feat(*): automate signed certificates

generate/.conform.yaml

@@ -30,6 +30,7 @@ tasks:
       COPY --from=dianemo/kernel:{{ .Docker.Image.Tag }} /tmp/vmlinuz /rootfs/boot/vmlinuz
       COPY --from=dianemo/kernel:{{ .Docker.Image.Tag }} /tmp/lib/modules /rootfs/lib/modules
       COPY --from=dianemo/initramfs:{{ .Docker.Image.Tag }} /tmp/osd /rootfs/bin/osd
+      COPY --from=dianemo/initramfs:{{ .Docker.Image.Tag }} /tmp/rotd /rootfs/bin/rotd
       COPY --from=dianemo/initramfs:{{ .Docker.Image.Tag }} /tmp/initramfs.xz /rootfs/boot/initramfs.xz
       COPY --from=dianemo/initramfs:{{ .Docker.Image.Tag }} /tmp/init /rootfs/bin/init
       WORKDIR /rootfs

initramfs/.conform.yaml

@@ -7,28 +7,35 @@ pipeline:
 stages:
   build:
     artifacts:
-    - source: /tmp/osctl
-      destination: ../build/osctl
+    - source: /tmp/osctl-linux-amd64
+      destination: ../build/osctl-linux-amd64
+    - source: /tmp/osctl-darwin-amd64
+      destination: ../build/osctl-darwin-amd64
     tasks:
     - src
     - test
     - osd
+    - rotd
     - osctl
     - init
     - image
   generate:
     artifacts:
-    - source: /go/src/github.com/autonomy/dianemo/proto
+    - source: /go/src/github.com/autonomy/dianemo/initramfs/cmd/osd/proto
       destination: ./cmd/osd
+    - source: /go/src/github.com/autonomy/dianemo/initramfs/cmd/rotd/proto
+      destination: ./cmd/rotd
     tasks:
     - proto
 tasks:
   image:
     template: |
       FROM scratch
       WORKDIR /tmp
-      COPY --from=src /osctl osctl
+      COPY --from=src /osctl-linux-amd64 osctl-linux-amd64
+      COPY --from=src /osctl-darwin-amd64 osctl-darwin-amd64
       COPY --from=src /osd osd
+      COPY --from=src /rotd rotd
       COPY --from=src /initramfs/init init
       COPY --from=src /initramfs/initramfs.xz initramfs.xz
       CMD false
@@ -42,26 +49,36 @@ tasks:
   osctl:
     template: |
       WORKDIR $GOPATH/src/github.com/autonomy/dianemo/initramfs/cmd/{{ .Docker.CurrentStage }}
-      RUN GOOS=darwin go build -o /{{ .Docker.CurrentStage }}
-      RUN chmod +x /{{ .Docker.CurrentStage }}
+      RUN GOOS=linux GOARCH=amd64 go build -o /{{ .Docker.CurrentStage }}-linux-amd64
+      RUN chmod +x /{{ .Docker.CurrentStage }}-linux-amd64
+      RUN GOOS=darwin GOARCH=amd64 go build -o /{{ .Docker.CurrentStage }}-darwin-amd64
+      RUN chmod +x /{{ .Docker.CurrentStage }}-darwin-amd64
   osd:
     template: |
       WORKDIR $GOPATH/src/github.com/autonomy/dianemo/initramfs/cmd/{{ .Docker.CurrentStage }}
       RUN go build -o /{{ .Docker.CurrentStage }}
       RUN chmod +x /{{ .Docker.CurrentStage }}
+  rotd:
+    template: |
+      WORKDIR $GOPATH/src/github.com/autonomy/dianemo/initramfs/cmd/{{ .Docker.CurrentStage }}
+      RUN go build -o /{{ .Docker.CurrentStage }}
+      RUN chmod +x /{{ .Docker.CurrentStage }}
   proto:
     template: |
       FROM golang:1.10.0 AS {{ .Docker.CurrentStage }}
-      WORKDIR /go/src/github.com/autonomy/dianemo
       RUN apt-get update
       RUN apt-get -y install bsdtar
       RUN go get github.com/golang/protobuf/protoc-gen-go
       RUN curl -L https://github.com/google/protobuf/releases/download/v3.5.1/protoc-3.5.1-linux-x86_64.zip | bsdtar -xf -  -C /tmp \
           && mv /tmp/bin/protoc /bin \
           && mv /tmp/include/* /usr/local/include \
           && chmod +x /bin/protoc
+      WORKDIR $GOPATH/src/github.com/autonomy/dianemo/initramfs/cmd/osd
       COPY ./cmd/osd/proto ./proto
       RUN protoc -I/usr/local/include -I./proto --go_out=plugins=grpc:proto proto/api.proto
+      WORKDIR $GOPATH/src/github.com/autonomy/dianemo/initramfs/cmd/rotd
+      COPY ./cmd/rotd/proto ./proto
+      RUN protoc -I/usr/local/include -I./proto --go_out=plugins=grpc:proto proto/api.proto
   src:
     template: |
       FROM dianemo/tools:{{ .Docker.Image.Tag }} AS {{ .Docker.CurrentStage }}

initramfs/cmd/init/main.go

@@ -14,22 +14,17 @@ import (
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/rootfs"
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/service"
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/switchroot"
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 )
 
 var (
 	switchRoot *bool
 )
 
-func hang() {
-	if rec := recover(); rec != nil {
-		err, ok := rec.(error)
-		if ok {
-			log.Printf("%s\n", err.Error())
-		}
+func recovery() {
+	if r := recover(); r != nil {
+		log.Printf("recovered from: %v\n", r)
 	}
-	// Hang forever to avoid a kernel panic.
-	select {}
 }
 
 func init() {
@@ -44,23 +39,28 @@ func init() {
 
 func initram() (err error) {
 	// Read the block devices and populate the mount point definitions.
+	log.Println("initializing mount points")
 	if err = mount.Init(constants.NewRoot); err != nil {
 		return
 	}
 	// Download the user data.
+	log.Println("downloading the user data")
 	data, err := userdata.Download()
 	if err != nil {
 		return
 	}
 	// Prepare the necessary files in the rootfs.
+	log.Println("preparing the root filesystem")
 	if err = rootfs.Prepare(constants.NewRoot, data); err != nil {
 		return
 	}
 	// Unmount the ROOT and DATA block devices.
+	log.Println("unmounting the ROOT and DATA partitions")
 	if err = mount.Unmount(); err != nil {
 		return
 	}
 	// Perform the equivalent of switch_root.
+	log.Println("entering the new root")
 	if err = switchroot.Switch(constants.NewRoot); err != nil {
 		return
 	}
@@ -69,20 +69,26 @@ func initram() (err error) {
 }
 
 func root() (err error) {
-	// Download the user data.
-	data, err := userdata.Download()
+	// Read the user data.
+	log.Println("reading the user data")
+	data, err := userdata.Open(constants.UserDataPath)
 	if err != nil {
 		return
 	}
 
 	services := &service.Manager{
-		UserData: data,
+		UserData: *data,
 	}
 
-	// Start the OSD gRPC service.
+	// Start the services essential to managing the node.
+	log.Println("starting OS services")
 	services.Start(&service.OSD{})
+	if data.Kubernetes.Init {
+		services.Start(&service.ROTD{})
+	}
 
 	// Start the services essential to running Kubernetes.
+	log.Println("starting Kubernetes services")
 	switch data.Kubernetes.ContainerRuntime {
 	case constants.ContainerRuntimeDocker:
 		services.Start(&service.Docker{})
@@ -98,17 +104,19 @@ func root() (err error) {
 }
 
 func main() {
-	defer hang()
+	defer recovery()
 
 	if *switchRoot {
 		if err := root(); err != nil {
 			panic(err)
 		}
+		select {}
 	}
 
 	if err := initram(); err != nil {
 		panic(err)
 	}
 
+	// We should only reach this point if something within initram() fails.
 	select {}
 }

initramfs/cmd/init/pkg/etc/etc.go

@@ -7,7 +7,7 @@ import (
 	"path"
 	"text/template"
 
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 )
 
 const hostsTemplate = `

initramfs/cmd/init/pkg/mount/mount.go

@@ -4,7 +4,6 @@ package mount
 
 import (
 	"fmt"
-	"log"
 	"os"
 	"path"
 	"sync"
@@ -165,7 +164,6 @@ func mountSpecialDevices() (err error) {
 		if err = unix.Mount(mountpoint.source, mountpoint.target, mountpoint.fstype, mountpoint.flags, mountpoint.data); err != nil {
 			return fmt.Errorf("mount %s: %s", mountpoint.target, err.Error())
 		}
-		log.Printf("mounted %s", mountpoint.target)
 	}
 
 	return nil
@@ -199,8 +197,6 @@ func mountBlockDevices(s string) (err error) {
 			return fmt.Errorf("mount %s: %s", mountpoint.target, err.Error())
 		}
 
-		log.Printf("mounted %s", mountpoint.target)
-
 		instance.blockdevices[b.LABEL] = mountpoint
 	}
 

initramfs/cmd/init/pkg/rootfs/rootfs.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/constants"
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/etc"
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 	yaml "gopkg.in/yaml.v2"
 )
 

initramfs/cmd/init/pkg/service/crio.go

@@ -5,7 +5,7 @@ import (
 	"io/ioutil"
 
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/service/conditions"
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 )
 
 const crioConf = `

initramfs/cmd/init/pkg/service/docker.go

@@ -2,7 +2,7 @@ package service
 
 import (
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/service/conditions"
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 )
 
 // Docker implements the Service interface. It serves as the concrete type with

initramfs/cmd/init/pkg/service/kubeadm.go

@@ -1,15 +1,14 @@
 package service
 
 import (
-	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path"
 
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/constants"
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/service/conditions"
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 )
 
 // Kubeadm implements the Service interface. It serves as the concrete type with
@@ -78,26 +77,18 @@ func writeKubeadmManifest(data string) (err error) {
 	return nil
 }
 
-func writeKubeadmPKIFiles(data *userdata.CertificateAndKeyPaths) (err error) {
-	caCrtBytes, err := base64.StdEncoding.DecodeString(data.Crt)
-	if err != nil {
-		return err
-	}
+func writeKubeadmPKIFiles(data *userdata.PEMEncodedCertificateAndKey) (err error) {
 	if err = os.MkdirAll(path.Dir(constants.KubeadmCACert), 0600); err != nil {
 		return err
 	}
-	if err = ioutil.WriteFile(constants.KubeadmCACert, caCrtBytes, 0400); err != nil {
+	if err = ioutil.WriteFile(constants.KubeadmCACert, data.Crt, 0400); err != nil {
 		return fmt.Errorf("write %s: %s", constants.KubeadmCACert, err.Error())
 	}
 
-	caKeyBytes, err := base64.StdEncoding.DecodeString(data.Key)
-	if err != nil {
-		return err
-	}
 	if err = os.MkdirAll(path.Dir(constants.KubeadmCAKey), 0600); err != nil {
 		return err
 	}
-	if err = ioutil.WriteFile(constants.KubeadmCAKey, caKeyBytes, 0400); err != nil {
+	if err = ioutil.WriteFile(constants.KubeadmCAKey, data.Key, 0400); err != nil {
 		return fmt.Errorf("write %s: %s", constants.KubeadmCAKey, err.Error())
 	}
 

initramfs/cmd/init/pkg/service/kubelet.go

@@ -6,7 +6,7 @@ import (
 
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/constants"
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/service/conditions"
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 )
 
 // Kubelet implements the Service interface. It serves as the concrete type with

initramfs/cmd/init/pkg/service/osd.go

@@ -1,9 +1,10 @@
+// nolint: dupl,golint
 package service
 
 import (
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/constants"
 	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/service/conditions"
-	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/userdata"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
 )
 
 // OSD implements the Service interface. It serves as the concrete type with
@@ -23,6 +24,10 @@ func (p *OSD) Cmd(data userdata.UserData) (name string, args []string) {
 		"--userdata=" + constants.UserDataPath,
 	}
 
+	if data.OS.Security.RootsOfTrust.Generate {
+		args = append(args, "--generate=true")
+	}
+
 	return name, args
 }
 

initramfs/cmd/init/pkg/service/rotd.go

@@ -0,0 +1,39 @@
+// nolint: dupl,golint
+package service
+
+import (
+	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/constants"
+	"github.com/autonomy/dianemo/initramfs/cmd/init/pkg/service/conditions"
+	"github.com/autonomy/dianemo/initramfs/pkg/userdata"
+)
+
+// ROTD implements the Service interface. It serves as the concrete type with
+// the required methods.
+type ROTD struct{}
+
+// Pre implements the Service interface.
+func (p *ROTD) Pre(data userdata.UserData) error {
+	return nil
+}
+
+// Cmd implements the Service interface.
+func (p *ROTD) Cmd(data userdata.UserData) (name string, args []string) {
+	name = "/bin/rotd"
+	args = []string{
+		"--port=50001",
+		"--userdata=" + constants.UserDataPath,
+	}
+
+	return name, args
+}
+
+// Condition implements the Service interface.
+func (p *ROTD) Condition(data userdata.UserData) func() (bool, error) {
+	return conditions.None()
+}
+
+// Env implements the Service interface.
+func (p *ROTD) Env() []string { return []string{} }
+
+// Type implements the Service interface.
+func (p *ROTD) Type() Type { return Forever }