Skip to content

Commit

Permalink
feat: provide machine config document to update trusted CA roots
Browse files Browse the repository at this point in the history
Fixes #8867

Signed-off-by: Andrey Smirnov <[email protected]>
  • Loading branch information
smira committed Jul 12, 2024
1 parent f14c479 commit b07338f
Show file tree
Hide file tree
Showing 29 changed files with 4,325 additions and 21 deletions.
14 changes: 8 additions & 6 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -332,6 +332,7 @@ COPY --from=go-generate /src/pkg/machinery/nethelpers/ /pkg/machinery/nethelpers
COPY --from=go-generate /src/pkg/machinery/extensions/ /pkg/machinery/extensions/
COPY --from=ipxe-generate / /pkg/provision/providers/vm/internal/ipxe/data/ipxe/
COPY --from=embed-abbrev / /
COPY --from=pkg-ca-certificates /etc/ssl/certs/ca-certificates /internal/app/machined/pkg/controllers/secrets/data/

# The base target provides a container that can be used to build all Talos
# assets.
Expand All @@ -343,6 +344,7 @@ COPY ./internal ./internal
COPY --from=generate /pkg/flannel/ ./pkg/flannel/
COPY --from=generate /pkg/imager/ ./pkg/imager/
COPY --from=generate /pkg/machinery/ ./pkg/machinery/
COPY --from=generate /internal/app/machined/pkg/controllers/secrets/data/ ./internal/app/machined/pkg/controllers/secrets/data/
COPY --from=embed / ./
RUN --mount=type=cache,target=/.cache go list all >/dev/null
WORKDIR /src/pkg/machinery
Expand Down Expand Up @@ -561,7 +563,6 @@ COPY --from=depmod-arm64 /build/lib/modules /lib/modules
# The rootfs target provides the Talos rootfs.
FROM build AS rootfs-base-amd64
COPY --link --from=pkg-fhs / /rootfs
COPY --link --from=pkg-ca-certificates / /rootfs
COPY --link --from=pkg-apparmor-amd64 / /rootfs
COPY --link --from=pkg-cryptsetup-amd64 / /rootfs
COPY --link --from=pkg-containerd-amd64 / /rootfs
Expand Down Expand Up @@ -604,7 +605,7 @@ COPY ./hack/cleanup.sh /toolchain/bin/cleanup.sh
RUN <<END
cleanup.sh /rootfs
mkdir -pv /rootfs/{boot/EFI,etc/cri/conf.d/hosts,lib/firmware,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,etc/ssl/certs,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
END
COPY --chmod=0644 hack/zoneinfo/Etc/UTC /rootfs/usr/share/zoneinfo/Etc/UTC
Expand All @@ -616,7 +617,7 @@ COPY --chmod=0644 hack/udevd/80-net-name-slot.rules /rootfs/usr/lib/udev/rules.d
COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
RUN <<END
ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part}
touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part,ssl/certs/ca-certificates}
ln -s ca-certificates /rootfs/etc/ssl/certs/ca-certificates.crt
ln -s /etc/ssl /rootfs/etc/pki
ln -s /etc/ssl /rootfs/usr/share/ca-certificates
Expand All @@ -626,7 +627,6 @@ END

FROM build AS rootfs-base-arm64
COPY --link --from=pkg-fhs / /rootfs
COPY --link --from=pkg-ca-certificates / /rootfs
COPY --link --from=pkg-apparmor-arm64 / /rootfs
COPY --link --from=pkg-cryptsetup-arm64 / /rootfs
COPY --link --from=pkg-containerd-arm64 / /rootfs
Expand Down Expand Up @@ -669,7 +669,7 @@ COPY ./hack/cleanup.sh /toolchain/bin/cleanup.sh
RUN <<END
cleanup.sh /rootfs
mkdir -pv /rootfs/{boot/EFI,etc/cri/conf.d/hosts,lib/firmware,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,etc/ssl/certs,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
END
COPY --chmod=0644 hack/zoneinfo/Etc/UTC /rootfs/usr/share/zoneinfo/Etc/UTC
Expand All @@ -681,7 +681,7 @@ COPY --chmod=0644 hack/udevd/80-net-name-slot.rules /rootfs/usr/lib/udev/rules.d
COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
RUN <<END
ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part}
touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,os-release,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part,ssl/certs/ca-certificates}
ln -s /etc/ssl /rootfs/etc/pki
ln -s ca-certificates /rootfs/etc/ssl/certs/ca-certificates.crt
ln -s /etc/ssl /rootfs/usr/share/ca-certificates
Expand Down Expand Up @@ -867,6 +867,7 @@ FROM --platform=${BUILDPLATFORM} iso-${TARGETARCH} AS iso
FROM base AS unit-tests-runner
RUN unlink /etc/ssl
COPY --from=rootfs / /
COPY --from=pkg-ca-certificates / /
ARG TESTPKGS
ENV PLATFORM=container
ARG GO_LDFLAGS
Expand All @@ -881,6 +882,7 @@ COPY --from=unit-tests-runner /src/coverage.txt /coverage.txt
FROM base AS unit-tests-race
RUN unlink /etc/ssl
COPY --from=rootfs / /
COPY --from=pkg-ca-certificates / /
ARG TESTPKGS
ENV PLATFORM=container
ENV CGO_ENABLED=1
Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ ARTIFACTS := _out
TOOLS ?= ghcr.io/siderolabs/tools:v1.8.0-alpha.0-6-g31ad71b

PKGS_PREFIX ?= ghcr.io/siderolabs
PKGS ?= v1.8.0-alpha.0-34-gce49757
PKGS ?= v1.8.0-alpha.0-36-g25f3a99
EXTRAS ?= v1.8.0-alpha.0-3-gcab51d8

KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
Expand Down
5 changes: 5 additions & 0 deletions cmd/talosctl/cmd/docs.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"github.com/siderolabs/talos/pkg/machinery/config/types/network"
"github.com/siderolabs/talos/pkg/machinery/config/types/runtime"
"github.com/siderolabs/talos/pkg/machinery/config/types/runtime/extensions"
"github.com/siderolabs/talos/pkg/machinery/config/types/security"
"github.com/siderolabs/talos/pkg/machinery/config/types/siderolink"
v1alpha1 "github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
)
Expand Down Expand Up @@ -125,6 +126,10 @@ var docsCmd = &cobra.Command{
name: "extensions",
fileDoc: extensions.GetFileDoc(),
},
{
name: "security",
fileDoc: security.GetFileDoc(),
},
} {
path := filepath.Join(dir, pkg.name)

Expand Down
6 changes: 6 additions & 0 deletions hack/release.toml
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,12 @@ Talos Linux now support configuring 'vlan_filtering' for bridge interfaces.
title = "kube-proxy"
description = """\
Talos Linux configures kube-proxy >= v1.31.0 to use 'nftables' backend by default.
"""

[notes.trusted-roots]
title = "Custom Trusted Roots"
description = """\
Talos Linux now supports adding [custom trusted roots](https://www.talos.dev/v1.8/talos-guides/configuration/certificate-authorities/) (CA certificates) via `TrustedRootsConfig` configuration documents.
"""

[make_deps]
Expand Down
Loading

0 comments on commit b07338f

Please sign in to comment.