mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-25 23:06:08 -05:00
Distribute k8s CA certificates and key over join-service
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
260d2571c1
commit
2bcf001d52
@ -21,7 +21,7 @@ func (c *clusterFake) InitCluster(context.Context, []string, string, string, att
|
|||||||
}
|
}
|
||||||
|
|
||||||
// JoinCluster will fake joining the current node to an existing cluster.
|
// JoinCluster will fake joining the current node to an existing cluster.
|
||||||
func (c *clusterFake) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, string, role.Role, *zap.Logger) error {
|
func (c *clusterFake) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, role.Role, *zap.Logger) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -5,6 +5,7 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
"path/filepath"
|
||||||
"strconv"
|
"strconv"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
@ -20,6 +21,7 @@ import (
|
|||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||||
|
kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
"k8s.io/utils/clock"
|
"k8s.io/utils/clock"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -236,6 +238,12 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse)
|
|||||||
return fmt.Errorf("updating disk passphrase: %w", err)
|
return fmt.Errorf("updating disk passphrase: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if c.role == role.ControlPlane {
|
||||||
|
if err := c.writeControlePlaneFiles(ticket.ControlPlaneFiles); err != nil {
|
||||||
|
return fmt.Errorf("writing control plane files: %w", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
state := nodestate.NodeState{
|
state := nodestate.NodeState{
|
||||||
Role: c.role,
|
Role: c.role,
|
||||||
OwnerID: ticket.OwnerId,
|
OwnerID: ticket.OwnerId,
|
||||||
@ -250,7 +258,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse)
|
|||||||
Token: ticket.Token,
|
Token: ticket.Token,
|
||||||
CACertHashes: []string{ticket.DiscoveryTokenCaCertHash},
|
CACertHashes: []string{ticket.DiscoveryTokenCaCertHash},
|
||||||
}
|
}
|
||||||
if err := c.joiner.JoinCluster(ctx, btd, ticket.CertificateKey, c.role, c.log); err != nil {
|
if err := c.joiner.JoinCluster(ctx, btd, c.role, c.log); err != nil {
|
||||||
return fmt.Errorf("joining Kubernetes cluster: %w", err)
|
return fmt.Errorf("joining Kubernetes cluster: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -319,6 +327,20 @@ func (c *JoinClient) getControlPlaneIPs() ([]string, error) {
|
|||||||
return ips, nil
|
return ips, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *JoinClient) writeControlePlaneFiles(files []*joinproto.ControlPlaneCertOrKey) error {
|
||||||
|
for _, cert := range files {
|
||||||
|
if err := c.fileHandler.Write(
|
||||||
|
filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, cert.Name),
|
||||||
|
cert.Data,
|
||||||
|
file.OptMkdirAll,
|
||||||
|
); err != nil {
|
||||||
|
return fmt.Errorf("writing control plane files: %w", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func (c *JoinClient) timeoutCtx() (context.Context, context.CancelFunc) {
|
func (c *JoinClient) timeoutCtx() (context.Context, context.CancelFunc) {
|
||||||
return context.WithTimeout(context.Background(), c.timeout)
|
return context.WithTimeout(context.Background(), c.timeout)
|
||||||
}
|
}
|
||||||
@ -340,7 +362,6 @@ type ClusterJoiner interface {
|
|||||||
JoinCluster(
|
JoinCluster(
|
||||||
ctx context.Context,
|
ctx context.Context,
|
||||||
args *kubeadm.BootstrapTokenDiscovery,
|
args *kubeadm.BootstrapTokenDiscovery,
|
||||||
certKey string,
|
|
||||||
peerRole role.Role,
|
peerRole role.Role,
|
||||||
logger *zap.Logger,
|
logger *zap.Logger,
|
||||||
) error
|
) error
|
||||||
|
@ -386,7 +386,7 @@ type stubClusterJoiner struct {
|
|||||||
joinClusterErr error
|
joinClusterErr error
|
||||||
}
|
}
|
||||||
|
|
||||||
func (j *stubClusterJoiner) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, string, role.Role, *zap.Logger) error {
|
func (j *stubClusterJoiner) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, role.Role, *zap.Logger) error {
|
||||||
j.joinClusterCalled = true
|
j.joinClusterCalled = true
|
||||||
return j.joinClusterErr
|
return j.joinClusterErr
|
||||||
}
|
}
|
||||||
|
@ -201,14 +201,14 @@ func (k *KubeadmJoinYAML) SetProviderID(providerID string) {
|
|||||||
k.KubeletConfiguration.ProviderID = providerID
|
k.KubeletConfiguration.ProviderID = providerID
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string, certificateKey string) {
|
func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string) {
|
||||||
k.JoinConfiguration.ControlPlane = &kubeadm.JoinControlPlane{
|
k.JoinConfiguration.ControlPlane = &kubeadm.JoinControlPlane{
|
||||||
LocalAPIEndpoint: kubeadm.APIEndpoint{
|
LocalAPIEndpoint: kubeadm.APIEndpoint{
|
||||||
AdvertiseAddress: advertiseAddress,
|
AdvertiseAddress: advertiseAddress,
|
||||||
BindPort: 6443,
|
BindPort: 6443,
|
||||||
},
|
},
|
||||||
CertificateKey: certificateKey,
|
|
||||||
}
|
}
|
||||||
|
k.JoinConfiguration.SkipPhases = []string{"control-plane-prepare/download-certs"}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k *KubeadmJoinYAML) Marshal() ([]byte, error) {
|
func (k *KubeadmJoinYAML) Marshal() ([]byte, error) {
|
||||||
|
@ -68,7 +68,7 @@ func TestJoinConfiguration(t *testing.T) {
|
|||||||
c.SetToken("token")
|
c.SetToken("token")
|
||||||
c.AppendDiscoveryTokenCaCertHash("discovery-token-ca-cert-hash")
|
c.AppendDiscoveryTokenCaCertHash("discovery-token-ca-cert-hash")
|
||||||
c.SetProviderID("somecloudprovider://instance-id")
|
c.SetProviderID("somecloudprovider://instance-id")
|
||||||
c.SetControlPlane("192.0.2.0", "11111111111111111111111111111111111")
|
c.SetControlPlane("192.0.2.0")
|
||||||
return c
|
return c
|
||||||
}(),
|
}(),
|
||||||
},
|
},
|
||||||
|
@ -206,7 +206,7 @@ func (k *KubeWrapper) InitCluster(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// JoinCluster joins existing Kubernetes cluster.
|
// JoinCluster joins existing Kubernetes cluster.
|
||||||
func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, certKey string, peerRole role.Role, logger *zap.Logger) error {
|
func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, peerRole role.Role, logger *zap.Logger) error {
|
||||||
// TODO: k8s version should be user input
|
// TODO: k8s version should be user input
|
||||||
if err := k.clusterUtil.InstallComponents(ctx, "1.23.6"); err != nil {
|
if err := k.clusterUtil.InstallComponents(ctx, "1.23.6"); err != nil {
|
||||||
return err
|
return err
|
||||||
@ -242,7 +242,7 @@ func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTo
|
|||||||
joinConfig.SetNodeName(nodeName)
|
joinConfig.SetNodeName(nodeName)
|
||||||
joinConfig.SetProviderID(providerID)
|
joinConfig.SetProviderID(providerID)
|
||||||
if peerRole == role.ControlPlane {
|
if peerRole == role.ControlPlane {
|
||||||
joinConfig.SetControlPlane(nodeInternalIP, certKey)
|
joinConfig.SetControlPlane(nodeInternalIP)
|
||||||
}
|
}
|
||||||
joinConfigYAML, err := joinConfig.Marshal()
|
joinConfigYAML, err := joinConfig.Marshal()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -294,7 +294,6 @@ func TestJoinCluster(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
privateIP := "192.0.2.1"
|
privateIP := "192.0.2.1"
|
||||||
certKey := "cert-key"
|
|
||||||
|
|
||||||
testCases := map[string]struct {
|
testCases := map[string]struct {
|
||||||
clusterUtil stubClusterUtil
|
clusterUtil stubClusterUtil
|
||||||
@ -390,8 +389,8 @@ func TestJoinCluster(t *testing.T) {
|
|||||||
AdvertiseAddress: "192.0.2.1",
|
AdvertiseAddress: "192.0.2.1",
|
||||||
BindPort: 6443,
|
BindPort: 6443,
|
||||||
},
|
},
|
||||||
CertificateKey: certKey,
|
|
||||||
},
|
},
|
||||||
|
SkipPhases: []string{"control-plane-prepare/download-certs"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"kubeadm join worker fails when retrieving self metadata": {
|
"kubeadm join worker fails when retrieving self metadata": {
|
||||||
@ -426,7 +425,7 @@ func TestJoinCluster(t *testing.T) {
|
|||||||
getIPAddr: func() (string, error) { return privateIP, nil },
|
getIPAddr: func() (string, error) { return privateIP, nil },
|
||||||
}
|
}
|
||||||
|
|
||||||
err := kube.JoinCluster(context.Background(), joinCommand, certKey, tc.role, zaptest.NewLogger(t))
|
err := kube.JoinCluster(context.Background(), joinCommand, tc.role, zaptest.NewLogger(t))
|
||||||
if tc.wantErr {
|
if tc.wantErr {
|
||||||
assert.Error(err)
|
assert.Error(err)
|
||||||
return
|
return
|
||||||
|
@ -1,75 +0,0 @@
|
|||||||
package kubeadm
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"sync"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/internal/constants"
|
|
||||||
"github.com/edgelesssys/constellation/internal/logger"
|
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts"
|
|
||||||
"k8s.io/utils/clock"
|
|
||||||
)
|
|
||||||
|
|
||||||
// certificateKeyTTL is the time a certificate key is valid for.
|
|
||||||
const certificateKeyTTL = time.Hour
|
|
||||||
|
|
||||||
// keyManager handles creation of certificate encryption keys.
|
|
||||||
type keyManager struct {
|
|
||||||
mux sync.Mutex
|
|
||||||
key string
|
|
||||||
expirationDate time.Time
|
|
||||||
clock clock.Clock
|
|
||||||
client clientset.Interface
|
|
||||||
log *logger.Logger
|
|
||||||
}
|
|
||||||
|
|
||||||
func newKeyManager(client clientset.Interface, log *logger.Logger) *keyManager {
|
|
||||||
return &keyManager{
|
|
||||||
clock: clock.RealClock{},
|
|
||||||
client: client,
|
|
||||||
log: log,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// getCertificatetKey returns the encryption key to use for uploading PKI certificates to Kubernetes.
|
|
||||||
// A Key is cached for one hour, but its expiration date is extended by two minutes if a request is made
|
|
||||||
// within two minutes of the key expiring to avoid just-expired keys.
|
|
||||||
// This is necessary since uploading a certificate with a different key overwrites any others.
|
|
||||||
// This means we can no longer decrypt the certificates using an old key.
|
|
||||||
func (k *keyManager) getCertificatetKey() (string, error) {
|
|
||||||
k.mux.Lock()
|
|
||||||
defer k.mux.Unlock()
|
|
||||||
|
|
||||||
switch {
|
|
||||||
case k.key == "" || k.expirationDate.Before(k.clock.Now()):
|
|
||||||
// key was not yet generated, or has expired
|
|
||||||
// generate a new key and set TTL
|
|
||||||
key, err := copycerts.CreateCertificateKey()
|
|
||||||
if err != nil {
|
|
||||||
return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
|
|
||||||
}
|
|
||||||
k.expirationDate = k.clock.Now().Add(certificateKeyTTL)
|
|
||||||
k.key = key
|
|
||||||
k.log.Infof("Uploading certs to Kubernetes")
|
|
||||||
cfg := &kubeadmapi.InitConfiguration{
|
|
||||||
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
|
||||||
CertificatesDir: constants.KubeadmCertificateDir,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
if err := copycerts.UploadCerts(k.client, cfg, key); err != nil {
|
|
||||||
return "", fmt.Errorf("uploading certs: %w", err)
|
|
||||||
}
|
|
||||||
case k.expirationDate.After(k.clock.Now()):
|
|
||||||
// key is still valid
|
|
||||||
// if TTL is less than 2 minutes away, increase it by 2 minutes
|
|
||||||
// this is to avoid the key expiring too soon when a node uses it to join the cluster
|
|
||||||
if k.expirationDate.Sub(k.clock.Now()) < 2*time.Minute {
|
|
||||||
k.expirationDate = k.expirationDate.Add(2 * time.Minute)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return k.key, nil
|
|
||||||
}
|
|
@ -1,96 +0,0 @@
|
|||||||
package kubeadm
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/internal/logger"
|
|
||||||
"github.com/stretchr/testify/assert"
|
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
|
||||||
"k8s.io/client-go/kubernetes/fake"
|
|
||||||
corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
|
|
||||||
fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
|
|
||||||
"k8s.io/utils/clock"
|
|
||||||
testclock "k8s.io/utils/clock/testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestKeyManager(t *testing.T) {
|
|
||||||
testCases := map[string]struct {
|
|
||||||
clock clock.Clock
|
|
||||||
client clientset.Interface
|
|
||||||
ttl time.Time
|
|
||||||
key string
|
|
||||||
shouldReuse bool
|
|
||||||
wantErr bool
|
|
||||||
}{
|
|
||||||
"no key exists": {
|
|
||||||
clock: testclock.NewFakeClock(time.Time{}),
|
|
||||||
client: fake.NewSimpleClientset(),
|
|
||||||
},
|
|
||||||
"key exists and is valid": {
|
|
||||||
clock: testclock.NewFakeClock(time.Time{}),
|
|
||||||
client: fake.NewSimpleClientset(),
|
|
||||||
ttl: time.Time{}.Add(time.Hour),
|
|
||||||
key: "key",
|
|
||||||
shouldReuse: true,
|
|
||||||
},
|
|
||||||
"key has expired": {
|
|
||||||
clock: testclock.NewFakeClock(time.Time{}.Add(time.Hour)),
|
|
||||||
client: fake.NewSimpleClientset(),
|
|
||||||
ttl: time.Time{},
|
|
||||||
key: "key",
|
|
||||||
},
|
|
||||||
"key expires in the next 30 seconds": {
|
|
||||||
clock: testclock.NewFakeClock(time.Time{}),
|
|
||||||
client: fake.NewSimpleClientset(),
|
|
||||||
ttl: time.Time{}.Add(30 * time.Second),
|
|
||||||
key: "key",
|
|
||||||
shouldReuse: true,
|
|
||||||
},
|
|
||||||
"uploading certs fails": {
|
|
||||||
clock: testclock.NewFakeClock(time.Time{}),
|
|
||||||
client: &failingClient{
|
|
||||||
fake.NewSimpleClientset(),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for name, tc := range testCases {
|
|
||||||
t.Run(name, func(t *testing.T) {
|
|
||||||
assert := assert.New(t)
|
|
||||||
|
|
||||||
km := &keyManager{
|
|
||||||
expirationDate: tc.ttl,
|
|
||||||
key: tc.key,
|
|
||||||
clock: tc.clock,
|
|
||||||
log: logger.NewTest(t),
|
|
||||||
client: fake.NewSimpleClientset(),
|
|
||||||
}
|
|
||||||
|
|
||||||
key, err := km.getCertificatetKey()
|
|
||||||
if tc.wantErr {
|
|
||||||
assert.Error(err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
assert.NoError(err)
|
|
||||||
assert.True(km.expirationDate.After(tc.clock.Now().Add(2 * time.Minute)))
|
|
||||||
|
|
||||||
if tc.shouldReuse {
|
|
||||||
assert.Equal(tc.key, key)
|
|
||||||
} else {
|
|
||||||
assert.Equal(km.key, key)
|
|
||||||
assert.NotEqual(tc.key, key)
|
|
||||||
}
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
type failingClient struct {
|
|
||||||
*fake.Clientset
|
|
||||||
}
|
|
||||||
|
|
||||||
func (f *failingClient) CoreV1() corev1.CoreV1Interface {
|
|
||||||
return &failingCoreV1{
|
|
||||||
&fakecorev1.FakeCoreV1{Fake: &f.Clientset.Fake},
|
|
||||||
}
|
|
||||||
}
|
|
@ -3,6 +3,7 @@ package kubeadm
|
|||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"path/filepath"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/internal/constants"
|
"github.com/edgelesssys/constellation/internal/constants"
|
||||||
@ -17,6 +18,7 @@ import (
|
|||||||
bootstraputil "k8s.io/cluster-bootstrap/token/util"
|
bootstraputil "k8s.io/cluster-bootstrap/token/util"
|
||||||
bootstraptoken "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1"
|
bootstraptoken "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1"
|
||||||
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
|
||||||
|
kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
tokenphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node"
|
tokenphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
|
"k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin"
|
"k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin"
|
||||||
@ -26,7 +28,6 @@ import (
|
|||||||
type Kubeadm struct {
|
type Kubeadm struct {
|
||||||
apiServerEndpoint string
|
apiServerEndpoint string
|
||||||
log *logger.Logger
|
log *logger.Logger
|
||||||
keyManager *keyManager
|
|
||||||
client clientset.Interface
|
client clientset.Interface
|
||||||
file file.Handler
|
file file.Handler
|
||||||
}
|
}
|
||||||
@ -46,7 +47,6 @@ func New(apiServerEndpoint string, log *logger.Logger) (*Kubeadm, error) {
|
|||||||
return &Kubeadm{
|
return &Kubeadm{
|
||||||
apiServerEndpoint: apiServerEndpoint,
|
apiServerEndpoint: apiServerEndpoint,
|
||||||
log: log,
|
log: log,
|
||||||
keyManager: newKeyManager(client, log),
|
|
||||||
client: client,
|
client: client,
|
||||||
file: file,
|
file: file,
|
||||||
}, nil
|
}, nil
|
||||||
@ -108,13 +108,39 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov
|
|||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetControlPlaneCertificateKey uploads Kubernetes encrypted CA certificates to Kubernetes and returns the decryption key.
|
// GetControlPlaneCertificatesAndKeys loads the Kubernetes CA certificates and keys.
|
||||||
// The key can be used by new nodes to join the cluster as a control plane node.
|
func (k *Kubeadm) GetControlPlaneCertificatesAndKeys() (map[string][]byte, error) {
|
||||||
func (k *Kubeadm) GetControlPlaneCertificateKey() (string, error) {
|
k.log.Infof("Loading control plane certificates and keys")
|
||||||
k.log.Infof("Creating new random control plane certificate key (or returning cached key)")
|
controlPlaneFiles := make(map[string][]byte)
|
||||||
key, err := k.keyManager.getCertificatetKey()
|
|
||||||
|
keyFilenames := []string{
|
||||||
|
kubeconstants.CAKeyName,
|
||||||
|
kubeconstants.ServiceAccountPrivateKeyName,
|
||||||
|
kubeconstants.FrontProxyCAKeyName,
|
||||||
|
kubeconstants.EtcdCAKeyName,
|
||||||
|
}
|
||||||
|
certFilenames := []string{
|
||||||
|
kubeconstants.CACertName,
|
||||||
|
kubeconstants.ServiceAccountPublicKeyName,
|
||||||
|
kubeconstants.FrontProxyCACertName,
|
||||||
|
kubeconstants.EtcdCACertName,
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, keyFilename := range keyFilenames {
|
||||||
|
key, err := k.file.Read(filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, keyFilename))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
|
return nil, err
|
||||||
}
|
}
|
||||||
return key, nil
|
controlPlaneFiles[keyFilename] = key
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, certFilename := range certFilenames {
|
||||||
|
cert, err := k.file.Read(filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, certFilename))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
controlPlaneFiles[certFilename] = cert
|
||||||
|
}
|
||||||
|
|
||||||
|
return controlPlaneFiles, nil
|
||||||
}
|
}
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
package kubeadm
|
package kubeadm
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"path/filepath"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
@ -12,12 +12,8 @@ import (
|
|||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"go.uber.org/goleak"
|
"go.uber.org/goleak"
|
||||||
v1 "k8s.io/api/core/v1"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
"k8s.io/client-go/kubernetes/fake"
|
"k8s.io/client-go/kubernetes/fake"
|
||||||
corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
|
kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
|
|
||||||
testclock "k8s.io/utils/clock/testing"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestMain(m *testing.M) {
|
func TestMain(m *testing.M) {
|
||||||
@ -84,7 +80,6 @@ kind: Config`,
|
|||||||
|
|
||||||
client := &Kubeadm{
|
client := &Kubeadm{
|
||||||
log: logger.NewTest(t),
|
log: logger.NewTest(t),
|
||||||
keyManager: &keyManager{clock: testclock.NewFakeClock(time.Time{})},
|
|
||||||
file: file.NewHandler(afero.NewMemMapFs()),
|
file: file.NewHandler(afero.NewMemMapFs()),
|
||||||
client: fake.NewSimpleClientset(),
|
client: fake.NewSimpleClientset(),
|
||||||
}
|
}
|
||||||
@ -103,21 +98,70 @@ kind: Config`,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
type failingCoreV1 struct {
|
func TestGetControlPlaneCertificatesAndKeys(t *testing.T) {
|
||||||
*fakecorev1.FakeCoreV1
|
someData := []byte{0x1, 0x2, 0x3}
|
||||||
|
|
||||||
|
testCases := map[string]struct {
|
||||||
|
preExistingFiles map[string][]byte
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
"success": {
|
||||||
|
preExistingFiles: map[string][]byte{
|
||||||
|
kubeconstants.CAKeyName: someData,
|
||||||
|
kubeconstants.ServiceAccountPrivateKeyName: someData,
|
||||||
|
kubeconstants.FrontProxyCAKeyName: someData,
|
||||||
|
kubeconstants.EtcdCAKeyName: someData,
|
||||||
|
kubeconstants.CACertName: someData,
|
||||||
|
kubeconstants.ServiceAccountPublicKeyName: someData,
|
||||||
|
kubeconstants.FrontProxyCACertName: someData,
|
||||||
|
kubeconstants.EtcdCACertName: someData,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"missing key": {
|
||||||
|
preExistingFiles: map[string][]byte{
|
||||||
|
kubeconstants.CACertName: someData,
|
||||||
|
kubeconstants.ServiceAccountPublicKeyName: someData,
|
||||||
|
kubeconstants.FrontProxyCACertName: someData,
|
||||||
|
kubeconstants.EtcdCACertName: someData,
|
||||||
|
},
|
||||||
|
wantErr: true,
|
||||||
|
},
|
||||||
|
"missing cert": {
|
||||||
|
preExistingFiles: map[string][]byte{
|
||||||
|
kubeconstants.CAKeyName: someData,
|
||||||
|
kubeconstants.ServiceAccountPrivateKeyName: someData,
|
||||||
|
kubeconstants.FrontProxyCAKeyName: someData,
|
||||||
|
kubeconstants.EtcdCAKeyName: someData,
|
||||||
|
},
|
||||||
|
wantErr: true,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *failingCoreV1) Secrets(namespace string) corev1.SecretInterface {
|
for name, tc := range testCases {
|
||||||
return &failingSecretInterface{
|
t.Run(name, func(t *testing.T) {
|
||||||
&fakecorev1.FakeSecrets{Fake: f.FakeCoreV1},
|
assert := assert.New(t)
|
||||||
|
require := require.New(t)
|
||||||
|
|
||||||
|
client := &Kubeadm{
|
||||||
|
log: logger.NewTest(t),
|
||||||
|
file: file.NewHandler(afero.NewMemMapFs()),
|
||||||
|
client: fake.NewSimpleClientset(),
|
||||||
}
|
}
|
||||||
|
for filename, content := range tc.preExistingFiles {
|
||||||
|
require.NoError(client.file.Write(
|
||||||
|
filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, filename),
|
||||||
|
content,
|
||||||
|
file.OptNone,
|
||||||
|
))
|
||||||
}
|
}
|
||||||
|
|
||||||
type failingSecretInterface struct {
|
files, err := client.GetControlPlaneCertificatesAndKeys()
|
||||||
*fakecorev1.FakeSecrets
|
if tc.wantErr {
|
||||||
|
assert.Error(err)
|
||||||
|
} else {
|
||||||
|
assert.NoError(err)
|
||||||
|
assert.NotNil(files)
|
||||||
|
}
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
// copycerts.UploadCerts will fail if a secret already exists.
|
|
||||||
func (f *failingSecretInterface) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Secret, error) {
|
|
||||||
return &v1.Secret{}, nil
|
|
||||||
}
|
}
|
||||||
|
@ -106,13 +106,20 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
|||||||
return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err)
|
return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
var certKey string
|
var controlPlaneFiles []*joinproto.ControlPlaneCertOrKey
|
||||||
if req.IsControlPlane {
|
if req.IsControlPlane {
|
||||||
log.Infof("Creating control plane certificate key")
|
log.Infof("Creating control plane certificate key")
|
||||||
certKey, err = s.joinTokenGetter.GetControlPlaneCertificateKey()
|
filesMap, err := s.joinTokenGetter.GetControlPlaneCertificatesAndKeys()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("ActivateControlPlane failed: %w", err)
|
return nil, fmt.Errorf("ActivateControlPlane failed: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for k, v := range filesMap {
|
||||||
|
controlPlaneFiles = append(controlPlaneFiles, &joinproto.ControlPlaneCertOrKey{
|
||||||
|
Name: k,
|
||||||
|
Data: v,
|
||||||
|
})
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
s.log.Infof("IssueJoinTicket successful")
|
s.log.Infof("IssueJoinTicket successful")
|
||||||
@ -125,7 +132,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
|||||||
DiscoveryTokenCaCertHash: kubeArgs.CACertHashes[0],
|
DiscoveryTokenCaCertHash: kubeArgs.CACertHashes[0],
|
||||||
KubeletCert: kubeletCert,
|
KubeletCert: kubeletCert,
|
||||||
KubeletKey: kubeletKey,
|
KubeletKey: kubeletKey,
|
||||||
CertificateKey: certKey,
|
ControlPlaneFiles: controlPlaneFiles,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -133,7 +140,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
|
|||||||
type joinTokenGetter interface {
|
type joinTokenGetter interface {
|
||||||
// GetJoinToken returns a bootstrap (join) token.
|
// GetJoinToken returns a bootstrap (join) token.
|
||||||
GetJoinToken(ttl time.Duration) (*kubeadmv1.BootstrapTokenDiscovery, error)
|
GetJoinToken(ttl time.Duration) (*kubeadmv1.BootstrapTokenDiscovery, error)
|
||||||
GetControlPlaneCertificateKey() (string, error)
|
GetControlPlaneCertificatesAndKeys() (map[string][]byte, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// dataKeyGetter interacts with Constellation's key management system to retrieve keys.
|
// dataKeyGetter interacts with Constellation's key management system to retrieve keys.
|
||||||
|
@ -88,7 +88,10 @@ func TestIssueJoinTicket(t *testing.T) {
|
|||||||
},
|
},
|
||||||
"control plane": {
|
"control plane": {
|
||||||
isControlPlane: true,
|
isControlPlane: true,
|
||||||
kubeadm: stubTokenGetter{token: testJoinToken, certificateKey: "test"},
|
kubeadm: stubTokenGetter{
|
||||||
|
token: testJoinToken,
|
||||||
|
files: map[string][]byte{"test": {0x1, 0x2, 0x3}},
|
||||||
|
},
|
||||||
kms: stubKeyGetter{dataKey: testKey},
|
kms: stubKeyGetter{dataKey: testKey},
|
||||||
ca: stubCA{cert: testCert, key: testKey},
|
ca: stubCA{cert: testCert, key: testKey},
|
||||||
id: mustMarshalID(testID),
|
id: mustMarshalID(testID),
|
||||||
@ -145,7 +148,7 @@ func TestIssueJoinTicket(t *testing.T) {
|
|||||||
assert.Equal(tc.ca.key, resp.KubeletKey)
|
assert.Equal(tc.ca.key, resp.KubeletKey)
|
||||||
|
|
||||||
if tc.isControlPlane {
|
if tc.isControlPlane {
|
||||||
assert.Equal(tc.kubeadm.certificateKey, resp.CertificateKey)
|
assert.Len(resp.ControlPlaneFiles, len(tc.kubeadm.files))
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
@ -162,7 +165,7 @@ func mustMarshalID(id attestationtypes.ID) []byte {
|
|||||||
type stubTokenGetter struct {
|
type stubTokenGetter struct {
|
||||||
token *kubeadmv1.BootstrapTokenDiscovery
|
token *kubeadmv1.BootstrapTokenDiscovery
|
||||||
getJoinTokenErr error
|
getJoinTokenErr error
|
||||||
certificateKey string
|
files map[string][]byte
|
||||||
certificateKeyErr error
|
certificateKeyErr error
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -170,8 +173,8 @@ func (f stubTokenGetter) GetJoinToken(time.Duration) (*kubeadmv1.BootstrapTokenD
|
|||||||
return f.token, f.getJoinTokenErr
|
return f.token, f.getJoinTokenErr
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f stubTokenGetter) GetControlPlaneCertificateKey() (string, error) {
|
func (f stubTokenGetter) GetControlPlaneCertificatesAndKeys() (map[string][]byte, error) {
|
||||||
return f.certificateKey, f.certificateKeyErr
|
return f.files, f.certificateKeyErr
|
||||||
}
|
}
|
||||||
|
|
||||||
type stubKeyGetter struct {
|
type stubKeyGetter struct {
|
||||||
|
@ -96,7 +96,7 @@ type IssueJoinTicketResponse struct {
|
|||||||
ApiServerEndpoint string `protobuf:"bytes,6,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
|
ApiServerEndpoint string `protobuf:"bytes,6,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
|
||||||
Token string `protobuf:"bytes,7,opt,name=token,proto3" json:"token,omitempty"`
|
Token string `protobuf:"bytes,7,opt,name=token,proto3" json:"token,omitempty"`
|
||||||
DiscoveryTokenCaCertHash string `protobuf:"bytes,8,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
|
DiscoveryTokenCaCertHash string `protobuf:"bytes,8,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
|
||||||
CertificateKey string `protobuf:"bytes,9,opt,name=certificate_key,json=certificateKey,proto3" json:"certificate_key,omitempty"`
|
ControlPlaneFiles []*ControlPlaneCertOrKey `protobuf:"bytes,9,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x *IssueJoinTicketResponse) Reset() {
|
func (x *IssueJoinTicketResponse) Reset() {
|
||||||
@ -187,13 +187,68 @@ func (x *IssueJoinTicketResponse) GetDiscoveryTokenCaCertHash() string {
|
|||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func (x *IssueJoinTicketResponse) GetCertificateKey() string {
|
func (x *IssueJoinTicketResponse) GetControlPlaneFiles() []*ControlPlaneCertOrKey {
|
||||||
if x != nil {
|
if x != nil {
|
||||||
return x.CertificateKey
|
return x.ControlPlaneFiles
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
type ControlPlaneCertOrKey struct {
|
||||||
|
state protoimpl.MessageState
|
||||||
|
sizeCache protoimpl.SizeCache
|
||||||
|
unknownFields protoimpl.UnknownFields
|
||||||
|
|
||||||
|
Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
|
||||||
|
Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ControlPlaneCertOrKey) Reset() {
|
||||||
|
*x = ControlPlaneCertOrKey{}
|
||||||
|
if protoimpl.UnsafeEnabled {
|
||||||
|
mi := &file_join_proto_msgTypes[2]
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ControlPlaneCertOrKey) String() string {
|
||||||
|
return protoimpl.X.MessageStringOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*ControlPlaneCertOrKey) ProtoMessage() {}
|
||||||
|
|
||||||
|
func (x *ControlPlaneCertOrKey) ProtoReflect() protoreflect.Message {
|
||||||
|
mi := &file_join_proto_msgTypes[2]
|
||||||
|
if protoimpl.UnsafeEnabled && x != nil {
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
if ms.LoadMessageInfo() == nil {
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
return ms
|
||||||
|
}
|
||||||
|
return mi.MessageOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use ControlPlaneCertOrKey.ProtoReflect.Descriptor instead.
|
||||||
|
func (*ControlPlaneCertOrKey) Descriptor() ([]byte, []int) {
|
||||||
|
return file_join_proto_rawDescGZIP(), []int{2}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ControlPlaneCertOrKey) GetName() string {
|
||||||
|
if x != nil {
|
||||||
|
return x.Name
|
||||||
}
|
}
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (x *ControlPlaneCertOrKey) GetData() []byte {
|
||||||
|
if x != nil {
|
||||||
|
return x.Data
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
var File_join_proto protoreflect.FileDescriptor
|
var File_join_proto protoreflect.FileDescriptor
|
||||||
|
|
||||||
var file_join_proto_rawDesc = []byte{
|
var file_join_proto_rawDesc = []byte{
|
||||||
@ -206,7 +261,7 @@ var file_join_proto_rawDesc = []byte{
|
|||||||
0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e,
|
0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e,
|
||||||
0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08,
|
0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08,
|
||||||
0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65,
|
0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65,
|
||||||
0x22, 0xec, 0x02, 0x0a, 0x17, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69,
|
0x22, 0x94, 0x03, 0x0a, 0x17, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69,
|
||||||
0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e,
|
0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e,
|
||||||
0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01,
|
0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01,
|
||||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b,
|
0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b,
|
||||||
@ -226,19 +281,26 @@ var file_join_proto_rawDesc = []byte{
|
|||||||
0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72,
|
0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72,
|
||||||
0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69,
|
0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69,
|
||||||
0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65,
|
0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65,
|
||||||
0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
|
0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f,
|
||||||
0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52,
|
0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x09, 0x20,
|
||||||
0x0e, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x32,
|
0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72,
|
||||||
0x55, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a,
|
0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72,
|
||||||
0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e,
|
0x5f, 0x6b, 0x65, 0x79, 0x52, 0x11, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61,
|
||||||
0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74,
|
0x6e, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x43, 0x0a, 0x19, 0x63, 0x6f, 0x6e, 0x74, 0x72,
|
||||||
0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49,
|
0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72,
|
||||||
0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65,
|
0x5f, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
|
||||||
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
|
0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61,
|
||||||
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73,
|
0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x32, 0x55, 0x0a, 0x03,
|
||||||
0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a,
|
0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e,
|
||||||
0x6f, 0x69, 0x6e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70,
|
0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73,
|
||||||
0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71,
|
||||||
|
0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, 0x73, 0x75,
|
||||||
|
0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
|
||||||
|
0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
|
||||||
|
0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f,
|
||||||
|
0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x6f, 0x69, 0x6e,
|
||||||
|
0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70, 0x72, 0x6f, 0x74,
|
||||||
|
0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -253,19 +315,21 @@ func file_join_proto_rawDescGZIP() []byte {
|
|||||||
return file_join_proto_rawDescData
|
return file_join_proto_rawDescData
|
||||||
}
|
}
|
||||||
|
|
||||||
var file_join_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
|
var file_join_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
|
||||||
var file_join_proto_goTypes = []interface{}{
|
var file_join_proto_goTypes = []interface{}{
|
||||||
(*IssueJoinTicketRequest)(nil), // 0: join.IssueJoinTicketRequest
|
(*IssueJoinTicketRequest)(nil), // 0: join.IssueJoinTicketRequest
|
||||||
(*IssueJoinTicketResponse)(nil), // 1: join.IssueJoinTicketResponse
|
(*IssueJoinTicketResponse)(nil), // 1: join.IssueJoinTicketResponse
|
||||||
|
(*ControlPlaneCertOrKey)(nil), // 2: join.control_plane_cert_or_key
|
||||||
}
|
}
|
||||||
var file_join_proto_depIdxs = []int32{
|
var file_join_proto_depIdxs = []int32{
|
||||||
0, // 0: join.API.IssueJoinTicket:input_type -> join.IssueJoinTicketRequest
|
2, // 0: join.IssueJoinTicketResponse.control_plane_files:type_name -> join.control_plane_cert_or_key
|
||||||
1, // 1: join.API.IssueJoinTicket:output_type -> join.IssueJoinTicketResponse
|
0, // 1: join.API.IssueJoinTicket:input_type -> join.IssueJoinTicketRequest
|
||||||
1, // [1:2] is the sub-list for method output_type
|
1, // 2: join.API.IssueJoinTicket:output_type -> join.IssueJoinTicketResponse
|
||||||
0, // [0:1] is the sub-list for method input_type
|
2, // [2:3] is the sub-list for method output_type
|
||||||
0, // [0:0] is the sub-list for extension type_name
|
1, // [1:2] is the sub-list for method input_type
|
||||||
0, // [0:0] is the sub-list for extension extendee
|
1, // [1:1] is the sub-list for extension type_name
|
||||||
0, // [0:0] is the sub-list for field type_name
|
1, // [1:1] is the sub-list for extension extendee
|
||||||
|
0, // [0:1] is the sub-list for field type_name
|
||||||
}
|
}
|
||||||
|
|
||||||
func init() { file_join_proto_init() }
|
func init() { file_join_proto_init() }
|
||||||
@ -298,6 +362,18 @@ func file_join_proto_init() {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
file_join_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
|
||||||
|
switch v := v.(*ControlPlaneCertOrKey); i {
|
||||||
|
case 0:
|
||||||
|
return &v.state
|
||||||
|
case 1:
|
||||||
|
return &v.sizeCache
|
||||||
|
case 2:
|
||||||
|
return &v.unknownFields
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
type x struct{}
|
type x struct{}
|
||||||
out := protoimpl.TypeBuilder{
|
out := protoimpl.TypeBuilder{
|
||||||
@ -305,7 +381,7 @@ func file_join_proto_init() {
|
|||||||
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
||||||
RawDescriptor: file_join_proto_rawDesc,
|
RawDescriptor: file_join_proto_rawDesc,
|
||||||
NumEnums: 0,
|
NumEnums: 0,
|
||||||
NumMessages: 2,
|
NumMessages: 3,
|
||||||
NumExtensions: 0,
|
NumExtensions: 0,
|
||||||
NumServices: 1,
|
NumServices: 1,
|
||||||
},
|
},
|
||||||
|
@ -24,5 +24,10 @@ message IssueJoinTicketResponse {
|
|||||||
string api_server_endpoint = 6;
|
string api_server_endpoint = 6;
|
||||||
string token = 7;
|
string token = 7;
|
||||||
string discovery_token_ca_cert_hash = 8;
|
string discovery_token_ca_cert_hash = 8;
|
||||||
string certificate_key = 9;
|
repeated control_plane_cert_or_key control_plane_files = 9;
|
||||||
|
}
|
||||||
|
|
||||||
|
message control_plane_cert_or_key {
|
||||||
|
string name = 1;
|
||||||
|
bytes data = 2;
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user