fix: properly support the PXE and ISO machines in the secure tokens flow #974
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The unique token flow was reworked to support machines running from PXE and ISO. As they do not support META persistence, Omni doesn't enforce secure tokens for them. But to distinguish machines and make the UUID conflict resolution to work, Omni now calculates the node fingerprints out of the mac addresses of all physical interfaces on the node. So now each unique token consists of two parts: - fingerprint. - a random string. Omni detects Talos installation on the machine in the following way: - check if the pending machine status exists and it detected the system disk. - overwrite the previous check if the existing link was labeled with the Talos being installed. - lastly if the `MachineStatus` exists, overwrite all checks with the installed label from it (ensures bare-metal provider workflow which goes to installed to not installed and PXE booted). Then when a machine joins Omni with some token, Omni checks if the random part is equal. If it is equal, the machine is immediately accepted. If the random part is different and the fingerprint matches: - if Talos is installed - reject the machine and log the warning in the logs. - if Talos is not installed - replace the existing link with the new one (only if the request has a valid join token). Then if nothing matches, the UUID conflict resolution kicks in. Provisioner creates a `PendingMachine` which is marked with UUID conflict label and `PendingMachineStatus` controller generates a random UUID for the node. Signed-off-by: Artem Chernyshev <[email protected]>
Unix4ever
force-pushed
the
secure-tokens-pxe-iso
branch
from
ca8362a to
f77cd97
Compare
Unix4ever
commented
Feb 28, 2025
| hasValidNodeUniqueToken bool | ||
| nodeUniqueTokensEnabled bool | ||
| forceValidNodeUniqueToken bool | ||
| supportsSecureJoinTokens bool | ||
| } | ||
|
|
||
| // isAuthorized returns true if the request has valid creds for at least one of the auth flows. | ||
| func (pc *provisionContext) isAuthorized() bool { |
There was a problem hiding this comment.
Maybe can split to smaller logical parts related to each action we do
Unix4ever
commented
Feb 28, 2025
| } | ||
| } | ||
|
|
||
| machineStatus, err := safe.ReaderGetByID[*system.ResourceLabels[*omni.MachineStatus]](ctx, h.state, req.NodeUuid) |
There was a problem hiding this comment.
We can use InfraMachineStatus last wipe time?
Change the infra machine status resource to have the last wiped token value.
Populate it this way Link -> InfraMachine -> InfraMachineStatus.
Unix4ever
commented
Feb 28, 2025
| // - has matching fingerprint and Talos is not installed. | ||
| // | ||
| //nolint:gocognit | ||
| func ensureResource[T res](ctx context.Context, logger *zap.Logger, |
There was a problem hiding this comment.
Try to split it to parts
Unix4ever
commented
Feb 28, 2025
Comment on lines
+294
to
+298
| if linkToken.IsSameFingerprint(provisionContext.requestNodeUniqueToken) { | ||
| logger.Warn("machine connection rejected: the machine has the correct fingerprint, but the random token part doesn't match") | ||
|
|
||
| return nil, status.Error(codes.PermissionDenied, "unauthorized") | ||
| } |
There was a problem hiding this comment.
Can move this part inside the ensureResource method probably.
Unix4ever
commented
Feb 28, 2025
| continue | ||
| } | ||
|
|
||
| macAddresses = append(macAddresses, string(link.TypedSpec().PermanentAddr)) |
There was a problem hiding this comment.
can be empty, if not set use HardwareAddr.
DmitriyMV
reviewed
Feb 28, 2025
Comment on lines
+112
to
+128
| macAddresses := make([]string, 0, links.Len()) | ||
|
|
||
| for link := range links.All() { | ||
| if !link.TypedSpec().Physical() { | ||
| continue | ||
| } | ||
|
|
||
| macAddresses = append(macAddresses, string(link.TypedSpec().PermanentAddr)) | ||
| } | ||
|
|
||
| slices.Sort(macAddresses) | ||
|
|
||
| hash := sha256.New() | ||
|
|
||
| for _, addr := range macAddresses { | ||
| hash.Write([]byte(addr)) | ||
| } |
There was a problem hiding this comment.
Suggested change
| macAddresses := make([]string, 0, links.Len()) | |
| for link := range links.All() { | |
| if !link.TypedSpec().Physical() { | |
| continue | |
| } | |
| macAddresses = append(macAddresses, string(link.TypedSpec().PermanentAddr)) | |
| } | |
| slices.Sort(macAddresses) | |
| hash := sha256.New() | |
| for _, addr := range macAddresses { | |
| hash.Write([]byte(addr)) | |
| } | |
| macAddresses := make([][]byte, 0, links.Len()) | |
| for link := range links.All() { | |
| if !link.TypedSpec().Physical() { | |
| continue | |
| } | |
| macAddresses = append(macAddresses, link.TypedSpec().PermanentAddr) | |
| } | |
| slices.SortFunc(macAddresses. bytes.Compare) | |
| hash := sha256.New() | |
| for _, addr := range macAddresses { | |
| hash.Write(addr) | |
| } |
Unix4ever
commented
Feb 28, 2025
| pointer.SafeDeref(req.TalosVersion), | ||
| ) | ||
| } | ||
|
|
||
| return h.updateLink(ctx, provisionContext) | ||
| return h.provision(ctx, provisionContext) |
There was a problem hiding this comment.
Sanitize errors returned here.
DmitriyMV
reviewed
Feb 28, 2025
| @@ -198,7 +199,7 @@ func HandleInput[T generic.ResourceWithRD, S generic.ResourceWithRD](ctx context | |||
|
|
|||
| // GetTalosClient for the machine id. | |||
| // Automatically pick secure or insecure client. | |||
| func GetTalosClient[T generic.ResourceWithRD](ctx context.Context, r controller.Reader, address string, machine T) (*client.Client, error) { | |||
| func GetTalosClient[T generic.ResourceWithRD](ctx context.Context, r controller.Reader, address string, machineResource T) (*client.Client, error) { | |||
There was a problem hiding this comment.
Suggested change
| func GetTalosClient[T generic.ResourceWithRD](ctx context.Context, r controller.Reader, address string, machineResource T) (*client.Client, error) { | |
| func GetTalosClient[T interface { | |
| *V | |
| generic.ResourceWithRD | |
| }, V any](ctx context.Context, r controller.Reader, address string, machineResource T) (*client.Client, error) { |
DmitriyMV
reviewed
Feb 28, 2025
| @@ -212,11 +213,20 @@ func GetTalosClient[T generic.ResourceWithRD](ctx context.Context, r controller. | |||
| )...) | |||
| } | |||
|
|
|||
| if reflect.ValueOf(machine).IsNil() { | |||
| if reflect.ValueOf(machineResource).IsNil() { | |||
There was a problem hiding this comment.
Suggested change
| if reflect.ValueOf(machineResource).IsNil() { | |
| if machineResource == nil { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The unique token flow was reworked to support machines running from PXE and ISO.
As they do not support META persistence, Omni doesn't enforce secure tokens for them.
But to distinguish machines and make the UUID conflict resolution to work, Omni now calculates the node fingerprints out of the mac addresses of all physical interfaces on the node.
So now each unique token consists of two parts:
Omni detects Talos installation on the machine in the following way:
MachineStatusexists, overwrite all checks with the installed label from it (ensures bare-metal provider workflow which goes to installed to not installed and PXE booted).Then when a machine joins Omni with some token, Omni checks if the random part is equal. If it is equal, the machine is immediately accepted.
If the random part is different and the fingerprint matches:
Then if nothing matches, the UUID conflict resolution kicks in. Provisioner creates a
PendingMachinewhich is marked with UUID conflict label andPendingMachineStatuscontroller generates a random UUID for the node.Fixes: #944