replicatedhq · alicenstar · Oct 16, 2023 · Oct 17, 2023 · Oct 17, 2023 · Oct 17, 2023
diff --git a/migrations/tables/k0s_tokens.yaml b/migrations/tables/k0s_tokens.yaml
@@ -0,0 +1,21 @@
+apiVersion: schemas.schemahero.io/v1alpha4
+kind: Table
+metadata:
+  name: k0s-tokens
+spec:
+  name: k0s_tokens
+  requires: []
+  schema:
+    rqlite:
+      strict: true
+      primaryKey:
+      - token
+      columns:
+      - name: token
+        type: text
+        constraints:
+          notNull: true
+      - name: roles
+        type: text
+        constraints:
+          notNull: true
diff --git a/pkg/handlers/handlers.go b/pkg/handlers/handlers.go
@@ -277,16 +277,16 @@ func RegisterSessionAuthRoutes(r *mux.Router, kotsStore store.Store, handler KOT
 
 	// HelmVM
 	r.Name("HelmVM").Path("/api/v1/helmvm").HandlerFunc(NotImplemented)
-	r.Name("GenerateHelmVMNodeJoinCommandSecondary").Path("/api/v1/helmvm/generate-node-join-command-secondary").Methods("POST").
-		HandlerFunc(middleware.EnforceAccess(policy.ClusterWrite, handler.GenerateHelmVMNodeJoinCommandSecondary))
-	r.Name("GenerateHelmVMNodeJoinCommandPrimary").Path("/api/v1/helmvm/generate-node-join-command-primary").Methods("POST").
-		HandlerFunc(middleware.EnforceAccess(policy.ClusterWrite, handler.GenerateHelmVMNodeJoinCommandPrimary))
+	r.Name("GenerateK0sNodeJoinCommand").Path("/api/v1/helmvm/generate-node-join-command").Methods("POST").
+		HandlerFunc(middleware.EnforceAccess(policy.ClusterWrite, handler.GenerateK0sNodeJoinCommand))
 	r.Name("DrainHelmVMNode").Path("/api/v1/helmvm/nodes/{nodeName}/drain").Methods("POST").
 		HandlerFunc(middleware.EnforceAccess(policy.ClusterWrite, handler.DrainHelmVMNode))
 	r.Name("DeleteHelmVMNode").Path("/api/v1/helmvm/nodes/{nodeName}").Methods("DELETE").
 		HandlerFunc(middleware.EnforceAccess(policy.ClusterWrite, handler.DeleteHelmVMNode))
 	r.Name("GetHelmVMNodes").Path("/api/v1/helmvm/nodes").Methods("GET").
 		HandlerFunc(middleware.EnforceAccess(policy.ClusterRead, handler.GetHelmVMNodes))
+	r.Name("GetHelmVMNode").Path("/api/v1/helmvm/node/{nodeName}").Methods("GET").
+		HandlerFunc(middleware.EnforceAccess(policy.ClusterRead, handler.GetHelmVMNode))
 
 	// Prometheus
 	r.Name("SetPrometheusAddress").Path("/api/v1/prometheus").Methods("POST").
@@ -355,6 +355,9 @@ func RegisterUnauthenticatedRoutes(handler *Handler, kotsStore store.Store, debu
 	// These handlers should be called by the application only.
 	loggingRouter.Path("/license/v1/license").Methods("GET").HandlerFunc(handler.GetPlatformLicenseCompatibility)
 	loggingRouter.Path("/api/v1/app/custom-metrics").Methods("POST").HandlerFunc(handler.GetSendCustomAppMetricsHandler(kotsStore))
+
+	// This handler requires a valid token in the query
+	loggingRouter.Path("/api/v1/embedded-cluster/join").Methods("GET").HandlerFunc(handler.GetK0sNodeJoinCommand)
 }
 
 func RegisterLicenseIDAuthRoutes(r *mux.Router, kotsStore store.Store, handler KOTSHandler) {

diff --git a/pkg/handlers/handlers_test.go b/pkg/handlers/handlers_test.go
@@ -1210,54 +1210,65 @@ var HandlerPolicyTests = map[string][]HandlerPolicyTest{
 	},
 
 	"HelmVM": {}, // Not implemented
-	"GenerateHelmVMNodeJoinCommandSecondary": {
+	"GenerateK0sNodeJoinCommand": {
 		{
 			Roles:        []rbactypes.Role{rbac.ClusterAdminRole},
 			SessionRoles: []string{rbac.ClusterAdminRoleID},
 			Calls: func(storeRecorder *mock_store.MockStoreMockRecorder, handlerRecorder *mock_handlers.MockKOTSHandlerMockRecorder) {
-				handlerRecorder.GenerateHelmVMNodeJoinCommandSecondary(gomock.Any(), gomock.Any())
+				handlerRecorder.GenerateK0sNodeJoinCommand(gomock.Any(), gomock.Any())
 			},
 			ExpectStatus: http.StatusOK,
 		},
 	},
-	"GenerateHelmVMNodeJoinCommandPrimary": {
+	"DrainHelmVMNode": {
 		{
+			Vars:         map[string]string{"nodeName": "node-name"},
 			Roles:        []rbactypes.Role{rbac.ClusterAdminRole},
 			SessionRoles: []string{rbac.ClusterAdminRoleID},
 			Calls: func(storeRecorder *mock_store.MockStoreMockRecorder, handlerRecorder *mock_handlers.MockKOTSHandlerMockRecorder) {
-				handlerRecorder.GenerateHelmVMNodeJoinCommandPrimary(gomock.Any(), gomock.Any())
+				handlerRecorder.DrainHelmVMNode(gomock.Any(), gomock.Any())
 			},
 			ExpectStatus: http.StatusOK,
 		},
 	},
-	"DrainHelmVMNode": {
+	"DeleteHelmVMNode": {
 		{
 			Vars:         map[string]string{"nodeName": "node-name"},
 			Roles:        []rbactypes.Role{rbac.ClusterAdminRole},
 			SessionRoles: []string{rbac.ClusterAdminRoleID},
 			Calls: func(storeRecorder *mock_store.MockStoreMockRecorder, handlerRecorder *mock_handlers.MockKOTSHandlerMockRecorder) {
-				handlerRecorder.DrainHelmVMNode(gomock.Any(), gomock.Any())
+				handlerRecorder.DeleteHelmVMNode(gomock.Any(), gomock.Any())
 			},
 			ExpectStatus: http.StatusOK,
 		},
 	},
-	"DeleteHelmVMNode": {
+	"GetHelmVMNodes": {
+		{
+			Roles:        []rbactypes.Role{rbac.ClusterAdminRole},
+			SessionRoles: []string{rbac.ClusterAdminRoleID},
+			Calls: func(storeRecorder *mock_store.MockStoreMockRecorder, handlerRecorder *mock_handlers.MockKOTSHandlerMockRecorder) {
+				handlerRecorder.GetHelmVMNodes(gomock.Any(), gomock.Any())
+			},
+			ExpectStatus: http.StatusOK,
+		},
+	},
+	"GetHelmVMNode": {
 		{
 			Vars:         map[string]string{"nodeName": "node-name"},
 			Roles:        []rbactypes.Role{rbac.ClusterAdminRole},
 			SessionRoles: []string{rbac.ClusterAdminRoleID},
 			Calls: func(storeRecorder *mock_store.MockStoreMockRecorder, handlerRecorder *mock_handlers.MockKOTSHandlerMockRecorder) {
-				handlerRecorder.DeleteHelmVMNode(gomock.Any(), gomock.Any())
+				handlerRecorder.GetHelmVMNode(gomock.Any(), gomock.Any())
 			},
 			ExpectStatus: http.StatusOK,
 		},
 	},
-	"GetHelmVMNodes": {
+	"GetK0sNodeJoinCommand": {
 		{
 			Roles:        []rbactypes.Role{rbac.ClusterAdminRole},
 			SessionRoles: []string{rbac.ClusterAdminRoleID},
 			Calls: func(storeRecorder *mock_store.MockStoreMockRecorder, handlerRecorder *mock_handlers.MockKOTSHandlerMockRecorder) {
-				handlerRecorder.GetHelmVMNodes(gomock.Any(), gomock.Any())
+				handlerRecorder.GetK0sNodeJoinCommand(gomock.Any(), gomock.Any())
 			},
 			ExpectStatus: http.StatusOK,
 		},

diff --git a/pkg/handlers/helmvm_get.go b/pkg/handlers/helmvm_get.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"net/http"
 
+	"github.com/gorilla/mux"
 	"github.com/replicatedhq/kots/pkg/helmvm"
 	"github.com/replicatedhq/kots/pkg/k8sutil"
 	"github.com/replicatedhq/kots/pkg/logger"
@@ -16,11 +17,29 @@ func (h *Handler) GetHelmVMNodes(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	nodes, err := helmvm.GetNodes(client)
+	nodes, err := helmvm.GetNodes(r.Context(), client)
 	if err != nil {
 		logger.Error(err)
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 	JSON(w, http.StatusOK, nodes)
 }
+
+func (h *Handler) GetHelmVMNode(w http.ResponseWriter, r *http.Request) {
+	client, err := k8sutil.GetClientset()
+	if err != nil {
+		logger.Error(err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	nodeName := mux.Vars(r)["nodeName"]
+	node, err := helmvm.GetNode(r.Context(), client, nodeName)
+	if err != nil {
+		logger.Error(err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	JSON(w, http.StatusOK, node)
+}
diff --git a/pkg/handlers/helmvm_node_join_command.go b/pkg/handlers/helmvm_node_join_command.go
@@ -1,55 +1,116 @@
 package handlers
 
 import (
+	"encoding/json"
+	"fmt"
 	"net/http"
-	"time"
 
 	"github.com/replicatedhq/kots/pkg/helmvm"
 	"github.com/replicatedhq/kots/pkg/k8sutil"
 	"github.com/replicatedhq/kots/pkg/logger"
+	"github.com/replicatedhq/kots/pkg/store/kotsstore"
 )
 
-type GenerateHelmVMNodeJoinCommandResponse struct {
+type GenerateK0sNodeJoinCommandResponse struct {
 	Command []string `json:"command"`
-	Expiry  string   `json:"expiry"`
 }
 
-func (h *Handler) GenerateHelmVMNodeJoinCommandSecondary(w http.ResponseWriter, r *http.Request) {
-	client, err := k8sutil.GetClientset()
+type GetK0sNodeJoinCommandResponse struct {
+	ClusterID      string `json:"clusterID"`
+	K0sJoinCommand string `json:"k0sJoinCommand"`
+	K0sToken       string `json:"k0sToken"`
+}
+
+type GenerateHelmVMNodeJoinCommandRequest struct {
+	Roles []string `json:"roles"`
+}
+
+func (h *Handler) GenerateK0sNodeJoinCommand(w http.ResponseWriter, r *http.Request) {
+	generateHelmVMNodeJoinCommandRequest := GenerateHelmVMNodeJoinCommandRequest{}
+	if err := json.NewDecoder(r.Body).Decode(&generateHelmVMNodeJoinCommandRequest); err != nil {
+		logger.Error(fmt.Errorf("failed to decode request body: %w", err))
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	store := kotsstore.StoreFromEnv()
+	token, err := store.SetK0sInstallCommandRoles(generateHelmVMNodeJoinCommandRequest.Roles)
 	if err != nil {
-		logger.Error(err)
+		logger.Error(fmt.Errorf("failed to set k0s install command roles: %w", err))
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 
-	command, expiry, err := helmvm.GenerateAddNodeCommand(client, false)
+	client, err := k8sutil.GetClientset()
+	if err != nil {
+		logger.Error(fmt.Errorf("failed to get clientset: %w", err))
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	nodeJoinCommand, err := helmvm.GenerateAddNodeCommand(r.Context(), client, token)
 	if err != nil {
-		logger.Error(err)
+		logger.Error(fmt.Errorf("failed to generate add node command: %w", err))
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
-	JSON(w, http.StatusOK, GenerateHelmVMNodeJoinCommandResponse{
-		Command: command,
-		Expiry:  expiry.Format(time.RFC3339),
+
+	JSON(w, http.StatusOK, GenerateK0sNodeJoinCommandResponse{
+		Command: []string{nodeJoinCommand},
 	})
 }
 
-func (h *Handler) GenerateHelmVMNodeJoinCommandPrimary(w http.ResponseWriter, r *http.Request) {
+// this function relies on the token being valid for authentication
+func (h *Handler) GetK0sNodeJoinCommand(w http.ResponseWriter, r *http.Request) {
+	// read query string, ensure that the token is valid
+	token := r.URL.Query().Get("token")
+	store := kotsstore.StoreFromEnv()
+	roles, err := store.GetK0sInstallCommandRoles(token)
+	if err != nil {
+		logger.Error(fmt.Errorf("failed to get k0s install command roles: %w", err))
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	// use roles to generate join token etc
 	client, err := k8sutil.GetClientset()
 	if err != nil {
-		logger.Error(err)
+		logger.Error(fmt.Errorf("failed to get clientset: %w", err))
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	k0sRole := "worker"
+	for _, role := range roles {
+		if role == "controller" {
+			k0sRole = "controller"
+			break
+		}
+	}
+
+	k0sToken, err := helmvm.GenerateAddNodeToken(r.Context(), client, k0sRole)
+	if err != nil {
+		logger.Error(fmt.Errorf("failed to generate add node token: %w", err))
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	k0sJoinCommand, err := helmvm.GenerateK0sJoinCommand(r.Context(), client, roles)
+	if err != nil {
+		logger.Error(fmt.Errorf("failed to generate k0s join command: %w", err))
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 
-	command, expiry, err := helmvm.GenerateAddNodeCommand(client, true)
+	clusterID, err := helmvm.ClusterID(client)
 	if err != nil {
-		logger.Error(err)
+		logger.Error(fmt.Errorf("failed to get cluster id: %w", err))
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
-	JSON(w, http.StatusOK, GenerateHelmVMNodeJoinCommandResponse{
-		Command: command,
-		Expiry:  expiry.Format(time.RFC3339),
+
+	JSON(w, http.StatusOK, GetK0sNodeJoinCommandResponse{
+		ClusterID:      clusterID,
+		K0sJoinCommand: k0sJoinCommand,
+		K0sToken:       k0sToken,
 	})
 }
diff --git a/pkg/handlers/interface.go b/pkg/handlers/interface.go
@@ -139,11 +139,12 @@ type KOTSHandler interface {
 	GetKurlNodes(w http.ResponseWriter, r *http.Request)
 
 	// HelmVM
-	GenerateHelmVMNodeJoinCommandSecondary(w http.ResponseWriter, r *http.Request)
-	GenerateHelmVMNodeJoinCommandPrimary(w http.ResponseWriter, r *http.Request)
+	GenerateK0sNodeJoinCommand(w http.ResponseWriter, r *http.Request)
 	DrainHelmVMNode(w http.ResponseWriter, r *http.Request)
 	DeleteHelmVMNode(w http.ResponseWriter, r *http.Request)
 	GetHelmVMNodes(w http.ResponseWriter, r *http.Request)
+	GetHelmVMNode(w http.ResponseWriter, r *http.Request)
+	GetK0sNodeJoinCommand(w http.ResponseWriter, r *http.Request)
 
 	// Prometheus
 	SetPrometheusAddress(w http.ResponseWriter, r *http.Request)

diff --git a/pkg/handlers/mock/mock.go b/pkg/handlers/mock/mock.go