Merge pull request #13 from ibuildthecloud/master

Add TPM support

Author: ibuildthecloud

.drone.yml

@@ -83,46 +83,3 @@ volumes:
 - name: docker
   host:
     path: /var/run/docker.sock
-
----
-kind: pipeline
-name: arm
-
-platform:
-  os: linux
-  arch: arm
-
-steps:
-- name: build
-  image: rancher/dapper:v0.4.1
-  commands:
-  - dapper ci
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-
-- name: github_binary_release
-  image: plugins/github-release
-  settings:
-    api_key:
-      from_secret: github_token
-    prerelease: true
-    checksum:
-    - sha256
-    checksum_file: CHECKSUMsum-arm.txt
-    checksum_flatten: true
-    files:
-    - "dist/artifacts/*"
-  when:
-    instance:
-    - drone-publish.rancher.io
-    ref:
-    - refs/head/master
-    - refs/tags/*
-    event:
-    - tag
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock

Dockerfile.dapper

@@ -1,9 +1,9 @@
-FROM golang:1.16.2-alpine3.12
+FROM registry.suse.com/bci/golang:1.16
 
 ARG DAPPER_HOST_ARCH
 ENV ARCH $DAPPER_HOST_ARCH
 
-RUN apk -U add bash git gcc musl-dev docker vim less file curl wget ca-certificates
+RUN zypper in -y bash git gcc docker vim less file curl wget ca-certificates trousers-devel
 RUN go get golang.org/x/tools/cmd/goimports
 RUN if [ "${ARCH}" == "amd64" ]; then \
         curl -sL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s v1.40.1; \
@@ -13,8 +13,7 @@ ENV DAPPER_ENV REPO TAG DRONE_TAG CROSS
 ENV DAPPER_SOURCE /go/src/github.com/rancher/rancherd/
 ENV DAPPER_OUTPUT ./bin ./dist
 ENV DAPPER_DOCKER_SOCKET true
-ENV DAPPER_RUN_ARGS "-v rancherd:/go/pkg -v rancherd:/root/.cache/go-build"
-ENV HOME ${DAPPER_SOURCE}
+ENV DAPPER_RUN_ARGS "-v rancherd-go:/root/go -v rancherd-cache:/root/.cache"
 WORKDIR ${DAPPER_SOURCE}
 
 ENTRYPOINT ["./scripts/entry"]

cmd/rancherd/gettpmhash/gettpmhash.go

@@ -0,0 +1,28 @@
+package gettpmhash
+
+import (
+	"fmt"
+
+	"github.com/rancher/rancherd/pkg/tpm"
+	cli "github.com/rancher/wrangler-cli"
+	"github.com/spf13/cobra"
+)
+
+func NewGetTPMHash() *cobra.Command {
+	return cli.Command(&GetTPMHash{}, cobra.Command{
+		Use:   "get-tpm-hash",
+		Short: "Print TPM hash to identify this machine",
+	})
+}
+
+type GetTPMHash struct {
+}
+
+func (p *GetTPMHash) Run(cmd *cobra.Command, args []string) error {
+	str, err := tpm.GetPubHash()
+	if err != nil {
+		return err
+	}
+	fmt.Println(str)
+	return nil
+}

cmd/rancherd/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"github.com/rancher/rancherd/cmd/rancherd/bootstrap"
 	"github.com/rancher/rancherd/cmd/rancherd/gettoken"
+	"github.com/rancher/rancherd/cmd/rancherd/gettpmhash"
 	"github.com/rancher/rancherd/cmd/rancherd/info"
 	"github.com/rancher/rancherd/cmd/rancherd/probe"
 	"github.com/rancher/rancherd/cmd/rancherd/resetadmin"
@@ -31,6 +32,7 @@ func main() {
 		retry.NewRetry(),
 		upgrade.NewUpgrade(),
 		info.NewInfo(),
+		gettpmhash.NewGetTPMHash(),
 	)
 	cli.Main(root)
 }

go.mod

@@ -31,6 +31,9 @@ replace (
 )
 
 require (
+	github.com/google/certificate-transparency-go v1.1.2
+	github.com/google/go-attestation v0.3.2
+	github.com/gorilla/websocket v1.4.2
 	github.com/hashicorp/go-discover v0.0.0-20201029210230-738cb3105cd0
 	github.com/pkg/errors v0.9.1
 	github.com/rancher/rancher/pkg/apis v0.0.0-20210920193801-79027c456224
@@ -42,7 +45,7 @@ require (
 	github.com/spf13/cobra v1.1.3
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/api v0.21.3
 	k8s.io/apimachinery v0.21.3
 	k8s.io/client-go v12.0.0+incompatible

go.sum

@@ -14,6 +14,7 @@ import (
 	url2 "net/url"
 	"time"
 
+	"github.com/rancher/rancherd/pkg/tpm"
 	"github.com/rancher/wrangler/pkg/randomtoken"
 )
 
@@ -42,18 +43,33 @@ func get(server, token, path string, clusterToken bool) ([]byte, string, error)
 	}
 	u.Path = path
 
-	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+	var (
+		isTPM bool
+	)
+	if !clusterToken {
+		isTPM, token, err = tpm.ResolveToken(token)
+		if err != nil {
+			return nil, "", err
+		}
+	}
+
+	cacert, caChecksum, err := CACerts(server, token, clusterToken)
 	if err != nil {
 		return nil, "", err
 	}
-	if !clusterToken {
-		req.Header.Set("Authorization", "Bearer "+base64.StdEncoding.EncodeToString([]byte(token)))
+
+	if isTPM {
+		data, err := tpm.Get(cacert, u.String(), nil)
+		return data, caChecksum, err
 	}
 
-	cacert, caChecksum, err := CACerts(server, token, clusterToken)
+	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
 	if err != nil {
 		return nil, "", err
 	}
+	if !clusterToken {
+		req.Header.Set("Authorization", "Bearer "+base64.StdEncoding.EncodeToString([]byte(token)))
+	}
 
 	var resp *http.Response
 	if len(cacert) == 0 {
@@ -103,6 +119,13 @@ func CACerts(server, token string, clusterToken bool) ([]byte, string, error) {
 	if !clusterToken {
 		requestURL = fmt.Sprintf("https://%s/v1-rancheros/cacerts", url.Host)
 	}
+
+	if resp, err := http.Get(requestURL); err == nil {
+		_, _ = ioutil.ReadAll(resp.Body)
+		resp.Body.Close()
+		return nil, "", nil
+	}
+
 	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
 	if err != nil {
 		return nil, "", err
@@ -121,6 +144,10 @@ func CACerts(server, token string, clusterToken bool) ([]byte, string, error) {
 		return nil, "", err
 	}
 
+	if resp.StatusCode != http.StatusOK {
+		return nil, "", fmt.Errorf("response %d: %s getting cacerts: %s", resp.StatusCode, resp.Status, data)
+	}
+
 	if resp.Header.Get("X-Cattle-Hash") != hash(token, nonce, data) {
 		return nil, "", fmt.Errorf("response hash (%s) does not match (%s)",
 			resp.Header.Get("X-Cattle-Hash"),

pkg/cacerts/cacerts.go

@@ -3,8 +3,9 @@ package config
 import "strings"
 
 var (
-	RuntimeRKE2 Runtime = "rke2"
-	RuntimeK3S  Runtime = "k3s"
+	RuntimeRKE2    Runtime = "rke2"
+	RuntimeK3S     Runtime = "k3s"
+	RuntimeUnknown Runtime = "unknown"
 )
 
 type Runtime string

pkg/config/runtime.go

@@ -106,6 +106,9 @@ func discoverServerAndRole(ctx context.Context, cfg *config.Config) (string, boo
 }
 
 func (j *joinServer) addresses(params map[string]string, discovery *discover.Discover) ([]string, error) {
+	if params["provider"] == "mdns" {
+		params["v6"] = "false"
+	}
 	addrs, err := discovery.Addrs(discover.Config(params).String(), log.Default())
 	if err != nil {
 		return nil, err
@@ -146,15 +149,15 @@ func (j *joinServer) loop(ctx context.Context, count int, params map[string]stri
 		}
 		resp, err := insecureHTTPClient.Do(req)
 		if err != nil {
-			logrus.Errorf("failed to connect to %s: %v", url, err)
+			logrus.Infof("failed to connect to %s: %v", url, err)
 			allAgree = false
 			continue
 		}
 
 		data, err := ioutil.ReadAll(resp.Body)
 		resp.Body.Close()
 		if err != nil || resp.StatusCode != http.StatusOK {
-			logrus.Errorf("failed to read response from %s: code %d: %v", url, resp.StatusCode, err)
+			logrus.Infof("failed to read response from %s: code %d: %v", url, resp.StatusCode, err)
 			allAgree = false
 			continue
 		}
@@ -181,6 +184,11 @@ func (j *joinServer) loop(ctx context.Context, count int, params map[string]stri
 		}
 	}
 
+	if len(addrs) == 0 {
+		logrus.Infof("No available peers")
+		return "", false
+	}
+
 	if firstID != j.id {
 		logrus.Infof("Waiting for peer %s from %v to initialize", addrs[0], addrs)
 		return "", false
@@ -219,7 +227,7 @@ func newJoinServer(ctx context.Context, cacheDuration string, port int64) (*join
 	}
 
 	if cacheDuration == "" {
-		cacheDuration = "5m"
+		cacheDuration = "1m"
 	}
 
 	duration, err := time.ParseDuration(cacheDuration)

pkg/discovery/discovery.go

@@ -49,28 +49,19 @@ func toJoinPlan(cfg *config.Config, dataDir string) (*applyinator.Plan, error) {
 	}
 
 	plan := plan{}
-	k8sVersion, err := versions.K8sVersion(cfg.KubernetesVersion)
-	if err != nil {
-		return nil, err
-	}
-
 	if err := plan.addFile(join.ToScriptFile(cfg, dataDir)); err != nil {
 		return nil, err
 	}
-	if err := plan.addFile(runtime.ToFile(&cfg.RuntimeConfig, config.GetRuntime(k8sVersion), false)); err != nil {
-		return nil, err
-	}
 	if err := plan.addInstruction(join.ToInstruction(cfg, dataDir)); err != nil {
 		return nil, err
 	}
-	if err := plan.addInstruction(probe.ToInstruction(cfg.RuntimeInstallerImage, cfg.SystemDefaultRegistry, k8sVersion)); err != nil {
+	if err := plan.addInstruction(probe.ToInstruction()); err != nil {
 		return nil, err
 	}
-	if err := plan.addProbesForRoles(cfg); err != nil {
+	if err := plan.addProbesForJoin(cfg); err != nil {
 		return nil, err
 	}
 
-	plan.addPrePostInstructions(cfg, "")
 	return (*applyinator.Plan)(&plan), nil
 }
 
@@ -95,7 +86,7 @@ func (p *plan) addInstructions(cfg *config.Config, dataDir string) error {
 		return err
 	}
 
-	if err := p.addInstruction(probe.ToInstruction(cfg.RuntimeInstallerImage, cfg.SystemDefaultRegistry, k8sVersion)); err != nil {
+	if err := p.addInstruction(probe.ToInstruction()); err != nil {
 		return err
 	}
 
@@ -204,12 +195,8 @@ func (p *plan) addFile(file *applyinator.File, err error) error {
 	return nil
 }
 
-func (p *plan) addProbesForRoles(cfg *config.Config) error {
-	k8sVersion, err := versions.K8sVersion(cfg.KubernetesVersion)
-	if err != nil {
-		return err
-	}
-	p.Probes = probe.ProbesForRole(&cfg.RuntimeConfig, config.GetRuntime(k8sVersion))
+func (p *plan) addProbesForJoin(cfg *config.Config) error {
+	p.Probes = probe.ProbesForJoin(&cfg.RuntimeConfig)
 	return nil
 }
 

pkg/plan/bootstrap.go

@@ -61,13 +61,13 @@ func replaceRuntime(str string, runtime config.Runtime) string {
 	return fmt.Sprintf(str, runtime)
 }
 
-func ProbesForRole(config *config.RuntimeConfig, runtime config.Runtime) map[string]prober.Probe {
-	if roles.IsControlPlane(config.Role) {
-		return AllProbes(runtime)
+func ProbesForJoin(cfg *config.RuntimeConfig) map[string]prober.Probe {
+	if roles.IsControlPlane(cfg.Role) {
+		return AllProbes(config.RuntimeUnknown)
 	}
 	return replaceRuntimeForProbes(map[string]prober.Probe{
 		"kubelet": probes["kubelet"],
-	}, runtime)
+	}, config.RuntimeUnknown)
 }
 
 func AllProbes(runtime config.Runtime) map[string]prober.Probe {
@@ -77,6 +77,12 @@ func AllProbes(runtime config.Runtime) map[string]prober.Probe {
 func replaceRuntimeForProbes(probes map[string]prober.Probe, runtime config.Runtime) map[string]prober.Probe {
 	result := map[string]prober.Probe{}
 	for k, v := range probes {
+		// we don't know the runtime to find the file
+		if runtime == config.RuntimeUnknown && (v.HTTPGetAction.CACert+
+			v.HTTPGetAction.ClientCert+
+			v.HTTPGetAction.ClientKey) != "" {
+			continue
+		}
 		v.HTTPGetAction.CACert = replaceRuntime(v.HTTPGetAction.CACert, runtime)
 		v.HTTPGetAction.ClientCert = replaceRuntime(v.HTTPGetAction.ClientCert, runtime)
 		v.HTTPGetAction.ClientKey = replaceRuntime(v.HTTPGetAction.ClientKey, runtime)
@@ -85,7 +91,7 @@ func replaceRuntimeForProbes(probes map[string]prober.Probe, runtime config.Runt
 	return result
 }
 
-func ToInstruction(imageOverride string, systemDefaultRegistry string, k8sVersion string) (*applyinator.Instruction, error) {
+func ToInstruction() (*applyinator.Instruction, error) {
 	cmd, err := self.Self()
 	if err != nil {
 		return nil, fmt.Errorf("resolving location of %s: %w", os.Args[0], err)

pkg/probe/probe.go

@@ -16,12 +16,11 @@ var defaultValues = map[string]interface{}{
 	"ingress": map[string]interface{}{
 		"enabled": false,
 	},
-	"features":       "multi-cluster-management=false",
-	"antiAffinity":   "required",
-	"replicas":       -3,
-	"tls":            "external",
-	"hostPort":       8443,
-	"noDefaultAdmin": true,
+	"features":     "multi-cluster-management=false",
+	"antiAffinity": "required",
+	"replicas":     -3,
+	"tls":          "external",
+	"hostPort":     8443,
 }
 
 func GetRancherValues(dataDir string) string {