m/n/c/curator: add Management.UpdateNodeRoles
This provides an API for node role adjustments.
While changes to KubernetesWorker role are registered, not all side
effects are accounted for as of now. Specifically, disabling this role
within a node won't lead to its removal from the Kubernetes cluster.
Change-Id: Ie8e65990108b8cf82afecf3374f40f2e857fa776
Reviewed-on: https://review.monogon.dev/c/monogon/+/767
Tested-by: Jenkins CI
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/proto/api/management.proto b/metropolis/proto/api/management.proto
index 17ff6af..ba20cee 100644
--- a/metropolis/proto/api/management.proto
+++ b/metropolis/proto/api/management.proto
@@ -60,6 +60,13 @@
need: PERMISSION_APPROVE_NODE
};
}
+
+ // UpdateNodeRoles updates a single node's roles.
+ rpc UpdateNodeRoles(UpdateNodeRolesRequest) returns (UpdateNodeRolesResponse) {
+ option (metropolis.proto.ext.authorization) = {
+ need: PERMISSION_UPDATE_NODE_ROLES
+ };
+ }
}
message GetRegisterTicketRequest {
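Review bot: The comment on `UpdateNodeRoles` omits the caveat from the commit message that disabling the KubernetesWorker role is registered but does not remove the node from the Kubernetes cluster. An operator reading only the API definition could assume a node has left the cluster when it has not. I would add it to the RPC comment, e.g. `// Disabling the KubernetesWorker role is recorded, but does not currently remove the node from the Kubernetes cluster.` Because `PERMISSION_UPDATE_NODE_ROLES` gates role changes, including consensus membership, on any node named by pubkey, the comment could also say that this is a cluster-management permission. The enclosing service block starts outside the hunk.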
@@ -144,3 +151,20 @@
message ApproveNodeResponse {
}
+
+// UpdateNodeRolesRequest updates roles of a single node matching pubkey. All
+// role fields are optional, and no change will result if they're either unset
+// or if their value matches existing state.
+message UpdateNodeRolesRequest {
+ // pubkey is the Ed25519 public key of this node, which can be used to
+ // generate the node's ID. This is always set.
+ bytes pubkey = 1;
+
+ // kubernetesWorker adjusts the appropriate role when set. Nodes performing
+ // this role must also be consensus members.
+ optional bool kubernetesWorker = 2;
+ optional bool consensusMember = 3;
+}
+
+message UpdateNodeRolesResponse {
+}
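Review bot: `consensusMember`, the last field of `UpdateNodeRolesRequest`, has no comment, and the schema cannot enforce the constraint stated on `kubernetesWorker` that worker nodes must also be consensus members. The message should therefore say what a caller gets for a conflicting request such as `kubernetesWorker = true` with `consensusMember = false`. The handler is not part of this diff; if it rejects such combinations, a comment like `// consensusMember adjusts the consensus member role when set. A request that would leave a Kubernetes worker without consensus membership is rejected.` would record that. Likewise `pubkey` is documented as "always set", but a proto3 `bytes` field arrives empty when omitted, so the server presumably has to reject anything that is not a 32-byte Ed25519 key before looking up the node. As a style point, both role fields are camelCase where protobuf convention is lower_snake_case (`kubernetes_worker`, `consensus_member`), and renaming is only cheap before the API is published.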
diff --git a/metropolis/proto/ext/authorization.proto b/metropolis/proto/ext/authorization.proto
index 60ad68a..0275bba 100644
--- a/metropolis/proto/ext/authorization.proto
+++ b/metropolis/proto/ext/authorization.proto
@@ -23,6 +23,7 @@
PERMISSION_READ_CLUSTER_STATUS = 2;
PERMISSION_UPDATE_NODE_SELF = 3;
PERMISSION_APPROVE_NODE = 4;
+ PERMISSION_UPDATE_NODE_ROLES = 5;
}
// Authorization policy for an RPC method. This message/API does not have the