From fa15a6687fc56820fbc5566d494bedbc1a5f600f Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Thu, 17 Jun 2021 16:54:51 +0300
Subject: [PATCH] fix: don't enable RBAC feature in the config for Talos < 0.11

This makes sure that if config is generated for older version of Talos, RBAC feature is not enabled by default. We do this to ensure that there's no surprise if Talos 0.10 is upgraded to 0.11 and RBAC is enabled while the user is not ready for that.

Signed-off-by: Andrey Smirnov
---
 pkg/machinery/config/contract.go | 7 ++++
 pkg/machinery/config/contract_test.go | 17 ++++++++
 .../types/v1alpha1/generate/generate.go | 4 +-
 .../types/v1alpha1/generate/generate_test.go | 42 ++++++++++++++++---
 .../config/types/v1alpha1/generate/init.go | 8 ++--
 .../config/types/v1alpha1/generate/join.go | 8 ++--
 6 files changed, 73 insertions(+), 13 deletions(-)

diff --git a/pkg/machinery/config/contract.go b/pkg/machinery/config/contract.go
index 2ceda0671..7764c4a37 100644
--- a/pkg/machinery/config/contract.go
+++ b/pkg/machinery/config/contract.go
@@ -24,6 +24,8 @@ type VersionContract struct {
 // Well-known Talos version contracts.
 var (
 	TalosVersionCurrent = (*VersionContract)(nil)
+	TalosVersion0_11 = &VersionContract{0, 11}
+	TalosVersion0_10 = &VersionContract{0, 10}
 	TalosVersion0_9 = &VersionContract{0, 9}
 	TalosVersion0_8 = &VersionContract{0, 8}
 )
@@ -72,3 +74,8 @@ func (contract *VersionContract) SupportsAggregatorCA() bool {
 func (contract *VersionContract) SupportsServiceAccount() bool {
 	return contract.Greater(TalosVersion0_8)
 }
+
+// SupportsRBACFeature returns true if version of Talos supports RBAC feature gate.
+func (contract *VersionContract) SupportsRBACFeature() bool {
+	return contract.Greater(TalosVersion0_10)
+}
diff --git a/pkg/machinery/config/contract_test.go b/pkg/machinery/config/contract_test.go
index 823364c22..8f7f97e8b 100644
--- a/pkg/machinery/config/contract_test.go
+++ b/pkg/machinery/config/contract_test.go
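Review bot: The doc comment on `SupportsRBACFeature` should state the threshold and the nil-receiver contract, because `TalosVersionCurrent` is declared as a typed nil pointer in the same file and the new test file calls `TalosVersionCurrent.SupportsRBACFeature()` on it. Whether `Greater` tolerates a nil receiver is not visible in this hunk, so the method presumably inherits that behaviour from its siblings; making it explicit keeps the next gate from being written with a receiver dereference. Proposed: `// SupportsRBACFeature returns true if the Talos version (0.11 and later, or the nil "current" contract) supports the RBAC feature gate.`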
@@ -47,16 +47,33 @@ func TestContractCurrent(t *testing.T) {
 	assert.True(t, config.TalosVersionCurrent.SupportsAggregatorCA())
 	assert.True(t, config.TalosVersionCurrent.SupportsECDSAKeys())
 	assert.True(t, config.TalosVersionCurrent.SupportsServiceAccount())
+	assert.True(t, config.TalosVersionCurrent.SupportsRBACFeature())
+}
+
+func TestContract0_11(t *testing.T) {
+	assert.True(t, config.TalosVersion0_11.SupportsAggregatorCA())
+	assert.True(t, config.TalosVersion0_11.SupportsECDSAKeys())
+	assert.True(t, config.TalosVersion0_11.SupportsServiceAccount())
+	assert.True(t, config.TalosVersion0_11.SupportsRBACFeature())
+}
+
+func TestContract0_10(t *testing.T) {
+	assert.True(t, config.TalosVersion0_10.SupportsAggregatorCA())
+	assert.True(t, config.TalosVersion0_10.SupportsECDSAKeys())
+	assert.True(t, config.TalosVersion0_10.SupportsServiceAccount())
+	assert.False(t, config.TalosVersion0_10.SupportsRBACFeature())
 }
 
 func TestContract0_9(t *testing.T) {
 	assert.True(t, config.TalosVersion0_9.SupportsAggregatorCA())
 	assert.True(t, config.TalosVersion0_9.SupportsECDSAKeys())
 	assert.True(t, config.TalosVersion0_9.SupportsServiceAccount())
+	assert.False(t, config.TalosVersion0_9.SupportsRBACFeature())
 }
 
 func TestContract0_8(t *testing.T) {
 	assert.False(t, config.TalosVersion0_8.SupportsAggregatorCA())
 	assert.False(t, config.TalosVersion0_8.SupportsECDSAKeys())
 	assert.False(t, config.TalosVersion0_8.SupportsServiceAccount())
+	assert.False(t, config.TalosVersion0_9.SupportsRBACFeature())
 }
diff --git a/pkg/machinery/config/types/v1alpha1/generate/generate.go b/pkg/machinery/config/types/v1alpha1/generate/generate.go
index 0c5cee1d5..38ce5b1a9 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/generate.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/generate.go
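Review bot: The assertion added to `TestContract0_8` checks `config.TalosVersion0_9`, not `TalosVersion0_8`, so the 0.8 contract's RBAC gate is never exercised and the line merely repeats the assertion already made in `TestContract0_9`. It should read `assert.False(t, config.TalosVersion0_8.SupportsRBACFeature())`. Every other line in that function uses `TalosVersion0_8`, so this looks like a copy-paste slip rather than intent.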
@@ -52,7 +52,8 @@ func Config(t machine.Type, in *Input) (c *v1alpha1.Config, err error) {
 //
 //nolint:maligned
 type Input struct {
-	Certs *Certs
+	Certs *Certs
+	VersionContract *config.VersionContract
 
 	// ControlplaneEndpoint is the canonical address of the kubernetes control
 	// plane. It can be a DNS name, the IP address of a load balancer, or
@@ -453,6 +454,7 @@ func NewInput(clustername, endpoint, kubernetesVersion string, secrets *SecretsB
 
 	input = &Input{
 		Certs: secrets.Certs,
+		VersionContract: options.VersionContract,
 		ControlPlaneEndpoint: endpoint,
 		PodNet: []string{podNet},
 		ServiceNet: []string{serviceNet},
diff --git a/pkg/machinery/config/types/v1alpha1/generate/generate_test.go b/pkg/machinery/config/types/v1alpha1/generate/generate_test.go
index 4309c824c..76139b0ac 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/generate_test.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/generate_test.go
@@ -23,6 +23,8 @@ type GenerateSuite struct {
 
 	input *genv1alpha1.Input
 	genOptions []genv1alpha1.GenOption
+
+	versionContract *config.VersionContract
 }
 
 func TestGenerateSuite(t *testing.T) {
@@ -33,6 +35,14 @@ func TestGenerateSuite(t *testing.T) {
 		{
 			label: "current",
 		},
+		{
+			label: "0.11",
+			genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_11)},
+		},
+		{
+			label: "0.10",
+			genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_10)},
+		},
 		{
 			label: "0.9",
 			genOptions: []genv1alpha1.GenOption{genv1alpha1.WithVersionContract(config.TalosVersion0_9)},
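Review bot: The new `VersionContract` field on `Input` has no doc comment, while the neighbouring `ControlplaneEndpoint` field is documented; since `TalosVersionCurrent` is a typed nil pointer, the zero value of this field silently means "current", and that is worth stating. Proposed: `// VersionContract is the Talos version contract the generated config targets; nil (TalosVersionCurrent) selects the current version.` Only `NewInput` copies it from `options.VersionContract`, so any caller that builds an `Input` by hand gets current-version behaviour — RBAC switched on per the init.go and join.go hunks — which the comment should also make explicit. The `Input` struct continues past the end of this hunk.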
@@ -58,30 +68,50 @@ func (suite *GenerateSuite) SetupSuite() {
 	suite.Require().NoError(err)
 	suite.input, err = genv1alpha1.NewInput("test", "10.0.1.5", constants.DefaultKubernetesVersion, secrets, suite.genOptions...)
 	suite.Require().NoError(err)
+
+	var opts genv1alpha1.GenOptions
+
+	for _, opt := range suite.genOptions {
+		suite.Require().NoError(opt(&opts))
+	}
+
+	suite.versionContract = opts.VersionContract
 }
 
 func (suite *GenerateSuite) TestGenerateInitSuccess() {
 	cfg, err := genv1alpha1.Config(machine.TypeInit, suite.input)
 	suite.Require().NoError(err)
 
-	suite.True(cfg.MachineConfig.Features().RBACEnabled())
-	suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	if suite.versionContract.SupportsRBACFeature() {
+		suite.True(cfg.MachineConfig.Features().RBACEnabled())
+		suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	} else {
+		suite.False(cfg.MachineConfig.Features().RBACEnabled())
+	}
 }
 
 func (suite *GenerateSuite) TestGenerateControlPlaneSuccess() {
 	cfg, err := genv1alpha1.Config(machine.TypeControlPlane, suite.input)
 	suite.Require().NoError(err)
 
-	suite.True(cfg.MachineConfig.Features().RBACEnabled())
-	suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	if suite.versionContract.SupportsRBACFeature() {
+		suite.True(cfg.MachineConfig.Features().RBACEnabled())
+		suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	} else {
+		suite.False(cfg.MachineConfig.Features().RBACEnabled())
+	}
 }
 
 func (suite *GenerateSuite) TestGenerateWorkerSuccess() {
 	cfg, err := genv1alpha1.Config(machine.TypeJoin, suite.input)
 	suite.Require().NoError(err)
 
-	suite.True(cfg.MachineConfig.Features().RBACEnabled())
-	suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	if suite.versionContract.SupportsRBACFeature() {
+		suite.True(cfg.MachineConfig.Features().RBACEnabled())
+		suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)
+	} else {
+		suite.False(cfg.MachineConfig.Features().RBACEnabled())
+	}
 }
 
 func (suite *GenerateSuite) TestGenerateTalosconfigSuccess() {
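Review bot: The `else` branch in `TestGenerateInitSuccess`, `TestGenerateControlPlaneSuccess` and `TestGenerateWorkerSuccess` only checks `RBACEnabled()` is false, which does not distinguish "feature left unset" (what the init.go and join.go hunks produce, an empty `FeaturesConfig`) from "feature explicitly disabled"; asserting `MachineFeatures.RBAC` is nil pins the intended behaviour. The same six-line conditional is repeated verbatim in all three methods, so a suite helper would make the strengthened check live in one place. `SetupSuite` also replays every `GenOption` into a throwaway `GenOptions` just to read back the contract, which works but is worth a one-line comment saying why. The helper's parameter type is whatever `genv1alpha1.Config` returns; if the test file does not already import that package, the import is needed.
```go
// assertRBAC checks the RBAC feature gate in cfg against the version
// contract the suite was generated for: enabled from 0.11 on, left unset before.
func (suite *GenerateSuite) assertRBAC(cfg *v1alpha1.Config) {
	if suite.versionContract.SupportsRBACFeature() {
		suite.True(cfg.MachineConfig.Features().RBACEnabled())
		suite.True(*cfg.MachineConfig.MachineFeatures.RBAC)

		return
	}

	suite.False(cfg.MachineConfig.Features().RBACEnabled())
	suite.Nil(cfg.MachineConfig.MachineFeatures.RBAC)
}

func (suite *GenerateSuite) TestGenerateInitSuccess() {
	cfg, err := genv1alpha1.Config(machine.TypeInit, suite.input)
	suite.Require().NoError(err)

	suite.assertRBAC(cfg)
}

// … unchanged: TestGenerateControlPlaneSuccess and TestGenerateWorkerSuccess call suite.assertRBAC(cfg) the same way …
```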
diff --git a/pkg/machinery/config/types/v1alpha1/generate/init.go b/pkg/machinery/config/types/v1alpha1/generate/init.go
index 4a8942b33..91479bcb5 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/init.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/init.go
@@ -51,9 +51,11 @@ func initUd(in *Input) (*v1alpha1.Config, error) {
 		},
 		MachineDisks: in.MachineDisks,
 		MachineSystemDiskEncryption: in.SystemDiskEncryptionConfig,
-		MachineFeatures: &v1alpha1.FeaturesConfig{
-			RBAC: pointer.ToBool(true),
-		},
+		MachineFeatures: &v1alpha1.FeaturesConfig{},
+	}
+
+	if in.VersionContract.SupportsRBACFeature() {
+		machine.MachineFeatures.RBAC = pointer.ToBool(true)
 	}
 
 	certSANs := in.GetAPIServerSANs()
diff --git a/pkg/machinery/config/types/v1alpha1/generate/join.go b/pkg/machinery/config/types/v1alpha1/generate/join.go
index 68eb03642..c349ebcca 100644
--- a/pkg/machinery/config/types/v1alpha1/generate/join.go
+++ b/pkg/machinery/config/types/v1alpha1/generate/join.go
@@ -51,9 +51,11 @@ func workerUd(in *Input) (*v1alpha1.Config, error) {
 		},
 		MachineDisks: in.MachineDisks,
 		MachineSystemDiskEncryption: in.SystemDiskEncryptionConfig,
-		MachineFeatures: &v1alpha1.FeaturesConfig{
-			RBAC: pointer.ToBool(true),
-		},
+		MachineFeatures: &v1alpha1.FeaturesConfig{},
+	}
+
+	if in.VersionContract.SupportsRBACFeature() {
+		machine.MachineFeatures.RBAC = pointer.ToBool(true)
 	}
 
 	controlPlaneURL, err := url.Parse(in.ControlPlaneEndpoint)
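Review bot: The RBAC gate is now written twice, identically, in `initUd` (init.go) and `workerUd` (join.go), so the next feature gate will have to be added in both places and the two can drift apart; a single package helper keeps the version-contract logic in one spot and gives the `FeaturesConfig` literal a home for a comment. It is also worth noting in code that for contracts before 0.11 the field is left nil — not set to `false` — so the generated config inherits whatever the target Talos release defaults to, which is the upgrade-safety property the commit message describes. Both `initUd` and `workerUd` continue outside their hunks; the helper below replaces the `MachineFeatures:` line and the trailing `if` in each.
```go
// featuresConfig builds the machine features block for the Input's version
// contract. RBAC is switched on only from Talos 0.11 on; for older contracts
// the field is left unset rather than forced to false, so the target release's
// own default applies after an upgrade.
func featuresConfig(in *Input) *v1alpha1.FeaturesConfig {
	features := &v1alpha1.FeaturesConfig{}

	if in.VersionContract.SupportsRBACFeature() {
		features.RBAC = pointer.ToBool(true)
	}

	return features
}

// … unchanged: in initUd and workerUd the MachineConfig literal reads …
		MachineFeatures: featuresConfig(in),
	}
// … unchanged: certSANs / controlPlaneURL handling follows …
```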