m/c/metroctl: implement TOFU for CA certificates

This implements trust-on-first-use (TOFU) for connecting to a Metropolis
cluster.

If no locally persisted CA is available, one will be retrieved from the
cluster. If it is then accepted, it will be persisted for future use.

To retrieve the Cluster CA certificate we implement a new
unauthenticated call in the CuratorLocal service. The alternative would
be to include the CA certificate in the served TLS chain, but that would
likely cause some backwards compatibility problems with existing client
software.

Full TOFU (with an SSH style prompt) will be performed when the user
first takes ownership of a cluster. Otherwise, user credentials
including a certificate will be present, which allows the process to be
simplified by just retrieving a remote CA and checking it against the
signature of the credentials.

Change-Id: I20002399935c2f13adc4526f5cceddad84b36a8f
Reviewed-on: https://review.monogon.dev/c/monogon/+/2743
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
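The decision flow the commit message describes, written out as an added example in Go. This is not metroctl's code (none is shown on this page): Store, VerifyClusterCA, Fingerprint, newCA and newLeaf are names chosen here, the unauthenticated CuratorLocal call is stood in for by passing the fetched CA certificate directly, and the persisted CA lives in memory instead of on disk. The three branches are the ones the message lays out: a CA that is already pinned must match exactly, existing credentials let the remote CA be checked against the signature on the user's own certificate without a prompt, and only a true first contact asks the user.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Store stands in for metroctl's persisted cluster CA (hypothetical; in
// memory here rather than on disk). CA is nil until something is pinned.
type Store struct {
	CA *x509.Certificate
}

// Fingerprint is the SHA-256 of the DER certificate, shown in the prompt.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyClusterCA decides whether to trust remote, the CA just fetched from
// the cluster over an unauthenticated call. owner is the user's own
// certificate if credentials exist (nil otherwise); accept is the SSH-style
// prompt, consulted only when nothing else can vouch for the CA.
func VerifyClusterCA(s *Store, remote, owner *x509.Certificate, accept func(fp string) bool) error {
	switch {
	case s.CA != nil:
		// Already pinned: the cluster must present exactly this CA. A
		// different one is the interception/wrong-cluster case, so never
		// fall back to re-prompting here.
		if !bytes.Equal(s.CA.Raw, remote.Raw) {
			return fmt.Errorf("cluster CA changed: pinned %s, got %s",
				Fingerprint(s.CA), Fingerprint(remote))
		}
		return nil
	case owner != nil:
		// Credentials exist: trust remote only if it signed our own cert.
		if err := owner.CheckSignatureFrom(remote); err != nil {
			return fmt.Errorf("remote CA did not sign our credentials: %w", err)
		}
		s.CA = remote
		return nil
	default:
		// First contact with no credentials: full TOFU, ask the user.
		if !accept(Fingerprint(remote)) {
			return errors.New("cluster CA rejected by user")
		}
		s.CA = remote
		return nil
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA and newLeaf mint a throwaway CA and a client certificate it signs,
// standing in for the cluster CA and the owner's credentials.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "owner"},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

func main() {
	ca, caKey := newCA("cluster CA")
	rogue, _ := newCA("rogue CA")
	owner := newLeaf(ca, caKey)
	yes := func(fp string) bool { fmt.Println("accept CA", fp, "? y"); return true }

	s := &Store{}
	fmt.Println("first contact, no credentials:", VerifyClusterCA(s, ca, nil, yes))
	fmt.Println("pinned, rogue CA:", VerifyClusterCA(s, rogue, nil, yes))
	fmt.Println("credentials, rogue CA:", VerifyClusterCA(&Store{}, rogue, owner, yes))
}
```

Two points worth checking in any implementation of this scheme: a mismatch against an already pinned CA is a hard failure and must not degrade into a fresh prompt, otherwise the unauthenticated fetch becomes a way to swap the CA under the user; and the credentials branch only works because the user's certificate was issued by the genuine cluster CA, which binds the freshly fetched CA to a trust relationship established earlier rather than to whatever the network returned.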
13 files changed
tree: 690afce7d61fed7284991d3622d2b4b7f5948c14
README.md

Monogon Monorepo

This is the main repository containing the source code for the Monogon Platform.

This is pre-release software - take a look, and check back later!

Environment

Our build environment is self-contained and requires only minimal host dependencies:

  • A Linux machine or VM.
  • Bazelisk >= v1.15.0 (or a working Nix environment).
  • A reasonably recent kernel with user namespaces enabled.
  • Working KVM with access to /dev/kvm (if you want to run tests).

Our docs assume that Bazelisk is available as bazel on your PATH.

Refer to SETUP.md for detailed instructions.

Monogon OS

Run a single node demo cluster

Build CLI and node image:

bazel build //metropolis/cli/dbg //:launch --config dbg

Launch an ephemeral test node:

bazel test //:launch --config dbg --test_output=streamed

Run a kubectl command while the test is running:

bazel-bin/metropolis/cli/dbg/dbg_/dbg kubectl describe node

Test suite

Run full test suite:

bazel test --config dbg //...