m/n/c/curator: listen on public gRPC

This enables the curator to listen on CuratorPort (previously named
NodeServicePort) using the node's TLS certificates. No service is yet
registered on the new gRPC listener.

Change-Id: I436ac1ae9cbdb257419ad114262fc2a7516396b1
Reviewed-on: https://review.monogon.dev/c/monogon/+/288
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/core/main.go b/metropolis/node/core/main.go
index d665fc4..71f4227 100644
--- a/metropolis/node/core/main.go
+++ b/metropolis/node/core/main.go
@@ -170,6 +170,9 @@
 			return fmt.Errorf("failed to retrieve consensus kubernetes PKI client: %w", err)
 		}
 
+		// TODO(q3k): restart curator on credentials change?
+		curatorServerCreds := status.Credentials.PublicGRPCServerCredentials()
+
 		// Start cluster curator. The cluster curator is responsible for lifecycle
 		// management of the cluster.
 		// In the future, this will only be started on nodes that run etcd.
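Review bot: The credentials captured at `curatorServerCreds := status.Credentials.PublicGRPCServerCredentials()` are a one-time snapshot of `status.Credentials`, so the curator's public listener will keep presenting whatever node certificate was current when this ran; the TODO acknowledges the gap but does not state the consequence. Unless the enclosing function is itself re-run whenever `status` changes (its start lies outside this hunk), a rotated or revoked node certificate stays in use until the curator is restarted. I would make that explicit instead of leaving a bare question: `// Snapshot of the node credentials: the public listener presents this certificate until the curator is restarted, so a credential rotation requires restarting it (TODO(q3k): restart automatically on change).` It would also help to say whether these server credentials require and verify client certificates, since the listener sits on a public port and this hunk shows no verification policy.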
@@ -177,8 +180,9 @@
 			Etcd:   ckv,
 			NodeID: status.Credentials.ID(),
 			// TODO(q3k): make this configurable?
-			LeaderTTL: time.Second * 5,
-			Directory: &root.Ephemeral.Curator,
+			LeaderTTL:         time.Second * 5,
+			Directory:         &root.Ephemeral.Curator,
+			ServerCredentials: curatorServerCreds,
 		})
 		if err := supervisor.Run(ctx, "curator", c.Run); err != nil {
 			close(trapdoor)
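Review bot: `ServerCredentials: curatorServerCreds` is set without any nil check, and whether the curator's `Run` rejects nil credentials or quietly opens a plaintext listener is not visible from this hunk. Because this listener is bound to the public CuratorPort, missing credentials must be a hard failure rather than an insecure fallback. If `PublicGRPCServerCredentials()` can return nil, guard it before building the config: `if curatorServerCreds == nil { return fmt.Errorf("node credentials yielded no public gRPC server credentials") }`; otherwise the curator constructor should document that a nil value is rejected at startup. The enclosing function continues past the end of this hunk.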