m/c/metroctl: implement TOFU for CA certificates
This implements trust-on-first-use (TOFU) for connecting to a Metropolis
cluster.
If no locally persisted CA is available, one will be retrieved from the
cluster. If it is then accepted, it will be persisted for future use.
To retrieve the Cluster CA certificate we implement a new
unauthenticated call in the CuratorLocal service. The alternative would
be to include the CA certificate in the served TLS chain, but that would
likely cause some backwards compatibility problems with existing client
software.
Full TOFU (with an SSH style prompt) will be performed when the user
first takes ownership of a cluster. Otherwise, user credentials
including a certificate will be present, which allows the process to be
simplified by just retrieving a remote CA and checking it against the
signature of the credentials.
Change-Id: I20002399935c2f13adc4526f5cceddad84b36a8f
Reviewed-on: https://review.monogon.dev/c/monogon/+/2743
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/cli/metroctl/core/config.go b/metropolis/cli/metroctl/core/config.go
index 1307d61..92a8871 100644
--- a/metropolis/cli/metroctl/core/config.go
+++ b/metropolis/cli/metroctl/core/config.go
@@ -3,6 +3,7 @@
import (
"crypto/ed25519"
"crypto/rand"
+ "crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
@@ -26,12 +27,17 @@
// OwnerCertificateFileName is the filename of the owner certificate in a
// metroctl config directory.
OwnerCertificateFileName = "owner.pem"
+ // CACertificateFileName is the filename of the cluster CA certificate in a
+ // metroctl config directory.
+ CACertificateFileName = "ca.pem"
)
// NoCredentialsError indicates that the requested datum (eg. owner key or owner
// certificate) is not present in the requested directory.
var NoCredentialsError = errors.New("owner certificate or key does not exist")
+var NoCACertificateError = errors.New("no cluster CA certificate while secure connection was requested")
+
// A PEM block type for a Metropolis initial owner private key
const ownerKeyType = "METROPOLIS INITIAL OWNER PRIVATE KEY"
@@ -67,6 +73,16 @@
return nil
}
+// WriteCACertificate writes the given der-encoded X509 certificate to the given
+// metorctl configuration directory path.
+func WriteCACertificate(path string, der []byte) error {
+ pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
+ if err := os.WriteFile(filepath.Join(path, CACertificateFileName), pemCert, 0600); err != nil {
+ return fmt.Errorf("when saving CA certificate: %w", err)
+ }
+ return nil
+}
+
// GetOwnerKey loads and returns a raw ED25519 private key from the saved owner
// key in a given metroctl configuration directory path. If the owner key doesn't
// exist, NoCredentialsError will be returned.
@@ -133,6 +149,43 @@
return
}
+// GetOwnerTLSCredentials returns a client TLS Certificate for authenticating to
+// the metropolis cluster, based on metroctl configuration at a given path.
+func GetOwnerTLSCredentials(path string) (*tls.Certificate, error) {
+ ocert, opkey, err := GetOwnerCredentials(path)
+ if err != nil {
+ return nil, err
+ }
+ return &tls.Certificate{
+ Certificate: [][]byte{ocert.Raw},
+ PrivateKey: opkey,
+ }, nil
+}
+
+// GetClusterCA returns the saved cluster CA certificate at the given metoctl
+// configuration path. This does not perform TOFU if the certificate is not
+// present.
+func GetClusterCA(path string) (cert *x509.Certificate, err error) {
+ caCertPEM, err := os.ReadFile(filepath.Join(path, CACertificateFileName))
+ if os.IsNotExist(err) {
+ return nil, NoCACertificateError
+ } else if err != nil {
+ return nil, fmt.Errorf("failed to load CA certificate: %w", err)
+ }
+ block, _ := pem.Decode(caCertPEM)
+ if block == nil {
+ return nil, errors.New("ca.pem contains invalid PEM armoring")
+ }
+ if block.Type != "CERTIFICATE" {
+ return nil, fmt.Errorf("ca.pem contains a PEM block that's not a CERTIFICATE")
+ }
+ cert, err = x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("ca.pem contains an invalid X.509 certificate: %w", err)
+ }
+ return
+}
+
// InstallKubeletConfig modifies the default kubelet kubeconfig of the host
// system to be able to connect via a metroctl (and an associated ConnectOptions)
// to a Kubernetes apiserver at IP address/hostname 'server'.
@@ -172,6 +225,7 @@
var u url.URL
u.Scheme = "https"
u.Host = net.JoinHostPort(server, node.KubernetesAPIWrappedPort.PortString())
+
config.Clusters[configName] = &clientapi.Cluster{
// MVP: This is insecure, but making this work would be wasted effort
// as all of it will be replaced by the identity system.
@@ -222,6 +276,10 @@
// ResolverLogger can be set to enable verbose logging of the Metropolis RPC
// resolver layer.
ResolverLogger ResolverLogger
+ // TOFU overrides the trust-on-first-use behaviour for CA certificates for the
+ // connection. If not set, TerminalTOFU is used which will interactively ask the
+ // user to accept a CA certificate using os.Stdin/Stdout.
+ TOFU CertificateTOFU
}
// ToFlags returns the metroctl flags corresponding to the options described by