cozystack · kvaps · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · coderabbitai
diff --git a/main.go b/main.go
@@ -3,7 +3,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -145,7 +144,7 @@ func initConfig() {
 }
 
 func loadConfig(filename string) error {
-	data, err := ioutil.ReadFile(filename)
+	data, err := os.ReadFile(filename)
 	if err != nil {
 		return fmt.Errorf("error reading configuration file: %w", err)
 	}

diff --git a/pkg/age/age.go b/pkg/age/age.go
@@ -420,15 +420,8 @@ func mergeAndEncryptYAMLValues(plain, encrypted interface{}, identity *age.X2551
 				// Values are the same, keep existing encrypted value (idempotent)
 				return encryptedStr, nil
 			}
-			// If decryption fails or values differ, encrypt new value
-		} else if encryptedStr == plainVal {
-			// Both are plain strings and equal, but we need encrypted version
-			// Encrypt the plain value
-		} else {
-			// Values differ, encrypt new value
 		}
-
-		// Encrypt the new value
+		// Encrypt the new value (if decryption fails, values differ, or both are plain)
 		return encryptYAMLValues(plain, identity.Recipient())
 
 	default:

diff --git a/pkg/commands/apply.go b/pkg/commands/apply.go
@@ -15,11 +15,9 @@
 package commands
 
 import (
-	"bufio"
 	"context"
 	"errors"
 	"fmt"
-	"os"
 	"time"
 
 	"github.com/cozystack/talm/pkg/engine"
@@ -188,33 +186,6 @@ func apply(args []string) error {
 	return nil
 }
 
-// readFirstLine reads and returns the first line of the file specified by the filename.
-// It returns an error if opening or reading the file fails.
-func readFirstLine(filename string) (string, error) {
-	// Open the file
-	file, err := os.Open(filename)
-	if err != nil {
-		return "", fmt.Errorf("error opening file: %v", err)
-	}
-	defer file.Close() // Ensure the file is closed after reading
-
-	// Create a scanner to read the file
-	scanner := bufio.NewScanner(file)
-
-	// Read the first line
-	if scanner.Scan() {
-		return scanner.Text(), nil
-	}
-
-	// Check for errors during scanning
-	if err := scanner.Err(); err != nil {
-		return "", fmt.Errorf("error reading file: %v", err)
-	}
-
-	// If no lines in the file, return an empty string
-	return "", nil
-}
-
 func init() {
 	applyCmd.Flags().BoolVarP(&applyCmdFlags.insecure, "insecure", "i", false, "apply using the insecure (encrypted with no auth) maintenance service")
 	applyCmd.Flags().StringSliceVarP(&applyCmdFlags.configFiles, "file", "f", nil, "specify config files or patches in a YAML file (can specify multiple)")

diff --git a/pkg/commands/init.go b/pkg/commands/init.go
@@ -324,10 +324,8 @@ var initCmd = &cobra.Command{
 
 		// If encrypted file exists, decrypt it (don't require key - will generate if needed)
 		if encryptedTalosconfigFileExists && !talosconfigFileExists {
-			_, err := handleTalosconfigEncryption(false)
-			if err != nil {
-				// If decryption fails (e.g., no key), continue to generate
-			}
+			// If decryption fails (e.g., no key), continue to generate
+			_, _ = handleTalosconfigEncryption(false)
 			talosconfigFileExists = fileExists(talosconfigFile)
-			// If decryption fails (e.g., no key), continue to generate
-			_, _ = handleTalosconfigEncryption(false)
-			talosconfigFileExists = fileExists(talosconfigFile)
+			// If decryption fails for any reason other than missing key, return the error
+			if _, err := handleTalosconfigEncryption(false); err != nil {
+				return err
+			}
+			talosconfigFileExists = fileExists(talosconfigFile)
-			// If decryption fails (e.g., no key), continue to generate
-			_, _ = handleTalosconfigEncryption(false)
-			talosconfigFileExists = fileExists(talosconfigFile)
+			// If decryption fails for any reason other than missing key, return the error
+			if _, err := handleTalosconfigEncryption(false); err != nil {
+				return err
+			}
+			talosconfigFileExists = fileExists(talosconfigFile)
 		}
 
@@ -347,7 +345,6 @@ var initCmd = &cobra.Command{
 			if err = writeToDestination(data, talosconfigFile, 0o600); err != nil {
 				return err
 			}
-			talosconfigFileExists = true
 		}
 
 		// Encrypt talosconfig if needed
@@ -385,7 +382,6 @@ var initCmd = &cobra.Command{
 				if err != nil {
 					return fmt.Errorf("failed to generate key: %w", err)
 				}
-				keyFileExists = true // Update flag after creation
 				keyWasCreated = keyCreated
 			}
 
@@ -417,7 +413,7 @@ var initCmd = &cobra.Command{
 			if chartName == initCmdFlags.preset {
 				file := filepath.Join(Config.RootDir, filepath.Join(parts[1:]...))
 				if parts[len(parts)-1] == "Chart.yaml" {
-					writeToDestination([]byte(fmt.Sprintf(content, clusterName, Config.InitOptions.Version)), file, 0o644)
+					err = writeToDestination([]byte(fmt.Sprintf(content, clusterName, Config.InitOptions.Version)), file, 0o644)
 				} else {
 					err = writeToDestination([]byte(content), file, 0o644)
 				}
@@ -429,7 +425,7 @@ var initCmd = &cobra.Command{
 			if chartName == "talm" {
 				file := filepath.Join(Config.RootDir, filepath.Join("charts", path))
 				if parts[len(parts)-1] == "Chart.yaml" {
-					writeToDestination([]byte(fmt.Sprintf(content, "talm", Config.InitOptions.Version)), file, 0o644)
+					err = writeToDestination([]byte(fmt.Sprintf(content, "talm", Config.InitOptions.Version)), file, 0o644)
 				} else {
 					err = writeToDestination([]byte(content), file, 0o644)
 				}
@@ -856,7 +852,6 @@ func handleTalosconfigEncryption(requireKeyForDecrypt bool) (bool, error) {
 			if keyCreated {
 				fmt.Fprintf(os.Stderr, "Generated new encryption key: talm.key\n")
 			}
-			keyFileExists = true
 		}
 
 		// Encrypt talosconfig

diff --git a/pkg/commands/root.go b/pkg/commands/root.go
@@ -30,8 +30,6 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/client"
 )
 
-var kubernetesFlag bool
-
 // GlobalArgs is the common arguments for the root command.
 var GlobalArgs global.Args
 
@@ -72,8 +70,6 @@ var Config struct {
 	}
 }
 
-const pathAutoCompleteLimit = 500
-
 // WithClientNoNodes wraps common code to initialize Talos client and provide cancellable context.
 //
 // WithClientNoNodes doesn't set any node information on the request context.

diff --git a/pkg/commands/rotate_ca_handler.go b/pkg/commands/rotate_ca_handler.go
@@ -0,0 +1,84 @@
+// Copyright Cozystack Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package commands
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+)
+
+// wrapRotateCACommand adds special handling for rotate-ca command:
+// - validates that only one node/endpoint is provided (must be a control-plane node)
+// - updates command description
+func wrapRotateCACommand(wrappedCmd *cobra.Command) {
+	// Update command description to be more helpful
+	wrappedCmd.Long = `Rotates Talos and/or Kubernetes root Certificate Authorities.
+
+This command must be run against a SINGLE control-plane node. The specified node
+will be used to coordinate the CA rotation across the entire cluster.
+
+The command works by:
+1. Auto-discovering all cluster nodes (control-plane and workers)
+2. Generating new CA certificates
+3. Gracefully rolling out the new CAs to all nodes
+4. Updating the talosconfig with new credentials
+
+IMPORTANT: You must specify exactly ONE control-plane node via --endpoints/-e or --nodes/-n
+flags, or through a single config file (-f). The node must be a control-plane node.
+
+By default, both Talos API CA and Kubernetes API CA are rotated. Use --talos=false
+or --kubernetes=false to rotate only one of them.
+
+The command runs in dry-run mode by default. Use --dry-run=false to perform actual rotation.`
+
+	wrappedCmd.Example = `  # Dry-run CA rotation (recommended first step)
+  talm rotate-ca -e 192.168.1.10
+
+  # Rotate CAs using config file (must contain single control-plane node)
+  talm rotate-ca -f nodes/controlplane-1.yaml
+
+  # Actually perform the rotation
+  talm rotate-ca -f nodes/controlplane-1.yaml --dry-run=false
+
+  # Rotate only Talos API CA
+  talm rotate-ca -f nodes/controlplane-1.yaml --kubernetes=false --dry-run=false
+
+  # Rotate only Kubernetes API CA
+  talm rotate-ca -f nodes/controlplane-1.yaml --talos=false --dry-run=false`
+
+	// Store original PreRunE to chain it
+	originalPreRunE := wrappedCmd.PreRunE
+
+	wrappedCmd.PreRunE = func(cmd *cobra.Command, args []string) error {
+		// Run original PreRunE first (processes modeline, syncs GlobalArgs, etc.)
+		if originalPreRunE != nil {
+			if err := originalPreRunE(cmd, args); err != nil {
+				return err
+			}
+		}
+
+		// Validate that only one endpoint/node is provided
+		if len(GlobalArgs.Endpoints) > 1 {
+			return fmt.Errorf("rotate-ca requires exactly one control-plane node, but %d endpoints were provided\n\nThe rotate-ca command coordinates CA rotation across the entire cluster from a single\ncontrol-plane node. Please specify only one endpoint using -e flag or a single config file", len(GlobalArgs.Endpoints))
+		}
+
+		if len(GlobalArgs.Nodes) > 1 {
+			return fmt.Errorf("rotate-ca requires exactly one control-plane node, but %d nodes were provided\n\nThe rotate-ca command coordinates CA rotation across the entire cluster from a single\ncontrol-plane node. Please specify only one node using -n flag or a single config file", len(GlobalArgs.Nodes))
+		}
+
+		return nil
+	}
+}
diff --git a/pkg/commands/talosctl_wrapper.go b/pkg/commands/talosctl_wrapper.go
@@ -94,9 +94,8 @@ func wrapTalosCommand(cmd *cobra.Command, cmdName string) *cobra.Command {
 		}
 		if baseCmdName == "kubeconfig" {
 			if !cmd.Flags().Changed("force") {
-				if err := cmd.Flags().Set("force", "true"); err != nil {
-					// Flag might not exist, ignore error
-				}
+				// Flag might not exist, ignore error
+				_ = cmd.Flags().Set("force", "true")
 			}
 		}
 
@@ -164,6 +163,11 @@ func wrapTalosCommand(cmd *cobra.Command, cmdName string) *cobra.Command {
 		wrapUpgradeCommand(wrappedCmd, originalRunE)
 	}
 
+	// Special handling for rotate-ca command
+	if baseCmdName == "rotate-ca" {
+		wrapRotateCACommand(wrappedCmd)
+	}
+
 	// Copy all subcommands
 	for _, subCmd := range cmd.Commands() {
 		wrappedCmd.AddCommand(wrapTalosCommand(subCmd, subCmd.Name()))

diff --git a/pkg/commands/track.go b/pkg/commands/track.go
diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go
@@ -544,7 +544,7 @@ func applyPatchesAndRenderConfig(ctx context.Context, opts Options, configPatche
 	if err := encoder.Encode(&targetNode); err != nil {
 		return nil, err
 	}
-	encoder.Close()
+	_ = encoder.Close()
 
 	// Append extra documents (like UserVolumeConfig) that are not part of Talos config
 	for _, extraDoc := range extraDocs {

diff --git a/pkg/modeline/modeline.go b/pkg/modeline/modeline.go
@@ -56,7 +56,7 @@ func ReadAndParseModeline(filePath string) (*Config, error) {
 	if err != nil {
 		return nil, fmt.Errorf("error opening config file: %v", err)
 	}
-	defer file.Close()
+	defer func() { _ = file.Close() }()
 
 	scanner := bufio.NewScanner(file)
 	if scanner.Scan() {

diff --git a/pkg/yamltools/yamltools.go b/pkg/yamltools/yamltools.go
@@ -77,7 +77,7 @@ func DiffYAMLs(original, modified []byte) ([]byte, error) {
 	if err := encoder.Encode(diff); err != nil {
 		return nil, err
 	}
-	encoder.Close()
+	_ = encoder.Close()
 
 	return buffer.Bytes(), nil
 }