budimanjojo/talhelper

genconfig generates new certificates each time

Opened this issue · 7 comments

When building the cluster initially and then running talhelper genconfig it all works fine.

If you delete the talosconfig generated and run talhelper genconfig again you get a different ca, crt and key from the same configuration.

Reproduction steps:

  1. Have a talconfig.yaml, talenv.sops.yaml and talsecrets.sops.yaml
  2. Run talhelper genconfig --env-file talenv.sops.yaml --secret-file talsecret.sops.yaml --config-file talconfig.yaml
  3. Copy the clusterconfig folder
  4. Delete the clusterconfig folder
  5. Run Step 2 again
  6. Run diff clusterconfig/talosconfig /tmp/old/talosconfig

They are different, making me lose access to the Talos API.

Are u sure the ca is different? The crt and key are expected to be different every time u generate a new one, because they use the time you run the command, but not the ca. And you will still be able to access the Talos API as long as the ca is correct and is used to get the crt and key.

I can't reproduce it on my test though:

```
 diff clusterconfig/talosconfig clusterconfig-old/talosconfig
6,7c6,7
<         crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBalhOTSt5Q05sZ0tlVjZick9EUUxsREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qTXhNVE13TVRVeE56UXhXaGNOTWpReE1USTVNVFV4TnpReFdqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRs
Y0FNaEFGb2RmelU0YUdJQ1B2VElSMlNGemRNTGpNMWZXQXYzCmhGTU5BczZVdFFwSm8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVHbkh2YVpOL0RtTzEweDdmZi9kMFU4N21wZFF3QlFZREsyVndBMEVBUisvRgpiNjNlMkRhcEgwMG1HSDVjWmY1bDJtQ3RjNDA2YXV
zcm5xQnRScytQWnhqQ0twQ2NNRDdyZE93Y2J3SUxjNGNRCmlKTWg2OEFzWEI1L0pFcE1Ddz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
<         key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJRXNzNkprOG9kcGJjeWw4aGFWWWsxMGpVWWI4eG1ScjMzSm0zcjZPbnFYMAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
---
>         crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJLVENCM0tBREFnRUNBaEVBeWVzclljbDZWSlhETW81eU1ITHJYakFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qTXhNVE13TVRVeE56STFXaGNOTWpReE1USTVNVFV4TnpJMVdqQVRNUkV3RHdZRApWUVFLRXdodmN6cGhaRzFwYmpBcU1BVUdBeXRs
Y0FNaEFHUWpFTTBTdDlLVEpzZXFFWDZHYTJGM3lkL05KMGFQCnExRzRaZEVpODVTcm8wZ3dSakFPQmdOVkhROEJBZjhFQkFNQ0I0QXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0h3WURWUjBqQkJnd0ZvQVVHbkh2YVpOL0RtTzEweDdmZi9kMFU4N21wZFF3QlFZREsyVndBMEVBbXVwOQpXelYza3IwS0syQ2ZJa25RaVlaNXNCbGkwUDBYQ0F
ERFNlMFJMM3VGU0xuRkhyZ0JiS3VDOThFNm1OTmZYU2dUCngzclprSERjRmt2RUEyQWZEUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
>         key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJSTVtd2hLYktGU2sxNXRYQlFBZkpDQitPQWdyaW16a1NGWnZpRDdZdVlRYQotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
```
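An added example (not talhelper's own code) of the check behind the point above: decode the base64 ca/crt/key of two talosconfig files and report whether only the client crt/key rotated (expected, since they carry the generation time) or the CA itself changed (which is what breaks Talos API access, e.g. when genconfig ran without the matching secrets file). The talosconfig contents below are constructed stand-ins, not real certificates.

```python
"""Compare ca/crt/key of two talosconfig files and classify what changed."""
import base64
import hashlib
import re

# talosconfig stores ca, crt and key as single-line base64-encoded PEM values.
FIELD_RE = re.compile(r"^\s*(ca|crt|key):\s*(\S+)\s*$", re.MULTILINE)


def fingerprints(talosconfig: str) -> dict:
    """Return {field: sha256 of the PEM body} for ca, crt and key."""
    out = {}
    for field, value in FIELD_RE.findall(talosconfig):
        pem = base64.b64decode(value).decode()
        # Hash only the PEM body so line wrapping or header spacing cannot hide a match.
        body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
        out[field] = hashlib.sha256(body.encode()).hexdigest()
    return out


def compare_talosconfigs(old: str, new: str) -> dict:
    """Return {'ca': changed, 'crt': changed, 'key': changed, 'verdict': str}."""
    a, b = fingerprints(old), fingerprints(new)
    changed = {f: a.get(f) != b.get(f) for f in ("ca", "crt", "key")}
    if changed["ca"]:
        verdict = "CA changed: genconfig used different secrets, nodes will reject this client"
    elif changed["crt"] or changed["key"]:
        verdict = "only client crt/key rotated: expected, CA still matches"
    else:
        verdict = "identical"
    return {**changed, "verdict": verdict}


def _b64pem(kind: str, body: str) -> str:
    """Constructed stand-in for a real base64-encoded PEM block (not a real cert)."""
    pem = f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"
    return base64.b64encode(pem.encode()).decode()


def _talosconfig(ca: str, crt: str, key: str) -> str:
    """Constructed minimal talosconfig with the three fields this check cares about."""
    return (f"context: demo\ncontexts:\n  demo:\n    ca: {_b64pem('CERTIFICATE', ca)}\n"
            f"    crt: {_b64pem('CERTIFICATE', crt)}\n"
            f"    key: {_b64pem('ED25519 PRIVATE KEY', key)}\n")


OLD = _talosconfig("CA-ONE", "CLIENT-ONE", "KEY-ONE")
NEW_ROTATED = _talosconfig("CA-ONE", "CLIENT-TWO", "KEY-TWO")   # same CA, fresh client cert
NEW_BAD_CA = _talosconfig("CA-TWO", "CLIENT-THREE", "KEY-THREE")  # CA regenerated

if __name__ == "__main__":
    print(compare_talosconfigs(OLD, NEW_ROTATED)["verdict"])
    print(compare_talosconfigs(OLD, NEW_BAD_CA)["verdict"])
```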

Odd, I've just reproduced it again and put in a git repo https://github.com/lewis-green/talhelper-diff-issue.

Only the key/crt are different. It's weird, as when I regenerate I no longer get into Talos.

The repo above also shows that only the crt and key are different, and they are expected to be different.

Are u sure your problem is that the talosconfig can't be used to run talosctl commands? And I see that you're using the example talconfig.yaml without changing anything. The example is just an example; most things inside are not reasonable/don't make any sense and are just there to show the keys you can use with it.

@lewis-green I encountered a similar problem due to having the wrong name on the secrets file, and so it was actually regenerating the CA each time it ran. If you run the genconfig command with -d it should output if it's generating new secrets, similar to the snippets I posted on this issue.

@bluevulpine Seems like the issue is not the same because the linked repo above shows that it was using talsecret.yaml. But thanks for the information!