budimanjojo / talhelper

A tool to help creating Talos kubernetes cluster
https://budimanjojo.github.io/talhelper
BSD 3-Clause "New" or "Revised" License

CA certificate cannot be provided without key property #579

Closed Sapp00 closed 3 weeks ago

Sapp00 commented 2 months ago

Talos does not support workers being provided CA keys (even if they are empty). Since Talhelper provides a default .ca.key: "", it throws an error.

The fix would be straightforward: allow .ca.crt: "some_value" without setting .ca.key: "". This is the case for both machine.ca and cluster.ca.

Respective errors:
10.10.10.22: user: warning: [2024-09-04T10:16:08.516395052Z]: * cluster CA key is not allowed on non-controlplane nodes (.cluster.ca)
10.10.10.22: user: warning: [2024-09-04T10:16:08.517132052Z]: * issuing Talos API CA key is not allowed on non-controlplane nodes (.machine.ca)
10.10.10.22: user: warning: [2024-09-04T10:16:08.517960052Z]: * issuing Kubernetes API CA key is not allowed on non-controlplane nodes (.cluster.ca)

budimanjojo commented 2 months ago

I'll look into this tomorrow, thank you for reporting!

budimanjojo commented 2 months ago

I just tried generating a config using talosctl gen config and it also generates machine.ca with the key being an empty string, so it is expected behavior. This is the line from upstream that does this: https://github.com/siderolabs/talos/blob/bc8bf9e8a865473011dcf5ad2df08c8ff1af5110/pkg/machinery/config/generate/worker.go#L44.

I don't know how you get that error message and I can't test it out because I don't have a worker node in my cluster. But you'll need to report to upstream (Talos) because this should be fixed there (if it's a real issue).

budimanjojo commented 3 weeks ago

I'm going to close this issue because of inactivity. Feel free to reopen if you are not satisfied with my answer. Thank you.
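An added example, not part of the thread and not talhelper or Talos code: a Go check that reports whether .machine.ca.key and .cluster.ca.key in a generated worker config are absent, empty, or carry key material, which are the three cases this thread turns on. The function name caKeyState and the sample config are constructed for illustration, and the scanner assumes generator-style block YAML.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample worker config (not from the issue); values are placeholders.
const sampleWorker = `machine:
  type: worker
  ca:
    crt: PLACEHOLDER_CRT
    key: ""
cluster:
  ca:
    crt: PLACEHOLDER_CRT
    key: PLACEHOLDER_KEY
`

// caKeyState classifies <section>.ca.key as "absent", "empty" or "present".
// Assumption: block-style YAML (space indentation, no flow maps, anchors or inline comments).
func caKeyState(cfg, section string) string {
	var indents []int // indentation of each ancestor of the current line
	var keys []string // key names of those ancestors, outermost first
	for _, line := range strings.Split(cfg, "\n") {
		t := strings.TrimSpace(line)
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		for n := len(indents); n > 0 && indent <= indents[n-1]; n-- {
			indents, keys = indents[:n-1], keys[:n-1] // left that key's subtree
		}
		key, val, _ := strings.Cut(t, ":")
		indents, keys = append(indents, indent), append(keys, key)
		if strings.Join(keys, ".") != section+".ca.key" {
			continue // only the exact path counts, not a nested ca.key elsewhere
		}
		if strings.Trim(strings.TrimSpace(val), `"'`) == "" {
			return "empty"
		}
		return "present"
	}
	return "absent"
}

func main() {
	fmt.Println(caKeyState(sampleWorker, "machine"), caKeyState(sampleWorker, "cluster"))
}
```

Running it against the rendered worker files before applying them shows which of the three states each CA block is in, so a report to either project can say exactly what the config contained.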