mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-08-14 09:45:34 -04:00
implement small changes
This commit is contained in:
miampf
parent
f386dbc95f
commit
21c9cd6a26
7 changed files with 27 additions and 29 deletions
|
|
@ -272,7 +272,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := c.fileHandler.Write(constants.SSHCAKeyPath, ticket.EmergencyCaKey, file.OptMkdirAll); err != nil {
|
if err := c.fileHandler.Write(constants.SSHCAKeyPath, ticket.EmergencyCaKey, file.OptMkdirAll); err != nil {
|
||||||
return fmt.Errorf("writing ca key: %w", err)
|
return fmt.Errorf("writing ssh ca key: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
state := nodestate.NodeState{
|
state := nodestate.NodeState{
|
||||||
|
|
|
||||||
|
|
@ -25,13 +25,6 @@ import (
|
||||||
"golang.org/x/crypto/ssh"
|
"golang.org/x/crypto/ssh"
|
||||||
)
|
)
|
||||||
|
|
||||||
var permissions = ssh.Permissions{
|
|
||||||
Extensions: map[string]string{
|
|
||||||
"permit-port-forwarding": "yes",
|
|
||||||
"permit-pty": "yes",
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
// NewSSHCmd returns a new cobra.Command for the ssh command.
|
// NewSSHCmd returns a new cobra.Command for the ssh command.
|
||||||
func NewSSHCmd() *cobra.Command {
|
func NewSSHCmd() *cobra.Command {
|
||||||
cmd := &cobra.Command{
|
cmd := &cobra.Command{
|
||||||
|
|
@ -41,7 +34,7 @@ func NewSSHCmd() *cobra.Command {
|
||||||
Args: cobra.ExactArgs(0),
|
Args: cobra.ExactArgs(0),
|
||||||
RunE: runSSH,
|
RunE: runSSH,
|
||||||
}
|
}
|
||||||
cmd.Flags().String("key", "", "The path to an existing ssh public key.")
|
cmd.Flags().String("key", "", "the path to an existing ssh public key.")
|
||||||
must(cmd.MarkFlagRequired("key"))
|
must(cmd.MarkFlagRequired("key"))
|
||||||
return cmd
|
return cmd
|
||||||
}
|
}
|
||||||
|
|
@ -72,7 +65,7 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
|
||||||
|
|
||||||
// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
|
// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
|
||||||
var mastersecret uri.MasterSecret
|
var mastersecret uri.MasterSecret
|
||||||
if err = fh.ReadJSON(fmt.Sprintf("%s.json", constants.ConstellationMasterSecretStoreName), &mastersecret); err != nil {
|
if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
|
||||||
return fmt.Errorf("reading master secret: %s", err)
|
return fmt.Errorf("reading master secret: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -81,12 +74,12 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("setting up KMS: %s", err)
|
return fmt.Errorf("setting up KMS: %s", err)
|
||||||
}
|
}
|
||||||
key, err := kms.GetDEK(ctx, crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
|
sshCAKeySeed, err := kms.GetDEK(ctx, crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("retrieving key from KMS: %s", err)
|
return fmt.Errorf("retrieving key from KMS: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ca, err := crypto.GenerateEmergencySSHCAKey(key)
|
ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("generating ssh emergency CA key: %s", err)
|
return fmt.Errorf("generating ssh emergency CA key: %s", err)
|
||||||
}
|
}
|
||||||
|
|
@ -109,7 +102,12 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
|
||||||
ValidAfter: uint64(time.Now().Unix()),
|
ValidAfter: uint64(time.Now().Unix()),
|
||||||
ValidBefore: uint64(time.Now().Add(24 * time.Hour).Unix()),
|
ValidBefore: uint64(time.Now().Add(24 * time.Hour).Unix()),
|
||||||
ValidPrincipals: []string{"root"},
|
ValidPrincipals: []string{"root"},
|
||||||
Permissions: permissions,
|
Permissions: ssh.Permissions{
|
||||||
|
Extensions: map[string]string{
|
||||||
|
"permit-port-forwarding": "yes",
|
||||||
|
"permit-pty": "yes",
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
if err := certificate.SignCert(rand.Reader, ca); err != nil {
|
if err := certificate.SignCert(rand.Reader, ca); err != nil {
|
||||||
return fmt.Errorf("signing certificate: %s", err)
|
return fmt.Errorf("signing certificate: %s", err)
|
||||||
|
|
|
||||||
|
|
@ -65,8 +65,8 @@ func GenerateRandomBytes(length int) ([]byte, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// GenerateEmergencySSHCAKey creates a CA that is used to sign keys for emergency ssh access.
|
// GenerateEmergencySSHCAKey creates a CA that is used to sign keys for emergency ssh access.
|
||||||
func GenerateEmergencySSHCAKey(key []byte) (ssh.Signer, error) {
|
func GenerateEmergencySSHCAKey(seed []byte) (ssh.Signer, error) {
|
||||||
_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
|
_, priv, err := ed25519.GenerateKey(bytes.NewReader(seed))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -155,9 +155,9 @@ func TestGenerateEmergencySSHCAKey(t *testing.T) {
|
||||||
|
|
||||||
_, err := GenerateEmergencySSHCAKey(tc.key)
|
_, err := GenerateEmergencySSHCAKey(tc.key)
|
||||||
if tc.wantErr {
|
if tc.wantErr {
|
||||||
assert.NotNil(err)
|
assert.Error(err)
|
||||||
} else {
|
} else {
|
||||||
assert.Nil(err)
|
assert.NoError(err)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -103,14 +103,14 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Info("Requesting emergency SSH CA derivation key")
|
log.Info("Requesting emergency SSH CA derivation key")
|
||||||
ssheCADerivationKey, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
|
sshCAKeySeed, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.With(slog.Any("error", err)).Error("Failed to get emergency SSH CA derivation key")
|
log.With(slog.Any("error", err)).Error("Failed to get seed material to derive SSH CA key")
|
||||||
return nil, status.Errorf(codes.Internal, "getting emergency SSH CA derivation key: %s", err)
|
return nil, status.Errorf(codes.Internal, "getting emergency SSH CA seed material: %s", err)
|
||||||
}
|
}
|
||||||
ca, err := crypto.GenerateEmergencySSHCAKey(ssheCADerivationKey)
|
ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from derivation key")
|
log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from seed material")
|
||||||
return nil, status.Errorf(codes.Internal, "generating ssh emergency CA key: %s", err)
|
return nil, status.Errorf(codes.Internal, "generating ssh emergency CA key: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -181,7 +181,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
||||||
KubeletCert: kubeletCert,
|
KubeletCert: kubeletCert,
|
||||||
ControlPlaneFiles: controlPlaneFiles,
|
ControlPlaneFiles: controlPlaneFiles,
|
||||||
KubernetesComponents: components,
|
KubernetesComponents: components,
|
||||||
EmergencyCaKey: ssh.MarshalAuthorizedKey(ca.PublicKey()),
|
AuthorizedCaPublicKey: ssh.MarshalAuthorizedKey(ca.PublicKey()),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -99,7 +99,7 @@ type IssueJoinTicketResponse struct {
|
||||||
ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,8,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"`
|
ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,8,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"`
|
||||||
KubernetesVersion string `protobuf:"bytes,9,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"`
|
KubernetesVersion string `protobuf:"bytes,9,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"`
|
||||||
KubernetesComponents []*components.Component `protobuf:"bytes,10,rep,name=kubernetes_components,json=kubernetesComponents,proto3" json:"kubernetes_components,omitempty"`
|
KubernetesComponents []*components.Component `protobuf:"bytes,10,rep,name=kubernetes_components,json=kubernetesComponents,proto3" json:"kubernetes_components,omitempty"`
|
||||||
EmergencyCaKey []byte `protobuf:"bytes,11,opt,name=emergency_ca_key,json=emergencyCaKey,proto3" json:"emergency_ca_key,omitempty"`
|
EmergencyCaPubkey []byte `protobuf:"bytes,11,opt,name=emergency_ca_pubkey,json=emergencyCaPubkey,proto3" json:"emergency_ca_pubkey,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x *IssueJoinTicketResponse) Reset() {
|
func (x *IssueJoinTicketResponse) Reset() {
|
||||||
|
|
@ -202,9 +202,9 @@ func (x *IssueJoinTicketResponse) GetKubernetesComponents() []*components.Compon
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x *IssueJoinTicketResponse) GetEmergencyCaKey() []byte {
|
func (x *IssueJoinTicketResponse) GetEmergencyCaPubkey() []byte {
|
||||||
if x != nil {
|
if x != nil {
|
||||||
return x.EmergencyCaKey
|
return x.EmergencyCaPubkey
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
@ -374,7 +374,7 @@ var file_joinservice_joinproto_join_proto_rawDesc = string([]byte{
|
||||||
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
|
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
|
||||||
0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70,
|
0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70,
|
||||||
0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f,
|
0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f,
|
||||||
0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x22, 0xb8, 0x04, 0x0a, 0x17, 0x49,
|
0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x22, 0xbe, 0x04, 0x0a, 0x17, 0x49,
|
||||||
0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65,
|
0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65,
|
||||||
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f,
|
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f,
|
||||||
0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c,
|
0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c,
|
||||||
|
|
|
||||||
|
|
@ -45,8 +45,8 @@ message IssueJoinTicketResponse {
|
||||||
string kubernetes_version = 9;
|
string kubernetes_version = 9;
|
||||||
// kubernetes_components is a list of components to install on the node.
|
// kubernetes_components is a list of components to install on the node.
|
||||||
repeated components.Component kubernetes_components = 10;
|
repeated components.Component kubernetes_components = 10;
|
||||||
// emergency_ca_key is an ssh ca key that can be used to connect to a node in case of an emergency.
|
// authorized_ca_public_key is an ssh ca key that can be used to connect to a node in case of an emergency.
|
||||||
bytes emergency_ca_key = 11;
|
bytes authorized_ca_public_key = 11;
|
||||||
}
|
}
|
||||||
|
|
||||||
message control_plane_cert_or_key {
|
message control_plane_cert_or_key {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue