Skip to content

Commit

Permalink
fix: check trustd API CA on worker nodes
Browse files Browse the repository at this point in the history
This distributes API CA (just the certificate, not the key) to the
worker nodes on config generation, and if the CA cert is present on the
worker node, it verifies TLS connection to the trustd with the CA
certificate.

Signed-off-by: Andrey Smirnov <[email protected]>
  • Loading branch information
smira committed Sep 27, 2021
1 parent 95f440e commit e628f84
Show file tree
Hide file tree
Showing 4 changed files with 19 additions and 13 deletions.
2 changes: 1 addition & 1 deletion internal/app/machined/pkg/controllers/secrets/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -337,7 +337,7 @@ func (ctrl *APIController) generateControlPlane(ctx context.Context, r controlle

func (ctrl *APIController) generateJoin(ctx context.Context, r controller.Runtime, logger *zap.Logger,
rootSpec *secrets.RootOSSpec, endpointsStr []string, certSANs *secrets.CertSANSpec) error {
remoteGen, err := gen.NewRemoteGenerator(rootSpec.Token, endpointsStr)
remoteGen, err := gen.NewRemoteGenerator(rootSpec.Token, endpointsStr, rootSpec.CA)
if err != nil {
return fmt.Errorf("failed creating trustd client: %w", err)
}
Expand Down
4 changes: 2 additions & 2 deletions pkg/grpc/gen/remote.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,14 +33,14 @@ type RemoteGenerator struct {
}

// NewRemoteGenerator initializes a RemoteGenerator with a preconfigured grpc.ClientConn.
func NewRemoteGenerator(token string, endpoints []string) (g *RemoteGenerator, err error) {
func NewRemoteGenerator(token string, endpoints []string, ca *x509.PEMEncodedCertificateAndKey) (g *RemoteGenerator, err error) {
if len(endpoints) == 0 {
return nil, fmt.Errorf("at least one root of trust endpoint is required")
}

g = &RemoteGenerator{}

conn, err := basic.NewConnection(fmt.Sprintf("%s:///%s", trustdResolverScheme, strings.Join(endpoints, ",")), basic.NewTokenCredentials(token))
conn, err := basic.NewConnection(fmt.Sprintf("%s:///%s", trustdResolverScheme, strings.Join(endpoints, ",")), basic.NewTokenCredentials(token), ca)
if err != nil {
return nil, err
}
Expand Down
25 changes: 15 additions & 10 deletions pkg/grpc/middleware/auth/basic/basic.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,9 @@ package basic

import (
"crypto/tls"
stdx509 "crypto/x509"

"github.com/talos-systems/crypto/x509"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
Expand All @@ -20,17 +22,20 @@ type Credentials interface {

// NewConnection initializes a grpc.ClientConn configured for basic
// authentication.
func NewConnection(address string, creds credentials.PerRPCCredentials) (conn *grpc.ClientConn, err error) {
grpcOpts := []grpc.DialOption{}

grpcOpts = append(
grpcOpts,
grpc.WithTransportCredentials(
credentials.NewTLS(&tls.Config{
InsecureSkipVerify: true,
})),
func NewConnection(address string, creds credentials.PerRPCCredentials, ca *x509.PEMEncodedCertificateAndKey) (conn *grpc.ClientConn, err error) {
tlsConfig := &tls.Config{}

if ca == nil {
tlsConfig.InsecureSkipVerify = true
} else {
tlsConfig.RootCAs = stdx509.NewCertPool()
tlsConfig.RootCAs.AppendCertsFromPEM(ca.Crt)
}

grpcOpts := []grpc.DialOption{
grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
grpc.WithPerRPCCredentials(creds),
)
}

conn, err = grpc.Dial(address, grpcOpts...)
if err != nil {
Expand Down
1 change: 1 addition & 0 deletions pkg/machinery/config/types/v1alpha1/generate/worker.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ func workerUd(in *Input) (*v1alpha1.Config, error) {
KubeletImage: emptyIf(fmt.Sprintf("%s:v%s", constants.KubeletImage, in.KubernetesVersion), in.KubernetesVersion),
},
MachineNetwork: networkConfig,
MachineCA: &x509.PEMEncodedCertificateAndKey{Crt: in.Certs.OS.Crt},
MachineInstall: &v1alpha1.InstallConfig{
InstallDisk: in.InstallDisk,
InstallImage: in.InstallImage,
Expand Down

0 comments on commit e628f84

Please sign in to comment.