Fixes#6110
I somehow missed the fact that etcd certs were not made fully reactive
to node address changes (I wrongly assume it was already the fact).
This PR refactors etcd certificate generation process to be
resource-based and introduces unit-tests for the controller.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
I would like to rewrite whole cert generation process, but for now a few
fixes:
* client cert doesn't need any SANs
* peer cert should contain only non-localhost SANs
* server cert same as before (localhost + addresses)
See https://etcd.io/docs/v3.5/op-guide/security/ for details.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
As SideroLink addresses are ephemeral and point-to-point, filter them
out for node addresses, Kubelet, etcd, etc.
Fixes#4448
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
ECDSA keys are smaller which decreases Talos config size, they are more
efficient in terms of key generation, signing, etc., so it makes boot
performance better (and config generation as well).
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
Control plane components are running as static pods managed by the
kubelets.
Whole subsystem is managed via resources/controllers from os-runtime.
Many supporting changes/refactoring to enable new code paths.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
