Add an automatically generated Ignition provisioning token
Part of implementing openshift/enhancements#443. The installer generates a random token (~password) and injects it into the Ignition pointer configuration and as a secret into the cluster. The MCO will check it.
Showing
9 changed files
with
145 additions
and
10 deletions.
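--- a/data/data/manifests/openshift/ignition-provisioning-secret.yaml.template
+++ b/data/data/manifests/openshift/ignition-provisioning-secret.yaml.template
@@ -0,0 +1,7 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  namespace: openshift-machine-config-operator
+  name: provisioning-token
+data:
+  token: {{.Base64EncodedKubeadminPwHash}}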
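Review bot: The secret's `token` value is rendered from `{{.Base64EncodedKubeadminPwHash}}`, which by its name carries the kubeadmin password hash rather than the value produced by the new ProvisioningToken asset, so as written the cluster-side secret would not match the token injected into the Ignition pointer config, or would expose the kubeadmin hash under a second name. The template data struct that supplies this field is not on this page, so this may be a placeholder left from copying the kubeadmin secret template, but the field should be a dedicated one fed from ProvisioningToken.Token, e.g. `token: {{.Base64EncodedIgnitionProvisioningToken}}` (name constructed here; use whatever the template data struct actually exposes). Adding `type: Opaque` after `apiVersion` would also make the secret type explicit, matching how other secret manifests are usually written.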
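--- a/PATH-MISSING-file-header-absent-from-page-package-ignition
+++ b/PATH-MISSING-file-header-absent-from-page-package-ignition
@@ -0,0 +1,47 @@
+package ignition
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/openshift/installer/pkg/asset"
+)
+
+// tokenLen is how many bytes of random input go into generating the token.
+// It should be a multiple of 3 to render nicely in base64
+// encoding. The current default is long; it's a lot of entropy. The MCS
+// will have mitigations against brute forcing.
+const tokenLen = 30
+
+// ProvisioningToken implements https://github.com/openshift/enhancements/pull/443/
+type ProvisioningToken struct {
+	Token string
+}
+
+var _ asset.Asset = (*ProvisioningToken)(nil)
+
+// Dependencies returns no dependencies.
+func (a *ProvisioningToken) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Generate the token
+func (a *ProvisioningToken) Generate(asset.Parents) error {
+	b := make([]byte, tokenLen)
+	n, err := rand.Read(b)
+	if err != nil {
+		return err
+	}
+	if n != tokenLen {
+		panic(fmt.Sprintf("Expected %d bytes", tokenLen))
+	}
+	a.Token = base64.StdEncoding.EncodeToString(b)
+	fmt.Printf("Generated token: %s\n", a.Token)
+	return nil
+}
+
+// Name returns the human-friendly name of the asset.
+func (a *ProvisioningToken) Name() string {
+	return "Ignition Provisioning Password"
+}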
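Review bot: `fmt.Printf("Generated token: %s\n", a.Token)` in Generate writes the freshly generated provisioning token to stdout, so the credential that is meant to gate Ignition config retrieval ends up in terminal scrollback, CI logs and anything else that captures installer output; delete that line, and if a trace is wanted, log only that a token was generated, never its value. The `n != tokenLen` panic is unreachable, because crypto/rand.Read documents that n == len(b) exactly when err == nil, so the read can be reduced to `if _, err := rand.Read(b); err != nil { return fmt.Errorf("generating Ignition provisioning token: %w", err) }`. Name() returns "Ignition Provisioning Password" while the type, its doc comment and the commit message all call it a token; aligning the string avoids confusing asset-graph output. The file header for this section is missing from the page, so the file's path is not visible here.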
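--- a/pkg/asset/templates/content/openshift/ignition-provisioning-token.go
+++ b/pkg/asset/templates/content/openshift/ignition-provisioning-token.go
@@ -0,0 +1,63 @@
+package openshift
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/templates/content"
+)
+
+const (
+	fileName = "ignition-provisioning-secret.yaml.template"
+)
+
+var _ asset.WritableAsset = (*IgnitionProvisioningSecret)(nil)
+
+// IgnitionProvisioningSecret implements https://github.com/openshift/enhancements/pull/443
+type IgnitionProvisioningSecret struct {
+	FileList []*asset.File
+}
+
+// Dependencies returns all of the dependencies directly needed by the asset
+func (t *IgnitionProvisioningSecret) Dependencies() []asset.Asset {
+	return []asset.Asset{}
+}
+
+// Name returns the human-friendly name of the asset.
+func (t *IgnitionProvisioningSecret) Name() string {
+	return "IgnitionProvisioningSecret"
+}
+
+// Generate generates the actual files by this asset
+func (t *IgnitionProvisioningSecret) Generate(parents asset.Parents) error {
+	data, err := content.GetOpenshiftTemplate(fileName)
+	if err != nil {
+		return err
+	}
+	t.FileList = []*asset.File{
+		{
+			Filename: filepath.Join(content.TemplateDir, fileName),
+			Data: []byte(data),
+		},
+	}
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (t *IgnitionProvisioningSecret) Files() []*asset.File {
+	return t.FileList
+}
+
+// Load returns the asset from disk.
+func (t *IgnitionProvisioningSecret) Load(f asset.FileFetcher) (bool, error) {
+	file, err := f.FetchByName(filepath.Join(content.TemplateDir, fileName))
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	t.FileList = []*asset.File{file}
+	return true, nil
+}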
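Review bot: `fileName = "ignition-provisioning-secret.yaml.template"` is declared at package scope in package openshift under a generic name; if any sibling template file in that package declares its own `fileName` the package stops compiling, and even when none does, the name says nothing about which template it refers to at its three uses in Generate and Load. Rename it to something template-specific, e.g. `ignitionProvisioningSecretFileName`, and update `content.GetOpenshiftTemplate(...)` and both `filepath.Join(content.TemplateDir, ...)` calls accordingly. Whether a sibling already uses the generic name cannot be confirmed from this page, so treat the collision as a risk rather than an observed failure.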