// Copyright 2020 The Monogon Project Authors.
//
// SPDX-License-Identifier: Apache-2.0
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

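syntax = "proto3";

// Private (node-internal) schemas; not part of the public Metropolis API
// surface, so no version suffix is carried in the package name.
package metropolis.proto.private;

// File-level options follow the package declaration, per protobuf
// file-layout convention (syntax, package, imports, options, definitions).
option go_package = "source.monogon.dev/metropolis/proto/private";
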
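// Node describes a single node's state in etcd.
//
// DEPRECATED: this will be moved to //metropolis/node/curator.
message Node {
  // Node's public key. The key type and encoding are not specified by this
  // schema; producers and consumers must agree on them out of band.
  bytes public_key = 1;

  // Node's individual cluster part of the data partition encryption key (the
  // Cluster Unlock Key, CUK). On its own it is not sufficient to unlock the
  // data partition: it is combined with the Node Unlock Key (NUK) kept within
  // SealedConfiguration on the node itself.
  bytes cluster_unlock_key = 2;

  // FSMState is the node's position in the cluster lifecycle state machine.
  //
  // TODO(q3k): document this based on cluster lifecycle design doc once this
  // fully stabilizes.
  enum FSMState {
    // Default zero value. Named INVALID so that an unset fsm_state is never
    // read as a real lifecycle state.
    FSM_STATE_INVALID = 0;
    FSM_STATE_NEW = 1;
    FSM_STATE_STANDBY = 2;
    FSM_STATE_UP = 3;
    FSM_STATE_DISOWNED = 4;
  }
  // Current lifecycle state of the node.
  FSMState fsm_state = 3;

  // Roles carries the per-role configuration of this node. Each role is a
  // message-typed field, so "role present" (set) is distinguishable from
  // "role absent" (unset) even though the role messages currently carry no
  // fields of their own.
  message Roles {
    // ConsensusMember marks the node as a member of the cluster consensus.
    message ConsensusMember {
      // Used to be: consensus member name, can be deduced from
      // Certificate/Pubkey/ID.
      reserved 1;
    }
    ConsensusMember consensus_member = 1;

    // KubernetesWorker marks the node as a Kubernetes worker.
    message KubernetesWorker {
      // Used to be: node name, can be deduced from
      // Certificate/Pubkey/ID.
      reserved 1;
    }
    KubernetesWorker kubernetes_worker = 2;
  }
  Roles roles = 4;
}
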
// SealedConfiguration is the full set of configuration a node keeps in a
// TPM-sealed blob (confidential and tamper-resistant) on its ESP (EFI)
// partition. Everything a node needs to rejoin an existing cluster after a
// reboot lives here.
//
// node_unlock_key and join_key are secret key material: they are only ever
// meaningful in unsealed form on the node that owns them.
message SealedConfiguration {
  // The Node Unlock Key (NUK): this node's half of the key that unlocks its
  // data partition(s). It is not usable alone; it is combined with the
  // Cluster Unlock Key (CUK) held in etcd to derive the key that actually
  // mounts the data partition. Both halves are generated at bootstrap and at
  // registration.
  bytes node_unlock_key = 1;

  // An ED25519 private key generated during registration. Only the matching
  // public key is shared with the Curator, which uses it to authenticate the
  // join procedure.
  bytes join_key = 2;

  // The cluster's X509 CA certificate, set during registration and used by
  // nodes joining the cluster. The byte encoding is not fixed by this schema.
  bytes cluster_ca = 3;
}