Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 7eeef0f448a4ec1737e2e63961f24f51eec5deae^! / . / metropolis / cli / metroctl / cmd_takeownership.go
commit7eeef0f448a4ec1737e2e63961f24f51eec5deae[log] [tgz]
authorSerge Bazanski <serge@monogon.tech>Mon Feb 05 14:40:15 2024 +0100
committerSerge Bazanski <serge@monogon.tech>Thu Feb 08 11:10:07 2024 +0000
tree690afce7d61fed7284991d3622d2b4b7f5948c14
parent925ec3de7a8562ef478216c77dff68c8235aeabd [diff] [blame]
m/c/metroctl: implement TOFU for CA certificates

This implements trust-on-first-use (TOFU) for connecting to a Metropolis
cluster.

If no locally persisted CA is available, one will be retrieved from the
cluster. If it is then accepted, it will be persisted for future use.

To retrieve the Cluster CA certificate we implement a new
unauthenticated call in the CuratorLocal service. The alternative would
be to include the CA certificate in the served TLS chain, but that would
likely cause some backwards compatibility problems with existing client
software.

Full TOFU (with an SSH style prompt) will be performed when the user
first takes ownership of a cluster. Otherwise, user credentials
including a certificate will be present, which allows the process to be
simplified by just retrieving a remote CA and checking it against the
signature of the credentials.

Change-Id: I20002399935c2f13adc4526f5cceddad84b36a8f
Reviewed-on: https://review.monogon.dev/c/monogon/+/2743
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

diff --git a/metropolis/cli/metroctl/cmd_takeownership.go b/metropolis/cli/metroctl/cmd_takeownership.go
index 61d6c4e..2a93b57 100644
--- a/metropolis/cli/metroctl/cmd_takeownership.go
+++ b/metropolis/cli/metroctl/cmd_takeownership.go

@@ -31,6 +31,12 @@
 	if len(flags.clusterEndpoints) != 1 {
 		log.Fatalf("takeownership requires a single cluster endpoint to be provided with the --endpoints parameter.")
 	}
+	ctx := clicontext.WithInterrupt(context.Background())
+
+	ca, err := core.GetClusterCAWithTOFU(ctx, connectOptions())
+	if err != nil {
+		log.Fatalf("Could not retrieve cluster CA: %v", err)
+	}
 
 	// Retrieve the cluster owner's private key, and use it to construct
 	// ephemeral credentials. Then, dial the cluster.
@@ -41,12 +47,11 @@
 	if err != nil {
 		log.Fatalf("Couldn't get owner's key: %v", err)
 	}
-	ctx := clicontext.WithInterrupt(context.Background())
 	opts, err := core.DialOpts(ctx, connectOptions())
 	if err != nil {
 		log.Fatalf("While configuring cluster dial opts: %v", err)
 	}
-	creds, err := rpc.NewEphemeralCredentials(opk, rpc.WantInsecure())
+	creds, err := rpc.NewEphemeralCredentials(opk, rpc.WantRemoteCluster(ca))
 	if err != nil {
 		log.Fatalf("While generating ephemeral credentials: %v", err)
 	}