mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-09-20 16:26:19 +00:00
3177b2fdb7
* AB#2032 Write IDs to disk and read when verifying * Update CHANGELOG.md * update changelog * update changelog * cli verify: prefer flag values * Rename fid file Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
494 lines
17 KiB
Go
494 lines
17 KiB
Go
package cmd
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"io/fs"
|
|
"net"
|
|
"strconv"
|
|
"text/tabwriter"
|
|
|
|
"github.com/edgelesssys/constellation/cli/internal/azure"
|
|
"github.com/edgelesssys/constellation/cli/internal/cloudcmd"
|
|
"github.com/edgelesssys/constellation/cli/internal/gcp"
|
|
"github.com/edgelesssys/constellation/cli/internal/proto"
|
|
"github.com/edgelesssys/constellation/cli/internal/vpn"
|
|
"github.com/edgelesssys/constellation/coordinator/pubapi/pubproto"
|
|
coordinatorstate "github.com/edgelesssys/constellation/coordinator/state"
|
|
"github.com/edgelesssys/constellation/coordinator/util"
|
|
"github.com/edgelesssys/constellation/internal/atls"
|
|
"github.com/edgelesssys/constellation/internal/cloud/cloudprovider"
|
|
"github.com/edgelesssys/constellation/internal/cloud/cloudtypes"
|
|
"github.com/edgelesssys/constellation/internal/config"
|
|
"github.com/edgelesssys/constellation/internal/constants"
|
|
"github.com/edgelesssys/constellation/internal/deploy/ssh"
|
|
"github.com/edgelesssys/constellation/internal/file"
|
|
"github.com/edgelesssys/constellation/internal/state"
|
|
"github.com/edgelesssys/constellation/internal/statuswaiter"
|
|
"github.com/kr/text"
|
|
wgquick "github.com/nmiculinic/wg-quick-go"
|
|
"github.com/spf13/afero"
|
|
"github.com/spf13/cobra"
|
|
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
|
)
|
|
|
|
// NewInitCmd returns a new cobra.Command for the init command.
|
|
func NewInitCmd() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "init",
|
|
Short: "Initialize the Constellation cluster",
|
|
Long: "Initialize the Constellation cluster. Start your confidential Kubernetes.",
|
|
ValidArgsFunction: initCompletion,
|
|
Args: cobra.ExactArgs(0),
|
|
RunE: runInitialize,
|
|
}
|
|
cmd.Flags().String("privatekey", "", "path to your private key")
|
|
cmd.Flags().String("master-secret", "", "path to base64-encoded master secret")
|
|
cmd.Flags().Bool("wg-autoconfig", false, "enable automatic configuration of WireGuard interface")
|
|
must(cmd.Flags().MarkHidden("wg-autoconfig"))
|
|
cmd.Flags().Bool("autoscale", false, "enable Kubernetes cluster-autoscaler")
|
|
return cmd
|
|
}
|
|
|
|
// runInitialize runs the initialize command.
|
|
func runInitialize(cmd *cobra.Command, args []string) error {
|
|
fileHandler := file.NewHandler(afero.NewOsFs())
|
|
vpnHandler := vpn.NewConfigHandler()
|
|
serviceAccountCreator := cloudcmd.NewServiceAccountCreator()
|
|
waiter := statuswaiter.New()
|
|
protoClient := &proto.Client{}
|
|
defer protoClient.Close()
|
|
|
|
return initialize(cmd, protoClient, serviceAccountCreator, fileHandler, waiter, vpnHandler)
|
|
}
|
|
|
|
// initialize initializes a Constellation. Coordinator instances are activated as contole-plane nodes and will
|
|
// themself activate the other peers as workers.
|
|
func initialize(cmd *cobra.Command, protCl protoClient, serviceAccCreator serviceAccountCreator,
|
|
fileHandler file.Handler, waiter statusWaiter, vpnHandler vpnHandler,
|
|
) error {
|
|
flags, err := evalFlagArgs(cmd, fileHandler)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var stat state.ConstellationState
|
|
err = fileHandler.ReadJSON(constants.StateFilename, &stat)
|
|
if errors.Is(err, fs.ErrNotExist) {
|
|
return fmt.Errorf("missing Constellation state file: %w. Please do 'constellation create ...' before 'constellation init'", err)
|
|
} else if err != nil {
|
|
return fmt.Errorf("loading Constellation state file: %w", err)
|
|
}
|
|
|
|
provider := cloudprovider.FromString(stat.CloudProvider)
|
|
|
|
config, err := readConfig(cmd.OutOrStdout(), fileHandler, flags.configPath, provider)
|
|
if err != nil {
|
|
return fmt.Errorf("reading and validating config: %w", err)
|
|
}
|
|
|
|
var sshUsers []*ssh.UserKey
|
|
for _, user := range config.SSHUsers {
|
|
sshUsers = append(sshUsers, &ssh.UserKey{
|
|
Username: user.Username,
|
|
PublicKey: user.PublicKey,
|
|
})
|
|
}
|
|
|
|
validators, err := cloudcmd.NewValidators(provider, config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
cmd.Print(validators.WarningsIncludeInit())
|
|
|
|
cmd.Println("Creating service account ...")
|
|
serviceAccount, stat, err := serviceAccCreator.Create(cmd.Context(), stat, config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := fileHandler.WriteJSON(constants.StateFilename, stat, file.OptOverwrite); err != nil {
|
|
return err
|
|
}
|
|
|
|
coordinators, nodes, err := getScalingGroupsFromConfig(stat, config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
endpoints := ipsToEndpoints(append(coordinators.PublicIPs(), nodes.PublicIPs()...), strconv.Itoa(constants.CoordinatorPort))
|
|
|
|
cmd.Println("Waiting for cloud provider resource creation and boot ...")
|
|
if err := waiter.InitializeValidators(validators.V()); err != nil {
|
|
return err
|
|
}
|
|
if err := waiter.WaitForAll(cmd.Context(), endpoints, coordinatorstate.AcceptingInit); err != nil {
|
|
return fmt.Errorf("waiting for all peers status: %w", err)
|
|
}
|
|
|
|
var autoscalingNodeGroups []string
|
|
if flags.autoscale {
|
|
autoscalingNodeGroups = append(autoscalingNodeGroups, nodes.GroupID)
|
|
}
|
|
|
|
input := activationInput{
|
|
coordinatorPubIP: coordinators.PublicIPs()[0],
|
|
pubKey: flags.userPubKey,
|
|
masterSecret: flags.masterSecret,
|
|
nodePrivIPs: nodes.PrivateIPs(),
|
|
coordinatorPrivIPs: coordinators.PrivateIPs()[1:],
|
|
autoscalingNodeGroups: autoscalingNodeGroups,
|
|
cloudServiceAccountURI: serviceAccount,
|
|
sshUserKeys: ssh.ToProtoSlice(sshUsers),
|
|
}
|
|
result, err := activate(cmd, protCl, input, validators.V())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = result.writeOutput(cmd.OutOrStdout(), fileHandler)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
vpnConfig, err := vpnHandler.Create(result.coordinatorPubKey, result.coordinatorPubIP, string(flags.userPrivKey), result.clientVpnIP, constants.WireguardAdminMTU)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := writeWGQuickFile(fileHandler, vpnHandler, vpnConfig); err != nil {
|
|
return fmt.Errorf("writing wg-quick file: %w", err)
|
|
}
|
|
|
|
if flags.autoconfigureWG {
|
|
if err := vpnHandler.Apply(vpnConfig); err != nil {
|
|
return fmt.Errorf("configuring WireGuard: %w", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func activate(cmd *cobra.Command, client protoClient, input activationInput,
|
|
validators []atls.Validator,
|
|
) (activationResult, error) {
|
|
err := client.Connect(net.JoinHostPort(input.coordinatorPubIP, strconv.Itoa(constants.CoordinatorPort)), validators)
|
|
if err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
|
|
respCl, err := client.Activate(cmd.Context(), input.pubKey, input.masterSecret, input.nodePrivIPs, input.coordinatorPrivIPs, input.autoscalingNodeGroups, input.cloudServiceAccountURI, input.sshUserKeys)
|
|
if err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
|
|
indentOut := text.NewIndentWriter(cmd.OutOrStdout(), []byte{'\t'})
|
|
cmd.Println("Activating the cluster ...")
|
|
if err := respCl.WriteLogStream(indentOut); err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
|
|
clientVpnIp, err := respCl.GetClientVpnIp()
|
|
if err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
coordinatorPubKey, err := respCl.GetCoordinatorVpnKey()
|
|
if err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
kubeconfig, err := respCl.GetKubeconfig()
|
|
if err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
ownerID, err := respCl.GetOwnerID()
|
|
if err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
clusterID, err := respCl.GetClusterID()
|
|
if err != nil {
|
|
return activationResult{}, err
|
|
}
|
|
|
|
return activationResult{
|
|
clientVpnIP: clientVpnIp,
|
|
coordinatorPubKey: coordinatorPubKey,
|
|
coordinatorPubIP: input.coordinatorPubIP,
|
|
kubeconfig: kubeconfig,
|
|
ownerID: ownerID,
|
|
clusterID: clusterID,
|
|
}, nil
|
|
}
|
|
|
|
type activationInput struct {
|
|
coordinatorPubIP string
|
|
pubKey []byte
|
|
masterSecret []byte
|
|
nodePrivIPs []string
|
|
coordinatorPrivIPs []string
|
|
autoscalingNodeGroups []string
|
|
cloudServiceAccountURI string
|
|
sshUserKeys []*pubproto.SSHUserKey
|
|
}
|
|
|
|
type activationResult struct {
|
|
clientVpnIP string
|
|
coordinatorPubKey string
|
|
coordinatorPubIP string
|
|
kubeconfig string
|
|
ownerID string
|
|
clusterID string
|
|
}
|
|
|
|
// writeWGQuickFile writes the wg-quick file to the default path.
|
|
func writeWGQuickFile(fileHandler file.Handler, vpnHandler vpnHandler, vpnConfig *wgquick.Config) error {
|
|
data, err := vpnHandler.Marshal(vpnConfig)
|
|
if err != nil {
|
|
return fmt.Errorf("marshalling VPN config: %w", err)
|
|
}
|
|
return fileHandler.Write(constants.WGQuickConfigFilename, data, file.OptNone)
|
|
}
|
|
|
|
func (r activationResult) writeOutput(wr io.Writer, fileHandler file.Handler) error {
|
|
fmt.Fprint(wr, "Your Constellation cluster was successfully initialized.\n\n")
|
|
|
|
tw := tabwriter.NewWriter(wr, 0, 0, 2, ' ', 0)
|
|
writeRow(tw, "Your WireGuard IP", r.clientVpnIP)
|
|
writeRow(tw, "Control plane's public IP", r.coordinatorPubIP)
|
|
writeRow(tw, "Control plane's public key", r.coordinatorPubKey)
|
|
writeRow(tw, "Constellation cluster's owner identifier", r.ownerID)
|
|
writeRow(tw, "Constellation cluster's unique identifier", r.clusterID)
|
|
writeRow(tw, "WireGuard configuration file", constants.WGQuickConfigFilename)
|
|
writeRow(tw, "Kubernetes configuration", constants.AdminConfFilename)
|
|
tw.Flush()
|
|
fmt.Fprintln(wr)
|
|
|
|
if err := fileHandler.Write(constants.AdminConfFilename, []byte(r.kubeconfig), file.OptNone); err != nil {
|
|
return fmt.Errorf("write kubeconfig: %w", err)
|
|
}
|
|
|
|
idFile := clusterIDFile{ClusterID: r.clusterID, OwnerID: r.ownerID, Endpoint: r.coordinatorPubIP}
|
|
if err := fileHandler.WriteJSON(constants.IDsFileName, idFile, file.OptNone); err != nil {
|
|
return fmt.Errorf("writing Constellation id file: %w", err)
|
|
}
|
|
|
|
fmt.Fprintln(wr, "You can now connect to your cluster by executing:")
|
|
fmt.Fprintf(wr, "\twg-quick up ./%s\n", constants.WGQuickConfigFilename)
|
|
fmt.Fprintf(wr, "\texport KUBECONFIG=\"$PWD/%s\"\n", constants.AdminConfFilename)
|
|
return nil
|
|
}
|
|
|
|
func writeRow(wr io.Writer, col1 string, col2 string) {
|
|
fmt.Fprint(wr, col1, "\t", col2, "\n")
|
|
}
|
|
|
|
// evalFlagArgs gets the flag values and does preprocessing of these values like
|
|
// reading the content from file path flags and deriving other values from flag combinations.
|
|
func evalFlagArgs(cmd *cobra.Command, fileHandler file.Handler) (initFlags, error) {
|
|
userPrivKeyPath, err := cmd.Flags().GetString("privatekey")
|
|
if err != nil {
|
|
return initFlags{}, fmt.Errorf("parsing privatekey path argument: %w", err)
|
|
}
|
|
userPrivKey, userPubKey, err := readOrGenerateVPNKey(fileHandler, userPrivKeyPath)
|
|
if err != nil {
|
|
return initFlags{}, err
|
|
}
|
|
autoconfigureWG, err := cmd.Flags().GetBool("wg-autoconfig")
|
|
if err != nil {
|
|
return initFlags{}, fmt.Errorf("parsing wg-autoconfig argument: %w", err)
|
|
}
|
|
masterSecretPath, err := cmd.Flags().GetString("master-secret")
|
|
if err != nil {
|
|
return initFlags{}, fmt.Errorf("parsing master-secret path argument: %w", err)
|
|
}
|
|
masterSecret, err := readOrGenerateMasterSecret(cmd.OutOrStdout(), fileHandler, masterSecretPath)
|
|
if err != nil {
|
|
return initFlags{}, fmt.Errorf("parsing or generating master mastersecret from file %s: %w", masterSecretPath, err)
|
|
}
|
|
autoscale, err := cmd.Flags().GetBool("autoscale")
|
|
if err != nil {
|
|
return initFlags{}, fmt.Errorf("parsing autoscale argument: %w", err)
|
|
}
|
|
configPath, err := cmd.Flags().GetString("config")
|
|
if err != nil {
|
|
return initFlags{}, fmt.Errorf("parsing config path argument: %w", err)
|
|
}
|
|
|
|
return initFlags{
|
|
configPath: configPath,
|
|
userPrivKey: userPrivKey,
|
|
userPubKey: userPubKey,
|
|
autoconfigureWG: autoconfigureWG,
|
|
autoscale: autoscale,
|
|
masterSecret: masterSecret,
|
|
}, nil
|
|
}
|
|
|
|
// initFlags are the resulting values of flag preprocessing.
|
|
type initFlags struct {
|
|
configPath string
|
|
userPrivKey []byte
|
|
userPubKey []byte
|
|
masterSecret []byte
|
|
autoconfigureWG bool
|
|
autoscale bool
|
|
}
|
|
|
|
func readOrGenerateVPNKey(fileHandler file.Handler, privKeyPath string) (privKey, pubKey []byte, err error) {
|
|
var privKeyParsed wgtypes.Key
|
|
if privKeyPath == "" {
|
|
privKeyParsed, err = wgtypes.GeneratePrivateKey()
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("generating WireGuard private key: %w", err)
|
|
}
|
|
privKey = []byte(privKeyParsed.String())
|
|
} else {
|
|
privKey, err = fileHandler.Read(privKeyPath)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("reading the VPN private key: %w", err)
|
|
}
|
|
privKeyParsed, err = wgtypes.ParseKey(string(privKey))
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("parsing the WireGuard private key: %w", err)
|
|
}
|
|
}
|
|
|
|
pubKey = []byte(privKeyParsed.PublicKey().String())
|
|
|
|
return privKey, pubKey, nil
|
|
}
|
|
|
|
func ipsToEndpoints(ips []string, port string) []string {
|
|
var endpoints []string
|
|
for _, ip := range ips {
|
|
if ip == "" {
|
|
continue
|
|
}
|
|
endpoints = append(endpoints, net.JoinHostPort(ip, port))
|
|
}
|
|
return endpoints
|
|
}
|
|
|
|
// readOrGenerateMasterSecret reads a base64 encoded master secret from file or generates a new 32 byte secret.
|
|
func readOrGenerateMasterSecret(writer io.Writer, fileHandler file.Handler, filename string) ([]byte, error) {
|
|
if filename != "" {
|
|
// Try to read the base64 secret from file
|
|
encodedSecret, err := fileHandler.Read(filename)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
decoded, err := base64.StdEncoding.DecodeString(string(encodedSecret))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(decoded) < constants.MasterSecretLengthMin {
|
|
return nil, errors.New("provided master secret is smaller than the required minimum of 16 Bytes")
|
|
}
|
|
return decoded, nil
|
|
}
|
|
|
|
// No file given, generate a new secret, and save it to disk
|
|
masterSecret, err := util.GenerateRandomBytes(constants.MasterSecretLengthDefault)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err := fileHandler.Write(constants.MasterSecretFilename, []byte(base64.StdEncoding.EncodeToString(masterSecret)), file.OptNone); err != nil {
|
|
return nil, err
|
|
}
|
|
fmt.Fprintf(writer, "Your Constellation master secret was successfully written to ./%s\n", constants.MasterSecretFilename)
|
|
return masterSecret, nil
|
|
}
|
|
|
|
func getScalingGroupsFromConfig(stat state.ConstellationState, config *config.Config) (coordinators, nodes cloudtypes.ScalingGroup, err error) {
|
|
switch {
|
|
case len(stat.GCPCoordinators) != 0:
|
|
return getGCPInstances(stat, config)
|
|
case len(stat.AzureCoordinators) != 0:
|
|
return getAzureInstances(stat, config)
|
|
case len(stat.QEMUCoordinators) != 0:
|
|
return getQEMUInstances(stat, config)
|
|
default:
|
|
return cloudtypes.ScalingGroup{}, cloudtypes.ScalingGroup{}, errors.New("no instances to initialize")
|
|
}
|
|
}
|
|
|
|
func getGCPInstances(stat state.ConstellationState, config *config.Config) (coordinators, nodes cloudtypes.ScalingGroup, err error) {
|
|
if len(stat.GCPCoordinators) == 0 {
|
|
return cloudtypes.ScalingGroup{}, cloudtypes.ScalingGroup{}, errors.New("no control-plane nodes available, can't create Constellation without any instance")
|
|
}
|
|
|
|
// GroupID of coordinators is empty, since they currently do not scale.
|
|
coordinators = cloudtypes.ScalingGroup{
|
|
Instances: stat.GCPCoordinators,
|
|
GroupID: "",
|
|
}
|
|
|
|
if len(stat.GCPNodes) == 0 {
|
|
return cloudtypes.ScalingGroup{}, cloudtypes.ScalingGroup{}, errors.New("no worker nodes available, can't create Constellation with one instance")
|
|
}
|
|
|
|
// TODO: make min / max configurable and abstract autoscaling for different cloud providers
|
|
nodes = cloudtypes.ScalingGroup{
|
|
Instances: stat.GCPNodes,
|
|
GroupID: gcp.AutoscalingNodeGroup(stat.GCPProject, stat.GCPZone, stat.GCPNodeInstanceGroup, config.AutoscalingNodeGroupMin, config.AutoscalingNodeGroupMax),
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
func getAzureInstances(stat state.ConstellationState, config *config.Config) (coordinators, nodes cloudtypes.ScalingGroup, err error) {
|
|
if len(stat.AzureCoordinators) == 0 {
|
|
return cloudtypes.ScalingGroup{}, cloudtypes.ScalingGroup{}, errors.New("no control-plane nodes available, can't create Constellation cluster without any instance")
|
|
}
|
|
|
|
// GroupID of coordinators is empty, since they currently do not scale.
|
|
coordinators = cloudtypes.ScalingGroup{
|
|
Instances: stat.AzureCoordinators,
|
|
GroupID: "",
|
|
}
|
|
|
|
if len(stat.AzureNodes) == 0 {
|
|
return cloudtypes.ScalingGroup{}, cloudtypes.ScalingGroup{}, errors.New("no worker nodes available, can't create Constellation cluster with one instance")
|
|
}
|
|
|
|
// TODO: make min / max configurable and abstract autoscaling for different cloud providers
|
|
nodes = cloudtypes.ScalingGroup{
|
|
Instances: stat.AzureNodes,
|
|
GroupID: azure.AutoscalingNodeGroup(stat.AzureNodesScaleSet, config.AutoscalingNodeGroupMin, config.AutoscalingNodeGroupMax),
|
|
}
|
|
return
|
|
}
|
|
|
|
func getQEMUInstances(stat state.ConstellationState, config *config.Config) (coordinators, nodes cloudtypes.ScalingGroup, err error) {
|
|
coordinatorMap := stat.QEMUCoordinators
|
|
if len(coordinatorMap) == 0 {
|
|
return cloudtypes.ScalingGroup{}, cloudtypes.ScalingGroup{}, errors.New("no coordinators available, can't create Constellation without any instance")
|
|
}
|
|
|
|
// QEMU does not support autoscaling
|
|
coordinators = cloudtypes.ScalingGroup{
|
|
Instances: stat.QEMUCoordinators,
|
|
GroupID: "",
|
|
}
|
|
|
|
if len(stat.QEMUNodes) == 0 {
|
|
return cloudtypes.ScalingGroup{}, cloudtypes.ScalingGroup{}, errors.New("no nodes available, can't create Constellation with one instance")
|
|
}
|
|
|
|
// QEMU does not support autoscaling
|
|
nodes = cloudtypes.ScalingGroup{
|
|
Instances: stat.QEMUNodes,
|
|
GroupID: "",
|
|
}
|
|
return
|
|
}
|
|
|
|
// initCompletion handels the completion of CLI arguments. It is frequently called
|
|
// while the user types arguments of the command to suggest completion.
|
|
func initCompletion(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
|
|
if len(args) != 0 {
|
|
return []string{}, cobra.ShellCompDirectiveError
|
|
}
|
|
return []string{}, cobra.ShellCompDirectiveDefault
|
|
}
|