Generate an `ignition-auth` key and provide it to the MCS #1740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

cgwalters wants to merge 1 commit into openshift:master from cgwalters:mcs-auth

data/data/manifests/bootkube/openshift-config-secret-ignition-auth.yaml.template

-Original file line number
+Diff line change
@@ -0,0 +1,9 @@
+    apiVersion: v1
+    kind: Secret
+    type: Opaque
+    metadata:
+      namespace: openshift-machine-config-operator
+      name: ignition-auth
+    data:
+      master: {{.IgnitionAuthMasterBase64}}
+      worker: {{.IgnitionAuthWorkerBase64}}

pkg/asset/ignition/machine/master.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -28,6 +28,7 @@ var _ asset.WritableAsset = (*Master)(nil) @@
     func (a *Master) Dependencies() []asset.Asset {
     	return []asset.Asset{
     		&installconfig.InstallConfig{},
+    		&installconfig.IgnitionAuth{},
     		&tls.RootCA{},
     	}
     }
@@ Expand All / @@ -36,9 +37,10 @@ func (a *Master) Dependencies() []asset.Asset { @@
     func (a *Master) Generate(dependencies asset.Parents) error {
     	installConfig := &installconfig.InstallConfig{}
     	rootCA := &tls.RootCA{}
-    	dependencies.Get(installConfig, rootCA)
+    	ignitionAuth := &installconfig.IgnitionAuth{}
+    	dependencies.Get(installConfig, rootCA, ignitionAuth)
-    	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "master")
+    	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "master", ignitionAuth.Master)
     	data, err := json.Marshal(a.Config)
     	if err != nil {
@@ Expand Down @@

pkg/asset/ignition/machine/node.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -12,18 +12,20 @@ import ( @@
     // pointerIgnitionConfig generates a config which references the remote config
     // served by the machine config server.
-    func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, role string) *ignition.Config {
+    func pointerIgnitionConfig(installConfig *types.InstallConfig, rootCA []byte, role, auth string) *ignition.Config {
+    	authURL := url.URL{
+    		Scheme: "https",
+    		Host:   fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain()),
+    		Path:   fmt.Sprintf("/config/%s", role),
+    	}
+    	authURL.Query().Set("auth", auth)
     	return &ignition.Config{
     		Ignition: ignition.Ignition{
     			Version: ignition.MaxVersion.String(),
     			Config: ignition.IgnitionConfig{
     				Append: []ignition.ConfigReference{{
     					Source: func() *url.URL {
-    						return &url.URL{
-    							Scheme: "https",
-    							Host:   fmt.Sprintf("api-int.%s:22623", installConfig.ClusterDomain()),
-    							Path:   fmt.Sprintf("/config/%s", role),
-    						}
+    						return &authURL
     					}().String(),
     				}},
     			},
@@ Expand Down @@

pkg/asset/ignition/machine/worker.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -28,6 +28,8 @@ var _ asset.WritableAsset = (*Worker)(nil) @@
     func (a *Worker) Dependencies() []asset.Asset {
     	return []asset.Asset{
     		&installconfig.InstallConfig{},
+    		&installconfig.IgnitionAuth{},
     		&tls.RootCA{},
     	}
     }
@@ Expand All / @@ -36,9 +38,10 @@ func (a *Worker) Dependencies() []asset.Asset { @@
     func (a *Worker) Generate(dependencies asset.Parents) error {
     	installConfig := &installconfig.InstallConfig{}
     	rootCA := &tls.RootCA{}
-    	dependencies.Get(installConfig, rootCA)
+    	ignitionAuth := &installconfig.IgnitionAuth{}
+    	dependencies.Get(installConfig, rootCA, ignitionAuth)
-    	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "worker")
+    	a.Config = pointerIgnitionConfig(installConfig.Config, rootCA.Cert(), "worker", ignitionAuth.Worker)
     	data, err := json.Marshal(a.Config)
     	if err != nil {
@@ Expand Down @@

pkg/asset/installconfig/ignitionauth.go

-Original file line number
+Diff line change
@@ -0,0 +1,32 @@
+    package installconfig
+    import (
+    	utilrand "k8s.io/apimachinery/pkg/util/rand"
+    	"github.com/openshift/installer/pkg/asset"
+    )
+    // IgnitionAuth gates access to the Machine Config Server
+    type IgnitionAuth struct {
+    	Master string
+    	Worker string
+    }
+    var _ asset.Asset = (*IgnitionAuth)(nil)
+    // Dependencies returns nothing.
+    func (a *IgnitionAuth) Dependencies() []asset.Asset {
+    	return []asset.Asset{}
+    }
+    // Generate generates a new IgnitionAuth
+    func (a *IgnitionAuth) Generate(dep asset.Parents) error {
+    	a.Master = utilrand.String(64)
+    	a.Worker = utilrand.String(64)
+    	return nil
+    }
+    // Name returns the human-friendly name of the asset.
+    func (a *IgnitionAuth) Name() string {
+    	return "Ignition Auth"
+    }

pkg/asset/manifests/operators.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -55,6 +55,7 @@ func (m *Manifests) Dependencies() []asset.Asset { @@
     	return []asset.Asset{
     		&installconfig.ClusterID{},
     		&installconfig.InstallConfig{},
+    		&installconfig.IgnitionAuth{},
     		&Ingress{},
     		&DNS{},
     		&Infrastructure{},
@@ Expand Down Expand Up / @@ -84,6 +85,7 @@ func (m *Manifests) Dependencies() []asset.Asset { @@
     		&bootkube.KubeSystemConfigmapRootCA{},
     		&bootkube.MachineConfigServerTLSSecret{},
     		&bootkube.OpenshiftConfigSecretPullSecret{},
+    		&bootkube.OpenshiftConfigSecretIgnitionAuth{},
     		&bootkube.OpenshiftMachineConfigOperator{},
     	}
     }
@@ Expand Down Expand Up / @@ -136,6 +138,7 @@ func (m *Manifests) Files() []*asset.File { @@
     func (m *Manifests) generateBootKubeManifests(dependencies asset.Parents) []*asset.File {
     	clusterID := &installconfig.ClusterID{}
     	installConfig := &installconfig.InstallConfig{}
+    	ignitionAuth := &installconfig.IgnitionAuth{}
     	mcsCertKey := &tls.MCSCertKey{}
     	etcdMetricCABundle := &tls.EtcdMetricCABundle{}
     	etcdMetricSignerClientCertKey := &tls.EtcdMetricSignerClientCertKey{}
@@ Expand All @@
     	dependencies.Get(
     		clusterID,
     		installConfig,
+    		ignitionAuth,
     		etcdSignerCertKey,
     		etcdCABundle,
     		etcdSignerClientCertKey,
@@ Expand Down Expand Up @@
     		McsTLSCert:                 base64.StdEncoding.EncodeToString(mcsCertKey.Cert()),
     		McsTLSKey:                  base64.StdEncoding.EncodeToString(mcsCertKey.Key()),
     		PullSecretBase64:           base64.StdEncoding.EncodeToString([]byte(installConfig.Config.PullSecret)),
+    		IgnitionAuthMasterBase64:   base64.StdEncoding.EncodeToString([]byte(ignitionAuth.Master)),
+    		IgnitionAuthWorkerBase64:   base64.StdEncoding.EncodeToString([]byte(ignitionAuth.Master)),
     		RootCaCert:                 string(rootCA.Cert()),
     	}
@@ Expand All @@
     		&bootkube.KubeSystemConfigmapRootCA{},
     		&bootkube.MachineConfigServerTLSSecret{},
     		&bootkube.OpenshiftConfigSecretPullSecret{},
+    		&bootkube.OpenshiftConfigSecretIgnitionAuth{},
     		&bootkube.OpenshiftMachineConfigOperator{},
     	} {
     		dependencies.Get(a)
@@ Expand Down @@

pkg/asset/manifests/template.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -53,6 +53,8 @@ type bootkubeTemplateData struct { @@
     	McsTLSCert                 string
     	McsTLSKey                  string
     	PullSecretBase64           string
+    	IgnitionAuthMasterBase64   string
+    	IgnitionAuthWorkerBase64   string
     	RootCaCert                 string
     	WorkerIgnConfig            string
     }
@@ Expand Down @@

pkg/asset/targets/targets.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -46,6 +46,7 @@ var ( @@
     		&bootkube.EtcdMetricSignerSecret{},
     		&bootkube.EtcdMetricServingCAConfigMap{},
     		&bootkube.OpenshiftConfigSecretPullSecret{},
+    		&bootkube.OpenshiftConfigSecretIgnitionAuth{},
     		&openshift.BindingDiscovery{},
     		&openshift.CloudCredsSecret{},
     		&openshift.KubeadminPasswordSecret{},
@@ Expand Down @@

pkg/asset/templates/content/bootkube/ignition-auth.go

-Original file line number
+Diff line change
@@ -0,0 +1,64 @@
+    package bootkube
+    import (
+    	"os"
+    	"path/filepath"
+    	"github.com/openshift/installer/pkg/asset"
+    	"github.com/openshift/installer/pkg/asset/templates/content"
+    )
+    const (
+    	openshiftConfigSecretIgnitionAuthFileName = "openshift-config-secret-ignition-auth.yaml.template"
+    )
+    var _ asset.WritableAsset = (*OpenshiftConfigSecretIgnitionAuth)(nil)
+    // OpenshiftConfigSecretIgnitionAuth is the constant to represent contents of openshift-config-secret-ignition-auth.yaml.template file.
+    type OpenshiftConfigSecretIgnitionAuth struct {
+    	FileList []*asset.File
+    }
+    // Dependencies returns all of the dependencies directly needed by the asset
+    func (t *OpenshiftConfigSecretIgnitionAuth) Dependencies() []asset.Asset {
+    	return []asset.Asset{}
+    }
+    // Name returns the human-friendly name of the asset.
+    func (t *OpenshiftConfigSecretIgnitionAuth) Name() string {
+    	return "OpenshiftConfigSecretIgnitionAuth"
+    }
+    // Generate generates the actual files by this asset
+    func (t *OpenshiftConfigSecretIgnitionAuth) Generate(parents asset.Parents) error {
+    	fileName := openshiftConfigSecretIgnitionAuthFileName
+    	data, err := content.GetBootkubeTemplate(fileName)
+    	if err != nil {
+    		return err
+    	}
+    	t.FileList = []*asset.File{
+    		{
+    			Filename: filepath.Join(content.TemplateDir, fileName),
+    			Data:     []byte(data),
+    		},
+    	}
+    	return nil
+    }
+    // Files returns the files generated by the asset.
+    func (t *OpenshiftConfigSecretIgnitionAuth) Files() []*asset.File {
+    	return t.FileList
+    }
+    // Load returns the asset from disk.
+    func (t *OpenshiftConfigSecretIgnitionAuth) Load(f asset.FileFetcher) (bool, error) {
+    	file, err := f.FetchByName(filepath.Join(content.TemplateDir, openshiftConfigSecretIgnitionAuthFileName))
+    	if err != nil {
+    		if os.IsNotExist(err) {
+    			return false, nil
+    		}
+    		return false, err
+    	}
+    	t.FileList = []*asset.File{file}
+    	return true, nil
+    }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Generate an `ignition-auth` key and provide it to the MCS #1740

Uh oh!

Diff view

Diff view

There are no files selected for viewing

ashcrow May 13, 2019

Uh oh!

Generate an ignition-auth key and provide it to the MCS #1740

Uh oh!

Generate an ignition-auth key and provide it to the MCS #1740

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

ashcrow May 13, 2019

Choose a reason for hiding this comment

Uh oh!

Generate an `ignition-auth` key and provide it to the MCS #1740

Generate an `ignition-auth` key and provide it to the MCS #1740