Blame - metropolis/node/core/consensus/status.go - monogon

blob: 40988e50bfe5f08d5ad8c8be0c70f0d4c444fc3b [file] [log] [blame]

Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	1	package consensus
				2
				3	import (
				4	"context"
				5	"crypto/ed25519"
				6	"crypto/x509"
				7	"fmt"
				8	"net"
				9	"strconv"
				10
Lorenz Brun	d13c1c6	2022-03-30 19:58:58 +0200	[diff] [blame]	11	clientv3 "go.etcd.io/etcd/client/v3"
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	12
				13	"source.monogon.dev/metropolis/node"
				14	"source.monogon.dev/metropolis/node/core/consensus/client"
Tim Windelschmidt	9f21f53	2024-05-07 15:14:20 +0200	[diff] [blame]	15	"source.monogon.dev/osbase/event"
				16	"source.monogon.dev/osbase/pki"
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	17	)
				18
Serge Bazanski	5839e97	2021-11-16 15:46:19 +0100	[diff] [blame]	19	// ServiceHandle is implemented by Service and should be the type expected by
				20	// other code which relies on a Consensus instance. Ie., it's the downstream API
				21	// for a Consensus Service.
				22	type ServiceHandle interface {
				23	// Watch returns a Event Value compatible Watcher for accessing the State of the
				24	// consensus Service in a safe manner.
Serge Bazanski	37110c3	2023-03-01 13:57:27 +0000	[diff] [blame]	25	Watch() event.Watcher[*Status]
Serge Bazanski	5839e97	2021-11-16 15:46:19 +0100	[diff] [blame]	26	}
				27
Serge Bazanski	37110c3	2023-03-01 13:57:27 +0000	[diff] [blame]	28	var FilterRunning = event.Filter(func(st *Status) bool {
				29	return st.Running()
				30	})
Serge Bazanski	5839e97	2021-11-16 15:46:19 +0100	[diff] [blame]	31
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	32	// Status of the consensus service. It represents either a running consensus
				33	// service to which a client can connect and on which management can be
				34	// performed, or a stopped service.
				35	type Status struct {
Serge Bazanski	5839e97	2021-11-16 15:46:19 +0100	[diff] [blame]	36	// localPeerURL and localMemberID are the expected public URL and etcd member ID
				37	// of the etcd server wrapped by this consensus instance. If set, a sub-runnable
				38	// of the consensus will ensure that the given memberID always has localPeerURL
				39	// set as its peer URL.
				40	//
				41	// These will not be set when the Status has been generated by a
				42	// testServiceHandle.
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	43	localPeerURL string
				44	localMemberID uint64
Serge Bazanski	5839e97	2021-11-16 15:46:19 +0100	[diff] [blame]	45	// cl is the root etcd client to the underlying cluster.
				46	cl *clientv3.Client
				47	// ca is the PKI CA used to authenticate etcd members.
				48	ca *pki.Certificate
				49	// stopped is set to true if the underlying service has been stopped or hasn't
				50	// yet been started.
				51	stopped bool
Mateusz Zalega	bb2edbe	2022-06-08 11:57:09 +0200	[diff] [blame]	52
				53	// noClusterMemberManagement disables etcd cluster member management in
				54	// UpdateNodeRoles. This is currently necessary in order to test the call,
				55	// due to limitations of the test harness.
				56	noClusterMemberManagement bool
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	57	}
				58
				59	// Running returns true if this status represents a running consensus service
				60	// which can be connected to or managed. These calls are not guaranteed to
				61	// succeed (as the server might have stopped in the meantime), but the caller
				62	// can use this value as a hint to whether attempts to access the consensus
				63	// service should be done.
				64	func (s *Status) Running() bool {
				65	return !s.stopped
				66	}
				67
				68	func (s *Status) pkiClient() (client.Namespaced, error) {
				69	return clientFor(s.cl, "namespaced", "etcd-pki")
				70	}
				71
Serge Bazanski	5839e97	2021-11-16 15:46:19 +0100	[diff] [blame]	72	// CuratorClient returns a namespaced etcd client for use by the Curator.
				73	func (s *Status) CuratorClient() (client.Namespaced, error) {
				74	return clientFor(s.cl, "namespaced", "curator")
				75	}
				76
				77	// KubernetesClient returns a namespaced etcd client for use by Kubernetes.
				78	func (s *Status) KubernetesClient() (client.Namespaced, error) {
				79	return clientFor(s.cl, "namespaced", "kubernetes")
				80	}
				81
				82	// ClusterClient returns an etcd management API client, for use by downstream
				83	// clients that wish to perform maintenance operations on the etcd cluster (eg.
				84	// list/modify nodes, promote learners, ...).
				85	func (s *Status) ClusterClient() clientv3.Cluster {
				86	return s.cl
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	87	}
				88
Jan Schär	39d9c24	2024-09-24 13:49:55 +0200	[diff] [blame]	89	// AddNode creates a new consensus member corresponding to a given node ID
				90	// if one does not yet exist. The member will at first be marked as a
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	91	// Learner, ensuring it does not take part in quorum until it has finished
				92	// catching up to the state of the etcd store. As it does, the autopromoter will
				93	// turn it into a 'full' node and it will start taking part in the quorum and be
				94	// able to perform all etcd operations.
Jan Schär	39d9c24	2024-09-24 13:49:55 +0200	[diff] [blame]	95	func (s Status) AddNode(ctx context.Context, nodeID string, pk ed25519.PublicKey, opts ...AddNodeOption) (*JoinCluster, error) {
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	96	clPKI, err := s.pkiClient()
				97	if err != nil {
				98	return nil, err
				99	}
				100
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	101	var extraNames []string
				102	name := nodeID
				103	port := int(node.ConsensusPort)
				104	for _, opt := range opts {
				105	if opt.externalAddress != "" {
				106	name = opt.externalAddress
				107	extraNames = append(extraNames, name)
				108	}
				109	if opt.externalPort != 0 {
				110	port = opt.externalPort
				111	}
				112	}
				113
				114	member := pki.Certificate{
				115	Name: nodeID,
				116	Namespace: &pkiNamespace,
				117	Issuer: s.ca,
Jan Schär	39d9c24	2024-09-24 13:49:55 +0200	[diff] [blame]	118	Template: pkiPeerCertificate(nodeID, extraNames),
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	119	Mode: pki.CertificateExternal,
				120	PublicKey: pk,
				121	}
				122	caBytes, err := s.ca.Ensure(ctx, clPKI)
				123	if err != nil {
				124	return nil, fmt.Errorf("could not ensure CA certificate: %w", err)
				125	}
				126	memberBytes, err := member.Ensure(ctx, clPKI)
				127	if err != nil {
				128	return nil, fmt.Errorf("could not ensure member certificate: %w", err)
				129	}
				130	caCert, err := x509.ParseCertificate(caBytes)
				131	if err != nil {
				132	return nil, fmt.Errorf("could not parse CA certificate: %w", err)
				133	}
				134	memberCert, err := x509.ParseCertificate(memberBytes)
				135	if err != nil {
				136	return nil, fmt.Errorf("could not parse newly issued member certificate: %w", err)
				137	}
				138
				139	members, err := s.cl.MemberList(ctx)
				140	if err != nil {
				141	return nil, fmt.Errorf("could not retrieve existing members: %w", err)
				142	}
				143
				144	var existingNodes []ExistingNode
				145	var newExists bool
				146	for _, m := range members.Members {
Jan Schär	442cf68	2024-09-05 18:28:48 +0200	[diff] [blame]	147	if GetEtcdMemberNodeId(m) == nodeID {
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	148	newExists = true
				149	}
				150	if m.IsLearner {
				151	continue
				152	}
				153	if len(m.PeerURLs) < 1 {
				154	continue
				155	}
				156	existingNodes = append(existingNodes, ExistingNode{
				157	Name: m.Name,
				158	URL: m.PeerURLs[0],
				159	})
				160	}
				161
				162	crlW := s.ca.WatchCRL(clPKI)
Serge Bazanski	50f5ec7	2022-06-21 14:16:56 +0200	[diff] [blame]	163	defer crlW.Close()
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	164	crl, err := crlW.Get(ctx)
				165	if err != nil {
				166	return nil, fmt.Errorf("could not retrieve initial CRL: %w", err)
				167	}
				168
Mateusz Zalega	bb2edbe	2022-06-08 11:57:09 +0200	[diff] [blame]	169	if !newExists && !s.noClusterMemberManagement {
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	170	addr := fmt.Sprintf("https://%s", net.JoinHostPort(name, strconv.Itoa(port)))
				171	if _, err := s.cl.MemberAddAsLearner(ctx, []string{addr}); err != nil {
				172	return nil, fmt.Errorf("could not add new member as learner: %w", err)
				173	}
				174	}
				175
				176	return &JoinCluster{
				177	CACertificate: caCert,
				178	NodeCertificate: memberCert,
				179	ExistingNodes: existingNodes,
				180	InitialCRL: crl,
				181	}, nil
				182	}
				183
Tim Windelschmidt	8732d43	2024-04-18 23:20:05 +0200	[diff] [blame]	184	// AddNodeOption can be passed to AddNode to influence the behaviour of the
Serge Bazanski	f05e80a	2021-10-12 11:53:34 +0200	[diff] [blame]	185	// function. Currently this is only used internally by tests.
				186	type AddNodeOption struct {
				187	externalAddress string
				188	externalPort int
				189	}
Jan Schär	ad8982f	2024-09-17 13:56:34 +0200	[diff] [blame]	190
				191	// RemoveNode removes the etcd member with the given node ID, if it is currently
				192	// a member. Etcd fails this operation if it is not safe to perform.
				193	func (s *Status) RemoveNode(ctx context.Context, nodeID string) error {
				194	members, err := s.cl.MemberList(ctx)
				195	if err != nil {
				196	return fmt.Errorf("could not retrieve existing members: %w", err)
				197	}
				198	for _, m := range members.Members {
				199	if GetEtcdMemberNodeId(m) == nodeID {
				200	_, err := s.cl.MemberRemove(ctx, m.ID)
				201	if err != nil {
				202	return fmt.Errorf("could not remove member: %w", err)
				203	}
				204	}
				205	}
				206	return nil
				207	}