Don't add loadbalancer IP routing rule on workers

bootstrapper/cmd/bootstrapper/main.go

@@ -17,6 +17,7 @@ import (
 	"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi"
 	"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/kubectl"
 	"github.com/edgelesssys/constellation/bootstrapper/internal/logging"
+	"github.com/edgelesssys/constellation/bootstrapper/role"
 	"github.com/edgelesssys/constellation/internal/atls"
 	"github.com/edgelesssys/constellation/internal/attestation/azure"
 	"github.com/edgelesssys/constellation/internal/attestation/gcp"
@@ -168,6 +169,13 @@ func main() {
 }
 
 func setLoadbalancerRoute(ctx context.Context, meta metadataAPI) error {
+	self, err := meta.Self(ctx)
+	if err != nil {
+		return err
+	}
+	if self.Role != role.ControlPlane {
+		return nil
+	}
 	endpoint, err := meta.GetLoadBalancerEndpoint(ctx)
 	if err != nil {
 		return err

debugd/debugd/cmd/debugd/debugd.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"sync"
 
+	"github.com/edgelesssys/constellation/bootstrapper/role"
 	"github.com/edgelesssys/constellation/debugd/bootstrapper"
 	"github.com/edgelesssys/constellation/debugd/debugd/deploy"
 	"github.com/edgelesssys/constellation/debugd/debugd/metadata"
@@ -99,6 +100,13 @@ func writeDebugBanner(log *logger.Logger) {
 }
 
 func setLoadbalancerRoute(ctx context.Context, fetcher metadata.Fetcher) error {
+	ownRole, err := fetcher.Role(ctx)
+	if err != nil {
+		return err
+	}
+	if ownRole != role.ControlPlane {
+		return nil
+	}
 	ip, err := fetcher.DiscoverLoadbalancerIP(ctx)
 	if err != nil {
 		return err

debugd/debugd/metadata/cloudprovider/cloudprovider.go

@@ -8,6 +8,7 @@ import (
 	azurecloud "github.com/edgelesssys/constellation/bootstrapper/cloudprovider/azure"
 	gcpcloud "github.com/edgelesssys/constellation/bootstrapper/cloudprovider/gcp"
 	qemucloud "github.com/edgelesssys/constellation/bootstrapper/cloudprovider/qemu"
+	"github.com/edgelesssys/constellation/bootstrapper/role"
 	"github.com/edgelesssys/constellation/internal/cloud/metadata"
 	"github.com/edgelesssys/constellation/internal/deploy/ssh"
 )
@@ -57,6 +58,15 @@ func NewQEMU() *Fetcher {
 	}
 }
 
+func (f *Fetcher) Role(ctx context.Context) (role.Role, error) {
+	self, err := f.metaAPI.Self(ctx)
+	if err != nil {
+		return role.Unknown, fmt.Errorf("retrieving role from cloud provider metadata: %w", err)
+	}
+
+	return self.Role, nil
+}
+
 // DiscoverDebugdIPs will query the metadata of all instances and return any ips of instances already set up for debugging.
 func (f *Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
 	self, err := f.metaAPI.Self(ctx)

debugd/debugd/metadata/cloudprovider/cloudprovider_test.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"testing"
 
+	"github.com/edgelesssys/constellation/bootstrapper/role"
 	"github.com/edgelesssys/constellation/internal/cloud/metadata"
 	"github.com/edgelesssys/constellation/internal/deploy/ssh"
 	"github.com/stretchr/testify/assert"
@@ -19,6 +20,48 @@ func TestMain(m *testing.M) {
 	)
 }
 
+func TestRole(t *testing.T) {
+	instance1 := metadata.InstanceMetadata{Role: role.ControlPlane}
+	instance2 := metadata.InstanceMetadata{Role: role.Worker}
+
+	testCases := map[string]struct {
+		meta     *stubMetadata
+		wantErr  bool
+		wantRole role.Role
+	}{
+		"control plane": {
+			meta:     &stubMetadata{selfRes: instance1},
+			wantRole: role.ControlPlane,
+		},
+		"worker": {
+			meta:     &stubMetadata{selfRes: instance2},
+			wantRole: role.Worker,
+		},
+		"self fails": {
+			meta:     &stubMetadata{selfErr: errors.New("some err")},
+			wantErr:  true,
+			wantRole: role.Unknown,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			fetcher := Fetcher{tc.meta}
+
+			role, err := fetcher.Role(context.Background())
+
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				assert.Equal(tc.wantRole, role)
+			}
+		})
+	}
+}
+
 func TestDiscoverDebugIPs(t *testing.T) {
 	err := errors.New("some err")
 

debugd/debugd/metadata/fallback/fallback.go

@@ -3,12 +3,18 @@ package fallback
 import (
 	"context"
 
+	"github.com/edgelesssys/constellation/bootstrapper/role"
 	"github.com/edgelesssys/constellation/internal/deploy/ssh"
 )
 
 // Fetcher implements metadata.Fetcher interface but does not actually fetch cloud provider metadata.
 type Fetcher struct{}
 
+func (f Fetcher) Role(_ context.Context) (role.Role, error) {
+	// Fallback fetcher does not try to fetch role
+	return role.Unknown, nil
+}
+
 func (f Fetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
 	// Fallback fetcher does not try to discover debugd IPs
 	return nil, nil

debugd/debugd/metadata/scheduler.go

@@ -7,6 +7,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/edgelesssys/constellation/bootstrapper/role"
 	"github.com/edgelesssys/constellation/debugd/debugd"
 	"github.com/edgelesssys/constellation/internal/deploy/ssh"
 	"github.com/edgelesssys/constellation/internal/logger"
@@ -15,6 +16,7 @@ import (
 
 // Fetcher retrieves other debugd IPs and SSH keys from cloud provider metadata.
 type Fetcher interface {
+	Role(ctx context.Context) (role.Role, error)
 	DiscoverDebugdIPs(ctx context.Context) ([]string, error)
 	FetchSSHKeys(ctx context.Context) ([]ssh.UserKey, error)
 	DiscoverLoadbalancerIP(ctx context.Context) (string, error)

debugd/debugd/metadata/scheduler_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/edgelesssys/constellation/bootstrapper/role"
 	"github.com/edgelesssys/constellation/internal/deploy/ssh"
 	"github.com/edgelesssys/constellation/internal/logger"
 	"github.com/stretchr/testify/assert"
@@ -91,6 +92,10 @@ type stubFetcher struct {
 	fetchSSHKeysErr error
 }
 
+func (s *stubFetcher) Role(_ context.Context) (role.Role, error) {
+	return role.Unknown, nil
+}
+
 func (s *stubFetcher) DiscoverDebugdIPs(ctx context.Context) ([]string, error) {
 	s.discoverCalls++
 	return s.ips, s.discoverErr