* Update system-upgrade-controller API
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
* Update Fleet API
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
* Sanitize dependencies
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
---------
Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>
- Added full registration config and statefile path parameters on elemental-register
- Remove support for multiple configuration files
- Added (hardcoded) timer to skip registration updates for 24 hours
- Store emulated TPM seed for future registration updates
- Exit with error code in case of failures (systemd will manage restarts)
- Use virtual filesystem where possible
Add MachineRegistration Elemental Registration Auth to allow
selection of the authentication method.
Add MachineInventory MachineHash key for authentication types different than
TPM (which has its own TPMHash key).
make generate
make build-manifests
* register client: aggregate args to the Register function
Since we basically pass almost all the Registration struct parameters
one by one, let's pass a reference to the structure directly.
* register client: introduce authClient interface
The register client code is tightly coupled with TPM attestation.
While this is not a problem right now as we just support authentication
through TPM, it may be good to better separate TPM attestation from the
registration process itself for two reasons:
- better code readability
- support of alternative authentication methods
Note that on the operator side (register "server") the code is already
structured to allow alternative authentication methods.
This commit introduces an interface with the required authentication
methods: the TPM-related code is now completely isolated in the interface
implementation.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator/registration: switch to Kubebuilder client
Fixes #239
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator/registration: adapt tests to Kubebuilder client
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* unit-tests: vendor controller-runtime fake client
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: add yaml annotations for correct marshalling
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator/RBAC: add "get" verb to ServiceAccount resources
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* operator: generate rbac
make generate-manifests
make build-rbac
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* Add elementalcli package
Create a separate package to deal with elemental-cli installation.
This brings the elemental-cli functions declared in the config package
to a new package that just parses a map[string]interface argument.
This is a step to enable usage of the elemental-cli functions with the
new elementalv1.Config.Elemental.Install type.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: switch to Kubebuilder api
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: add mapstructure annotations for correct marshalling
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: reduce complexity of the run function
Make linter happy:
"cyclomatic complexity 16 of func `run` is high (> 15) (gocyclo)"
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* register: drop io/ioutil in favor of os package
io/ioutil is deprecated
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Till now, the attestation and communication with the elemental operator
were all delegated to the github.com/rancher-sandbox/go-tpm package.
Split TPM attestation from the communication with the elemental operator,
delegating TPM authentication to the external library while taking full
control of the communication with the operator.
This doesn't introduce functional changes (so it will keep backward compatibility
with the current elemental operator) and is a preparatory step to address
rancher/elemental-operator#5
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
Till now the TPM package was in charge of upgrading the HTTP connection
and managing the websocket one.
Move the connection management to the server package to split connection
management from TPM authentication.
This will allow us later to pass the smbios data and the labels through
the channel instead of abusing HTTP headers.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
If the websocket upgrade header is missing, the client is likely a plain
HTTP one, so let's immediately return the unauthenticated reply.
Add a couple of debug logs to simplify debugging when needed.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
This generates several X-Cattle-Smbios-NUMER headers when sending the
data to the operator in order to limit the max size of each individual
header to 7Kb. By default nginx is configured with a max of 8Kb header
and will return a 400 error if the headers exceed that size.
As we currently use a GET+Websocket to go through the challenge/response
of TPM, this is the easiest implementation to work around the issue.
Signed-off-by: Itxaka <igarcia@suse.com>
Signed-off-by: Itxaka <igarcia@suse.com>
When we pass a CACert we enforce the certificate we get from the Register.URL
to be signed by the passed CACert: let's also keep the system CAs in the pool
of allowed CAs in order to also accept imported certificates signed by publicly
trusted CAs.
Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
* Some register fixes
- Add debug flag for debug logging
- Add docs to command
- Add docs to flags
- Pass the cacert via a file, NOT via string
- Rename var config so it doesn't clash with imported package name
Signed-off-by: Itxaka <igarcia@suse.com>
Remove all the mentions to rancheros-operator in tests, imports and
dependencies.
Restore e2e scripts and test targets on makefile
Fix all lint issues
Signed-off-by: Itxaka <igarcia@suse.com>
- Drops everything not needed for ros-operator
- New simple Dockerfile
- New jobs based on ros-operator only
- Remove unneeded tests
- Remove dependency on os2 images for integration tests
- Use gorelease to release ros-operator binaries
- Use docker to push ci images to ros-operator-ci registry on PR
- Use docker to push master/tag images to ros-operator registry
- Build chart independently
- Have a null test CI job for future integration tests
Signed-off-by: Itxaka <igarcia@suse.com>