite *GenerateSuite) TestGenerateTalosconfigSuccess() {

pkg/machinery/config/types/v1alpha1/generate/init.go

@@ -51,9 +51,11 @@ func initUd(in *Input) (*v1alpha1.Config, error) {
 		},
 		MachineDisks:                in.MachineDisks,
 		MachineSystemDiskEncryption: in.SystemDiskEncryptionConfig,
-		MachineFeatures: &v1alpha1.FeaturesConfig{
-			RBAC: pointer.ToBool(true),
-		},
+		MachineFeatures:             &v1alpha1.FeaturesConfig{},
+	}
+
+	if in.VersionContract.SupportsRBACFeature() {
+		machine.MachineFeatures.RBAC = pointer.ToBool(true)
 	}
 
 	certSANs := in.GetAPIServerSANs()

pkg/machinery/config/types/v1alpha1/generate/join.go

@@ -51,9 +51,11 @@ func workerUd(in *Input) (*v1alpha1.Config, error) {
 		},
 		MachineDisks:                in.MachineDisks,
 		MachineSystemDiskEncryption: in.SystemDiskEncryptionConfig,
-		MachineFeatures: &v1alpha1.FeaturesConfig{
-			RBAC: pointer.ToBool(true),
-		},
+		MachineFeatures:             &v1alpha1.FeaturesConfig{},
+	}
+
+	if in.VersionContract.SupportsRBACFeature() {
+		machine.MachineFeatures.RBAC = pointer.ToBool(true)
 	}
 
 	controlPlaneURL, err := url.Parse(in.ControlPlaneEndpoint)