fix: do not mark SAML and Auth0 config sections as mutually exclusive

Unix4ever · Unix4ever · commit 742faec7001b · 2025-06-16T14:10:41.000+03:00
Auth0 has some configs defined by default, but is disabled.
They clash with each other when SAML is enabled.

Make the check more fine-grained: only fail if both `Auth0.Enabled` and
`SAML.Enabled` are set.

Signed-off-by: Artem Chernyshev &lt;artem.chernyshev@talos-systems.com&gt;
diff --git a/internal/pkg/config/auth.go b/internal/pkg/config/auth.go
@@ -15,11 +15,11 @@ import (
 //nolint:govet
 type Auth struct {
 	// Auth0 auth type configuration.
-	Auth0 Auth0 `yaml:"auth0" validate:"excluded_with=SAML"`
+	Auth0 Auth0 `yaml:"auth0" validate:"excluded_if=SAML.Enabled true"`
 	// WebAuthn auth type configuration.
 	WebAuthn WebAuthn `yaml:"webauthn"`
 	// SAML auth type configuration.
-	SAML SAML `yaml:"saml" validate:"excluded_with=Auth0"`
+	SAML SAML `yaml:"saml"  validate:"excluded_if=Auth0.Enabled true"`
 
 	// KeyPruner automatically removes the unused public keys registered in Omni.
 	KeyPruner KeyPrunerConfig `yaml:"keyPruner"`
diff --git a/internal/pkg/config/testdata/config-full.yaml b/internal/pkg/config/testdata/config-full.yaml
@@ -60,6 +60,8 @@ auth:
     domain: TODO
     initialUsers:
       - test-user@siderolabs.com
+  saml:
+    enabled: false
   initialServiceAccount:
     enabled: true
     role: Admin
diff --git a/internal/pkg/config/testdata/config-no-tls-certs.yaml b/internal/pkg/config/testdata/config-no-tls-certs.yaml
@@ -1,31 +1,31 @@
 account:
-  id:  some-id 
-  name:  some-name 
+  id:  some-id
+  name:  some-name
 
 services:
   api:
-    endpoint:  localhost:8080 
+    endpoint:  localhost:8080
   siderolink:
-    joinTokensMode:  strict 
+    joinTokensMode: strict
   kubernetesProxy:
     endpoint: 0.0.0.0:8095
 
 auth:
   keyPruner:
-    interval:  10m 
+    interval:  10m
 
 logs:
   audit:
-    path:  _out/audit 
+    path:  _out/audit
 
 storage:
   secondary:
-    path:  _out/secondary-storage/bolt.db 
+    path:  _out/secondary-storage/bolt.db
   default:
-    kind:  etcd 
+    kind:  etcd
     etcd:
       privateKeySource: some-source
 registries:
-  talos:  factory.talos.dev 
-  kubernetes:  registry.k8s.io 
-  imageFactoryBaseURL:  https://factory.talos.dev 
+  talos:  factory.talos.dev
+  kubernetes:  registry.k8s.io
+  imageFactoryBaseURL:  https://factory.talos.dev
diff --git a/internal/pkg/config/testdata/conflicting-auth.yaml b/internal/pkg/config/testdata/conflicting-auth.yaml
@@ -10,6 +10,8 @@ services:
     endpoint: 0.0.0.0:8095
     certFile: certFile
     keyFile: keyFile
+  siderolink:
+    joinTokensMode: strict
 
 auth:
   keyPruner:
