kms: rename kms to keyservice

In the light of extending our eKMS support it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
Otto Bittner 2023-01-11 10:08:57 +01:00
parent 67f8336b9d
commit 90b88e1cf9
101 changed files with 313 additions and 319 deletions

View File

@ -56,7 +56,7 @@ kubectl -n kube-system wait --for=condition=Available=True --timeout=180s deploy
# Wait for daemon sets # Wait for daemon sets
kubectl -n kube-system rollout status --timeout 180s daemonset cilium kubectl -n kube-system rollout status --timeout 180s daemonset cilium
kubectl -n kube-system rollout status --timeout 180s daemonset join-service kubectl -n kube-system rollout status --timeout 180s daemonset join-service
kubectl -n kube-system rollout status --timeout 180s daemonset kms kubectl -n kube-system rollout status --timeout 180s daemonset keyservice
kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent
kubectl -n kube-system rollout status --timeout 180s daemonset verification-service kubectl -n kube-system rollout status --timeout 180s daemonset verification-service
echo "::endgroup::" echo "::endgroup::"

View File

@ -1,4 +1,4 @@
name: Build and upload KMS image name: Build and upload KeyService image
on: on:
workflow_dispatch: workflow_dispatch:
@ -7,12 +7,12 @@ on:
- main - main
- "release/**" - "release/**"
paths: paths:
- "kms/**" - "keyservice/**"
- "internal/**" - "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops - "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
jobs: jobs:
build-kms-server: build-keyservice:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions: permissions:
contents: read contents: read
@ -29,13 +29,13 @@ jobs:
with: with:
go-version: "1.19.5" go-version: "1.19.5"
- name: Build and upload KMS server container image - name: Build and upload KeyService container image
id: build-and-upload id: build-and-upload
uses: ./.github/actions/build_micro_service uses: ./.github/actions/build_micro_service
with: with:
name: kmsserver name: keyservice
projectVersion: "0.0.0" projectVersion: "0.0.0"
dockerfile: kms/Dockerfile dockerfile: keyservice/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }} githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }} cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
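Review bot: the image name handed to build_micro_service changes from `kmsserver` to `keyservice`, which changes the published registry path (the values schema in this commit already uses `ghcr.io/edgelesssys/constellation/keyservice:latest` as its example), so `versions.KeyServiceImage`, which the Helm loader now reads, must point at the new path. The `versions.go` definition is not among the hunks shown here; please confirm it was updated in the same commit, otherwise a cluster deployed from this tree pulls an image that is never built.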

View File

@ -8,7 +8,7 @@ on:
type: choice type: choice
options: options:
- "join-service" - "join-service"
- "kmsserver" - "keyservice"
- "verification-service" - "verification-service"
- "qemu-metadata-api" - "qemu-metadata-api"
- "filebeat-debugd" - "filebeat-debugd"
@ -80,8 +80,8 @@ jobs:
case "${{ inputs.microService }}" in case "${{ inputs.microService }}" in
"join-service" ) "join-service" )
echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;; echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;;
"kmsserver" ) "keyservice" )
echo "microServiceDockerfile=kms/Dockerfile" >> "$GITHUB_ENV" ;; echo "microServiceDockerfile=keyservice/Dockerfile" >> "$GITHUB_ENV" ;;
"verification-service" ) "verification-service" )
echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;; echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;;
"qemu-metadata-api" ) "qemu-metadata-api" )

View File

@ -36,7 +36,7 @@
/internal/versions @katexochen /internal/versions @katexochen
/internal/versionsapi @katexochen /internal/versionsapi @katexochen
/joinservice @daniel-weisse /joinservice @daniel-weisse
/kms @daniel-weisse /keyservice @daniel-weisse
/operators @malt3 /operators @malt3
/upgrade-agent @3u13r /upgrade-agent @3u13r
/verify @daniel-weisse /verify @daniel-weisse

View File

@ -33,7 +33,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/license" "github.com/edgelesssys/constellation/v2/internal/license"
"github.com/edgelesssys/constellation/v2/internal/retry" "github.com/edgelesssys/constellation/v2/internal/retry"
"github.com/edgelesssys/constellation/v2/internal/versions" "github.com/edgelesssys/constellation/v2/internal/versions"
kms "github.com/edgelesssys/constellation/v2/kms/setup" keyservice "github.com/edgelesssys/constellation/v2/keyservice/setup"
"github.com/spf13/afero" "github.com/spf13/afero"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"google.golang.org/grpc" "google.golang.org/grpc"
@ -143,8 +143,8 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator *cloud
req := &initproto.InitRequest{ req := &initproto.InitRequest{
MasterSecret: masterSecret.Key, MasterSecret: masterSecret.Key,
Salt: masterSecret.Salt, Salt: masterSecret.Salt,
KmsUri: kms.ClusterKMSURI, KmsUri: keyservice.ClusterKMSURI,
StorageUri: kms.NoStoreURI, StorageUri: keyservice.NoStoreURI,
KeyEncryptionKeyId: "", KeyEncryptionKeyId: "",
UseExistingKek: false, UseExistingKek: false,
CloudServiceAccountUri: serviceAccURI, CloudServiceAccountUri: serviceAccURI,

View File

@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste
type: application type: application
version: 2.4.0 version: 2.4.0
dependencies: dependencies:
- name: kms - name: keyservice
version: 2.4.0 version: 2.4.0
tags: tags:
- Azure - Azure

View File

@ -121,7 +121,7 @@ spec:
- "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}" - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
- "--support-zone={{ .Values.node.supportZone }}" - "--support-zone={{ .Values.node.supportZone }}"
- "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}" - "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}"
- "--kms-addr=kms.{{ .Values.node.kmsNamespace | default .Release.Namespace }}:{{ .Values.node.kmsPort }}" - "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
ports: ports:
- containerPort: {{ .Values.node.livenessProbe.healthPort }} - containerPort: {{ .Values.node.livenessProbe.healthPort }}
name: healthz name: healthz
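Review bot: the flag is still `--kms-addr` while its value is now the keyservice address, which keeps exactly the ambiguity the commit message sets out to remove; the flag is parsed by the CSI driver binary rather than by this chart, so it cannot be renamed in this commit alone, but a TODO pointing at the driver would record the debt (the GCP node template below has the same flag). The `{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}` form is right for the empty namespace the loader passes, since Helm's `default` treats `""` as unset.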

View File

@ -123,8 +123,10 @@ node:
logLevel: 5 logLevel: 5
livenessProbe: livenessProbe:
healthPort: 29603 healthPort: 29603
kmsPort: "9000" global:
kmsNamespace: "kube-system" keyserviceName: "keyservice"
keyservicePort: 9000
keyserviceNamespace: "kube-system"
snapshot: snapshot:
enabled: false enabled: false

View File

@ -41,7 +41,7 @@ spec:
- "--v=5" - "--v=5"
- "--endpoint=unix:/csi/csi.sock" - "--endpoint=unix:/csi/csi.sock"
- "--run-controller-service=false" - "--run-controller-service=false"
- "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}" - "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
securityContext: securityContext:
privileged: true privileged: true
volumeMounts: volumeMounts:

View File

@ -29,8 +29,9 @@ csiController:
replicas: 1 replicas: 1
runOnControlPlane: true runOnControlPlane: true
csiNode: global:
kmsPort: "9000" keyserviceName: "keyservice"
kmsNamespace: "kube-system" keyservicePort: 9000
keyserviceNamespace: "kube-system"
createStorageClass: true createStorageClass: true

View File

@ -38,7 +38,7 @@ spec:
image: {{ .Values.image | quote }} image: {{ .Values.image | quote }}
args: args:
- --cloud-provider={{ .Values.csp }} - --cloud-provider={{ .Values.csp }}
- --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }} - --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }}
volumeMounts: volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }} - mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config name: config
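Review bot: the join-service deployment hardcodes the service host as `keyservice.`, whereas both CSI node templates read it from `.Values.global.keyserviceName`; reading the same global value here would keep the service name defined in one place. Also, `--kms-endpoint` becomes `--keyservice-endpoint`, so the join-service binary's flag definition has to be renamed in the same commit; that change is not visible in the hunks shown, and the pod fails to start on an unknown flag otherwise.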

View File

@ -0,0 +1,5 @@
apiVersion: v2
name: keyservice
description: A Helm chart to deploy the Constellation KeyService
type: application
version: 2.4.0

View File

@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
name: kms name: keyservice
rules: rules:
- apiGroups: - apiGroups:
- "" - ""

View File

@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: kms name: keyservice
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: kms name: keyservice
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kms name: keyservice
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}

View File

@ -2,25 +2,25 @@ apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
labels: labels:
component: kms component: keyservice
k8s-app: kms k8s-app: keyservice
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
name: kms name: keyservice
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
spec: spec:
selector: selector:
matchLabels: matchLabels:
k8s-app: kms k8s-app: keyservice
template: template:
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
spec: spec:
containers: containers:
- name: kms - name: keyservice
image: {{ .Values.image | quote }} image: {{ .Values.image | quote }}
args: args:
- --port={{ .Values.global.kmsPort }} - --port={{ .Values.global.keyservicePort }}
volumeMounts: volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }} - mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config name: config
@ -29,7 +29,7 @@ spec:
nodeSelector: nodeSelector:
node-role.kubernetes.io/control-plane: "" node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: kms serviceAccountName: keyservice
tolerations: tolerations:
- key: CriticalAddonsOnly - key: CriticalAddonsOnly
operator: Exists operator: Exists

View File

@ -1,16 +1,16 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: kms name: keyservice
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
spec: spec:
ports: ports:
- name: grpc - name: grpc
port: {{ .Values.global.kmsPort }} port: {{ .Values.global.keyservicePort }}
protocol: TCP protocol: TCP
targetPort: {{ .Values.global.kmsPort }} targetPort: {{ .Values.global.keyservicePort }}
selector: selector:
k8s-app: kms k8s-app: keyservice
type: ClusterIP type: ClusterIP
status: status:
loadBalancer: {} loadBalancer: {}
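Review bot: renaming the Service changes the in-cluster DNS name from `kms.<namespace>` to `keyservice.<namespace>`, which is the address the CSI node drivers and the join-service receive through their flags. On a Helm upgrade the old `kms` Service, DaemonSet, ServiceAccount and RBAC objects are removed and the new ones created, so any consumer still running with the old address cannot obtain data keys until it is rolled out with the new charts. Worth stating in the release notes and covering with an upgrade e2e test.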

View File

@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: kms name: keyservice
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}

View File

@ -4,7 +4,7 @@
"image": { "image": {
"description": "Container image to use for the spawned pods.", "description": "Container image to use for the spawned pods.",
"type": "string", "type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"] "examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"]
}, },
"masterSecret": { "masterSecret": {
"description": "Secret used to derive key material within the cluster", "description": "Secret used to derive key material within the cluster",

View File

@ -1,6 +1,6 @@
global: global:
# Port on which the KMS service will listen. Global since join-service also uses the value. # Port on which the KeyService will listen. Global since join-service also uses the value.
kmsPort: 9000 keyservicePort: 9000
# Path to which secrets/CMs are mounted. # Path to which secrets/CMs are mounted.
serviceBasePath: /var/config serviceBasePath: /var/config
# Name of the ConfigMap that holds measurements and other info. # Name of the ConfigMap that holds measurements and other info.
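Review bot: `global` now documents only `keyservicePort`, but the CSI subchart templates also read `global.keyserviceName` and `global.keyserviceNamespace`; the loader sets the namespace (empty, meaning the release namespace) and the name comes only from each vendored subchart's own defaults. Declaring both keys here as well, for example `keyserviceName: keyservice` and `keyserviceNamespace: ""` with a comment, would make the contract with the subcharts visible in one place and match the name hardcoded in the join-service template.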

View File

@ -52,7 +52,7 @@ const (
// ChartLoader loads embedded helm charts. // ChartLoader loads embedded helm charts.
type ChartLoader struct { type ChartLoader struct {
joinServiceImage string joinServiceImage string
kmsImage string keyserviceImage string
ccmImage string ccmImage string
cnmImage string cnmImage string
autoscalerImage string autoscalerImage string
@ -78,7 +78,7 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion)
return &ChartLoader{ return &ChartLoader{
joinServiceImage: versions.JoinImage, joinServiceImage: versions.JoinImage,
kmsImage: versions.KmsImage, keyserviceImage: versions.KeyServiceImage,
ccmImage: ccmImage, ccmImage: ccmImage,
cnmImage: cnmImage, cnmImage: cnmImage,
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage, autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
@ -359,13 +359,14 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
csp := config.GetProvider() csp := config.GetProvider()
values := map[string]any{ values := map[string]any{
"global": map[string]any{ "global": map[string]any{
"kmsPort": constants.KMSPort, "keyservicePort": constants.KeyservicePort,
"keyserviceNamespace": "", // empty namespace means we use the release namespace
"serviceBasePath": constants.ServiceBasePath, "serviceBasePath": constants.ServiceBasePath,
"joinConfigCMName": constants.JoinConfigMap, "joinConfigCMName": constants.JoinConfigMap,
"internalCMName": constants.InternalConfigMap, "internalCMName": constants.InternalConfigMap,
}, },
"kms": map[string]any{ "keyservice": map[string]any{
"image": i.kmsImage, "image": i.keyserviceImage,
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret), "masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
"salt": base64.StdEncoding.EncodeToString(salt), "salt": base64.StdEncoding.EncodeToString(salt),
"saltKeyName": constants.ConstellationSaltKey, "saltKeyName": constants.ConstellationSaltKey,
@ -420,13 +421,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
"deployCSIDriver": config.DeployCSIDriver(), "deployCSIDriver": config.DeployCSIDriver(),
} }
values["azuredisk-csi-driver"] = map[string]any{
"node": map[string]any{
"kmsPort": constants.KMSPort,
"kmsNamespace": "", // empty namespace means we use the release namespace
},
}
values["tags"] = map[string]any{ values["tags"] = map[string]any{
"Azure": true, "Azure": true,
} }
@ -444,13 +438,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
"deployCSIDriver": config.DeployCSIDriver(), "deployCSIDriver": config.DeployCSIDriver(),
} }
values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
"csiNode": map[string]any{
"kmsPort": constants.KMSPort,
"kmsNamespace": "", // empty namespace means we use the release namespace
},
}
values["tags"] = map[string]any{ values["tags"] = map[string]any{
"GCP": true, "GCP": true,
} }

View File

@ -90,7 +90,7 @@ func TestConstellationServices(t *testing.T) {
chartLoader := ChartLoader{ chartLoader := ChartLoader{
joinServiceImage: "joinServiceImage", joinServiceImage: "joinServiceImage",
kmsImage: "kmsImage", keyserviceImage: "keyserviceImage",
ccmImage: tc.ccmImage, ccmImage: tc.ccmImage,
cnmImage: tc.cnmImage, cnmImage: tc.cnmImage,
autoscalerImage: "autoscalerImage", autoscalerImage: "autoscalerImage",
@ -159,7 +159,7 @@ func TestOperators(t *testing.T) {
chartLoader := ChartLoader{ chartLoader := ChartLoader{
joinServiceImage: "joinServiceImage", joinServiceImage: "joinServiceImage",
kmsImage: "kmsImage", keyserviceImage: "keyserviceImage",
ccmImage: "ccmImage", ccmImage: "ccmImage",
cnmImage: "cnmImage", cnmImage: "cnmImage",
autoscalerImage: "autoscalerImage", autoscalerImage: "autoscalerImage",
@ -301,11 +301,8 @@ func prepareGCPValues(values map[string]any) error {
testTag := "v0.0.0" testTag := "v0.0.0"
pullPolicy := "IfNotPresent" pullPolicy := "IfNotPresent"
csiVals, ok := values["gcp-compute-persistent-disk-csi-driver"].(map[string]any) values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
if !ok { "image": map[string]any{
return errors.New("missing 'gcp-compute-persistent-disk-csi-driver' key")
}
csiVals["image"] = map[string]any{
"csiProvisioner": map[string]any{ "csiProvisioner": map[string]any{
"repo": "csi-provisioner", "repo": "csi-provisioner",
"tag": testTag, "tag": testTag,
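Review bot: the removed `csiVals, ok := ...` check and its `errors.New(...)` call are the only use of the `errors` package visible in these hunks; if nothing else in the file references it, the test no longer compiles (`imported and not used`), so check the import block. Building the whole `gcp-compute-persistent-disk-csi-driver` map inside the test is consistent with the loader no longer creating that key.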
@ -336,6 +333,7 @@ func prepareGCPValues(values map[string]any) error {
"tag": testTag, "tag": testTag,
"pullPolicy": pullPolicy, "pullPolicy": pullPolicy,
}, },
},
} }
verificationVals, ok := values["verification-service"].(map[string]any) verificationVals, ok := values["verification-service"].(map[string]any)

View File

@ -107,7 +107,7 @@ spec:
- "--allow-empty-cloud-config=true" - "--allow-empty-cloud-config=true"
- "--support-zone=true" - "--support-zone=true"
- "--get-node-info-from-labels=false" - "--get-node-info-from-labels=false"
- "--kms-addr=kms.testNamespace:9000" - "--kms-addr=keyservice.testNamespace:9000"
ports: ports:
- containerPort: 29603 - containerPort: 29603
name: healthz name: healthz

View File

@ -38,7 +38,7 @@ spec:
image: joinServiceImage image: joinServiceImage
args: args:
- --cloud-provider=Azure - --cloud-provider=Azure
- --kms-endpoint=kms.testNamespace:9000 - --keyservice-endpoint=keyservice.testNamespace:9000
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config

View File

@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
name: kms name: keyservice
rules: rules:
- apiGroups: - apiGroups:
- "" - ""

View File

@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: kms name: keyservice
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: kms name: keyservice
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace

View File

@ -2,23 +2,23 @@ apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
labels: labels:
component: kms component: keyservice
k8s-app: kms k8s-app: keyservice
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace
spec: spec:
selector: selector:
matchLabels: matchLabels:
k8s-app: kms k8s-app: keyservice
template: template:
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
spec: spec:
containers: containers:
- name: kms - name: keyservice
image: kmsImage image: keyserviceImage
args: args:
- --port=9000 - --port=9000
volumeMounts: volumeMounts:
@ -29,7 +29,7 @@ spec:
nodeSelector: nodeSelector:
node-role.kubernetes.io/control-plane: "" node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: kms serviceAccountName: keyservice
tolerations: tolerations:
- key: CriticalAddonsOnly - key: CriticalAddonsOnly
operator: Exists operator: Exists

View File

@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace
spec: spec:
ports: ports:
@ -10,7 +10,7 @@ spec:
protocol: TCP protocol: TCP
targetPort: 9000 targetPort: 9000
selector: selector:
k8s-app: kms k8s-app: keyservice
type: ClusterIP type: ClusterIP
status: status:
loadBalancer: {} loadBalancer: {}

View File

@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace

View File

@ -41,7 +41,7 @@ spec:
- "--v=5" - "--v=5"
- "--endpoint=unix:/csi/csi.sock" - "--endpoint=unix:/csi/csi.sock"
- "--run-controller-service=false" - "--run-controller-service=false"
- "--kms-addr=kms.testNamespace:9000" - "--kms-addr=keyservice.testNamespace:9000"
securityContext: securityContext:
privileged: true privileged: true
volumeMounts: volumeMounts:

View File

@ -38,7 +38,7 @@ spec:
image: joinServiceImage image: joinServiceImage
args: args:
- --cloud-provider=GCP - --cloud-provider=GCP
- --kms-endpoint=kms.testNamespace:9000 - --keyservice-endpoint=keyservice.testNamespace:9000
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config

View File

@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
name: kms name: keyservice
rules: rules:
- apiGroups: - apiGroups:
- "" - ""

View File

@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: kms name: keyservice
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: kms name: keyservice
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace

View File

@ -2,23 +2,23 @@ apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
labels: labels:
component: kms component: keyservice
k8s-app: kms k8s-app: keyservice
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace
spec: spec:
selector: selector:
matchLabels: matchLabels:
k8s-app: kms k8s-app: keyservice
template: template:
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
spec: spec:
containers: containers:
- name: kms - name: keyservice
image: kmsImage image: keyserviceImage
args: args:
- --port=9000 - --port=9000
volumeMounts: volumeMounts:
@ -29,7 +29,7 @@ spec:
nodeSelector: nodeSelector:
node-role.kubernetes.io/control-plane: "" node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: kms serviceAccountName: keyservice
tolerations: tolerations:
- key: CriticalAddonsOnly - key: CriticalAddonsOnly
operator: Exists operator: Exists

View File

@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace
spec: spec:
ports: ports:
@ -10,7 +10,7 @@ spec:
protocol: TCP protocol: TCP
targetPort: 9000 targetPort: 9000
selector: selector:
k8s-app: kms k8s-app: keyservice
type: ClusterIP type: ClusterIP
status: status:
loadBalancer: {} loadBalancer: {}

View File

@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace

View File

@ -38,7 +38,7 @@ spec:
image: joinServiceImage image: joinServiceImage
args: args:
- --cloud-provider=QEMU - --cloud-provider=QEMU
- --kms-endpoint=kms.testNamespace:9000 - --keyservice-endpoint=keyservice.testNamespace:9000
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config

View File

@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
name: kms name: keyservice
rules: rules:
- apiGroups: - apiGroups:
- "" - ""

View File

@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: kms name: keyservice
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: kms name: keyservice
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace

View File

@ -2,23 +2,23 @@ apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
labels: labels:
component: kms component: keyservice
k8s-app: kms k8s-app: keyservice
kubernetes.io/cluster-service: "true" kubernetes.io/cluster-service: "true"
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace
spec: spec:
selector: selector:
matchLabels: matchLabels:
k8s-app: kms k8s-app: keyservice
template: template:
metadata: metadata:
labels: labels:
k8s-app: kms k8s-app: keyservice
spec: spec:
containers: containers:
- name: kms - name: keyservice
image: kmsImage image: keyserviceImage
args: args:
- --port=9000 - --port=9000
volumeMounts: volumeMounts:
@ -29,7 +29,7 @@ spec:
nodeSelector: nodeSelector:
node-role.kubernetes.io/control-plane: "" node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
serviceAccountName: kms serviceAccountName: keyservice
tolerations: tolerations:
- key: CriticalAddonsOnly - key: CriticalAddonsOnly
operator: Exists operator: Exists

View File

@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace
spec: spec:
ports: ports:
@ -10,7 +10,7 @@ spec:
protocol: TCP protocol: TCP
targetPort: 9000 targetPort: 9000
selector: selector:
k8s-app: kms k8s-app: keyservice
type: ClusterIP type: ClusterIP
status: status:
loadBalancer: {} loadBalancer: {}

View File

@ -1,5 +1,5 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: kms name: keyservice
namespace: testNamespace namespace: testNamespace

View File

@ -48,8 +48,8 @@ download_chart() {
## GCP CSI Driver ## GCP CSI Driver
# TODO: clone from main branch once we rebase on upstream # TODO: clone from main branch once we rebase on upstream
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.0" "charts" "gcp-compute-persistent-disk-csi-driver" download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.1" "charts" "gcp-compute-persistent-disk-csi-driver"
## Azure CSI Driver ## Azure CSI Driver
# TODO: clone from main branch once we rebase on upstream # TODO: clone from main branch once we rebase on upstream
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.0" "charts/edgeless" "azuredisk-csi-driver" download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.1" "charts/edgeless" "azuredisk-csi-driver"
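Review bot: bumping the download tags from v1.1.0 to v1.1.1 is what brings in the CSI chart template changes shown above (`.Values.global.keyserviceName` and friends), so the charts vendored into this commit must be exactly the v1.1.1 contents. Please confirm they were regenerated with this script rather than edited by hand, so a later re-run does not silently revert the `--kms-addr` templates.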

View File

@ -10,7 +10,7 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/edgelesssys/constellation/v2/kms/kmsproto" "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure" "google.golang.org/grpc/credentials/insecure"
) )
@ -39,7 +39,7 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int
res, err := k.kms.GetDataKey( res, err := k.kms.GetDataKey(
ctx, ctx,
&kmsproto.GetDataKeyRequest{ &keyserviceproto.GetDataKeyRequest{
DataKeyId: dekID, DataKeyId: dekID,
Length: uint32(dekSize), Length: uint32(dekSize),
}, },
@ -53,11 +53,11 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int
} }
type kmsClient interface { type kmsClient interface {
GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error)
} }
type constellationKMSClient struct{} type constellationKMSClient struct{}
func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req) return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req)
} }
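Review bot: only the import path and proto package change here; `ConstellationKMS`, `kmsClient`, `constellationKMSClient` and the `k.kms` field keep the KMS name although, by the commit message's own definition, this client talks to the keyservice and not to a KMS. Either rename them along with the package or add a doc comment on `ConstellationKMS` stating that it is a keyservice client, so the distinction this commit introduces does not blur again in this file.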

View File

@ -11,7 +11,7 @@ import (
"errors" "errors"
"testing" "testing"
"github.com/edgelesssys/constellation/v2/kms/kmsproto" "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"go.uber.org/goleak" "go.uber.org/goleak"
"google.golang.org/grpc" "google.golang.org/grpc"
@ -27,8 +27,8 @@ type stubKMSClient struct {
dataKey []byte dataKey []byte
} }
func (c *stubKMSClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { func (c *stubKMSClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
} }
func TestConstellationKMS(t *testing.T) { func TestConstellationKMS(t *testing.T) {

View File

@ -5,7 +5,7 @@ Core components:
* [cli](/cli): The CLI is used to manage a Constellation cluster * [cli](/cli): The CLI is used to manage a Constellation cluster
* [bootstrapper](/bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node * [bootstrapper](/bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
* [image](/image): Build files for the Constellation disk image * [image](/image): Build files for the Constellation disk image
* [kms](/kms): Constellation's key management client and server * [keyservice](/keyservice): Constellation's key management client and server
* [csi](/csi): Package used by CSI plugins to create and mount encrypted block devices * [csi](/csi): Package used by CSI plugins to create and mount encrypted block devices
* [disk-mapper](/disk-mapper): Contains the disk-mapper that maps the encrypted node data disk during boot * [disk-mapper](/disk-mapper): Contains the disk-mapper that maps the encrypted node data disk during boot
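Review bot: the README entry still describes the renamed directory as "Constellation's key management client and server", which is the wording the commit message calls misleading (the keyservice does not manage keys itself but talks to a KMS backend). Suggest "Constellation's KeyService client and server, which obtain key material from a KMS backend" or similar.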

View File

@ -7,7 +7,7 @@ These features are provided by several components:
* The [Bootstrapper](components.md#bootstrapper) initializes a Constellation node and bootstraps the cluster * The [Bootstrapper](components.md#bootstrapper) initializes a Constellation node and bootstraps the cluster
* The [JoinService](components.md#joinservice) joins new nodes to an existing cluster * The [JoinService](components.md#joinservice) joins new nodes to an existing cluster
* The [VerificationService](components.md#verificationservice) provides remote attestation functionality * The [VerificationService](components.md#verificationservice) provides remote attestation functionality
* The [Key Management Service (KMS)](components.md#kms) manages Constellation-internal keys * The [KeyService](components.md#keyservice) manages Constellation-internal keys
The relations between components are shown in the following diagram: The relations between components are shown in the following diagram:
@ -22,7 +22,7 @@ flowchart LR
end end
subgraph Kubernetes subgraph Kubernetes
D[JoinService] D[JoinService]
E[KMS] E[KeyService]
F[VerificationService] F[VerificationService]
end end
A -- deploys --> A -- deploys -->
@ -45,7 +45,7 @@ Otherwise, it waits for an initialization request to create a new Kubernetes clu
The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node. The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node.
New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls). New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
The *JoinService* verifies the new node's certificate and attestation statement. The *JoinService* verifies the new node's certificate and attestation statement.
If attestation is successful, the new node is supplied with an encryption key from the [*KMS*](components.md#kms) for its state disk, and a Kubernetes bootstrap token. If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](components.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
```mermaid ```mermaid
@ -55,8 +55,8 @@ sequenceDiagram
New node->>JoinService: aTLS handshake (server side verification) New node->>JoinService: aTLS handshake (server side verification)
JoinService-->>New node: # JoinService-->>New node: #
New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane) New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
JoinService->>+KMS: GetDataKey(DiskUUID) JoinService->>+KeyService: GetDataKey(DiskUUID)
KMS-->>-JoinService: DiskEncryptionKey KeyService-->>-JoinService: DiskEncryptionKey
JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ... JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
``` ```
@ -66,8 +66,8 @@ The *VerificationService* runs as DaemonSet on each node.
It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation). It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side. Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
## KMS ## KeyService
The *KMS* runs as DaemonSet on each control-plane node. The *KeyService* runs as DaemonSet on each control-plane node.
It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes. It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KMS* holds the key encryption key (KEK) directly or calls an external service for key derivation respectively. Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.
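Review bot: the last line of the hunk keeps the pre-existing typo "wether" (should be "whether") on both sides of the diff; since the line is being touched anyway, fix it here. The same paragraph still says the KeyService "implements the key management for the storage encryption keys", which reads against the commit message's distinction that the keyservice does not manage keys itself; "derives the storage encryption keys" or "serves the storage encryption keys" would match the new terminology.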

View File

@ -28,7 +28,7 @@ All cryptographic operations happen inside the trusted environment of the confid
Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported. Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KMS*](components.md#kms). By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](components.md#keyservice).
The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret). The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator. This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.

View File

@ -44,8 +44,8 @@ const (
VerifyServiceNodePortHTTP = 30080 VerifyServiceNodePortHTTP = 30080
// VerifyServiceNodePortGRPC GRPC node port for verification service. // VerifyServiceNodePortGRPC GRPC node port for verification service.
VerifyServiceNodePortGRPC = 30081 VerifyServiceNodePortGRPC = 30081
// KMSPort is the port the KMS server listens on. // KeyservicePort is the port the KMS server listens on.
KMSPort = 9000 KeyservicePort = 9000
// BootstrapperPort port of bootstrapper. // BootstrapperPort port of bootstrapper.
BootstrapperPort = 9000 BootstrapperPort = 9000
// KubernetesPort port for Kubernetes API. // KubernetesPort port for Kubernetes API.
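Review bot: the doc comment on the renamed constant still reads "KeyservicePort is the port the KMS server listens on", so the comment and the identifier now disagree about which component listens there; change it to "the port the keyservice listens on". Also note the casing: this hunk introduces `KeyservicePort` while the versions hunk in the same commit introduces `KeyServiceImage`; pick one form for both exported identifiers.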

View File

@ -57,9 +57,9 @@ const (
// KonnectivityServerImage server image for konnectivity service. // KonnectivityServerImage server image for konnectivity service.
KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.35@sha256:d863f7fd0da4392b9753dc6c9195a658e80d70e0be8c9adb410d77cf20b75c76" // renovate:container KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.35@sha256:d863f7fd0da4392b9753dc6c9195a658e80d70e0be8c9adb410d77cf20b75c76" // renovate:container
// JoinImage image of Constellation join service. // JoinImage image of Constellation join service.
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:5fb9592e2777bfd54b460c09761a1d7fbcd47bad73efafc429b5fa88a0bf98fe" // renovate:container JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container
// KmsImage image of Constellation KMS server. // KeyServiceImage image of Constellation KeyService server.
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:962ab2575028c3bd3b0ab97a572f4af96075ac031776b17bb2188aa2c40e12f3" // renovate:container KeyServiceImage = "ghcr.io/edgelesssys/constellation/keyservice:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container
// VerificationImage image of Constellation verification service. // VerificationImage image of Constellation verification service.
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:43fd9d3494538d94f584dbcfa6d4fd82cadefe3e4fdaa33e9ffb19d8f6b98b94" // renovate:container VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:43fd9d3494538d94f584dbcfa6d4fd82cadefe3e4fdaa33e9ffb19d8f6b98b94" // renovate:container
// GcpGuestImage image for GCP guest agent. // GcpGuestImage image for GCP guest agent.
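Review bot: the new `JoinImage` and `KeyServiceImage` references drop the `@sha256:` digest that the old values and the untouched `VerificationImage` line still carry, so these two images are now pinned by tag only. A tag is mutable, so the deployed image can change without a code change and can no longer be checked against a known digest; re-add the digest pin for both (renovate will keep updating it), or state in the commit message why these two are intentionally unpinned.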

View File

@ -34,7 +34,7 @@ sequenceDiagram
### [internal/kms](./internal/kms/) ### [internal/kms](./internal/kms/)
Implements interaction with Constellation's key management service. Implements interaction with Constellation's keyservice.
This is needed for fetching data encryption keys for joining nodes. This is needed for fetching data encryption keys for joining nodes.
### [internal/kubeadm](./internal/kubeadm/) ### [internal/kubeadm](./internal/kubeadm/)
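Review bot: the heading still points at `./internal/kms/` while the description under it now says "keyservice". Either this package also gets renamed to `internal/keyservice` in this commit, or the description should say that this is the client package for the keyservice so readers are not sent looking for a directory that uses the name the commit is retiring. Also "keyservice" here versus "KeyService" in the docs hunks: pick one spelling for prose.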

View File

@ -40,7 +40,7 @@ const vpcIPTimeout = 30 * time.Second
func main() { func main() {
provider := flag.String("cloud-provider", "", "cloud service provider this binary is running on") provider := flag.String("cloud-provider", "", "cloud service provider this binary is running on")
kmsEndpoint := flag.String("kms-endpoint", "", "endpoint of Constellations key management service") keyserviceEndpoint := flag.String("keyservice-endpoint", "", "endpoint of Constellations key management service")
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription) verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
flag.Parse() flag.Parse()
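Review bot: renaming the flag from `kms-endpoint` to `keyservice-endpoint` is a breaking change for whatever launches this binary (DaemonSet manifests, Helm values, systemd units); those must be updated in the same commit or the service will fail to start with an unknown-flag error. Also, the help text still reads "endpoint of Constellations key management service": fix the missing apostrophe and use the new name, e.g. "endpoint of Constellation's keyservice".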
@ -78,7 +78,7 @@ func main() {
if err != nil { if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to create kubeadm") log.With(zap.Error(err)).Fatalf("Failed to create kubeadm")
} }
kms := kms.New(log.Named("kms"), *kmsEndpoint) keyserviceClient := kms.New(log.Named("keyserviceClient"), *keyserviceEndpoint)
measurementSalt, err := handler.Read(filepath.Join(constants.ServiceBasePath, constants.MeasurementSaltFilename)) measurementSalt, err := handler.Read(filepath.Join(constants.ServiceBasePath, constants.MeasurementSaltFilename))
if err != nil { if err != nil {
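Review bot: `log.Named("keyserviceClient")` uses the Go variable name as the logger name, whereas the surrounding loggers are named after the component ("server", "certificateAuthority", and previously "kms"). Use `log.Named("keyservice")` so log lines identify the component rather than the local variable.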
@ -89,7 +89,7 @@ func main() {
measurementSalt, measurementSalt,
kubernetesca.New(log.Named("certificateAuthority"), handler), kubernetesca.New(log.Named("certificateAuthority"), handler),
kubeadm, kubeadm,
kms, keyserviceClient,
log.Named("server"), log.Named("server"),
) )
if err != nil { if err != nil {

View File

@ -11,13 +11,13 @@ import (
"fmt" "fmt"
"github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kmsproto" "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"go.uber.org/zap" "go.uber.org/zap"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure" "google.golang.org/grpc/credentials/insecure"
) )
// Client interacts with Constellation's key management service. // Client interacts with Constellation's keyservice.
type Client struct { type Client struct {
log *logger.Logger log *logger.Logger
endpoint string endpoint string
@ -48,7 +48,7 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt
log.Infof("Requesting data key") log.Infof("Requesting data key")
res, err := c.grpc.GetDataKey( res, err := c.grpc.GetDataKey(
ctx, ctx,
&kmsproto.GetDataKeyRequest{ &keyserviceproto.GetDataKeyRequest{
DataKeyId: keyID, DataKeyId: keyID,
Length: uint32(length), Length: uint32(length),
}, },
@ -63,11 +63,11 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt
} }
type grpcClient interface { type grpcClient interface {
GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error)
} }
type client struct{} type client struct{}
func (c client) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { func (c client) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req) return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req)
} }

View File

@ -12,7 +12,7 @@ import (
"testing" "testing"
"github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kmsproto" "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"go.uber.org/goleak" "go.uber.org/goleak"
"google.golang.org/grpc" "google.golang.org/grpc"
@ -24,8 +24,8 @@ type stubClient struct {
dataKey []byte dataKey []byte
} }
func (c *stubClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) { func (c *stubClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
} }
func TestMain(m *testing.M) { func TestMain(m *testing.M) {

View File

@ -22,10 +22,10 @@ RUN rm -rf ./hack/
# Build # Build
RUN mkdir -p /constellation/build RUN mkdir -p /constellation/build
WORKDIR /constellation/kms/cmd WORKDIR /constellation/keyservice/cmd
ARG PROJECT_VERSION=0.0.0 ARG PROJECT_VERSION=0.0.0
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/kmsserver -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}" RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/keyservice -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}"
FROM gcr.io/distroless/static:nonroot@sha256:1fa522fe6cfe020d50341f1ca561c099487bd44f8eb98d25d1920b07e05e40be as release FROM gcr.io/distroless/static:nonroot@sha256:1fa522fe6cfe020d50341f1ca561c099487bd44f8eb98d25d1920b07e05e40be as release
COPY --from=build /constellation/build/kmsserver /kmsserver COPY --from=build /constellation/build/keyservice /keyservice
ENTRYPOINT ["/kmsserver"] ENTRYPOINT ["/keyservice"]
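Review bot: the build output and `ENTRYPOINT` move from `/kmsserver` to `/keyservice`. Any Kubernetes manifest or chart that sets `command:` to `/kmsserver`, and any probe or debugging doc referencing that path, will break at the same time, so this hunk should land together with the manifest changes. The distroless base stays pinned by digest, which is good; keep it that way.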

View File

@ -19,14 +19,14 @@ import (
"github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/file" "github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/internal/server" "github.com/edgelesssys/constellation/v2/keyservice/internal/server"
"github.com/edgelesssys/constellation/v2/kms/setup" "github.com/edgelesssys/constellation/v2/keyservice/setup"
"github.com/spf13/afero" "github.com/spf13/afero"
"go.uber.org/zap" "go.uber.org/zap"
) )
func main() { func main() {
port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on") port := flag.String("port", strconv.Itoa(constants.KeyservicePort), "Port gRPC server listens on")
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret") masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationSaltKey), "Path to the Constellation salt") saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationSaltKey), "Path to the Constellation salt")
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription) verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
@ -66,7 +66,7 @@ func main() {
log.With(zap.Error(err)).Fatalf("Failed to create KMS KEK from MasterKey") log.With(zap.Error(err)).Fatalf("Failed to create KMS KEK from MasterKey")
} }
if err := server.New(log.Named("kms"), conKMS).Run(*port); err != nil { if err := server.New(log.Named("keyservice"), conKMS).Run(*port); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to run KMS server") log.With(zap.Error(err)).Fatalf("Failed to run keyservice server")
} }
} }

View File

@ -6,10 +6,10 @@ It's intendet for the Constellation CSI Plugins and the CLI.
## KMS ## KMS
The Cloud KMS is where we store our key encryption key (KEK). The Cloud KMS is where we store our key encryption key (KEK).
It should be initiated by the CLI and provided with a key release policy. The KMS should be initiated by the CLI and provided with a key release policy.
The CSP Plugin can request to encrypt data encryption keys (DEK) with the DEK to safely store them on persistent memory. The CSP Plugin can request to encrypt data encryption keys (DEK) with the KEK to safely store the DEKs in persistent storage.
The [kms](../kms/) package interacts with the Cloud KMS APIs. The [kms](../kms/) package interacts with the Cloud KMS APIs.
Currently planned are KMS are: Support is planed for:
* AWS KMS * AWS KMS
* GCP CKM * GCP CKM
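Review bot: the rewritten line "Support is planed for:" introduces a typo ("planned") and looks stale: elsewhere in this same commit the `keyservice/kms/aws`, `keyservice/kms/azure` and `keyservice/kms/gcp` packages are imported by tests, so these backends are implemented, not planned. Also "The CSP Plugin can request ..." should read "CSI Plugin" to match the hunk header ("intended for the Constellation CSI Plugins"), and "intendet" in that header is worth fixing while the file is open.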

View File

@ -15,8 +15,8 @@ import (
"github.com/edgelesssys/constellation/v2/internal/crypto" "github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/grpc/grpclog" "github.com/edgelesssys/constellation/v2/internal/grpc/grpclog"
"github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kms" "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/edgelesssys/constellation/v2/kms/kmsproto" "github.com/edgelesssys/constellation/v2/keyservice/kms"
"go.uber.org/zap" "go.uber.org/zap"
"go.uber.org/zap/zapcore" "go.uber.org/zap/zapcore"
"google.golang.org/grpc" "google.golang.org/grpc"
@ -30,7 +30,7 @@ import (
type Server struct { type Server struct {
log *logger.Logger log *logger.Logger
conKMS kms.CloudKMS conKMS kms.CloudKMS
kmsproto.UnimplementedAPIServer keyserviceproto.UnimplementedAPIServer
} }
// New creates a new Server. // New creates a new Server.
@ -50,7 +50,7 @@ func (s *Server) Run(port string) error {
} }
server := grpc.NewServer(s.log.Named("gRPC").GetServerUnaryInterceptor()) server := grpc.NewServer(s.log.Named("gRPC").GetServerUnaryInterceptor())
kmsproto.RegisterAPIServer(server, s) keyserviceproto.RegisterAPIServer(server, s)
s.log.Named("gRPC").WithIncreasedLevel(zapcore.WarnLevel).ReplaceGRPCLogger() s.log.Named("gRPC").WithIncreasedLevel(zapcore.WarnLevel).ReplaceGRPCLogger()
// start the server // start the server
@ -59,7 +59,7 @@ func (s *Server) Run(port string) error {
} }
// GetDataKey returns a data key. // GetDataKey returns a data key.
func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) { func (s *Server) GetDataKey(ctx context.Context, in *keyserviceproto.GetDataKeyRequest) (*keyserviceproto.GetDataKeyResponse, error) {
log := s.log.With("peerAddress", grpclog.PeerAddrFromContext(ctx)) log := s.log.With("peerAddress", grpclog.PeerAddrFromContext(ctx))
// Error on 0 key length // Error on 0 key length
@ -79,5 +79,5 @@ func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest)
log.With(zap.Error(err)).Errorf("Failed to get data key") log.With(zap.Error(err)).Errorf("Failed to get data key")
return nil, status.Errorf(codes.Internal, "%v", err) return nil, status.Errorf(codes.Internal, "%v", err)
} }
return &kmsproto.GetDataKeyResponse{DataKey: key}, nil return &keyserviceproto.GetDataKeyResponse{DataKey: key}, nil
} }

View File

@ -12,7 +12,7 @@ import (
"testing" "testing"
"github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kmsproto" "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"go.uber.org/goleak" "go.uber.org/goleak"
@ -31,23 +31,23 @@ func TestGetDataKey(t *testing.T) {
kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}} kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}}
api := New(log, kms) api := New(log, kms)
res, err := api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) res, err := api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
require.NoError(err) require.NoError(err)
assert.Equal(kms.derivedKey, res.DataKey) assert.Equal(kms.derivedKey, res.DataKey)
// Test no data key id // Test no data key id
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{Length: 32}) res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{Length: 32})
require.Error(err) require.Error(err)
assert.Nil(res) assert.Nil(res)
// Test no / zero key length // Test no / zero key length
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1"}) res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"})
require.Error(err) require.Error(err)
assert.Nil(res) assert.Nil(res)
// Test derive key error // Test derive key error
api = New(log, &stubKMS{deriveKeyErr: errors.New("error")}) api = New(log, &stubKMS{deriveKeyErr: errors.New("error")})
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32}) res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
assert.Error(err) assert.Error(err)
assert.Nil(res) assert.Nil(res)
} }

View File

@ -16,7 +16,7 @@ import (
awsconfig "github.com/aws/aws-sdk-go-v2/config" awsconfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types" "github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
) )
type awsS3ClientAPI interface { type awsS3ClientAPI interface {

View File

@ -16,7 +16,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob" "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror" "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container" "github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
) )
type azureBlobAPI interface { type azureBlobAPI interface {

View File

@ -19,9 +19,9 @@ import (
"github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/s3" "github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types" "github.com/aws/aws-sdk-go-v2/service/s3/types"
kmsconfig "github.com/edgelesssys/constellation/v2/kms/internal/config" kmsconfig "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
awsInterface "github.com/edgelesssys/constellation/v2/kms/kms/aws" awsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms/aws"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )

View File

@ -13,9 +13,9 @@ import (
"testing" "testing"
"time" "time"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms/azure" "github.com/edgelesssys/constellation/v2/keyservice/kms/azure"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )

View File

@ -14,9 +14,9 @@ import (
"time" "time"
"cloud.google.com/go/kms/apiv1/kmspb" "cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms/gcp" "github.com/edgelesssys/constellation/v2/keyservice/kms/gcp"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )

View File

@ -2,9 +2,9 @@
// versions: // versions:
// protoc-gen-go v1.28.1 // protoc-gen-go v1.28.1
// protoc v3.21.8 // protoc v3.21.8
// source: kms.proto // source: keyservice.proto
package kmsproto package keyserviceproto
import ( import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoreflect "google.golang.org/protobuf/reflect/protoreflect"
@ -32,7 +32,7 @@ type GetDataKeyRequest struct {
func (x *GetDataKeyRequest) Reset() { func (x *GetDataKeyRequest) Reset() {
*x = GetDataKeyRequest{} *x = GetDataKeyRequest{}
if protoimpl.UnsafeEnabled { if protoimpl.UnsafeEnabled {
mi := &file_kms_proto_msgTypes[0] mi := &file_keyservice_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi) ms.StoreMessageInfo(mi)
} }
@ -45,7 +45,7 @@ func (x *GetDataKeyRequest) String() string {
func (*GetDataKeyRequest) ProtoMessage() {} func (*GetDataKeyRequest) ProtoMessage() {}
func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message { func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
mi := &file_kms_proto_msgTypes[0] mi := &file_keyservice_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil { if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil { if ms.LoadMessageInfo() == nil {
@ -58,7 +58,7 @@ func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
// Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead. // Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead.
func (*GetDataKeyRequest) Descriptor() ([]byte, []int) { func (*GetDataKeyRequest) Descriptor() ([]byte, []int) {
return file_kms_proto_rawDescGZIP(), []int{0} return file_keyservice_proto_rawDescGZIP(), []int{0}
} }
func (x *GetDataKeyRequest) GetDataKeyId() string { func (x *GetDataKeyRequest) GetDataKeyId() string {
@ -86,7 +86,7 @@ type GetDataKeyResponse struct {
func (x *GetDataKeyResponse) Reset() { func (x *GetDataKeyResponse) Reset() {
*x = GetDataKeyResponse{} *x = GetDataKeyResponse{}
if protoimpl.UnsafeEnabled { if protoimpl.UnsafeEnabled {
mi := &file_kms_proto_msgTypes[1] mi := &file_keyservice_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi) ms.StoreMessageInfo(mi)
} }
@ -99,7 +99,7 @@ func (x *GetDataKeyResponse) String() string {
func (*GetDataKeyResponse) ProtoMessage() {} func (*GetDataKeyResponse) ProtoMessage() {}
func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message { func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
mi := &file_kms_proto_msgTypes[1] mi := &file_keyservice_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil { if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil { if ms.LoadMessageInfo() == nil {
@ -112,7 +112,7 @@ func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
// Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead. // Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead.
func (*GetDataKeyResponse) Descriptor() ([]byte, []int) { func (*GetDataKeyResponse) Descriptor() ([]byte, []int) {
return file_kms_proto_rawDescGZIP(), []int{1} return file_keyservice_proto_rawDescGZIP(), []int{1}
} }
func (x *GetDataKeyResponse) GetDataKey() []byte { func (x *GetDataKeyResponse) GetDataKey() []byte {
@ -122,47 +122,48 @@ func (x *GetDataKeyResponse) GetDataKey() []byte {
return nil return nil
} }
var File_kms_proto protoreflect.FileDescriptor var File_keyservice_proto protoreflect.FileDescriptor
var file_kms_proto_rawDesc = []byte{ var file_keyservice_proto_rawDesc = []byte{
0x0a, 0x09, 0x6b, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73, 0x0a, 0x10, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f,
0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61,
0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b,
0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06,
0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65,
0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b,
0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61,
0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61,
0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a,
0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73,
0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61,
0x6f, 0x6e, 0x73, 0x65, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a, 0x42, 0x67,
0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65,
0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74,
0x6b, 0x6d, 0x73, 0x2f, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
0x6f, 0x74, 0x6f, 0x33, 0x65, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (
file_kms_proto_rawDescOnce sync.Once file_keyservice_proto_rawDescOnce sync.Once
file_kms_proto_rawDescData = file_kms_proto_rawDesc file_keyservice_proto_rawDescData = file_keyservice_proto_rawDesc
) )
func file_kms_proto_rawDescGZIP() []byte { func file_keyservice_proto_rawDescGZIP() []byte {
file_kms_proto_rawDescOnce.Do(func() { file_keyservice_proto_rawDescOnce.Do(func() {
file_kms_proto_rawDescData = protoimpl.X.CompressGZIP(file_kms_proto_rawDescData) file_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_proto_rawDescData)
}) })
return file_kms_proto_rawDescData return file_keyservice_proto_rawDescData
} }
var file_kms_proto_msgTypes = make([]protoimpl.MessageInfo, 2) var file_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_kms_proto_goTypes = []interface{}{ var file_keyservice_proto_goTypes = []interface{}{
(*GetDataKeyRequest)(nil), // 0: kms.GetDataKeyRequest (*GetDataKeyRequest)(nil), // 0: kms.GetDataKeyRequest
(*GetDataKeyResponse)(nil), // 1: kms.GetDataKeyResponse (*GetDataKeyResponse)(nil), // 1: kms.GetDataKeyResponse
} }
var file_kms_proto_depIdxs = []int32{ var file_keyservice_proto_depIdxs = []int32{
0, // 0: kms.API.GetDataKey:input_type -> kms.GetDataKeyRequest 0, // 0: kms.API.GetDataKey:input_type -> kms.GetDataKeyRequest
1, // 1: kms.API.GetDataKey:output_type -> kms.GetDataKeyResponse 1, // 1: kms.API.GetDataKey:output_type -> kms.GetDataKeyResponse
1, // [1:2] is the sub-list for method output_type 1, // [1:2] is the sub-list for method output_type
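Review bot: the regenerated raw descriptor differs from the old one only in the FileOptions go_package string: `0x42, 0x36, 0x5a, 0x34` becomes `0x42, 0x44, 0x5a, 0x42`, i.e. the option payload grows from 52 to 66 bytes, exactly the length difference between `.../kms/kmsproto` and `.../keyservice/keyserviceproto`; the `.kms.` type-name prefix bytes (0x2e, 0x6b, 0x6d, 0x73) and the `kms.GetDataKeyRequest` / `kms.API` comments in goTypes and depIdxs are unchanged. That is the expected output of a protoc run with the new go_package, so the rename is source-only and wire-compatible; please make sure this file comes from the proto generator (the Dockerfile touched in this change) rather than a hand edit, since a descriptor that does not match the Go types fails at package init.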
@ -172,13 +173,13 @@ var file_kms_proto_depIdxs = []int32{
0, // [0:0] is the sub-list for field type_name 0, // [0:0] is the sub-list for field type_name
} }
func init() { file_kms_proto_init() } func init() { file_keyservice_proto_init() }
func file_kms_proto_init() { func file_keyservice_proto_init() {
if File_kms_proto != nil { if File_keyservice_proto != nil {
return return
} }
if !protoimpl.UnsafeEnabled { if !protoimpl.UnsafeEnabled {
file_kms_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { file_keyservice_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*GetDataKeyRequest); i { switch v := v.(*GetDataKeyRequest); i {
case 0: case 0:
return &v.state return &v.state
@ -190,7 +191,7 @@ func file_kms_proto_init() {
return nil return nil
} }
} }
file_kms_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { file_keyservice_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*GetDataKeyResponse); i { switch v := v.(*GetDataKeyResponse); i {
case 0: case 0:
return &v.state return &v.state
@ -207,18 +208,18 @@ func file_kms_proto_init() {
out := protoimpl.TypeBuilder{ out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{ File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(), GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_kms_proto_rawDesc, RawDescriptor: file_keyservice_proto_rawDesc,
NumEnums: 0, NumEnums: 0,
NumMessages: 2, NumMessages: 2,
NumExtensions: 0, NumExtensions: 0,
NumServices: 1, NumServices: 1,
}, },
GoTypes: file_kms_proto_goTypes, GoTypes: file_keyservice_proto_goTypes,
DependencyIndexes: file_kms_proto_depIdxs, DependencyIndexes: file_keyservice_proto_depIdxs,
MessageInfos: file_kms_proto_msgTypes, MessageInfos: file_keyservice_proto_msgTypes,
}.Build() }.Build()
File_kms_proto = out.File File_keyservice_proto = out.File
file_kms_proto_rawDesc = nil file_keyservice_proto_rawDesc = nil
file_kms_proto_goTypes = nil file_keyservice_proto_goTypes = nil
file_kms_proto_depIdxs = nil file_keyservice_proto_depIdxs = nil
} }


@ -2,7 +2,7 @@ syntax = "proto3";
package kms; package kms;
option go_package = "github.com/edgelesssys/constellation/v2/kms/kmsproto"; option go_package = "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto";
service API { service API {
rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse); rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse);
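Review bot: `package kms;` is left unchanged while only go_package is renamed, so the service full name stays `kms.API` and the gRPC method path stays `/kms.API/GetDataKey`. That is the right call for wire compatibility between keyservice clients and servers during a rolling upgrade, but it is at odds with the stated goal of reserving "KMS" for the key-managing backend; if the proto package is to follow later, that rename is a breaking change for any caller built against the old descriptor and needs a coordinated rollout, so a comment next to the package line recording the intent would help.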


@ -2,9 +2,9 @@
// versions: // versions:
// - protoc-gen-go-grpc v1.2.0 // - protoc-gen-go-grpc v1.2.0
// - protoc v3.21.8 // - protoc v3.21.8
// source: kms.proto // source: keyservice.proto
package kmsproto package keyserviceproto
import ( import (
context "context" context "context"
@ -101,5 +101,5 @@ var API_ServiceDesc = grpc.ServiceDesc{
}, },
}, },
Streams: []grpc.StreamDesc{}, Streams: []grpc.StreamDesc{},
Metadata: "kms.proto", Metadata: "keyservice.proto",
} }
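Review bot: `Metadata: "keyservice.proto"` and the `source:` header now name a file that does not appear in this diff (file headers were dropped in this rendering); confirm `kms.proto` was actually moved to `keyservice/keyserviceproto/keyservice.proto`, since the Dockerfile copies `keyservice/keyserviceproto/*.proto` by glob and would generate from whatever file is present, and the Metadata string is what server reflection reports to clients.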


@ -17,10 +17,10 @@ import (
awsconfig "github.com/aws/aws-sdk-go-v2/config" awsconfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/kms/types" "github.com/aws/aws-sdk-go-v2/service/kms/types"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util" "github.com/edgelesssys/constellation/v2/keyservice/kms/util"
) )
const ( const (
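Review bot: the backend interface package keeps its name `kms` under the new `keyservice/kms` path, which matches the commit message's definition (this package abstracts the key-managing backend), and the `kmsInterface` alias is still needed to avoid shadowing the AWS SDK `service/kms` import above it; a one-line package doc comment stating that the name is deliberately retained would keep a later cleanup from "fixing" it.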


@ -22,9 +22,9 @@ import (
"github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/kms" "github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/kms/types" "github.com/aws/aws-sdk-go-v2/service/kms/types"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"go.uber.org/goleak" "go.uber.org/goleak"
) )


@ -17,10 +17,10 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms" "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util" "github.com/edgelesssys/constellation/v2/keyservice/kms/util"
) )
const ( const (


@ -14,8 +14,8 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms" "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"go.uber.org/goleak" "go.uber.org/goleak"
) )


@ -15,10 +15,10 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms" "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util" "github.com/edgelesssys/constellation/v2/keyservice/kms/util"
) )
type hsmClientAPI interface { type hsmClientAPI interface {


@ -13,8 +13,8 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to" "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms" "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
) )


@ -19,10 +19,10 @@ import (
kms "cloud.google.com/go/kms/apiv1" kms "cloud.google.com/go/kms/apiv1"
"cloud.google.com/go/kms/apiv1/kmspb" "cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/config" "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util" "github.com/edgelesssys/constellation/v2/keyservice/kms/util"
"github.com/googleapis/gax-go/v2" "github.com/googleapis/gax-go/v2"
"google.golang.org/api/option" "google.golang.org/api/option"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"


@ -12,9 +12,9 @@ import (
"testing" "testing"
"cloud.google.com/go/kms/apiv1/kmspb" "cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms" kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util" "github.com/edgelesssys/constellation/v2/keyservice/kms/util"
"github.com/googleapis/gax-go/v2" "github.com/googleapis/gax-go/v2"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"go.uber.org/goleak" "go.uber.org/goleak"


@ -14,12 +14,12 @@ import (
"strconv" "strconv"
"cloud.google.com/go/kms/apiv1/kmspb" "cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/storage" "github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms" "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/aws" "github.com/edgelesssys/constellation/v2/keyservice/kms/aws"
"github.com/edgelesssys/constellation/v2/kms/kms/azure" "github.com/edgelesssys/constellation/v2/keyservice/kms/azure"
"github.com/edgelesssys/constellation/v2/kms/kms/cluster" "github.com/edgelesssys/constellation/v2/keyservice/kms/cluster"
"github.com/edgelesssys/constellation/v2/kms/kms/gcp" "github.com/edgelesssys/constellation/v2/keyservice/kms/gcp"
) )
// Well known endpoints for KMS services. // Well known endpoints for KMS services.


@ -35,8 +35,8 @@ COPY debugd/service/*.proto /service
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
## key management ## key management
WORKDIR /kms WORKDIR /keyservice
COPY kms/kmsproto/*.proto /kms COPY keyservice/keyserviceproto/*.proto /keyservice
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
## join service ## join service
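Review bot: the `## key management` stage comment still labels the `/keyservice` build stage as key management, which is exactly the conflation this commit is removing; suggest `## keyservice` to match the naming of the neighbouring `## join service` stage.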
@ -62,7 +62,7 @@ RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_o
FROM scratch as export FROM scratch as export
COPY --from=build /disk-mapper/*.go disk-mapper/recoverproto/ COPY --from=build /disk-mapper/*.go disk-mapper/recoverproto/
COPY --from=build /service/*.go debugd/service/ COPY --from=build /service/*.go debugd/service/
COPY --from=build /kms/*.go kms/kmsproto/ COPY --from=build /keyservice/*.go keyservice/keyserviceproto/
COPY --from=build /joinservice/*.go joinservice/joinproto/ COPY --from=build /joinservice/*.go joinservice/joinproto/
COPY --from=build /verify/*.go verify/verifyproto/ COPY --from=build /verify/*.go verify/verifyproto/
COPY --from=build /init/*.go bootstrapper/initproto/ COPY --from=build /init/*.go bootstrapper/initproto/


@ -47,7 +47,7 @@ The measurement secret, together with a measurement salt (not secret) is used to
* For eKMS backends the two URIs can be used directly to request new DEKs. * For eKMS backends the two URIs can be used directly to request new DEKs.
* For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=<masterSecret>`. * For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=<masterSecret>`.
The above approach allows us to integrate with the existing setup code in `kms/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms). The above approach allows us to integrate with the existing setup code in `keyservice/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms).
This code is used to setup CloudKMS objects. This code is used to setup CloudKMS objects.
The `setup.go` code will have to be refactored to live in `internal` so that the disk-mapper pkg can directly communicate with the respective external KMS. The `setup.go` code will have to be refactored to live in `internal` so that the disk-mapper pkg can directly communicate with the respective external KMS.
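Review bot: the path now reads `keyservice/setup/setup.go`, but the sentence two lines down still says this code "will have to be refactored to live in `internal`", so the reference is already scheduled to go stale; consider pointing at the package rather than a file path. Separately, the line above still documents the master secret as a query parameter of the KMS URI (`kms://cluster-kms?masterSecret=<masterSecret>`); since URIs tend to end up in logs and error strings, the doc should state that this URI is handled as a secret and is never logged.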


@ -24,7 +24,7 @@ We use SHA-256 as the hash function.
Constellation's master secret is used as *IKM* for HKDF. Constellation's master secret is used as *IKM* for HKDF.
The master secret is either provided by the admin, or a randomly generated 32 byte value. The master secret is either provided by the admin, or a randomly generated 32 byte value.
It is supplied to the cluster during `constellation init` and in the following used by [Constellation's KMS](../kms/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/). It is supplied to the cluster during `constellation init` and in the following used by [Constellation's keyservice](../keyservice/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/).
## Salt ## Salt
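Review bot: while this line is being touched, "in the following used by" reads awkwardly; "then used by" or "subsequently used by" says the same thing more clearly.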
