kms: rename kms to keyservice

In the light of extending our eKMS support it will be helpful to have a tighter use of the word "KMS". KMS should refer to the actual component that manages keys. The keyservice, also called KMS in the constellation code, does not manage keys itself. It talks to a KMS backend, which in turn does the actual key management.
2025-12-10 21:49:48 -05:00 · 2023-01-11 10:08:57 +01:00 · 2023-01-11 10:08:57 +01:00 · 90b88e1cf9
commit 90b88e1cf9
parent 67f8336b9d
101 changed files with 313 additions and 319 deletions
--- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste
 type: application
 version: 2.4.0
 dependencies:
-  - name: kms
+  - name: keyservice
    version: 2.4.0
    tags:
      - Azure
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml
@ -121,7 +121,7 @@ spec:
            - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
            - "--support-zone={{ .Values.node.supportZone }}"
            - "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}"
-            - "--kms-addr=kms.{{ .Values.node.kmsNamespace | default .Release.Namespace }}:{{ .Values.node.kmsPort }}"
+            - "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
          ports:
            - containerPort: {{ .Values.node.livenessProbe.healthPort }}
              name: healthz
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/azuredisk-csi-driver/values.yaml
@ -123,8 +123,10 @@ node:
  logLevel: 5
  livenessProbe:
    healthPort: 29603
-  kmsPort: "9000"
-  kmsNamespace: "kube-system"
+global:
+  keyserviceName: "keyservice"
+  keyservicePort: 9000
+  keyserviceNamespace: "kube-system"

 snapshot:
  enabled: false
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml
@ -41,7 +41,7 @@ spec:
            - "--v=5"
            - "--endpoint=unix:/csi/csi.sock"
            - "--run-controller-service=false"
-            - "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}"
+            - "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
          securityContext:
            privileged: true
          volumeMounts:
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/values.yaml
@ -29,8 +29,9 @@ csiController:
  replicas: 1
  runOnControlPlane: true

-csiNode:
-  kmsPort: "9000"
-  kmsNamespace: "kube-system"
+global:
+  keyserviceName: "keyservice"
+  keyservicePort: 9000
+  keyserviceNamespace: "kube-system"

 createStorageClass: true
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
@ -38,7 +38,7 @@ spec:
          image: {{ .Values.image | quote }}
          args:
            - --cloud-provider={{ .Values.csp }}
-            - --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }}
+            - --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }}
          volumeMounts:
            - mountPath: {{ .Values.global.serviceBasePath | quote }}
              name: config
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/.helmignore
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/.helmignore
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/Chart.yaml
@ -0,0 +1,5 @@
+apiVersion: v2
+name: keyservice
+description: A Helm chart to deploy the Constellation KeyService
+type: application
+version: 2.4.0
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrole.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrole.yaml
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
-    k8s-app: kms
-  name: kms
+    k8s-app: keyservice
+  name: keyservice
 rules:
 - apiGroups:
  - ""
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/clusterrolebinding.yaml
@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kms
+  name: keyservice
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: kms
+  name: keyservice
 subjects:
 - kind: ServiceAccount
-  name: kms
+  name: keyservice
  namespace: {{ .Release.Namespace }}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/daemonset.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/daemonset.yaml
@ -2,25 +2,25 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  labels:
-    component: kms
-    k8s-app: kms
+    component: keyservice
+    k8s-app: keyservice
    kubernetes.io/cluster-service: "true"
-  name: kms
+  name: keyservice
  namespace: {{ .Release.Namespace }}
 spec:
  selector:
    matchLabels:
-      k8s-app: kms
+      k8s-app: keyservice
  template:
    metadata:
      labels:
-        k8s-app: kms
+        k8s-app: keyservice
    spec:
      containers:
-        - name: kms
+        - name: keyservice
          image: {{ .Values.image | quote }}
          args:
-            - --port={{ .Values.global.kmsPort }}
+            - --port={{ .Values.global.keyservicePort }}
          volumeMounts:
            - mountPath: {{ .Values.global.serviceBasePath | quote }}
              name: config
@ -29,7 +29,7 @@ spec:
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      priorityClassName: system-cluster-critical
-      serviceAccountName: kms
+      serviceAccountName: keyservice
      tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/mastersecret.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/mastersecret.yaml
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/service.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/service.yaml
@ -1,16 +1,16 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: kms
+  name: keyservice
  namespace: {{ .Release.Namespace }}
 spec:
  ports:
  - name: grpc
-    port: {{ .Values.global.kmsPort }}
+    port: {{ .Values.global.keyservicePort }}
    protocol: TCP
-    targetPort: {{ .Values.global.kmsPort }}
+    targetPort: {{ .Values.global.keyservicePort }}
  selector:
-    k8s-app: kms
+    k8s-app: keyservice
  type: ClusterIP
 status:
  loadBalancer: {}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/serviceaccount.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/templates/serviceaccount.yaml
@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kms
+  name: keyservice
  namespace: {{ .Release.Namespace }}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.schema.json
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.schema.json
@ -4,7 +4,7 @@
        "image": {
            "description": "Container image to use for the spawned pods.",
            "type": "string",
-            "examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
+            "examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"]
        },
        "masterSecret": {
            "description": "Secret used to derive key material within the cluster",
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/keyservice/values.yaml
--- a/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
@ -1,6 +1,6 @@
 global:
-  # Port on which the KMS service will listen. Global since join-service also uses the value.
-  kmsPort: 9000
+  # Port on which the KeyService will listen. Global since join-service also uses the value.
+  keyservicePort: 9000
  # Path to which secrets/CMs are mounted.
  serviceBasePath: /var/config
  # Name of the ConfigMap that holds measurements and other info.