diff --git a/pkg/machinery/config/contract.go b/pkg/machinery/config/contract.go
index 2ceda0671..7764c4a37 100644
--- a/pkg/machinery/config/contract.go
+++ b/pkg/machinery/config/contract.go
@@ -24,6 +24,8 @@ type VersionContract struct {
 // Well-known Talos version contracts.
 var (
 TalosVersionCurrent = (*VersionContract)(nil)
+ TalosVersion0_11 = &VersionContract{0, 11}
+ TalosVersion0_10 = &VersionContract{0, 10}
 TalosVersion0_9 = &VersionContract{0, 9}
 TalosVersion0_8 = &VersionContract{0, 8}
 )
@@ -72,3 +74,8 @@ func (contract *VersionContract) SupportsAggregatorCA() bool {
 func (contract *VersionContract) SupportsServiceAccount() bool {
 return contract.Greater(TalosVersion0_8)
 }
+
+// SupportsRBACFeature returns true if version of Talos supports RBAC feature gate.
+func (contract *VersionContract) SupportsRBACFeature() bool {
+ return contract.Greater(TalosVersion0_10)
+}
diff --git a/pkg/machinery/config/contract_test.go b/pkg/machinery/config/contract_test.go
index 823364c22..8f7f97e8b 100644
--- a/pkg/machinery/config/contract_test.go
+++ b/pkg/machinery/config/contract_test.go
@@ -47,16 +47,33 @@ func TestContractCurrent(t *testing.T) {
 assert.True(t, config.TalosVersionCurrent.SupportsAggregatorCA())
 assert.True(t, config.TalosVersionCurrent.SupportsECDSAKeys())
 assert.True(t, config.TalosVersionCurrent.SupportsServiceAccount())
+ assert.True(t, config.TalosVersionCurrent.SupportsRBACFeature())
+}
+
+func TestContract0_11(t *testing.T) {
+ assert.True(t, config.TalosVersion0_11.SupportsAggregatorCA())
+ assert.True(t, config.TalosVersion0_11.SupportsECDSAKeys())
+ assert.True(t, config.TalosVersion0_11.SupportsServiceAccount())
+ assert.True(t, config.TalosVersion0_11.SupportsRBACFeature())
+}
+
+func TestContract0_10(t *testing.T) {
+ assert.True(t, config.TalosVersion0_10.SupportsAggregatorCA())
+ assert.True(t, config.TalosVersion0_10.SupportsECDSAKeys())
+ assert.True(t, config.TalosVersion0_10.SupportsServiceAccount())
+ assert.False(t, config.TalosVersion0_10.SupportsRBACFeature())
 }

 func TestContract0_9(t *testing.T) {
 assert.True(t, config.TalosVersion0_9.SupportsAggregatorCA())
 assert.True(t, config.TalosVersion0_9.SupportsECDSAKeys())
 assert.True(t, config.TalosVersion0_9.SupportsServiceAccount())
+ assert.False(t, config.TalosVersion0_9.SupportsRBACFeature())
 }

 func TestContract0_8(t *testing.T) {
 assert.False(t, config.TalosVersion0_8.SupportsAggregatorCA())
 assert.False(t, config.TalosVersion0_8.SupportsECDSAKeys())
 assert.False(t, config.TalosVersion0_8.SupportsServiceAccount())
+ assert.False(t, config.TalosVersion0_9.SupportsRBACFeature())
 }
diff --git a/pkg/machinery/config/types/v1alpha1/generate/generate.go b/pkg/machinery/config/types/v1alpha1/generate/generate.go
index 0c5cee1d5..38ce5b1a9 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/generate.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/generate.go
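Review bot: The assertion added to `TestContract0_8` checks `config.TalosVersion0_9` instead of `config.TalosVersion0_8`, so the 0.8 contract is never exercised against `SupportsRBACFeature()` and the 0.9 check simply runs twice. The line should read `assert.False(t, config.TalosVersion0_8.SupportsRBACFeature())`. Because this predicate decides whether generated machine configs turn RBAC on, each contract's result is worth pinning by its own test.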
@@ -52,7 +52,8 @@ func Config(t machine.Type, in *Input) (c *v1alpha1.Config, err error) {
 //
 //nolint:maligned
 type Input struct {
- Certs *Certs
+ Certs *Certs
+ VersionContract *config.VersionContract

 // ControlplaneEndpoint is the canonical address of the kubernetes control
 // plane. It can be a DNS name, the IP address of a load balancer, or
@@ -453,6 +454,7 @@ func NewInput(clustername, endpoint, kubernetesVersion string, secrets *SecretsB

 input = &Input{
 Certs: secrets.Certs,
+ VersionContract: options.VersionContract,
 ControlPlaneEndpoint: endpoint,
 PodNet: []string{podNet},
 ServiceNet: []string{serviceNet},
diff --git a/pkg/machinery/config/types/v1alpha1/generate/generate_test.go b/pkg/machinery/config/types/v1alpha1/generate/generate_test.go
index 4309c824c..76139b0ac 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/generate_test.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/generate_test.go
@@ -23,6 +23,8 @@ type GenerateSuite struct {

 input *genv1alpha1.Input
 genOptions []genv1alpha1.GenOption
+
+ versionContract *config.VersionContract
 }

 func TestGenerateSuite(t *testing.T) {
@@ -33,6 +35,14 @@ func TestGenerateSuite(t *testing.T) {
 {
 label: "current",
 },
+ {
+ label: "0.11",
+ genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_11)},
+ },
+ {
+ label: "0.10",
+ genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_10)},
+ },
 {
 label: "0.9",
 genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_9)},
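Review bot: The `VersionContract` field added to `Input` in generate.go has no doc comment, unlike the `ControlplaneEndpoint` field directly below it, and its nil case matters. contract.go declares `TalosVersionCurrent` as a nil `*VersionContract`, so an `Input` built without this field is presumably treated as the current version and gets the RBAC feature gate from the generators. I would add `// VersionContract selects the Talos version the config is generated for; nil means TalosVersionCurrent.` above the field. The struct body continues outside the hunk.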
@@ -58,30 +68,50 @@ func (suite *GenerateSuite) SetupSuite() {
 suite.Require().NoError(err)
 suite.input, err = genv1alpha1.NewInput("test", "10.0.1.5", constants.DefaultKubernetesVersion, secrets, suite.genOptions...)
 suite.Require().NoError(err)
+
+ var opts genv1alpha1.GenOptions
+
+ for _, opt := range suite.genOptions {
+ suite.Require().NoError(opt(&opts))
+ }
+
+ suite.versionContract = opts.VersionContract
 }

 func (suite *GenerateSuite) TestGenerateInitSuccess() {
 cfg, err := genv1alpha1.Config(machine.TypeInit, suite.input)
 suite.Require().NoError(err)

- suite.True(cfg.MachineConfig.Features().RBACEnabled())
- suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+ if suite.versionContract.SupportsRBACFeature() {
+ suite.True(cfg.MachineConfig.Features().RBACEnabled())
+ suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+ } else {
+ suite.False(cfg.MachineConfig.Features().RBACEnabled())
+ }
 }

 func (suite *GenerateSuite) TestGenerateControlPlaneSuccess() {
 cfg, err := genv1alpha1.Config(machine.TypeControlPlane, suite.input)
 suite.Require().NoError(err)

- suite.True(cfg.MachineConfig.Features().RBACEnabled())
- suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+ if suite.versionContract.SupportsRBACFeature() {
+ suite.True(cfg.MachineConfig.Features().RBACEnabled())
+ suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+ } else {
+ suite.False(cfg.MachineConfig.Features().RBACEnabled())
+ }
 }

 func (suite *GenerateSuite) TestGenerateWorkerSuccess() {
 cfg, err := genv1alpha1.Config(machine.TypeJoin, suite.input)
 suite.Require().NoError(err)

- suite.True(cfg.MachineConfig.Features().RBACEnabled())
- suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+ if suite.versionContract.SupportsRBACFeature() {
+ suite.True(cfg.MachineConfig.Features().RBACEnabled())
+ suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+ } else {
+ suite.False(cfg.MachineConfig.Features().RBACEnabled())
+ }
 }

 func (suite *GenerateSuite) TestGenerateTalosconfigSuccess() {
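Review bot: The `else` branches in `TestGenerateInitSuccess`, `TestGenerateControlPlaneSuccess` and `TestGenerateWorkerSuccess` assert only that `RBACEnabled()` is false, which presumably holds both when `MachineFeatures.RBAC` is nil and when it is an explicit false pointer. init.go and join.go in this commit leave the field unset for older contracts, so adding `suite.Nil(cfg.MachineConfig.MachineFeatures.RBAC)` after the `suite.False(...)` line would pin that the gate is omitted rather than written out. A short comment in `SetupSuite` would also help, noting that the options are re-applied on purpose so the expected contract is derived independently of what `NewInput` stored.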
diff --git a/pkg/machinery/config/types/v1alpha1/generate/init.go b/pkg/machinery/config/types/v1alpha1/generate/init.go
index 4a8942b33..91479bcb5 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/init.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/init.go
@@ -51,9 +51,11 @@ func initUd(in *Input) (*v1alpha1.Config, error) {
 },
 MachineDisks: in.MachineDisks,
 MachineSystemDiskEncryption: in.SystemDiskEncryptionConfig,
- MachineFeatures: &v1alpha1.FeaturesConfig{
- RBAC: pointer.ToBool(true),
- },
+ MachineFeatures: &v1alpha1.FeaturesConfig{},
+ }
+
+ if in.VersionContract.SupportsRBACFeature() {
+ machine.MachineFeatures.RBAC = pointer.ToBool(true)
 }

 certSANs := in.GetAPIServerSANs()
diff --git a/pkg/machinery/config/types/v1alpha1/generate/join.go b/pkg/machinery/config/types/v1alpha1/generate/join.go
index 68eb03642..c349ebcca 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/join.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/join.go
@@ -51,9 +51,11 @@ func workerUd(in *Input) (*v1alpha1.Config, error) {
 },
 MachineDisks: in.MachineDisks,
 MachineSystemDiskEncryption: in.SystemDiskEncryptionConfig,
- MachineFeatures: &v1alpha1.FeaturesConfig{
- RBAC: pointer.ToBool(true),
- },
+ MachineFeatures: &v1alpha1.FeaturesConfig{},
+ }
+
+ if in.VersionContract.SupportsRBACFeature() {
+ machine.MachineFeatures.RBAC = pointer.ToBool(true)
 }

 controlPlaneURL, err := url.Parse(in.ControlPlaneEndpoint)
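Review bot: The RBAC gate added to `initUd` is repeated verbatim in `workerUd` in join.go, and neither copy says why the field is left unset for contracts up to 0.10. A one-line comment above the `if` would record the intent, e.g. `// RBAC is only emitted for contracts newer than 0.10; configs for older versions are generated without the feature gate.` Since this condition decides whether a generated machine config has RBAC turned on, moving it into one small unexported helper that takes `in` would keep the two generators from drifting apart when the threshold or the feature set changes. Both function bodies start and end outside their hunks.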