write master secret after config verification
This commit is contained in:
parent
6440904865
commit
00e72db5d8
@ -105,7 +105,7 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
serviceAccURI, err := getMarschaledServiceAccountURI(provider, config, fileHandler)
|
serviceAccURI, err := getMarshaledServiceAccountURI(provider, config, fileHandler)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -126,11 +126,16 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
|||||||
return fmt.Errorf("loading Helm charts: %w", err)
|
return fmt.Errorf("loading Helm charts: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
masterSecret, err := readOrGenerateMasterSecret(cmd.OutOrStdout(), fileHandler, flags.masterSecretPath)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("parsing or generating master secret from file %s: %w", flags.masterSecretPath, err)
|
||||||
|
}
|
||||||
|
|
||||||
cmd.Println("Initializing cluster ...")
|
cmd.Println("Initializing cluster ...")
|
||||||
req := &initproto.InitRequest{
|
req := &initproto.InitRequest{
|
||||||
AutoscalingNodeGroups: autoscalingNodeGroups,
|
AutoscalingNodeGroups: autoscalingNodeGroups,
|
||||||
MasterSecret: flags.masterSecret.Key,
|
MasterSecret: masterSecret.Key,
|
||||||
Salt: flags.masterSecret.Salt,
|
Salt: masterSecret.Salt,
|
||||||
KmsUri: kms.ClusterKMSURI,
|
KmsUri: kms.ClusterKMSURI,
|
||||||
StorageUri: kms.NoStoreURI,
|
StorageUri: kms.NoStoreURI,
|
||||||
KeyEncryptionKeyId: "",
|
KeyEncryptionKeyId: "",
|
||||||
@ -253,10 +258,6 @@ func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, erro
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return initFlags{}, fmt.Errorf("parsing master-secret path flag: %w", err)
|
return initFlags{}, fmt.Errorf("parsing master-secret path flag: %w", err)
|
||||||
}
|
}
|
||||||
masterSecret, err := readOrGenerateMasterSecret(cmd.OutOrStdout(), fileHandler, masterSecretPath)
|
|
||||||
if err != nil {
|
|
||||||
return initFlags{}, fmt.Errorf("parsing or generating master mastersecret from file %s: %w", masterSecretPath, err)
|
|
||||||
}
|
|
||||||
endpoint, err := cmd.Flags().GetString("endpoint")
|
endpoint, err := cmd.Flags().GetString("endpoint")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return initFlags{}, fmt.Errorf("parsing endpoint flag: %w", err)
|
return initFlags{}, fmt.Errorf("parsing endpoint flag: %w", err)
|
||||||
@ -277,19 +278,19 @@ func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, erro
|
|||||||
}
|
}
|
||||||
|
|
||||||
return initFlags{
|
return initFlags{
|
||||||
configPath: configPath,
|
configPath: configPath,
|
||||||
endpoint: endpoint,
|
endpoint: endpoint,
|
||||||
autoscale: autoscale,
|
autoscale: autoscale,
|
||||||
masterSecret: masterSecret,
|
masterSecretPath: masterSecretPath,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// initFlags are the resulting values of flag preprocessing.
|
// initFlags are the resulting values of flag preprocessing.
|
||||||
type initFlags struct {
|
type initFlags struct {
|
||||||
configPath string
|
configPath string
|
||||||
masterSecret masterSecret
|
masterSecretPath string
|
||||||
endpoint string
|
endpoint string
|
||||||
autoscale bool
|
autoscale bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// masterSecret holds the master key and salt for deriving keys.
|
// masterSecret holds the master key and salt for deriving keys.
|
||||||
@ -347,7 +348,7 @@ func readIPFromIDFile(fileHandler file.Handler) (string, error) {
|
|||||||
return idFile.IP, nil
|
return idFile.IP, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func getMarschaledServiceAccountURI(provider cloudprovider.Provider, config *config.Config, fileHandler file.Handler) (string, error) {
|
func getMarshaledServiceAccountURI(provider cloudprovider.Provider, config *config.Config, fileHandler file.Handler) (string, error) {
|
||||||
switch provider {
|
switch provider {
|
||||||
case cloudprovider.GCP:
|
case cloudprovider.GCP:
|
||||||
path := config.Provider.GCP.ServiceAccountKeyPath
|
path := config.Provider.GCP.ServiceAccountKeyPath
|
||||||
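Review bot: The readOrGenerateMasterSecret call that now sits in initialize (second hunk, after the Helm charts are loaded) is placed there deliberately so that a config that fails verification never leaves a freshly generated secret file behind, but nothing in the code says so, and a later refactor could move it back into evalFlagArgs without noticing. A comment above the call would pin the intent, e.g. `// Read or generate the master secret only after config verification, so a rejected config never writes a new secret file to disk.`, and the new `masterSecretPath` field in initFlags could carry a one-line note that the secret itself is resolved in initialize. The secret is still written before the init request is sent, so a failed RPC leaves the file in place for a retry to pick up — presumably intended, since the helper reads an existing file first, but worth confirming. initialize and evalFlagArgs both start and end outside their hunks.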
|
@ -68,15 +68,16 @@ func TestInitialize(t *testing.T) {
|
|||||||
someErr := errors.New("failed")
|
someErr := errors.New("failed")
|
||||||
|
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
state *state.ConstellationState
|
state *state.ConstellationState
|
||||||
idFile *clusterIDsFile
|
idFile *clusterIDsFile
|
||||||
configMutator func(*config.Config)
|
configMutator func(*config.Config)
|
||||||
serviceAccKey *gcpshared.ServiceAccountKey
|
serviceAccKey *gcpshared.ServiceAccountKey
|
||||||
helmLoader stubHelmLoader
|
helmLoader stubHelmLoader
|
||||||
initServerAPI *stubInitServer
|
initServerAPI *stubInitServer
|
||||||
endpointFlag string
|
endpointFlag string
|
||||||
setAutoscaleFlag bool
|
masterSecretShouldExist bool
|
||||||
wantErr bool
|
setAutoscaleFlag bool
|
||||||
|
wantErr bool
|
||||||
}{
|
}{
|
||||||
"initialize some gcp instances": {
|
"initialize some gcp instances": {
|
||||||
state: testGcpState,
|
state: testGcpState,
|
||||||
@ -139,12 +140,17 @@ func TestInitialize(t *testing.T) {
|
|||||||
c.Provider.Azure.ResourceGroup = "resourceGroup"
|
c.Provider.Azure.ResourceGroup = "resourceGroup"
|
||||||
c.Provider.Azure.UserAssignedIdentity = "userAssignedIdentity"
|
c.Provider.Azure.UserAssignedIdentity = "userAssignedIdentity"
|
||||||
},
|
},
|
||||||
initServerAPI: &stubInitServer{},
|
initServerAPI: &stubInitServer{},
|
||||||
wantErr: true,
|
masterSecretShouldExist: true,
|
||||||
|
wantErr: true,
|
||||||
},
|
},
|
||||||
"fail to load helm charts": {
|
"fail missing enforced PCR": {
|
||||||
state: testGcpState,
|
state: testGcpState,
|
||||||
helmLoader: stubHelmLoader{loadErr: someErr},
|
idFile: &clusterIDsFile{IP: "192.0.2.1"},
|
||||||
|
configMutator: func(c *config.Config) {
|
||||||
|
c.Provider.GCP.EnforcedMeasurements = append(c.Provider.GCP.EnforcedMeasurements, 10)
|
||||||
|
},
|
||||||
|
serviceAccKey: gcpServiceAccKey,
|
||||||
initServerAPI: &stubInitServer{initResp: testInitResp},
|
initServerAPI: &stubInitServer{initResp: testInitResp},
|
||||||
wantErr: true,
|
wantErr: true,
|
||||||
},
|
},
|
||||||
@ -209,6 +215,10 @@ func TestInitialize(t *testing.T) {
|
|||||||
|
|
||||||
if tc.wantErr {
|
if tc.wantErr {
|
||||||
assert.Error(err)
|
assert.Error(err)
|
||||||
|
if !tc.masterSecretShouldExist {
|
||||||
|
_, err = fileHandler.Stat(constants.MasterSecretFilename)
|
||||||
|
assert.Error(err)
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
@ -219,6 +229,10 @@ func TestInitialize(t *testing.T) {
|
|||||||
} else {
|
} else {
|
||||||
assert.Len(tc.initServerAPI.activateAutoscalingNodeGroups, 0)
|
assert.Len(tc.initServerAPI.activateAutoscalingNodeGroups, 0)
|
||||||
}
|
}
|
||||||
|
var secret masterSecret
|
||||||
|
assert.NoError(fileHandler.ReadJSON(constants.MasterSecretFilename, &secret))
|
||||||
|
assert.NotEmpty(secret.Key)
|
||||||
|
assert.NotEmpty(secret.Salt)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -303,7 +317,7 @@ func TestInitCompletion(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestReadOrGeneratedMasterSecret(t *testing.T) {
|
func TestReadOrGenerateMasterSecret(t *testing.T) {
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
filename string
|
filename string
|
||||||
createFileFunc func(handler file.Handler) error
|
createFileFunc func(handler file.Handler) error
|
||||||
|
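Review bot: The new masterSecretShouldExist flag is only checked in its negative form in the wantErr branch of TestInitialize (fourth hunk of this file): when it is true, the test never asserts that the secret file was actually written, so the Azure case that sets it would pass even if generation silently failed before the error. Replacing the inner check with `_, err = fileHandler.Stat(constants.MasterSecretFilename)` followed by `if tc.masterSecretShouldExist { assert.NoError(err) } else { assert.Error(err) }` covers both directions with the same table entry. Separately, the "fail to load helm charts" case (stubHelmLoader{loadErr: someErr}) was replaced by "fail missing enforced PCR" rather than kept alongside it, so the `loading Helm charts` error path no longer has a visible test unless it is covered elsewhere in the table. The test function starts and ends outside the hunks.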