Merge pull request kubernetes#16141 from justinsb/pki_bootstrap

Support bootstrapping nodes using Public Key authentication
borg-land · Dec 1, 2023 · d5818e8 · d5818e8
2 parents ec9dbe4 + 36d57eb
commit d5818e8
Show file tree

Hide file tree

Showing 35 changed files with 1,993 additions and 6 deletions.
diff --git a/cmd/kops-controller/main.go b/cmd/kops-controller/main.go
@@ -32,7 +32,9 @@ import (
 	"k8s.io/kops/cmd/kops-controller/controllers"
 	"k8s.io/kops/cmd/kops-controller/pkg/config"
 	"k8s.io/kops/cmd/kops-controller/pkg/server"
+	"k8s.io/kops/pkg/apis/kops/v1alpha2"
 	"k8s.io/kops/pkg/bootstrap"
+	"k8s.io/kops/pkg/bootstrap/pkibootstrap"
 	"k8s.io/kops/pkg/nodeidentity"
 	nodeidentityaws "k8s.io/kops/pkg/nodeidentity/aws"
 	nodeidentityazure "k8s.io/kops/pkg/nodeidentity/azure"
@@ -58,7 +60,6 @@ import (
 )
 
 var (
-	scheme   = runtime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
 )
 
@@ -100,14 +101,16 @@ func main() {
 
 	ctrl.SetLogger(klogr.New())
 
-	if err := buildScheme(); err != nil {
+	scheme, err := buildScheme()
+	if err != nil {
 		setupLog.Error(err, "error building scheme")
 		os.Exit(1)
 	}
 
 	kubeConfig := ctrl.GetConfigOrDie()
 	kubeConfig.Burst = 200
 	kubeConfig.QPS = 100
+
 	mgr, err := ctrl.NewManager(kubeConfig, ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
@@ -183,6 +186,15 @@ func main() {
 			verifiers = append(verifiers, verifier)
 		}
 
+		if opt.Server.PKI != nil {
+			verifier, err := pkibootstrap.NewVerifier(opt.Server.PKI, mgr.GetClient())
+			if err != nil {
+				setupLog.Error(err, "unable to create verifier")
+				os.Exit(1)
+			}
+			verifiers = append(verifiers, verifier)
+		}
+
 		if len(verifiers) == 0 {
 			klog.Fatalf("server verifiers not provided")
 		}
@@ -233,15 +245,19 @@ func main() {
 	}
 }
 
-func buildScheme() error {
+func buildScheme() (*runtime.Scheme, error) {
+	scheme := runtime.NewScheme()
 	if err := corev1.AddToScheme(scheme); err != nil {
-		return fmt.Errorf("error registering corev1: %v", err)
+		return nil, fmt.Errorf("error registering corev1: %v", err)
+	}
+	if err := v1alpha2.AddToScheme(scheme); err != nil {
+		return nil, fmt.Errorf("error registering kops/v1alpha2 API: %v", err)
 	}
 	// Needed so that the leader-election system can post events
 	if err := coordinationv1.AddToScheme(scheme); err != nil {
-		return fmt.Errorf("error registering coordinationv1: %v", err)
+		return nil, fmt.Errorf("error registering coordinationv1: %v", err)
 	}
-	return nil
+	return scheme, nil
 }
 
 func addNodeController(mgr manager.Manager, vfsContext *vfs.VFSContext, opt *config.Options) error {

diff --git a/cmd/kops-controller/pkg/config/options.go b/cmd/kops-controller/pkg/config/options.go
@@ -17,6 +17,7 @@ limitations under the License.
 package config
 
 import (
+	"k8s.io/kops/pkg/bootstrap/pkibootstrap"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
 	"k8s.io/kops/upup/pkg/fi/cloudup/azure"
 	"k8s.io/kops/upup/pkg/fi/cloudup/do"
@@ -51,6 +52,9 @@ type ServerOptions struct {
 	// Provider is the cloud provider.
 	Provider ServerProviderOptions `json:"provider"`
 
+	// PKI configures private/public key node authentication.
+	PKI *pkibootstrap.Options `json:"pki,omitempty"`
+
 	// ServerKeyPath is the path to our TLS serving private key.
 	ServerKeyPath string `json:"serverKeyPath,omitempty"`
 	// ServerCertificatePath is the path to our TLS serving certificate.

diff --git a/k8s/crds/kops.k8s.io_hosts.yaml b/k8s/crds/kops.k8s.io_hosts.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
+  name: hosts.kops.k8s.io
+spec:
+  group: kops.k8s.io
+  names:
+    kind: Host
+    listKind: HostList
+    plural: hosts
+    singular: host
+  scope: Namespaced
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: Host represents a bare-metal machine that could be registered
+          as a Node.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              instanceGroup:
+                type: string
+              publicKey:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
diff --git a/nodeup/pkg/model/bootstrap_client.go b/nodeup/pkg/model/bootstrap_client.go
@@ -24,6 +24,7 @@ import (
 
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/bootstrap"
+	"k8s.io/kops/pkg/bootstrap/pkibootstrap"
 	"k8s.io/kops/pkg/kopscontrollerclient"
 	"k8s.io/kops/pkg/resolver"
 	"k8s.io/kops/pkg/wellknownports"
@@ -101,6 +102,13 @@ func (b BootstrapClientBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 		}
 		authenticator = a
 
+	case "metal":
+		a, err := pkibootstrap.NewAuthenticatorFromFile("/etc/kubernetes/kops/pki/machine/private.pem")
+		if err != nil {
+			return err
+		}
+		authenticator = a
+
 	default:
 		return fmt.Errorf("unsupported cloud provider for authenticator %q", b.CloudProvider())
 	}

diff --git a/pkg/apis/kops/v1alpha2/host.go b/pkg/apis/kops/v1alpha2/host.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Host represents a bare-metal machine that could be registered as a Node.
+type Host struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec HostSpec `json:"spec,omitempty"`
+}
+
+type HostSpec struct {
+	PublicKey     string `json:"publicKey,omitempty"`
+	InstanceGroup string `json:"instanceGroup,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type HostList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []Host `json:"items"`
+}
diff --git a/pkg/apis/kops/v1alpha2/register.go b/pkg/apis/kops/v1alpha2/register.go
@@ -61,6 +61,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&KeysetList{},
 		&SSHCredential{},
 		&SSHCredentialList{},
+		&Host{},
+		&HostList{},
 	)
 
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
diff --git a/pkg/apis/kops/v1alpha3/host.go b/pkg/apis/kops/v1alpha3/host.go
@@ -0,0 +1,46 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// Host represents a bare-metal machine that could be registered as a Node.
+type Host struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec HostSpec `json:"spec,omitempty"`
+}
+
+type HostSpec struct {
+	PublicKey     string `json:"publicKey,omitempty"`
+	InstanceGroup string `json:"instanceGroup,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type HostList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	Items []Host `json:"items"`
+}
diff --git a/pkg/apis/kops/v1alpha3/register.go b/pkg/apis/kops/v1alpha3/register.go
@@ -61,6 +61,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&KeysetList{},
 		&SSHCredential{},
 		&SSHCredentialList{},
+		&Host{},
+		&HostList{},
 	)
 
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)