Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-08-14 09:45:34 -04:00
Code Issues Projects Releases Packages Wiki Activity

implement small changes

Browse source
This commit is contained in:
miampf 2025-01-16 16:20:03 +01:00
parent f386dbc95f
commit 21c9cd6a26
No known key found for this signature in database
GPG key ID: EF039364B5B6886C
7 changed files with 27 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

2
bootstrapper/internal/joinclient/joinclient.go
View file

@ -272,7 +272,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse,
}
if err := c.fileHandler.Write(constants.SSHCAKeyPath, ticket.EmergencyCaKey, file.OptMkdirAll); err != nil {
return fmt.Errorf("writing ca key: %w", err)
return fmt.Errorf("writing ssh ca key: %w", err)
}
state := nodestate.NodeState{

22
cli/internal/cmd/ssh.go
View file

@ -25,13 +25,6 @@ import (
"golang.org/x/crypto/ssh"
)
var permissions = ssh.Permissions{
Extensions: map[string]string{
"permit-port-forwarding": "yes",
"permit-pty": "yes",
},
}
// NewSSHCmd returns a new cobra.Command for the ssh command.
func NewSSHCmd() *cobra.Command {
cmd := &cobra.Command{
@ -41,7 +34,7 @@ func NewSSHCmd() *cobra.Command {
Args: cobra.ExactArgs(0),
RunE: runSSH,
}
cmd.Flags().String("key", "", "The path to an existing ssh public key.")
cmd.Flags().String("key", "", "the path to an existing ssh public key.")
must(cmd.MarkFlagRequired("key"))
return cmd
}
@ -72,7 +65,7 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
// NOTE(miampf): Since other KMS aren't fully implemented yet, this commands assumes that the cKMS is used and derives the key accordingly.
var mastersecret uri.MasterSecret
if err = fh.ReadJSON(fmt.Sprintf("%s.json", constants.ConstellationMasterSecretStoreName), &mastersecret); err != nil {
if err = fh.ReadJSON(constants.MasterSecretFilename, &mastersecret); err != nil {
return fmt.Errorf("reading master secret: %s", err)
}
@ -81,12 +74,12 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
if err != nil {
return fmt.Errorf("setting up KMS: %s", err)
}
key, err := kms.GetDEK(ctx, crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
sshCAKeySeed, err := kms.GetDEK(ctx, crypto.DEKPrefix+constants.SSHCAKeySuffix, ed25519.SeedSize)
if err != nil {
return fmt.Errorf("retrieving key from KMS: %s", err)
}
ca, err := crypto.GenerateEmergencySSHCAKey(key)
ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
if err != nil {
return fmt.Errorf("generating ssh emergency CA key: %s", err)
}
@ -109,7 +102,12 @@ func generateKey(ctx context.Context, keyPath string, fh file.Handler, debugLogg
ValidAfter: uint64(time.Now().Unix()),
ValidBefore: uint64(time.Now().Add(24 * time.Hour).Unix()),
ValidPrincipals: []string{"root"},
Permissions: permissions,
Permissions: ssh.Permissions{
Extensions: map[string]string{
"permit-port-forwarding": "yes",
"permit-pty": "yes",
},
},
}
if err := certificate.SignCert(rand.Reader, ca); err != nil {
return fmt.Errorf("signing certificate: %s", err)

4
internal/crypto/crypto.go
View file

@ -65,8 +65,8 @@ func GenerateRandomBytes(length int) ([]byte, error) {
}
// GenerateEmergencySSHCAKey creates a CA that is used to sign keys for emergency ssh access.
func GenerateEmergencySSHCAKey(key []byte) (ssh.Signer, error) {
_, priv, err := ed25519.GenerateKey(bytes.NewReader(key))
func GenerateEmergencySSHCAKey(seed []byte) (ssh.Signer, error) {
_, priv, err := ed25519.GenerateKey(bytes.NewReader(seed))
if err != nil {
return nil, err
}

4
internal/crypto/crypto_test.go
View file

@ -155,9 +155,9 @@ func TestGenerateEmergencySSHCAKey(t *testing.T) {
_, err := GenerateEmergencySSHCAKey(tc.key)
if tc.wantErr {
assert.NotNil(err)
assert.Error(err)
} else {
assert.Nil(err)
assert.NoError(err)
}
})
}

12
joinservice/internal/server/server.go
View file

@ -103,14 +103,14 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
}
log.Info("Requesting emergency SSH CA derivation key")
ssheCADerivationKey, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
sshCAKeySeed, err := s.dataKeyGetter.GetDataKey(ctx, constants.SSHCAKeySuffix, ed25519.SeedSize)
if err != nil {
log.With(slog.Any("error", err)).Error("Failed to get emergency SSH CA derivation key")
return nil, status.Errorf(codes.Internal, "getting emergency SSH CA derivation key: %s", err)
log.With(slog.Any("error", err)).Error("Failed to get seed material to derive SSH CA key")
return nil, status.Errorf(codes.Internal, "getting emergency SSH CA seed material: %s", err)
}
ca, err := crypto.GenerateEmergencySSHCAKey(ssheCADerivationKey)
ca, err := crypto.GenerateEmergencySSHCAKey(sshCAKeySeed)
if err != nil {
log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from derivation key")
log.With(slog.Any("error", err)).Error("Failed to derive ssh CA key from seed material")
return nil, status.Errorf(codes.Internal, "generating ssh emergency CA key: %s", err)
}
@ -181,7 +181,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
KubeletCert: kubeletCert,
ControlPlaneFiles: controlPlaneFiles,
KubernetesComponents: components,
EmergencyCaKey: ssh.MarshalAuthorizedKey(ca.PublicKey()),
AuthorizedCaPublicKey: ssh.MarshalAuthorizedKey(ca.PublicKey()),
}, nil
}

8
joinservice/joinproto/join.pb.go
View file

@ -99,7 +99,7 @@ type IssueJoinTicketResponse struct {
ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,8,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"`
KubernetesVersion string `protobuf:"bytes,9,opt,name=kubernetes_version,json=kubernetesVersion,proto3" json:"kubernetes_version,omitempty"`
KubernetesComponents []*components.Component `protobuf:"bytes,10,rep,name=kubernetes_components,json=kubernetesComponents,proto3" json:"kubernetes_components,omitempty"`
EmergencyCaKey []byte `protobuf:"bytes,11,opt,name=emergency_ca_key,json=emergencyCaKey,proto3" json:"emergency_ca_key,omitempty"`
EmergencyCaPubkey []byte `protobuf:"bytes,11,opt,name=emergency_ca_pubkey,json=emergencyCaPubkey,proto3" json:"emergency_ca_pubkey,omitempty"`
}
func (x *IssueJoinTicketResponse) Reset() {
@ -202,9 +202,9 @@ func (x *IssueJoinTicketResponse) GetKubernetesComponents() []*components.Compon
return nil
}
func (x *IssueJoinTicketResponse) GetEmergencyCaKey() []byte {
func (x *IssueJoinTicketResponse) GetEmergencyCaPubkey() []byte {
if x != nil {
return x.EmergencyCaKey
return x.EmergencyCaPubkey
}
return nil
}
@ -374,7 +374,7 @@ var file_joinservice_joinproto_join_proto_rawDesc = string([]byte{
0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70,
0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f,
0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x22, 0xb8, 0x04, 0x0a, 0x17, 0x49,
0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x22, 0xbe, 0x04, 0x0a, 0x17, 0x49,
0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65,
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f,
0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c,

4
joinservice/joinproto/join.proto
View file

@ -45,8 +45,8 @@ message IssueJoinTicketResponse {
string kubernetes_version = 9;
// kubernetes_components is a list of components to install on the node.
repeated components.Component kubernetes_components = 10;
// emergency_ca_key is an ssh ca key that can be used to connect to a node in case of an emergency.
bytes emergency_ca_key = 11;
// authorized_ca_public_key is an ssh ca key that can be used to connect to a node in case of an emergency.
bytes authorized_ca_public_key = 11;
}
message control_plane_cert_or_key {