From 90b88e1cf95a828ec0e8b7529ca5b980f2743ad9 Mon Sep 17 00:00:00 2001 
From: Otto Bittner Date: Wed, 11 Jan 2023 10:08:57 +0100 Subject: [PATCH] kms: rename kms to keyservice In the light of extending our eKMS support it will be helpful to have a tighter use of the word "KMS". KMS should refer to the actual component that manages keys. The keyservice, also called KMS in the constellation code, does not manage keys itself. It talks to a KMS backend, which in turn does the actual key management. --- .github/actions/e2e_mini/run-e2e.sh | 2 +- ...s-image.yml => build-keyservice-image.yml} | 12 +-- .../workflows/build-micro-service-manual.yml | 6 +- CODEOWNERS | 2 +- cli/internal/cmd/init.go | 6 +- .../constellation-services/Chart.yaml | 2 +- .../templates/csi-azuredisk-node.yaml | 2 +- .../charts/azuredisk-csi-driver/values.yaml | 6 +- .../templates/node.yaml | 2 +- .../values.yaml | 7 +- .../join-service/templates/daemonset.yaml | 2 +- .../charts/{kms => keyservice}/.helmignore | 0 .../charts/keyservice/Chart.yaml | 5 + .../keyservice}/templates/clusterrole.yaml | 4 +- .../templates/clusterrolebinding.yaml | 6 +- .../templates/daemonset.yaml | 16 +-- .../templates/mastersecret.yaml | 0 .../templates/service.yaml | 8 +- .../templates/serviceaccount.yaml | 2 +- .../{kms => keyservice}/values.schema.json | 2 +- .../charts/{kms => keyservice}/values.yaml | 0 .../constellation-services/values.yaml | 4 +- cli/internal/helm/loader.go | 31 ++---- cli/internal/helm/loader_test.go | 70 ++++++------ .../templates/csi-azuredisk-node.yaml | 2 +- .../join-service/templates/daemonset.yaml | 2 +- .../keyservice}/templates/clusterrole.yaml | 4 +- .../templates/clusterrolebinding.yaml | 6 +- .../templates/daemonset.yaml | 16 +-- .../templates/mastersecret.yaml | 0 .../charts/keyservice}/templates/service.yaml | 4 +- .../keyservice}/templates/serviceaccount.yaml | 2 +- .../templates/node.yaml | 2 +- .../join-service/templates/daemonset.yaml | 2 +- .../templates/clusterrole.yaml | 4 +- .../templates/clusterrolebinding.yaml | 6 +- 
.../templates/daemonset.yaml | 16 +-- .../templates/mastersecret.yaml | 0 .../charts/keyservice}/templates/service.yaml | 4 +- .../keyservice}/templates/serviceaccount.yaml | 2 +- .../join-service/templates/daemonset.yaml | 2 +- .../templates/clusterrole.yaml | 4 +- .../templates/clusterrolebinding.yaml | 6 +- .../templates/daemonset.yaml | 16 +-- .../templates/mastersecret.yaml | 0 .../templates/service.yaml | 4 +- .../keyservice}/templates/serviceaccount.yaml | 2 +- cli/internal/helm/update-csi-charts.sh | 4 +- csi/kms/constellation.go | 10 +- csi/kms/constellation_test.go | 6 +- dev-docs/layout.md | 2 +- docs/docs/architecture/components.md | 16 +-- docs/docs/architecture/encrypted-storage.md | 2 +- internal/constants/constants.go | 4 +- internal/versions/versions.go | 6 +- joinservice/README.md | 2 +- joinservice/cmd/main.go | 6 +- joinservice/internal/kms/kms.go | 12 +-- joinservice/internal/kms/kms_test.go | 6 +- {kms => keyservice}/Dockerfile | 8 +- {kms => keyservice}/cmd/main.go | 10 +- {kms => keyservice}/internal/README.md | 6 +- {kms => keyservice}/internal/config/config.go | 0 {kms => keyservice}/internal/server/server.go | 12 +-- .../internal/server/server_test.go | 10 +- .../internal/storage/awss3storage.go | 2 +- .../internal/storage/awss3storage_test.go | 0 .../internal/storage/azurestorage.go | 2 +- .../internal/storage/azurestorage_test.go | 0 .../internal/storage/gcloudstorage.go | 0 .../storage/gcloudstorage_integration_test.go | 0 .../internal/storage/gcloudstorage_test.go | 0 .../internal/storage/memfsstorage.go | 0 .../internal/storage/memfsstroage_test.go | 0 .../internal/storage/storage.go | 0 {kms => keyservice}/internal/test/aws_test.go | 6 +- .../internal/test/azure_test.go | 6 +- {kms => keyservice}/internal/test/gcp_test.go | 6 +- .../internal/test/integration_test.go | 0 .../keyserviceproto/keyservice.pb.go | 101 +++++++++--------- .../keyserviceproto/keyservice.proto | 2 +- .../keyserviceproto/keyservice_grpc.pb.go | 6 +- {kms => 
keyservice}/kms/aws/aws.go | 8 +- {kms => keyservice}/kms/aws/aws_test.go | 6 +- {kms => keyservice}/kms/azure/azure.go | 8 +- {kms => keyservice}/kms/azure/azure_test.go | 4 +- {kms => keyservice}/kms/azure/hsm.go | 8 +- {kms => keyservice}/kms/azure/hsm_test.go | 4 +- {kms => keyservice}/kms/cluster/cluster.go | 0 .../kms/cluster/cluster_test.go | 0 {kms => keyservice}/kms/gcp/gcp.go | 8 +- {kms => keyservice}/kms/gcp/gcp_test.go | 6 +- {kms => keyservice}/kms/kms.go | 0 {kms => keyservice}/kms/util/crypto.go | 0 {kms => keyservice}/kms/util/crypto_test.go | 0 {kms => keyservice}/setup/setup.go | 12 +-- {kms => keyservice}/setup/setup_test.go | 0 proto/Dockerfile.gen-proto | 6 +- rfc/external-kms.md | 2 +- rfc/key-derivation.md | 2 +- rfc/reproducible-builds.md | 2 +- 101 files changed, 313 insertions(+), 319 deletions(-) rename .github/workflows/{build-kms-image.yml => build-keyservice-image.yml} (86%) rename cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/.helmignore (100%) create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/Chart.yaml rename cli/internal/helm/{testdata/Azure/constellation-services/charts/kms => charts/edgeless/constellation-services/charts/keyservice}/templates/clusterrole.yaml (77%) rename cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/templates/clusterrolebinding.yaml (78%) rename cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/templates/daemonset.yaml (87%) rename cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/templates/mastersecret.yaml (100%) rename cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/templates/service.yaml (56%) rename cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/templates/serviceaccount.yaml (81%) rename 
cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/values.schema.json (91%) rename cli/internal/helm/charts/edgeless/constellation-services/charts/{kms => keyservice}/values.yaml (100%) rename cli/internal/helm/{charts/edgeless/constellation-services/charts/kms => testdata/Azure/constellation-services/charts/keyservice}/templates/clusterrole.yaml (77%) rename cli/internal/helm/testdata/Azure/constellation-services/charts/{kms => keyservice}/templates/clusterrolebinding.yaml (78%) rename cli/internal/helm/testdata/Azure/constellation-services/charts/{kms => keyservice}/templates/daemonset.yaml (86%) rename cli/internal/helm/testdata/Azure/constellation-services/charts/{kms => keyservice}/templates/mastersecret.yaml (100%) rename cli/internal/helm/testdata/{GCP/constellation-services/charts/kms => Azure/constellation-services/charts/keyservice}/templates/service.yaml (82%) rename cli/internal/helm/testdata/{GCP/constellation-services/charts/kms => Azure/constellation-services/charts/keyservice}/templates/serviceaccount.yaml (79%) rename cli/internal/helm/testdata/GCP/constellation-services/charts/{kms => keyservice}/templates/clusterrole.yaml (77%) rename cli/internal/helm/testdata/GCP/constellation-services/charts/{kms => keyservice}/templates/clusterrolebinding.yaml (78%) rename cli/internal/helm/testdata/GCP/constellation-services/charts/{kms => keyservice}/templates/daemonset.yaml (86%) rename cli/internal/helm/testdata/GCP/constellation-services/charts/{kms => keyservice}/templates/mastersecret.yaml (100%) rename cli/internal/helm/testdata/{Azure/constellation-services/charts/kms => GCP/constellation-services/charts/keyservice}/templates/service.yaml (82%) rename cli/internal/helm/testdata/{QEMU/constellation-services/charts/kms => GCP/constellation-services/charts/keyservice}/templates/serviceaccount.yaml (79%) rename cli/internal/helm/testdata/QEMU/constellation-services/charts/{kms => keyservice}/templates/clusterrole.yaml 
(77%) rename cli/internal/helm/testdata/QEMU/constellation-services/charts/{kms => keyservice}/templates/clusterrolebinding.yaml (78%) rename cli/internal/helm/testdata/QEMU/constellation-services/charts/{kms => keyservice}/templates/daemonset.yaml (86%) rename cli/internal/helm/testdata/QEMU/constellation-services/charts/{kms => keyservice}/templates/mastersecret.yaml (100%) rename cli/internal/helm/testdata/QEMU/constellation-services/charts/{kms => keyservice}/templates/service.yaml (82%) rename cli/internal/helm/testdata/{Azure/constellation-services/charts/kms => QEMU/constellation-services/charts/keyservice}/templates/serviceaccount.yaml (79%) rename {kms => keyservice}/Dockerfile (71%) rename {kms => keyservice}/cmd/main.go (85%) rename {kms => keyservice}/internal/README.md (98%) rename {kms => keyservice}/internal/config/config.go (100%) rename {kms => keyservice}/internal/server/server.go (83%) rename {kms => keyservice}/internal/server/server_test.go (72%) rename {kms => keyservice}/internal/storage/awss3storage.go (97%) rename {kms => keyservice}/internal/storage/awss3storage_test.go (100%) rename {kms => keyservice}/internal/storage/azurestorage.go (98%) rename {kms => keyservice}/internal/storage/azurestorage_test.go (100%) rename {kms => keyservice}/internal/storage/gcloudstorage.go (100%) rename {kms => keyservice}/internal/storage/gcloudstorage_integration_test.go (100%) rename {kms => keyservice}/internal/storage/gcloudstorage_test.go (100%) rename {kms => keyservice}/internal/storage/memfsstorage.go (100%) rename {kms => keyservice}/internal/storage/memfsstroage_test.go (100%) rename {kms => keyservice}/internal/storage/storage.go (100%) rename {kms => keyservice}/internal/test/aws_test.go (96%) rename {kms => keyservice}/internal/test/azure_test.go (94%) rename {kms => keyservice}/internal/test/gcp_test.go (93%) rename {kms => keyservice}/internal/test/integration_test.go (100%) rename kms/kmsproto/kms.pb.go => 
keyservice/keyserviceproto/keyservice.pb.go (54%) rename kms/kmsproto/kms.proto => keyservice/keyserviceproto/keyservice.proto (74%) rename kms/kmsproto/kms_grpc.pb.go => keyservice/keyserviceproto/keyservice_grpc.pb.go (97%) rename {kms => keyservice}/kms/aws/aws.go (97%) rename {kms => keyservice}/kms/aws/aws_test.go (98%) rename {kms => keyservice}/kms/azure/azure.go (95%) rename {kms => keyservice}/kms/azure/azure_test.go (97%) rename {kms => keyservice}/kms/azure/hsm.go (95%) rename {kms => keyservice}/kms/azure/hsm_test.go (97%) rename {kms => keyservice}/kms/cluster/cluster.go (100%) rename {kms => keyservice}/kms/cluster/cluster_test.go (100%) rename {kms => keyservice}/kms/gcp/gcp.go (97%) rename {kms => keyservice}/kms/gcp/gcp_test.go (98%) rename {kms => keyservice}/kms/kms.go (100%) rename {kms => keyservice}/kms/util/crypto.go (100%) rename {kms => keyservice}/kms/util/crypto_test.go (100%) rename {kms => keyservice}/setup/setup.go (93%) rename {kms => keyservice}/setup/setup_test.go (100%) diff --git a/.github/actions/e2e_mini/run-e2e.sh b/.github/actions/e2e_mini/run-e2e.sh index 500b0c9ca..e2bdd57da 100644 --- a/.github/actions/e2e_mini/run-e2e.sh +++ b/.github/actions/e2e_mini/run-e2e.sh @@ -56,7 +56,7 @@ kubectl -n kube-system wait --for=condition=Available=True --timeout=180s deploy # Wait for daemon sets kubectl -n kube-system rollout status --timeout 180s daemonset cilium kubectl -n kube-system rollout status --timeout 180s daemonset join-service -kubectl -n kube-system rollout status --timeout 180s daemonset kms +kubectl -n kube-system rollout status --timeout 180s daemonset keyservice kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent kubectl -n kube-system rollout status --timeout 180s daemonset verification-service echo "::endgroup::" 
diff --git a/.github/workflows/build-kms-image.yml b/.github/workflows/build-keyservice-image.yml similarity index 86% rename from .github/workflows/build-kms-image.yml rename to .github/workflows/build-keyservice-image.yml index e18c6ede2..49746e57f 100644 --- a/.github/workflows/build-kms-image.yml +++ b/.github/workflows/build-keyservice-image.yml @@ -1,4 +1,4 @@ -name: Build and upload KMS image +name: Build and upload KeyService image on: workflow_dispatch: @@ -7,12 +7,12 @@ on: - main - "release/**" paths: - - "kms/**" + - "keyservice/**" - "internal/**" - "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops jobs: - build-kms-server: + build-keyservice: runs-on: ubuntu-22.04 permissions: contents: read @@ -29,13 +29,13 @@ jobs: with: go-version: "1.19.5" - - name: Build and upload KMS server container image + - name: Build and upload KeyService container image id: build-and-upload uses: ./.github/actions/build_micro_service with: - name: kmsserver + name: keyservice projectVersion: "0.0.0" - dockerfile: kms/Dockerfile + dockerfile: keyservice/Dockerfile githubToken: ${{ secrets.GITHUB_TOKEN }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} diff --git a/.github/workflows/build-micro-service-manual.yml b/.github/workflows/build-micro-service-manual.yml index f2bb5854c..8364efd62 100644 --- a/.github/workflows/build-micro-service-manual.yml +++ b/.github/workflows/build-micro-service-manual.yml @@ -8,7 +8,7 @@ on: type: choice options: - "join-service" - - "kmsserver" + - "keyservice" - "verification-service" - "qemu-metadata-api" - "filebeat-debugd" 
@@ -80,8 +80,8 @@ jobs: case "${{ inputs.microService }}" in "join-service" ) echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;; - "kmsserver" ) - echo "microServiceDockerfile=kms/Dockerfile" >> "$GITHUB_ENV" ;; + "keyservice" ) + echo "microServiceDockerfile=keyservice/Dockerfile" >> "$GITHUB_ENV" ;; "verification-service" ) echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;; "qemu-metadata-api" ) diff --git a/CODEOWNERS b/CODEOWNERS index 651e58429..80984c5d7 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -36,7 +36,7 @@ /internal/versions @katexochen /internal/versionsapi @katexochen /joinservice @daniel-weisse -/kms @daniel-weisse +/keyservice @daniel-weisse /operators @malt3 /upgrade-agent @3u13r /verify @daniel-weisse diff --git a/cli/internal/cmd/init.go b/cli/internal/cmd/init.go index 4d11ad01d..b7c78a4be 100644 --- a/cli/internal/cmd/init.go +++ b/cli/internal/cmd/init.go @@ -33,7 +33,7 @@ import ( "github.com/edgelesssys/constellation/v2/internal/license" "github.com/edgelesssys/constellation/v2/internal/retry" "github.com/edgelesssys/constellation/v2/internal/versions" - kms "github.com/edgelesssys/constellation/v2/kms/setup" + keyservice "github.com/edgelesssys/constellation/v2/keyservice/setup" "github.com/spf13/afero" "github.com/spf13/cobra" "google.golang.org/grpc" @@ -143,8 +143,8 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator *cloud req := &initproto.InitRequest{ MasterSecret: masterSecret.Key, Salt: masterSecret.Salt, - KmsUri: kms.ClusterKMSURI, - StorageUri: kms.NoStoreURI, + KmsUri: keyservice.ClusterKMSURI, + StorageUri: keyservice.NoStoreURI, KeyEncryptionKeyId: "", UseExistingKek: false, CloudServiceAccountUri: serviceAccURI, diff --git a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml index 80d7c3868..f39b6472d 100644 
--- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml @@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste type: application version: 2.4.0 dependencies: - - name: kms + - name: keyservice version: 2.4.0 tags: - Azure diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml index 3b0ef9a62..1b2ede570 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml @@ -121,7 +121,7 @@ spec: - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" - "--support-zone={{ .Values.node.supportZone }}" - "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}" - - "--kms-addr=kms.{{ .Values.node.kmsNamespace | default .Release.Namespace }}:{{ .Values.node.kmsPort }}" + - "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}" ports: - containerPort: {{ .Values.node.livenessProbe.healthPort }} name: healthz diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/values.yaml index 5b52761ef..6a948806f 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/values.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/values.yaml 
@@ -123,8 +123,10 @@ node: logLevel: 5 livenessProbe: healthPort: 29603 - kmsPort: "9000" - kmsNamespace: "kube-system" +global: + keyserviceName: "keyservice" + keyservicePort: 9000 + keyserviceNamespace: "kube-system" snapshot: enabled: false diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml index 7b589710e..819be7a74 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml @@ -41,7 +41,7 @@ spec: - "--v=5" - "--endpoint=unix:/csi/csi.sock" - "--run-controller-service=false" - - "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}" + - "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}" securityContext: privileged: true volumeMounts: diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/values.yaml index 135725a8b..3c5e0fde8 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/values.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/values.yaml @@ -29,8 +29,9 @@ csiController: replicas: 1 runOnControlPlane: true -csiNode: - kmsPort: "9000" - kmsNamespace: "kube-system" +global: + keyserviceName: "keyservice" + keyservicePort: 9000 + keyserviceNamespace: "kube-system" createStorageClass: true 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml index 480d05850..ed1960354 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml @@ -38,7 +38,7 @@ spec: image: {{ .Values.image | quote }} args: - --cloud-provider={{ .Values.csp }} - - --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }} + - --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }} volumeMounts: - mountPath: {{ .Values.global.serviceBasePath | quote }} name: config diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/.helmignore b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/.helmignore similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/.helmignore rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/.helmignore diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/Chart.yaml new file mode 100644 index 000000000..e018fabc5 --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +name: keyservice +description: A Helm chart to deploy the Constellation KeyService +type: application +version: 2.4.0 
diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrole.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrole.yaml similarity index 77% rename from cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrole.yaml rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrole.yaml index d44b4b1c9..4bcdadd01 100644 --- a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrole.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrole.yaml @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - k8s-app: kms - name: kms + k8s-app: keyservice + name: keyservice rules: - apiGroups: - "" diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/clusterrolebinding.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml similarity index 78% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/clusterrolebinding.yaml rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml index aabc6f519..4387ab25b 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/clusterrolebinding.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kms + name: keyservice roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kms + name: keyservice subjects: - kind: ServiceAccount - name: kms + name: keyservice namespace: {{ .Release.Namespace }} 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/daemonset.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/daemonset.yaml similarity index 87% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/daemonset.yaml rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/daemonset.yaml index 39480b7a6..8ce5e99fe 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/daemonset.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/daemonset.yaml @@ -2,25 +2,25 @@ apiVersion: apps/v1 kind: DaemonSet metadata: labels: - component: kms - k8s-app: kms + component: keyservice + k8s-app: keyservice kubernetes.io/cluster-service: "true" - name: kms + name: keyservice namespace: {{ .Release.Namespace }} spec: selector: matchLabels: - k8s-app: kms + k8s-app: keyservice template: metadata: labels: - k8s-app: kms + k8s-app: keyservice spec: containers: - - name: kms + - name: keyservice image: {{ .Values.image | quote }} args: - - --port={{ .Values.global.kmsPort }} + - --port={{ .Values.global.keyservicePort }} volumeMounts: - mountPath: {{ .Values.global.serviceBasePath | quote }} name: config @@ -29,7 +29,7 @@ spec: nodeSelector: node-role.kubernetes.io/control-plane: "" priorityClassName: system-cluster-critical - serviceAccountName: kms + serviceAccountName: keyservice tolerations: - key: CriticalAddonsOnly operator: Exists 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/mastersecret.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/mastersecret.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/mastersecret.yaml rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/mastersecret.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/service.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/service.yaml similarity index 56% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/service.yaml rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/service.yaml index a13d4a126..d6705cf65 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/service.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/service.yaml @@ -1,16 +1,16 @@ apiVersion: v1 kind: Service metadata: - name: kms + name: keyservice namespace: {{ .Release.Namespace }} spec: ports: - name: grpc - port: {{ .Values.global.kmsPort }} + port: {{ .Values.global.keyservicePort }} protocol: TCP - targetPort: {{ .Values.global.kmsPort }} + targetPort: {{ .Values.global.keyservicePort }} selector: - k8s-app: kms + k8s-app: keyservice type: ClusterIP status: loadBalancer: {} 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/serviceaccount.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/serviceaccount.yaml similarity index 81% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/serviceaccount.yaml rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/serviceaccount.yaml index 59123813c..06f37fa35 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/serviceaccount.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: kms + name: keyservice namespace: {{ .Release.Namespace }} diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.schema.json b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.schema.json similarity index 91% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.schema.json rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.schema.json index 3c8b9b46f..2d2c09f6f 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.schema.json +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.schema.json @@ -4,7 +4,7 @@ "image": { "description": "Container image to use for the spawned pods.", "type": "string", - "examples": ["ghcr.io/edgelesssys/constellation/kms:latest"] + "examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"] }, "masterSecret": { "description": "Secret used to derive key material within the cluster", 
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.yaml similarity index 100% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.yaml rename to cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.yaml diff --git a/cli/internal/helm/charts/edgeless/constellation-services/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/values.yaml index aaaddbb09..ef3aac81c 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/values.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/values.yaml @@ -1,6 +1,6 @@ global: - # Port on which the KMS service will listen. Global since join-service also uses the value. - kmsPort: 9000 + # Port on which the KeyService will listen. Global since join-service also uses the value. + keyservicePort: 9000 # Path to which secrets/CMs are mounted. serviceBasePath: /var/config # Name of the ConfigMap that holds measurements and other info. diff --git a/cli/internal/helm/loader.go b/cli/internal/helm/loader.go index e05939e7a..60f6a73af 100644 --- a/cli/internal/helm/loader.go +++ b/cli/internal/helm/loader.go @@ -52,7 +52,7 @@ const ( // ChartLoader loads embedded helm charts. type ChartLoader struct { joinServiceImage string - kmsImage string + keyserviceImage string ccmImage string cnmImage string autoscalerImage string @@ -78,7 +78,7 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) return &ChartLoader{ joinServiceImage: versions.JoinImage, - kmsImage: versions.KmsImage, + keyserviceImage: versions.KeyServiceImage, ccmImage: ccmImage, cnmImage: cnmImage, autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage, 
@@ -359,13 +359,14 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas csp := config.GetProvider() values := map[string]any{ "global": map[string]any{ - "kmsPort": constants.KMSPort, - "serviceBasePath": constants.ServiceBasePath, - "joinConfigCMName": constants.JoinConfigMap, - "internalCMName": constants.InternalConfigMap, + "keyservicePort": constants.KeyservicePort, + "keyserviceNamespace": "", // empty namespace means we use the release namespace + "serviceBasePath": constants.ServiceBasePath, + "joinConfigCMName": constants.JoinConfigMap, + "internalCMName": constants.InternalConfigMap, }, - "kms": map[string]any{ - "image": i.kmsImage, + "keyservice": map[string]any{ + "image": i.keyserviceImage, "masterSecret": base64.StdEncoding.EncodeToString(masterSecret), "salt": base64.StdEncoding.EncodeToString(salt), "saltKeyName": constants.ConstellationSaltKey, @@ -420,13 +421,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas "deployCSIDriver": config.DeployCSIDriver(), } - values["azuredisk-csi-driver"] = map[string]any{ - "node": map[string]any{ - "kmsPort": constants.KMSPort, - "kmsNamespace": "", // empty namespace means we use the release namespace - }, - } - values["tags"] = map[string]any{ "Azure": true, } @@ -444,13 +438,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas "deployCSIDriver": config.DeployCSIDriver(), } - values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{ - "csiNode": map[string]any{ - "kmsPort": constants.KMSPort, - "kmsNamespace": "", // empty namespace means we use the release namespace - }, - } - values["tags"] = map[string]any{ "GCP": true, } diff --git a/cli/internal/helm/loader_test.go b/cli/internal/helm/loader_test.go index b23566948..834797b4f 100644 --- a/cli/internal/helm/loader_test.go +++ b/cli/internal/helm/loader_test.go 
@@ -90,7 +90,7 @@ func TestConstellationServices(t *testing.T) { chartLoader := ChartLoader{ joinServiceImage: "joinServiceImage", - kmsImage: "kmsImage", + keyserviceImage: "keyserviceImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage", @@ -159,7 +159,7 @@ func TestOperators(t *testing.T) { chartLoader := ChartLoader{ joinServiceImage: "joinServiceImage", - kmsImage: "kmsImage", + keyserviceImage: "keyserviceImage", ccmImage: "ccmImage", cnmImage: "cnmImage", autoscalerImage: "autoscalerImage", 
@@ -301,40 +301,38 @@ func prepareGCPValues(values map[string]any) error { testTag := "v0.0.0" pullPolicy := "IfNotPresent" - csiVals, ok := values["gcp-compute-persistent-disk-csi-driver"].(map[string]any) - if !ok { - return errors.New("missing 'gcp-compute-persistent-disk-csi-driver' key") - } - csiVals["image"] = map[string]any{ - "csiProvisioner": map[string]any{ - "repo": "csi-provisioner", - "tag": testTag, - "pullPolicy": pullPolicy, - }, - "csiAttacher": map[string]any{ - "repo": "csi-attacher", - "tag": testTag, - "pullPolicy": pullPolicy, - }, - "csiResizer": map[string]any{ - "repo": "csi-resizer", - "tag": testTag, - "pullPolicy": pullPolicy, - }, - "csiSnapshotter": map[string]any{ - "repo": "csi-snapshotter", - "tag": testTag, - "pullPolicy": pullPolicy, - }, - "csiNodeRegistrar": map[string]any{ - "repo": "csi-registrar", - "tag": testTag, - "pullPolicy": pullPolicy, - }, - "gcepdDriver": map[string]any{ - "repo": "csi-driver", - "tag": testTag, - "pullPolicy": pullPolicy, + values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{ + "image": map[string]any{ + "csiProvisioner": map[string]any{ + "repo": "csi-provisioner", + "tag": testTag, + "pullPolicy": pullPolicy, + }, + "csiAttacher": map[string]any{ + "repo": "csi-attacher", + "tag": testTag, + "pullPolicy": pullPolicy, + }, + "csiResizer": map[string]any{ + "repo": "csi-resizer", + "tag": testTag, + "pullPolicy": pullPolicy, + }, + "csiSnapshotter": map[string]any{ + "repo": "csi-snapshotter", + "tag": testTag, + "pullPolicy": pullPolicy, + }, + "csiNodeRegistrar": map[string]any{ + "repo": "csi-registrar", + "tag": testTag, + "pullPolicy": pullPolicy, + }, + "gcepdDriver": map[string]any{ + "repo": "csi-driver", + "tag": testTag, + "pullPolicy": pullPolicy, + }, }, } 
diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml index 061263a22..dbb225d36 100644 --- a/cli/internal/helm/testdata/Azure/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml +++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml @@ -107,7 +107,7 @@ spec: - "--allow-empty-cloud-config=true" - "--support-zone=true" - "--get-node-info-from-labels=false" - - "--kms-addr=kms.testNamespace:9000" + - "--kms-addr=keyservice.testNamespace:9000" ports: - containerPort: 29603 name: healthz diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml index 29d643666..a8ec13b0b 100644 --- a/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml @@ -38,7 +38,7 @@ spec: image: joinServiceImage args: - --cloud-provider=Azure - - --kms-endpoint=kms.testNamespace:9000 + - --keyservice-endpoint=keyservice.testNamespace:9000 volumeMounts: - mountPath: /var/config name: config diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/clusterrole.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/clusterrole.yaml similarity index 77% rename from cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/clusterrole.yaml rename to cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/clusterrole.yaml index d44b4b1c9..4bcdadd01 100644 
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/templates/clusterrole.yaml +++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/clusterrole.yaml @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - k8s-app: kms - name: kms + k8s-app: keyservice + name: keyservice rules: - apiGroups: - "" diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml similarity index 78% rename from cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrolebinding.yaml rename to cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml index eba2c78c3..19d1b7196 100644 --- a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrolebinding.yaml +++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kms + name: keyservice roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kms + name: keyservice subjects: - kind: ServiceAccount - name: kms + name: keyservice namespace: testNamespace diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/daemonset.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/daemonset.yaml similarity index 86% rename from cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/daemonset.yaml rename to cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/daemonset.yaml index 2f744e199..ec6e161a3 100644 
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/daemonset.yaml +++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/daemonset.yaml @@ -2,23 +2,23 @@ apiVersion: apps/v1 kind: DaemonSet metadata: labels: - component: kms - k8s-app: kms + component: keyservice + k8s-app: keyservice kubernetes.io/cluster-service: "true" - name: kms + name: keyservice namespace: testNamespace spec: selector: matchLabels: - k8s-app: kms + k8s-app: keyservice template: metadata: labels: - k8s-app: kms + k8s-app: keyservice spec: containers: - - name: kms - image: kmsImage + - name: keyservice + image: keyserviceImage args: - --port=9000 volumeMounts: @@ -29,7 +29,7 @@ spec: nodeSelector: node-role.kubernetes.io/control-plane: "" priorityClassName: system-cluster-critical - serviceAccountName: kms + serviceAccountName: keyservice tolerations: - key: CriticalAddonsOnly operator: Exists diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/mastersecret.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/mastersecret.yaml similarity index 100% rename from cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/mastersecret.yaml rename to cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/mastersecret.yaml diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/service.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/service.yaml similarity index 82% rename from cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/service.yaml rename to cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/service.yaml index d0daaa0c1..b15e2e24c 100644 --- a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/service.yaml 
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: kms + name: keyservice namespace: testNamespace spec: ports: @@ -10,7 +10,7 @@ spec: protocol: TCP targetPort: 9000 selector: - k8s-app: kms + k8s-app: keyservice type: ClusterIP status: loadBalancer: {} diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/serviceaccount.yaml b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/serviceaccount.yaml similarity index 79% rename from cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/serviceaccount.yaml rename to cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/serviceaccount.yaml index c5f506fe5..18c918290 100644 --- a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/serviceaccount.yaml +++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/keyservice/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: kms + name: keyservice namespace: testNamespace diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml index 441edae3c..a1e1963c2 100644 --- a/cli/internal/helm/testdata/GCP/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml +++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml @@ -41,7 +41,7 @@ spec: - "--v=5" - "--endpoint=unix:/csi/csi.sock" - "--run-controller-service=false" - - "--kms-addr=kms.testNamespace:9000" + - "--kms-addr=keyservice.testNamespace:9000" securityContext: privileged: true volumeMounts: 
diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml index 6b813c4ae..ac09d955d 100644 --- a/cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml @@ -38,7 +38,7 @@ spec: image: joinServiceImage args: - --cloud-provider=GCP - - --kms-endpoint=kms.testNamespace:9000 + - --keyservice-endpoint=keyservice.testNamespace:9000 volumeMounts: - mountPath: /var/config name: config diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrole.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/clusterrole.yaml similarity index 77% rename from cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrole.yaml rename to cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/clusterrole.yaml index d44b4b1c9..4bcdadd01 100644 --- a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrole.yaml +++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/clusterrole.yaml @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - k8s-app: kms - name: kms + k8s-app: keyservice + name: keyservice rules: - apiGroups: - "" 
diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml similarity index 78% rename from cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrolebinding.yaml rename to cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml index eba2c78c3..19d1b7196 100644 --- a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrolebinding.yaml +++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kms + name: keyservice roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kms + name: keyservice subjects: - kind: ServiceAccount - name: kms + name: keyservice namespace: testNamespace diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/daemonset.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/daemonset.yaml similarity index 86% rename from cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/daemonset.yaml rename to cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/daemonset.yaml index 2f744e199..ec6e161a3 100644 --- a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/daemonset.yaml +++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/daemonset.yaml 
@@ -2,23 +2,23 @@ apiVersion: apps/v1 kind: DaemonSet metadata: labels: - component: kms - k8s-app: kms + component: keyservice + k8s-app: keyservice kubernetes.io/cluster-service: "true" - name: kms + name: keyservice namespace: testNamespace spec: selector: matchLabels: - k8s-app: kms + k8s-app: keyservice template: metadata: labels: - k8s-app: kms + k8s-app: keyservice spec: containers: - - name: kms - image: kmsImage + - name: keyservice + image: keyserviceImage args: - --port=9000 volumeMounts: @@ -29,7 +29,7 @@ spec: nodeSelector: node-role.kubernetes.io/control-plane: "" priorityClassName: system-cluster-critical - serviceAccountName: kms + serviceAccountName: keyservice tolerations: - key: CriticalAddonsOnly operator: Exists diff --git a/cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/mastersecret.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/mastersecret.yaml similarity index 100% rename from cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/mastersecret.yaml rename to cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/mastersecret.yaml diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/service.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/service.yaml similarity index 82% rename from cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/service.yaml rename to cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/service.yaml index d0daaa0c1..b15e2e24c 100644 --- a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/service.yaml +++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: kms + name: keyservice namespace: testNamespace spec: ports: 
@@ -10,7 +10,7 @@ spec: protocol: TCP targetPort: 9000 selector: - k8s-app: kms + k8s-app: keyservice type: ClusterIP status: loadBalancer: {} diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/serviceaccount.yaml b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/serviceaccount.yaml similarity index 79% rename from cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/serviceaccount.yaml rename to cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/serviceaccount.yaml index c5f506fe5..18c918290 100644 --- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/serviceaccount.yaml +++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/keyservice/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: kms + name: keyservice namespace: testNamespace diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml index 3efd41e96..b1fc44076 100644 --- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml +++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml @@ -38,7 +38,7 @@ spec: image: joinServiceImage args: - --cloud-provider=QEMU - - --kms-endpoint=kms.testNamespace:9000 + - --keyservice-endpoint=keyservice.testNamespace:9000 volumeMounts: - mountPath: /var/config name: config 
diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrole.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/clusterrole.yaml similarity index 77% rename from cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrole.yaml rename to cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/clusterrole.yaml index d44b4b1c9..4bcdadd01 100644 --- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrole.yaml +++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/clusterrole.yaml @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - k8s-app: kms - name: kms + k8s-app: keyservice + name: keyservice rules: - apiGroups: - "" diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrolebinding.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml similarity index 78% rename from cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrolebinding.yaml rename to cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml index eba2c78c3..19d1b7196 100644 --- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrolebinding.yaml +++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kms + name: keyservice roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kms + name: keyservice subjects: - kind: ServiceAccount - name: kms + name: keyservice namespace: testNamespace 
diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/daemonset.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/daemonset.yaml similarity index 86% rename from cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/daemonset.yaml rename to cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/daemonset.yaml index 2f744e199..ec6e161a3 100644 --- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/daemonset.yaml +++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/daemonset.yaml @@ -2,23 +2,23 @@ apiVersion: apps/v1 kind: DaemonSet metadata: labels: - component: kms - k8s-app: kms + component: keyservice + k8s-app: keyservice kubernetes.io/cluster-service: "true" - name: kms + name: keyservice namespace: testNamespace spec: selector: matchLabels: - k8s-app: kms + k8s-app: keyservice template: metadata: labels: - k8s-app: kms + k8s-app: keyservice spec: containers: - - name: kms - image: kmsImage + - name: keyservice + image: keyserviceImage args: - --port=9000 volumeMounts: @@ -29,7 +29,7 @@ spec: nodeSelector: node-role.kubernetes.io/control-plane: "" priorityClassName: system-cluster-critical - serviceAccountName: kms + serviceAccountName: keyservice tolerations: - key: CriticalAddonsOnly operator: Exists diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/mastersecret.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/mastersecret.yaml similarity index 100% rename from cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/mastersecret.yaml rename to cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/mastersecret.yaml 
diff --git a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/service.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/service.yaml similarity index 82% rename from cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/service.yaml rename to cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/service.yaml index d0daaa0c1..b15e2e24c 100644 --- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/service.yaml +++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: kms + name: keyservice namespace: testNamespace spec: ports: @@ -10,7 +10,7 @@ spec: protocol: TCP targetPort: 9000 selector: - k8s-app: kms + k8s-app: keyservice type: ClusterIP status: loadBalancer: {} diff --git a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/serviceaccount.yaml b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/serviceaccount.yaml similarity index 79% rename from cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/serviceaccount.yaml rename to cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/serviceaccount.yaml index c5f506fe5..18c918290 100644 --- a/cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/serviceaccount.yaml +++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/keyservice/templates/serviceaccount.yaml @@ -1,5 +1,5 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: kms + name: keyservice namespace: testNamespace diff --git a/cli/internal/helm/update-csi-charts.sh b/cli/internal/helm/update-csi-charts.sh index af115ccab..8dfd3344e 100755 --- a/cli/internal/helm/update-csi-charts.sh +++ b/cli/internal/helm/update-csi-charts.sh 
@@ -48,8 +48,8 @@ download_chart() { ## GCP CSI Driver # TODO: clone from main branch once we rebase on upstream -download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.0" "charts" "gcp-compute-persistent-disk-csi-driver" +download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.1" "charts" "gcp-compute-persistent-disk-csi-driver" ## Azure CSI Driver # TODO: clone from main branch once we rebase on upstream -download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.0" "charts/edgeless" "azuredisk-csi-driver" +download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.1" "charts/edgeless" "azuredisk-csi-driver" diff --git a/csi/kms/constellation.go b/csi/kms/constellation.go index 63164da83..dbc310bdb 100644 --- a/csi/kms/constellation.go +++ b/csi/kms/constellation.go @@ -10,7 +10,7 @@ import ( "context" "fmt" - "github.com/edgelesssys/constellation/v2/kms/kmsproto" + "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto" "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" ) @@ -39,7 +39,7 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int res, err := k.kms.GetDataKey( ctx, - &kmsproto.GetDataKeyRequest{ + &keyserviceproto.GetDataKeyRequest{ DataKeyId: dekID, Length: uint32(dekSize), }, 
@@ -53,11 +53,11 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int } type kmsClient interface { - GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) + GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) } type constellationKMSClient struct{} -func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { - return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req) +func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) { + return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req) } diff --git a/csi/kms/constellation_test.go b/csi/kms/constellation_test.go index 455b9e51d..4b362d287 100644 --- a/csi/kms/constellation_test.go +++ b/csi/kms/constellation_test.go @@ -11,7 +11,7 @@ import ( "errors" "testing" - "github.com/edgelesssys/constellation/v2/kms/kmsproto" + "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto" "github.com/stretchr/testify/assert" "go.uber.org/goleak" "google.golang.org/grpc" @@ -27,8 +27,8 @@ type stubKMSClient struct { dataKey []byte } -func (c *stubKMSClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { - return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr +func (c *stubKMSClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) { + return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr } func TestConstellationKMS(t *testing.T) { diff --git a/dev-docs/layout.md b/dev-docs/layout.md index 19894fde0..a1a7d7cf6 100644 --- a/dev-docs/layout.md 
+++ b/dev-docs/layout.md @@ -5,7 +5,7 @@ Core components: * [cli](/cli): The CLI is used to manage a Constellation cluster * [bootstrapper](/bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node * [image](/image): Build files for the Constellation disk image -* [kms](/kms): Constellation's key management client and server +* [keyservice](/keyservice): Constellation's key management client and server * [csi](/csi): Package used by CSI plugins to create and mount encrypted block devices * [disk-mapper](/disk-mapper): Contains the disk-mapper that maps the encrypted node data disk during boot diff --git a/docs/docs/architecture/components.md b/docs/docs/architecture/components.md index f29037b09..19300de7f 100644 --- a/docs/docs/architecture/components.md +++ b/docs/docs/architecture/components.md @@ -7,7 +7,7 @@ These features are provided by several components: * The [Bootstrapper](components.md#bootstrapper) initializes a Constellation node and bootstraps the cluster * The [JoinService](components.md#joinservice) joins new nodes to an existing cluster * The [VerificationService](components.md#verificationservice) provides remote attestation functionality -* The [Key Management Service (KMS)](components.md#kms) manages Constellation-internal keys +* The [KeyService](components.md#keyservice) manages Constellation-internal keys The relations between components are shown in the following diagram: @@ -22,7 +22,7 @@ flowchart LR end subgraph Kubernetes D[JoinService] - E[KMS] + E[KeyService] F[VerificationService] end A -- deploys --> 
@@ -45,7 +45,7 @@ Otherwise, it waits for an initialization request to create a new Kubernetes clu The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node. New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls). The *JoinService* verifies the new node's certificate and attestation statement. -If attestation is successful, the new node is supplied with an encryption key from the [*KMS*](components.md#kms) for its state disk, and a Kubernetes bootstrap token. +If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](components.md#keyservice) for its state disk, and a Kubernetes bootstrap token. ```mermaid @@ -55,8 +55,8 @@ sequenceDiagram New node->>JoinService: aTLS handshake (server side verification) JoinService-->>New node: # New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane) - JoinService->>+KMS: GetDataKey(DiskUUID) - KMS-->>-JoinService: DiskEncryptionKey + JoinService->>+KeyService: GetDataKey(DiskUUID) + KeyService-->>-JoinService: DiskEncryptionKey JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ... ``` 
@@ -66,8 +66,8 @@ The *VerificationService* runs as DaemonSet on each node. It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation). Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side. -## KMS +## KeyService -The *KMS* runs as DaemonSet on each control-plane node. +The *KeyService* runs as DaemonSet on each control-plane node. It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes. -Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KMS* holds the key encryption key (KEK) directly or calls an external service for key derivation respectively. +Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively. diff --git a/docs/docs/architecture/encrypted-storage.md b/docs/docs/architecture/encrypted-storage.md index ec2f0bdf0..ca69d72b5 100644 --- a/docs/docs/architecture/encrypted-storage.md +++ b/docs/docs/architecture/encrypted-storage.md 
@@ -28,7 +28,7 @@ All cryptographic operations happen inside the trusted environment of the confid Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported. -By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KMS*](components.md#kms). +By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](components.md#keyservice). The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret). This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator. diff --git a/internal/constants/constants.go b/internal/constants/constants.go index e13d01301..67889ebf3 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -44,8 +44,8 @@ const ( VerifyServiceNodePortHTTP = 30080 // VerifyServiceNodePortGRPC GRPC node port for verification service. VerifyServiceNodePortGRPC = 30081 - // KMSPort is the port the KMS server listens on. - KMSPort = 9000 + // KeyservicePort is the port the KMS server listens on. + KeyservicePort = 9000 // BootstrapperPort port of bootstrapper. BootstrapperPort = 9000 // KubernetesPort port for Kubernetes API. diff --git a/internal/versions/versions.go b/internal/versions/versions.go index 8a8745093..092421e6f 100644 --- a/internal/versions/versions.go +++ b/internal/versions/versions.go 
@@ -57,9 +57,9 @@ const ( // KonnectivityServerImage server image for konnectivity service. KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.35@sha256:d863f7fd0da4392b9753dc6c9195a658e80d70e0be8c9adb410d77cf20b75c76" // renovate:container // JoinImage image of Constellation join service. - JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:5fb9592e2777bfd54b460c09761a1d7fbcd47bad73efafc429b5fa88a0bf98fe" // renovate:container - // KmsImage image of Constellation KMS server. - KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:962ab2575028c3bd3b0ab97a572f4af96075ac031776b17bb2188aa2c40e12f3" // renovate:container + JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container + // KeyServiceImage image of Constellation KeyService server. + KeyServiceImage = "ghcr.io/edgelesssys/constellation/keyservice:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container // VerificationImage image of Constellation verification service. VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:43fd9d3494538d94f584dbcfa6d4fd82cadefe3e4fdaa33e9ffb19d8f6b98b94" // renovate:container // GcpGuestImage image for GCP guest agent. diff --git a/joinservice/README.md b/joinservice/README.md index a43ef5770..bc5dbc87f 100644 --- a/joinservice/README.md +++ b/joinservice/README.md @@ -34,7 +34,7 @@ sequenceDiagram ### [internal/kms](./internal/kms/) -Implements interaction with Constellation's key management service. +Implements interaction with Constellation's keyservice. This is needed for fetching data encryption keys for joining nodes. ### [internal/kubeadm](./internal/kubeadm/) diff --git a/joinservice/cmd/main.go b/joinservice/cmd/main.go index 87640f936..a146fae6b 100644 --- a/joinservice/cmd/main.go 
+++ b/joinservice/cmd/main.go @@ -40,7 +40,7 @@ const vpcIPTimeout = 30 * time.Second func main() { provider := flag.String("cloud-provider", "", "cloud service provider this binary is running on") - kmsEndpoint := flag.String("kms-endpoint", "", "endpoint of Constellations key management service") + keyserviceEndpoint := flag.String("keyservice-endpoint", "", "endpoint of Constellations key management service") verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription) flag.Parse() @@ -78,7 +78,7 @@ func main() { if err != nil { log.With(zap.Error(err)).Fatalf("Failed to create kubeadm") } - kms := kms.New(log.Named("kms"), *kmsEndpoint) + keyserviceClient := kms.New(log.Named("keyserviceClient"), *keyserviceEndpoint) measurementSalt, err := handler.Read(filepath.Join(constants.ServiceBasePath, constants.MeasurementSaltFilename)) if err != nil { @@ -89,7 +89,7 @@ func main() { measurementSalt, kubernetesca.New(log.Named("certificateAuthority"), handler), kubeadm, - kms, + keyserviceClient, log.Named("server"), ) if err != nil { diff --git a/joinservice/internal/kms/kms.go b/joinservice/internal/kms/kms.go index ef16019fa..e63a00cc9 100644 --- a/joinservice/internal/kms/kms.go +++ b/joinservice/internal/kms/kms.go @@ -11,13 +11,13 @@ import ( "fmt" "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/edgelesssys/constellation/v2/kms/kmsproto" + "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto" "go.uber.org/zap" "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" ) -// Client interacts with Constellation's key management service. +// Client interacts with Constellation's keyservice. type Client struct { log *logger.Logger endpoint string 
@@ -48,7 +48,7 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt log.Infof("Requesting data key") res, err := c.grpc.GetDataKey( ctx, - &kmsproto.GetDataKeyRequest{ + &keyserviceproto.GetDataKeyRequest{ DataKeyId: keyID, Length: uint32(length), }, @@ -63,11 +63,11 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt } type grpcClient interface { - GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) + GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) } type client struct{} -func (c client) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { - return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req) +func (c client) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) { + return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req) } diff --git a/joinservice/internal/kms/kms_test.go b/joinservice/internal/kms/kms_test.go index 9d824dc26..e91fb34d6 100644 --- a/joinservice/internal/kms/kms_test.go +++ b/joinservice/internal/kms/kms_test.go @@ -12,7 +12,7 @@ import ( "testing" "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/edgelesssys/constellation/v2/kms/kmsproto" + "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto" "github.com/stretchr/testify/assert" "go.uber.org/goleak" "google.golang.org/grpc" 
@@ -24,8 +24,8 @@ type stubClient struct { dataKey []byte } -func (c *stubClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { - return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr +func (c *stubClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) { + return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr } func TestMain(m *testing.M) { diff --git a/kms/Dockerfile b/keyservice/Dockerfile similarity index 71% rename from kms/Dockerfile rename to keyservice/Dockerfile index 2b14a540e..2d32d7979 100644 --- a/kms/Dockerfile +++ b/keyservice/Dockerfile @@ -22,10 +22,10 @@ RUN rm -rf ./hack/ # Build RUN mkdir -p /constellation/build -WORKDIR /constellation/kms/cmd +WORKDIR /constellation/keyservice/cmd ARG PROJECT_VERSION=0.0.0 -RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/kmsserver -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}" +RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/keyservice -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}" FROM gcr.io/distroless/static:nonroot@sha256:1fa522fe6cfe020d50341f1ca561c099487bd44f8eb98d25d1920b07e05e40be as release -COPY --from=build /constellation/build/kmsserver /kmsserver -ENTRYPOINT ["/kmsserver"] +COPY --from=build /constellation/build/keyservice /keyservice +ENTRYPOINT ["/keyservice"] diff --git a/kms/cmd/main.go b/keyservice/cmd/main.go similarity index 85% rename from kms/cmd/main.go rename to keyservice/cmd/main.go index f980aed2c..187b40401 100644 --- a/kms/cmd/main.go +++ b/keyservice/cmd/main.go 
@@ -19,14 +19,14 @@ import ( "github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/edgelesssys/constellation/v2/kms/internal/server" - "github.com/edgelesssys/constellation/v2/kms/setup" + "github.com/edgelesssys/constellation/v2/keyservice/internal/server" + "github.com/edgelesssys/constellation/v2/keyservice/setup" "github.com/spf13/afero" "go.uber.org/zap" ) func main() { - port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on") + port := flag.String("port", strconv.Itoa(constants.KeyservicePort), "Port gRPC server listens on") masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret") saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationSaltKey), "Path to the Constellation salt") verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription) @@ -66,7 +66,7 @@ func main() { log.With(zap.Error(err)).Fatalf("Failed to create KMS KEK from MasterKey") } - if err := server.New(log.Named("kms"), conKMS).Run(*port); err != nil { - log.With(zap.Error(err)).Fatalf("Failed to run KMS server") + if err := server.New(log.Named("keyservice"), conKMS).Run(*port); err != nil { + log.With(zap.Error(err)).Fatalf("Failed to run keyservice server") } } diff --git a/kms/internal/README.md b/keyservice/internal/README.md similarity index 98% rename from kms/internal/README.md rename to keyservice/internal/README.md index fe5aea7d6..b6e1dd61e 100644 --- a/kms/internal/README.md +++ b/keyservice/internal/README.md 
@@ -6,10 +6,10 @@ It's intendet for the Constellation CSI Plugins and the CLI. ## KMS The Cloud KMS is where we store our key encryption key (KEK). -It should be initiated by the CLI and provided with a key release policy. -The CSP Plugin can request to encrypt data encryption keys (DEK) with the DEK to safely store them on persistent memory. +The KMS should be initiated by the CLI and provided with a key release policy. +The CSP Plugin can request to encrypt data encryption keys (DEK) with the KEK to safely store the DEKs in persistent storage. The [kms](../kms/) package interacts with the Cloud KMS APIs. -Currently planned are KMS are: +Support is planed for: * AWS KMS * GCP CKM diff --git a/kms/internal/config/config.go b/keyservice/internal/config/config.go similarity index 100% rename from kms/internal/config/config.go rename to keyservice/internal/config/config.go diff --git a/kms/internal/server/server.go b/keyservice/internal/server/server.go similarity index 83% rename from kms/internal/server/server.go rename to keyservice/internal/server/server.go index b0ebc1570..084c8cab7 100644 --- a/kms/internal/server/server.go +++ b/keyservice/internal/server/server.go @@ -15,8 +15,8 @@ import ( "github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/grpc/grpclog" "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/edgelesssys/constellation/v2/kms/kms" - "github.com/edgelesssys/constellation/v2/kms/kmsproto" + "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto" + "github.com/edgelesssys/constellation/v2/keyservice/kms" "go.uber.org/zap" "go.uber.org/zap/zapcore" "google.golang.org/grpc" @@ -30,7 +30,7 @@ import ( type Server struct { log *logger.Logger conKMS kms.CloudKMS - kmsproto.UnimplementedAPIServer + keyserviceproto.UnimplementedAPIServer } // New creates a new Server. 
@@ -50,7 +50,7 @@ func (s *Server) Run(port string) error { } server := grpc.NewServer(s.log.Named("gRPC").GetServerUnaryInterceptor()) - kmsproto.RegisterAPIServer(server, s) + keyserviceproto.RegisterAPIServer(server, s) s.log.Named("gRPC").WithIncreasedLevel(zapcore.WarnLevel).ReplaceGRPCLogger() // start the server @@ -59,7 +59,7 @@ func (s *Server) Run(port string) error { } // GetDataKey returns a data key. -func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) { +func (s *Server) GetDataKey(ctx context.Context, in *keyserviceproto.GetDataKeyRequest) (*keyserviceproto.GetDataKeyResponse, error) { log := s.log.With("peerAddress", grpclog.PeerAddrFromContext(ctx)) // Error on 0 key length @@ -79,5 +79,5 @@ func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) log.With(zap.Error(err)).Errorf("Failed to get data key") return nil, status.Errorf(codes.Internal, "%v", err) } - return &kmsproto.GetDataKeyResponse{DataKey: key}, nil + return &keyserviceproto.GetDataKeyResponse{DataKey: key}, nil } diff --git a/kms/internal/server/server_test.go b/keyservice/internal/server/server_test.go similarity index 72% rename from kms/internal/server/server_test.go rename to keyservice/internal/server/server_test.go index 9bca55cf7..f8db54af6 100644 --- a/kms/internal/server/server_test.go +++ b/keyservice/internal/server/server_test.go @@ -12,7 +12,7 @@ import ( "testing" "github.com/edgelesssys/constellation/v2/internal/logger" - "github.com/edgelesssys/constellation/v2/kms/kmsproto" + "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/goleak" 
@@ -31,23 +31,23 @@ func TestGetDataKey(t *testing.T) { kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}} api := New(log, kms) - res, err := api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) + res, err := api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) require.NoError(err) assert.Equal(kms.derivedKey, res.DataKey) // Test no data key id - res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{Length: 32}) + res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{Length: 32}) require.Error(err) assert.Nil(res) // Test no / zero key length - res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1"}) + res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"}) require.Error(err) assert.Nil(res) // Test derive key error api = New(log, &stubKMS{deriveKeyErr: errors.New("error")}) - res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) + res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) assert.Error(err) assert.Nil(res) } diff --git a/kms/internal/storage/awss3storage.go b/keyservice/internal/storage/awss3storage.go similarity index 97% rename from kms/internal/storage/awss3storage.go rename to keyservice/internal/storage/awss3storage.go index 12e15e5cd..ef656930c 100644 --- a/kms/internal/storage/awss3storage.go +++ b/keyservice/internal/storage/awss3storage.go @@ -16,7 +16,7 @@ import ( awsconfig "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/s3/types" - "github.com/edgelesssys/constellation/v2/kms/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" ) type awsS3ClientAPI interface { 
diff --git a/kms/internal/storage/awss3storage_test.go b/keyservice/internal/storage/awss3storage_test.go similarity index 100% rename from kms/internal/storage/awss3storage_test.go rename to keyservice/internal/storage/awss3storage_test.go diff --git a/kms/internal/storage/azurestorage.go b/keyservice/internal/storage/azurestorage.go similarity index 98% rename from kms/internal/storage/azurestorage.go rename to keyservice/internal/storage/azurestorage.go index 37574506c..f592b73c2 100644 --- a/kms/internal/storage/azurestorage.go +++ b/keyservice/internal/storage/azurestorage.go @@ -16,7 +16,7 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob" "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror" "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container" - "github.com/edgelesssys/constellation/v2/kms/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" ) type azureBlobAPI interface { diff --git a/kms/internal/storage/azurestorage_test.go b/keyservice/internal/storage/azurestorage_test.go similarity index 100% rename from kms/internal/storage/azurestorage_test.go rename to keyservice/internal/storage/azurestorage_test.go diff --git a/kms/internal/storage/gcloudstorage.go b/keyservice/internal/storage/gcloudstorage.go similarity index 100% rename from kms/internal/storage/gcloudstorage.go rename to keyservice/internal/storage/gcloudstorage.go diff --git a/kms/internal/storage/gcloudstorage_integration_test.go b/keyservice/internal/storage/gcloudstorage_integration_test.go similarity index 100% rename from kms/internal/storage/gcloudstorage_integration_test.go rename to keyservice/internal/storage/gcloudstorage_integration_test.go diff --git a/kms/internal/storage/gcloudstorage_test.go b/keyservice/internal/storage/gcloudstorage_test.go similarity index 100% rename from kms/internal/storage/gcloudstorage_test.go rename to keyservice/internal/storage/gcloudstorage_test.go 
diff --git a/kms/internal/storage/memfsstorage.go b/keyservice/internal/storage/memfsstorage.go similarity index 100% rename from kms/internal/storage/memfsstorage.go rename to keyservice/internal/storage/memfsstorage.go diff --git a/kms/internal/storage/memfsstroage_test.go b/keyservice/internal/storage/memfsstroage_test.go similarity index 100% rename from kms/internal/storage/memfsstroage_test.go rename to keyservice/internal/storage/memfsstroage_test.go diff --git a/kms/internal/storage/storage.go b/keyservice/internal/storage/storage.go similarity index 100% rename from kms/internal/storage/storage.go rename to keyservice/internal/storage/storage.go diff --git a/kms/internal/test/aws_test.go b/keyservice/internal/test/aws_test.go similarity index 96% rename from kms/internal/test/aws_test.go rename to keyservice/internal/test/aws_test.go index 30c70ea6e..732f02a98 100644 --- a/kms/internal/test/aws_test.go +++ b/keyservice/internal/test/aws_test.go @@ -19,9 +19,9 @@ import ( "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/s3/types" - kmsconfig "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - awsInterface "github.com/edgelesssys/constellation/v2/kms/kms/aws" + kmsconfig "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + awsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms/aws" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/kms/internal/test/azure_test.go b/keyservice/internal/test/azure_test.go similarity index 94% rename from kms/internal/test/azure_test.go rename to keyservice/internal/test/azure_test.go index 8093d99b1..f0135abe9 100644 --- a/kms/internal/test/azure_test.go +++ b/keyservice/internal/test/azure_test.go 
@@ -13,9 +13,9 @@ import ( "testing" "time" - "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - "github.com/edgelesssys/constellation/v2/kms/kms/azure" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + "github.com/edgelesssys/constellation/v2/keyservice/kms/azure" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/kms/internal/test/gcp_test.go b/keyservice/internal/test/gcp_test.go similarity index 93% rename from kms/internal/test/gcp_test.go rename to keyservice/internal/test/gcp_test.go index e06e99bcd..81e046e4c 100644 --- a/kms/internal/test/gcp_test.go +++ b/keyservice/internal/test/gcp_test.go @@ -14,9 +14,9 @@ import ( "time" "cloud.google.com/go/kms/apiv1/kmspb" - "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - "github.com/edgelesssys/constellation/v2/kms/kms/gcp" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + "github.com/edgelesssys/constellation/v2/keyservice/kms/gcp" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/kms/internal/test/integration_test.go b/keyservice/internal/test/integration_test.go similarity index 100% rename from kms/internal/test/integration_test.go rename to keyservice/internal/test/integration_test.go diff --git a/kms/kmsproto/kms.pb.go b/keyservice/keyserviceproto/keyservice.pb.go similarity index 54% rename from kms/kmsproto/kms.pb.go rename to keyservice/keyserviceproto/keyservice.pb.go index 825df8d6e..971103365 100644 --- a/kms/kmsproto/kms.pb.go +++ b/keyservice/keyserviceproto/keyservice.pb.go 
@@ -2,9 +2,9 @@ // versions: // protoc-gen-go v1.28.1 // protoc v3.21.8 -// source: kms.proto +// source: keyservice.proto -package kmsproto +package keyserviceproto import ( protoreflect "google.golang.org/protobuf/reflect/protoreflect" @@ -32,7 +32,7 @@ type GetDataKeyRequest struct { func (x *GetDataKeyRequest) Reset() { *x = GetDataKeyRequest{} if protoimpl.UnsafeEnabled { - mi := &file_kms_proto_msgTypes[0] + mi := &file_keyservice_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -45,7 +45,7 @@ func (x *GetDataKeyRequest) String() string { func (*GetDataKeyRequest) ProtoMessage() {} func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message { - mi := &file_kms_proto_msgTypes[0] + mi := &file_keyservice_proto_msgTypes[0] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -58,7 +58,7 @@ func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead. func (*GetDataKeyRequest) Descriptor() ([]byte, []int) { - return file_kms_proto_rawDescGZIP(), []int{0} + return file_keyservice_proto_rawDescGZIP(), []int{0} } func (x *GetDataKeyRequest) GetDataKeyId() string { @@ -86,7 +86,7 @@ type GetDataKeyResponse struct { func (x *GetDataKeyResponse) Reset() { *x = GetDataKeyResponse{} if protoimpl.UnsafeEnabled { - mi := &file_kms_proto_msgTypes[1] + mi := &file_keyservice_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -99,7 +99,7 @@ func (x *GetDataKeyResponse) String() string { func (*GetDataKeyResponse) ProtoMessage() {} func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message { - mi := &file_kms_proto_msgTypes[1] + mi := &file_keyservice_proto_msgTypes[1] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -112,7 +112,7 @@ func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead. func (*GetDataKeyResponse) Descriptor() ([]byte, []int) { - return file_kms_proto_rawDescGZIP(), []int{1} + return file_keyservice_proto_rawDescGZIP(), []int{1} } func (x *GetDataKeyResponse) GetDataKey() []byte { 
@@ -122,47 +122,48 @@ func (x *GetDataKeyResponse) GetDataKey() []byte { return nil } -var File_kms_proto protoreflect.FileDescriptor +var File_keyservice_proto protoreflect.FileDescriptor -var file_kms_proto_rawDesc = []byte{ - 0x0a, 0x09, 0x6b, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73, - 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, - 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, - 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, - 0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, - 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44, - 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, - 0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, - 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d, - 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, - 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, - 0x6b, 0x6d, 0x73, 0x2f, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, +var file_keyservice_proto_rawDesc = []byte{ + 0x0a, 0x10, 0x6b, 0x65, 0x79, 
0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, + 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, + 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, + 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, + 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, + 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, + 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, + 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a, + 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73, + 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, + 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a, 0x42, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, + 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( - file_kms_proto_rawDescOnce sync.Once - file_kms_proto_rawDescData = file_kms_proto_rawDesc + file_keyservice_proto_rawDescOnce sync.Once + file_keyservice_proto_rawDescData = 
file_keyservice_proto_rawDesc ) -func file_kms_proto_rawDescGZIP() []byte { - file_kms_proto_rawDescOnce.Do(func() { - file_kms_proto_rawDescData = protoimpl.X.CompressGZIP(file_kms_proto_rawDescData) +func file_keyservice_proto_rawDescGZIP() []byte { + file_keyservice_proto_rawDescOnce.Do(func() { + file_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_proto_rawDescData) }) - return file_kms_proto_rawDescData + return file_keyservice_proto_rawDescData } -var file_kms_proto_msgTypes = make([]protoimpl.MessageInfo, 2) -var file_kms_proto_goTypes = []interface{}{ +var file_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_keyservice_proto_goTypes = []interface{}{ (*GetDataKeyRequest)(nil), // 0: kms.GetDataKeyRequest (*GetDataKeyResponse)(nil), // 1: kms.GetDataKeyResponse } -var file_kms_proto_depIdxs = []int32{ +var file_keyservice_proto_depIdxs = []int32{ 0, // 0: kms.API.GetDataKey:input_type -> kms.GetDataKeyRequest 1, // 1: kms.API.GetDataKey:output_type -> kms.GetDataKeyResponse 1, // [1:2] is the sub-list for method output_type @@ -172,13 +173,13 @@ var file_kms_proto_depIdxs = []int32{ 0, // [0:0] is the sub-list for field type_name } -func init() { file_kms_proto_init() } -func file_kms_proto_init() { - if File_kms_proto != nil { +func init() { file_keyservice_proto_init() } +func file_keyservice_proto_init() { + if File_keyservice_proto != nil { return } if !protoimpl.UnsafeEnabled { - file_kms_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + file_keyservice_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*GetDataKeyRequest); i { case 0: return &v.state @@ -190,7 +191,7 @@ func file_kms_proto_init() { return nil } } - file_kms_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + file_keyservice_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*GetDataKeyResponse); i { case 0: return &v.state 
@@ -207,18 +208,18 @@ func file_kms_proto_init() { out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_kms_proto_rawDesc, + RawDescriptor: file_keyservice_proto_rawDesc, NumEnums: 0, NumMessages: 2, NumExtensions: 0, NumServices: 1, }, - GoTypes: file_kms_proto_goTypes, - DependencyIndexes: file_kms_proto_depIdxs, - MessageInfos: file_kms_proto_msgTypes, + GoTypes: file_keyservice_proto_goTypes, + DependencyIndexes: file_keyservice_proto_depIdxs, + MessageInfos: file_keyservice_proto_msgTypes, }.Build() - File_kms_proto = out.File - file_kms_proto_rawDesc = nil - file_kms_proto_goTypes = nil - file_kms_proto_depIdxs = nil + File_keyservice_proto = out.File + file_keyservice_proto_rawDesc = nil + file_keyservice_proto_goTypes = nil + file_keyservice_proto_depIdxs = nil } diff --git a/kms/kmsproto/kms.proto b/keyservice/keyserviceproto/keyservice.proto similarity index 74% rename from kms/kmsproto/kms.proto rename to keyservice/keyserviceproto/keyservice.proto index 5292b16dc..1c03b5eef 100644 --- a/kms/kmsproto/kms.proto +++ b/keyservice/keyserviceproto/keyservice.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package kms; -option go_package = "github.com/edgelesssys/constellation/v2/kms/kmsproto"; +option go_package = "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"; service API { rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse); diff --git a/kms/kmsproto/kms_grpc.pb.go b/keyservice/keyserviceproto/keyservice_grpc.pb.go similarity index 97% rename from kms/kmsproto/kms_grpc.pb.go rename to keyservice/keyserviceproto/keyservice_grpc.pb.go index 8fd724650..3f55fcfe4 100644 --- a/kms/kmsproto/kms_grpc.pb.go +++ b/keyservice/keyserviceproto/keyservice_grpc.pb.go @@ -2,9 +2,9 @@ // versions: // - protoc-gen-go-grpc v1.2.0 // - protoc v3.21.8 -// source: kms.proto +// source: keyservice.proto -package kmsproto +package keyserviceproto import ( context "context" 
@@ -101,5 +101,5 @@ var API_ServiceDesc = grpc.ServiceDesc{ }, }, Streams: []grpc.StreamDesc{}, - Metadata: "kms.proto", + Metadata: "keyservice.proto", } diff --git a/kms/kms/aws/aws.go b/keyservice/kms/aws/aws.go similarity index 97% rename from kms/kms/aws/aws.go rename to keyservice/kms/aws/aws.go index 3ea190b99..374e7e0b4 100644 --- a/kms/kms/aws/aws.go +++ b/keyservice/kms/aws/aws.go @@ -17,10 +17,10 @@ import ( awsconfig "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms/types" - "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" - "github.com/edgelesssys/constellation/v2/kms/kms/util" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms" + "github.com/edgelesssys/constellation/v2/keyservice/kms/util" ) const ( diff --git a/kms/kms/aws/aws_test.go b/keyservice/kms/aws/aws_test.go similarity index 98% rename from kms/kms/aws/aws_test.go rename to keyservice/kms/aws/aws_test.go index 4522c4655..efe77da08 100644 --- a/kms/kms/aws/aws_test.go +++ b/keyservice/kms/aws/aws_test.go @@ -22,9 +22,9 @@ import ( "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms/types" - "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms" "github.com/stretchr/testify/assert" "go.uber.org/goleak" ) 
diff --git a/kms/kms/azure/azure.go b/keyservice/kms/azure/azure.go similarity index 95% rename from kms/kms/azure/azure.go rename to keyservice/kms/azure/azure.go index b4f9da80d..ae6fce686 100644 --- a/kms/kms/azure/azure.go +++ b/keyservice/kms/azure/azure.go @@ -17,10 +17,10 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" - "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - "github.com/edgelesssys/constellation/v2/kms/kms" - "github.com/edgelesssys/constellation/v2/kms/kms/util" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + "github.com/edgelesssys/constellation/v2/keyservice/kms" + "github.com/edgelesssys/constellation/v2/keyservice/kms/util" ) const ( diff --git a/kms/kms/azure/azure_test.go b/keyservice/kms/azure/azure_test.go similarity index 97% rename from kms/kms/azure/azure_test.go rename to keyservice/kms/azure/azure_test.go index 5b3172903..036a481e0 100644 --- a/kms/kms/azure/azure_test.go +++ b/keyservice/kms/azure/azure_test.go @@ -14,8 +14,8 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - "github.com/edgelesssys/constellation/v2/kms/kms" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + "github.com/edgelesssys/constellation/v2/keyservice/kms" "github.com/stretchr/testify/assert" "go.uber.org/goleak" ) diff --git a/kms/kms/azure/hsm.go b/keyservice/kms/azure/hsm.go similarity index 95% rename from kms/kms/azure/hsm.go rename to keyservice/kms/azure/hsm.go index e247f8b98..a08ba08ab 100644 --- a/kms/kms/azure/hsm.go +++ b/keyservice/kms/azure/hsm.go 
@@ -15,10 +15,10 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" - "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - "github.com/edgelesssys/constellation/v2/kms/kms" - "github.com/edgelesssys/constellation/v2/kms/kms/util" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + "github.com/edgelesssys/constellation/v2/keyservice/kms" + "github.com/edgelesssys/constellation/v2/keyservice/kms/util" ) type hsmClientAPI interface { diff --git a/kms/kms/azure/hsm_test.go b/keyservice/kms/azure/hsm_test.go similarity index 97% rename from kms/kms/azure/hsm_test.go rename to keyservice/kms/azure/hsm_test.go index 09ca7a428..adb2b7f79 100644 --- a/kms/kms/azure/hsm_test.go +++ b/keyservice/kms/azure/hsm_test.go @@ -13,8 +13,8 @@ import ( "github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - "github.com/edgelesssys/constellation/v2/kms/kms" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + "github.com/edgelesssys/constellation/v2/keyservice/kms" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) diff --git a/kms/kms/cluster/cluster.go b/keyservice/kms/cluster/cluster.go similarity index 100% rename from kms/kms/cluster/cluster.go rename to keyservice/kms/cluster/cluster.go diff --git a/kms/kms/cluster/cluster_test.go b/keyservice/kms/cluster/cluster_test.go similarity index 100% rename from kms/kms/cluster/cluster_test.go rename to keyservice/kms/cluster/cluster_test.go 
diff --git a/kms/kms/gcp/gcp.go b/keyservice/kms/gcp/gcp.go similarity index 97% rename from kms/kms/gcp/gcp.go rename to keyservice/kms/gcp/gcp.go index 8fd213f1a..560d0c878 100644 --- a/kms/kms/gcp/gcp.go +++ b/keyservice/kms/gcp/gcp.go @@ -19,10 +19,10 @@ import ( kms "cloud.google.com/go/kms/apiv1" "cloud.google.com/go/kms/apiv1/kmspb" - "github.com/edgelesssys/constellation/v2/kms/internal/config" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" - "github.com/edgelesssys/constellation/v2/kms/kms/util" + "github.com/edgelesssys/constellation/v2/keyservice/internal/config" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms" + "github.com/edgelesssys/constellation/v2/keyservice/kms/util" "github.com/googleapis/gax-go/v2" "google.golang.org/api/option" "google.golang.org/grpc/codes" diff --git a/kms/kms/gcp/gcp_test.go b/keyservice/kms/gcp/gcp_test.go similarity index 98% rename from kms/kms/gcp/gcp_test.go rename to keyservice/kms/gcp/gcp_test.go index e34986b4c..f7310a67e 100644 --- a/kms/kms/gcp/gcp_test.go +++ b/keyservice/kms/gcp/gcp_test.go @@ -12,9 +12,9 @@ import ( "testing" "cloud.google.com/go/kms/apiv1/kmspb" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" - "github.com/edgelesssys/constellation/v2/kms/kms/util" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms" + "github.com/edgelesssys/constellation/v2/keyservice/kms/util" "github.com/googleapis/gax-go/v2" "github.com/stretchr/testify/assert" "go.uber.org/goleak" diff --git a/kms/kms/kms.go b/keyservice/kms/kms.go similarity index 100% rename from kms/kms/kms.go rename to keyservice/kms/kms.go 
diff --git a/kms/kms/util/crypto.go b/keyservice/kms/util/crypto.go similarity index 100% rename from kms/kms/util/crypto.go rename to keyservice/kms/util/crypto.go diff --git a/kms/kms/util/crypto_test.go b/keyservice/kms/util/crypto_test.go similarity index 100% rename from kms/kms/util/crypto_test.go rename to keyservice/kms/util/crypto_test.go diff --git a/kms/setup/setup.go b/keyservice/setup/setup.go similarity index 93% rename from kms/setup/setup.go rename to keyservice/setup/setup.go index 87fa54e45..f7a0fbc1d 100644 --- a/kms/setup/setup.go +++ b/keyservice/setup/setup.go @@ -14,12 +14,12 @@ import ( "strconv" "cloud.google.com/go/kms/apiv1/kmspb" - "github.com/edgelesssys/constellation/v2/kms/internal/storage" - "github.com/edgelesssys/constellation/v2/kms/kms" - "github.com/edgelesssys/constellation/v2/kms/kms/aws" - "github.com/edgelesssys/constellation/v2/kms/kms/azure" - "github.com/edgelesssys/constellation/v2/kms/kms/cluster" - "github.com/edgelesssys/constellation/v2/kms/kms/gcp" + "github.com/edgelesssys/constellation/v2/keyservice/internal/storage" + "github.com/edgelesssys/constellation/v2/keyservice/kms" + "github.com/edgelesssys/constellation/v2/keyservice/kms/aws" + "github.com/edgelesssys/constellation/v2/keyservice/kms/azure" + "github.com/edgelesssys/constellation/v2/keyservice/kms/cluster" + "github.com/edgelesssys/constellation/v2/keyservice/kms/gcp" ) // Well known endpoints for KMS services. diff --git a/kms/setup/setup_test.go b/keyservice/setup/setup_test.go similarity index 100% rename from kms/setup/setup_test.go rename to keyservice/setup/setup_test.go diff --git a/proto/Dockerfile.gen-proto b/proto/Dockerfile.gen-proto index 39444dfed..128c29639 100644 --- a/proto/Dockerfile.gen-proto +++ b/proto/Dockerfile.gen-proto 
@@ -35,8 +35,8 @@ COPY debugd/service/*.proto /service RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto ## key management -WORKDIR /kms -COPY kms/kmsproto/*.proto /kms +WORKDIR /keyservice +COPY keyservice/keyserviceproto/*.proto /keyservice RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto ## join service @@ -62,7 +62,7 @@ RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_o FROM scratch as export COPY --from=build /disk-mapper/*.go disk-mapper/recoverproto/ COPY --from=build /service/*.go debugd/service/ -COPY --from=build /kms/*.go kms/kmsproto/ +COPY --from=build /keyservice/*.go keyservice/keyserviceproto/ COPY --from=build /joinservice/*.go joinservice/joinproto/ COPY --from=build /verify/*.go verify/verifyproto/ COPY --from=build /init/*.go bootstrapper/initproto/ diff --git a/rfc/external-kms.md b/rfc/external-kms.md index 8c826659e..ffb57a967 100644 --- a/rfc/external-kms.md +++ b/rfc/external-kms.md @@ -47,7 +47,7 @@ The measurement secret, together with a measurement salt (not secret) is used to * For eKMS backends the two URIs can be used directly to request new DEKs. * For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=`. -The above approach allows us to integrate with the existing setup code in `kms/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms). +The above approach allows us to integrate with the existing setup code in `keyservice/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms). This code is used to setup CloudKMS objects. The `setup.go` code will have to be refactored to live in `internal` so that the disk-mapper pkg can directly communicate with the respective external KMS. 
diff --git a/rfc/key-derivation.md b/rfc/key-derivation.md index 2f54482bd..1dcc10694 100644 --- a/rfc/key-derivation.md +++ b/rfc/key-derivation.md @@ -24,7 +24,7 @@ We use SHA-256 as the hash function. Constellation's master secret is used as *IKM* for HKDF. The master secret is either provided by the admin, or a randomly generated 32 byte value. -It is supplied to the cluster during `constellation init` and in the following used by [Constellation's KMS](../kms/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/). +It is supplied to the cluster during `constellation init` and in the following used by [Constellation's keyservice](../keyservice/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/). ## Salt diff --git a/rfc/reproducible-builds.md b/rfc/reproducible-builds.md index 845358db3..113ea7d7f 100644 --- a/rfc/reproducible-builds.md +++ b/rfc/reproducible-builds.md @@ -140,7 +140,7 @@ Then in our `.ko.yaml`, we can use the newly created image as a base image, also ```yaml baseImageOverrides: - github.com/edgelesssys/constellation/v2/kms/cmd: edgelesssys/alpine-custom:base + github.com/edgelesssys/constellation/v2/keyservice/cmd: edgelesssys/alpine-custom:base ``` The result is also a reproducible OCI image with reproducible artifacts.
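Review bot: in the `API_ServiceDesc` hunk at the top of the patch the only change is `Metadata: "kms.proto"` to `Metadata: "keyservice.proto"`, which is the source-file name recorded in the descriptor and has no effect on the wire format; please confirm in the same review that the `package` and `service` names inside the renamed `.proto` were left as they were, because those form the gRPC method path and changing them would break calls between old and new pods during a rolling upgrade. Also confirm this `*.pb.go` was regenerated through the updated `proto/Dockerfile.gen-proto` stage (which now writes to `keyservice/keyserviceproto/`) rather than edited by hand, so the `go_package` option and the new directory agree.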
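Review bot: the hunks for `keyservice/kms/cluster/cluster.go`, `keyservice/kms/kms.go` and `keyservice/kms/util/crypto.go` are pure moves at 100% similarity, so any package or function doc comments in them that still call the service "KMS" (as opposed to the backend) were not touched by this rename; a quick grep for `KMS` in the moved files would keep the wording consistent with the commit's stated distinction. On the import hunks, keeping the `kmsInterface` alias in `aws.go` and `gcp.go` is right because both cloud SDKs also export a package named `kms`, while `azure.go` can import `keyservice/kms` unaliased; that asymmetry is fine but worth a one-line comment at the import site so the next reader does not try to "normalize" it.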
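Review bot: in the `rfc/external-kms.md` hunk the path is updated to `keyservice/setup/setup.go`, and the unchanged sentence that follows still says this code is to be moved under `internal`, so the RFC remains accurate; while this file is open, the unchanged context line `kms://cluster-kms?masterSecret=` deserves a sentence stating that the master secret must be stripped before that URI is ever logged or included in an error message, since URIs with query parameters routinely end up in logs and that parameter carries the HKDF IKM described in `rfc/key-derivation.md`.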