)]}' { "commit": "7eeef0f448a4ec1737e2e63961f24f51eec5deae", "tree": "690afce7d61fed7284991d3622d2b4b7f5948c14", "parents": [ "925ec3de7a8562ef478216c77dff68c8235aeabd" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Feb 05 14:40:15 2024 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Feb 08 11:10:07 2024 +0000" }, "message": "m/c/metroctl: implement TOFU for CA certificates\n\nThis implements trust-on-first-use (TOFU) for connecting to a Metropolis\ncluster.\n\nIf no locally persisted CA is available, one will be retrieved from the\ncluster. If it is then accepted, it will be persisted for future use.\n\nTo retrieve the Cluster CA certificate we implement a new\nunauthenticated call in the CuratorLocal service. The alternative would\nbe to include the CA certificate in the served TLS chain, but that would\nlikely cause some backwards compatibility problems with existing client\nsoftware.\n\nFull TOFU (with an SSH style prompt) will be performed when the user\nfirst takes ownership of a cluster. Otherwise, user credentials\nincluding a certificate will be present, which allows the process to be\nsimplified by just retrieving a remote CA and checking it against the\nsignature of the credentials.\n\nChange-Id: I20002399935c2f13adc4526f5cceddad84b36a8f\nReviewed-on: https://review.monogon.dev/c/monogon/+/2743\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "61d6c4ecf9adeadb0f0a287f97847f8fa545ba47", "old_mode": 33188, "old_path": "metropolis/cli/metroctl/cmd_takeownership.go", "new_id": "2a93b57f8f81f298764ed70fab0a2dc1972b228b", "new_mode": 33188, "new_path": "metropolis/cli/metroctl/cmd_takeownership.go" }, { "type": "modify", "old_id": "7c1a0f47274792c4ba61520ec4d6dedada165094", "old_mode": 33188, "old_path": "metropolis/cli/metroctl/core/BUILD.bazel", "new_id": "1795765c351ae77a9f913289a4d3d1ea6d433c9a", "new_mode": 33188, "new_path": "metropolis/cli/metroctl/core/BUILD.bazel" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "fc30c6cd08afd50d6a7e4700fd920e8f85cd5692", "new_mode": 33188, "new_path": "metropolis/cli/metroctl/core/ca_tofu.go" }, { "type": "modify", "old_id": "1307d61100e82ea927827820cc04a190078b2298", "old_mode": 33188, "old_path": "metropolis/cli/metroctl/core/config.go", "new_id": "92a8871a0a1d66df6588c2e37f0486b69318dffd", "new_mode": 33188, "new_path": "metropolis/cli/metroctl/core/config.go" }, { "type": "modify", "old_id": "698dbbc3a22c24198bd977f8d018ccb15375fa48", "old_mode": 33188, "old_path": "metropolis/cli/metroctl/main.go", "new_id": "e3ae92b7daf3541e8db1de25e670ac8e08244997", "new_mode": 33188, "new_path": "metropolis/cli/metroctl/main.go" }, { "type": "modify", "old_id": "f1c27e6ae96600c1dc29dc47178ab9cab55e07f6", "old_mode": 33188, "old_path": "metropolis/cli/metroctl/rpc.go", "new_id": "164e2ee4fb8a15eb48800771b0422726dba844a4", "new_mode": 33188, "new_path": "metropolis/cli/metroctl/rpc.go" }, { "type": "modify", "old_id": "969b4cc58a8e00e94530fcda4a5421ce9b03d18b", "old_mode": 33188, "old_path": "metropolis/cli/metroctl/test/test.go", "new_id": "b031271c2ba5443c666610d65e9c3be8445a2aca", "new_mode": 33188, "new_path": "metropolis/cli/metroctl/test/test.go" }, { "type": "modify", "old_id": "9d1c2be5f11b9100646273b4b77110641e623e10", "old_mode": 33188, "old_path": "metropolis/node/core/curator/impl_follower.go", "new_id": "8690540bd00b6c0b5150299a9273b702f08a7be0", "new_mode": 33188, "new_path": "metropolis/node/core/curator/impl_follower.go" }, { "type": "modify", "old_id": "1427eb9ed1593c6d1ab0b052e6bebad5ba32b6e9", "old_mode": 33188, "old_path": "metropolis/node/core/curator/impl_leader_cluster_networking.go", "new_id": "f4f6edc1dc0c5a1145a22052431f50151ccfb85b", "new_mode": 33188, "new_path": "metropolis/node/core/curator/impl_leader_cluster_networking.go" }, { "type": "modify", "old_id": "46397296c7898c8aca71e53b1ec9072220823238", "old_mode": 33188, "old_path": "metropolis/node/core/curator/listener.go", "new_id": "620bc051231dba1fba6cee716577b138c9021186", "new_mode": 33188, "new_path": "metropolis/node/core/curator/listener.go" }, { "type": "modify", "old_id": "074621a7a616008140f2f370f952b7a1c70d713d", "old_mode": 33188, "old_path": "metropolis/node/core/curator/proto/api/api.proto", "new_id": "31c221d34761dbd29d5d8a183d5a1a4a25e62253", "new_mode": 33188, "new_path": "metropolis/node/core/curator/proto/api/api.proto" }, { "type": "modify", "old_id": "3d46448924c38edf1f304c6dd0393fbe60e10b50", "old_mode": 33188, "old_path": "metropolis/node/core/rpc/resolver/resolver_test.go", "new_id": "eac59d195ac67fc1714e61060aed9d43465343a9", "new_mode": 33188, "new_path": "metropolis/node/core/rpc/resolver/resolver_test.go" }, { "type": "modify", "old_id": "da77fe500be64e3b10f508967bc86366e8eeb920", "old_mode": 33188, "old_path": "metropolis/test/launch/cluster/metroctl.go", "new_id": "54a62fc3973d553148c01e9707fac6877f328c17", "new_mode": 33188, "new_path": "metropolis/test/launch/cluster/metroctl.go" } ] }