Support GCE TPM verification

cmd/kops-controller/main.go

@@ -38,6 +38,7 @@ import (
 	nodeidentitygce "k8s.io/kops/pkg/nodeidentity/gce"
 	nodeidentityos "k8s.io/kops/pkg/nodeidentity/openstack"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+	"k8s.io/kops/upup/pkg/fi/cloudup/gce/tpm/gcetpmverifier"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/yaml"
@@ -94,6 +95,12 @@ func main() {
 				setupLog.Error(err, "unable to create verifier")
 				os.Exit(1)
 			}
+		} else if opt.Server.Provider.GCE != nil {
+			verifier, err = gcetpmverifier.NewTPMVerifier(opt.Server.Provider.GCE)
+			if err != nil {
+				setupLog.Error(err, "unable to create verifier")
+				os.Exit(1)
+			}
 		} else {
 			klog.Fatalf("server cloud provider config not provided")
 		}

cmd/kops-controller/pkg/config/options.go

@@ -16,7 +16,10 @@ limitations under the License.
 
 package config
 
-import "k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+import (
+	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+	gcetpm "k8s.io/kops/upup/pkg/fi/cloudup/gce/tpm"
+)
 
 type Options struct {
 	Cloud                 string         `json:"cloud,omitempty"`
@@ -52,5 +55,6 @@ type ServerOptions struct {
 }
 
 type ServerProviderOptions struct {
-	AWS *awsup.AWSVerifierOptions `json:"aws,omitempty"`
+	AWS *awsup.AWSVerifierOptions  `json:"aws,omitempty"`
+	GCE *gcetpm.TPMVerifierOptions `json:"gce,omitempty"`
 }

cmd/kops-controller/pkg/server/server.go

@@ -106,7 +106,9 @@ func (s *Server) bootstrap(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	id, err := s.verifier.VerifyToken(r.Header.Get("Authorization"), body)
+	ctx := r.Context()
+
+	id, err := s.verifier.VerifyToken(ctx, r.Header.Get("Authorization"), body)
 	if err != nil {
 		klog.Infof("bootstrap %s verify err: %v", r.RemoteAddr, err)
 		w.WriteHeader(http.StatusForbidden)
@@ -115,8 +117,7 @@ func (s *Server) bootstrap(w http.ResponseWriter, r *http.Request) {
 	}
 
 	req := &nodeup.BootstrapRequest{}
-	err = json.Unmarshal(body, req)
-	if err != nil {
+	if err := json.Unmarshal(body, req); err != nil {
 		klog.Infof("bootstrap %s decode err: %v", r.RemoteAddr, err)
 		w.WriteHeader(http.StatusBadRequest)
 		_, _ = w.Write([]byte(fmt.Sprintf("failed to decode: %v", err)))

go.mod

@@ -56,6 +56,8 @@ require (
 	github.com/gogo/protobuf v1.3.2
 	github.com/google/go-cmp v0.5.6
 	github.com/google/go-containerregistry v0.5.1
+	github.com/google/go-tpm v0.3.2
+	github.com/google/go-tpm-tools v0.3.0-beta1
 	github.com/google/uuid v1.2.0
 	github.com/gophercloud/gophercloud v0.18.0
 	github.com/gorilla/mux v1.8.0 // indirect

nodeup/pkg/model/bootstrap_client.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/kops/pkg/wellknownports"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+	"k8s.io/kops/upup/pkg/fi/cloudup/gce/tpm/gcetpmsigner"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
 
@@ -45,6 +46,8 @@ func (b BootstrapClientBuilder) Build(c *fi.ModelBuilderContext) error {
 	switch kops.CloudProviderID(b.Cluster.Spec.CloudProvider) {
 	case kops.CloudProviderAWS:
 		authenticator, err = awsup.NewAWSAuthenticator(b.Cloud.Region())
+	case kops.CloudProviderGCE:
+		authenticator, err = gcetpmsigner.NewTPMAuthenticator()
 	default:
 		return fmt.Errorf("unsupported cloud provider %s", b.Cluster.Spec.CloudProvider)
 	}

pkg/apis/kops/model/features.go

@@ -22,7 +22,14 @@ import (
 
 // UseKopsControllerForNodeBootstrap is true if nodeup should use kops-controller for bootstrapping.
 func UseKopsControllerForNodeBootstrap(cluster *kops.Cluster) bool {
-	return kops.CloudProviderID(cluster.Spec.CloudProvider) == kops.CloudProviderAWS && cluster.IsKubernetesGTE("1.19")
+	switch kops.CloudProviderID(cluster.Spec.CloudProvider) {
+	case kops.CloudProviderAWS:
+		return cluster.IsKubernetesGTE("1.19")
+	case kops.CloudProviderGCE:
+		return cluster.IsKubernetesGTE("1.22")
+	default:
+		return false
+	}
 }
 
 // UseCiliumEtcd is true if we are using the Cilium etcd cluster.

pkg/bootstrap/authenticate.go

@@ -16,6 +16,10 @@ limitations under the License.
 
 package bootstrap
 
+import (
+	"context"
+)
+
 // Authenticator generates authentication credentials for requests.
 type Authenticator interface {
 	CreateToken(body []byte) (string, error)
@@ -29,11 +33,11 @@ type VerifyResult struct {
 	// InstanceGroupName is the name of the kops InstanceGroup this node is a member of.
 	InstanceGroupName string
 
-	// CertificateNames is the names the node is authorized to use for certificates.
+	// CertificateNames is the alternate names the node is authorized to use for certificates.
 	CertificateNames []string
 }
 
 // Verifier verifies authentication credentials for requests.
 type Verifier interface {
-	VerifyToken(token string, body []byte) (*VerifyResult, error)
+	VerifyToken(ctx context.Context, token string, body []byte) (*VerifyResult, error)
 }