feat: use dynamic NodeAddresses/HostnameStatus in Kubernetes certs

This is a PR on a path towards removing `ApplyDynamicConfig`. This fixes Kubernetes API server certificate generation to use dynamic data to generate cert with proper SANs for IPs of the node. As part of that refactored a bit apid certificate generation (without any changes). Added two unit-tests for apid and Kubernetes certificate generation. Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
siderolabs · Sep 1, 2021 · 0b34757 · 0b34757
1 parent bd5b9c9
commit 0b34757
Show file tree

Hide file tree

Showing 12 changed files with 675 additions and 82 deletions.
diff --git a/cmd/talosctl/cmd/mgmt/cluster/create.go b/cmd/talosctl/cmd/mgmt/cluster/create.go
@@ -414,7 +414,9 @@ func create(ctx context.Context) (err error) {
 			fallthrough
 		case forceEndpoint != "":
 			endpointList = []string{forceEndpoint}
+			// using non-default endpoints, provision additional cert SANs and fix endpoint list
 			provisionOptions = append(provisionOptions, provision.WithEndpoint(forceEndpoint))
+			genOptions = append(genOptions, generate.WithAdditionalSubjectAltNames(endpointList))
 		case forceInitNodeAsEndpoint:
 			endpointList = []string{ips[0][0].String()}
 		default:

diff --git a/internal/app/machined/pkg/controllers/secrets/altnames.go b/internal/app/machined/pkg/controllers/secrets/altnames.go
@@ -0,0 +1,62 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package secrets
+
+import "net"
+
+// AltNames defines certificate alternative names.
+type AltNames struct {
+	IPs      []net.IP
+	DNSNames []string
+}
+
+// Append list of SANs splitting into IPs/DNS names.
+func (altNames *AltNames) Append(sans ...string) {
+	for _, san := range sans {
+		if ip := net.ParseIP(san); ip != nil {
+			altNames.AppendIPs(ip)
+		} else {
+			altNames.AppendDNSNames(san)
+		}
+	}
+}
+
+// AppendIPs skipping duplicates.
+func (altNames *AltNames) AppendIPs(ips ...net.IP) {
+	for _, ip := range ips {
+		found := false
+
+		for _, addr := range altNames.IPs {
+			if addr.Equal(ip) {
+				found = true
+
+				break
+			}
+		}
+
+		if !found {
+			altNames.IPs = append(altNames.IPs, ip)
+		}
+	}
+}
+
+// AppendDNSNames skipping duplicates.
+func (altNames *AltNames) AppendDNSNames(dnsNames ...string) {
+	for _, dnsName := range dnsNames {
+		found := false
+
+		for _, name := range altNames.DNSNames {
+			if name == dnsName {
+				found = true
+
+				break
+			}
+		}
+
+		if !found {
+			altNames.DNSNames = append(altNames.DNSNames, dnsName)
+		}
+	}
+}
diff --git a/internal/app/machined/pkg/controllers/secrets/api.go b/internal/app/machined/pkg/controllers/secrets/api.go
@@ -6,8 +6,8 @@ package secrets
 
 import (
 	"context"
+	stdlibx509 "crypto/x509"
 	"fmt"
-	"net"
 	"time"
 
 	"github.com/AlekSi/pointer"
@@ -277,49 +277,42 @@ func (ctrl *APIController) reconcile(ctx context.Context, r controller.Runtime,
 			}
 		}
 
-		ips := make([]net.IP, 0, len(rootSpec.CertSANIPs)+len(nodeAddresses.Addresses))
+		var altNames AltNames
 
-		for _, ip := range rootSpec.CertSANIPs {
-			ips = append(ips, ip.IPAddr().IP)
+		for _, ip := range append(rootSpec.CertSANIPs, nodeAddresses.Addresses...) {
+			altNames.AppendIPs(ip.IPAddr().IP)
 		}
 
-		for _, ip := range nodeAddresses.Addresses {
-			ips = append(ips, ip.IPAddr().IP)
-		}
-
-		dnsNames := make([]string, 0, len(rootSpec.CertSANDNSNames)+2)
-
-		dnsNames = append(dnsNames, rootSpec.CertSANDNSNames...)
-		dnsNames = append(dnsNames, hostnameStatus.Hostname)
-
-		if hostnameStatus.FQDN() != hostnameStatus.Hostname {
-			dnsNames = append(dnsNames, hostnameStatus.FQDN())
-		}
+		altNames.AppendDNSNames(rootSpec.CertSANDNSNames...)
+		altNames.AppendDNSNames(hostnameStatus.Hostname, hostnameStatus.FQDN())
 
 		if isControlplane {
-			if err := ctrl.generateControlPlane(ctx, r, logger, rootSpec, ips, dnsNames, hostnameStatus.FQDN()); err != nil {
+			if err := ctrl.generateControlPlane(ctx, r, logger, rootSpec, altNames, hostnameStatus.FQDN()); err != nil {
 				return err
 			}
 		} else {
-			if err := ctrl.generateJoin(ctx, r, logger, rootSpec, endpointsStr, ips, dnsNames, hostnameStatus.FQDN()); err != nil {
+			if err := ctrl.generateJoin(ctx, r, logger, rootSpec, endpointsStr, altNames, hostnameStatus.FQDN()); err != nil {
 				return err
 			}
 		}
 	}
 }
 
-func (ctrl *APIController) generateControlPlane(ctx context.Context, r controller.Runtime, logger *zap.Logger, rootSpec *secrets.RootOSSpec, ips []net.IP, dnsNames []string, fqdn string) error {
-	// TODO: add keyusage
+func (ctrl *APIController) generateControlPlane(ctx context.Context, r controller.Runtime, logger *zap.Logger, rootSpec *secrets.RootOSSpec, altNames AltNames, fqdn string) error {
 	ca, err := x509.NewCertificateAuthorityFromCertificateAndKey(rootSpec.CA)
 	if err != nil {
 		return fmt.Errorf("failed to parse CA certificate: %w", err)
 	}
 
 	serverCert, err := x509.NewKeyPair(ca,
-		x509.IPAddresses(ips),
-		x509.DNSNames(dnsNames),
+		x509.IPAddresses(altNames.IPs),
+		x509.DNSNames(altNames.DNSNames),
 		x509.CommonName(fqdn),
 		x509.NotAfter(time.Now().Add(x509.DefaultCertificateValidityDuration)),
+		x509.KeyUsage(stdlibx509.KeyUsageDigitalSignature|stdlibx509.KeyUsageKeyEncipherment),
+		x509.ExtKeyUsage([]stdlibx509.ExtKeyUsage{
+			stdlibx509.ExtKeyUsageServerAuth,
+		}),
 	)
 	if err != nil {
 		return fmt.Errorf("failed to generate API server cert: %w", err)
@@ -329,6 +322,10 @@ func (ctrl *APIController) generateControlPlane(ctx context.Context, r controlle
 		x509.CommonName(fqdn),
 		x509.Organization(string(role.Impersonator)),
 		x509.NotAfter(time.Now().Add(x509.DefaultCertificateValidityDuration)),
+		x509.KeyUsage(stdlibx509.KeyUsageDigitalSignature|stdlibx509.KeyUsageKeyEncipherment),
+		x509.ExtKeyUsage([]stdlibx509.ExtKeyUsage{
+			stdlibx509.ExtKeyUsageClientAuth,
+		}),
 	)
 	if err != nil {
 		return fmt.Errorf("failed to generate API client cert: %w", err)
@@ -361,7 +358,7 @@ func (ctrl *APIController) generateControlPlane(ctx context.Context, r controlle
 }
 
 func (ctrl *APIController) generateJoin(ctx context.Context, r controller.Runtime, logger *zap.Logger,
-	rootSpec *secrets.RootOSSpec, endpointsStr []string, ips []net.IP, dnsNames []string, fqdn string) error {
+	rootSpec *secrets.RootOSSpec, endpointsStr []string, altNames AltNames, fqdn string) error {
 	remoteGen, err := gen.NewRemoteGenerator(rootSpec.Token, endpointsStr)
 	if err != nil {
 		return fmt.Errorf("failed creating trustd client: %w", err)
@@ -370,8 +367,8 @@ func (ctrl *APIController) generateJoin(ctx context.Context, r controller.Runtim
 	defer remoteGen.Close() //nolint:errcheck
 
 	serverCSR, serverCert, err := x509.NewEd25519CSRAndIdentity(
-		x509.IPAddresses(ips),
-		x509.DNSNames(dnsNames),
+		x509.IPAddresses(altNames.IPs),
+		x509.DNSNames(altNames.DNSNames),
 		x509.CommonName(fqdn),
 	)
 	if err != nil {
@@ -393,6 +390,7 @@ func (ctrl *APIController) generateJoin(ctx context.Context, r controller.Runtim
 		return fmt.Errorf("failed to generate API client CSR: %w", err)
 	}
 
+	// TODO: add keyusage: trustd should accept key usage as additional params
 	_, clientCert.Crt, err = remoteGen.IdentityContext(ctx, clientCSR)
 	if err != nil {
 		return fmt.Errorf("failed to sign API client CSR: %w", err)

diff --git a/internal/app/machined/pkg/controllers/secrets/api_test.go b/internal/app/machined/pkg/controllers/secrets/api_test.go
@@ -0,0 +1,164 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+//nolint:dupl
+package secrets_test
+
+import (
+	"context"
+	stdlibx509 "crypto/x509"
+	"log"
+	"net"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/cosi-project/runtime/pkg/controller/runtime"
+	"github.com/cosi-project/runtime/pkg/resource"
+	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/cosi-project/runtime/pkg/state/impl/inmem"
+	"github.com/cosi-project/runtime/pkg/state/impl/namespaced"
+	"github.com/stretchr/testify/suite"
+	"github.com/talos-systems/crypto/x509"
+	"github.com/talos-systems/go-retry/retry"
+	"inet.af/netaddr"
+
+	secretsctrl "github.com/talos-systems/talos/internal/app/machined/pkg/controllers/secrets"
+	"github.com/talos-systems/talos/pkg/logging"
+	"github.com/talos-systems/talos/pkg/machinery/config/types/v1alpha1/machine"
+	"github.com/talos-systems/talos/pkg/machinery/role"
+	"github.com/talos-systems/talos/pkg/resources/config"
+	"github.com/talos-systems/talos/pkg/resources/k8s"
+	"github.com/talos-systems/talos/pkg/resources/network"
+	"github.com/talos-systems/talos/pkg/resources/secrets"
+)
+
+type APISuite struct {
+	suite.Suite
+
+	state state.State
+
+	runtime *runtime.Runtime
+	wg      sync.WaitGroup
+
+	ctx       context.Context
+	ctxCancel context.CancelFunc
+}
+
+func (suite *APISuite) SetupTest() {
+	suite.ctx, suite.ctxCancel = context.WithTimeout(context.Background(), 3*time.Minute)
+
+	suite.state = state.WrapCore(namespaced.NewState(inmem.Build))
+
+	var err error
+
+	suite.runtime, err = runtime.NewRuntime(suite.state, logging.Wrap(log.Writer()))
+	suite.Require().NoError(err)
+
+	suite.Require().NoError(suite.runtime.RegisterController(&secretsctrl.APIController{}))
+
+	suite.startRuntime()
+}
+
+func (suite *APISuite) startRuntime() {
+	suite.wg.Add(1)
+
+	go func() {
+		defer suite.wg.Done()
+
+		suite.Assert().NoError(suite.runtime.Run(suite.ctx))
+	}()
+}
+
+func (suite *APISuite) TestReconcileControlPlane() {
+	rootSecrets := secrets.NewRoot(secrets.RootOSID)
+
+	talosCA, err := x509.NewSelfSignedCertificateAuthority(
+		x509.Organization("talos"),
+	)
+	suite.Require().NoError(err)
+
+	rootSecrets.OSSpec().CA = &x509.PEMEncodedCertificateAndKey{
+		Crt: talosCA.CrtPEM,
+		Key: talosCA.KeyPEM,
+	}
+	rootSecrets.OSSpec().CertSANDNSNames = []string{"example.com"}
+	rootSecrets.OSSpec().CertSANIPs = []netaddr.IP{netaddr.MustParseIP("10.4.3.2"), netaddr.MustParseIP("10.2.1.3")}
+	rootSecrets.OSSpec().Token = "something"
+	suite.Require().NoError(suite.state.Create(suite.ctx, rootSecrets))
+
+	machineType := config.NewMachineType()
+	machineType.SetMachineType(machine.TypeControlPlane)
+	suite.Require().NoError(suite.state.Create(suite.ctx, machineType))
+
+	networkStatus := network.NewStatus(network.NamespaceName, network.StatusID)
+	networkStatus.TypedSpec().AddressReady = true
+	networkStatus.TypedSpec().HostnameReady = true
+	suite.Require().NoError(suite.state.Create(suite.ctx, networkStatus))
+
+	hostnameStatus := network.NewHostnameStatus(network.NamespaceName, network.HostnameID)
+	hostnameStatus.TypedSpec().Hostname = "foo"
+	hostnameStatus.TypedSpec().Domainname = "example.com"
+	suite.Require().NoError(suite.state.Create(suite.ctx, hostnameStatus))
+
+	nodeAddresses := network.NewNodeAddress(network.NamespaceName, network.FilteredNodeAddressID(network.NodeAddressAccumulativeID, k8s.NodeAddressFilterNoK8s))
+	nodeAddresses.TypedSpec().Addresses = []netaddr.IP{netaddr.MustParseIP("10.2.1.3"), netaddr.MustParseIP("172.16.0.1")}
+	suite.Require().NoError(suite.state.Create(suite.ctx, nodeAddresses))
+
+	suite.Assert().NoError(retry.Constant(10*time.Second, retry.WithUnits(100*time.Millisecond)).Retry(
+		func() error {
+			certs, err := suite.state.Get(suite.ctx, resource.NewMetadata(secrets.NamespaceName, secrets.APIType, secrets.APIID, resource.VersionUndefined))
+			if err != nil {
+				if state.IsNotFoundError(err) {
+					return retry.ExpectedError(err)
+				}
+
+				return err
+			}
+
+			apiCerts := certs.(*secrets.API).TypedSpec()
+
+			suite.Assert().Equal(talosCA.CrtPEM, apiCerts.CA.Crt)
+			suite.Assert().Nil(apiCerts.CA.Key)
+
+			serverCert, err := apiCerts.Server.GetCert()
+			suite.Require().NoError(err)
+
+			suite.Assert().Equal([]string{"example.com", "foo", "foo.example.com"}, serverCert.DNSNames)
+			suite.Assert().Equal([]net.IP{net.ParseIP("10.4.3.2").To4(), net.ParseIP("10.2.1.3").To4(), net.ParseIP("172.16.0.1").To4()}, serverCert.IPAddresses)
+
+			suite.Assert().Equal("foo.example.com", serverCert.Subject.CommonName)
+			suite.Assert().Empty(serverCert.Subject.Organization)
+
+			suite.Assert().Equal(stdlibx509.KeyUsageDigitalSignature|stdlibx509.KeyUsageKeyEncipherment, serverCert.KeyUsage)
+			suite.Assert().Equal([]stdlibx509.ExtKeyUsage{stdlibx509.ExtKeyUsageServerAuth}, serverCert.ExtKeyUsage)
+
+			clientCert, err := apiCerts.Client.GetCert()
+			suite.Require().NoError(err)
+
+			suite.Assert().Empty(clientCert.DNSNames)
+			suite.Assert().Empty(clientCert.IPAddresses)
+
+			suite.Assert().Equal("foo.example.com", clientCert.Subject.CommonName)
+			suite.Assert().Equal([]string{string(role.Impersonator)}, clientCert.Subject.Organization)
+
+			suite.Assert().Equal(stdlibx509.KeyUsageDigitalSignature|stdlibx509.KeyUsageKeyEncipherment, clientCert.KeyUsage)
+			suite.Assert().Equal([]stdlibx509.ExtKeyUsage{stdlibx509.ExtKeyUsageClientAuth}, clientCert.ExtKeyUsage)
+
+			return nil
+		},
+	))
+}
+
+func (suite *APISuite) TearDownTest() {
+	suite.T().Log("tear down")
+
+	suite.ctxCancel()
+
+	suite.wg.Wait()
+}
+
+func TestAPISuite(t *testing.T) {
+	suite.Run(t, new(APISuite))
+}