m/c/metroctl: implement TOFU for CA certificates
This implements trust-on-first-use (TOFU) for connecting to a Metropolis
cluster.
If no locally persisted CA is available, one will be retrieved from the
cluster. If it is then accepted, it will be persisted for future use.
To retrieve the Cluster CA certificate we implement a new
unauthenticated call in the CuratorLocal service. The alternative would
be to include the CA certificate in the served TLS chain, but that would
likely cause some backwards compatibility problems with existing client
software.
Full TOFU (with an SSH style prompt) will be performed when the user
first takes ownership of a cluster. Otherwise, user credentials
including a certificate will be present, which allows the process to be
simplified by just retrieving a remote CA and checking it against the
signature of the credentials.
Change-Id: I20002399935c2f13adc4526f5cceddad84b36a8f
Reviewed-on: https://review.monogon.dev/c/monogon/+/2743
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/test/launch/cluster/metroctl.go b/metropolis/test/launch/cluster/metroctl.go
index da77fe5..54a62fc 100644
--- a/metropolis/test/launch/cluster/metroctl.go
+++ b/metropolis/test/launch/cluster/metroctl.go
@@ -1,6 +1,8 @@
package cluster
import (
+ "context"
+ "crypto/x509"
"fmt"
"net"
"os"
@@ -26,6 +28,12 @@
return path, nil
}
+type acceptall struct{}
+
+func (a *acceptall) Ask(ctx context.Context, _ *metroctl.ConnectOptions, _ *x509.Certificate) (bool, error) {
+ return true, nil
+}
+
// ConnectOptions returns metroctl.ConnectOptions that describe connectivity to
// the launched cluster.
func (c *Cluster) ConnectOptions() *metroctl.ConnectOptions {
@@ -40,6 +48,7 @@
ConfigPath: c.metroctlDir,
ProxyServer: net.JoinHostPort("127.0.0.1", fmt.Sprintf("%d", c.Ports[SOCKSPort])),
Endpoints: endpoints,
+ TOFU: &acceptall{},
}
}