From 3f173736242e0c3c2e6a9e64af1778085e42618b Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 2 Oct 2022 11:57:33 -0500
Subject: [PATCH] Change WireGuard keys -> configs

Setting up the WireGuard client requires several pieces of information,
beyond the node private key and peer's public key.  The peer endpoint
address/port, peer public key, and node IP address are also required.
As such, naming the resource a "key" is somewhat misleading.
---
 src/events.rs | 14 ++++++-------
 src/k8s.rs    | 57 ++++++++++++++++++++++++++++++---------------------
 2 files changed, 41 insertions(+), 30 deletions(-)

diff --git a/src/events.rs b/src/events.rs
index 04a62d4..feee1fc 100644
--- a/src/events.rs
+++ b/src/events.rs
@@ -6,7 +6,7 @@
 use log::{debug, error};
 
 use crate::k8s::{
-    assign_wireguard_key, create_bootstrap_token, unassign_wireguard_key,
+    assign_wireguard_config, create_bootstrap_token, unassign_wireguard_config,
 };
 use crate::model::events::*;
 
@@ -16,18 +16,18 @@ use crate::model::events::*;
 /// associated with ephemeral nodes running as EC2 instances.
 ///
 /// When an instance starts:
-/// 1. A WireGuard key is assigned to the instance
+/// 1. A WireGuard config is assigned to the instance
 /// 2. A Kubernetes bootstrap token is generated, to be used by `kubeadm` to
 ///    add the node to the cluster.
 ///
 /// When an instance is terminated:
-/// 1. Any WireGuard keys assigned to the instance are unassigned
+/// 1. Any WireGuard configs assigned to the instance are unassigned
 pub async fn on_ec2_instance_state_change(evt: Ec2InstanceStateChange) {
     debug!("EC2 instance {} is now {}", &evt.instance_id, &evt.state);
     if evt.state == "running" {
-        if let Err(e) = assign_wireguard_key(&evt.instance_id).await {
+        if let Err(e) = assign_wireguard_config(&evt.instance_id).await {
             error!(
-                "Failed to assign WireGuard key to instnce {}: {}",
+                "Failed to assign WireGuard config to instnce {}: {}",
                 &evt.instance_id, e
             );
             return;
@@ -39,9 +39,9 @@ pub async fn on_ec2_instance_state_change(evt: Ec2InstanceStateChange) {
             )
         };
     } else if evt.state == "terminated" {
-        if let Err(e) = unassign_wireguard_key(&evt.instance_id).await {
+        if let Err(e) = unassign_wireguard_config(&evt.instance_id).await {
             error!(
-                "Failed to unassign WireGuard key from instance: {}: {}",
+                "Failed to unassign WireGuard config from instance: {}: {}",
                 &evt.instance_id, e
             );
         }
diff --git a/src/k8s.rs b/src/k8s.rs
index cbc7aed..caefea7 100644
--- a/src/k8s.rs
+++ b/src/k8s.rs
@@ -157,40 +157,48 @@ impl Into<Secret> for BootstrapToken {
     }
 }
 
-/// Assign an existing WireGuard key to the specified EC2 instance
+/// Assign an existing WireGuard configuration to the specified EC2 instance
 ///
-/// This function finds the first unused WireGuard key, stored as a Kubernetes
-/// Secret resource, and assigns it to the specified EC2 instance.  Keys are
-/// assigned by setting the `dynk8s.du5t1n.me/ec2-instance-id` label in the
-/// Secret resource's metadata.
+/// This function finds the first unused WireGuard client configuration, stored
+/// as a Kubernetes Secret resource, and assigns it to the specified EC2
+/// instance.  Configs are assigned by setting the
+/// `dynk8s.du5t1n.me/ec2-instance-id` label in the Secret resource's metadata.
 ///
-/// Secret resources for WireGuard keys have a *type* of
-/// `dynk8s.du5t1n.me/wireguard-key`.  They must be created ahead of time and
-/// must refer to working keys already configured on the WireGuard server.
-pub async fn assign_wireguard_key(
+/// Secret resources for WireGuard configuration have a *type* of
+/// `dynk8s.du5t1n.me/wireguard-config`.  The Secret's `data` field must
+/// contain a `wireguard-config` property, which contains the WireGuard client
+/// configuration the node should use.  Configs must be created ahead of time
+/// and must refer to working keys already configured on the WireGuard server.
+pub async fn assign_wireguard_config(
     instance_id: &str,
 ) -> Result<(), kube::Error> {
     let client = Client::try_default().await?;
     let secrets: Api<Secret> = Api::default_namespaced(client);
     debug!(
-        "Checking for WireGuard keys already assigned to instance {}",
+        "Checking for WireGuard configs already assigned to instance {}",
         instance_id
     );
     let lp = ListParams::default()
-        .fields("type=dynk8s.du5t1n.me/wireguard-key")
+        .fields("type=dynk8s.du5t1n.me/wireguard-config")
         .labels(&format!("dynk8s.du5t1n.me/ec2-instance-id={}", instance_id));
     let res = secrets.list(&lp).await?;
     if !res.items.is_empty() {
-        info!("WireGuard key already assigned to instance {}", instance_id);
+        info!(
+            "WireGuard config already assigned to instance {}",
+            instance_id
+        );
         return Ok(());
     }
-    debug!("Looking for available WireGuard keys");
+    debug!("Looking for available WireGuard configs");
     let lp = ListParams::default()
-        .fields("type=dynk8s.du5t1n.me/wireguard-key")
+        .fields("type=dynk8s.du5t1n.me/wireguard-config")
         .labels("dynk8s.du5t1n.me/ec2-instance-id=");
     let res = secrets.list(&lp).await?;
     if res.items.is_empty() {
-        error!("No WireGuard keys available for instance {}", &instance_id);
+        error!(
+            "No WireGuard config available for instance {}",
+            &instance_id
+        );
     } else {
         if let Some(name) = &res.items[0].metadata.name {
             let mut labels = BTreeMap::<String, String>::new();
@@ -204,7 +212,7 @@ pub async fn assign_wireguard_key(
             let pp = PatchParams::apply(env!("CARGO_PKG_NAME")).force();
             secrets.patch(&name, &pp, &patch).await?;
             info!(
-                "Assigned WireGuard key {} to instance {}",
+                "Assigned WireGuard config {} to instance {}",
                 name, &instance_id
             );
         }
@@ -212,21 +220,24 @@ pub async fn assign_wireguard_key(
     Ok(())
 }
 
-/// Unassign all WireGuard keys from the specified EC2 instance
+/// Unassign all WireGuard configs from the specified EC2 instance
 ///
-/// This function finds all WireGuard keys, stored as Kubernetes Secret
+/// This function finds all WireGuard configs, stored as Kubernetes Secret
 /// resources, associated with the specified EC2 instance and unassigns them.
-/// Unassigned keys have the `dynk8s.du5t1n.me/ec2-instance-id` label set to
+/// Unassigned configs have the `dynk8s.du5t1n.me/ec2-instance-id` label set to
 /// the empty string.
-pub async fn unassign_wireguard_key(
+pub async fn unassign_wireguard_config(
     instance_id: &str,
 ) -> Result<(), kube::Error> {
     let client = Client::try_default().await?;
     let secrets: Api<Secret> = Api::default_namespaced(client);
     let lp = ListParams::default()
-        .fields("type=dynk8s.du5t1n.me/wireguard-key")
+        .fields("type=dynk8s.du5t1n.me/wireguard-config")
         .labels(&format!("dynk8s.du5t1n.me/ec2-instance-id={}", instance_id));
-    info!("Unassigning WireGuard keys from instance {}", instance_id);
+    info!(
+        "Unassigning WireGuard configs from instance {}",
+        instance_id
+    );
     for s in secrets.list(&lp).await? {
         if let Some(name) = &s.metadata.name {
             let mut labels = BTreeMap::<String, String>::new();
@@ -238,7 +249,7 @@ pub async fn unassign_wireguard_key(
             let pp = PatchParams::apply(env!("CARGO_PKG_NAME")).force();
             secrets.patch(&name, &pp, &patch).await?;
             info!(
-                "Unassigned WireGuard key {} from instance {}",
+                "Unassigned WireGuard config {} from instance {}",
                 name, &instance_id
             );
         }