test: update talosctl debug air-gapped

While working on another issue, I discovered we can update to use new config format. I couldn't reproduce another issue, so this is the only thing that is left. Signed-off-by: Andrey Smirnov <[email protected]>
siderolabs · Jan 15, 2025 · fab9449 · fab9449
1 parent da2e811
commit fab9449
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 26 deletions.
diff --git a/cmd/talosctl/cmd/mgmt/debug/air-gapped.go b/cmd/talosctl/cmd/mgmt/debug/air-gapped.go
@@ -30,7 +30,9 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"github.com/siderolabs/talos/pkg/cli"
+	"github.com/siderolabs/talos/pkg/machinery/config/container"
 	"github.com/siderolabs/talos/pkg/machinery/config/encoder"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/security"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 )
 
@@ -73,21 +75,13 @@ var airgappedCmd = &cobra.Command{
 }
 
 func generateConfigPatch(caPEM []byte) error {
-	patch := &v1alpha1.Config{
+	patch1 := &v1alpha1.Config{
 		MachineConfig: &v1alpha1.MachineConfig{
 			MachineEnv: map[string]string{
 				"http_proxy":  fmt.Sprintf("http://%s", net.JoinHostPort(airgappedFlags.advertisedAddress.String(), strconv.Itoa(airgappedFlags.proxyPort))),
 				"https_proxy": fmt.Sprintf("http://%s", net.JoinHostPort(airgappedFlags.advertisedAddress.String(), strconv.Itoa(airgappedFlags.proxyPort))),
 				"no_proxy":    fmt.Sprintf("%s/24", airgappedFlags.advertisedAddress.String()),
 			},
-			MachineFiles: []*v1alpha1.MachineFile{
-				{
-					FilePath:        "/etc/ssl/certs/ca-certificates",
-					FileContent:     string(caPEM),
-					FilePermissions: 0o644,
-					FileOp:          "append",
-				},
-			},
 		},
 		ClusterConfig: &v1alpha1.ClusterConfig{
 			ExtraManifests: []string{
@@ -96,7 +90,16 @@ func generateConfigPatch(caPEM []byte) error {
 		},
 	}
 
-	patchBytes, err := encoder.NewEncoder(patch, encoder.WithComments(encoder.CommentsDisabled)).Encode()
+	patch2 := security.NewTrustedRootsConfigV1Alpha1()
+	patch2.MetaName = "air-gapped-ca"
+	patch2.Certificates = string(caPEM)
+
+	ctr, err := container.New(patch1, patch2)
+	if err != nil {
+		return err
+	}
+
+	patchBytes, err := ctr.EncodeBytes(encoder.WithComments(encoder.CommentsDisabled))
 	if err != nil {
 		return err
 	}

diff --git a/website/content/v1.10/advanced/developing-talos.md b/website/content/v1.10/advanced/developing-talos.md
@@ -259,29 +259,29 @@ Generated machine configuration patch looks like:
 
 ```yaml
 machine:
-    files:
-        - content: |
-            -----BEGIN CERTIFICATE-----
-            MIIBijCCAS+gAwIBAgIBATAKBggqhkjOPQQDAjAUMRIwEAYDVQQKEwlUZXN0IE9u
-            bHkwHhcNMjIwODA0MTI0MzE0WhcNMjIwODA1MTI0MzE0WjAUMRIwEAYDVQQKEwlU
-            ZXN0IE9ubHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQfOJdaOFSOI1I+EeP1
-            RlMpsDZJaXjFdoo5zYM5VYs3UkLyTAXAmdTi7JodydgLhty0pwLEWG4NUQAEvip6
-            EmzTo3IwcDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
-            AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCwxL+BjG0pDwaH8QgKW
-            Ex0J2mVXMA8GA1UdEQQIMAaHBKwUAAEwCgYIKoZIzj0EAwIDSQAwRgIhAJoW0z0D
-            JwpjFcgCmj4zT1SbBFhRBUX64PHJpAE8J+LgAiEAvfozZG8Or6hL21+Xuf1x9oh4
-            /4Hx3jozbSjgDyHOLk4=
-            -----END CERTIFICATE-----
-          permissions: 0o644
-          path: /etc/ssl/certs/ca-certificates
-          op: append
     env:
         http_proxy: http://172.20.0.1:8002
         https_proxy: http://172.20.0.1:8002
         no_proxy: 172.20.0.1/24
 cluster:
     extraManifests:
         - https://172.20.0.1:8001/debug.yaml
+---
+apiVersion: v1alpha1
+kind: TrustedRootsConfig
+name: air-gapped-ca
+certificates: |
+  -----BEGIN CERTIFICATE-----
+  MIIBiTCCAS+gAwIBAgIBATAKBggqhkjOPQQDAjAUMRIwEAYDVQQKEwlUZXN0IE9u
+  bHkwHhcNMjUwMTE1MTE1OTI3WhcNMjUwMTE2MTE1OTI3WjAUMRIwEAYDVQQKEwlU
+  ZXN0IE9ubHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAReznBeEcQFcB/y1yqI
+  HQcP0IWBMvgwGTeaaTBM6rV+AjbnyxgCrXAnmJ0t45Eur27eW9J/1T5tzA6fe24f
+  YyY9o3IwcDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+  AQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEGBbafXsyzxVhVqfjzy
+  7aBmVvtaMA8GA1UdEQQIMAaHBKwUAAEwCgYIKoZIzj0EAwIDSAAwRQIhAPAFm6Lv
+  1Bw+M55Z1SEDLyILJSS0En5F6n8Q9LyGGT4fAiBi+Fm3wSQcvgGPG9OfokFaXmGp
+  Pa6c4ZrarKO8ZxWigA==
+  -----END CERTIFICATE-----
 ```
 
 The first section appends a self-signed certificate of the HTTPS server to the list of trusted certificates,