MGMT-18684: WIP: Cryptographically verify CSRs of joining nodes.

openshift · Sep 8, 2024 · eb9f37f · eb9f37f
1 parent 4635ddf
commit eb9f37f
Show file tree

Hide file tree

Showing 14 changed files with 933 additions and 27 deletions.
diff --git a/src/assisted_installer_controller/reboots_notifier.go b/src/assisted_installer_controller/reboots_notifier.go
@@ -8,8 +8,8 @@ import (
 	"time"
 
 	"github.com/go-openapi/strfmt"
-	"github.com/go-openapi/swag"
 	"github.com/openshift/assisted-installer/src/common"
+	"github.com/openshift/assisted-installer/src/convert"
 	"github.com/openshift/assisted-installer/src/inventory_client"
 	"github.com/openshift/assisted-installer/src/ops"
 	"github.com/openshift/assisted-installer/src/utils"
@@ -97,8 +97,8 @@ func (r *rebootsNotifier) run(ctx context.Context, nodeName string, hostId, infr
 		ClusterID:  clusterId,
 		Name:       eventName,
 		Category:   models.EventCategoryUser,
-		Severity:   swag.String(models.EventSeverityInfo),
-		Message:    swag.String(fmt.Sprintf(eventMessageTemplate, nodeName, numberOfReboots)),
+		Severity:   convert.String(models.EventSeverityInfo),
+		Message:    convert.String(fmt.Sprintf(eventMessageTemplate, nodeName, numberOfReboots)),
 	}
 
 	if err = r.ic.TriggerEvent(ctx, ev); err != nil {

diff --git a/src/assisted_installer_controller/reboots_notifier_test.go b/src/assisted_installer_controller/reboots_notifier_test.go
@@ -5,10 +5,10 @@ import (
 	"fmt"
 
 	"github.com/go-openapi/strfmt"
-	"github.com/go-openapi/swag"
 	"github.com/google/uuid"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+	"github.com/openshift/assisted-installer/src/convert"
 	"github.com/openshift/assisted-installer/src/inventory_client"
 	"github.com/openshift/assisted-installer/src/ops"
 	"github.com/openshift/assisted-service/models"
@@ -71,9 +71,9 @@ var _ = Describe("Reboots notifier", func() {
 				ClusterID:  &clusterId,
 				HostID:     &hostId,
 				InfraEnvID: &infraenvId,
-				Message:    swag.String(fmt.Sprintf(eventMessageTemplate, nodeName, 1)),
+				Message:    convert.String(fmt.Sprintf(eventMessageTemplate, nodeName, 1)),
 				Name:       eventName,
-				Severity:   swag.String(models.EventSeverityInfo),
+				Severity:   convert.String(models.EventSeverityInfo),
 			}).Return(nil)
 			notifier.Start(context.TODO(), nodeName, &hostId, &infraenvId, &clusterId)
 			notifier.Finalize()

diff --git a/src/common/common.go b/src/common/common.go
@@ -3,6 +3,10 @@ package common
 import (
 	"bytes"
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"os"
@@ -16,6 +20,8 @@ import (
 	"github.com/openshift/assisted-installer/src/utils"
 	"github.com/openshift/assisted-service/models"
 
+	cryptorand "crypto/rand"
+
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/thoas/go-funk"
@@ -35,6 +41,7 @@ const (
 	installConfigMapAttribute      = "invoker"
 	InvokerAssisted                = "assisted-service"
 	InvokerAgent                   = "agent-installer"
+	ECPrivateKeyPEMLabel           = "EC PRIVATE KEY"
 )
 
 func GetHostsInStatus(hosts map[string]inventory_client.HostData, status []string, isMatch bool) map[string]inventory_client.HostData {
@@ -306,3 +313,22 @@ func DownloadKubeconfigNoingress(ctx context.Context, dir string, ic inventory_c
 
 	return kubeconfigPath, nil
 }
+
+func MakeEllipticPrivatePublicKeyPems() ([]byte, []byte, error) {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	derBytes, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  ECPrivateKeyPEMLabel,
+		Bytes: derBytes,
+	}), publicKeyBytes, nil
+}