kubernetes: support for certKey request / support for control-plane join

Signed-off-by: Benedict Schlueter <bs@edgeless.systems>

coordinator/kubernetes/k8sapi/joinargs.go

@@ -32,6 +32,7 @@ func ParseJoinCommand(joinCommand string) (*kubeadm.BootstrapTokenDiscovery, err
 	flags.StringVar(&result.Token, "token", "", "")
 	flags.StringVar(&caCertHash, "discovery-token-ca-cert-hash", "", "")
 	flags.Bool("control-plane", false, "")
+	flags.String("certificate-key", "", "")
 	if err := flags.Parse(argv[3:]); err != nil {
 		return nil, fmt.Errorf("parsing flag arguments failed: %v %w", argv, err)
 	}

coordinator/kubernetes/k8sapi/kubeadm_config.go

@@ -179,6 +179,16 @@ func (k *KubeadmJoinYAML) SetProviderID(providerID string) {
 	k.KubeletConfiguration.ProviderID = providerID
 }
 
+func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string, certificateKey string) {
+	k.JoinConfiguration.ControlPlane = &kubeadm.JoinControlPlane{
+		LocalAPIEndpoint: kubeadm.APIEndpoint{
+			AdvertiseAddress: advertiseAddress,
+			BindPort:         6443,
+		},
+		CertificateKey: certificateKey,
+	}
+}
+
 func (k *KubeadmJoinYAML) Marshal() ([]byte, error) {
 	return resources.MarshalK8SResources(k)
 }

coordinator/kubernetes/k8sapi/kubeadm_config_test.go

@@ -103,6 +103,7 @@ func TestJoinConfiguration(t *testing.T) {
 				c.SetToken("token")
 				c.AppendDiscoveryTokenCaCertHash("discovery-token-ca-cert-hash")
 				c.SetProviderID("somecloudprovider://instance-id")
+				c.SetControlPlane("192.0.2.0", "11111111111111111111111111111111111")
 				return c
 			}(),
 		},

coordinator/kubernetes/k8sapi/util.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"regexp"
 	"strings"
 
 	"github.com/edgelesssys/constellation/coordinator/kubernetes/k8sapi/resources"
@@ -29,6 +30,7 @@ type ClusterUtil interface {
 	SetupCloudControllerManager(kubectl Client, cloudControllerManagerConfiguration resources.Marshaler, configMaps resources.Marshaler, secrets resources.Marshaler) error
 	SetupCloudNodeManager(kubectl Client, cloudNodeManagerConfiguration resources.Marshaler) error
 	RestartKubelet() error
+	GetControlPlaneJoinCertificateKey() (string, error)
 }
 
 type KubernetesUtil struct{}
@@ -167,3 +169,29 @@ func (k *KubernetesUtil) JoinCluster(joinConfig []byte) error {
 func (k *KubernetesUtil) RestartKubelet() error {
 	return RestartSystemdUnit("kubelet.service")
 }
+
+// GetControlPlaneJoinCertificateKey return the key which can be used in combination with the joinArgs
+// to join the Cluster as control-plane.
+func (k *KubernetesUtil) GetControlPlaneJoinCertificateKey() (string, error) {
+	// Key will be valid for 1h (no option to reduce the duration).
+	// https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-upload-certs
+	output, err := exec.Command("kubeadm", "init", "phase", "upload-certs", "--upload-certs").Output()
+	if err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			return "", fmt.Errorf("kubeadm upload-certs failed (code %v) with: %s", exitErr.ExitCode(), exitErr.Stderr)
+		}
+		return "", fmt.Errorf("kubeadm upload-certs failed: %w", err)
+	}
+	// Example output:
+	/*
+		[upload-certs] Storing the certificates in ConfigMap "kubeadm-certs" in the "kube-system" Namespace
+		[upload-certs] Using certificate key:
+		9555b74008f24687eb964bd90a164ecb5760a89481d9c55a77c129b7db438168
+	*/
+	key := regexp.MustCompile("[a-f0-9]{64}").FindString(string(output))
+	if key == "" {
+		return "", fmt.Errorf("failed to parse kubeadm output: %s", string(output))
+	}
+	return key, nil
+}