feat: add authority in GRPC client initialization

Enables support for trustd behind load balancer by providing SNI.

(cherry picked from commit b593bc6)
(cherry picked from commit 33f336d)

Signed-off-by: Sébastien Masset <86793256+smasset-orange@users.noreply.github.com>
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>

Author: smasset-orange

internal/app/machined/pkg/controllers/secrets/api.go

@@ -269,7 +269,7 @@ func (ctrl *APIController) reconcile(ctx context.Context, r controller.Runtime,
 				return err
 			}
 		} else {
-			if err := ctrl.generateWorker(ctx, r, logger, rootSpec, endpointsStr, certSANs); err != nil {
+			if err := ctrl.generateWorker(ctx, r, logger, rootSpec, endpointsStr, "", certSANs); err != nil {
 				return err
 			}
 		}
@@ -336,9 +336,11 @@ func (ctrl *APIController) generateControlPlane(ctx context.Context, r controlle
 }
 
 func (ctrl *APIController) generateWorker(ctx context.Context, r controller.Runtime, logger *zap.Logger,
-	rootSpec *secrets.OSRootSpec, endpointsStr []string, certSANs *secrets.CertSANSpec,
+	rootSpec *secrets.OSRootSpec, endpointsStr []string, endpointHost string, certSANs *secrets.CertSANSpec,
 ) error {
-	remoteGen, err := gen.NewRemoteGenerator(rootSpec.Token, endpointsStr, rootSpec.AcceptedCAs)
+	logger.Debug("Initializing CSR generator", zap.Strings("endpoints", endpointsStr), zap.String("host", endpointHost))
+
+	remoteGen, err := gen.NewRemoteGenerator(rootSpec.Token, endpointsStr, endpointHost, rootSpec.AcceptedCAs)
 	if err != nil {
 		return fmt.Errorf("failed creating trustd client: %w", err)
 	}

pkg/grpc/gen/remote.go

@@ -31,7 +31,7 @@ type RemoteGenerator struct {
 }
 
 // NewRemoteGenerator initializes a RemoteGenerator with a preconfigured grpc.ClientConn.
-func NewRemoteGenerator(token string, endpoints []string, acceptedCAs []*x509.PEMEncodedCertificate) (g *RemoteGenerator, err error) {
+func NewRemoteGenerator(token string, endpoints []string, host string, acceptedCAs []*x509.PEMEncodedCertificate) (g *RemoteGenerator, err error) {
 	if len(endpoints) == 0 {
 		return nil, errors.New("at least one root of trust endpoint is required")
 	}
@@ -42,7 +42,7 @@ func NewRemoteGenerator(token string, endpoints []string, acceptedCAs []*x509.PE
 
 	remoteGeneratorPprof.Add(g, 1)
 
-	conn, err := basic.NewConnection(fmt.Sprintf("%s:///%s", resolver.RoundRobinResolverScheme, strings.Join(endpoints, ",")), basic.NewTokenCredentials(token), acceptedCAs)
+	conn, err := basic.NewConnection(fmt.Sprintf("%s:///%s", resolver.RoundRobinResolverScheme, strings.Join(endpoints, ",")), host, basic.NewTokenCredentials(token), acceptedCAs)
 	if err != nil {
 		return nil, err
 	}

pkg/grpc/middleware/auth/basic/basic.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"crypto/tls"
 	stdx509 "crypto/x509"
+	"net"
 
 	"github.com/siderolabs/crypto/x509"
 	"github.com/siderolabs/gen/xslices"
@@ -16,6 +17,7 @@ import (
 
 	"github.com/siderolabs/talos/pkg/httpdefaults"
 	"github.com/siderolabs/talos/pkg/machinery/client/dialer"
+	"github.com/siderolabs/talos/pkg/machinery/labels"
 )
 
 // Credentials describes an authorization method.
@@ -27,7 +29,7 @@ type Credentials interface {
 
 // NewConnection initializes a grpc.ClientConn configured for basic
 // authentication.
-func NewConnection(address string, creds credentials.PerRPCCredentials, acceptedCAs []*x509.PEMEncodedCertificate) (conn *grpc.ClientConn, err error) {
+func NewConnection(address string, host string, creds credentials.PerRPCCredentials, acceptedCAs []*x509.PEMEncodedCertificate) (conn *grpc.ClientConn, err error) {
 	tlsConfig := &tls.Config{}
 
 	tlsConfig.RootCAs = stdx509.NewCertPool()
@@ -42,6 +44,7 @@ func NewConnection(address string, creds credentials.PerRPCCredentials, accepted
 	))
 
 	grpcOpts := []grpc.DialOption{
+		grpc.WithAuthority(ParseAuthority(host)),
 		grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
 		grpc.WithPerRPCCredentials(creds),
 		grpc.WithSharedWriteBuffer(true),
@@ -55,3 +58,34 @@ func NewConnection(address string, creds credentials.PerRPCCredentials, accepted
 
 	return conn, nil
 }
+
+// ParseAuthority checks if provided host parameter is neither empty nor
+// an IP address and returns the extracted host if found
+// or an empty string in all other cases.
+func ParseAuthority(host string) string {
+	if host == "" {
+		return ""
+	}
+
+	var parsedHost string
+
+	// Check if port is provided and remove it
+	h, _, err := net.SplitHostPort(host)
+	if err == nil {
+		parsedHost = h
+	} else {
+		parsedHost = host
+	}
+
+	// If parsedHost is an IP address it should not be used as an authority
+	if ip := net.ParseIP(parsedHost); ip != nil {
+		return ""
+	}
+
+	if err := labels.ValidateDNS1123Subdomain(parsedHost); err != nil {
+		return ""
+	}
+
+	// Otherwise return the parsed host
+	return parsedHost
+}

pkg/grpc/middleware/auth/basic/basic_test.go

@@ -0,0 +1,32 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package basic_test
+
+import (
+	"testing"
+
+	"github.com/siderolabs/talos/pkg/grpc/middleware/auth/basic"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseAuthority(t *testing.T) {
+	for _, tc := range []struct {
+		host string
+		want string
+	}{
+		{"", ""},
+		{"::1", ""},
+		{"[::1]", ""},
+		{"[::1]:443", ""},
+		{"127.0.0.1", ""},
+		{"127.0.0.1:443", ""},
+		{"[example.com]", ""},
+		{"example.com", "example.com"},
+		{"example.com:443", "example.com"},
+		{"[example.com]:443", "example.com"},
+	} {
+		assert.Equalf(t, tc.want, basic.ParseAuthority(tc.host), "ParseAuthority(%q)", tc.host)
+	}
+}