initserver: add client verification

2025-07-29 01:58:34 -04:00 · 2022-11-26 19:44:34 +01:00 · 2022-11-26 19:44:34 +01:00 · 3b6bc3b28f
commit 3b6bc3b28f
parent bffa5c580c
39 changed files with 704 additions and 175 deletions
--- a/cli/internal/terraform/terraform/aws/main.tf
+++ b/cli/internal/terraform/terraform/aws/main.tf
@ -19,6 +19,7 @@ provider "aws" {
 locals {
  uid                = random_id.uid.hex
  name               = "${var.name}-${local.uid}"
+  initSecretHash     = random_password.initSecret.bcrypt_hash
  ports_node_range   = "30000-32767"
  ports_kubernetes   = "6443"
  ports_bootstrapper = "9000"
@ -34,6 +35,12 @@ resource "random_id" "uid" {
  byte_length = 4
 }

+resource "random_password" "initSecret" {
+  length           = 32
+  special          = true
+  override_special = "_%@"
+}
+
 resource "aws_vpc" "vpc" {
  cidr_block = "192.168.0.0/16"
  tags       = merge(local.tags, { Name = "${local.name}-vpc" })
@ -230,6 +237,14 @@ module "instance_group_control_plane" {
  security_groups      = [aws_security_group.security_group.id]
  subnetwork           = module.public_private_subnet.private_subnet_id
  iam_instance_profile = var.iam_instance_profile_control_plane
+  tags = merge(
+    local.tags,
+    { Name = local.name },
+    { constellation-role = "control-plane" },
+    { constellation-uid = local.uid },
+    { KubernetesCluster = "Constellation-${local.uid}" },
+    { constellation-init-secret-hash = local.initSecretHash }
+  )
 }

 module "instance_group_worker_nodes" {
@ -246,4 +261,12 @@ module "instance_group_worker_nodes" {
  target_group_arns    = []
  security_groups      = [aws_security_group.security_group.id]
  iam_instance_profile = var.iam_instance_profile_worker_nodes
+  tags = merge(
+    local.tags,
+    { Name = local.name },
+    { constellation-role = "worker" },
+    { constellation-uid = local.uid },
+    { KubernetesCluster = "Constellation-${local.uid}" },
+    { constellation-init-secret-hash = local.initSecretHash }
+  )
 }
--- a/cli/internal/terraform/terraform/aws/modules/instance_group/main.tf
+++ b/cli/internal/terraform/terraform/aws/modules/instance_group/main.tf
@ -57,26 +57,13 @@ resource "aws_autoscaling_group" "autoscaling_group" {
  vpc_zone_identifier = [var.subnetwork]
  target_group_arns   = var.target_group_arns

-  tag {
-    key                 = "Name"
-    value               = local.name
-    propagate_at_launch = true
-  }
-  tag {
-    key                 = "constellation-role"
-    value               = var.role
-    propagate_at_launch = true
-  }
-  tag {
-    key                 = "constellation-uid"
-    value               = var.uid
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "KubernetesCluster"
-    value               = "Constellation-${var.uid}"
-    propagate_at_launch = true
+  dynamic "tag" {
+    for_each = var.tags
+    content {
+      key                 = tag.key
+      value               = tag.value
+      propagate_at_launch = true
+    }
  }

  lifecycle {
--- a/cli/internal/terraform/terraform/aws/modules/instance_group/variables.tf
+++ b/cli/internal/terraform/terraform/aws/modules/instance_group/variables.tf
@ -57,3 +57,8 @@ variable "security_groups" {
  type        = list(string)
  description = "List of IDs of the security groups for an instance."
 }
+
+variable "tags" {
+  type        = map(string)
+  description = "The tags to add to the instance group."
+}
--- a/cli/internal/terraform/terraform/aws/outputs.tf
+++ b/cli/internal/terraform/terraform/aws/outputs.tf
@ -1,3 +1,8 @@
 output "ip" {
  value = aws_eip.lb.public_ip
 }
+
+output "initSecret" {
+  value     = random_password.initSecret.result
+  sensitive = true
+}
--- a/cli/internal/terraform/terraform/azure/main.tf
+++ b/cli/internal/terraform/terraform/azure/main.tf
@ -18,6 +18,7 @@ provider "azurerm" {
 locals {
  uid                   = random_id.uid.hex
  name                  = "${var.name}-${local.uid}"
+  initSecretHash        = random_password.initSecret.bcrypt_hash
  tags                  = { constellation-uid = local.uid }
  ports_node_range      = "30000-32767"
  ports_kubernetes      = "6443"
@ -34,6 +35,12 @@ resource "random_id" "uid" {
  byte_length = 4
 }

+resource "random_password" "initSecret" {
+  length           = 32
+  special          = true
+  override_special = "_%@"
+}
+
 resource "azurerm_application_insights" "insights" {
  name                = local.name
  location            = var.location
@ -194,7 +201,7 @@ module "scale_set_control_plane" {
  instance_type             = var.instance_type
  confidential_vm           = var.confidential_vm
  secure_boot               = var.secure_boot
-  tags                      = merge(local.tags, { constellation-role = "control-plane" })
+  tags                      = merge(local.tags, { constellation-role = "control-plane" }, { constellation-init-secret-hash = local.initSecretHash })
  image_id                  = var.image_id
  user_assigned_identity    = var.user_assigned_identity
  network_security_group_id = azurerm_network_security_group.security_group.id
@ -217,7 +224,7 @@ module "scale_set_worker" {
  instance_type             = var.instance_type
  confidential_vm           = var.confidential_vm
  secure_boot               = var.secure_boot
-  tags                      = merge(local.tags, { constellation-role = "worker" })
+  tags                      = merge(local.tags, { constellation-role = "worker" }, { constellation-init-secret-hash = local.initSecretHash })
  image_id                  = var.image_id
  user_assigned_identity    = var.user_assigned_identity
  network_security_group_id = azurerm_network_security_group.security_group.id
--- a/cli/internal/terraform/terraform/azure/outputs.tf
+++ b/cli/internal/terraform/terraform/azure/outputs.tf
@ -1,3 +1,8 @@
 output "ip" {
  value = azurerm_public_ip.loadbalancer_ip.ip_address
 }
+
+output "initSecret" {
+  value     = random_password.initSecret.result
+  sensitive = true
+}
--- a/cli/internal/terraform/terraform/gcp/main.tf
+++ b/cli/internal/terraform/terraform/gcp/main.tf
@ -20,6 +20,7 @@ provider "google" {
 locals {
  uid                   = random_id.uid.hex
  name                  = "${var.name}-${local.uid}"
+  initSecretHash        = random_password.initSecret.bcrypt_hash
  labels                = { constellation-uid = local.uid }
  ports_node_range      = "30000-32767"
  ports_kubernetes      = "6443"
@ -37,6 +38,12 @@ resource "random_id" "uid" {
  byte_length = 4
 }

+resource "random_password" "initSecret" {
+  length           = 32
+  special          = true
+  override_special = "_%@"
+}
+
 resource "google_compute_network" "vpc_network" {
  name                    = local.name
  description             = "Constellation VPC network"
@ -136,24 +143,26 @@ module "instance_group_control_plane" {
    { name = "recovery", port = local.ports_recovery },
    var.debug ? [{ name = "debugd", port = local.ports_debugd }] : [],
  ])
-  labels = local.labels
+  labels           = local.labels
+  init_secret_hash = local.initSecretHash
 }

 module "instance_group_worker" {
-  source         = "./modules/instance_group"
-  name           = local.name
-  role           = "Worker"
-  uid            = local.uid
-  instance_type  = var.instance_type
-  instance_count = var.worker_count
-  image_id       = var.image_id
-  disk_size      = var.state_disk_size
-  disk_type      = var.state_disk_type
-  network        = google_compute_network.vpc_network.id
-  subnetwork     = google_compute_subnetwork.vpc_subnetwork.id
-  kube_env       = local.kube_env
-  debug          = var.debug
-  labels         = local.labels
+  source           = "./modules/instance_group"
+  name             = local.name
+  role             = "Worker"
+  uid              = local.uid
+  instance_type    = var.instance_type
+  instance_count   = var.worker_count
+  image_id         = var.image_id
+  disk_size        = var.state_disk_size
+  disk_type        = var.state_disk_type
+  network          = google_compute_network.vpc_network.id
+  subnetwork       = google_compute_subnetwork.vpc_subnetwork.id
+  kube_env         = local.kube_env
+  debug            = var.debug
+  labels           = local.labels
+  init_secret_hash = local.initSecretHash
 }

 resource "google_compute_global_address" "loadbalancer_ip" {
--- a/cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf
+++ b/cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf
@ -15,7 +15,7 @@ locals {
 resource "google_compute_instance_template" "template" {
  name         = local.name
  machine_type = var.instance_type
-  tags         = ["constellation-${var.uid}"]
+  tags         = ["constellation-${var.uid}"] // Note that this is also applied as a label 
  labels       = merge(var.labels, { constellation-role = local.role_dashed })

  confidential_instance_config {
@ -41,8 +41,9 @@ resource "google_compute_instance_template" "template" {
  }

  metadata = {
-    kube-env           = var.kube_env
-    serial-port-enable = var.debug ? "TRUE" : "FALSE"
+    kube-env                       = var.kube_env
+    constellation-init-secret-hash = var.init_secret_hash
+    serial-port-enable             = var.debug ? "TRUE" : "FALSE"
  }

  network_interface {
--- a/cli/internal/terraform/terraform/gcp/modules/instance_group/variables.tf
+++ b/cli/internal/terraform/terraform/gcp/modules/instance_group/variables.tf
@ -59,6 +59,11 @@ variable "kube_env" {
  description = "Kubernetes env."
 }

+variable "init_secret_hash" {
+  type        = string
+  description = "Hash of the init secret."
+}
+
 variable "named_ports" {
  type        = list(object({ name = string, port = number }))
  default     = []
--- a/cli/internal/terraform/terraform/gcp/outputs.tf
+++ b/cli/internal/terraform/terraform/gcp/outputs.tf
@ -1,3 +1,8 @@
 output "ip" {
  value = google_compute_global_address.loadbalancer_ip.address
 }
+
+output "initSecret" {
+  value     = random_password.initSecret.result
+  sensitive = true
+}
--- a/cli/internal/terraform/terraform/qemu/main.tf
+++ b/cli/internal/terraform/terraform/qemu/main.tf
@ -24,6 +24,11 @@ provider "docker" {
  }
 }

+resource "random_password" "initSecret" {
+  length           = 32
+  special          = true
+  override_special = "_%@"
+}
 resource "docker_image" "qemu_metadata" {
  name         = var.metadata_api_image
  keep_locally = true
@ -39,6 +44,8 @@ resource "docker_container" "qemu_metadata" {
    "${var.name}-network",
    "--libvirt-uri",
    "${var.metadata_libvirt_uri}",
+    "--initsecrethash",
+    "${random_password.initSecret.bcrypt_hash}",
  ]
  mounts {
    source = abspath(var.libvirt_socket_path)
@ -47,6 +54,8 @@ resource "docker_container" "qemu_metadata" {
  }
 }

+
+
 module "control_plane" {
  source          = "./modules/instance_group"
  role            = "control-plane"
--- a/cli/internal/terraform/terraform/qemu/outputs.tf
+++ b/cli/internal/terraform/terraform/qemu/outputs.tf
@ -1,3 +1,8 @@
 output "ip" {
  value = module.control_plane.instance_ips[0]
 }
+
+output "initSecret" {
+  value     = random_password.initSecret.result
+  sensitive = true
+}