fix: lock down etcd listen address to IPv4 localhost

smira · smira · commit 10918136c633 · 2026-01-21T16:19:42.000+04:00
Use literal IP address instead of `localhost` to make `kube-apiserver` connect to etcd member instead of relying on IPv4/IPv6 resolving of `localhost`. Simplify configuration for listening on 127.0.0.1 only, generate cert SANs uncoditionally for etcd loopback IPs. Fixes #12542 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 35fc520)
diff --git a/internal/app/machined/pkg/controllers/etcd/spec.go b/internal/app/machined/pkg/controllers/etcd/spec.go
@@ -155,18 +155,9 @@ func (ctrl *SpecController) Run(ctx context.Context, r controller.Runtime, _ *za
 			xslices.Map(etcdConfig.TypedSpec().ListenExcludeSubnets, func(cidr string) string { return "!" + cidr }),
 		)
 
-		defaultListenAddress := netip.AddrFrom4([4]byte{0, 0, 0, 0})
+		defaultListenAddress := netip.IPv4Unspecified()
 		loopbackAddress := netip.AddrFrom4([4]byte{127, 0, 0, 1})
 
-		for _, ip := range routedAddrs {
-			if ip.Is6() {
-				defaultListenAddress = netip.IPv6Unspecified()
-				loopbackAddress = netip.MustParseAddr("::1")
-
-				break
-			}
-		}
-
 		var (
 			advertisedIPs   []netip.Addr
 			listenPeerIPs   []netip.Addr
diff --git a/internal/app/machined/pkg/controllers/etcd/spec_test.go b/internal/app/machined/pkg/controllers/etcd/spec_test.go
@@ -92,10 +92,10 @@ func (suite *SpecSuite) TestReconcile() {
 					netip.MustParseAddr("10.0.0.5"),
 				},
 				ListenPeerAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 				ListenClientAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 			},
 		},
@@ -114,10 +114,10 @@ func (suite *SpecSuite) TestReconcile() {
 					netip.MustParseAddr("192.168.1.1"),
 				},
 				ListenPeerAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 				ListenClientAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 			},
 		},
@@ -139,10 +139,10 @@ func (suite *SpecSuite) TestReconcile() {
 					netip.MustParseAddr("1.3.5.7"),
 				},
 				ListenPeerAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 				ListenClientAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 			},
 		},
@@ -165,10 +165,10 @@ func (suite *SpecSuite) TestReconcile() {
 					netip.MustParseAddr("192.168.1.1"),
 				},
 				ListenPeerAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 				ListenClientAddresses: []netip.Addr{
-					netip.IPv6Unspecified(),
+					netip.IPv4Unspecified(),
 				},
 			},
 		},
@@ -197,7 +197,7 @@ func (suite *SpecSuite) TestReconcile() {
 					netip.MustParseAddr("192.168.1.50"),
 				},
 				ListenClientAddresses: []netip.Addr{
-					netip.MustParseAddr("::1"),
+					netip.MustParseAddr("127.0.0.1"),
 					netip.MustParseAddr("192.168.1.1"),
 					netip.MustParseAddr("192.168.1.50"),
 				},
diff --git a/internal/app/machined/pkg/controllers/k8s/control_plane.go b/internal/app/machined/pkg/controllers/k8s/control_plane.go
@@ -192,7 +192,7 @@ func NewControlPlaneAPIServerController() *ControlPlaneAPIServerController {
 					Image:                cfgProvider.Cluster().APIServer().Image(),
 					CloudProvider:        cloudProvider,
 					ControlPlaneEndpoint: cfgProvider.Cluster().Endpoint().String(),
-					EtcdServers:          []string{fmt.Sprintf("https://%s", nethelpers.JoinHostPort("localhost", constants.EtcdClientPort))},
+					EtcdServers:          []string{fmt.Sprintf("https://%s", nethelpers.JoinHostPort("127.0.0.1", constants.EtcdClientPort))},
 					LocalPort:            cfgProvider.Cluster().LocalAPIServerPort(),
 					ServiceCIDRs:         cfgProvider.Cluster().Network().ServiceCIDRs(),
 					ExtraArgs:            cfgProvider.Cluster().APIServer().ExtraArgs(),
diff --git a/internal/app/machined/pkg/controllers/secrets/etcd_test.go b/internal/app/machined/pkg/controllers/secrets/etcd_test.go
@@ -10,11 +10,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/cosi-project/runtime/pkg/resource"
-	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/siderolabs/crypto/x509"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
@@ -26,8 +23,11 @@ import (
 )
 
 func TestEtcdSuite(t *testing.T) {
+	t.Parallel()
+
 	suite.Run(t, &EtcdSuite{
 		DefaultSuite: ctest.DefaultSuite{
+			Timeout: 5 * time.Second,
 			AfterSetup: func(suite *ctest.DefaultSuite) {
 				suite.Require().NoError(suite.Runtime().RegisterController(&secretsctrl.EtcdController{}))
 			},
@@ -52,124 +52,100 @@ func (suite *EtcdSuite) TestReconcile() {
 		Crt: etcdCA.CrtPEM,
 		Key: etcdCA.KeyPEM,
 	}
-	suite.Require().NoError(suite.State().Create(suite.Ctx(), rootSecrets))
+	suite.Create(rootSecrets)
 
 	networkStatus := network.NewStatus(network.NamespaceName, network.StatusID)
 	networkStatus.TypedSpec().AddressReady = true
 	networkStatus.TypedSpec().HostnameReady = true
-	suite.Require().NoError(suite.State().Create(suite.Ctx(), networkStatus))
+	suite.Create(networkStatus)
 
 	hostnameStatus := network.NewHostnameStatus(network.NamespaceName, network.HostnameID)
 	hostnameStatus.TypedSpec().Hostname = "host"
 	hostnameStatus.TypedSpec().Domainname = "domain"
-	suite.Require().NoError(suite.State().Create(suite.Ctx(), hostnameStatus))
+	suite.Create(hostnameStatus)
 
 	nodeAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressAccumulativeID, k8s.NodeAddressFilterNoK8s))
 	nodeAddresses.TypedSpec().Addresses = []netip.Prefix{
 		netip.MustParsePrefix("10.3.4.5/24"),
 		netip.MustParsePrefix("2001:db8::1eaf/64"),
 	}
-	suite.Require().NoError(suite.State().Create(suite.Ctx(), nodeAddresses))
+	suite.Create(nodeAddresses)
 
 	timeSync := timeres.NewStatus()
 	timeSync.TypedSpec().Synced = true
-	suite.Require().NoError(suite.State().Create(suite.Ctx(), timeSync))
-
-	suite.AssertWithin(3*time.Second, 100*time.Millisecond,
-		ctest.WrapRetry(func(assert *assert.Assertions, require *require.Assertions) {
-			certs, err := ctest.Get[*secrets.Etcd](
-				suite,
-				resource.NewMetadata(
-					secrets.NamespaceName,
-					secrets.EtcdType,
-					secrets.EtcdID,
-					resource.VersionUndefined,
-				),
-			)
-			if err != nil {
-				if state.IsNotFoundError(err) {
-					assert.NoError(err)
-				} else {
-					require.NoError(err)
-				}
+	suite.Create(timeSync)
 
-				return
-			}
+	ctest.AssertResource(suite, secrets.EtcdID, func(certs *secrets.Etcd, asrt *assert.Assertions) {
+		etcdCerts := certs.TypedSpec()
 
-			etcdCerts := certs.TypedSpec()
+		serverCert, err := etcdCerts.Etcd.GetCert()
+		if !asrt.NoError(err) {
+			return
+		}
 
-			serverCert, err := etcdCerts.Etcd.GetCert()
-			require.NoError(err)
+		asrt.Equal([]string{"host", "host.domain", "localhost"}, serverCert.DNSNames)
+		asrt.Equal("[10.3.4.5 2001:db8::1eaf 127.0.0.1 ::1]", fmt.Sprintf("%v", serverCert.IPAddresses))
 
-			assert.Equal([]string{"host", "host.domain", "localhost"}, serverCert.DNSNames)
-			assert.Equal("[10.3.4.5 2001:db8::1eaf 127.0.0.1 ::1]", fmt.Sprintf("%v", serverCert.IPAddresses))
+		asrt.Equal("host", serverCert.Subject.CommonName)
 
-			assert.Equal("host", serverCert.Subject.CommonName)
+		peerCert, err := etcdCerts.EtcdPeer.GetCert()
+		if !asrt.NoError(err) {
+			return
+		}
 
-			peerCert, err := etcdCerts.EtcdPeer.GetCert()
-			require.NoError(err)
+		asrt.Equal([]string{"host", "host.domain"}, peerCert.DNSNames)
+		asrt.Equal("[10.3.4.5 2001:db8::1eaf]", fmt.Sprintf("%v", peerCert.IPAddresses))
 
-			assert.Equal([]string{"host", "host.domain"}, peerCert.DNSNames)
-			assert.Equal("[10.3.4.5 2001:db8::1eaf]", fmt.Sprintf("%v", peerCert.IPAddresses))
+		asrt.Equal("host", peerCert.Subject.CommonName)
 
-			assert.Equal("host", peerCert.Subject.CommonName)
+		adminCert, err := etcdCerts.EtcdAdmin.GetCert()
+		if !asrt.NoError(err) {
+			return
+		}
 
-			adminCert, err := etcdCerts.EtcdAdmin.GetCert()
-			require.NoError(err)
+		asrt.Empty(adminCert.DNSNames)
+		asrt.Empty(adminCert.IPAddresses)
 
-			assert.Empty(adminCert.DNSNames)
-			assert.Empty(adminCert.IPAddresses)
+		asrt.Equal("talos", adminCert.Subject.CommonName)
 
-			assert.Equal("talos", adminCert.Subject.CommonName)
+		kubeAPICert, err := etcdCerts.EtcdAPIServer.GetCert()
+		if !asrt.NoError(err) {
+			return
+		}
 
-			kubeAPICert, err := etcdCerts.EtcdAPIServer.GetCert()
-			require.NoError(err)
+		asrt.Empty(kubeAPICert.DNSNames)
+		asrt.Empty(kubeAPICert.IPAddresses)
 
-			assert.Empty(kubeAPICert.DNSNames)
-			assert.Empty(kubeAPICert.IPAddresses)
-
-			assert.Equal("kube-apiserver", kubeAPICert.Subject.CommonName)
-		}))
+		asrt.Equal("kube-apiserver", kubeAPICert.Subject.CommonName)
+	})
 
 	// update node addresses, certs should be updated
 	nodeAddresses.TypedSpec().Addresses = []netip.Prefix{
 		netip.MustParsePrefix("10.3.4.5/24"),
 	}
-	suite.Require().NoError(suite.State().Update(suite.Ctx(), nodeAddresses))
+	suite.Update(nodeAddresses)
 
-	suite.AssertWithin(3*time.Second, 100*time.Millisecond,
-		ctest.WrapRetry(func(assert *assert.Assertions, require *require.Assertions) {
-			certs, err := ctest.Get[*secrets.Etcd](
-				suite,
-				resource.NewMetadata(
-					secrets.NamespaceName,
-					secrets.EtcdType,
-					secrets.EtcdID,
-					resource.VersionUndefined,
-				),
-			)
-			if err != nil {
-				require.NoError(err)
+	ctest.AssertResource(suite, secrets.EtcdID, func(certs *secrets.Etcd, asrt *assert.Assertions) {
+		etcdCerts := certs.TypedSpec()
 
-				return
-			}
+		serverCert, err := etcdCerts.Etcd.GetCert()
+		if !asrt.NoError(err) {
+			return
+		}
 
-			etcdCerts := certs.TypedSpec()
+		asrt.Equal([]string{"host", "host.domain", "localhost"}, serverCert.DNSNames)
+		asrt.Equal("[10.3.4.5 127.0.0.1 ::1]", fmt.Sprintf("%v", serverCert.IPAddresses))
 
-			serverCert, err := etcdCerts.Etcd.GetCert()
-			require.NoError(err)
+		asrt.Equal("host", serverCert.Subject.CommonName)
 
-			assert.Equal([]string{"host", "host.domain", "localhost"}, serverCert.DNSNames)
-			assert.Equal("[10.3.4.5 127.0.0.1]", fmt.Sprintf("%v", serverCert.IPAddresses))
+		peerCert, err := etcdCerts.EtcdPeer.GetCert()
+		if !asrt.NoError(err) {
+			return
+		}
 
-			assert.Equal("host", serverCert.Subject.CommonName)
+		asrt.Equal([]string{"host", "host.domain"}, peerCert.DNSNames)
+		asrt.Equal("[10.3.4.5]", fmt.Sprintf("%v", peerCert.IPAddresses))
 
-			peerCert, err := etcdCerts.EtcdPeer.GetCert()
-			require.NoError(err)
-
-			assert.Equal([]string{"host", "host.domain"}, peerCert.DNSNames)
-			assert.Equal("[10.3.4.5]", fmt.Sprintf("%v", peerCert.IPAddresses))
-
-			assert.Equal("host", peerCert.Subject.CommonName)
-		}))
+		asrt.Equal("host", peerCert.Subject.CommonName)
+	})
 }
diff --git a/internal/pkg/etcd/certs.go b/internal/pkg/etcd/certs.go
@@ -30,15 +30,10 @@ func (gen *CertificateGenerator) buildOptions(autoSANs, includeLocalhost bool) [
 	addresses := gen.NodeAddresses.TypedSpec().IPs()
 
 	if includeLocalhost {
-		addresses = append(addresses, netip.MustParseAddr("127.0.0.1"))
-
-		for _, addr := range addresses {
-			if addr.Is6() {
-				addresses = append(addresses, netip.MustParseAddr("::1"))
-
-				break
-			}
-		}
+		addresses = append(addresses,
+			netip.MustParseAddr("127.0.0.1"),
+			netip.MustParseAddr("::1"),
+		)
 	}
 
 	hostname := gen.HostnameStatus.TypedSpec().Hostname
