isle/entrypoint/src/bootstrap/garage_global_bucket.go

package bootstrap

import (
	"bytes"
	"context"
	"cryptic-net/garage"
	"cryptic-net/nebula"
	"fmt"
	"os"
	"path/filepath"

	"github.com/minio/minio-go/v7"
	"gopkg.in/yaml.v3"
)

// Paths within garage's global bucket
const (
	garageGlobalBucketBootstrapHostsDirPath = "bootstrap/hosts"
)

// PutGarageBoostrapHost places the <hostname>.yml.signed file for this host
// into garage so that other hosts are able to see relevant configuration for
// it.
func (b Bootstrap) PutGarageBoostrapHost(ctx context.Context) error {

	host := b.ThisHost()
	client := b.GlobalBucketS3APIClient()

	hostB, err := yaml.Marshal(host)
	if err != nil {
		return fmt.Errorf("yaml encoding host data: %w", err)
	}

	buf := new(bytes.Buffer)

	err = nebula.SignAndWrap(buf, b.Nebula.HostCredentials.HostKeyPEM, hostB)
	if err != nil {
		return fmt.Errorf("signing encoded host data: %w", err)
	}

	filePath := filepath.Join(
		garageGlobalBucketBootstrapHostsDirPath,
		host.Name+".yml.signed",
	)

	_, err = client.PutObject(
		ctx, garage.GlobalBucket, filePath, buf, int64(buf.Len()),
		minio.PutObjectOptions{},
	)

	if err != nil {
		return fmt.Errorf("writing to %q in global bucket: %w", filePath, err)
	}

	return nil
}

// RemoveGarageBootstrapHost removes the <hostname>.yml.signed for the given
// host from garage.
//
// The given client should be for the global bucket.
func RemoveGarageBootstrapHost(
	ctx context.Context, client garage.S3APIClient, hostName string,
) error {

	filePath := filepath.Join(
		garageGlobalBucketBootstrapHostsDirPath,
		hostName+".yml.signed",
	)

	return client.RemoveObject(
		ctx, garage.GlobalBucket, filePath,
		minio.RemoveObjectOptions{},
	)
}

// GetGarageBootstrapHosts loads the <hostname>.yml.signed file for all hosts
// stored in garage.
func (b Bootstrap) GetGarageBootstrapHosts(
	ctx context.Context,
) (
	map[string]Host, error,
) {

	caCertPEM := b.Nebula.HostCredentials.CACertPEM
	client := b.GlobalBucketS3APIClient()

	hosts := map[string]Host{}

	objInfoCh := client.ListObjects(
		ctx, garage.GlobalBucket,
		minio.ListObjectsOptions{
			Prefix:    garageGlobalBucketBootstrapHostsDirPath,
			Recursive: true,
		},
	)

	for objInfo := range objInfoCh {

		if objInfo.Err != nil {
			return nil, fmt.Errorf("listing objects: %w", objInfo.Err)
		}

		obj, err := client.GetObject(
			ctx, garage.GlobalBucket, objInfo.Key, minio.GetObjectOptions{},
		)

		if err != nil {
			return nil, fmt.Errorf("retrieving object %q: %w", objInfo.Key, err)
		}

		hostB, sig, err := nebula.Unwrap(obj)
		obj.Close()

		if err != nil {
			return nil, fmt.Errorf("unwrapping signature from %q: %w", objInfo.Key, err)
		}

		var host Host
		if err = yaml.Unmarshal(hostB, &host); err != nil {
			return nil, fmt.Errorf("yaml decoding object %q: %w", objInfo.Key, err)
		}

		hostCertPEM := host.Nebula.CertPEM

		if err := nebula.ValidateSignature(hostCertPEM, hostB, sig); err != nil {
			fmt.Fprintf(os.Stderr, "invalid host data for %q: %v\n", objInfo.Key, err)
			continue
		}

		if err := nebula.ValidateHostCertPEM(caCertPEM, hostCertPEM); err != nil {
			fmt.Fprintf(os.Stderr, "invalid nebula cert for %q: %v\n", objInfo.Key, err)
			continue
		}

		hosts[host.Name] = host
	}

	return hosts, nil
}
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`package bootstrap`

			`import (`
			`"bytes"`
			`"context"`
			`"cryptic-net/garage"`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`"cryptic-net/nebula"`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`"fmt"`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`"os"`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`"path/filepath"`

			`"github.com/minio/minio-go/v7"`
			`"gopkg.in/yaml.v3"`
			`)`

			`// Paths within garage's global bucket`
			`const (`
			`garageGlobalBucketBootstrapHostsDirPath = "bootstrap/hosts"`
			`)`

Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`// PutGarageBoostrapHost places the <hostname>.yml.signed file for this host`
			`// into garage so that other hosts are able to see relevant configuration for`
			`// it.`
			`func (b Bootstrap) PutGarageBoostrapHost(ctx context.Context) error {`

			`host := b.ThisHost()`
			`client := b.GlobalBucketS3APIClient()`

			`hostB, err := yaml.Marshal(host)`
			`if err != nil {`
			`return fmt.Errorf("yaml encoding host data: %w", err)`
			`}`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00
			`buf := new(bytes.Buffer)`

Use yaml instead of tgz for bootstrap file 2022-11-02 13:34:40 +00:00			`err = nebula.SignAndWrap(buf, b.Nebula.HostCredentials.HostKeyPEM, hostB)`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`if err != nil {`
			`return fmt.Errorf("signing encoded host data: %w", err)`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`}`

Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`filePath := filepath.Join(`
			`garageGlobalBucketBootstrapHostsDirPath,`
			`host.Name+".yml.signed",`
			`)`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`_, err = client.PutObject(`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`ctx, garage.GlobalBucket, filePath, buf, int64(buf.Len()),`
			`minio.PutObjectOptions{},`
			`)`

			`if err != nil {`
			`return fmt.Errorf("writing to %q in global bucket: %w", filePath, err)`
			`}`

			`return nil`
			`}`

Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`// RemoveGarageBootstrapHost removes the <hostname>.yml.signed for the given`
			`// host from garage.`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`//`
			`// The given client should be for the global bucket.`
			`func RemoveGarageBootstrapHost(`
			`ctx context.Context, client garage.S3APIClient, hostName string,`
			`) error {`

Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`filePath := filepath.Join(`
			`garageGlobalBucketBootstrapHostsDirPath,`
			`hostName+".yml.signed",`
			`)`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00
			`return client.RemoveObject(`
			`ctx, garage.GlobalBucket, filePath,`
			`minio.RemoveObjectOptions{},`
			`)`
			`}`

Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`// GetGarageBootstrapHosts loads the <hostname>.yml.signed file for all hosts`
			`// stored in garage.`
			`func (b Bootstrap) GetGarageBootstrapHosts(`
			`ctx context.Context,`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`) (`
			`map[string]Host, error,`
			`) {`

Use yaml instead of tgz for bootstrap file 2022-11-02 13:34:40 +00:00			`caCertPEM := b.Nebula.HostCredentials.CACertPEM`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`client := b.GlobalBucketS3APIClient()`

More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`hosts := map[string]Host{}`

			`objInfoCh := client.ListObjects(`
			`ctx, garage.GlobalBucket,`
			`minio.ListObjectsOptions{`
			`Prefix: garageGlobalBucketBootstrapHostsDirPath,`
			`Recursive: true,`
			`},`
			`)`

			`for objInfo := range objInfoCh {`

			`if objInfo.Err != nil {`
			`return nil, fmt.Errorf("listing objects: %w", objInfo.Err)`
			`}`

			`obj, err := client.GetObject(`
			`ctx, garage.GlobalBucket, objInfo.Key, minio.GetObjectOptions{},`
			`)`

			`if err != nil {`
			`return nil, fmt.Errorf("retrieving object %q: %w", objInfo.Key, err)`
			`}`

Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`hostB, sig, err := nebula.Unwrap(obj)`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`obj.Close()`

			`if err != nil {`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`return nil, fmt.Errorf("unwrapping signature from %q: %w", objInfo.Key, err)`
			`}`

			`var host Host`
			`if err = yaml.Unmarshal(hostB, &host); err != nil {`
More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`return nil, fmt.Errorf("yaml decoding object %q: %w", objInfo.Key, err)`
			`}`

Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`hostCertPEM := host.Nebula.CertPEM`

			`if err := nebula.ValidateSignature(hostCertPEM, hostB, sig); err != nil {`
Use yaml instead of tgz for bootstrap file 2022-11-02 13:34:40 +00:00			`fmt.Fprintf(os.Stderr, "invalid host data for %q: %v\n", objInfo.Key, err)`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`continue`
			`}`

			`if err := nebula.ValidateHostCertPEM(caCertPEM, hostCertPEM); err != nil {`
Use yaml instead of tgz for bootstrap file 2022-11-02 13:34:40 +00:00			`fmt.Fprintf(os.Stderr, "invalid nebula cert for %q: %v\n", objInfo.Key, err)`
Store full nebula cert for each host in garage, rather than just the IP This allows each host to verify the cert against the CA cert. We also now have each host sign the yaml file that it posts to garage, to ensure that a host can't arbitrarily overwrite another host's file. 2022-10-29 19:11:40 +00:00			`continue`
			`}`

More big refactoring leading up to network creation The `bootstrap/creator` package is gone, almost as quickly as it arrived. The `Bootstrap` type is now able to write its own tgz file, and the two places where bootstrap files are being created pull the data down to do so and create the `Bootstrap` structs directly. The structure of the bootstrap file itself has been changed, now there's just a single `hosts` directory which contains files which are yaml encodings of the `Host` type, rather than having it be split into `nebula` and `garage` directories. This makes creating bootstrap files a lot easier. 2022-10-15 16:41:07 +00:00			`hosts[host.Name] = host`
			`}`

			`return hosts, nil`
			`}`