constellation/bootstrapper/internal/joinclient/client.go

434 lines
12 KiB
Go
Raw Normal View History

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
2022-06-21 11:59:12 -04:00
package joinclient
import (
"context"
"errors"
"fmt"
"net"
"path/filepath"
2022-06-21 11:59:12 -04:00
"strconv"
"sync"
"time"
2022-09-21 07:47:57 -04:00
"github.com/edgelesssys/constellation/v2/bootstrapper/internal/diskencryption"
"github.com/edgelesssys/constellation/v2/bootstrapper/internal/kubelet"
"github.com/edgelesssys/constellation/v2/internal/attestation"
"github.com/edgelesssys/constellation/v2/internal/cloud/metadata"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/internal/nodestate"
"github.com/edgelesssys/constellation/v2/internal/role"
"github.com/edgelesssys/constellation/v2/joinservice/joinproto"
2022-06-21 11:59:12 -04:00
"github.com/spf13/afero"
"go.uber.org/zap"
"google.golang.org/grpc"
2022-06-28 12:33:27 -04:00
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
2022-06-21 11:59:12 -04:00
"k8s.io/utils/clock"
)
const (
2022-07-05 08:14:11 -04:00
interval = 30 * time.Second
timeout = 30 * time.Second
joinTimeout = 5 * time.Minute
2022-06-21 11:59:12 -04:00
)
2022-07-05 04:36:31 -04:00
// JoinClient is a client for requesting the needed information and
// joining an existing Kubernetes cluster.
2022-06-21 11:59:12 -04:00
type JoinClient struct {
nodeLock locker
2022-06-21 11:59:12 -04:00
diskUUID string
nodeName string
role role.Role
validIPs []net.IP
2022-06-28 12:33:27 -04:00
disk encryptedDisk
2022-06-21 11:59:12 -04:00
fileHandler file.Handler
2022-07-05 08:14:11 -04:00
timeout time.Duration
joinTimeout time.Duration
interval time.Duration
clock clock.WithTicker
2022-06-21 11:59:12 -04:00
dialer grpcDialer
joiner ClusterJoiner
cleaner cleaner
2022-06-28 12:33:27 -04:00
metadataAPI MetadataAPI
2022-06-21 11:59:12 -04:00
log *logger.Logger
2022-06-21 11:59:12 -04:00
mux sync.Mutex
stopC chan struct{}
stopDone chan struct{}
}
2022-07-05 04:36:31 -04:00
// New creates a new JoinClient.
func New(lock locker, dial grpcDialer, joiner ClusterJoiner, meta MetadataAPI, log *logger.Logger) *JoinClient {
2022-06-21 11:59:12 -04:00
return &JoinClient{
2022-07-05 08:14:11 -04:00
nodeLock: lock,
2022-06-21 11:59:12 -04:00
disk: diskencryption.New(),
fileHandler: file.NewHandler(afero.NewOsFs()),
timeout: timeout,
2022-07-05 08:14:11 -04:00
joinTimeout: joinTimeout,
2022-06-21 11:59:12 -04:00
interval: interval,
clock: clock.RealClock{},
dialer: dial,
joiner: joiner,
metadataAPI: meta,
2022-07-05 08:13:19 -04:00
log: log.Named("join-client"),
2022-06-21 11:59:12 -04:00
}
}
2022-07-05 04:36:31 -04:00
// Start starts the client routine. The client will make the needed API calls to join
// the cluster with the role it receives from the metadata API.
// After receiving the needed information, the node will join the cluster.
2022-06-21 11:59:12 -04:00
// Multiple calls of start on the same client won't start a second routine if there is
// already a routine running.
func (c *JoinClient) Start(cleaner cleaner) {
2022-06-21 11:59:12 -04:00
c.mux.Lock()
defer c.mux.Unlock()
if c.stopC != nil { // daemon already running
return
}
c.log.Infof("Starting")
2022-06-21 11:59:12 -04:00
c.stopC = make(chan struct{}, 1)
c.stopDone = make(chan struct{}, 1)
c.cleaner = cleaner
2022-06-21 11:59:12 -04:00
ticker := c.clock.NewTicker(c.interval)
go func() {
defer ticker.Stop()
defer func() { c.stopDone <- struct{}{} }()
defer c.log.Infof("Client stopped")
2022-06-21 11:59:12 -04:00
2022-06-28 12:33:27 -04:00
diskUUID, err := c.getDiskUUID()
2022-06-21 11:59:12 -04:00
if err != nil {
c.log.With(zap.Error(err)).Errorf("Failed to get disk UUID")
2022-06-21 11:59:12 -04:00
return
}
c.diskUUID = diskUUID
for {
err := c.getNodeMetadata()
if err == nil {
c.log.With(zap.String("role", c.role.String()), zap.String("name", c.nodeName)).Infof("Received own instance metadata")
2022-06-21 11:59:12 -04:00
break
}
c.log.With(zap.Error(err)).Errorf("Failed to retrieve instance metadata")
2022-06-21 11:59:12 -04:00
c.log.With(zap.Duration("interval", c.interval)).Infof("Sleeping")
2022-06-21 11:59:12 -04:00
select {
case <-c.stopC:
return
case <-ticker.C():
}
}
for {
2022-07-05 08:13:19 -04:00
err := c.tryJoinWithAvailableServices()
2022-06-21 11:59:12 -04:00
if err == nil {
c.log.Infof("Joined successfully. Client is shutting down")
2022-06-21 11:59:12 -04:00
return
2022-06-28 12:33:27 -04:00
} else if isUnrecoverable(err) {
c.log.With(zap.Error(err)).Errorf("Unrecoverable error occurred")
2022-06-28 12:33:27 -04:00
return
2022-06-21 11:59:12 -04:00
}
c.log.With(zap.Error(err)).Warnf("Join failed for all available endpoints")
2022-06-21 11:59:12 -04:00
c.log.With(zap.Duration("interval", c.interval)).Infof("Sleeping")
2022-06-21 11:59:12 -04:00
select {
case <-c.stopC:
return
case <-ticker.C():
}
}
}()
}
// Stop stops the client and blocks until the client's routine is stopped.
func (c *JoinClient) Stop() {
c.mux.Lock()
defer c.mux.Unlock()
if c.stopC == nil { // daemon not running
return
}
c.log.Infof("Stopping")
2022-06-21 11:59:12 -04:00
c.stopC <- struct{}{}
<-c.stopDone
c.stopC = nil
c.stopDone = nil
c.log.Infof("Stopped")
2022-06-21 11:59:12 -04:00
}
2022-07-05 08:13:19 -04:00
func (c *JoinClient) tryJoinWithAvailableServices() error {
ips, err := c.getControlPlaneIPs()
2022-06-21 11:59:12 -04:00
if err != nil {
return err
}
if len(ips) == 0 {
return errors.New("no control plane IPs found")
2022-06-21 11:59:12 -04:00
}
for _, ip := range ips {
2022-07-05 05:41:31 -04:00
err = c.join(net.JoinHostPort(ip, strconv.Itoa(constants.JoinServiceNodePort)))
2022-06-21 11:59:12 -04:00
if err == nil {
return nil
}
2022-07-05 05:41:31 -04:00
if isUnrecoverable(err) {
return err
}
2022-06-21 11:59:12 -04:00
}
return err
}
func (c *JoinClient) join(serviceEndpoint string) error {
ctx, cancel := c.timeoutCtx()
defer cancel()
certificateRequest, kubeletKey, err := kubelet.GetCertificateRequest(c.nodeName, c.validIPs)
if err != nil {
return err
}
2022-06-21 11:59:12 -04:00
conn, err := c.dialer.Dial(ctx, serviceEndpoint)
if err != nil {
c.log.With(zap.String("endpoint", serviceEndpoint), zap.Error(err)).Errorf("Join service unreachable")
2022-07-05 05:41:31 -04:00
return fmt.Errorf("dialing join service endpoint: %w", err)
2022-06-21 11:59:12 -04:00
}
defer conn.Close()
2022-07-05 05:41:31 -04:00
protoClient := joinproto.NewAPIClient(conn)
req := &joinproto.IssueJoinTicketRequest{
DiskUuid: c.diskUUID,
CertificateRequest: certificateRequest,
IsControlPlane: c.role == role.ControlPlane,
2022-06-21 11:59:12 -04:00
}
2022-07-05 05:41:31 -04:00
ticket, err := protoClient.IssueJoinTicket(ctx, req)
2022-06-21 11:59:12 -04:00
if err != nil {
c.log.With(zap.String("endpoint", serviceEndpoint), zap.Error(err)).Errorf("Issuing join ticket failed")
2022-07-05 05:41:31 -04:00
return fmt.Errorf("issuing join ticket: %w", err)
2022-06-21 11:59:12 -04:00
}
return c.startNodeAndJoin(ticket, kubeletKey)
2022-06-21 11:59:12 -04:00
}
func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse, kubeletKey []byte) (retErr error) {
2022-07-05 08:14:11 -04:00
ctx, cancel := context.WithTimeout(context.Background(), c.joinTimeout)
defer cancel()
2022-06-28 12:33:27 -04:00
// If an error occurs in this func, the client cannot continue.
defer func() {
if retErr != nil {
retErr = unrecoverableError{retErr}
}
}()
clusterID, err := attestation.DeriveClusterID(ticket.MeasurementSecret, ticket.MeasurementSalt)
if err != nil {
return err
}
nodeLockAcquired, err := c.nodeLock.TryLockOnce(clusterID)
if err != nil {
c.log.With(zap.Error(err)).Errorf("Acquiring node lock failed")
return fmt.Errorf("acquiring node lock: %w", err)
}
if !nodeLockAcquired {
2022-06-28 12:33:27 -04:00
// There is already a cluster initialization in progress on
// this node, so there is no need to also join the cluster,
// as the initializing node is automatically part of the cluster.
2022-06-21 11:59:12 -04:00
return errors.New("node is already being initialized")
}
c.cleaner.Clean()
2022-07-05 05:41:31 -04:00
if err := c.updateDiskPassphrase(string(ticket.StateDiskKey)); err != nil {
2022-06-21 11:59:12 -04:00
return fmt.Errorf("updating disk passphrase: %w", err)
}
if c.role == role.ControlPlane {
if err := c.writeControlPlaneFiles(ticket.ControlPlaneFiles); err != nil {
return fmt.Errorf("writing control plane files: %w", err)
}
}
if err := c.fileHandler.Write(kubelet.CertificateFilename, ticket.KubeletCert, file.OptMkdirAll); err != nil {
return fmt.Errorf("writing kubelet certificate: %w", err)
}
if err := c.fileHandler.Write(kubelet.KeyFilename, kubeletKey, file.OptMkdirAll); err != nil {
return fmt.Errorf("writing kubelet key: %w", err)
}
2022-06-21 11:59:12 -04:00
state := nodestate.NodeState{
Role: c.role,
MeasurementSalt: ticket.MeasurementSalt,
2022-06-21 11:59:12 -04:00
}
if err := state.ToFile(c.fileHandler); err != nil {
return fmt.Errorf("persisting node state: %w", err)
}
btd := &kubeadm.BootstrapTokenDiscovery{
2022-07-05 05:41:31 -04:00
APIServerEndpoint: ticket.ApiServerEndpoint,
2022-07-05 08:14:11 -04:00
Token: ticket.Token,
2022-07-05 05:41:31 -04:00
CACertHashes: []string{ticket.DiscoveryTokenCaCertHash},
2022-06-21 11:59:12 -04:00
}
if err := c.joiner.JoinCluster(ctx, btd, c.role, ticket.KubernetesVersion, c.log); err != nil {
2022-06-21 11:59:12 -04:00
return fmt.Errorf("joining Kubernetes cluster: %w", err)
}
return nil
}
func (c *JoinClient) getNodeMetadata() error {
ctx, cancel := c.timeoutCtx()
defer cancel()
c.log.Debugf("Requesting node metadata from metadata API")
2022-06-21 11:59:12 -04:00
inst, err := c.metadataAPI.Self(ctx)
if err != nil {
return err
}
c.log.With(zap.Any("instance", inst)).Debugf("Received node metadata")
2022-06-21 11:59:12 -04:00
if inst.Name == "" {
return errors.New("got instance metadata with empty name")
}
if inst.Role == role.Unknown {
return errors.New("got instance metadata with unknown role")
}
var ips []net.IP
if inst.VPCIP != "" {
ips = append(ips, net.ParseIP(inst.VPCIP))
}
2022-06-21 11:59:12 -04:00
c.nodeName = inst.Name
c.role = inst.Role
c.validIPs = ips
2022-06-21 11:59:12 -04:00
return nil
}
func (c *JoinClient) updateDiskPassphrase(passphrase string) error {
if err := c.disk.Open(); err != nil {
return fmt.Errorf("opening disk: %w", err)
}
defer c.disk.Close()
return c.disk.UpdatePassphrase(passphrase)
}
2022-06-28 12:33:27 -04:00
func (c *JoinClient) getDiskUUID() (string, error) {
2022-06-21 11:59:12 -04:00
if err := c.disk.Open(); err != nil {
return "", fmt.Errorf("opening disk: %w", err)
}
defer c.disk.Close()
return c.disk.UUID()
}
func (c *JoinClient) getControlPlaneIPs() ([]string, error) {
2022-06-21 11:59:12 -04:00
ctx, cancel := c.timeoutCtx()
defer cancel()
instances, err := c.metadataAPI.List(ctx)
if err != nil {
c.log.With(zap.Error(err)).Errorf("Failed to list instances from metadata API")
2022-06-21 11:59:12 -04:00
return nil, fmt.Errorf("listing instances from metadata API: %w", err)
}
ips := []string{}
for _, instance := range instances {
if instance.Role == role.ControlPlane && instance.VPCIP != "" {
ips = append(ips, instance.VPCIP)
2022-06-21 11:59:12 -04:00
}
}
c.log.With(zap.Strings("IPs", ips)).Infof("Received control plane endpoints")
2022-06-21 11:59:12 -04:00
return ips, nil
}
func (c *JoinClient) writeControlPlaneFiles(files []*joinproto.ControlPlaneCertOrKey) error {
for _, cert := range files {
if err := c.fileHandler.Write(
filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, cert.Name),
cert.Data,
file.OptMkdirAll,
); err != nil {
return fmt.Errorf("writing control plane files: %w", err)
}
}
return nil
}
2022-06-21 11:59:12 -04:00
func (c *JoinClient) timeoutCtx() (context.Context, context.CancelFunc) {
return context.WithTimeout(context.Background(), c.timeout)
}
2022-06-28 12:33:27 -04:00
type unrecoverableError struct{ error }
func isUnrecoverable(err error) bool {
2022-07-05 07:33:03 -04:00
_, ok := err.(unrecoverableError)
2022-06-28 12:33:27 -04:00
return ok
}
2022-06-21 11:59:12 -04:00
type grpcDialer interface {
Dial(ctx context.Context, target string) (*grpc.ClientConn, error)
}
2022-06-28 12:33:27 -04:00
// ClusterJoiner has the ability to join a new node to an existing cluster.
2022-06-21 11:59:12 -04:00
type ClusterJoiner interface {
2022-06-28 12:33:27 -04:00
// JoinCluster joins a new node to an existing cluster.
2022-06-21 11:59:12 -04:00
JoinCluster(
ctx context.Context,
args *kubeadm.BootstrapTokenDiscovery,
peerRole role.Role,
k8sVersion string,
log *logger.Logger,
2022-06-21 11:59:12 -04:00
) error
}
2022-06-28 12:33:27 -04:00
// MetadataAPI provides information about the instances.
type MetadataAPI interface {
2022-06-21 11:59:12 -04:00
// List retrieves all instances belonging to the current constellation.
List(ctx context.Context) ([]metadata.InstanceMetadata, error)
// Self retrieves the current instance.
Self(ctx context.Context) (metadata.InstanceMetadata, error)
}
2022-06-28 12:33:27 -04:00
type encryptedDisk interface {
2022-06-21 11:59:12 -04:00
// Open prepares the underlying device for disk operations.
Open() error
// Close closes the underlying device.
Close() error
// UUID gets the device's UUID.
UUID() (string, error)
// UpdatePassphrase switches the initial random passphrase of the encrypted disk to a permanent passphrase.
UpdatePassphrase(passphrase string) error
}
type cleaner interface {
Clean()
}
type locker interface {
// TryLockOnce tries to lock the node. If the node is already locked, it
// returns false. If the node is unlocked, it locks it and returns true.
TryLockOnce(clusterID []byte) (bool, error)
}