m/n/core/{curator,cluster}: refactor against new Consensus API

This updates the Curator and the Cluster Manager to use the new
Consensus API, notably to use JoinParameters and ServiceHandle.Watch.

Using JoinParameters end-to-end requires piping them through a node's
roles. For this we create a new ConsensusMember role and replicate all
the data from JoinParameters there.

We also move a whole bunch of logic that used to live in the Cluster
Manager's Status object away from it. Instead, now the Consensus
ServiceHandle is exposed directly to downstream users, providing the
same functionality.

Change-Id: I8cfa247011554553836019f60ea172dd6069f49c
Reviewed-on: https://review.monogon.dev/c/monogon/+/522
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/proto/common/common.proto b/metropolis/proto/common/common.proto
index 63e6cfb..07ff460 100644
--- a/metropolis/proto/common/common.proto
+++ b/metropolis/proto/common/common.proto
@@ -21,10 +21,39 @@
 // NodeRoles are the possible roles that a Metropolis Node should run within the
 // cluster. These are configured by the cluster and can be retrieved through the
 // Curator.
+//
+// Fields contained within each individual are publicly available, so while they
+// can be used to carry required data to start up services for a given role,
+// this must not be confidential/private data.
 message NodeRoles {
     message KubernetesWorker {
     }
+    message ConsensusMember {
+        // ca_certificate is a DER-encoded x509 certificate of the etcd
+        // cluster's CA. The member must use this certificate to verify the
+        // identity of the cluster it's connecting to.
+        bytes ca_certificate = 1;
+        // pper_certificate is a DER-encoded x509 certificate of this node's
+        // etcd peer listener. The member must serve member traffic using this
+        // certificate. The private key corresponding to this certificate is
+        // the same as the node's primary private keypair.
+        bytes peer_certificate = 2;
+        // initial_crl is a certificate revocation list that the etcd member
+        // should be started with. After startup, the member will maintain its
+        // own CRL by updating it from its primary storage location, and etcd
+        // value.
+        //
+        // TODO(q3k): don't pass this here, instead pass this over an etcd
+        // watcher and curator.Watch.
+        bytes initial_crl = 3;
+        message Peer {
+            string Name = 1;
+            string URL = 2;
+        }
+        repeated Peer peers = 4;
+    }
     KubernetesWorker kubernetes_worker = 1;
+    ConsensusMember consensus_member = 2;
 }
 
 // NodeState is the state of a Metropolis node from the point of view of the
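Review bot: the comment on `bytes peer_certificate = 2;` starts with `pper_certificate`; it should read `peer_certificate`. The `initial_crl` comment also trails off ("...from its primary storage location, and etcd value.") and should either name that storage location or drop the clause, given that the TODO directly below says the CRL is meant to arrive via an etcd watcher and curator.Watch instead. Style: the nested `Peer` message uses `Name` and `URL` while every other field in `NodeRoles` is lower_snake_case (`ca_certificate`, `peer_certificate`, `initial_crl`, `peers`); rename them to `name` and `url`. The new header sentence "Fields contained within each individual are publicly available" is missing the word "role"; that sentence states the invariant that justifies carrying the CA certificate, peer certificate and CRL in this message while keeping the node's private key out of it, so it is worth making it read correctly.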