Add TPM support

.drone.yml

@@ -83,46 +83,3 @@ volumes:
 - name: docker
   host:
     path: /var/run/docker.sock
-
----
-kind: pipeline
-name: arm
-
-platform:
-  os: linux
-  arch: arm
-
-steps:
-- name: build
-  image: rancher/dapper:v0.4.1
-  commands:
-  - dapper ci
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-
-- name: github_binary_release
-  image: plugins/github-release
-  settings:
-    api_key:
-      from_secret: github_token
-    prerelease: true
-    checksum:
-    - sha256
-    checksum_file: CHECKSUMsum-arm.txt
-    checksum_flatten: true
-    files:
-    - "dist/artifacts/*"
-  when:
-    instance:
-    - drone-publish.rancher.io
-    ref:
-    - refs/head/master
-    - refs/tags/*
-    event:
-    - tag
-
-volumes:
-- name: docker
-  host:
-    path: /var/run/docker.sock

cmd/rancherd/gettpmhash/gettpmhash.go

@@ -0,0 +1,28 @@
+package gettpmhash
+
+import (
+	"fmt"
+
+	"github.com/rancher/rancherd/pkg/tpm"
+	cli "github.com/rancher/wrangler-cli"
+	"github.com/spf13/cobra"
+)
+
+func NewGetTPMHash() *cobra.Command {
+	return cli.Command(&GetTPMHash{}, cobra.Command{
+		Use:   "get-tpm-hash",
+		Short: "Print TPM hash to identify this machine",
+	})
+}
+
+type GetTPMHash struct {
+}
+
+func (p *GetTPMHash) Run(cmd *cobra.Command, args []string) error {
+	str, err := tpm.GetPubHash()
+	if err != nil {
+		return err
+	}
+	fmt.Println(str)
+	return nil
+}

cmd/rancherd/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"github.com/rancher/rancherd/cmd/rancherd/bootstrap"
 	"github.com/rancher/rancherd/cmd/rancherd/gettoken"
+	"github.com/rancher/rancherd/cmd/rancherd/gettpmhash"
 	"github.com/rancher/rancherd/cmd/rancherd/info"
 	"github.com/rancher/rancherd/cmd/rancherd/probe"
 	"github.com/rancher/rancherd/cmd/rancherd/resetadmin"
@@ -31,6 +32,7 @@ func main() {
 		retry.NewRetry(),
 		upgrade.NewUpgrade(),
 		info.NewInfo(),
+		gettpmhash.NewGetTPMHash(),
 	)
 	cli.Main(root)
 }

pkg/cacerts/cacerts.go

@@ -14,6 +14,7 @@ import (
 	url2 "net/url"
 	"time"
 
+	"github.com/rancher/rancherd/pkg/tpm"
 	"github.com/rancher/wrangler/pkg/randomtoken"
 )
 
@@ -42,18 +43,33 @@ func get(server, token, path string, clusterToken bool) ([]byte, string, error)
 	}
 	u.Path = path
 
-	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+	var (
+		isTPM bool
+	)
+	if !clusterToken {
+		isTPM, token, err = tpm.ResolveToken(token)
+		if err != nil {
+			return nil, "", err
+		}
+	}
+
+	cacert, caChecksum, err := CACerts(server, token, clusterToken)
 	if err != nil {
 		return nil, "", err
 	}
-	if !clusterToken {
-		req.Header.Set("Authorization", "Bearer "+base64.StdEncoding.EncodeToString([]byte(token)))
+
+	if isTPM {
+		data, err := tpm.Get(cacert, u.String(), nil)
+		return data, caChecksum, err
 	}
 
-	cacert, caChecksum, err := CACerts(server, token, clusterToken)
+	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
 	if err != nil {
 		return nil, "", err
 	}
+	if !clusterToken {
+		req.Header.Set("Authorization", "Bearer "+base64.StdEncoding.EncodeToString([]byte(token)))
+	}
 
 	var resp *http.Response
 	if len(cacert) == 0 {
@@ -103,6 +119,13 @@ func CACerts(server, token string, clusterToken bool) ([]byte, string, error) {
 	if !clusterToken {
 		requestURL = fmt.Sprintf("https://%s/v1-rancheros/cacerts", url.Host)
 	}
+
+	if resp, err := http.Get(requestURL); err == nil {
+		_, _ = ioutil.ReadAll(resp.Body)
+		resp.Body.Close()
+		return nil, "", nil
+	}
+
 	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
 	if err != nil {
 		return nil, "", err
@@ -121,6 +144,10 @@ func CACerts(server, token string, clusterToken bool) ([]byte, string, error) {
 		return nil, "", err
 	}
 
+	if resp.StatusCode != http.StatusOK {
+		return nil, "", fmt.Errorf("response %d: %s getting cacerts: %s", resp.StatusCode, resp.Status, data)
+	}
+
 	if resp.Header.Get("X-Cattle-Hash") != hash(token, nonce, data) {
 		return nil, "", fmt.Errorf("response hash (%s) does not match (%s)",
 			resp.Header.Get("X-Cattle-Hash"),

pkg/config/runtime.go

@@ -3,8 +3,9 @@ package config
 import "strings"
 
 var (
-	RuntimeRKE2 Runtime = "rke2"
-	RuntimeK3S  Runtime = "k3s"
+	RuntimeRKE2    Runtime = "rke2"
+	RuntimeK3S     Runtime = "k3s"
+	RuntimeUnknown Runtime = "unknown"
 )
 
 type Runtime string

pkg/discovery/discovery.go

@@ -106,6 +106,9 @@ func discoverServerAndRole(ctx context.Context, cfg *config.Config) (string, boo
 }
 
 func (j *joinServer) addresses(params map[string]string, discovery *discover.Discover) ([]string, error) {
+	if params["provider"] == "mdns" {
+		params["v6"] = "false"
+	}
 	addrs, err := discovery.Addrs(discover.Config(params).String(), log.Default())
 	if err != nil {
 		return nil, err
@@ -146,15 +149,15 @@ func (j *joinServer) loop(ctx context.Context, count int, params map[string]stri
 		}
 		resp, err := insecureHTTPClient.Do(req)
 		if err != nil {
-			logrus.Errorf("failed to connect to %s: %v", url, err)
+			logrus.Infof("failed to connect to %s: %v", url, err)
 			allAgree = false
 			continue
 		}
 
 		data, err := ioutil.ReadAll(resp.Body)
 		resp.Body.Close()
 		if err != nil || resp.StatusCode != http.StatusOK {
-			logrus.Errorf("failed to read response from %s: code %d: %v", url, resp.StatusCode, err)
+			logrus.Infof("failed to read response from %s: code %d: %v", url, resp.StatusCode, err)
 			allAgree = false
 			continue
 		}
@@ -181,6 +184,11 @@ func (j *joinServer) loop(ctx context.Context, count int, params map[string]stri
 		}
 	}
 
+	if len(addrs) == 0 {
+		logrus.Infof("No available peers")
+		return "", false
+	}
+
 	if firstID != j.id {
 		logrus.Infof("Waiting for peer %s from %v to initialize", addrs[0], addrs)
 		return "", false
@@ -219,7 +227,7 @@ func newJoinServer(ctx context.Context, cacheDuration string, port int64) (*join
 	}
 
 	if cacheDuration == "" {
-		cacheDuration = "5m"
+		cacheDuration = "1m"
 	}
 
 	duration, err := time.ParseDuration(cacheDuration)

pkg/plan/bootstrap.go

@@ -49,28 +49,19 @@ func toJoinPlan(cfg *config.Config, dataDir string) (*applyinator.Plan, error) {
 	}
 
 	plan := plan{}
-	k8sVersion, err := versions.K8sVersion(cfg.KubernetesVersion)
-	if err != nil {
-		return nil, err
-	}
-
 	if err := plan.addFile(join.ToScriptFile(cfg, dataDir)); err != nil {
 		return nil, err
 	}
-	if err := plan.addFile(runtime.ToFile(&cfg.RuntimeConfig, config.GetRuntime(k8sVersion), false)); err != nil {
-		return nil, err
-	}
 	if err := plan.addInstruction(join.ToInstruction(cfg, dataDir)); err != nil {
 		return nil, err
 	}
-	if err := plan.addInstruction(probe.ToInstruction(cfg.RuntimeInstallerImage, cfg.SystemDefaultRegistry, k8sVersion)); err != nil {
+	if err := plan.addInstruction(probe.ToInstruction()); err != nil {
 		return nil, err
 	}
-	if err := plan.addProbesForRoles(cfg); err != nil {
+	if err := plan.addProbesForJoin(cfg); err != nil {
 		return nil, err
 	}
 
-	plan.addPrePostInstructions(cfg, "")
 	return (*applyinator.Plan)(&plan), nil
 }
 
@@ -95,7 +86,7 @@ func (p *plan) addInstructions(cfg *config.Config, dataDir string) error {
 		return err
 	}
 
-	if err := p.addInstruction(probe.ToInstruction(cfg.RuntimeInstallerImage, cfg.SystemDefaultRegistry, k8sVersion)); err != nil {
+	if err := p.addInstruction(probe.ToInstruction()); err != nil {
 		return err
 	}
 
@@ -204,12 +195,8 @@ func (p *plan) addFile(file *applyinator.File, err error) error {
 	return nil
 }
 
-func (p *plan) addProbesForRoles(cfg *config.Config) error {
-	k8sVersion, err := versions.K8sVersion(cfg.KubernetesVersion)
-	if err != nil {
-		return err
-	}
-	p.Probes = probe.ProbesForRole(&cfg.RuntimeConfig, config.GetRuntime(k8sVersion))
+func (p *plan) addProbesForJoin(cfg *config.Config) error {
+	p.Probes = probe.ProbesForJoin(&cfg.RuntimeConfig)
 	return nil
 }
 

pkg/probe/probe.go

@@ -61,13 +61,13 @@ func replaceRuntime(str string, runtime config.Runtime) string {
 	return fmt.Sprintf(str, runtime)
 }
 
-func ProbesForRole(config *config.RuntimeConfig, runtime config.Runtime) map[string]prober.Probe {
-	if roles.IsControlPlane(config.Role) {
-		return AllProbes(runtime)
+func ProbesForJoin(cfg *config.RuntimeConfig) map[string]prober.Probe {
+	if roles.IsControlPlane(cfg.Role) {
+		return AllProbes(config.RuntimeUnknown)
 	}
 	return replaceRuntimeForProbes(map[string]prober.Probe{
 		"kubelet": probes["kubelet"],
-	}, runtime)
+	}, config.RuntimeUnknown)
 }
 
 func AllProbes(runtime config.Runtime) map[string]prober.Probe {
@@ -77,6 +77,12 @@ func AllProbes(runtime config.Runtime) map[string]prober.Probe {
 func replaceRuntimeForProbes(probes map[string]prober.Probe, runtime config.Runtime) map[string]prober.Probe {
 	result := map[string]prober.Probe{}
 	for k, v := range probes {
+		// we don't know the runtime to find the file
+		if runtime == config.RuntimeUnknown && (v.HTTPGetAction.CACert+
+			v.HTTPGetAction.ClientCert+
+			v.HTTPGetAction.ClientKey) != "" {
+			continue
+		}
 		v.HTTPGetAction.CACert = replaceRuntime(v.HTTPGetAction.CACert, runtime)
 		v.HTTPGetAction.ClientCert = replaceRuntime(v.HTTPGetAction.ClientCert, runtime)
 		v.HTTPGetAction.ClientKey = replaceRuntime(v.HTTPGetAction.ClientKey, runtime)
@@ -85,7 +91,7 @@ func replaceRuntimeForProbes(probes map[string]prober.Probe, runtime config.Runt
 	return result
 }
 
-func ToInstruction(imageOverride string, systemDefaultRegistry string, k8sVersion string) (*applyinator.Instruction, error) {
+func ToInstruction() (*applyinator.Instruction, error) {
 	cmd, err := self.Self()
 	if err != nil {
 		return nil, fmt.Errorf("resolving location of %s: %w", os.Args[0], err)

pkg/rancher/run.go

@@ -16,12 +16,11 @@ var defaultValues = map[string]interface{}{
 	"ingress": map[string]interface{}{
 		"enabled": false,
 	},
-	"features":       "multi-cluster-management=false",
-	"antiAffinity":   "required",
-	"replicas":       -3,
-	"tls":            "external",
-	"hostPort":       8443,
-	"noDefaultAdmin": true,
+	"features":     "multi-cluster-management=false",
+	"antiAffinity": "required",
+	"replicas":     -3,
+	"tls":          "external",
+	"hostPort":     8443,
 }
 
 func GetRancherValues(dataDir string) string {