micropelago/isle
3
0
Fork 0
Code Issues 1 Pull Requests Projects Releases 5 Activity
c3609252a5
isle/go/cmd/entrypoint/admin.go

399 lines
10 KiB
Go
Raw Normal View History

Factor out nebula-entrypoint As part of this all "wait" constraints have been migrated to pure-go implementations, taking advantage of pmux's `StartAfterFunc` argument. nebula-entrypoint was the final main process besides the entrypoint itself, allowing us to get rid of cryptic-net-main.
2022-10-20 19:59:46 +00:00
package main
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
import (
Enable the garage admin interface
2022-10-16 19:22:58 +00:00
"crypto/rand"
"encoding/hex"
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
"errors"
"fmt"
Perform all in-code renames which don't affect actual functionality
2023-08-05 21:53:17 +00:00
"isle/admin"
"isle/bootstrap"
"isle/daemon"
"isle/garage"
"isle/nebula"
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
"net"
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
"os"
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
"strings"
Switch to using latest mediocre-go-lib
2024-06-22 15:49:56 +00:00
"dev.mediocregopher.com/mediocre-go-lib.git/mlog"
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
)
Enable the garage admin interface
2022-10-16 19:22:58 +00:00
func randStr(l int) string {
b := make([]byte, l)
if _, err := rand.Read(b); err != nil {
panic(err)
}
return hex.EncodeToString(b)
}
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
func readAdmin(path string) (admin.Admin, error) {
if path == "-" {
adm, err := admin.FromReader(os.Stdin)
if err != nil {
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
return admin.Admin{}, fmt.Errorf("parsing admin.json from stdin: %w", err)
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
}
return adm, nil
}
f, err := os.Open(path)
if err != nil {
return admin.Admin{}, fmt.Errorf("opening file: %w", err)
}
defer f.Close()
return admin.FromReader(f)
}
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
var subCmdAdminCreateNetwork = subCmd{
name: "create-network",
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
descr: "Creates a new isle network, outputting the resulting admin.json to stdout",
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
do: func(subCmdCtx subCmdCtx) error {
flags := subCmdCtx.flagSet(false)
Move daemon.yml types and functionality out of entrypoint and Env
2022-10-26 21:21:31 +00:00
daemonConfigPath := flags.StringP(
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
"config-path", "c", "",
"Optional path to a daemon.yml file to load configuration from.",
)
dumpConfig := flags.Bool(
"dump-config", false,
"Write the default configuration file to stdout and exit.",
)
Add Name field to admin.CreationParams
2022-11-05 11:34:49 +00:00
name := flags.StringP(
"name", "n", "",
"Human-readable name to identify the network as.",
)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
domain := flags.StringP(
"domain", "d", "",
"Domain name that should be used as the root domain in the network.",
)
Various fixes to bugs in `admin create-network`
2022-11-03 13:54:46 +00:00
ipNetStr := flags.StringP(
"ip-net", "i", "",
`IP+prefix (e.g. "10.10.0.1/16") which denotes the IP of this host, which will be the first host in the network, and the range of IPs which other hosts in the network can be assigned`,
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
)
hostName := flags.StringP(
Add Name field to admin.CreationParams
2022-11-05 11:34:49 +00:00
"hostname", "h", "",
Various fixes to bugs in `admin create-network`
2022-11-03 13:54:46 +00:00
"Name of this host, which will be the first host in the network",
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
)
Improve logging, introduce log levels I switched to using mlog for logging, as opposed to writing directly to Stderr. This gives us control over log levels, as well as coordination so that we don't have multiple go-routines writing to stderr at the same time.
2022-11-13 15:45:42 +00:00
logLevelStr := flags.StringP(
"log-level", "l", "info",
`Maximum log level which should be output. Values can be "debug", "info", "warn", "error", "fatal". Does not apply to sub-processes`,
)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
if err := flags.Parse(subCmdCtx.args); err != nil {
return fmt.Errorf("parsing flags: %w", err)
}
Improve logging, introduce log levels I switched to using mlog for logging, as opposed to writing directly to Stderr. This gives us control over log levels, as well as coordination so that we don't have multiple go-routines writing to stderr at the same time.
2022-11-13 15:45:42 +00:00
ctx := subCmdCtx.ctx
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
if *dumpConfig {
Factor out crypticnet.Env completely
2022-10-26 22:37:03 +00:00
return daemon.CopyDefaultConfig(os.Stdout, envAppDirPath)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Add Name field to admin.CreationParams
2022-11-05 11:34:49 +00:00
if *name == "" || *domain == "" || *ipNetStr == "" || *hostName == "" {
return errors.New("--name, --domain, --ip-net, and --hostname are required")
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Improve logging, introduce log levels I switched to using mlog for logging, as opposed to writing directly to Stderr. This gives us control over log levels, as well as coordination so that we don't have multiple go-routines writing to stderr at the same time.
2022-11-13 15:45:42 +00:00
logLevel := mlog.LevelFromString(*logLevelStr)
if logLevel == nil {
return fmt.Errorf("couldn't parse log level %q", *logLevelStr)
}
logger := subCmdCtx.logger.WithMaxLevel(logLevel.Int())
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
*domain = strings.TrimRight(strings.TrimLeft(*domain, "."), ".")
Various fixes to bugs in `admin create-network`
2022-11-03 13:54:46 +00:00
ip, subnet, err := net.ParseCIDR(*ipNetStr)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
if err != nil {
Various fixes to bugs in `admin create-network`
2022-11-03 13:54:46 +00:00
return fmt.Errorf("parsing %q as a CIDR: %w", *ipNetStr, err)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
if err := validateHostName(*hostName); err != nil {
return fmt.Errorf("invalid hostname %q: %w", *hostName, err)
}
Improve logging, introduce log levels I switched to using mlog for logging, as opposed to writing directly to Stderr. This gives us control over log levels, as well as coordination so that we don't have multiple go-routines writing to stderr at the same time.
2022-11-13 15:45:42 +00:00
runtimeDirCleanup, err := setupAndLockRuntimeDir(ctx, logger)
Move proc locking into entrypoint This completely cleans up all logic that used to be in crypticnet.
2022-10-26 22:45:40 +00:00
if err != nil {
return fmt.Errorf("setting up runtime directory: %w", err)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Move proc locking into entrypoint This completely cleans up all logic that used to be in crypticnet.
2022-10-26 22:45:40 +00:00
defer runtimeDirCleanup()
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
Factor out crypticnet.Env completely
2022-10-26 22:37:03 +00:00
daemonConfig, err := daemon.LoadConfig(envAppDirPath, *daemonConfigPath)
Move daemon.yml types and functionality out of entrypoint and Env
2022-10-26 21:21:31 +00:00
if err != nil {
return fmt.Errorf("loading daemon config: %w", err)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Move daemon.yml types and functionality out of entrypoint and Env
2022-10-26 21:21:31 +00:00
if len(daemonConfig.Storage.Allocations) < 3 {
return fmt.Errorf("daemon config with at least 3 allocations was not provided")
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
nebulaCACreds, err := nebula.NewCACredentials(*domain, subnet)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
if err != nil {
return fmt.Errorf("creating nebula CA cert: %w", err)
}
Move proc locking into entrypoint This completely cleans up all logic that used to be in crypticnet.
2022-10-26 22:45:40 +00:00
adminCreationParams := admin.CreationParams{
ID: randStr(32),
Add Name field to admin.CreationParams
2022-11-05 11:34:49 +00:00
Name: *name,
Move proc locking into entrypoint This completely cleans up all logic that used to be in crypticnet.
2022-10-26 22:45:40 +00:00
Domain: *domain,
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
garageBootstrap := bootstrap.Garage{
Upgrade garage to v1.0.0 This required switching all garage admin API calls to the new v1 versions, and redoing how the global bucket key is created so it is created via the "create key" API call.
2024-06-11 12:54:26 +00:00
RPCSecret: randStr(32),
AdminToken: randStr(32),
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
hostBootstrap, err := bootstrap.New(
nebulaCACreds,
adminCreationParams,
garageBootstrap,
*hostName,
ip,
)
if err != nil {
return fmt.Errorf("initializing bootstrap data: %w", err)
}
Use yaml instead of tgz for bootstrap file
2022-11-02 13:34:40 +00:00
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
if hostBootstrap, err = coalesceDaemonConfigAndBootstrap(hostBootstrap, daemonConfig); err != nil {
Move daemon.yml types and functionality out of entrypoint and Env
2022-10-26 21:21:31 +00:00
return fmt.Errorf("merging daemon config into bootstrap data: %w", err)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
daemonInst, err := daemon.New(
ctx,
logger.WithNamespace("daemon"),
daemonConfig,
hostBootstrap,
envRuntimeDirPath,
envBinDirPath,
Move some Bootstrap methods onto Daemon
2024-06-17 20:15:28 +00:00
envStateDirPath,
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
&daemon.Opts{
// SkipHostBootstrapPush is required, because the global bucket
// hasn't actually been initialized yet, so there's nowhere to
// push to.
SkipHostBootstrapPush: true,
// NOTE both stdout and stderr are sent to stderr, so that the
// user can pipe the resulting admin.json to stdout.
Stdout: os.Stderr,
},
)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
if err != nil {
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
return fmt.Errorf("initializing daemon: %w", err)
Factor out nebula-entrypoint As part of this all "wait" constraints have been migrated to pure-go implementations, taking advantage of pmux's `StartAfterFunc` argument. nebula-entrypoint was the final main process besides the entrypoint itself, allowing us to get rid of cryptic-net-main.
2022-10-20 19:59:46 +00:00
}
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
logger.Info(ctx, "initializing garage shared global bucket")
garageGlobalBucketCreds, err := garageInitializeGlobalBucket(
ctx, logger, hostBootstrap, daemonConfig,
)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
if cErr := (garage.AdminClientError{}); errors.As(err, &cErr) && cErr.StatusCode == 409 {
return fmt.Errorf("shared global bucket has already been created, are the storage allocations from a previously initialized isle being used?")
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
} else if err != nil {
return fmt.Errorf("initializing garage shared global bucket: %w", err)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Move daemon sub-process logic into daemon package
2024-06-17 18:51:02 +00:00
if err := daemonInst.Shutdown(ctx); err != nil {
return fmt.Errorf("shutting down daemon: %w (this can mean there are zombie children leftover)", err)
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
Upgrade garage to v1.0.0 This required switching all garage admin API calls to the new v1 versions, and redoing how the global bucket key is created so it is created via the "create key" API call.
2024-06-11 12:54:26 +00:00
hostBootstrap.Garage.GlobalBucketS3APICredentials = garageGlobalBucketCreds
// rewrite the bootstrap now that the global bucket creds have been
// added to it.
Move some Bootstrap methods onto Daemon
2024-06-17 20:15:28 +00:00
if err := writeBootstrapToStateDir(hostBootstrap); err != nil {
Upgrade garage to v1.0.0 This required switching all garage admin API calls to the new v1 versions, and redoing how the global bucket key is created so it is created via the "create key" API call.
2024-06-11 12:54:26 +00:00
return fmt.Errorf("writing bootstrap file: %w", err)
}
Small fixes to get admin create-network working
2022-10-25 19:15:09 +00:00
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
logger.Info(ctx, "cluster initialized successfully, writing admin.json to stdout")
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
Use yaml to encode admin file, not tgz
2022-11-02 13:02:21 +00:00
adm := admin.Admin{
CreationParams: adminCreationParams,
}
adm.Nebula.CACredentials = nebulaCACreds
Use yaml instead of tgz for bootstrap file
2022-11-02 13:34:40 +00:00
adm.Garage.RPCSecret = hostBootstrap.Garage.RPCSecret
adm.Garage.GlobalBucketS3APICredentials = hostBootstrap.Garage.GlobalBucketS3APICredentials
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
Use yaml to encode admin file, not tgz
2022-11-02 13:02:21 +00:00
if err := adm.WriteTo(os.Stdout); err != nil {
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
return fmt.Errorf("writing admin.json to stdout")
Implement `admin create-network` command This required a lot of re-implementation of how garage gets interacted with, including updating cluster layout using the admin API and initialization of the global bucket key.
2022-10-16 20:17:26 +00:00
}
return nil
},
}
Rename to make-bootstrap to create-bootstrap
2022-11-05 15:41:14 +00:00
var subCmdAdminCreateBootstrap = subCmd{
name: "create-bootstrap",
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
descr: "Creates a new bootstrap.json file for a particular host and writes it to stdout",
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
checkLock: false,
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
do: func(subCmdCtx subCmdCtx) error {
flags := subCmdCtx.flagSet(false)
Add Name field to admin.CreationParams
2022-11-05 11:34:49 +00:00
hostName := flags.StringP(
"hostname", "h", "",
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
"Name of the host to generate bootstrap.json for",
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
)
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
ipStr := flags.StringP(
"ip", "i", "",
"IP of the new host",
)
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
adminPath := flags.StringP(
"admin-path", "a", "",
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
`Path to admin.json file. If the given path is "-" then stdin is used.`,
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
)
if err := flags.Parse(subCmdCtx.args); err != nil {
return fmt.Errorf("parsing flags: %w", err)
}
Add Name field to admin.CreationParams
2022-11-05 11:34:49 +00:00
if *hostName == "" || *ipStr == "" || *adminPath == "" {
return errors.New("--hostname, --ip, and --admin-path are required")
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
}
Add Name field to admin.CreationParams
2022-11-05 11:34:49 +00:00
if err := validateHostName(*hostName); err != nil {
return fmt.Errorf("invalid hostname %q: %w", *hostName, err)
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file.
2022-10-29 19:11:40 +00:00
}
ip := net.ParseIP(*ipStr)
if ip == nil {
return fmt.Errorf("invalid ip %q", *ipStr)
Remove Bootstrap from Env
2022-10-26 22:23:39 +00:00
}
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
adm, err := readAdmin(*adminPath)
if err != nil {
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
return fmt.Errorf("reading admin.json with --admin-path of %q: %w", *adminPath, err)
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
garageBootstrap := bootstrap.Garage{
RPCSecret: adm.Garage.RPCSecret,
AdminToken: randStr(32),
GlobalBucketS3APICredentials: adm.Garage.GlobalBucketS3APICredentials,
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
newHostBootstrap, err := bootstrap.New(
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
adm.Nebula.CACredentials,
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
adm.CreationParams,
garageBootstrap,
*hostName,
ip,
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
)
if err != nil {
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
return fmt.Errorf("initializing bootstrap data: %w", err)
Refactor how nebula certs are signed and propagated I had previously made the mistake of thinking that the Curve25519 key which is generated for each host to use in nebula communication could also be used for signing. This is not the case, Ed25519 is used for signing and is different thant Curve25519. Rather than figuring out how to convert the Curve25519 key into an Ed25519 key, which there is no apparent support for in the standard library, I opted to instead ship a separate key just for signing with each host. Doing this required a bit of refactoring in order to keep all the different keys straight and ensure all data which needs a signature still has it.
2022-11-05 14:23:29 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
hostBootstrap, err := loadHostBootstrap()
if err != nil {
return fmt.Errorf("loading host bootstrap: %w", err)
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
}
Refactor how host data is signed, now it's simpler and probably more secure
2024-06-10 20:31:29 +00:00
newHostBootstrap.Hosts = hostBootstrap.Hosts
Use yaml instead of tgz for bootstrap file
2022-11-02 13:34:40 +00:00
Remove Bootstrap from Env
2022-10-26 22:23:39 +00:00
return newHostBootstrap.WriteTo(os.Stdout)
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
},
}
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
var subCmdAdminCreateNebulaCert = subCmd{
name: "create-nebula-cert",
descr: "Creates a signed nebula certificate file and writes it to stdout",
checkLock: false,
do: func(subCmdCtx subCmdCtx) error {
flags := subCmdCtx.flagSet(false)
hostName := flags.StringP(
"hostname", "h", "",
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
"Name of the host to generate bootstrap.json for",
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
)
ipStr := flags.StringP(
"ip", "i", "",
"IP of the new host",
)
adminPath := flags.StringP(
"admin-path", "a", "",
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
`Path to admin.json file. If the given path is "-" then stdin is used.`,
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
)
pubKeyPath := flags.StringP(
"public-key-path", "p", "",
`Path to PEM file containing public key which will be embedded in the cert.`,
)
if err := flags.Parse(subCmdCtx.args); err != nil {
return fmt.Errorf("parsing flags: %w", err)
}
if *hostName == "" || *ipStr == "" || *adminPath == "" || *pubKeyPath == "" {
return errors.New("--hostname, --ip, --admin-path, and --pub-key-path are required")
}
if err := validateHostName(*hostName); err != nil {
return fmt.Errorf("invalid hostname %q: %w", *hostName, err)
}
ip := net.ParseIP(*ipStr)
if ip == nil {
return fmt.Errorf("invalid ip %q", *ipStr)
}
adm, err := readAdmin(*adminPath)
if err != nil {
Use JSON instead of YAML for files which aren't intended for human editing
2024-06-10 16:56:36 +00:00
return fmt.Errorf("reading admin.json with --admin-path of %q: %w", *adminPath, err)
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
}
hostPubPEM, err := os.ReadFile(*pubKeyPath)
if err != nil {
return fmt.Errorf("reading public key from %q: %w", *pubKeyPath, err)
}
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
var hostPub nebula.EncryptingPublicKey
if err := hostPub.UnmarshalNebulaPEM(hostPubPEM); err != nil {
return fmt.Errorf("unmarshaling public key as PEM: %w", err)
}
nebulaHostCert, err := nebula.NewHostCert(
adm.Nebula.CACredentials, hostPub, *hostName, ip,
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
)
if err != nil {
return fmt.Errorf("creating cert: %w", err)
}
Implement RPC socket and use it to list hosts
2024-06-23 12:37:10 +00:00
nebulaHostCertPEM, err := nebulaHostCert.Unwrap().MarshalToPEM()
Refactor how signing/encryption keys are typed and (un)marshaled
2024-06-15 21:02:24 +00:00
if err != nil {
return fmt.Errorf("marshaling cert to PEM: %w", err)
}
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
if _, err := os.Stdout.Write([]byte(nebulaHostCertPEM)); err != nil {
return fmt.Errorf("writing to stdout: %w", err)
}
return nil
},
}
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
var subCmdAdmin = subCmd{
name: "admin",
descr: "Sub-commands which only admins can run",
do: func(subCmdCtx subCmdCtx) error {
return subCmdCtx.doSubCmd(
Small fixes to get admin create-network working
2022-10-25 19:15:09 +00:00
subCmdAdminCreateNetwork,
Rename to make-bootstrap to create-bootstrap
2022-11-05 15:41:14 +00:00
subCmdAdminCreateBootstrap,
Add ability to sign nebula public keys, and show nebula network info The new commands are: - `isle admin create-nebula-cert` - `isle nebula show` Between these two commands it's possible, with some effort, to get a nebula mobile client hooked up to an isle server.
2023-08-27 14:09:03 +00:00
subCmdAdminCreateNebulaCert,
Re-arrange sub-commands in entrypoint somewhat
2022-10-16 15:18:50 +00:00
)
},
}
Reference in New Issue Copy Permalink