From ce8c86d640949d24107d9057358b39c860fc1e70 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Date: Tue, 21 May 2024 17:37:50 +0400
Subject: [PATCH] fix: panic in osroot controller

Fixes #8753

There seems to be a problem in the machine config anyways, as
`machine.ca.crt` is missing for the worker (this should break `apid`
connectivity), but still Talos controller shouldn't enter a panic loop.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
---
 internal/app/machined/pkg/controllers/secrets/root.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/app/machined/pkg/controllers/secrets/root.go b/internal/app/machined/pkg/controllers/secrets/root.go
index ac7d4c5a11..230f0d332a 100644
--- a/internal/app/machined/pkg/controllers/secrets/root.go
+++ b/internal/app/machined/pkg/controllers/secrets/root.go
@@ -165,11 +165,11 @@ func NewRootOSController() *RootOSController {
 					osSecrets.AcceptedCAs = append(osSecrets.AcceptedCAs, &x509.PEMEncodedCertificate{
 						Crt: osSecrets.IssuingCA.Crt,
 					})
-				}
 
-				if len(osSecrets.IssuingCA.Key) == 0 {
-					// drop incomplete issuing CA, as the machine config for workers contains just the cert
-					osSecrets.IssuingCA = nil
+					if len(osSecrets.IssuingCA.Key) == 0 {
+						// drop incomplete issuing CA, as the machine config for workers contains just the cert
+						osSecrets.IssuingCA = nil
+					}
 				}
 
 				osSecrets.CertSANIPs = nil