metropolis: add cluster domain config and metroctl param
This adds a --cluster parameter to metroctl and a cluster domain field
to the bootstrap configuration. It is not yet used anywhere, but later
the cluster domain will be used to identify the cluster.
The length of the cluster domain is limited to 80 characters, to leave room
for constructing subdomains. This limit could be increased later if needed,
but it cannot easily be decreased, so I chose a conservative value that
should be enough in most cases.
Change-Id: I627cca8eb1d92c4b06e4dfd6b6926a013e8f33ae
Reviewed-on: https://review.monogon.dev/c/monogon/+/3508
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/proto/common/common.proto b/metropolis/proto/common/common.proto
index 1e8d748..50ea4e4 100644
--- a/metropolis/proto/common/common.proto
+++ b/metropolis/proto/common/common.proto
@@ -270,6 +270,18 @@
// NodeParamaters.ClusterBootstrap), and then can be partially managed by
// management calls to the curator.
message ClusterConfiguration {
+ // cluster_domain is the domain name which identifies the cluster.
+ // It should be unique, and ideally a public DNS name, but one under
+ // .internal works too. The cluster domain is used for different purposes:
+ //
+ // - To identify the cluster in clients like metroctl.
+ // - To resolve control plane endpoints with DNS in clients.
+ // - As the SPIFFE trust domain name of the cluster. Every identity
+ // issued by the cluster is rooted under `spiffe://cluster_domain/`.
+ // - As the issuer of OpenID Connect identity tokens. The discovery
+ // document is thus hosted at https://cluster_domain/.well-known/openid-configuration
+ string cluster_domain = 4;
+
// tpm_mode defines the TPM usage policy for cluster nodes. When nodes
// register into the cluster (and then join into it) they will report their
// TPM availability, and in return the cluster will respond whether they
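Review bot: The new comment on `cluster_domain` (lines 21-31) explains what the value is used for but not what a valid value looks like, which matters because the field roots every SPIFFE identity and OIDC issuer URL the cluster emits: the 80-character limit the commit message mentions is not stated here, nor that the value must be a syntactically valid DNS name, nor whether it may change after bootstrap. Suggest appending to the field comment `// Must be a valid DNS name of at most 80 characters (to leave room for subdomains). Since every identity and token is rooted under it, it is expected to stay fixed for the lifetime of the cluster.` — the SPIFFE specification additionally requires trust domain names to be lowercase with no scheme, port or path, so a normalization rule may be worth stating if the bootstrap validation (not in this hunk) enforces one. As a proto3 string the field has implicit presence, so an omitted domain reads as "" and has to be rejected explicitly by whatever consumes the bootstrap configuration. Minor style point: line 30 exceeds 80 columns; the URL could be moved to its own comment line. ClusterConfiguration's body continues outside the hunk.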
@@ -382,4 +394,4 @@
// The node has encrypted and authenticated storage. Its data
// partition is an XFS partition mounted through dm-integrity and dm-crypt.
NODE_STORAGE_SECURITY_AUTHENTICATED_ENCRYPTED = 3;
-}
\ No newline at end of file
+}