Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity
0ba810240f
constellation/keyservice/cmd/main.go

70 lines
2.5 KiB
Go
Raw Normal View History

add license headers sed -i '1i/*\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n*/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w .
2022-09-05 03:06:08 -04:00
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
package main
import (
"context"
"errors"
"flag"
"path/filepath"
"strconv"
"time"
Upgrade go module to v2
2022-09-21 07:47:57 -04:00
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/file"
keyservice: move kms code to internal/kms Recovery (disk-mapper) and init (bootstrapper) will have to work with multiple external KMSes in the future.
2023-01-12 10:22:47 -05:00
"github.com/edgelesssys/constellation/v2/internal/kms/setup"
Upgrade go module to v2
2022-09-21 07:47:57 -04:00
"github.com/edgelesssys/constellation/v2/internal/logger"
kms: rename kms to keyservice In the light of extending our eKMS support it will be helpful to have a tighter use of the word "KMS". KMS should refer to the actual component that manages keys. The keyservice, also called KMS in the constellation code, does not manage keys itself. It talks to a KMS backend, which in turn does the actual key management.
2023-01-11 04:08:57 -05:00
"github.com/edgelesssys/constellation/v2/keyservice/internal/server"
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
"github.com/spf13/afero"
"go.uber.org/zap"
)
func main() {
keyservice: use dash in container name (#1016) Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-01-20 12:51:06 -05:00
port := flag.String("port", strconv.Itoa(constants.KeyServicePort), "Port gRPC server listens on")
Generate random salt for key derivation on init (#309) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-29 03:52:47 -04:00
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
AB#2490: deploy KMS via Helm * Bundle helm-install related code in speparate package * Move cilium installation to new helm package
2022-10-18 07:15:54 -04:00
saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationSaltKey), "Path to the Constellation salt")
Add verbosity flag to all services (#244) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-01 10:17:06 -04:00
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
flag.Parse()
Add verbosity flag to all services (#244) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-01 10:17:06 -04:00
log := logger.New(logger.JSONLog, logger.VerbosityFromInt(*verbosity))
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
AB#2200 Merge Owner and Cluster ID (#282) * Merge Owner and Cluster ID into single value * Remove aTLS from KMS, as it is no longer used for cluster external communication * Update verify command to use cluster-id instead of unique-id flag * Remove owner ID from init output Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-26 04:58:39 -04:00
log.With(zap.String("version", constants.VersionInfo)).
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
Infof("Constellation Key Management Service")
Generate random salt for key derivation on init (#309) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-29 03:52:47 -04:00
// read master secret and salt
file := file.NewHandler(afero.NewOsFs())
masterKey, err := file.Read(*masterSecretPath)
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to read master secret")
}
Generate random salt for key derivation on init (#309) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-29 03:52:47 -04:00
if len(masterKey) < crypto.MasterSecretLengthMin {
log.With(zap.Error(errors.New("invalid key length"))).Fatalf("Provided master secret is smaller than the required minimum of %d bytes", crypto.MasterSecretLengthMin)
}
salt, err := file.Read(*saltPath)
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to read salt")
}
if len(salt) < crypto.RNGLengthDefault {
log.With(zap.Error(errors.New("invalid salt length"))).Fatalf("Expected salt to be %d bytes, but got %d", crypto.RNGLengthDefault, len(salt))
}
Refactor init/recovery to use kms URI So far the masterSecret was sent to the initial bootstrapper on init/recovery. With this commit this information is encoded in the kmsURI that is sent during init. For recover, the communication with the recoveryserver is changed. Before a streaming gRPC call was used to exchanges UUID for measurementSecret and state disk key. Now a standard gRPC is made that includes the same kmsURI & storageURI that are sent during init.
2023-01-16 05:19:03 -05:00
masterSecret := setup.MasterSecret{Key: masterKey, Salt: salt}
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
Generate random salt for key derivation on init (#309) Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-07-29 03:52:47 -04:00
// set up Key Management Service
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancel()
Refactor init/recovery to use kms URI So far the masterSecret was sent to the initial bootstrapper on init/recovery. With this commit this information is encoded in the kmsURI that is sent during init. For recover, the communication with the recoveryserver is changed. Before a streaming gRPC call was used to exchanges UUID for measurementSecret and state disk key. Now a standard gRPC is made that includes the same kmsURI & storageURI that are sent during init.
2023-01-16 05:19:03 -05:00
conKMS, err := setup.KMS(ctx, setup.NoStoreURI, masterSecret.EncodeToURI())
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to setup KMS")
}
internal: use go-kms-wrapping for KMS backends (#1012) * Replace external KMS backend logic for AWS, Azure, and GCP with go-kms-wrapping * Move kms client setup config into its own package for easier parsing * Update kms integration flag naming * Error if nil storage is passed to external KMS --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-02-08 06:03:54 -05:00
defer conKMS.Close()
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
keyservice: use dash in container name (#1016) Co-authored-by: Otto Bittner <cobittner@posteo.net>
2023-01-20 12:51:06 -05:00
if err := server.New(log.Named("keyService"), conKMS).Run(*port); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to run key-service server")
Add aTLS endpoint to KMS (#236) * Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2022-06-29 10:13:01 -04:00
}
}
Reference in New Issue Copy Permalink