metropolis/proto/private/private.proto - monogon - Gitiles

 // Copyright 2020 The Monogon Project Authors.
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 syntax = "proto3";
 option go_package = "source.monogon.dev/metropolis/proto/private";
 package metropolis.proto.private;

 // Node describes a single node's state in etcd
 message Node {
     // Node's public key..
     bytes public_key = 1;
     // Node's individual cluster part of the data partition encryption key. It
     // is combined with the Node Unlock Key (NUK) kept within
     // SealedConfiguration.
     bytes cluster_unlock_key = 2;

     // TODO(q3k): document this based on cluster lifecycle design doc once this
     // fully stabilizes.
     enum FSMState {
         FSM_STATE_INVALID = 0;
         FSM_STATE_NEW = 1;
         FSM_STATE_STANDBY = 2;
         FSM_STATE_UP = 3;
         FSM_STATE_DISOWNED = 4;
     };
     FSMState fsm_state = 3;

     message Roles {
         message ConsensusMember {
             // Used to be: consensus member name, can be deduced from
             // Certificate/Pubkey/ID.
             reserved 1;
         }
         ConsensusMember consensus_member = 1;
         message KubernetesWorker {
             // Used to be: node name, can be deduced from
             // Certificate/Pubkey/ID.
             reserved 1;
         }
         KubernetesWorker kubernetes_worker = 2;
     }
     Roles roles = 4;
 }

 // SealedConfiguration is all configuration kept in a TPM-sealed (ie.
 // confidential and tamper-resistant) blob within the node's ESP (EFI)
 // partition. It contains everything that the node needs to join an existing
 // cluster after rebooting.
 message SealedConfiguration {
     // node_unlock_key (NUK) is the node's part of the key required to unlock
     // the node's data partition(s). It is combined with the Cluster Unlock Key
     // (CUK) that's stored in etcd to create a key which is then used to mount
     // the data partition. The NUK and CUK are generated on bootstrap and
     // registration.
     bytes node_unlock_key = 1;
 }
	// Copyright 2020 The Monogon Project Authors.
	//
	// SPDX-License-Identifier: Apache-2.0
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	syntax = "proto3";
	option go_package = "source.monogon.dev/metropolis/proto/private";
	package metropolis.proto.private;

	// Node describes a single node's state in etcd
	message Node {
	// Node's public key..
	bytes public_key = 1;
	// Node's individual cluster part of the data partition encryption key. It
	// is combined with the Node Unlock Key (NUK) kept within
	// SealedConfiguration.
	bytes cluster_unlock_key = 2;

	// TODO(q3k): document this based on cluster lifecycle design doc once this
	// fully stabilizes.
	enum FSMState {
	FSM_STATE_INVALID = 0;
	FSM_STATE_NEW = 1;
	FSM_STATE_STANDBY = 2;
	FSM_STATE_UP = 3;
	FSM_STATE_DISOWNED = 4;
	};
	FSMState fsm_state = 3;

	message Roles {
	message ConsensusMember {
	// Used to be: consensus member name, can be deduced from
	// Certificate/Pubkey/ID.
	reserved 1;
	}
	ConsensusMember consensus_member = 1;
	message KubernetesWorker {
	// Used to be: node name, can be deduced from
	// Certificate/Pubkey/ID.
	reserved 1;
	}
	KubernetesWorker kubernetes_worker = 2;
	}
	Roles roles = 4;
	}

	// SealedConfiguration is all configuration kept in a TPM-sealed (ie.
	// confidential and tamper-resistant) blob within the node's ESP (EFI)
	// partition. It contains everything that the node needs to join an existing
	// cluster after rebooting.
	message SealedConfiguration {
	// node_unlock_key (NUK) is the node's part of the key required to unlock
	// the node's data partition(s). It is combined with the Cluster Unlock Key
	// (CUK) that's stored in etcd to create a key which is then used to mount
	// the data partition. The NUK and CUK are generated on bootstrap and
	// registration.
	bytes node_unlock_key = 1;
	}