| Lorenz Brun | dd8c80e | 2019-10-07 16:19:49 +0200 | [diff] [blame] | 1 | // Copyright 2020 The Monogon Project Authors. |
| 2 | // |
| 3 | // SPDX-License-Identifier: Apache-2.0 |
| 4 | // |
| 5 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | // you may not use this file except in compliance with the License. |
| 7 | // You may obtain a copy of the License at |
| 8 | // |
| 9 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | // |
| 11 | // Unless required by applicable law or agreed to in writing, software |
| 12 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | // See the License for the specific language governing permissions and |
| 15 | // limitations under the License. |
| 16 | |
| Hendrik Hofstadt | 0d7c91e | 2019-10-23 21:44:47 +0200 | [diff] [blame] | 17 | syntax = "proto3"; |
| Serge Bazanski | 662b5b3 | 2020-12-21 13:49:00 +0100 | [diff] [blame] | 18 | package metropolis.proto.common; |
| Serge Bazanski | 31370b0 | 2021-01-07 16:31:14 +0100 | [diff] [blame] | 19 | option go_package = "source.monogon.dev/metropolis/proto/common"; |
| Hendrik Hofstadt | 0d7c91e | 2019-10-23 21:44:47 +0200 | [diff] [blame] | 20 | |
| Serge Bazanski | 30653ee | 2021-06-17 15:44:29 +0200 | [diff] [blame] | 21 | // NodeRoles are the possible roles that a Metropolis Node should run within the |
| 22 | // cluster. These are configured by the cluster and can be retrieved through the |
| 23 | // Curator. |
| 24 | message NodeRoles { |
| 25 | message KubernetesWorker { |
| 26 | } |
| 27 | KubernetesWorker kubernetes_worker = 1; |
| 28 | } |
| 29 | |
| 30 | // NodeState is the state of a Metropolis node from the point of view of the |
| 31 | // cluster it is a part of (or intending to be a part of). |
| 32 | enum NodeState { |
| 33 | NODE_STATE_INVALID = 0; |
| 34 | |
| 35 | // NEW: the node has established a first contact with the cluster and |
| 36 | // intends to register into it. The node's identity has not been verified |
| 37 | // and no hardware attestation of the new node was performed. |
| 38 | // The node has generated a CUK/LUK and set up storage encrypted with the |
| 39 | // combination of both keys. |
| 40 | // The node has generated a private/public keypair, and that keypair has |
| 41 | // been used to contact the already running Cluster. |
| 42 | NODE_STATE_NEW = 1; |
| 43 | // STANDBY: the node has successfully passed identity and hardware |
| 44 | // attestation checks as defined by the cluster policy. The node still isn't |
| 45 | // part of the cluster, as it itself might perform checks against the |
| 46 | // running Cluster. |
| 47 | NODE_STATE_STANDBY = 2; |
| 48 | // UP: the node has passed all preconditions for STANDBY and has also |
| 49 | // performed a commit into the cluster by exchanging its CUK for a |
| 50 | // certificate issued by the cluster. |
| 51 | // The node is now ready to serve, and its certificate can be used to |
| 52 | // authenticate its identity cryptographically. |
| 53 | NODE_STATE_UP = 3; |
| 54 | // DISOWNED: the node has been rejected or decommissioned by the cluster. |
| 55 | // Any further contact from the node to the cluster will be rejected. |
| 56 | NODE_STATE_DISOWNED = 4; |
| 57 | }; |
| 58 | |
| 59 | // ClusterState is the state of the cluster from the point of view of a node. |
| 60 | // Different subsystems can watch this state and depend on it for behaviour |
| 61 | // (eg. start serving when HOME, maybe self-fence on SPLIT, etc.). |
| 62 | enum ClusterState { |
| 63 | CLUSTER_STATE_INVALID = 0; |
| 64 | |
| 65 | // UNKNOWN: the node has not yet determined the existence of a cluster it |
| 66 | // should join or start. This is a transient, initial state that should only |
| 67 | // manifest during boot. |
| 68 | CLUSTER_STATE_UNKNOWN = 1; |
| 69 | // FOREIGN: the node is attempting to register into an already existing |
| 70 | // cluster with which it managed to make preliminary contact, but which the |
| 71 | // cluster has not yet fully productionized (eg. the node is still being |
| 72 | // hardware attested, or the operator needs to confirm the |
| 73 | // registration of this node). |
| 74 | CLUSTER_STATE_FOREIGN = 2; |
| 75 | // TRUSTED: the node is attempting to register into an already registered |
| 76 | // cluster, and has been trusted by it. The node is now attempting to fully |
| 77 | // commit to registering into the cluster. |
| 78 | CLUSTER_STATE_TRUSTED = 3; |
| 79 | // HOME: the node is part of this cluster. This is the bulk of time in which |
| 80 | // this node will spend its time. |
| 81 | CLUSTER_STATE_HOME = 4; |
| 82 | // DISOWNING: the node has been disowned (ie., removed) by the cluster, and |
| 83 | // that it will not be ever part of any cluster again, and that it will be |
| 84 | // decommissioned by the operator. |
| 85 | CLUSTER_STATE_DISOWNING = 5; |
| 86 | // SPLIT:the node would usually be Home in a cluster, but has been split |
| 87 | // from the consensus of the cluster. This can happen for nodes running |
| 88 | // consensus when consensus is lost (eg. when there is no quorum or this |
| 89 | // node has been netsplit), and for other nodes if they have lost network |
| 90 | // connectivity to the consensus nodes. Clients should make their own |
| 91 | // decision what action to perform in this state, depending on the level of |
| 92 | // consistency required and whether it makes sense for the node to fence its |
| 93 | // services off. |
| 94 | CLUSTER_STATE_SPLIT = 6; |
| 95 | } |
| Serge Bazanski | 2893e98 | 2021-09-09 13:06:16 +0200 | [diff] [blame^] | 96 | |
| 97 | // NodeStatus contains all fields self-reported by nodes. This data is |
| 98 | // inherently less trusted than other data available about a node, as it can be |
| 99 | // updated to any value by each node individually, including compromised nodes. |
| 100 | message NodeStatus { |
| 101 | // external_address is the IP address that the node expects management, |
| 102 | // cluster and user traffic to arrive at (ie. the address on which it is |
| 103 | // listening for gRPC, and role-specific services like etcd and |
| 104 | // Kubernetes). |
| 105 | string external_address = 1; |
| 106 | } |
| 107 | |
| 108 | // The Cluster Directory is information about the network addressing of nodes |
| 109 | // in a cluster. It is a serialized snapshot of some of the state within the |
| 110 | // etcd cluster, and can be used by external processes (like a node Registering |
| 111 | // into the cluster) to know how to reach this cluster over the network. It can |
| 112 | // be thought of as a phonebook, or a static name/address configuration that |
| 113 | // could live in /etc/hosts. |
| 114 | // |
| 115 | // The directory explicitly doesn't carry any information about the cluster's |
| 116 | // identity or security - these should be configured and checked by higher |
| 117 | // level configuration and processes. The directory can be stored and |
| 118 | // transmitted in cleartext and without an integrity checks (like saved to the |
| 119 | // EFI system partition across reboots) and any malicious change to it will |
| 120 | // cause no more than a denial of service against the consumer of this |
| 121 | // directory. This is because all nodes contacted must present a valid cluster |
| 122 | // identity/certificate before they are trusted by the consumers of this |
| 123 | // directory. |
| 124 | message ClusterDirectory { |
| 125 | message Node { |
| 126 | bytes public_key = 1; |
| 127 | message Address { |
| 128 | string host = 1; |
| 129 | }; |
| 130 | repeated Address addesses = 2; |
| 131 | }; |
| 132 | repeated Node nodes = 1; |
| 133 | } |
| 134 | |
| 135 | message ClusterIdentity { |
| 136 | bytes ca_fingerprint = 1; |
| 137 | } |