siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Admin cert should be generated in `gen secrets` #6618

Open james-callahan opened 1 year ago

james-callahan commented 1 year ago

Feature Request

Currently the admin cert is generated during gen config at https://github.com/siderolabs/talos/blob/96aa9638f724d81ba8ef64db0ed7032694e7da5d/pkg/machinery/config/types/v1alpha1/generate/generate.go#L632. As a secret, it should be generated during talosctl gen secrets instead.

smira commented 1 year ago

The admin cert is actually the Talos API client certificate; it's not a secret, as it can be derived from the API CA.

As the client cert has an expiration set, it should be refreshed in time, so it's not a good candidate for gen secrets.

james-callahan commented 1 year ago

> As the client cert has an expiration set, it should be refreshed in time, so it's not a good candidate for gen secrets.

The other certificates created by gen secrets also have an expiration set, e.g.

$ yq -r '.certs.os.crt | @base64d' secrets.yaml  | openssl x509 -noout -text | grep -A 2 Validity
        Validity
            Not Before: Dec  8 22:45:03 2022 GMT
            Not After : Dec  5 22:45:03 2032 GMT

I'm trying to generate an admin certificate at cluster bootstrap time, but I don't want to run talosctl gen config.

smira commented 1 year ago

The other secrets are not certificates, they are CAs.

talosctl gen config in Talos 1.3.0 supports generating a single output file, including talosconfig.
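The distinction drawn in the two replies above (the CA in secrets.yaml is the long-lived secret; the admin client cert is a short-lived artefact that anyone holding the CA can re-derive at will) is easy to demonstrate with the Go standard library. The block below is an added example written for this page, not code from the Talos repository; it uses Ed25519 keys and an "os:admin" organization field purely as illustrative assumptions, and does not reproduce Talos' actual generate package or its file formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a self-signed certificate authority plus its private key: the kind of
// long-lived secret that belongs in secrets.yaml (compare certs.os above).
type CA struct {
	Cert *x509.Certificate
	Key  ed25519.PrivateKey
}

// NewCA creates a self-signed Ed25519 CA valid from now for validFor.
func NewCA(name string, now time.Time, validFor time.Duration) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: priv}, nil
}

// IssueClientCert derives a client certificate from the CA. It needs nothing
// but the CA key pair, so it can be re-run whenever the previous certificate
// nears expiry; the resulting cert is not itself worth storing as a secret.
// The role goes into Organization ("os:admin" here is an assumption).
func (ca *CA) IssueClientCert(cn string, groups []string, now time.Time, validFor time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, Organization: groups},
		NotBefore:    now,
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// VerifyClient checks that cert chains to this CA and is within its validity
// window at time at, which is what a server does on every client connection.
func (ca *CA) VerifyClient(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsExpiredErr distinguishes "valid cert, but past NotAfter" from a chain
// that does not lead to our CA at all.
func IsExpiredErr(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Now()
	ca, _ := NewCA("talos", now, 10*365*24*time.Hour)                             // CA: ~10 years
	admin, _, _ := ca.IssueClientCert("admin", []string{"os:admin"}, now, 365*24*time.Hour) // client: 1 year
	fmt.Println("CA:", ca.Cert.IsCA, "client:", admin.IsCA, "valid now:", ca.VerifyClient(admin, now) == nil)
	later := now.Add(400 * 24 * time.Hour)
	fmt.Println("expired later:", IsExpiredErr(ca.VerifyClient(admin, later)))
	// Refresh: derive a new client cert from the same CA instead of storing the old one.
	fresh, _, _ := ca.IssueClientCert("admin", []string{"os:admin"}, later, 365*24*time.Hour)
	fmt.Println("fresh cert valid later:", ca.VerifyClient(fresh, later) == nil)
}
```

The point of the refresh step at the end is the one made in the thread: once the CA pair is in secrets storage, a fresh admin certificate can be minted at any time, so the certificate itself is an output of config generation rather than an input to it.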

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 180 days with no activity. Remove stale label or comment or this will be closed in 7 days.

james-callahan commented 2 months ago

.