fix(examples): resolve high/medium audit findings #73

Merged: jfreed-dev merged 1 commit into main from fix/examples-audit, Jun 21, 2026
@jfreed-dev

Fixes the high and medium findings from the examples audit (the examples/ configs are not covered by CI Validate jobs, so they had drifted).

High

  • talos-full-stack: missing sbc_overlay = "turingrk1" (RK1 won't boot) — added.
  • both examples: grafana_password defaulted to "admin" (5 chars), failing the monitoring module's >= 8 validation on the default path — default removed (now required).

Medium

  • talos-full-stack: cluster module now receives talos_version (config/image version match).
  • both examples: monitoring depends_on now includes module.ingress (Grafana ingress admission-webhook race).
  • talos-full-stack tfvars: talos_firmware no longer points at a stale local v1.9.1 path (commented out → uses the generated overlay image).
  • both tfvars: example IPs restandardized to 10.10.88.x (v1.6.0 convention).

Low items (120s boot wait, required_version >= 1.0 floor) intentionally left out of scope.

Verified: terraform fmt -check clean and terraform validate passes on both examples. Lands under CHANGELOG [Unreleased].

🤖 Generated with Claude Code

Fix correctness/drift in the full-stack examples (not covered by CI):

- talos-full-stack: add sbc_overlay = "turingrk1" (required for RK1 boot),
  pass talos_version to the cluster module (config/image version match).
- both examples: drop the insecure 5-char grafana_password default "admin"
  that failed the monitoring module's >=8-char validation; add
  module.ingress to the monitoring depends_on (Grafana ingress webhook
  race); restandardize example IPs to 10.10.88.x.
- talos tfvars.example: stop defaulting talos_firmware to a stale local
  v1.9.1 path (commented out so the generated overlay image is used).

Verified: terraform fmt -check, and terraform validate on both examples.
jfreed-dev merged commit 16f5b21 into main Jun 21, 2026
19 checks passed
jfreed-dev deleted the fix/examples-audit branch June 21, 2026 01:35
jfreed-dev mentioned this pull request Jun 21, 2026
jfreed-dev added a commit that referenced this pull request Jun 21, 2026
Rolls up the script-audit low-severity hardening (#72) and the
full-stack examples audit fixes (#73) accumulated under [Unreleased].
Scripts/examples only — no module behavior or input/output changes.
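
The two changes this PR applies to both examples (dropping the `"admin"` default for `grafana_password` and adding `module.ingress` to the monitoring `depends_on`) look roughly like the following in Terraform. This is an added sketch, not the repository's code: the module source paths and the root-level validation block are assumptions, and the `depends_on` list is trimmed to the one entry the PR mentions.

```hcl
# Added illustration. Only grafana_password, the monitoring module and
# module.ingress are named in the PR; everything else here is assumed.

# Before: the default is a well-known credential and, at 5 characters,
# fails the monitoring module's >= 8 length validation on the default path.
#
# variable "grafana_password" {
#   type    = string
#   default = "admin"
# }

# After: no default, so the value must be supplied by the caller
# (terraform.tfvars or TF_VAR_grafana_password).
variable "grafana_password" {
  description = "Grafana admin password (minimum 8 characters)"
  type        = string
  sensitive   = true # keeps the value out of plan/apply output

  # Assumed: mirrors the module's length check at the example root so a
  # short value is rejected before any module is evaluated.
  validation {
    condition     = length(var.grafana_password) >= 8
    error_message = "grafana_password must be at least 8 characters."
  }
}

module "ingress" {
  source = "../../modules/ingress" # assumed path
}

module "monitoring" {
  source           = "../../modules/monitoring" # assumed path
  grafana_password = var.grafana_password

  # Order monitoring after ingress so the ingress admission webhook is
  # serving before the Grafana Ingress object is created.
  depends_on = [module.ingress]
}
```

With the default removed, `terraform plan` prompts for (or fails on) a missing `grafana_password` instead of silently deploying a guessable one.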