kms: rename kms to keyservice
In light of extending our eKMS support it will be helpful to use the word "KMS" more strictly. "KMS" should refer to the actual component that manages keys. The keyservice, also called KMS in the Constellation code, does not manage keys itself: it talks to a KMS backend, which in turn does the actual key management.
This commit is contained in:
parent
67f8336b9d
commit
90b88e1cf9
101 changed files with 313 additions and 319 deletions
|
@ -33,7 +33,7 @@ import (
|
|||
"github.com/edgelesssys/constellation/v2/internal/license"
|
||||
"github.com/edgelesssys/constellation/v2/internal/retry"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versions"
|
||||
kms "github.com/edgelesssys/constellation/v2/kms/setup"
|
||||
keyservice "github.com/edgelesssys/constellation/v2/keyservice/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/spf13/cobra"
|
||||
"google.golang.org/grpc"
|
||||
|
@ -143,8 +143,8 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator *cloud
|
|||
req := &initproto.InitRequest{
|
||||
MasterSecret: masterSecret.Key,
|
||||
Salt: masterSecret.Salt,
|
||||
KmsUri: kms.ClusterKMSURI,
|
||||
StorageUri: kms.NoStoreURI,
|
||||
KmsUri: keyservice.ClusterKMSURI,
|
||||
StorageUri: keyservice.NoStoreURI,
|
||||
KeyEncryptionKeyId: "",
|
||||
UseExistingKek: false,
|
||||
CloudServiceAccountUri: serviceAccURI,
|
||||
|
|
|
@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste
|
|||
type: application
|
||||
version: 2.4.0
|
||||
dependencies:
|
||||
- name: kms
|
||||
- name: keyservice
|
||||
version: 2.4.0
|
||||
tags:
|
||||
- Azure
|
||||
|
|
|
@ -121,7 +121,7 @@ spec:
|
|||
- "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
|
||||
- "--support-zone={{ .Values.node.supportZone }}"
|
||||
- "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}"
|
||||
- "--kms-addr=kms.{{ .Values.node.kmsNamespace | default .Release.Namespace }}:{{ .Values.node.kmsPort }}"
|
||||
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
|
||||
ports:
|
||||
- containerPort: {{ .Values.node.livenessProbe.healthPort }}
|
||||
name: healthz
|
||||
|
|
|
@ -123,8 +123,10 @@ node:
|
|||
logLevel: 5
|
||||
livenessProbe:
|
||||
healthPort: 29603
|
||||
kmsPort: "9000"
|
||||
kmsNamespace: "kube-system"
|
||||
global:
|
||||
keyserviceName: "keyservice"
|
||||
keyservicePort: 9000
|
||||
keyserviceNamespace: "kube-system"
|
||||
|
||||
snapshot:
|
||||
enabled: false
|
||||
|
|
|
@ -41,7 +41,7 @@ spec:
|
|||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}"
|
||||
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
|
|
|
@ -29,8 +29,9 @@ csiController:
|
|||
replicas: 1
|
||||
runOnControlPlane: true
|
||||
|
||||
csiNode:
|
||||
kmsPort: "9000"
|
||||
kmsNamespace: "kube-system"
|
||||
global:
|
||||
keyserviceName: "keyservice"
|
||||
keyservicePort: 9000
|
||||
keyserviceNamespace: "kube-system"
|
||||
|
||||
createStorageClass: true
|
||||
|
|
|
@ -38,7 +38,7 @@ spec:
|
|||
image: {{ .Values.image | quote }}
|
||||
args:
|
||||
- --cloud-provider={{ .Values.csp }}
|
||||
- --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }}
|
||||
- --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath | quote }}
|
||||
name: config
|
||||
|
|
|
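Review bot: The new `--keyservice-endpoint` argument hardcodes both the service name and `.Release.Namespace`, whereas the CSI node templates changed in this same commit resolve the identical endpoint from `.Values.global.keyserviceName` and `.Values.global.keyserviceNamespace | default .Release.Namespace`. If an operator overrides either global value, the CSI drivers and the join-service would end up dialing different addresses for the same service. Consider `- --keyservice-endpoint={{ .Values.global.keyserviceName | default "keyservice" }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}` so all consumers share one source of truth. Note that the keyservice chart's Service manifest also hardcodes `name: keyservice`, so a name override would need to be threaded through there as well; the surrounding Deployment spec starts and ends outside this hunk.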
@ -0,0 +1,5 @@
|
|||
apiVersion: v2
|
||||
name: keyservice
|
||||
description: A Helm chart to deploy the Constellation KeyService
|
||||
type: application
|
||||
version: 2.4.0
|
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
|
@ -2,25 +2,25 @@ apiVersion: apps/v1
|
|||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
- name: keyservice
|
||||
image: {{ .Values.image | quote }}
|
||||
args:
|
||||
- --port={{ .Values.global.kmsPort }}
|
||||
- --port={{ .Values.global.keyservicePort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath | quote }}
|
||||
name: config
|
||||
|
@ -29,7 +29,7 @@ spec:
|
|||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
|
@ -1,16 +1,16 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- name: grpc
|
||||
port: {{ .Values.global.kmsPort }}
|
||||
port: {{ .Values.global.keyservicePort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.global.kmsPort }}
|
||||
targetPort: {{ .Values.global.keyservicePort }}
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
|
@ -1,5 +1,5 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
|
@ -4,7 +4,7 @@
|
|||
"image": {
|
||||
"description": "Container image to use for the spawned pods.",
|
||||
"type": "string",
|
||||
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
|
||||
"examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"]
|
||||
},
|
||||
"masterSecret": {
|
||||
"description": "Secret used to derive key material within the cluster",
|
|
@ -1,6 +1,6 @@
|
|||
global:
|
||||
# Port on which the KMS service will listen. Global since join-service also uses the value.
|
||||
kmsPort: 9000
|
||||
# Port on which the KeyService will listen. Global since join-service also uses the value.
|
||||
keyservicePort: 9000
|
||||
# Path to which secrets/CMs are mounted.
|
||||
serviceBasePath: /var/config
|
||||
# Name of the ConfigMap that holds measurements and other info.
|
||||
|
|
|
@ -52,7 +52,7 @@ const (
|
|||
// ChartLoader loads embedded helm charts.
|
||||
type ChartLoader struct {
|
||||
joinServiceImage string
|
||||
kmsImage string
|
||||
keyserviceImage string
|
||||
ccmImage string
|
||||
cnmImage string
|
||||
autoscalerImage string
|
||||
|
@ -78,7 +78,7 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion)
|
|||
|
||||
return &ChartLoader{
|
||||
joinServiceImage: versions.JoinImage,
|
||||
kmsImage: versions.KmsImage,
|
||||
keyserviceImage: versions.KeyServiceImage,
|
||||
ccmImage: ccmImage,
|
||||
cnmImage: cnmImage,
|
||||
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
|
||||
|
@ -359,13 +359,14 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
|
|||
csp := config.GetProvider()
|
||||
values := map[string]any{
|
||||
"global": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"serviceBasePath": constants.ServiceBasePath,
|
||||
"joinConfigCMName": constants.JoinConfigMap,
|
||||
"internalCMName": constants.InternalConfigMap,
|
||||
"keyservicePort": constants.KeyservicePort,
|
||||
"keyserviceNamespace": "", // empty namespace means we use the release namespace
|
||||
"serviceBasePath": constants.ServiceBasePath,
|
||||
"joinConfigCMName": constants.JoinConfigMap,
|
||||
"internalCMName": constants.InternalConfigMap,
|
||||
},
|
||||
"kms": map[string]any{
|
||||
"image": i.kmsImage,
|
||||
"keyservice": map[string]any{
|
||||
"image": i.keyserviceImage,
|
||||
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
|
||||
"salt": base64.StdEncoding.EncodeToString(salt),
|
||||
"saltKeyName": constants.ConstellationSaltKey,
|
||||
|
@ -420,13 +421,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
|
|||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
values["azuredisk-csi-driver"] = map[string]any{
|
||||
"node": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"kmsNamespace": "", // empty namespace means we use the release namespace
|
||||
},
|
||||
}
|
||||
|
||||
values["tags"] = map[string]any{
|
||||
"Azure": true,
|
||||
}
|
||||
|
@ -444,13 +438,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
|
|||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
|
||||
"csiNode": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"kmsNamespace": "", // empty namespace means we use the release namespace
|
||||
},
|
||||
}
|
||||
|
||||
values["tags"] = map[string]any{
|
||||
"GCP": true,
|
||||
}
|
||||
|
|
|
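Review bot: The `global` values map populates `keyservicePort` and `keyserviceNamespace` but not `keyserviceName`, even though the CSI templates touched in this commit read `.Values.global.keyserviceName`; they only render correctly because each CSI subchart's values.yaml ships its own default of `"keyservice"`. The keyservice chart's Service manifest hardcodes `name: keyservice` independently, so the name now lives in three places that can drift without any error at render time. Suggest adding `"keyserviceName": "keyservice",` alongside `"keyservicePort"` here (ideally from a shared constant) so the parent chart is authoritative, or alternatively removing the `keyserviceName` value from the subcharts if the name is meant to be fixed. loadConstellationServicesValues begins and ends outside the visible hunks.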
@ -90,7 +90,7 @@ func TestConstellationServices(t *testing.T) {
|
|||
|
||||
chartLoader := ChartLoader{
|
||||
joinServiceImage: "joinServiceImage",
|
||||
kmsImage: "kmsImage",
|
||||
keyserviceImage: "keyserviceImage",
|
||||
ccmImage: tc.ccmImage,
|
||||
cnmImage: tc.cnmImage,
|
||||
autoscalerImage: "autoscalerImage",
|
||||
|
@ -159,7 +159,7 @@ func TestOperators(t *testing.T) {
|
|||
|
||||
chartLoader := ChartLoader{
|
||||
joinServiceImage: "joinServiceImage",
|
||||
kmsImage: "kmsImage",
|
||||
keyserviceImage: "keyserviceImage",
|
||||
ccmImage: "ccmImage",
|
||||
cnmImage: "cnmImage",
|
||||
autoscalerImage: "autoscalerImage",
|
||||
|
@ -301,40 +301,38 @@ func prepareGCPValues(values map[string]any) error {
|
|||
|
||||
testTag := "v0.0.0"
|
||||
pullPolicy := "IfNotPresent"
|
||||
csiVals, ok := values["gcp-compute-persistent-disk-csi-driver"].(map[string]any)
|
||||
if !ok {
|
||||
return errors.New("missing 'gcp-compute-persistent-disk-csi-driver' key")
|
||||
}
|
||||
csiVals["image"] = map[string]any{
|
||||
"csiProvisioner": map[string]any{
|
||||
"repo": "csi-provisioner",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiAttacher": map[string]any{
|
||||
"repo": "csi-attacher",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiResizer": map[string]any{
|
||||
"repo": "csi-resizer",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiSnapshotter": map[string]any{
|
||||
"repo": "csi-snapshotter",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiNodeRegistrar": map[string]any{
|
||||
"repo": "csi-registrar",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"gcepdDriver": map[string]any{
|
||||
"repo": "csi-driver",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
|
||||
"image": map[string]any{
|
||||
"csiProvisioner": map[string]any{
|
||||
"repo": "csi-provisioner",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiAttacher": map[string]any{
|
||||
"repo": "csi-attacher",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiResizer": map[string]any{
|
||||
"repo": "csi-resizer",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiSnapshotter": map[string]any{
|
||||
"repo": "csi-snapshotter",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiNodeRegistrar": map[string]any{
|
||||
"repo": "csi-registrar",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"gcepdDriver": map[string]any{
|
||||
"repo": "csi-driver",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
|
|
@ -107,7 +107,7 @@ spec:
|
|||
- "--allow-empty-cloud-config=true"
|
||||
- "--support-zone=true"
|
||||
- "--get-node-info-from-labels=false"
|
||||
- "--kms-addr=kms.testNamespace:9000"
|
||||
- "--kms-addr=keyservice.testNamespace:9000"
|
||||
ports:
|
||||
- containerPort: 29603
|
||||
name: healthz
|
||||
|
|
|
@ -38,7 +38,7 @@ spec:
|
|||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=Azure
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
|
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
|
@ -2,23 +2,23 @@ apiVersion: apps/v1
|
|||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
image: kmsImage
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
|
@ -29,7 +29,7 @@ spec:
|
|||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
|
@ -10,7 +10,7 @@ spec:
|
|||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
|
@ -1,5 +1,5 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
|
@ -41,7 +41,7 @@ spec:
|
|||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr=kms.testNamespace:9000"
|
||||
- "--kms-addr=keyservice.testNamespace:9000"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
|
|
|
@ -38,7 +38,7 @@ spec:
|
|||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=GCP
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
|
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
|
@ -2,23 +2,23 @@ apiVersion: apps/v1
|
|||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
image: kmsImage
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
|
@ -29,7 +29,7 @@ spec:
|
|||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
|
@ -10,7 +10,7 @@ spec:
|
|||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
|
@ -1,5 +1,5 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
|
@ -38,7 +38,7 @@ spec:
|
|||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=QEMU
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
|
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
|||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
|
@ -1,12 +1,12 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
|
@ -2,23 +2,23 @@ apiVersion: apps/v1
|
|||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
image: kmsImage
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
|
@ -29,7 +29,7 @@ spec:
|
|||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
|
@ -10,7 +10,7 @@ spec:
|
|||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
|
@ -1,5 +1,5 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
|
@ -48,8 +48,8 @@ download_chart() {
|
|||
|
||||
## GCP CSI Driver
|
||||
# TODO: clone from main branch once we rebase on upstream
|
||||
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.0" "charts" "gcp-compute-persistent-disk-csi-driver"
|
||||
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.1" "charts" "gcp-compute-persistent-disk-csi-driver"
|
||||
|
||||
## Azure CSI Driver
|
||||
# TODO: clone from main branch once we rebase on upstream
|
||||
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.0" "charts/edgeless" "azuredisk-csi-driver"
|
||||
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.1" "charts/edgeless" "azuredisk-csi-driver"
|
||||
|
|