metropolis: reduce usage of identity.NodeID

Eventually, we want to be able to rotate node keypairs. To allow this,
the node ID needs to become independent of the public key. This change
is a refactoring which starts this work by reducing the usage of
identity.NodeID, the function which derives a node ID from a public key.

Change-Id: I5231ed0a7be37c23327fec93481b00c74374af07
Reviewed-on: https://review.monogon.dev/c/monogon/+/3445
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/core/roleserve/roleserve.go b/metropolis/node/core/roleserve/roleserve.go
index 3bcc48d..e5e0d74 100644
--- a/metropolis/node/core/roleserve/roleserve.go
+++ b/metropolis/node/core/roleserve/roleserve.go
@@ -183,6 +183,7 @@
 type BootstrapData struct {
 	// Data about the bootstrapping node.
 	Node struct {
+		ID         string
 		PrivateKey ed25519.PrivateKey
 
 		// CUK/NUK for storage, if storage encryption is enabled.
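Review bot: The new `ID` field in `BootstrapData.Node` has no comment, and its relationship to `PrivateKey` is no longer implied by derivation. A reader needs to know that the ID is supplied by whoever builds the struct and must be the ID the cluster associates with this key. Suggest adding `// ID is the node's ID. It is set by the caller and is not derived from PrivateKey.` above the field. The Node struct continues past the end of this hunk.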
@@ -209,12 +210,9 @@
 }
 
 func (s *Service) ProvideBootstrapData(data *BootstrapData) {
-	pubkey := data.Node.PrivateKey.Public().(ed25519.PublicKey)
-	nid := identity.NodeID(pubkey)
-
 	// This is the first time we have the node ID, tell the resolver that it's
 	// available on the loopback interface.
-	s.Resolver.AddOverride(nid, resolver.NodeByHostPort("127.0.0.1", uint16(common.CuratorServicePort)))
+	s.Resolver.AddOverride(data.Node.ID, resolver.NodeByHostPort("127.0.0.1", uint16(common.CuratorServicePort)))
 	s.Resolver.AddEndpoint(resolver.NodeByHostPort("127.0.0.1", uint16(common.CuratorServicePort)))
 
 	s.bootstrapData.Set(data)
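Review bot: `data.Node.ID` is now caller-supplied and used as the resolver override key without any check, whereas the removed lines derived it from `PrivateKey`, so it could not be empty or disagree with the key. As far as these hunks show, an unset ID would register the loopback override under `""` and then reach `consensus.Config.NodeID`, `curator.NewNodeData.ID` and `st.AddNode` in worker_controlplane.go unchanged. Consider rejecting an empty ID before `AddOverride`, for example `if data.Node.ID == "" { panic("roleserve: BootstrapData.Node.ID is empty") }`, since the function has no error return. Alternatively, validate it where BootstrapData is constructed, which is outside this diff. The function body continues past the hunk.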
diff --git a/metropolis/node/core/roleserve/values.go b/metropolis/node/core/roleserve/values.go
index 34c743b..aa0c227 100644
--- a/metropolis/node/core/roleserve/values.go
+++ b/metropolis/node/core/roleserve/values.go
@@ -63,7 +63,7 @@
 }
 
 func (c *CuratorConnection) nodeID() string {
-	return identity.NodeID(c.Credentials.PublicKey())
+	return c.Credentials.ID()
 }
 
 // KubernetesStatus is an Event Value structure populated by a running
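Review bot: `nodeID` has no doc comment, and after this change its result is whatever `Credentials.ID()` reports rather than a value computed from the public key at this call site. The join path in worker_controlplane.go passes it as `consensus.Config.NodeID`, so the source of the value is worth stating. Suggest `// nodeID returns the node ID carried by the connection's credentials; it is not derived from the public key here.` How `Credentials.ID()` obtains the ID is not visible in this diff.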
diff --git a/metropolis/node/core/roleserve/worker_controlplane.go b/metropolis/node/core/roleserve/worker_controlplane.go
index 3ba4293..8b4657a 100644
--- a/metropolis/node/core/roleserve/worker_controlplane.go
+++ b/metropolis/node/core/roleserve/worker_controlplane.go
@@ -145,6 +145,7 @@
 						consensusConfig: &consensus.Config{
 							Data:           &s.storageRoot.Data.Etcd,
 							Ephemeral:      &s.storageRoot.Ephemeral.Consensus,
+							NodeID:         bd.Node.ID,
 							NodePrivateKey: bd.Node.PrivateKey,
 						},
 						bootstrap: bd,
@@ -197,6 +198,7 @@
 						consensusConfig: &consensus.Config{
 							Data:           &s.storageRoot.Data.Etcd,
 							Ephemeral:      &s.storageRoot.Ephemeral.Consensus,
+							NodeID:         cc.nodeID(),
 							NodePrivateKey: cc.Credentials.TLSCredentials().PrivateKey.(ed25519.PrivateKey),
 							JoinCluster: &consensus.JoinCluster{
 								CACertificate:   caCert,
@@ -274,6 +276,7 @@
 
 				n := curator.NewNodeForBootstrap(&curator.NewNodeData{
 					CUK:      b.Node.ClusterUnlockKey,
+					ID:       b.Node.ID,
 					Pubkey:   npub,
 					JPub:     jpub,
 					TPMUsage: b.Node.TPMUsage,
@@ -281,7 +284,7 @@
 				})
 
 				// The first node always runs consensus.
-				join, err := st.AddNode(ctx, npub)
+				join, err := st.AddNode(ctx, b.Node.ID, npub)
 				if err != nil {
 					return fmt.Errorf("when retrieving node join data from consensus: %w", err)
 				}