diff --git a/bootstrapper/cmd/bootstrapper/test.go b/bootstrapper/cmd/bootstrapper/test.go index 52acb949c..7ad920f7b 100644 --- a/bootstrapper/cmd/bootstrapper/test.go +++ b/bootstrapper/cmd/bootstrapper/test.go @@ -21,7 +21,7 @@ func (c *clusterFake) InitCluster(context.Context, []string, string, string, att } // JoinCluster will fake joining the current node to an existing cluster. -func (c *clusterFake) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, string, role.Role, *zap.Logger) error { +func (c *clusterFake) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, role.Role, *zap.Logger) error { return nil } diff --git a/bootstrapper/internal/joinclient/client.go b/bootstrapper/internal/joinclient/client.go index 90ae04b77..a1ced9e11 100644 --- a/bootstrapper/internal/joinclient/client.go +++ b/bootstrapper/internal/joinclient/client.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "net" + "path/filepath" "strconv" "sync" "time" @@ -20,6 +21,7 @@ import ( "go.uber.org/zap" "google.golang.org/grpc" kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" + kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" "k8s.io/utils/clock" ) @@ -236,6 +238,12 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse) return fmt.Errorf("updating disk passphrase: %w", err) } + if c.role == role.ControlPlane { + if err := c.writeControlePlaneFiles(ticket.ControlPlaneFiles); err != nil { + return fmt.Errorf("writing control plane files: %w", err) + } + } + state := nodestate.NodeState{ Role: c.role, OwnerID: ticket.OwnerId, @@ -250,7 +258,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse) Token: ticket.Token, CACertHashes: []string{ticket.DiscoveryTokenCaCertHash}, } - if err := c.joiner.JoinCluster(ctx, btd, ticket.CertificateKey, c.role, c.log); err != nil { + if err := c.joiner.JoinCluster(ctx, btd, c.role, c.log); err != nil { return fmt.Errorf("joining Kubernetes cluster: %w", err) } @@ -319,6 +327,20 @@ func (c *JoinClient) getControlPlaneIPs() ([]string, error) { return ips, nil } +func (c *JoinClient) writeControlePlaneFiles(files []*joinproto.ControlPlaneCertOrKey) error { + for _, cert := range files { + if err := c.fileHandler.Write( + filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, cert.Name), + cert.Data, + file.OptMkdirAll, + ); err != nil { + return fmt.Errorf("writing control plane files: %w", err) + } + } + + return nil +} + func (c *JoinClient) timeoutCtx() (context.Context, context.CancelFunc) { return context.WithTimeout(context.Background(), c.timeout) } @@ -340,7 +362,6 @@ type ClusterJoiner interface { JoinCluster( ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, - certKey string, peerRole role.Role, logger *zap.Logger, ) error diff --git a/bootstrapper/internal/joinclient/client_test.go b/bootstrapper/internal/joinclient/client_test.go index 6f64f6461..646dbd64a 100644 --- a/bootstrapper/internal/joinclient/client_test.go +++ b/bootstrapper/internal/joinclient/client_test.go @@ -386,7 +386,7 @@ type stubClusterJoiner struct { joinClusterErr error } -func (j *stubClusterJoiner) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, string, role.Role, *zap.Logger) error { +func (j *stubClusterJoiner) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, role.Role, *zap.Logger) error { j.joinClusterCalled = true return j.joinClusterErr } diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go index ba506d1bc..9303ae91b 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go @@ -201,14 +201,14 @@ func (k *KubeadmJoinYAML) SetProviderID(providerID string) { k.KubeletConfiguration.ProviderID = providerID } -func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string, certificateKey string) { +func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string) { k.JoinConfiguration.ControlPlane = &kubeadm.JoinControlPlane{ LocalAPIEndpoint: kubeadm.APIEndpoint{ AdvertiseAddress: advertiseAddress, BindPort: 6443, }, - CertificateKey: certificateKey, } + k.JoinConfiguration.SkipPhases = []string{"control-plane-prepare/download-certs"} } func (k *KubeadmJoinYAML) Marshal() ([]byte, error) { diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go index 3cc941fa0..bdf5caa4e 100644 --- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go +++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go @@ -68,7 +68,7 @@ func TestJoinConfiguration(t *testing.T) { c.SetToken("token") c.AppendDiscoveryTokenCaCertHash("discovery-token-ca-cert-hash") c.SetProviderID("somecloudprovider://instance-id") - c.SetControlPlane("192.0.2.0", "11111111111111111111111111111111111") + c.SetControlPlane("192.0.2.0") return c }(), }, diff --git a/bootstrapper/internal/kubernetes/kubernetes.go b/bootstrapper/internal/kubernetes/kubernetes.go index cb43cb907..d2b8ccdb4 100644 --- a/bootstrapper/internal/kubernetes/kubernetes.go +++ b/bootstrapper/internal/kubernetes/kubernetes.go @@ -206,7 +206,7 @@ func (k *KubeWrapper) InitCluster( } // JoinCluster joins existing Kubernetes cluster. -func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, certKey string, peerRole role.Role, logger *zap.Logger) error { +func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, peerRole role.Role, logger *zap.Logger) error { // TODO: k8s version should be user input if err := k.clusterUtil.InstallComponents(ctx, "1.23.6"); err != nil { return err @@ -242,7 +242,7 @@ func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTo joinConfig.SetNodeName(nodeName) joinConfig.SetProviderID(providerID) if peerRole == role.ControlPlane { - joinConfig.SetControlPlane(nodeInternalIP, certKey) + joinConfig.SetControlPlane(nodeInternalIP) } joinConfigYAML, err := joinConfig.Marshal() if err != nil { diff --git a/bootstrapper/internal/kubernetes/kubernetes_test.go b/bootstrapper/internal/kubernetes/kubernetes_test.go index 8af243e6c..56f31c852 100644 --- a/bootstrapper/internal/kubernetes/kubernetes_test.go +++ b/bootstrapper/internal/kubernetes/kubernetes_test.go @@ -294,7 +294,6 @@ func TestJoinCluster(t *testing.T) { } privateIP := "192.0.2.1" - certKey := "cert-key" testCases := map[string]struct { clusterUtil stubClusterUtil @@ -390,8 +389,8 @@ func TestJoinCluster(t *testing.T) { AdvertiseAddress: "192.0.2.1", BindPort: 6443, }, - CertificateKey: certKey, }, + SkipPhases: []string{"control-plane-prepare/download-certs"}, }, }, "kubeadm join worker fails when retrieving self metadata": { @@ -426,7 +425,7 @@ func TestJoinCluster(t *testing.T) { getIPAddr: func() (string, error) { return privateIP, nil }, } - err := kube.JoinCluster(context.Background(), joinCommand, certKey, tc.role, zaptest.NewLogger(t)) + err := kube.JoinCluster(context.Background(), joinCommand, tc.role, zaptest.NewLogger(t)) if tc.wantErr { assert.Error(err) return diff --git a/joinservice/internal/kubeadm/keymanager.go b/joinservice/internal/kubeadm/keymanager.go deleted file mode 100644 index ffadccef8..000000000 --- a/joinservice/internal/kubeadm/keymanager.go +++ /dev/null @@ -1,75 +0,0 @@ -package kubeadm - -import ( - "fmt" - "sync" - "time" - - "github.com/edgelesssys/constellation/internal/constants" - "github.com/edgelesssys/constellation/internal/logger" - clientset "k8s.io/client-go/kubernetes" - kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" - "k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts" - "k8s.io/utils/clock" -) - -// certificateKeyTTL is the time a certificate key is valid for. -const certificateKeyTTL = time.Hour - -// keyManager handles creation of certificate encryption keys. -type keyManager struct { - mux sync.Mutex - key string - expirationDate time.Time - clock clock.Clock - client clientset.Interface - log *logger.Logger -} - -func newKeyManager(client clientset.Interface, log *logger.Logger) *keyManager { - return &keyManager{ - clock: clock.RealClock{}, - client: client, - log: log, - } -} - -// getCertificatetKey returns the encryption key to use for uploading PKI certificates to Kubernetes. -// A Key is cached for one hour, but its expiration date is extended by two minutes if a request is made -// within two minutes of the key expiring to avoid just-expired keys. -// This is necessary since uploading a certificate with a different key overwrites any others. -// This means we can no longer decrypt the certificates using an old key. -func (k *keyManager) getCertificatetKey() (string, error) { - k.mux.Lock() - defer k.mux.Unlock() - - switch { - case k.key == "" || k.expirationDate.Before(k.clock.Now()): - // key was not yet generated, or has expired - // generate a new key and set TTL - key, err := copycerts.CreateCertificateKey() - if err != nil { - return "", fmt.Errorf("couldn't create control plane certificate key: %w", err) - } - k.expirationDate = k.clock.Now().Add(certificateKeyTTL) - k.key = key - k.log.Infof("Uploading certs to Kubernetes") - cfg := &kubeadmapi.InitConfiguration{ - ClusterConfiguration: kubeadmapi.ClusterConfiguration{ - CertificatesDir: constants.KubeadmCertificateDir, - }, - } - if err := copycerts.UploadCerts(k.client, cfg, key); err != nil { - return "", fmt.Errorf("uploading certs: %w", err) - } - case k.expirationDate.After(k.clock.Now()): - // key is still valid - // if TTL is less than 2 minutes away, increase it by 2 minutes - // this is to avoid the key expiring too soon when a node uses it to join the cluster - if k.expirationDate.Sub(k.clock.Now()) < 2*time.Minute { - k.expirationDate = k.expirationDate.Add(2 * time.Minute) - } - } - - return k.key, nil -} diff --git a/joinservice/internal/kubeadm/keymanager_test.go b/joinservice/internal/kubeadm/keymanager_test.go deleted file mode 100644 index c524f5bd0..000000000 --- a/joinservice/internal/kubeadm/keymanager_test.go +++ /dev/null @@ -1,96 +0,0 @@ -package kubeadm - -import ( - "testing" - "time" - - "github.com/edgelesssys/constellation/internal/logger" - "github.com/stretchr/testify/assert" - clientset "k8s.io/client-go/kubernetes" - "k8s.io/client-go/kubernetes/fake" - corev1 "k8s.io/client-go/kubernetes/typed/core/v1" - fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake" - "k8s.io/utils/clock" - testclock "k8s.io/utils/clock/testing" -) - -func TestKeyManager(t *testing.T) { - testCases := map[string]struct { - clock clock.Clock - client clientset.Interface - ttl time.Time - key string - shouldReuse bool - wantErr bool - }{ - "no key exists": { - clock: testclock.NewFakeClock(time.Time{}), - client: fake.NewSimpleClientset(), - }, - "key exists and is valid": { - clock: testclock.NewFakeClock(time.Time{}), - client: fake.NewSimpleClientset(), - ttl: time.Time{}.Add(time.Hour), - key: "key", - shouldReuse: true, - }, - "key has expired": { - clock: testclock.NewFakeClock(time.Time{}.Add(time.Hour)), - client: fake.NewSimpleClientset(), - ttl: time.Time{}, - key: "key", - }, - "key expires in the next 30 seconds": { - clock: testclock.NewFakeClock(time.Time{}), - client: fake.NewSimpleClientset(), - ttl: time.Time{}.Add(30 * time.Second), - key: "key", - shouldReuse: true, - }, - "uploading certs fails": { - clock: testclock.NewFakeClock(time.Time{}), - client: &failingClient{ - fake.NewSimpleClientset(), - }, - }, - } - - for name, tc := range testCases { - t.Run(name, func(t *testing.T) { - assert := assert.New(t) - - km := &keyManager{ - expirationDate: tc.ttl, - key: tc.key, - clock: tc.clock, - log: logger.NewTest(t), - client: fake.NewSimpleClientset(), - } - - key, err := km.getCertificatetKey() - if tc.wantErr { - assert.Error(err) - return - } - assert.NoError(err) - assert.True(km.expirationDate.After(tc.clock.Now().Add(2 * time.Minute))) - - if tc.shouldReuse { - assert.Equal(tc.key, key) - } else { - assert.Equal(km.key, key) - assert.NotEqual(tc.key, key) - } - }) - } -} - -type failingClient struct { - *fake.Clientset -} - -func (f *failingClient) CoreV1() corev1.CoreV1Interface { - return &failingCoreV1{ - &fakecorev1.FakeCoreV1{Fake: &f.Clientset.Fake}, - } -} diff --git a/joinservice/internal/kubeadm/kubeadm.go b/joinservice/internal/kubeadm/kubeadm.go index 73d13834c..a2a289fcf 100644 --- a/joinservice/internal/kubeadm/kubeadm.go +++ b/joinservice/internal/kubeadm/kubeadm.go @@ -3,6 +3,7 @@ package kubeadm import ( "errors" "fmt" + "path/filepath" "time" "github.com/edgelesssys/constellation/internal/constants" @@ -17,6 +18,7 @@ import ( bootstraputil "k8s.io/cluster-bootstrap/token/util" bootstraptoken "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1" kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" + kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" tokenphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node" "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig" "k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin" @@ -26,7 +28,6 @@ import ( type Kubeadm struct { apiServerEndpoint string log *logger.Logger - keyManager *keyManager client clientset.Interface file file.Handler } @@ -46,7 +47,6 @@ func New(apiServerEndpoint string, log *logger.Logger) (*Kubeadm, error) { return &Kubeadm{ apiServerEndpoint: apiServerEndpoint, log: log, - keyManager: newKeyManager(client, log), client: client, file: file, }, nil @@ -108,13 +108,39 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov }, nil } -// GetControlPlaneCertificateKey uploads Kubernetes encrypted CA certificates to Kubernetes and returns the decryption key. -// The key can be used by new nodes to join the cluster as a control plane node. -func (k *Kubeadm) GetControlPlaneCertificateKey() (string, error) { - k.log.Infof("Creating new random control plane certificate key (or returning cached key)") - key, err := k.keyManager.getCertificatetKey() - if err != nil { - return "", fmt.Errorf("couldn't create control plane certificate key: %w", err) +// GetControlPlaneCertificatesAndKeys loads the Kubernetes CA certificates and keys. +func (k *Kubeadm) GetControlPlaneCertificatesAndKeys() (map[string][]byte, error) { + k.log.Infof("Loading control plane certificates and keys") + controlPlaneFiles := make(map[string][]byte) + + keyFilenames := []string{ + kubeconstants.CAKeyName, + kubeconstants.ServiceAccountPrivateKeyName, + kubeconstants.FrontProxyCAKeyName, + kubeconstants.EtcdCAKeyName, } - return key, nil + certFilenames := []string{ + kubeconstants.CACertName, + kubeconstants.ServiceAccountPublicKeyName, + kubeconstants.FrontProxyCACertName, + kubeconstants.EtcdCACertName, + } + + for _, keyFilename := range keyFilenames { + key, err := k.file.Read(filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, keyFilename)) + if err != nil { + return nil, err + } + controlPlaneFiles[keyFilename] = key + } + + for _, certFilename := range certFilenames { + cert, err := k.file.Read(filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, certFilename)) + if err != nil { + return nil, err + } + controlPlaneFiles[certFilename] = cert + } + + return controlPlaneFiles, nil } diff --git a/joinservice/internal/kubeadm/kubeadm_test.go b/joinservice/internal/kubeadm/kubeadm_test.go index ef33a1063..13bbd1ffb 100644 --- a/joinservice/internal/kubeadm/kubeadm_test.go +++ b/joinservice/internal/kubeadm/kubeadm_test.go @@ -1,7 +1,7 @@ package kubeadm import ( - "context" + "path/filepath" "testing" "time" @@ -12,12 +12,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/goleak" - v1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes/fake" - corev1 "k8s.io/client-go/kubernetes/typed/core/v1" - fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake" - testclock "k8s.io/utils/clock/testing" + kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" ) func TestMain(m *testing.M) { @@ -83,10 +79,9 @@ kind: Config`, require := require.New(t) client := &Kubeadm{ - log: logger.NewTest(t), - keyManager: &keyManager{clock: testclock.NewFakeClock(time.Time{})}, - file: file.NewHandler(afero.NewMemMapFs()), - client: fake.NewSimpleClientset(), + log: logger.NewTest(t), + file: file.NewHandler(afero.NewMemMapFs()), + client: fake.NewSimpleClientset(), } if tc.adminConf != "" { require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone)) @@ -103,21 +98,70 @@ kind: Config`, } } -type failingCoreV1 struct { - *fakecorev1.FakeCoreV1 -} +func TestGetControlPlaneCertificatesAndKeys(t *testing.T) { + someData := []byte{0x1, 0x2, 0x3} -func (f *failingCoreV1) Secrets(namespace string) corev1.SecretInterface { - return &failingSecretInterface{ - &fakecorev1.FakeSecrets{Fake: f.FakeCoreV1}, + testCases := map[string]struct { + preExistingFiles map[string][]byte + wantErr bool + }{ + "success": { + preExistingFiles: map[string][]byte{ + kubeconstants.CAKeyName: someData, + kubeconstants.ServiceAccountPrivateKeyName: someData, + kubeconstants.FrontProxyCAKeyName: someData, + kubeconstants.EtcdCAKeyName: someData, + kubeconstants.CACertName: someData, + kubeconstants.ServiceAccountPublicKeyName: someData, + kubeconstants.FrontProxyCACertName: someData, + kubeconstants.EtcdCACertName: someData, + }, + }, + "missing key": { + preExistingFiles: map[string][]byte{ + kubeconstants.CACertName: someData, + kubeconstants.ServiceAccountPublicKeyName: someData, + kubeconstants.FrontProxyCACertName: someData, + kubeconstants.EtcdCACertName: someData, + }, + wantErr: true, + }, + "missing cert": { + preExistingFiles: map[string][]byte{ + kubeconstants.CAKeyName: someData, + kubeconstants.ServiceAccountPrivateKeyName: someData, + kubeconstants.FrontProxyCAKeyName: someData, + kubeconstants.EtcdCAKeyName: someData, + }, + wantErr: true, + }, + } + + for name, tc := range testCases { + t.Run(name, func(t *testing.T) { + assert := assert.New(t) + require := require.New(t) + + client := &Kubeadm{ + log: logger.NewTest(t), + file: file.NewHandler(afero.NewMemMapFs()), + client: fake.NewSimpleClientset(), + } + for filename, content := range tc.preExistingFiles { + require.NoError(client.file.Write( + filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, filename), + content, + file.OptNone, + )) + } + + files, err := client.GetControlPlaneCertificatesAndKeys() + if tc.wantErr { + assert.Error(err) + } else { + assert.NoError(err) + assert.NotNil(files) + } + }) } } - -type failingSecretInterface struct { - *fakecorev1.FakeSecrets -} - -// copycerts.UploadCerts will fail if a secret already exists. -func (f *failingSecretInterface) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Secret, error) { - return &v1.Secret{}, nil -} diff --git a/joinservice/internal/server/server.go b/joinservice/internal/server/server.go index a61ba57fa..c5548bb14 100644 --- a/joinservice/internal/server/server.go +++ b/joinservice/internal/server/server.go @@ -106,13 +106,20 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err) } - var certKey string + var controlPlaneFiles []*joinproto.ControlPlaneCertOrKey if req.IsControlPlane { log.Infof("Creating control plane certificate key") - certKey, err = s.joinTokenGetter.GetControlPlaneCertificateKey() + filesMap, err := s.joinTokenGetter.GetControlPlaneCertificatesAndKeys() if err != nil { return nil, fmt.Errorf("ActivateControlPlane failed: %w", err) } + + for k, v := range filesMap { + controlPlaneFiles = append(controlPlaneFiles, &joinproto.ControlPlaneCertOrKey{ + Name: k, + Data: v, + }) + } } s.log.Infof("IssueJoinTicket successful") @@ -125,7 +132,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi DiscoveryTokenCaCertHash: kubeArgs.CACertHashes[0], KubeletCert: kubeletCert, KubeletKey: kubeletKey, - CertificateKey: certKey, + ControlPlaneFiles: controlPlaneFiles, }, nil } @@ -133,7 +140,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi type joinTokenGetter interface { // GetJoinToken returns a bootstrap (join) token. GetJoinToken(ttl time.Duration) (*kubeadmv1.BootstrapTokenDiscovery, error) - GetControlPlaneCertificateKey() (string, error) + GetControlPlaneCertificatesAndKeys() (map[string][]byte, error) } // dataKeyGetter interacts with Constellation's key management system to retrieve keys. diff --git a/joinservice/internal/server/server_test.go b/joinservice/internal/server/server_test.go index bf1d781b8..fe9d34f0f 100644 --- a/joinservice/internal/server/server_test.go +++ b/joinservice/internal/server/server_test.go @@ -88,10 +88,13 @@ func TestIssueJoinTicket(t *testing.T) { }, "control plane": { isControlPlane: true, - kubeadm: stubTokenGetter{token: testJoinToken, certificateKey: "test"}, - kms: stubKeyGetter{dataKey: testKey}, - ca: stubCA{cert: testCert, key: testKey}, - id: mustMarshalID(testID), + kubeadm: stubTokenGetter{ + token: testJoinToken, + files: map[string][]byte{"test": {0x1, 0x2, 0x3}}, + }, + kms: stubKeyGetter{dataKey: testKey}, + ca: stubCA{cert: testCert, key: testKey}, + id: mustMarshalID(testID), }, "GetControlPlaneCertificateKey fails": { isControlPlane: true, @@ -145,7 +148,7 @@ func TestIssueJoinTicket(t *testing.T) { assert.Equal(tc.ca.key, resp.KubeletKey) if tc.isControlPlane { - assert.Equal(tc.kubeadm.certificateKey, resp.CertificateKey) + assert.Len(resp.ControlPlaneFiles, len(tc.kubeadm.files)) } }) } @@ -162,7 +165,7 @@ func mustMarshalID(id attestationtypes.ID) []byte { type stubTokenGetter struct { token *kubeadmv1.BootstrapTokenDiscovery getJoinTokenErr error - certificateKey string + files map[string][]byte certificateKeyErr error } @@ -170,8 +173,8 @@ func (f stubTokenGetter) GetJoinToken(time.Duration) (*kubeadmv1.BootstrapTokenD return f.token, f.getJoinTokenErr } -func (f stubTokenGetter) GetControlPlaneCertificateKey() (string, error) { - return f.certificateKey, f.certificateKeyErr +func (f stubTokenGetter) GetControlPlaneCertificatesAndKeys() (map[string][]byte, error) { + return f.files, f.certificateKeyErr } type stubKeyGetter struct { diff --git a/joinservice/joinproto/join.pb.go b/joinservice/joinproto/join.pb.go index b33b8eea3..0a4039b40 100644 --- a/joinservice/joinproto/join.pb.go +++ b/joinservice/joinproto/join.pb.go @@ -88,15 +88,15 @@ type IssueJoinTicketResponse struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` - OwnerId []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"` - ClusterId []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` - KubeletKey []byte `protobuf:"bytes,4,opt,name=kubelet_key,json=kubeletKey,proto3" json:"kubelet_key,omitempty"` - KubeletCert []byte `protobuf:"bytes,5,opt,name=kubelet_cert,json=kubeletCert,proto3" json:"kubelet_cert,omitempty"` - ApiServerEndpoint string `protobuf:"bytes,6,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"` - Token string `protobuf:"bytes,7,opt,name=token,proto3" json:"token,omitempty"` - DiscoveryTokenCaCertHash string `protobuf:"bytes,8,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"` - CertificateKey string `protobuf:"bytes,9,opt,name=certificate_key,json=certificateKey,proto3" json:"certificate_key,omitempty"` + StateDiskKey []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"` + OwnerId []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"` + ClusterId []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` + KubeletKey []byte `protobuf:"bytes,4,opt,name=kubelet_key,json=kubeletKey,proto3" json:"kubelet_key,omitempty"` + KubeletCert []byte `protobuf:"bytes,5,opt,name=kubelet_cert,json=kubeletCert,proto3" json:"kubelet_cert,omitempty"` + ApiServerEndpoint string `protobuf:"bytes,6,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"` + Token string `protobuf:"bytes,7,opt,name=token,proto3" json:"token,omitempty"` + DiscoveryTokenCaCertHash string `protobuf:"bytes,8,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"` + ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,9,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"` } func (x *IssueJoinTicketResponse) Reset() { @@ -187,13 +187,68 @@ func (x *IssueJoinTicketResponse) GetDiscoveryTokenCaCertHash() string { return "" } -func (x *IssueJoinTicketResponse) GetCertificateKey() string { +func (x *IssueJoinTicketResponse) GetControlPlaneFiles() []*ControlPlaneCertOrKey { if x != nil { - return x.CertificateKey + return x.ControlPlaneFiles + } + return nil +} + +type ControlPlaneCertOrKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` +} + +func (x *ControlPlaneCertOrKey) Reset() { + *x = ControlPlaneCertOrKey{} + if protoimpl.UnsafeEnabled { + mi := &file_join_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ControlPlaneCertOrKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ControlPlaneCertOrKey) ProtoMessage() {} + +func (x *ControlPlaneCertOrKey) ProtoReflect() protoreflect.Message { + mi := &file_join_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ControlPlaneCertOrKey.ProtoReflect.Descriptor instead. +func (*ControlPlaneCertOrKey) Descriptor() ([]byte, []int) { + return file_join_proto_rawDescGZIP(), []int{2} +} + +func (x *ControlPlaneCertOrKey) GetName() string { + if x != nil { + return x.Name } return "" } +func (x *ControlPlaneCertOrKey) GetData() []byte { + if x != nil { + return x.Data + } + return nil +} + var File_join_proto protoreflect.FileDescriptor var file_join_proto_rawDesc = []byte{ @@ -206,7 +261,7 @@ var file_join_proto_rawDesc = []byte{ 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, - 0x22, 0xec, 0x02, 0x0a, 0x17, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, + 0x22, 0x94, 0x03, 0x0a, 0x17, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b, @@ -226,19 +281,26 @@ var file_join_proto_rawDesc = []byte{ 0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65, - 0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0e, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x32, - 0x55, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, - 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, - 0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, - 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, - 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, - 0x6f, 0x69, 0x6e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, + 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x09, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, + 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72, + 0x5f, 0x6b, 0x65, 0x79, 0x52, 0x11, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, + 0x6e, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x43, 0x0a, 0x19, 0x63, 0x6f, 0x6e, 0x74, 0x72, + 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72, + 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x32, 0x55, 0x0a, 0x03, + 0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, + 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, + 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, 0x73, 0x75, + 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, + 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -253,19 +315,21 @@ func file_join_proto_rawDescGZIP() []byte { return file_join_proto_rawDescData } -var file_join_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_join_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_join_proto_goTypes = []interface{}{ (*IssueJoinTicketRequest)(nil), // 0: join.IssueJoinTicketRequest (*IssueJoinTicketResponse)(nil), // 1: join.IssueJoinTicketResponse + (*ControlPlaneCertOrKey)(nil), // 2: join.control_plane_cert_or_key } var file_join_proto_depIdxs = []int32{ - 0, // 0: join.API.IssueJoinTicket:input_type -> join.IssueJoinTicketRequest - 1, // 1: join.API.IssueJoinTicket:output_type -> join.IssueJoinTicketResponse - 1, // [1:2] is the sub-list for method output_type - 0, // [0:1] is the sub-list for method input_type - 0, // [0:0] is the sub-list for extension type_name - 0, // [0:0] is the sub-list for extension extendee - 0, // [0:0] is the sub-list for field type_name + 2, // 0: join.IssueJoinTicketResponse.control_plane_files:type_name -> join.control_plane_cert_or_key + 0, // 1: join.API.IssueJoinTicket:input_type -> join.IssueJoinTicketRequest + 1, // 2: join.API.IssueJoinTicket:output_type -> join.IssueJoinTicketResponse + 2, // [2:3] is the sub-list for method output_type + 1, // [1:2] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name } func init() { file_join_proto_init() } @@ -298,6 +362,18 @@ func file_join_proto_init() { return nil } } + file_join_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ControlPlaneCertOrKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -305,7 +381,7 @@ func file_join_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_join_proto_rawDesc, NumEnums: 0, - NumMessages: 2, + NumMessages: 3, NumExtensions: 0, NumServices: 1, }, diff --git a/joinservice/joinproto/join.proto b/joinservice/joinproto/join.proto index c1ae614a3..6d809e765 100644 --- a/joinservice/joinproto/join.proto +++ b/joinservice/joinproto/join.proto @@ -24,5 +24,10 @@ message IssueJoinTicketResponse { string api_server_endpoint = 6; string token = 7; string discovery_token_ca_cert_hash = 8; - string certificate_key = 9; + repeated control_plane_cert_or_key control_plane_files = 9; +} + +message control_plane_cert_or_key { + string name = 1; + bytes data = 2; }