forked from openshift/installer
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Generate an
ignition-auth
key and provide it to the MCS
This is an optional hardening for access to Ignition; the installer generates a random key (separately for master/worker pool) and installs it into the `openshift-machine-config-operator` namespace. If the MCS finds an `ignition-auth` secret with the `master/worker` keys, it will use it: openshift/machine-config-operator#736 This PR just generates those secrets, so we can land it before the MCO PR as well.
- Loading branch information
Showing
9 changed files
with
132 additions
and
10 deletions.
There are no files selected for viewing
9 changes: 9 additions & 0 deletions
9
data/data/manifests/bootkube/openshift-config-secret-ignition-auth.yaml.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
type: Opaque | ||
metadata: | ||
namespace: openshift-machine-config-operator | ||
name: ignition-auth | ||
data: | ||
master: {{.IgnitionAuthMasterBase64}} | ||
worker: {{.IgnitionAuthWorkerBase64}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
package installconfig | ||
|
||
import ( | ||
utilrand "k8s.io/apimachinery/pkg/util/rand" | ||
|
||
"github.com/openshift/installer/pkg/asset" | ||
) | ||
|
||
// IgnitionAuth gates access to the Machine Config Server | ||
type IgnitionAuth struct { | ||
Master string | ||
Worker string | ||
} | ||
|
||
var _ asset.Asset = (*IgnitionAuth)(nil) | ||
|
||
// Dependencies returns nothing. | ||
func (a *IgnitionAuth) Dependencies() []asset.Asset { | ||
return []asset.Asset{} | ||
} | ||
|
||
// Generate generates a new IgnitionAuth | ||
func (a *IgnitionAuth) Generate(dep asset.Parents) error { | ||
a.Master = utilrand.String(64) | ||
a.Worker = utilrand.String(64) | ||
return nil | ||
} | ||
|
||
// Name returns the human-friendly name of the asset. | ||
func (a *IgnitionAuth) Name() string { | ||
return "Ignition Auth" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
package bootkube | ||
|
||
import ( | ||
"os" | ||
"path/filepath" | ||
|
||
"github.com/openshift/installer/pkg/asset" | ||
"github.com/openshift/installer/pkg/asset/templates/content" | ||
) | ||
|
||
const ( | ||
openshiftConfigSecretIgnitionAuthFileName = "openshift-config-secret-ignition-auth.yaml.template" | ||
) | ||
|
||
var _ asset.WritableAsset = (*OpenshiftConfigSecretIgnitionAuth)(nil) | ||
|
||
// OpenshiftConfigSecretIgnitionAuth is the constant to represent contents of openshift-config-secret-ignition-auth.yaml.template file. | ||
type OpenshiftConfigSecretIgnitionAuth struct { | ||
FileList []*asset.File | ||
} | ||
|
||
// Dependencies returns all of the dependencies directly needed by the asset | ||
func (t *OpenshiftConfigSecretIgnitionAuth) Dependencies() []asset.Asset { | ||
return []asset.Asset{} | ||
} | ||
|
||
// Name returns the human-friendly name of the asset. | ||
func (t *OpenshiftConfigSecretIgnitionAuth) Name() string { | ||
return "OpenshiftConfigSecretIgnitionAuth" | ||
} | ||
|
||
// Generate generates the actual files by this asset | ||
func (t *OpenshiftConfigSecretIgnitionAuth) Generate(parents asset.Parents) error { | ||
fileName := openshiftConfigSecretIgnitionAuthFileName | ||
data, err := content.GetBootkubeTemplate(fileName) | ||
if err != nil { | ||
return err | ||
} | ||
t.FileList = []*asset.File{ | ||
{ | ||
Filename: filepath.Join(content.TemplateDir, fileName), | ||
Data: []byte(data), | ||
}, | ||
} | ||
return nil | ||
} | ||
|
||
// Files returns the files generated by the asset. | ||
func (t *OpenshiftConfigSecretIgnitionAuth) Files() []*asset.File { | ||
return t.FileList | ||
} | ||
|
||
// Load returns the asset from disk. | ||
func (t *OpenshiftConfigSecretIgnitionAuth) Load(f asset.FileFetcher) (bool, error) { | ||
file, err := f.FetchByName(filepath.Join(content.TemplateDir, openshiftConfigSecretIgnitionAuthFileName)) | ||
if err != nil { | ||
if os.IsNotExist(err) { | ||
return false, nil | ||
} | ||
return false, err | ||
} | ||
t.FileList = []*asset.File{file} | ||
return true, nil | ||
} |