diff --git a/cmd/talosctl/cmd/mgmt/gen.go b/cmd/talosctl/cmd/mgmt/gen.go index 6f81197f33..894b049ebe 100644 --- a/cmd/talosctl/cmd/mgmt/gen.go +++ b/cmd/talosctl/cmd/mgmt/gen.go @@ -18,6 +18,7 @@ import ( "github.com/talos-systems/crypto/x509" "github.com/talos-systems/talos/pkg/cli" + "github.com/talos-systems/talos/pkg/machinery/constants" ) var ( @@ -124,6 +125,7 @@ var csrCmd = &cobra.Command{ } ips := []net.IP{parsed} + opts = append(opts, x509.Organization(constants.RoleAdmin)) opts = append(opts, x509.IPAddresses(ips)) opts = append(opts, x509.NotAfter(time.Now().Add(time.Duration(crtHours)*time.Hour))) diff --git a/pkg/machinery/config/types/v1alpha1/generate/generate.go b/pkg/machinery/config/types/v1alpha1/generate/generate.go index 7fc57bf7be..d0fff6bb70 100644 --- a/pkg/machinery/config/types/v1alpha1/generate/generate.go +++ b/pkg/machinery/config/types/v1alpha1/generate/generate.go @@ -381,11 +381,12 @@ func NewTalosCA(currentTime time.Time) (ca *x509.CertificateAuthority, err error return x509.NewSelfSignedCertificateAuthority(opts...) } -// NewAdminCertificateAndKey generates the admin Talos certifiate and key. +// NewAdminCertificateAndKey generates the admin Talos certificate and key. func NewAdminCertificateAndKey(currentTime time.Time, ca *x509.PEMEncodedCertificateAndKey, loopback string) (p *x509.PEMEncodedCertificateAndKey, err error) { ips := []net.IP{net.ParseIP(loopback)} opts := []x509.Option{ + x509.Organization(constants.RoleAdmin), x509.IPAddresses(ips), x509.NotAfter(currentTime.Add(87600 * time.Hour)), x509.NotBefore(currentTime), diff --git a/pkg/machinery/config/types/v1alpha1/generate/generate_test.go b/pkg/machinery/config/types/v1alpha1/generate/generate_test.go index 4f7aa81fed..c7c1cd7425 100644 --- a/pkg/machinery/config/types/v1alpha1/generate/generate_test.go +++ b/pkg/machinery/config/types/v1alpha1/generate/generate_test.go @@ -5,10 +5,12 @@ package generate_test import ( + "crypto/x509" "testing" "github.com/stretchr/testify/suite" + "github.com/talos-systems/talos/pkg/machinery/client" "github.com/talos-systems/talos/pkg/machinery/config" genv1alpha1 "github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/generate" "github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/machine" @@ -73,6 +75,16 @@ func (suite *GenerateSuite) TestGenerateWorkerSuccess() { } func (suite *GenerateSuite) TestGenerateTalosconfigSuccess() { - _, err := genv1alpha1.Talosconfig(suite.input) + cfg, err := genv1alpha1.Talosconfig(suite.input) suite.Require().NoError(err) + + creds, err := client.CredentialsFromConfigContext(cfg.Contexts[cfg.Context]) + suite.Require().NoError(err) + suite.Require().Nil(creds.Crt.Leaf) + suite.Require().Len(creds.Crt.Certificate, 1) + + cert, err := x509.ParseCertificate(creds.Crt.Certificate[0]) + suite.Require().NoError(err) + + suite.Equal([]string{constants.RoleAdmin}, cert.Subject.Organization) } diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go index 7b5ad41c40..9a0f7f1270 100644 --- a/pkg/machinery/constants/constants.go +++ b/pkg/machinery/constants/constants.go @@ -418,6 +418,9 @@ const ( // TODO: Once we get naming sorted we need to apply for a project specific address // https://manage.ntppool.org/manage/vendor DefaultNTPServer = "pool.ntp.org" + + // RoleAdmin defines Talos role for admins. It matches Organization value of Talos client certificate. + RoleAdmin = "os:admin" ) // See https://linux.die.net/man/3/klogctl