kms: rename kms to keyservice

In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
Otto Bittner 2023-01-11 10:08:57 +01:00
parent 67f8336b9d
commit 90b88e1cf9
101 changed files with 313 additions and 319 deletions

@ -47,7 +47,7 @@ The measurement secret, together with a measurement salt (not secret) is used to
* For eKMS backends the two URIs can be used directly to request new DEKs.
* For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=<masterSecret>`.
The above approach allows us to integrate with the existing setup code in `kms/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms).
The above approach allows us to integrate with the existing setup code in `keyservice/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms).
This code is used to setup CloudKMS objects.
The `setup.go` code will have to be refactored to live in `internal` so that the disk-mapper pkg can directly communicate with the respective external KMS.
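
Review bot: The changed line keeps "parse masterSecret in case of cluster-kms", and the context line above it places that value in the query string of `kms://cluster-kms?masterSecret=<masterSecret>`, which makes the whole URI key material, yet the text never says so. Suggest adding a sentence next to the `keyservice/setup/setup.go` reference stating that the URI must be handled as a secret and kept out of logs and error messages wherever it is parsed. Separately, the last context line still names a bare `setup.go` that is to move to `internal`; naming the intended target path there would keep the doc from going stale after this rename.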

@ -24,7 +24,7 @@ We use SHA-256 as the hash function.
Constellation's master secret is used as *IKM* for HKDF.
The master secret is either provided by the admin, or a randomly generated 32 byte value.
It is supplied to the cluster during `constellation init` and in the following used by [Constellation's KMS](../kms/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/).
It is supplied to the cluster during `constellation init` and in the following used by [Constellation's keyservice](../keyservice/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/).
## Salt
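
Review bot: The relative link target in the changed line moves from `../kms/` to `../keyservice/`, so this only resolves if the linked docs directory is renamed in the same commit; please confirm, otherwise the link breaks. While touching the line, "and in the following used by" reads awkwardly and could become "and is subsequently used by". Given the commit message's point that the keyservice does not manage keys itself, it would also help to say here what the keyservice does with the master secret, so the sentence does not suggest it is the key manager.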

@ -140,7 +140,7 @@ Then in our `.ko.yaml`, we can use the newly created image as a base image, also
```yaml
baseImageOverrides:
github.com/edgelesssys/constellation/v2/kms/cmd: edgelesssys/alpine-custom:base
github.com/edgelesssys/constellation/v2/keyservice/cmd: edgelesssys/alpine-custom:base
```
The result is also a reproducible OCI image with reproducible artifacts.
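
Review bot: The `baseImageOverrides` key in the changed line is a Go import path, so the override only takes effect if the main package really lives at `github.com/edgelesssys/constellation/v2/keyservice/cmd` after this commit; please verify the build still picks up `edgelesssys/alpine-custom:base` rather than a default base image. The closing context line claims a reproducible OCI image while the base is referenced by the mutable tag `:base`; pinning it by digest in this example would make that claim hold.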