commit fbd38e280916f0883263cf0b566984d3fea4ff39
author Serge Bazanski <serge@monogon.tech> Fri Oct 08 14:41:16 2021 +0200
committer Sergiusz Bazanski <serge@monogon.tech> Thu Nov 18 13:01:16 2021 +0000
tree 44abb583a39606b61940523e873af4d92a787be4
parent 579015afff6be9d6c87c867b0645f254b9aeb2d8

m/proto: switch from CA pubkey to CA certificate in ClusterDirectory/Register

A CA certificate is a strict superset of the public key, and using it
instead of a public key allows us to connect to the cluster securely by
reusing standard/existing x509 CA auth, instead of having to implement a
check based on just a public key.

Backwards-incompatible proto change, but we're pre-MVP, and this flow is
just being implemented.

Change-Id: I014780a6ec3e5e8c6e81532531b18ad1438c8258
Reviewed-on: https://review.monogon.dev/c/monogon/+/424
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>

metropolis/proto/api/configuration.proto

diff --git a/metropolis/proto/api/configuration.proto b/metropolis/proto/api/configuration.proto
index 62d5094..9ff1c43 100644
--- a/metropolis/proto/api/configuration.proto
+++ b/metropolis/proto/api/configuration.proto
@@ -51,10 +51,11 @@
         // begin registering it into a cluster. It can be retrieved by an
         // operator from a running cluster via Management.GetRegisterTicket.
         bytes register_ticket = 2;
-        // ca_public_key is the public key of the CA of the cluster that the
+        // ca_certificate is the DER-encoded x509 CA of the cluster that the
         // node should expect when contacting nodes in cluster_directory and
-        // attempting to register into a cluster.
-        bytes ca_public_key = 3;
+        // attempting to register into a cluster. It can be retrieved by
+        // an operator from a running cluster via Management.GetClusterInfo.
+        bytes ca_certificate = 3;
     }
     oneof cluster {
         ClusterBootstrap cluster_bootstrap = 1;