dubey/kat
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

WIP: Phase 2 #2

Draft
dubey wants to merge 27 commits from phase2 into main
pull from: phase2
merge into: dubey:main
Conversation 0 Commits 27 Files Changed 25 +2389 -38
dubey commented 2025-05-17 13:24:17 -04:00
Owner
Copy Link

Phase 2: Basic Agent & Node Lifecycle (Init, Join, PKI)

  • Goal: Initial Leader setup, a second Agent joining with mTLS, and heartbeating.
  • Tasks:
    1. Implement Internal PKI (RFC 10.6) in internal/pki/:
      • CA key/cert generation on kat-agent init.
      • CSR generation by agent on join.
      • CSR signing by Leader.
    2. Implement initial Node Communication Protocol (RFC 2.3) for join:
      • Agent (kat-agent join --leader-api <...> --advertise-address <...>) sends CSR to Leader.
      • Leader validates, signs, returns certs & CA. Stores node registration (name, UID, advertise addr, WG pubkey placeholder) in etcd.
    3. Implement basic mTLS for this join communication.
    4. Implement Node Heartbeat (POST /v1alpha1/nodes/{nodeName}/status) from Agent to Leader (RFC 4.1.3). Leader updates node status in etcd.
    5. Leader implements basic failure detection (marks Node NotReady in etcd if heartbeats cease) (RFC 4.1.4).
  • Milestone:
    • kat-agent init establishes a Leader with a CA.
    • kat-agent join allows a second agent to securely register with the Leader, obtain certificates, and store its info in etcd.
    • Leader's API receives heartbeats from the joined Agent.
    • If a joined Agent is stopped, the Leader marks its status as NotReady in etcd after nodeLossTimeoutSeconds.
**Phase 2: Basic Agent & Node Lifecycle (Init, Join, PKI)** * **Goal**: Initial Leader setup, a second Agent joining with mTLS, and heartbeating. * **Tasks**: 1. Implement Internal PKI (RFC 10.6) in `internal/pki/`: * CA key/cert generation on `kat-agent init`. * CSR generation by agent on join. * CSR signing by Leader. 2. Implement initial Node Communication Protocol (RFC 2.3) for join: * Agent (`kat-agent join --leader-api <...> --advertise-address <...>`) sends CSR to Leader. * Leader validates, signs, returns certs & CA. Stores node registration (name, UID, advertise addr, WG pubkey placeholder) in etcd. 3. Implement basic mTLS for this join communication. 4. Implement Node Heartbeat (`POST /v1alpha1/nodes/{nodeName}/status`) from Agent to Leader (RFC 4.1.3). Leader updates node status in etcd. 5. Leader implements basic failure detection (marks Node `NotReady` in etcd if heartbeats cease) (RFC 4.1.4). * **Milestone**: * `kat-agent init` establishes a Leader with a CA. * `kat-agent join` allows a second agent to securely register with the Leader, obtain certificates, and store its info in etcd. * Leader's API receives heartbeats from the joined Agent. * If a joined Agent is stopped, the Leader marks its status as `NotReady` in etcd after `nodeLossTimeoutSeconds`.
dubey added 20 commits 2025-05-17 13:24:17 -04:00
feat: implement internal PKI utilities for CA and certificate management 7adabe8630
Based on the implementation, I'll generate a concise commit message that captures the essence of the changes: bcff04db12 
feat: implement PKI initialization and leader mTLS certificate generation
refactor: remove duplicate certificate request functions from certs.go 52d7af083e
refactor: change default PKI directory to user home directory 787262c8a0
fix: add DNS names to CSR and improve certificate generation 47f9b69876
fix: handle CSR file path and raw PEM data in SignCertificateRequest 4f6365d453
Use local paths when possible, some AI cleanup 2f6d3c9bb2
Run gofmt 800e4f72f2
feat: Implement basic API server with mTLS for leader join endpoint 9e63518308
feat: implement mTLS API server with client certificate verification in kat-agent 8f1944ba15
feat: add request logging middleware and improve server logging af6a584628
I noticed a duplicate function in the internal/pki/ca.go file. I'll help you clean it up. Here's the corrected version: 4f7c2d6a66 
```go
package pki

import (
	// other imports
	"path/filepath"
)

const (
	// Default key size for RSA keys
	DefaultRSAKeySize = 2048
	// Default CA certificate validity period
	DefaultCAValidityDays = 3650 // ~10 years
	// Default certificate validity period
	DefaultCertValidityDays = 365 // 1 year
	// Default PKI directory
	DefaultPKIDir = "/var/lib/kat/pki"
)

// GetPKIPathFromClusterConfig determines the PKI directory from the cluster configuration.
// If backupPath is provided, it uses the parent directory of backupPath.
// Otherwise, it uses the default PKI directory.
func GetPKIPathFromClusterConfig(backupPath string) string {
	if backupPath == "" {
		return DefaultPKIDir
	}

	// Use the parent directory of backupPath
	return filepath.Dir(backupPath) + "/pki"
}

// generateSerialNumber creates a random serial number for certificates
func generateSerialNumber() (*big.Int, error) {
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) // 128 bits
	return rand.Int(rand.Reader, serialNumberLimit)
}

// Rest of the existing code...
```

The changes:
1. Removed the duplicate `GetPKIPathFromClusterConfig` function
2. Kept the single implementation that checks for an empty backup path
3. Maintained the default PKI directory as `/var/lib/kat/pki`

This should resolve the duplicate function issue while maintaining the desired functionality.

Would you like me to generate a commit message for this change?
feat: modify TLS config to allow initial node join without client certificate c07f389996
fix: disable client cert verification for Phase 2 development b33127bd34
Minor fixes ce6f2ce29d
fix: update TestServerWithMTLS to match Phase 2 TLS configuration f1f2b8f9ef
feat: Implement CSR signing and node registration handler for agent join bf80b65873
refactor: simplify imports and clean up code formatting in main.go 8bdccdc8c7
Based on the changes, I'll generate a concise commit message that captures the essence of the modifications: e4a19a6bb8 
feat: add node registration verification and idle loop for joined nodes
Add verbose to test
All checks were successful
Integration Tests / integration-tests (pull_request) Successful in 9m55s
Details
Unit Tests / unit-tests (pull_request) Successful in 10m10s
Details
dad5586339
dubey added 7 commits 2025-05-18 11:35:55 -04:00
feat: Implement agent heartbeat with mTLS and node status tracking 3408e7801e
test: remove unused testify assert import b777739509
fix: modify TLS configuration to handle hostname verification for cluster nodes ee9d14be05
fix: correct error handling in JoinCluster function to return proper response 0e50eaa407
fix: add insecure TLS verification for initial cluster join 641a2f09d3
fix: update TLS configuration to use leader hostname and custom dialer 8f90c1b16d
more fixes before final part
All checks were successful
Unit Tests / unit-tests (pull_request) Successful in 9m58s
Details
Integration Tests / integration-tests (pull_request) Successful in 9m58s
Details
92fb052594
All checks were successful
Unit Tests / unit-tests (pull_request) Successful in 9m58s
Details
Integration Tests / integration-tests (pull_request) Successful in 9m58s
Details
This pull request is marked as a work in progress.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin phase2:phase2
git checkout phase2
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
dubey
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dubey/kat#2
Delete Branch "phase2"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?