Distribute k8s CA certificates and key over join-service

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2024-09-19 15:56:03 +00:00 · 2022-07-11 13:29:22 +02:00 · 2022-07-11 13:29:22 +02:00 · 2bcf001d52
commit 2bcf001d52
parent 260d2571c1
15 changed files with 275 additions and 265 deletions
--- a/bootstrapper/cmd/bootstrapper/test.go
+++ b/bootstrapper/cmd/bootstrapper/test.go
@ -21,7 +21,7 @@ func (c *clusterFake) InitCluster(context.Context, []string, string, string, att
 }

 // JoinCluster will fake joining the current node to an existing cluster.
-func (c *clusterFake) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, string, role.Role, *zap.Logger) error {
+func (c *clusterFake) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, role.Role, *zap.Logger) error {
 	return nil
 }

--- a/bootstrapper/internal/joinclient/client.go
+++ b/bootstrapper/internal/joinclient/client.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"path/filepath"
 	"strconv"
 	"sync"
 	"time"
@ -20,6 +21,7 @@ import (
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
 	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
+	kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/utils/clock"
 )

@ -236,6 +238,12 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse)
 		return fmt.Errorf("updating disk passphrase: %w", err)
 	}

+	if c.role == role.ControlPlane {
+		if err := c.writeControlePlaneFiles(ticket.ControlPlaneFiles); err != nil {
+			return fmt.Errorf("writing control plane files: %w", err)
+		}
+	}
+
 	state := nodestate.NodeState{
 		Role:      c.role,
 		OwnerID:   ticket.OwnerId,
@ -250,7 +258,7 @@ func (c *JoinClient) startNodeAndJoin(ticket *joinproto.IssueJoinTicketResponse)
 		Token:             ticket.Token,
 		CACertHashes:      []string{ticket.DiscoveryTokenCaCertHash},
 	}
-	if err := c.joiner.JoinCluster(ctx, btd, ticket.CertificateKey, c.role, c.log); err != nil {
+	if err := c.joiner.JoinCluster(ctx, btd, c.role, c.log); err != nil {
 		return fmt.Errorf("joining Kubernetes cluster: %w", err)
 	}

@ -319,6 +327,20 @@ func (c *JoinClient) getControlPlaneIPs() ([]string, error) {
 	return ips, nil
 }

+func (c *JoinClient) writeControlePlaneFiles(files []*joinproto.ControlPlaneCertOrKey) error {
+	for _, cert := range files {
+		if err := c.fileHandler.Write(
+			filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, cert.Name),
+			cert.Data,
+			file.OptMkdirAll,
+		); err != nil {
+			return fmt.Errorf("writing control plane files: %w", err)
+		}
+	}
+
+	return nil
+}
+
 func (c *JoinClient) timeoutCtx() (context.Context, context.CancelFunc) {
 	return context.WithTimeout(context.Background(), c.timeout)
 }
@ -340,7 +362,6 @@ type ClusterJoiner interface {
 	JoinCluster(
 		ctx context.Context,
 		args *kubeadm.BootstrapTokenDiscovery,
-		certKey string,
 		peerRole role.Role,
 		logger *zap.Logger,
 	) error
--- a/bootstrapper/internal/joinclient/client_test.go
+++ b/bootstrapper/internal/joinclient/client_test.go
@ -386,7 +386,7 @@ type stubClusterJoiner struct {
 	joinClusterErr    error
 }

-func (j *stubClusterJoiner) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, string, role.Role, *zap.Logger) error {
+func (j *stubClusterJoiner) JoinCluster(context.Context, *kubeadm.BootstrapTokenDiscovery, role.Role, *zap.Logger) error {
 	j.joinClusterCalled = true
 	return j.joinClusterErr
 }
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@ -201,14 +201,14 @@ func (k *KubeadmJoinYAML) SetProviderID(providerID string) {
 	k.KubeletConfiguration.ProviderID = providerID
 }

-func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string, certificateKey string) {
+func (k *KubeadmJoinYAML) SetControlPlane(advertiseAddress string) {
 	k.JoinConfiguration.ControlPlane = &kubeadm.JoinControlPlane{
 		LocalAPIEndpoint: kubeadm.APIEndpoint{
 			AdvertiseAddress: advertiseAddress,
 			BindPort:         6443,
 		},
-		CertificateKey: certificateKey,
 	}
+	k.JoinConfiguration.SkipPhases = []string{"control-plane-prepare/download-certs"}
 }

 func (k *KubeadmJoinYAML) Marshal() ([]byte, error) {
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go
@ -68,7 +68,7 @@ func TestJoinConfiguration(t *testing.T) {
 				c.SetToken("token")
 				c.AppendDiscoveryTokenCaCertHash("discovery-token-ca-cert-hash")
 				c.SetProviderID("somecloudprovider://instance-id")
-				c.SetControlPlane("192.0.2.0", "11111111111111111111111111111111111")
+				c.SetControlPlane("192.0.2.0")
 				return c
 			}(),
 		},
--- a/bootstrapper/internal/kubernetes/kubernetes.go
+++ b/bootstrapper/internal/kubernetes/kubernetes.go
@ -206,7 +206,7 @@ func (k *KubeWrapper) InitCluster(
 }

 // JoinCluster joins existing Kubernetes cluster.
-func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, certKey string, peerRole role.Role, logger *zap.Logger) error {
+func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, peerRole role.Role, logger *zap.Logger) error {
 	// TODO: k8s version should be user input
 	if err := k.clusterUtil.InstallComponents(ctx, "1.23.6"); err != nil {
 		return err
@ -242,7 +242,7 @@ func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTo
 	joinConfig.SetNodeName(nodeName)
 	joinConfig.SetProviderID(providerID)
 	if peerRole == role.ControlPlane {
-		joinConfig.SetControlPlane(nodeInternalIP, certKey)
+		joinConfig.SetControlPlane(nodeInternalIP)
 	}
 	joinConfigYAML, err := joinConfig.Marshal()
 	if err != nil {
--- a/bootstrapper/internal/kubernetes/kubernetes_test.go
+++ b/bootstrapper/internal/kubernetes/kubernetes_test.go
@ -294,7 +294,6 @@ func TestJoinCluster(t *testing.T) {
 	}

 	privateIP := "192.0.2.1"
-	certKey := "cert-key"

 	testCases := map[string]struct {
 		clusterUtil            stubClusterUtil
@ -390,8 +389,8 @@ func TestJoinCluster(t *testing.T) {
 						AdvertiseAddress: "192.0.2.1",
 						BindPort:         6443,
 					},
-					CertificateKey: certKey,
 				},
+				SkipPhases: []string{"control-plane-prepare/download-certs"},
 			},
 		},
 		"kubeadm join worker fails when retrieving self metadata": {
@ -426,7 +425,7 @@ func TestJoinCluster(t *testing.T) {
 				getIPAddr:              func() (string, error) { return privateIP, nil },
 			}

-			err := kube.JoinCluster(context.Background(), joinCommand, certKey, tc.role, zaptest.NewLogger(t))
+			err := kube.JoinCluster(context.Background(), joinCommand, tc.role, zaptest.NewLogger(t))
 			if tc.wantErr {
 				assert.Error(err)
 				return
--- a/joinservice/internal/kubeadm/keymanager.go
+++ b/joinservice/internal/kubeadm/keymanager.go
@ -1,75 +0,0 @@
-package kubeadm
-
-import (
-	"fmt"
-	"sync"
-	"time"
-
-	"github.com/edgelesssys/constellation/internal/constants"
-	"github.com/edgelesssys/constellation/internal/logger"
-	clientset "k8s.io/client-go/kubernetes"
-	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
-	"k8s.io/kubernetes/cmd/kubeadm/app/phases/copycerts"
-	"k8s.io/utils/clock"
-)
-
-// certificateKeyTTL is the time a certificate key is valid for.
-const certificateKeyTTL = time.Hour
-
-// keyManager handles creation of certificate encryption keys.
-type keyManager struct {
-	mux            sync.Mutex
-	key            string
-	expirationDate time.Time
-	clock          clock.Clock
-	client         clientset.Interface
-	log            *logger.Logger
-}
-
-func newKeyManager(client clientset.Interface, log *logger.Logger) *keyManager {
-	return &keyManager{
-		clock:  clock.RealClock{},
-		client: client,
-		log:    log,
-	}
-}
-
-// getCertificatetKey returns the encryption key to use for uploading PKI certificates to Kubernetes.
-// A Key is cached for one hour, but its expiration date is extended by two minutes if a request is made
-// within two minutes of the key expiring to avoid just-expired keys.
-// This is necessary since uploading a certificate with a different key overwrites any others.
-// This means we can no longer decrypt the certificates using an old key.
-func (k *keyManager) getCertificatetKey() (string, error) {
-	k.mux.Lock()
-	defer k.mux.Unlock()
-
-	switch {
-	case k.key == "" || k.expirationDate.Before(k.clock.Now()):
-		// key was not yet generated, or has expired
-		// generate a new key and set TTL
-		key, err := copycerts.CreateCertificateKey()
-		if err != nil {
-			return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
-		}
-		k.expirationDate = k.clock.Now().Add(certificateKeyTTL)
-		k.key = key
-		k.log.Infof("Uploading certs to Kubernetes")
-		cfg := &kubeadmapi.InitConfiguration{
-			ClusterConfiguration: kubeadmapi.ClusterConfiguration{
-				CertificatesDir: constants.KubeadmCertificateDir,
-			},
-		}
-		if err := copycerts.UploadCerts(k.client, cfg, key); err != nil {
-			return "", fmt.Errorf("uploading certs: %w", err)
-		}
-	case k.expirationDate.After(k.clock.Now()):
-		// key is still valid
-		// if TTL is less than 2 minutes away, increase it by 2 minutes
-		// this is to avoid the key expiring too soon when a node uses it to join the cluster
-		if k.expirationDate.Sub(k.clock.Now()) < 2*time.Minute {
-			k.expirationDate = k.expirationDate.Add(2 * time.Minute)
-		}
-	}
-
-	return k.key, nil
-}
--- a/joinservice/internal/kubeadm/keymanager_test.go
+++ b/joinservice/internal/kubeadm/keymanager_test.go
@ -1,96 +0,0 @@
-package kubeadm
-
-import (
-	"testing"
-	"time"
-
-	"github.com/edgelesssys/constellation/internal/logger"
-	"github.com/stretchr/testify/assert"
-	clientset "k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/fake"
-	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
-	"k8s.io/utils/clock"
-	testclock "k8s.io/utils/clock/testing"
-)
-
-func TestKeyManager(t *testing.T) {
-	testCases := map[string]struct {
-		clock       clock.Clock
-		client      clientset.Interface
-		ttl         time.Time
-		key         string
-		shouldReuse bool
-		wantErr     bool
-	}{
-		"no key exists": {
-			clock:  testclock.NewFakeClock(time.Time{}),
-			client: fake.NewSimpleClientset(),
-		},
-		"key exists and is valid": {
-			clock:       testclock.NewFakeClock(time.Time{}),
-			client:      fake.NewSimpleClientset(),
-			ttl:         time.Time{}.Add(time.Hour),
-			key:         "key",
-			shouldReuse: true,
-		},
-		"key has expired": {
-			clock:  testclock.NewFakeClock(time.Time{}.Add(time.Hour)),
-			client: fake.NewSimpleClientset(),
-			ttl:    time.Time{},
-			key:    "key",
-		},
-		"key expires in the next 30 seconds": {
-			clock:       testclock.NewFakeClock(time.Time{}),
-			client:      fake.NewSimpleClientset(),
-			ttl:         time.Time{}.Add(30 * time.Second),
-			key:         "key",
-			shouldReuse: true,
-		},
-		"uploading certs fails": {
-			clock: testclock.NewFakeClock(time.Time{}),
-			client: &failingClient{
-				fake.NewSimpleClientset(),
-			},
-		},
-	}
-
-	for name, tc := range testCases {
-		t.Run(name, func(t *testing.T) {
-			assert := assert.New(t)
-
-			km := &keyManager{
-				expirationDate: tc.ttl,
-				key:            tc.key,
-				clock:          tc.clock,
-				log:            logger.NewTest(t),
-				client:         fake.NewSimpleClientset(),
-			}
-
-			key, err := km.getCertificatetKey()
-			if tc.wantErr {
-				assert.Error(err)
-				return
-			}
-			assert.NoError(err)
-			assert.True(km.expirationDate.After(tc.clock.Now().Add(2 * time.Minute)))
-
-			if tc.shouldReuse {
-				assert.Equal(tc.key, key)
-			} else {
-				assert.Equal(km.key, key)
-				assert.NotEqual(tc.key, key)
-			}
-		})
-	}
-}
-
-type failingClient struct {
-	*fake.Clientset
-}
-
-func (f *failingClient) CoreV1() corev1.CoreV1Interface {
-	return &failingCoreV1{
-		&fakecorev1.FakeCoreV1{Fake: &f.Clientset.Fake},
-	}
-}
--- a/joinservice/internal/kubeadm/kubeadm.go
+++ b/joinservice/internal/kubeadm/kubeadm.go
@ -3,6 +3,7 @@ package kubeadm
 import (
 	"errors"
 	"fmt"
+	"path/filepath"
 	"time"

 	"github.com/edgelesssys/constellation/internal/constants"
@ -17,6 +18,7 @@ import (
 	bootstraputil "k8s.io/cluster-bootstrap/token/util"
 	bootstraptoken "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1"
 	kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3"
+	kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	tokenphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin"
@ -26,7 +28,6 @@ import (
 type Kubeadm struct {
 	apiServerEndpoint string
 	log               *logger.Logger
-	keyManager        *keyManager
 	client            clientset.Interface
 	file              file.Handler
 }
@ -46,7 +47,6 @@ func New(apiServerEndpoint string, log *logger.Logger) (*Kubeadm, error) {
 	return &Kubeadm{
 		apiServerEndpoint: apiServerEndpoint,
 		log:               log,
-		keyManager:        newKeyManager(client, log),
 		client:            client,
 		file:              file,
 	}, nil
@ -108,13 +108,39 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov
 	}, nil
 }

-// GetControlPlaneCertificateKey uploads Kubernetes encrypted CA certificates to Kubernetes and returns the decryption key.
-// The key can be used by new nodes to join the cluster as a control plane node.
-func (k *Kubeadm) GetControlPlaneCertificateKey() (string, error) {
-	k.log.Infof("Creating new random control plane certificate key (or returning cached key)")
-	key, err := k.keyManager.getCertificatetKey()
-	if err != nil {
-		return "", fmt.Errorf("couldn't create control plane certificate key: %w", err)
+// GetControlPlaneCertificatesAndKeys loads the Kubernetes CA certificates and keys.
+func (k *Kubeadm) GetControlPlaneCertificatesAndKeys() (map[string][]byte, error) {
+	k.log.Infof("Loading control plane certificates and keys")
+	controlPlaneFiles := make(map[string][]byte)
+
+	keyFilenames := []string{
+		kubeconstants.CAKeyName,
+		kubeconstants.ServiceAccountPrivateKeyName,
+		kubeconstants.FrontProxyCAKeyName,
+		kubeconstants.EtcdCAKeyName,
 	}
-	return key, nil
+	certFilenames := []string{
+		kubeconstants.CACertName,
+		kubeconstants.ServiceAccountPublicKeyName,
+		kubeconstants.FrontProxyCACertName,
+		kubeconstants.EtcdCACertName,
+	}
+
+	for _, keyFilename := range keyFilenames {
+		key, err := k.file.Read(filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, keyFilename))
+		if err != nil {
+			return nil, err
+		}
+		controlPlaneFiles[keyFilename] = key
+	}
+
+	for _, certFilename := range certFilenames {
+		cert, err := k.file.Read(filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, certFilename))
+		if err != nil {
+			return nil, err
+		}
+		controlPlaneFiles[certFilename] = cert
+	}
+
+	return controlPlaneFiles, nil
 }
--- a/joinservice/internal/kubeadm/kubeadm_test.go
+++ b/joinservice/internal/kubeadm/kubeadm_test.go
@ -1,7 +1,7 @@
 package kubeadm

 import (
-	"context"
+	"path/filepath"
 	"testing"
 	"time"

@ -12,12 +12,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
-	v1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
-	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	fakecorev1 "k8s.io/client-go/kubernetes/typed/core/v1/fake"
-	testclock "k8s.io/utils/clock/testing"
+	kubeconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 )

 func TestMain(m *testing.M) {
@ -83,10 +79,9 @@ kind: Config`,
 			require := require.New(t)

 			client := &Kubeadm{
-				log:        logger.NewTest(t),
-				keyManager: &keyManager{clock: testclock.NewFakeClock(time.Time{})},
-				file:       file.NewHandler(afero.NewMemMapFs()),
-				client:     fake.NewSimpleClientset(),
+				log:    logger.NewTest(t),
+				file:   file.NewHandler(afero.NewMemMapFs()),
+				client: fake.NewSimpleClientset(),
 			}
 			if tc.adminConf != "" {
 				require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone))
@ -103,21 +98,70 @@ kind: Config`,
 	}
 }

-type failingCoreV1 struct {
-	*fakecorev1.FakeCoreV1
-}
+func TestGetControlPlaneCertificatesAndKeys(t *testing.T) {
+	someData := []byte{0x1, 0x2, 0x3}

-func (f *failingCoreV1) Secrets(namespace string) corev1.SecretInterface {
-	return &failingSecretInterface{
-		&fakecorev1.FakeSecrets{Fake: f.FakeCoreV1},
+	testCases := map[string]struct {
+		preExistingFiles map[string][]byte
+		wantErr          bool
+	}{
+		"success": {
+			preExistingFiles: map[string][]byte{
+				kubeconstants.CAKeyName:                    someData,
+				kubeconstants.ServiceAccountPrivateKeyName: someData,
+				kubeconstants.FrontProxyCAKeyName:          someData,
+				kubeconstants.EtcdCAKeyName:                someData,
+				kubeconstants.CACertName:                   someData,
+				kubeconstants.ServiceAccountPublicKeyName:  someData,
+				kubeconstants.FrontProxyCACertName:         someData,
+				kubeconstants.EtcdCACertName:               someData,
+			},
+		},
+		"missing key": {
+			preExistingFiles: map[string][]byte{
+				kubeconstants.CACertName:                  someData,
+				kubeconstants.ServiceAccountPublicKeyName: someData,
+				kubeconstants.FrontProxyCACertName:        someData,
+				kubeconstants.EtcdCACertName:              someData,
+			},
+			wantErr: true,
+		},
+		"missing cert": {
+			preExistingFiles: map[string][]byte{
+				kubeconstants.CAKeyName:                    someData,
+				kubeconstants.ServiceAccountPrivateKeyName: someData,
+				kubeconstants.FrontProxyCAKeyName:          someData,
+				kubeconstants.EtcdCAKeyName:                someData,
+			},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			client := &Kubeadm{
+				log:    logger.NewTest(t),
+				file:   file.NewHandler(afero.NewMemMapFs()),
+				client: fake.NewSimpleClientset(),
+			}
+			for filename, content := range tc.preExistingFiles {
+				require.NoError(client.file.Write(
+					filepath.Join(kubeconstants.KubernetesDir, kubeconstants.DefaultCertificateDir, filename),
+					content,
+					file.OptNone,
+				))
+			}
+
+			files, err := client.GetControlPlaneCertificatesAndKeys()
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.NotNil(files)
+			}
+		})
 	}
 }
-
-type failingSecretInterface struct {
-	*fakecorev1.FakeSecrets
-}
-
-// copycerts.UploadCerts will fail if a secret already exists.
-func (f *failingSecretInterface) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Secret, error) {
-	return &v1.Secret{}, nil
-}
--- a/joinservice/internal/server/server.go
+++ b/joinservice/internal/server/server.go
@ -106,13 +106,20 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 		return nil, status.Errorf(codes.Internal, "unable to generate kubelet certificate: %s", err)
 	}

-	var certKey string
+	var controlPlaneFiles []*joinproto.ControlPlaneCertOrKey
 	if req.IsControlPlane {
 		log.Infof("Creating control plane certificate key")
-		certKey, err = s.joinTokenGetter.GetControlPlaneCertificateKey()
+		filesMap, err := s.joinTokenGetter.GetControlPlaneCertificatesAndKeys()
 		if err != nil {
 			return nil, fmt.Errorf("ActivateControlPlane failed: %w", err)
 		}
+
+		for k, v := range filesMap {
+			controlPlaneFiles = append(controlPlaneFiles, &joinproto.ControlPlaneCertOrKey{
+				Name: k,
+				Data: v,
+			})
+		}
 	}

 	s.log.Infof("IssueJoinTicket successful")
@ -125,7 +132,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 		DiscoveryTokenCaCertHash: kubeArgs.CACertHashes[0],
 		KubeletCert:              kubeletCert,
 		KubeletKey:               kubeletKey,
-		CertificateKey:           certKey,
+		ControlPlaneFiles:        controlPlaneFiles,
 	}, nil
 }

@ -133,7 +140,7 @@ func (s *Server) IssueJoinTicket(ctx context.Context, req *joinproto.IssueJoinTi
 type joinTokenGetter interface {
 	// GetJoinToken returns a bootstrap (join) token.
 	GetJoinToken(ttl time.Duration) (*kubeadmv1.BootstrapTokenDiscovery, error)
-	GetControlPlaneCertificateKey() (string, error)
+	GetControlPlaneCertificatesAndKeys() (map[string][]byte, error)
 }

 // dataKeyGetter interacts with Constellation's key management system to retrieve keys.
--- a/joinservice/internal/server/server_test.go
+++ b/joinservice/internal/server/server_test.go
@ -88,10 +88,13 @@ func TestIssueJoinTicket(t *testing.T) {
 		},
 		"control plane": {
 			isControlPlane: true,
-			kubeadm:        stubTokenGetter{token: testJoinToken, certificateKey: "test"},
-			kms:            stubKeyGetter{dataKey: testKey},
-			ca:             stubCA{cert: testCert, key: testKey},
-			id:             mustMarshalID(testID),
+			kubeadm: stubTokenGetter{
+				token: testJoinToken,
+				files: map[string][]byte{"test": {0x1, 0x2, 0x3}},
+			},
+			kms: stubKeyGetter{dataKey: testKey},
+			ca:  stubCA{cert: testCert, key: testKey},
+			id:  mustMarshalID(testID),
 		},
 		"GetControlPlaneCertificateKey fails": {
 			isControlPlane: true,
@ -145,7 +148,7 @@ func TestIssueJoinTicket(t *testing.T) {
 			assert.Equal(tc.ca.key, resp.KubeletKey)

 			if tc.isControlPlane {
-				assert.Equal(tc.kubeadm.certificateKey, resp.CertificateKey)
+				assert.Len(resp.ControlPlaneFiles, len(tc.kubeadm.files))
 			}
 		})
 	}
@ -162,7 +165,7 @@ func mustMarshalID(id attestationtypes.ID) []byte {
 type stubTokenGetter struct {
 	token             *kubeadmv1.BootstrapTokenDiscovery
 	getJoinTokenErr   error
-	certificateKey    string
+	files             map[string][]byte
 	certificateKeyErr error
 }

@ -170,8 +173,8 @@ func (f stubTokenGetter) GetJoinToken(time.Duration) (*kubeadmv1.BootstrapTokenD
 	return f.token, f.getJoinTokenErr
 }

-func (f stubTokenGetter) GetControlPlaneCertificateKey() (string, error) {
-	return f.certificateKey, f.certificateKeyErr
+func (f stubTokenGetter) GetControlPlaneCertificatesAndKeys() (map[string][]byte, error) {
+	return f.files, f.certificateKeyErr
 }

 type stubKeyGetter struct {
--- a/joinservice/joinproto/join.pb.go
+++ b/joinservice/joinproto/join.pb.go
@ -88,15 +88,15 @@ type IssueJoinTicketResponse struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	StateDiskKey             []byte `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"`
-	OwnerId                  []byte `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"`
-	ClusterId                []byte `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
-	KubeletKey               []byte `protobuf:"bytes,4,opt,name=kubelet_key,json=kubeletKey,proto3" json:"kubelet_key,omitempty"`
-	KubeletCert              []byte `protobuf:"bytes,5,opt,name=kubelet_cert,json=kubeletCert,proto3" json:"kubelet_cert,omitempty"`
-	ApiServerEndpoint        string `protobuf:"bytes,6,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
-	Token                    string `protobuf:"bytes,7,opt,name=token,proto3" json:"token,omitempty"`
-	DiscoveryTokenCaCertHash string `protobuf:"bytes,8,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
-	CertificateKey           string `protobuf:"bytes,9,opt,name=certificate_key,json=certificateKey,proto3" json:"certificate_key,omitempty"`
+	StateDiskKey             []byte                   `protobuf:"bytes,1,opt,name=state_disk_key,json=stateDiskKey,proto3" json:"state_disk_key,omitempty"`
+	OwnerId                  []byte                   `protobuf:"bytes,2,opt,name=owner_id,json=ownerId,proto3" json:"owner_id,omitempty"`
+	ClusterId                []byte                   `protobuf:"bytes,3,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
+	KubeletKey               []byte                   `protobuf:"bytes,4,opt,name=kubelet_key,json=kubeletKey,proto3" json:"kubelet_key,omitempty"`
+	KubeletCert              []byte                   `protobuf:"bytes,5,opt,name=kubelet_cert,json=kubeletCert,proto3" json:"kubelet_cert,omitempty"`
+	ApiServerEndpoint        string                   `protobuf:"bytes,6,opt,name=api_server_endpoint,json=apiServerEndpoint,proto3" json:"api_server_endpoint,omitempty"`
+	Token                    string                   `protobuf:"bytes,7,opt,name=token,proto3" json:"token,omitempty"`
+	DiscoveryTokenCaCertHash string                   `protobuf:"bytes,8,opt,name=discovery_token_ca_cert_hash,json=discoveryTokenCaCertHash,proto3" json:"discovery_token_ca_cert_hash,omitempty"`
+	ControlPlaneFiles        []*ControlPlaneCertOrKey `protobuf:"bytes,9,rep,name=control_plane_files,json=controlPlaneFiles,proto3" json:"control_plane_files,omitempty"`
 }

 func (x *IssueJoinTicketResponse) Reset() {
@ -187,13 +187,68 @@ func (x *IssueJoinTicketResponse) GetDiscoveryTokenCaCertHash() string {
 	return ""
 }

-func (x *IssueJoinTicketResponse) GetCertificateKey() string {
+func (x *IssueJoinTicketResponse) GetControlPlaneFiles() []*ControlPlaneCertOrKey {
 	if x != nil {
-		return x.CertificateKey
+		return x.ControlPlaneFiles
+	}
+	return nil
+}
+
+type ControlPlaneCertOrKey struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"`
+}
+
+func (x *ControlPlaneCertOrKey) Reset() {
+	*x = ControlPlaneCertOrKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_join_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ControlPlaneCertOrKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ControlPlaneCertOrKey) ProtoMessage() {}
+
+func (x *ControlPlaneCertOrKey) ProtoReflect() protoreflect.Message {
+	mi := &file_join_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ControlPlaneCertOrKey.ProtoReflect.Descriptor instead.
+func (*ControlPlaneCertOrKey) Descriptor() ([]byte, []int) {
+	return file_join_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *ControlPlaneCertOrKey) GetName() string {
+	if x != nil {
+		return x.Name
 	}
 	return ""
 }

+func (x *ControlPlaneCertOrKey) GetData() []byte {
+	if x != nil {
+		return x.Data
+	}
+	return nil
+}
+
 var File_join_proto protoreflect.FileDescriptor

 var file_join_proto_rawDesc = []byte{
@ -206,7 +261,7 @@ var file_join_proto_rawDesc = []byte{
 	0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x28, 0x0a, 0x10, 0x69, 0x73, 0x5f, 0x63, 0x6f, 0x6e,
 	0x74, 0x72, 0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08,
 	0x52, 0x0e, 0x69, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65,
-	0x22, 0xec, 0x02, 0x0a, 0x17, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69,
+	0x22, 0x94, 0x03, 0x0a, 0x17, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69,
 	0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0e,
 	0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x65, 0x44, 0x69, 0x73, 0x6b, 0x4b,
@ -226,19 +281,26 @@ var file_join_proto_rawDesc = []byte{
 	0x65, 0x72, 0x79, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72,
 	0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x64, 0x69,
 	0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x43, 0x61, 0x43, 0x65,
-	0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
-	0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x0e, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x32,
-	0x55, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a,
-	0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e,
-	0x2e, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49,
-	0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
-	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73,
-	0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a,
-	0x6f, 0x69, 0x6e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x72, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f,
+	0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x09, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72,
+	0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72,
+	0x5f, 0x6b, 0x65, 0x79, 0x52, 0x11, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61,
+	0x6e, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x43, 0x0a, 0x19, 0x63, 0x6f, 0x6e, 0x74, 0x72,
+	0x6f, 0x6c, 0x5f, 0x70, 0x6c, 0x61, 0x6e, 0x65, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x6f, 0x72,
+	0x5f, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x32, 0x55, 0x0a, 0x03,
+	0x41, 0x50, 0x49, 0x12, 0x4e, 0x0a, 0x0f, 0x49, 0x73, 0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e,
+	0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x1c, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73,
+	0x73, 0x75, 0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d, 0x2e, 0x6a, 0x6f, 0x69, 0x6e, 0x2e, 0x49, 0x73, 0x73, 0x75,
+	0x65, 0x4a, 0x6f, 0x69, 0x6e, 0x54, 0x69, 0x63, 0x6b, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
+	0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f,
+	0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x6a, 0x6f, 0x69, 0x6e,
+	0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@ -253,19 +315,21 @@ func file_join_proto_rawDescGZIP() []byte {
 	return file_join_proto_rawDescData
 }

-var file_join_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_join_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
 var file_join_proto_goTypes = []interface{}{
 	(*IssueJoinTicketRequest)(nil),  // 0: join.IssueJoinTicketRequest
 	(*IssueJoinTicketResponse)(nil), // 1: join.IssueJoinTicketResponse
+	(*ControlPlaneCertOrKey)(nil),   // 2: join.control_plane_cert_or_key
 }
 var file_join_proto_depIdxs = []int32{
-	0, // 0: join.API.IssueJoinTicket:input_type -> join.IssueJoinTicketRequest
-	1, // 1: join.API.IssueJoinTicket:output_type -> join.IssueJoinTicketResponse
-	1, // [1:2] is the sub-list for method output_type
-	0, // [0:1] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
+	2, // 0: join.IssueJoinTicketResponse.control_plane_files:type_name -> join.control_plane_cert_or_key
+	0, // 1: join.API.IssueJoinTicket:input_type -> join.IssueJoinTicketRequest
+	1, // 2: join.API.IssueJoinTicket:output_type -> join.IssueJoinTicketResponse
+	2, // [2:3] is the sub-list for method output_type
+	1, // [1:2] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
 }

 func init() { file_join_proto_init() }
@ -298,6 +362,18 @@ func file_join_proto_init() {
 				return nil
 			}
 		}
+		file_join_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ControlPlaneCertOrKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@ -305,7 +381,7 @@ func file_join_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_join_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   2,
+			NumMessages:   3,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/joinservice/joinproto/join.proto
+++ b/joinservice/joinproto/join.proto
@ -24,5 +24,10 @@ message IssueJoinTicketResponse {
    string api_server_endpoint = 6;
    string token = 7;
    string discovery_token_ca_cert_hash = 8;
-    string certificate_key = 9;
+    repeated control_plane_cert_or_key control_plane_files = 9;
+}
+
+message control_plane_cert_or_key {
+    string name = 1;
+    bytes data = 2;
 }