Conversation

@kvaps
Member

@kvaps kvaps commented Jan 23, 2026

Summary

  • Add new rotate-ca command for Talos and Kubernetes CA rotation
  • Discovers all cluster nodes via Kubernetes API
  • Verifies connectivity to all nodes via Talos API before rotation
  • Updates talosconfig, secrets.yaml, and kubeconfig after rotation
  • Automatically updates encrypted versions of config files (SOPS)

Refactoring

  • Extract encryption logic into encryption_helpers.go:
    • SaveTalosconfigWithEncryption()
    • SaveSecretsBundleWithEncryption()
    • UpdateKubeconfigEncryption()

Test plan

  • Test talm rotate-ca --talos for Talos CA rotation
  • Test talm rotate-ca --kubernetes for Kubernetes CA rotation
  • Verify encrypted config files are updated correctly
  • Test on cluster with multiple nodes

Summary by CodeRabbit

  • New Features

    • Global --skip-verify flag to disable TLS certificate verification across commands.
    • Enhanced CA rotation flow: auto-discovery of cluster nodes, automatic post-rotation updates (configs, kubeconfig), and non-interactive kubeconfig handling.
  • Bug Fixes / Improvements

    • Automatic re-encryption/updating of talosconfig, kubeconfig, and secrets when encrypted artifacts and keys are present.
  • Chores

    • Broad dependency upgrades and module replacement adjustments.


@coderabbitai

coderabbitai bot commented Jan 23, 2026

Caution

Review failed

Failed to post review comments

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Introduces a global --skip-verify flag and client-wrapper helpers, refactors apply flow, adds encryption helpers and rotate-ca orchestration, updates kubeconfig/talosconfig encryption handling, and upgrades many Go module dependencies including two replace directives for talos modules.

Changes

  • Dependency Updates (go.mod): Broad version bumps across AWS SDK v2, Kubernetes/etcd/protobuf/grpc/otel/prometheus/container tooling, and others. Adds replace directives routing github.com/siderolabs/talos and .../pkg/machinery to the cozystack/talos fork.
  • Global Flag & Wiring (main.go, pkg/commands/talosctl_wrapper.go): Adds persistent --skip-verify flag bound to commands.GlobalArgs.SkipVerify; documents support in PreRunE and special-cases rotate-ca command wrapping.
  • Client Wrapper Helpers (pkg/commands/root.go): Adds WithClientSkipVerify and WithClientAuto helpers to select client initialization paths based on SkipVerify and node presence.
  • Command Integration & Apply Refactor (pkg/commands/apply.go, pkg/commands/template.go): Reworks apply to return error directly and loops per-file; integrates WithClientSkipVerify/WithClientAuto selection; template uses skip-verify wrapper when set.
  • Encryption Utilities (pkg/commands/encryption_helpers.go): New file with exported helpers: SaveTalosconfigWithEncryption, UpdateKubeconfigEncryption, UpdateTalosconfigEncryption, and SaveSecretsBundleWithEncryption to centralize age-based encryption flows.
  • Kubeconfig Handling Update (pkg/commands/kubeconfig_handler.go): Replaces inline kubeconfig encryption logic with call to UpdateKubeconfigEncryption, logs warnings on error instead of failing, removes direct age import.
  • rotate-ca Orchestration (pkg/commands/rotate_ca_handler.go): New complex handler wrapping rotate-ca: auto-discovers cluster nodes, extracts kubeconfig, updates secrets.yaml with rotated CA data, invokes kubeconfig subcommand, and persists encrypted artifacts; includes utilities for tar.gz extraction and node discovery.
  • Talosconfig Encryption Flow (pkg/commands/talosconfig.go): Calls UpdateTalosconfigEncryption() after regenerating talosconfig and before existing encryption handling to refresh encrypted talosconfig if present.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant CLI as rgba(64,128,255,0.5)
  participant GlobalArgs as rgba(32,192,128,0.5)
  participant CmdWrappers as rgba(255,160,64,0.5)
  participant TalosClient as rgba(200,64,128,0.5)
  participant K8sAPI as rgba(128,64,200,0.5)
  participant FS as rgba(64,200,160,0.5)

  CLI->>GlobalArgs: parse flags (--skip-verify)
  CLI->>CmdWrappers: invoke rotate-ca / apply / template
  GlobalArgs->>CmdWrappers: provide SkipVerify
  alt SkipVerify == true
    CmdWrappers->>TalosClient: WithClientSkipVerify(ctx)
  else
    CmdWrappers->>TalosClient: WithClientAuto(ctx)
  end
  TalosClient->>K8sAPI: list nodes / fetch CA / kubeconfig
  K8sAPI-->>TalosClient: node list, certs, kubeconfig
  TalosClient->>FS: write/update `secrets.yaml`, `talosconfig`
  FS->>FS: call age encryption helpers (if encrypted files present)
  FS-->>CLI: report results

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I found a flag beneath a log,

Skip verification—what a jog!
I hopped through modules, tweaked the flow,
Rotated CAs and watched things grow,
Encrypted crumbs tucked safe in a bog.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Title check: ⚠️ Warning. The PR title claims to add a rotate-ca command, but the actual primary objective is to add a --skip-verify flag for TLS certificate verification across all commands. Resolution: Update the title to reflect the main feature: 'feat(commands): add --skip-verify flag to skip TLS certificate verification' or similar, since the rotate-ca command appears to be a secondary implementation detail enabling CA rotation functionality.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 87.50% which is sufficient. The required threshold is 80.00%.

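The walkthrough above notes that rotate_ca_handler.go extracts a kubeconfig and carries its own tar.gz extraction utilities. Archive members that come back from a remote node are untrusted input, so an extractor should validate every member name before anything is written or returned. The following Go program is an added example and not code from talm or Talos: it pulls one expected regular file out of an in-memory tar.gz, rejects absolute or `..` names (including ones belonging to members it is not looking for), and bounds how much it reads. The function names, the member name `kubeconfig`, the size limit and the sample archive contents are all assumptions constructed for the demo.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// extractMember returns the contents of the regular file named want from a tar.gz stream. Every member
// name is checked before use, so a hostile archive cannot smuggle a traversal path past the caller.
func extractMember(r io.Reader, want string, maxSize int64) ([]byte, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil, fmt.Errorf("member %q not found in archive", want)
		}
		if err != nil {
			return nil, err
		}
		name := strings.TrimSuffix(strings.TrimPrefix(hdr.Name, "./"), "/")
		// Reject absolute names and any ".." component, whether or not this is the member we want.
		if path.IsAbs(name) || name != path.Clean(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, fmt.Errorf("unsafe member name %q", hdr.Name)
		}
		if name != want {
			continue
		}
		if hdr.Typeflag != tar.TypeReg {
			return nil, fmt.Errorf("member %q is not a regular file", want)
		}
		if hdr.Size > maxSize {
			return nil, fmt.Errorf("member %q is %d bytes, limit is %d", want, hdr.Size, maxSize)
		}
		// The tar reader stops at hdr.Size; the LimitReader is a second guard so memory use stays
		// bounded even if the header were ever allowed to lie.
		return io.ReadAll(io.LimitReader(tr, maxSize))
	}
}

// member is one entry of a constructed test archive.
type member struct{ name, body string }

// buildArchive writes the members into an in-memory tar.gz (constructed test input, not node output).
func buildArchive(members []member) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, m := range members {
		hdr := &tar.Header{Name: m.name, Mode: 0o600, Size: int64(len(m.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(m.body)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	kubeconfig := "apiVersion: v1\nkind: Config\n" // constructed stand-in for a real kubeconfig
	good, _ := buildArchive([]member{{"./kubeconfig", kubeconfig}})
	data, err := extractMember(bytes.NewReader(good), "kubeconfig", 1<<20)
	fmt.Printf("good archive: %q, err=%v\n", data, err)
	bad, _ := buildArchive([]member{{"../../.kube/config", kubeconfig}})
	_, err = extractMember(bytes.NewReader(bad), "kubeconfig", 1<<20)
	fmt.Println("traversal archive:", err)
}
```

The name check runs on every member, not only on the one requested, because a caller that later unpacks the whole archive to disk must never be handed a name that `path.Clean` would rewrite; the size check compares the header first and then caps the actual read, so neither a large honest file nor a mis-declared one can grow memory without limit.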

@gemini-code-assist
Contributor

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the talm command-line tool by adding a --skip-verify flag. This flag addresses connectivity challenges in environments like NAT or VPNs where node IP addresses might not align with server certificate SANs, by allowing users to bypass TLS server certificate verification. The change ensures that client authentication is still enforced, providing a balanced approach to security and flexibility. The new functionality is specifically enabled for apply and template commands, with clear warnings for other commands where it is not applicable.

Highlights

  • New Global Flag: Introduced a new global --skip-verify flag that allows users to disable TLS server certificate verification.
  • Preserved Client Authentication: The --skip-verify flag ensures that client certificate authentication remains active, maintaining a level of security despite skipping server verification.
  • Command Integration: The --skip-verify functionality has been integrated into the apply and template commands, enabling its use in relevant scenarios.
  • Unsupported Command Warning: A warning message is now displayed when the --skip-verify flag is used with wrapped talosctl commands that do not support this option.
  • Client Initialization Logic: A new WithClientSkipVerify function was implemented to handle the custom client initialization logic, including loading client certificates and configuring TLS to skip server verification.


Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a --skip-verify flag to disable TLS certificate verification, which is useful in certain networking scenarios. The implementation correctly adds the flag and integrates it into the apply and template commands. It also correctly warns users when the flag is used with unsupported wrapped talosctl commands.

My main feedback is about the implementation of WithClientSkipVerify in pkg/commands/root.go. This function contains a large amount of code that duplicates client setup logic from the talos library. This poses a significant maintainability risk. I've left a detailed comment with a suggestion to refactor this to improve maintainability by reusing more of the existing talos code.
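The Gemini summary and review above describe WithClientSkipVerify as loading the client certificate and configuring TLS to skip server verification, so that a node reached through a NAT or VPN address that is not in its certificate SANs can still be managed with client authentication intact. The following Go program is an added example, not code from talm, Talos or this pull request, that makes the trade-off concrete: it generates a throwaway PKI, starts a mutual-TLS loopback server standing in for a node, and compares three client configurations against both the real node and an impostor holding a certificate from a different CA. It also shows, as a narrower alternative that the page itself does not propose, keeping chain validation against the cluster CA and skipping only the SAN match. All names (`mustIssue`, `tlsConfigCAOnly`, `handshake`, `runScenario`, `node1.internal`, `talos-ca`) are assumptions; the CA is single-level, so the verification callback does not handle intermediates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue builds a throwaway fixture certificate (a real cluster uses the Talos-generated CAs):
// a self-signed CA when parent is nil, otherwise a leaf signed by parent with name as its only SAN.
func mustIssue(name string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	parentCert, signer := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{eku}
		tmpl.KeyUsage, parentCert, signer = x509.KeyUsageDigitalSignature, parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		panic(err) // fixture generation only
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// tlsConfigCAOnly skips only the hostname/SAN match and still requires the server certificate to chain to
// the cluster CA: the narrower fix for reaching nodes through NAT/VPN addresses that are absent from the SANs.
func tlsConfigCAOnly(client tls.Certificate, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates:       []tls.Certificate{client},
		InsecureSkipVerify: true, // disables the built-in check; the callback below verifies instead
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0]) // crypto/tls rejects an empty list before calling us
			if err != nil {
				return err
			}
			// No DNSName in the options: chain, validity and key usage are verified, the SAN match is not.
			_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
			return err
		},
	}
}

// handshake runs one TLS handshake over loopback and returns the client-side error (nil = completed).
func handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake() // server side; the client's verdict is what we report
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client) // 127.0.0.1 is not among the node's SANs
	if err == nil {
		conn.Close()
	}
	return err
}

type outcome struct{ Strict, SkipVerify, SkipVerifyRogue, CAOnly, CAOnlyRogue bool } // true = handshake completed

// runScenario reaches node1.internal through an address missing from its SANs, against the real node and an impostor.
func runScenario() outcome {
	ca, rogue := mustIssue("talos-ca", 0, nil), mustIssue("rogue-ca", 0, nil) // eku is ignored for CAs
	node := mustIssue("node1.internal", x509.ExtKeyUsageServerAuth, &ca)
	impostor := mustIssue("node1.internal", x509.ExtKeyUsageServerAuth, &rogue)
	admin := mustIssue("admin", x509.ExtKeyUsageClientAuth, &ca)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	// Node side: mutual TLS, so every client below must still present a certificate chaining to the cluster CA.
	serverCfg := func(c tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{c}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	}
	strict := &tls.Config{Certificates: []tls.Certificate{admin}, RootCAs: roots}          // default verification
	skip := &tls.Config{Certificates: []tls.Certificate{admin}, InsecureSkipVerify: true} // a --skip-verify style client
	return outcome{
		Strict:          handshake(serverCfg(node), strict) == nil,                            // false: SAN mismatch
		SkipVerify:      handshake(serverCfg(node), skip) == nil,                              // true
		SkipVerifyRogue: handshake(serverCfg(impostor), skip) == nil,                          // true: impostor accepted
		CAOnly:          handshake(serverCfg(node), tlsConfigCAOnly(admin, roots)) == nil,     // true
		CAOnlyRogue:     handshake(serverCfg(impostor), tlsConfigCAOnly(admin, roots)) == nil, // false
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

The `skip` configuration is what the flag buys: the node still demands and validates the operator's client certificate, but the client accepts whatever server certificate it is shown, which is why the impostor case succeeds as well. The `tlsConfigCAOnly` variant keeps the part of verification that the NAT/VPN situation does not break, so a certificate from outside the cluster CA is still rejected; in Go this requires `InsecureSkipVerify: true` together with a `VerifyPeerCertificate` callback, because the built-in path cannot be told to skip only the name check.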

@kvaps kvaps marked this pull request as ready for review January 23, 2026 16:52
@kvaps kvaps force-pushed the feat/skip-verify-flag branch 3 times, most recently from 2e3d05a to d3cbd79, January 23, 2026 16:55

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/commands/template.go (1)

194-200: Missing --skip-verify handling in templateWithFiles.

The templateWithFiles function (used when --file is specified) doesn't check GlobalArgs.SkipVerify. This means --skip-verify won't work when running talm template --skip-verify -f node.yaml, which is inconsistent with the top-level RunE and contradicts the test plan in the PR objectives.

🔧 Proposed fix
 			if templateCmdFlags.offline {
 				err = template(args)(context.Background(), nil)
 			} else if templateCmdFlags.insecure {
 				err = WithClientMaintenance(nil, template(args))
+			} else if GlobalArgs.SkipVerify {
+				err = WithClientSkipVerify(template(args))
 			} else {
 				err = WithClient(template(args))
 			}
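Review bot: the new `else if GlobalArgs.SkipVerify` branch sits after the `templateCmdFlags.insecure` branch, so a user who passes both `--insecure` and `--skip-verify` gets `WithClientMaintenance` and the skip-verify request is silently ignored; either document that precedence where the flags are defined or print the same warning that the wrapped talosctl commands emit when `--skip-verify` cannot be honoured. Since the comment says the top-level RunE already handles the flag, whichever branch order that path uses should be mirrored here so `talm template --skip-verify -f node.yaml` and the non-`--file` invocation behave identically.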

@kvaps kvaps force-pushed the feat/skip-verify-flag branch 2 times, most recently from c1dc4e2 to e456203, January 23, 2026 16:57
Add new rotate-ca command that:
- Discovers all cluster nodes via Kubernetes API
- Verifies connectivity to all nodes via Talos API
- Rotates Talos and/or Kubernetes CAs
- Updates talosconfig, secrets.yaml, and kubeconfig
- Automatically updates encrypted versions of config files

Also refactor encryption logic into encryption_helpers.go:
- SaveTalosconfigWithEncryption()
- SaveSecretsBundleWithEncryption()
- UpdateKubeconfigEncryption()

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Andrei Kvapil <[email protected]>
@kvaps kvaps force-pushed the feat/skip-verify-flag branch from e456203 to a690118, January 23, 2026 20:28
@kvaps kvaps changed the title feat(commands): add --skip-verify flag to skip TLS certificate verification feat(commands): add rotate-ca command for CA rotation Jan 23, 2026
@kvaps kvaps changed the base branch from main to feat/skip-verify January 23, 2026 20:28
@kvaps kvaps merged commit 134538d into feat/skip-verify Jan 23, 2026
4 checks passed