Create internal package for joinservice

joinservice/internal/kubeadm/kubeadm.go

@@ -0,0 +1,127 @@
+package kubeadm
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/edgelesssys/constellation/internal/constants"
+	"github.com/edgelesssys/constellation/internal/file"
+	"github.com/edgelesssys/constellation/internal/logger"
+	"github.com/spf13/afero"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	certutil "k8s.io/client-go/util/cert"
+	bootstraputil "k8s.io/cluster-bootstrap/token/util"
+	bootstraptoken "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1"
+	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
+	tokenphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node"
+	"k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts"
+	"k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
+	"k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin"
+)
+
+// Kubeadm manages joining of new nodes.
+type Kubeadm struct {
+	log    *logger.Logger
+	client clientset.Interface
+	file   file.Handler
+}
+
+// New creates a new Kubeadm instance.
+func New(log *logger.Logger) (*Kubeadm, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get in-cluster config: %w", err)
+	}
+	client, err := clientset.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create client: %w", err)
+	}
+	file := file.NewHandler(afero.NewOsFs())
+
+	return &Kubeadm{
+		log:    log,
+		client: client,
+		file:   file,
+	}, nil
+}
+
+// GetJoinToken creates a new bootstrap (join) token, which a node can use to join the cluster.
+func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscovery, error) {
+	k.log.Infof("Generating new random bootstrap token")
+	rawToken, err := bootstraputil.GenerateBootstrapToken()
+	if err != nil {
+		return nil, fmt.Errorf("couldn't generate random token: %w", err)
+	}
+	tokenStr, err := bootstraptoken.NewBootstrapTokenString(rawToken)
+	if err != nil {
+		return nil, fmt.Errorf("invalid token: %w", err)
+	}
+	token := bootstraptoken.BootstrapToken{
+		Token:       tokenStr,
+		Description: "Bootstrap token generated by Constellation's Activation service",
+		TTL:         &metav1.Duration{Duration: ttl},
+	}
+
+	// create the token in Kubernetes
+	k.log.Infof("Creating bootstrap token in Kubernetes")
+	if err := tokenphase.CreateNewTokens(k.client, []bootstraptoken.BootstrapToken{token}); err != nil {
+		return nil, fmt.Errorf("creating bootstrap token: %w", err)
+	}
+
+	// parse Kubernetes CA certs
+	k.log.Infof("Preparing join token for new node")
+	rawConfig, err := k.file.Read(constants.CoreOSAdminConfFilename)
+	if err != nil {
+		return nil, fmt.Errorf("loading kubeconfig file: %w", err)
+	}
+	config, err := clientcmd.Load(rawConfig)
+	if err != nil {
+		return nil, fmt.Errorf("loading kubeconfig file: %w", err)
+	}
+	clusterConfig := kubeconfig.GetClusterFromKubeConfig(config)
+	if clusterConfig == nil {
+		return nil, errors.New("couldn't get cluster config from kubeconfig file")
+	}
+	caCerts, err := certutil.ParseCertsPEM(clusterConfig.CertificateAuthorityData)
+	if err != nil {
+		return nil, fmt.Errorf("parsing CA certs: %w", err)
+	}
+	publicKeyPins := make([]string, 0, len(caCerts))
+	for _, caCert := range caCerts {
+		publicKeyPins = append(publicKeyPins, pubkeypin.Hash(caCert))
+	}
+
+	k.log.Infof("Join token creation successful")
+	return &kubeadm.BootstrapTokenDiscovery{
+		Token:             tokenStr.String(),
+		APIServerEndpoint: "10.118.0.1:6443", // This is not HA and should be replaced with the IP of the node issuing the token
+		CACertHashes:      publicKeyPins,
+	}, nil
+}
+
+// GetControlPlaneCertificateKey uploads Kubernetes encrypted CA certificates to Kubernetes and returns the decryption key.
+// The key can be used by new nodes to join the cluster as a control plane node.
+func (k *Kubeadm) GetControlPlaneCertificateKey() (string, error) {
+	k.log.Infof("Creating new random control plane certificate key")
+	key, err := copycerts.CreateCertificateKey()
+	if err != nil {
+		return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
+	}
+
+	k.log.Infof("Uploading certs to Kubernetes")
+	cfg := &kubeadmapi.InitConfiguration{
+		ClusterConfiguration: kubeadmapi.ClusterConfiguration{
+			CertificatesDir: constants.KubeadmCertificateDir,
+		},
+	}
+	if err := copycerts.UploadCerts(k.client, cfg, key); err != nil {
+		return "", fmt.Errorf("uploading certs: %w", err)
+	}
+
+	return key, nil
+}

joinservice/internal/kubeadm/kubeadm_test.go

@@ -0,0 +1,168 @@
+package kubeadm
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/edgelesssys/constellation/internal/constants"
+	"github.com/edgelesssys/constellation/internal/file"
+	"github.com/edgelesssys/constellation/internal/logger"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/goleak"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
+)
+
+func TestMain(m *testing.M) {
+	goleak.VerifyTestMain(m)
+}
+
+func TestGetJoinToken(t *testing.T) {
+	validConf := `apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXpNREE0TWpJd01Gb1hEVE15TURVeU56QTRNakl3TUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmV5CnNubVJQbDYxaXZGWWRIUjFJUjdyRS9PNjNSOVhpVERwM1V4T2tMQzdMaW94bFA0SmRINzdHMUJ4Y2NCSjVISDIKZHBUTklzcjNxMEZ3ckdtK1JVYzdoRjBmZjgwdUtyUVVMN3UrYWlIRU5HSExVSFVnc3V4Tmd1bUxRdnlrRTUzNQp4dWRVSWpVV0g5M3NuRU5GempuWkRZM09SWVdNQ253OVlxMk5CZDdBRktKY1o3WDc3U1I3eStNK3czdGkvQlZpCmNtR1BvRW1WTTV3V0VReFQwYlpxNjcxTXltcmhEenFwbEZ2dkpranFIdVp6dUFhZ0pXWW9nejNsYjZLbCtmdmgKTjBjbFBDMjJyUUJJY01JWDVHdG40bzJ5U2JvQnBoRWNEWkx6TjIyU0tZZ2ViSGQwOU9lcktWdGw5bDl6cmQvVApBWm5jOTNQVCtvWTFsSmdldUE4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZOVmNPNUZZY2NUTVN1SHpJWFZMYlppUnZRVVZNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBTDBsRERnbEsvY1JCNHVoQXJBRwpRSDhOeGtCSnhGNXYrVWMyZVFGa3dRTlB5SkU3QTRMV2p1eEVLN25meWVrTk91c2N2Wm1DQzVJNFhVZHAzb0ptCnZzSVlsN2YvMEFaMUt3d1RvQSt3cFF2QVB1NHlhM251MkZkMC9DVkViazNUZTV1MzRmQkxvL0YzK0Q2dFZLb2gKbVpGYmdoVjdMZms5SlQ4UzZjbGxyYjZkT3dCdGViUDBMQWZJd0hWaDBZNEsyY0thc3ZtU2xtMktpRXdURlBrbgpTSkNWWnI1aUJ3eGFadk1mYlpEaDk1bGZCbEtCVkdMNm5CcWs2TEpKM0VVd0tocTFGZEoyT0lSTkF0em14Z0R3CnNkOWd0SE4rK0pUcnhDa0ZBUTdwVWptdXBjZmpDOWhRRk1HOTRzTzk5elhZd2svTEdhV3FlS0pBYlRiNVdoRWcKYU5ZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+    server: https://127.0.0.1:16443
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: kubernetes-admin
+  name: kubernetes-admin@kubernetes
+current-context: kubernetes-admin@kubernetes`
+
+	missingCA := `apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: https://127.0.0.1:16443
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: kubernetes-admin
+  name: kubernetes-admin@kubernetes
+current-context: kubernetes-admin@kubernetes`
+
+	testCases := map[string]struct {
+		adminConf string
+		wantErr   bool
+	}{
+		"success": {
+			adminConf: validConf,
+		},
+		"no certificate-authority-data": {
+			adminConf: missingCA,
+			wantErr:   true,
+		},
+		"no cluster config": {
+			adminConf: `apiVersion: v1
+kind: Config`,
+			wantErr: true,
+		},
+		"invalid config": {
+			adminConf: "not a config",
+			wantErr:   true,
+		},
+		"config does not exist": {
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			client := &Kubeadm{
+				log:    logger.NewTest(t),
+				file:   file.NewHandler(afero.NewMemMapFs()),
+				client: fake.NewSimpleClientset(),
+			}
+			if tc.adminConf != "" {
+				require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone))
+			}
+
+			res, err := client.GetJoinToken(time.Minute)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.NotNil(res)
+			}
+		})
+	}
+}
+
+func TestGetControlPlaneCertificateKey(t *testing.T) {
+	testCases := map[string]struct {
+		wantErr bool
+		client  clientset.Interface
+	}{
+		"success": {
+			client:  fake.NewSimpleClientset(),
+			wantErr: false,
+		},
+		"failure": {
+			client: &failingClient{
+				fake.NewSimpleClientset(),
+			},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			client := &Kubeadm{
+				log:    logger.NewTest(t),
+				client: tc.client,
+			}
+
+			_, err := client.GetControlPlaneCertificateKey()
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+			}
+		})
+	}
+}
+
+type failingClient struct {
+	*fake.Clientset
+}
+
+func (f *failingClient) CoreV1() corev1.CoreV1Interface {
+	return &failingCoreV1{
+		&fakecorev1.FakeCoreV1{Fake: &f.Clientset.Fake},
+	}
+}
+
+type failingCoreV1 struct {
+	*fakecorev1.FakeCoreV1
+}
+
+func (f *failingCoreV1) Secrets(namespace string) corev1.SecretInterface {
+	return &failingSecretInterface{
+		&fakecorev1.FakeSecrets{Fake: f.FakeCoreV1},
+	}
+}
+
+type failingSecretInterface struct {
+	*fakecorev1.FakeSecrets
+}
+
+// copycerts.UploadCerts will fail if a secret already exists.
+func (f *failingSecretInterface) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Secret, error) {
+	return &v1.Secret{}, nil
+}