cluster: generate ring keys on scan if missing

Signed-off-by: Alejandro Mery <amery@jpi.io>

pkg/cluster/cluster_scan.go

@@ -73,6 +73,10 @@ func (m *Cluster) scanMachines(opts *ScanOptions) error {
 		err = p.scan(opts)
 		return err != nil
 	})
+	m.ForEachMachine(func(p *Machine) bool {
+		err = p.scanWrapUp(opts)
+		return err != nil
+	})
 	return err
 }
 

pkg/cluster/machine_rings.go

@@ -240,6 +240,23 @@ func (m *Machine) applyZoneNodeID(zoneID, nodeID int) error {
 	return nil
 }
 
+func (m *Machine) setRingDefaults(ri *RingInfo) error {
+	if ri.Keys.PrivateKey.IsZero() {
+		m.info().
+			WithField("subsystem", "wireguard").
+			WithField("node", m.Name).
+			WithField("ring", ri.Ring).
+			Print("generating key pair")
+
+		kp, err := wireguard.NewKeyPair()
+		if err != nil {
+			return err
+		}
+		ri.Keys = kp
+	}
+	return nil
+}
+
 // RemoveWireguardConfig deletes wgN.conf from the machine's
 // config directory.
 func (m *Machine) RemoveWireguardConfig(ring int) error {

pkg/cluster/machine_scan.go

@@ -68,7 +68,8 @@ func (m *Machine) setID() error {
 	return nil
 }
 
-func (m *Machine) scan(opts *ScanOptions) error {
+// scan is called once we know about all zones and machine names
+func (m *Machine) scan(_ *ScanOptions) error {
 	for i := 0; i < RingsCount; i++ {
 		if err := m.tryApplyWireguardConfig(i); err != nil {
 			m.error(err).
@@ -80,6 +81,22 @@ func (m *Machine) scan(opts *ScanOptions) error {
 		}
 	}
 
+	return nil
+}
+
+// scanWrapUp is called once all machines have been scanned
+func (m *Machine) scanWrapUp(opts *ScanOptions) error {
+	for _, ri := range m.Rings {
+		if err := m.setRingDefaults(ri); err != nil {
+			m.error(err).
+				WithField("subsystem", "wireguard").
+				WithField("node", m.Name).
+				WithField("ring", ri.Ring).
+				Print()
+			return err
+		}
+	}
+
 	if !opts.DontResolvePublicAddresses {
 		return m.UpdatePublicAddresses()
 	}

pkg/cluster/rings.go

@@ -41,7 +41,7 @@ func (ri *RingInfo) Merge(alter *RingInfo) error {
 		// can't disable via Merge
 		return fmt.Errorf("invalid %s: %v → %v", "enabled", ri.Enabled, alter.Enabled)
 	case !canMergeKeyPairs(ri.Keys, alter.Keys):
-		// incompatible keypairs
+		// incompatible key pairs
 		return fmt.Errorf("invalid %s: %s ≠ %s", "keys", ri.Keys, alter.Keys)
 	}