kms: rename kms to keyservice
In the light of extending our eKMS support it will be helpful to have a tighter use of the word "KMS". KMS should refer to the actual component that manages keys. The keyservice, also called KMS in the constellation code, does not manage keys itself. It talks to a KMS backend, which in turn does the actual key management.
This commit is contained in:
parent
67f8336b9d
commit
90b88e1cf9
2
.github/actions/e2e_mini/run-e2e.sh
vendored
2
.github/actions/e2e_mini/run-e2e.sh
vendored
@ -56,7 +56,7 @@ kubectl -n kube-system wait --for=condition=Available=True --timeout=180s deploy
|
||||
# Wait for daemon sets
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset cilium
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset join-service
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset kms
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset keyservice
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset verification-service
|
||||
echo "::endgroup::"
|
||||
|
@ -1,4 +1,4 @@
|
||||
name: Build and upload KMS image
|
||||
name: Build and upload KeyService image
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
@ -7,12 +7,12 @@ on:
|
||||
- main
|
||||
- "release/**"
|
||||
paths:
|
||||
- "kms/**"
|
||||
- "keyservice/**"
|
||||
- "internal/**"
|
||||
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
|
||||
|
||||
jobs:
|
||||
build-kms-server:
|
||||
build-keyservice:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
@ -29,13 +29,13 @@ jobs:
|
||||
with:
|
||||
go-version: "1.19.5"
|
||||
|
||||
- name: Build and upload KMS server container image
|
||||
- name: Build and upload KeyService container image
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service
|
||||
with:
|
||||
name: kmsserver
|
||||
name: keyservice
|
||||
projectVersion: "0.0.0"
|
||||
dockerfile: kms/Dockerfile
|
||||
dockerfile: keyservice/Dockerfile
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
@ -8,7 +8,7 @@ on:
|
||||
type: choice
|
||||
options:
|
||||
- "join-service"
|
||||
- "kmsserver"
|
||||
- "keyservice"
|
||||
- "verification-service"
|
||||
- "qemu-metadata-api"
|
||||
- "filebeat-debugd"
|
||||
@ -80,8 +80,8 @@ jobs:
|
||||
case "${{ inputs.microService }}" in
|
||||
"join-service" )
|
||||
echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;;
|
||||
"kmsserver" )
|
||||
echo "microServiceDockerfile=kms/Dockerfile" >> "$GITHUB_ENV" ;;
|
||||
"keyservice" )
|
||||
echo "microServiceDockerfile=keyservice/Dockerfile" >> "$GITHUB_ENV" ;;
|
||||
"verification-service" )
|
||||
echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;;
|
||||
"qemu-metadata-api" )
|
||||
|
@ -36,7 +36,7 @@
|
||||
/internal/versions @katexochen
|
||||
/internal/versionsapi @katexochen
|
||||
/joinservice @daniel-weisse
|
||||
/kms @daniel-weisse
|
||||
/keyservice @daniel-weisse
|
||||
/operators @malt3
|
||||
/upgrade-agent @3u13r
|
||||
/verify @daniel-weisse
|
||||
|
@ -33,7 +33,7 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/license"
|
||||
"github.com/edgelesssys/constellation/v2/internal/retry"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versions"
|
||||
kms "github.com/edgelesssys/constellation/v2/kms/setup"
|
||||
keyservice "github.com/edgelesssys/constellation/v2/keyservice/setup"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/spf13/cobra"
|
||||
"google.golang.org/grpc"
|
||||
@ -143,8 +143,8 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator *cloud
|
||||
req := &initproto.InitRequest{
|
||||
MasterSecret: masterSecret.Key,
|
||||
Salt: masterSecret.Salt,
|
||||
KmsUri: kms.ClusterKMSURI,
|
||||
StorageUri: kms.NoStoreURI,
|
||||
KmsUri: keyservice.ClusterKMSURI,
|
||||
StorageUri: keyservice.NoStoreURI,
|
||||
KeyEncryptionKeyId: "",
|
||||
UseExistingKek: false,
|
||||
CloudServiceAccountUri: serviceAccURI,
|
||||
|
@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste
|
||||
type: application
|
||||
version: 2.4.0
|
||||
dependencies:
|
||||
- name: kms
|
||||
- name: keyservice
|
||||
version: 2.4.0
|
||||
tags:
|
||||
- Azure
|
||||
|
@ -121,7 +121,7 @@ spec:
|
||||
- "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
|
||||
- "--support-zone={{ .Values.node.supportZone }}"
|
||||
- "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}"
|
||||
- "--kms-addr=kms.{{ .Values.node.kmsNamespace | default .Release.Namespace }}:{{ .Values.node.kmsPort }}"
|
||||
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
|
||||
ports:
|
||||
- containerPort: {{ .Values.node.livenessProbe.healthPort }}
|
||||
name: healthz
|
||||
|
@ -123,8 +123,10 @@ node:
|
||||
logLevel: 5
|
||||
livenessProbe:
|
||||
healthPort: 29603
|
||||
kmsPort: "9000"
|
||||
kmsNamespace: "kube-system"
|
||||
global:
|
||||
keyserviceName: "keyservice"
|
||||
keyservicePort: 9000
|
||||
keyserviceNamespace: "kube-system"
|
||||
|
||||
snapshot:
|
||||
enabled: false
|
||||
|
@ -41,7 +41,7 @@ spec:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}"
|
||||
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
|
@ -29,8 +29,9 @@ csiController:
|
||||
replicas: 1
|
||||
runOnControlPlane: true
|
||||
|
||||
csiNode:
|
||||
kmsPort: "9000"
|
||||
kmsNamespace: "kube-system"
|
||||
global:
|
||||
keyserviceName: "keyservice"
|
||||
keyservicePort: 9000
|
||||
keyserviceNamespace: "kube-system"
|
||||
|
||||
createStorageClass: true
|
||||
|
@ -38,7 +38,7 @@ spec:
|
||||
image: {{ .Values.image | quote }}
|
||||
args:
|
||||
- --cloud-provider={{ .Values.csp }}
|
||||
- --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }}
|
||||
- --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath | quote }}
|
||||
name: config
|
||||
|
@ -0,0 +1,5 @@
|
||||
apiVersion: v2
|
||||
name: keyservice
|
||||
description: A Helm chart to deploy the Constellation KeyService
|
||||
type: application
|
||||
version: 2.4.0
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
@ -2,25 +2,25 @@ apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
- name: keyservice
|
||||
image: {{ .Values.image | quote }}
|
||||
args:
|
||||
- --port={{ .Values.global.kmsPort }}
|
||||
- --port={{ .Values.global.keyservicePort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath | quote }}
|
||||
name: config
|
||||
@ -29,7 +29,7 @@ spec:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
@ -1,16 +1,16 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- name: grpc
|
||||
port: {{ .Values.global.kmsPort }}
|
||||
port: {{ .Values.global.keyservicePort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.global.kmsPort }}
|
||||
targetPort: {{ .Values.global.keyservicePort }}
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
@ -4,7 +4,7 @@
|
||||
"image": {
|
||||
"description": "Container image to use for the spawned pods.",
|
||||
"type": "string",
|
||||
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
|
||||
"examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"]
|
||||
},
|
||||
"masterSecret": {
|
||||
"description": "Secret used to derive key material within the cluster",
|
@ -1,6 +1,6 @@
|
||||
global:
|
||||
# Port on which the KMS service will listen. Global since join-service also uses the value.
|
||||
kmsPort: 9000
|
||||
# Port on which the KeyService will listen. Global since join-service also uses the value.
|
||||
keyservicePort: 9000
|
||||
# Path to which secrets/CMs are mounted.
|
||||
serviceBasePath: /var/config
|
||||
# Name of the ConfigMap that holds measurements and other info.
|
||||
|
@ -52,7 +52,7 @@ const (
|
||||
// ChartLoader loads embedded helm charts.
|
||||
type ChartLoader struct {
|
||||
joinServiceImage string
|
||||
kmsImage string
|
||||
keyserviceImage string
|
||||
ccmImage string
|
||||
cnmImage string
|
||||
autoscalerImage string
|
||||
@ -78,7 +78,7 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion)
|
||||
|
||||
return &ChartLoader{
|
||||
joinServiceImage: versions.JoinImage,
|
||||
kmsImage: versions.KmsImage,
|
||||
keyserviceImage: versions.KeyServiceImage,
|
||||
ccmImage: ccmImage,
|
||||
cnmImage: cnmImage,
|
||||
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
|
||||
@ -359,13 +359,14 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
|
||||
csp := config.GetProvider()
|
||||
values := map[string]any{
|
||||
"global": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"serviceBasePath": constants.ServiceBasePath,
|
||||
"joinConfigCMName": constants.JoinConfigMap,
|
||||
"internalCMName": constants.InternalConfigMap,
|
||||
"keyservicePort": constants.KeyservicePort,
|
||||
"keyserviceNamespace": "", // empty namespace means we use the release namespace
|
||||
"serviceBasePath": constants.ServiceBasePath,
|
||||
"joinConfigCMName": constants.JoinConfigMap,
|
||||
"internalCMName": constants.InternalConfigMap,
|
||||
},
|
||||
"kms": map[string]any{
|
||||
"image": i.kmsImage,
|
||||
"keyservice": map[string]any{
|
||||
"image": i.keyserviceImage,
|
||||
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
|
||||
"salt": base64.StdEncoding.EncodeToString(salt),
|
||||
"saltKeyName": constants.ConstellationSaltKey,
|
||||
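Review bot: The new `global` map sets `keyservicePort` and `keyserviceNamespace` but not `keyserviceName`, while the azuredisk and gcp CSI subcharts now build `--kms-addr` from `.Values.global.keyserviceName` and the keyservice chart hardcodes `name: keyservice` in its Service template. The address only stays correct because each subchart's own values.yaml defaults `keyserviceName: "keyservice"`; if that default ever drifts from the hardcoded Service name, the CSI drivers would point at a service that does not exist. Consider adding `"keyserviceName": "keyservice",` next to `"keyservicePort"` so this loader is the single source of truth, or have the keyservice chart read its Service name from the same global value. loadConstellationServicesValues continues outside the hunk.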
@ -420,13 +421,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
|
||||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
values["azuredisk-csi-driver"] = map[string]any{
|
||||
"node": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"kmsNamespace": "", // empty namespace means we use the release namespace
|
||||
},
|
||||
}
|
||||
|
||||
values["tags"] = map[string]any{
|
||||
"Azure": true,
|
||||
}
|
||||
@ -444,13 +438,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
|
||||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
|
||||
"csiNode": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"kmsNamespace": "", // empty namespace means we use the release namespace
|
||||
},
|
||||
}
|
||||
|
||||
values["tags"] = map[string]any{
|
||||
"GCP": true,
|
||||
}
|
||||
|
@ -90,7 +90,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
|
||||
chartLoader := ChartLoader{
|
||||
joinServiceImage: "joinServiceImage",
|
||||
kmsImage: "kmsImage",
|
||||
keyserviceImage: "keyserviceImage",
|
||||
ccmImage: tc.ccmImage,
|
||||
cnmImage: tc.cnmImage,
|
||||
autoscalerImage: "autoscalerImage",
|
||||
@ -159,7 +159,7 @@ func TestOperators(t *testing.T) {
|
||||
|
||||
chartLoader := ChartLoader{
|
||||
joinServiceImage: "joinServiceImage",
|
||||
kmsImage: "kmsImage",
|
||||
keyserviceImage: "keyserviceImage",
|
||||
ccmImage: "ccmImage",
|
||||
cnmImage: "cnmImage",
|
||||
autoscalerImage: "autoscalerImage",
|
||||
@ -301,40 +301,38 @@ func prepareGCPValues(values map[string]any) error {
|
||||
|
||||
testTag := "v0.0.0"
|
||||
pullPolicy := "IfNotPresent"
|
||||
csiVals, ok := values["gcp-compute-persistent-disk-csi-driver"].(map[string]any)
|
||||
if !ok {
|
||||
return errors.New("missing 'gcp-compute-persistent-disk-csi-driver' key")
|
||||
}
|
||||
csiVals["image"] = map[string]any{
|
||||
"csiProvisioner": map[string]any{
|
||||
"repo": "csi-provisioner",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiAttacher": map[string]any{
|
||||
"repo": "csi-attacher",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiResizer": map[string]any{
|
||||
"repo": "csi-resizer",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiSnapshotter": map[string]any{
|
||||
"repo": "csi-snapshotter",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiNodeRegistrar": map[string]any{
|
||||
"repo": "csi-registrar",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"gcepdDriver": map[string]any{
|
||||
"repo": "csi-driver",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
|
||||
"image": map[string]any{
|
||||
"csiProvisioner": map[string]any{
|
||||
"repo": "csi-provisioner",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiAttacher": map[string]any{
|
||||
"repo": "csi-attacher",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiResizer": map[string]any{
|
||||
"repo": "csi-resizer",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiSnapshotter": map[string]any{
|
||||
"repo": "csi-snapshotter",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiNodeRegistrar": map[string]any{
|
||||
"repo": "csi-registrar",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"gcepdDriver": map[string]any{
|
||||
"repo": "csi-driver",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -107,7 +107,7 @@ spec:
|
||||
- "--allow-empty-cloud-config=true"
|
||||
- "--support-zone=true"
|
||||
- "--get-node-info-from-labels=false"
|
||||
- "--kms-addr=kms.testNamespace:9000"
|
||||
- "--kms-addr=keyservice.testNamespace:9000"
|
||||
ports:
|
||||
- containerPort: 29603
|
||||
name: healthz
|
||||
|
@ -38,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=Azure
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
@ -2,23 +2,23 @@ apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
image: kmsImage
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
@ -29,7 +29,7 @@ spec:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
@ -1,7 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
@ -10,7 +10,7 @@ spec:
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
@ -41,7 +41,7 @@ spec:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr=kms.testNamespace:9000"
|
||||
- "--kms-addr=keyservice.testNamespace:9000"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
|
@ -38,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=GCP
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
@ -2,23 +2,23 @@ apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
image: kmsImage
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
@ -29,7 +29,7 @@ spec:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
@ -1,7 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
@ -10,7 +10,7 @@ spec:
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
@ -38,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=QEMU
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
name: kms
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kms
|
||||
name: keyservice
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
@ -2,23 +2,23 @@ apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: kms
|
||||
k8s-app: kms
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: kms
|
||||
image: kmsImage
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
@ -29,7 +29,7 @@ spec:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: kms
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
@ -1,7 +1,7 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
@ -10,7 +10,7 @@ spec:
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: kms
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kms
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
@ -48,8 +48,8 @@ download_chart() {
|
||||
|
||||
## GCP CSI Driver
|
||||
# TODO: clone from main branch once we rebase on upstream
|
||||
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.0" "charts" "gcp-compute-persistent-disk-csi-driver"
|
||||
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.1" "charts" "gcp-compute-persistent-disk-csi-driver"
|
||||
|
||||
## Azure CSI Driver
|
||||
# TODO: clone from main branch once we rebase on upstream
|
||||
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.0" "charts/edgeless" "azuredisk-csi-driver"
|
||||
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.1" "charts/edgeless" "azuredisk-csi-driver"
|
||||
|
@ -10,7 +10,7 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials/insecure"
|
||||
)
|
||||
@ -39,7 +39,7 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int
|
||||
|
||||
res, err := k.kms.GetDataKey(
|
||||
ctx,
|
||||
&kmsproto.GetDataKeyRequest{
|
||||
&keyserviceproto.GetDataKeyRequest{
|
||||
DataKeyId: dekID,
|
||||
Length: uint32(dekSize),
|
||||
},
|
||||
@ -53,11 +53,11 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int
|
||||
}
|
||||
|
||||
type kmsClient interface {
|
||||
GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error)
|
||||
GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error)
|
||||
}
|
||||
|
||||
type constellationKMSClient struct{}
|
||||
|
||||
func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
|
||||
return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req)
|
||||
func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
|
||||
return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req)
|
||||
}
|
||||
|
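Review bot: The identifiers in this file keep the old vocabulary after the import switched to keyserviceproto: `ConstellationKMS`, `kmsClient`, `constellationKMSClient` and the field read via `k.kms` all name the client of the KeyService, not of a key-management backend, which is exactly the distinction the commit message introduces. If the rename is meant to be complete, renaming these to something like `ConstellationKeyService`/`keyserviceClient` would keep the csi package consistent with the rest of the tree; if it is intentionally deferred, a one-line comment on the type saying so would stop the next reader from assuming it talks to an external KMS. The same applies to `stubKMSClient` in the test hunk that follows. GetDEK's body begins outside the hunk.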
@ -11,7 +11,7 @@ import (
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/goleak"
|
||||
"google.golang.org/grpc"
|
||||
@ -27,8 +27,8 @@ type stubKMSClient struct {
|
||||
dataKey []byte
|
||||
}
|
||||
|
||||
func (c *stubKMSClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
|
||||
return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
|
||||
func (c *stubKMSClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
|
||||
return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
|
||||
}
|
||||
|
||||
func TestConstellationKMS(t *testing.T) {
|
||||
|
@ -5,7 +5,7 @@ Core components:
|
||||
* [cli](/cli): The CLI is used to manage a Constellation cluster
|
||||
* [bootstrapper](/bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
|
||||
* [image](/image): Build files for the Constellation disk image
|
||||
* [kms](/kms): Constellation's key management client and server
|
||||
* [keyservice](/keyservice): Constellation's key management client and server
|
||||
* [csi](/csi): Package used by CSI plugins to create and mount encrypted block devices
|
||||
* [disk-mapper](/disk-mapper): Contains the disk-mapper that maps the encrypted node data disk during boot
|
||||
|
||||
|
@ -7,7 +7,7 @@ These features are provided by several components:
|
||||
* The [Bootstrapper](components.md#bootstrapper) initializes a Constellation node and bootstraps the cluster
|
||||
* The [JoinService](components.md#joinservice) joins new nodes to an existing cluster
|
||||
* The [VerificationService](components.md#verificationservice) provides remote attestation functionality
|
||||
* The [Key Management Service (KMS)](components.md#kms) manages Constellation-internal keys
|
||||
* The [KeyService](components.md#keyservice) manages Constellation-internal keys
|
||||
|
||||
The relations between components are shown in the following diagram:
|
||||
|
||||
@ -22,7 +22,7 @@ flowchart LR
|
||||
end
|
||||
subgraph Kubernetes
|
||||
D[JoinService]
|
||||
E[KMS]
|
||||
E[KeyService]
|
||||
F[VerificationService]
|
||||
end
|
||||
A -- deploys -->
|
||||
@ -45,7 +45,7 @@ Otherwise, it waits for an initialization request to create a new Kubernetes clu
|
||||
The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node.
|
||||
New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
|
||||
The *JoinService* verifies the new node's certificate and attestation statement.
|
||||
If attestation is successful, the new node is supplied with an encryption key from the [*KMS*](components.md#kms) for its state disk, and a Kubernetes bootstrap token.
|
||||
If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](components.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
|
||||
|
||||
|
||||
```mermaid
|
||||
@ -55,8 +55,8 @@ sequenceDiagram
|
||||
New node->>JoinService: aTLS handshake (server side verification)
|
||||
JoinService-->>New node: #
|
||||
New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
|
||||
JoinService->>+KMS: GetDataKey(DiskUUID)
|
||||
KMS-->>-JoinService: DiskEncryptionKey
|
||||
JoinService->>+KeyService: GetDataKey(DiskUUID)
|
||||
KeyService-->>-JoinService: DiskEncryptionKey
|
||||
JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
|
||||
```
|
||||
|
||||
@ -66,8 +66,8 @@ The *VerificationService* runs as DaemonSet on each node.
|
||||
It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
|
||||
Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
|
||||
|
||||
## KMS
|
||||
## KeyService
|
||||
|
||||
The *KMS* runs as DaemonSet on each control-plane node.
|
||||
The *KeyService* runs as DaemonSet on each control-plane node.
|
||||
It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
|
||||
Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KMS* holds the key encryption key (KEK) directly or calls an external service for key derivation respectively.
|
||||
Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.
|
||||
|
@ -28,7 +28,7 @@ All cryptographic operations happen inside the trusted environment of the confid
|
||||
|
||||
Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
|
||||
|
||||
By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KMS*](components.md#kms).
|
||||
By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](components.md#keyservice).
|
||||
The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
|
||||
This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.
|
||||
|
||||
|
@ -44,8 +44,8 @@ const (
|
||||
VerifyServiceNodePortHTTP = 30080
|
||||
// VerifyServiceNodePortGRPC GRPC node port for verification service.
|
||||
VerifyServiceNodePortGRPC = 30081
|
||||
// KMSPort is the port the KMS server listens on.
|
||||
KMSPort = 9000
|
||||
// KeyservicePort is the port the KMS server listens on.
|
||||
KeyservicePort = 9000
|
||||
// BootstrapperPort port of bootstrapper.
|
||||
BootstrapperPort = 9000
|
||||
// KubernetesPort port for Kubernetes API.
|
||||
|
@ -57,9 +57,9 @@ const (
|
||||
// KonnectivityServerImage server image for konnectivity service.
|
||||
KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.35@sha256:d863f7fd0da4392b9753dc6c9195a658e80d70e0be8c9adb410d77cf20b75c76" // renovate:container
|
||||
// JoinImage image of Constellation join service.
|
||||
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:5fb9592e2777bfd54b460c09761a1d7fbcd47bad73efafc429b5fa88a0bf98fe" // renovate:container
|
||||
// KmsImage image of Constellation KMS server.
|
||||
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:962ab2575028c3bd3b0ab97a572f4af96075ac031776b17bb2188aa2c40e12f3" // renovate:container
|
||||
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container
|
||||
// KeyServiceImage image of Constellation KeyService server.
|
||||
KeyServiceImage = "ghcr.io/edgelesssys/constellation/keyservice:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container
|
||||
// VerificationImage image of Constellation verification service.
|
||||
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:43fd9d3494538d94f584dbcfa6d4fd82cadefe3e4fdaa33e9ffb19d8f6b98b94" // renovate:container
|
||||
// GcpGuestImage image for GCP guest agent.
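Review bot: The two image references rewritten in the second hunk, `JoinImage` and `KeyServiceImage`, lost their `@sha256:` digests, while the lines they replace and the untouched `VerificationImage` right below them are digest-pinned. A bare tag on ghcr.io is mutable, so the join-service and keyservice would be pulled as whatever the tag resolves to when a node starts rather than as the artifact that was reviewed; the `renovate:container` marker presumably re-pins on the next bot run, but the commit as it stands ships unpinned. Re-add the digests of the freshly built images, e.g. `KeyServiceImage = "ghcr.io/edgelesssys/constellation/keyservice:v2.5.0-pre.0.20230111102352-5c9a15acf65c@sha256:<digest of the built image>"`. On a smaller note, the first hunk names the port `KeyservicePort` with a comment still reading "the KMS server listens on", while the image constant is `KeyServiceImage`; `KeyServicePort` with `// KeyServicePort is the port the keyservice gRPC server listens on.` would keep one spelling and match the commit's terminology.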
|
||||
|
@ -34,7 +34,7 @@ sequenceDiagram
|
||||
|
||||
### [internal/kms](./internal/kms/)
|
||||
|
||||
Implements interaction with Constellation's key management service.
|
||||
Implements interaction with Constellation's keyservice.
|
||||
This is needed for fetching data encryption keys for joining nodes.
|
||||
|
||||
### [internal/kubeadm](./internal/kubeadm/)
|
||||
|
@ -40,7 +40,7 @@ const vpcIPTimeout = 30 * time.Second
|
||||
|
||||
func main() {
|
||||
provider := flag.String("cloud-provider", "", "cloud service provider this binary is running on")
|
||||
kmsEndpoint := flag.String("kms-endpoint", "", "endpoint of Constellations key management service")
|
||||
keyserviceEndpoint := flag.String("keyservice-endpoint", "", "endpoint of Constellations key management service")
|
||||
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
|
||||
flag.Parse()
|
||||
|
||||
@ -78,7 +78,7 @@ func main() {
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to create kubeadm")
|
||||
}
|
||||
kms := kms.New(log.Named("kms"), *kmsEndpoint)
|
||||
keyserviceClient := kms.New(log.Named("keyserviceClient"), *keyserviceEndpoint)
|
||||
|
||||
measurementSalt, err := handler.Read(filepath.Join(constants.ServiceBasePath, constants.MeasurementSaltFilename))
|
||||
if err != nil {
|
||||
@ -89,7 +89,7 @@ func main() {
|
||||
measurementSalt,
|
||||
kubernetesca.New(log.Named("certificateAuthority"), handler),
|
||||
kubeadm,
|
||||
kms,
|
||||
keyserviceClient,
|
||||
log.Named("server"),
|
||||
)
|
||||
if err != nil {
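Review bot: The renamed flag in the first hunk keeps the description `"endpoint of Constellations key management service"`, which is exactly the meaning of "KMS" this commit wants to reserve for the backend; `keyserviceEndpoint := flag.String("keyservice-endpoint", "", "endpoint of Constellation's keyservice")` would match the new naming. Renaming the flag from `-kms-endpoint` to `-keyservice-endpoint` also changes the binary's command line, so whatever launches this service (a Helm chart or DaemonSet manifest not in this view) has to pass the new name or the endpoint silently stays empty; worth confirming that side of the rename landed in the same change. The `kms.New(...)` call in the second hunk still reaches the keyservice through a package called `kms`, which keeps the old ambiguity alive in the very code that reads the flag. The body of main continues past the last hunk.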
|
||||
|
@ -11,13 +11,13 @@ import (
|
||||
"fmt"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
|
||||
"go.uber.org/zap"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials/insecure"
|
||||
)
|
||||
|
||||
// Client interacts with Constellation's key management service.
|
||||
// Client interacts with Constellation's keyservice.
|
||||
type Client struct {
|
||||
log *logger.Logger
|
||||
endpoint string
|
||||
@ -48,7 +48,7 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt
|
||||
log.Infof("Requesting data key")
|
||||
res, err := c.grpc.GetDataKey(
|
||||
ctx,
|
||||
&kmsproto.GetDataKeyRequest{
|
||||
&keyserviceproto.GetDataKeyRequest{
|
||||
DataKeyId: keyID,
|
||||
Length: uint32(length),
|
||||
},
|
||||
@ -63,11 +63,11 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt
|
||||
}
|
||||
|
||||
type grpcClient interface {
|
||||
GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error)
|
||||
GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error)
|
||||
}
|
||||
|
||||
type client struct{}
|
||||
|
||||
func (c client) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
|
||||
return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req)
|
||||
func (c client) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
|
||||
return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req)
|
||||
}
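Review bot: The `Client` doc comment in the first hunk now says keyservice, but the package it lives in is still `kms` (the README hunk above heads it `internal/kms`), and the `credentials/insecure` import at the top of the same hunk indicates the DEK returned by `GetDataKey` travels over a connection presumably dialled with `insecure.NewCredentials()`; the dial itself is outside the hunk. That property is no longer inferable from the package name, so the comment should carry it: `// Client fetches data encryption keys from Constellation's keyservice over an in-cluster gRPC connection that uses insecure (non-TLS) credentials; it presumably relies on cluster network isolation -- confirm.` The README hunk states this client fetches DEKs for joining nodes, so the plaintext-on-the-wire decision deserves to be written where the type is defined rather than left to the import list. Renaming the package to `keyservice` in a follow-up would finish what the commit message sets out.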
|
||||
|
@ -12,7 +12,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/goleak"
|
||||
"google.golang.org/grpc"
|
||||
@ -24,8 +24,8 @@ type stubClient struct {
|
||||
dataKey []byte
|
||||
}
|
||||
|
||||
func (c *stubClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
|
||||
return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
|
||||
func (c *stubClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
|
||||
return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
|
||||
}
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
|
@ -22,10 +22,10 @@ RUN rm -rf ./hack/
|
||||
|
||||
# Build
|
||||
RUN mkdir -p /constellation/build
|
||||
WORKDIR /constellation/kms/cmd
|
||||
WORKDIR /constellation/keyservice/cmd
|
||||
ARG PROJECT_VERSION=0.0.0
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/kmsserver -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}"
|
||||
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/keyservice -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}"
|
||||
|
||||
FROM gcr.io/distroless/static:nonroot@sha256:1fa522fe6cfe020d50341f1ca561c099487bd44f8eb98d25d1920b07e05e40be as release
|
||||
COPY --from=build /constellation/build/kmsserver /kmsserver
|
||||
ENTRYPOINT ["/kmsserver"]
|
||||
COPY --from=build /constellation/build/keyservice /keyservice
|
||||
ENTRYPOINT ["/keyservice"]
|
@ -19,14 +19,14 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/crypto"
|
||||
"github.com/edgelesssys/constellation/v2/internal/file"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/server"
|
||||
"github.com/edgelesssys/constellation/v2/kms/setup"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/server"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/setup"
|
||||
"github.com/spf13/afero"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
func main() {
|
||||
port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on")
|
||||
port := flag.String("port", strconv.Itoa(constants.KeyservicePort), "Port gRPC server listens on")
|
||||
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
|
||||
saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationSaltKey), "Path to the Constellation salt")
|
||||
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
|
||||
@ -66,7 +66,7 @@ func main() {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to create KMS KEK from MasterKey")
|
||||
}
|
||||
|
||||
if err := server.New(log.Named("kms"), conKMS).Run(*port); err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to run KMS server")
|
||||
if err := server.New(log.Named("keyservice"), conKMS).Run(*port); err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to run keyservice server")
|
||||
}
|
||||
}
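Review bot: The new fatal message in the last hunk reads `Failed to run keyservice server`, but the unchanged message three lines above it still says `Failed to create KMS KEK from MasterKey`, and under the terminology this commit introduces the KEK is derived from the master secret by the keyservice while "KMS" is the backend; `log.With(zap.Error(err)).Fatalf("Failed to derive keyservice KEK from master secret")` would keep the two consistent. The `conKMS` value handed to `server.New` is the backend and can keep its name. The body of main continues above the first hunk, so the master-secret and salt handling is outside this view.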
|
@ -6,10 +6,10 @@ It's intendet for the Constellation CSI Plugins and the CLI.
|
||||
## KMS
|
||||
|
||||
The Cloud KMS is where we store our key encryption key (KEK).
|
||||
It should be initiated by the CLI and provided with a key release policy.
|
||||
The CSP Plugin can request to encrypt data encryption keys (DEK) with the DEK to safely store them on persistent memory.
|
||||
The KMS should be initiated by the CLI and provided with a key release policy.
|
||||
The CSP Plugin can request to encrypt data encryption keys (DEK) with the KEK to safely store the DEKs in persistent storage.
|
||||
The [kms](../kms/) package interacts with the Cloud KMS APIs.
|
||||
Currently planned are KMS are:
|
||||
Support is planed for:
|
||||
|
||||
* AWS KMS
|
||||
* GCP CKM
|
@ -15,8 +15,8 @@ import (
|
||||
"github.com/edgelesssys/constellation/v2/internal/crypto"
|
||||
"github.com/edgelesssys/constellation/v2/internal/grpc/grpclog"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"go.uber.org/zap"
|
||||
"go.uber.org/zap/zapcore"
|
||||
"google.golang.org/grpc"
|
||||
@ -30,7 +30,7 @@ import (
|
||||
type Server struct {
|
||||
log *logger.Logger
|
||||
conKMS kms.CloudKMS
|
||||
kmsproto.UnimplementedAPIServer
|
||||
keyserviceproto.UnimplementedAPIServer
|
||||
}
|
||||
|
||||
// New creates a new Server.
|
||||
@ -50,7 +50,7 @@ func (s *Server) Run(port string) error {
|
||||
}
|
||||
|
||||
server := grpc.NewServer(s.log.Named("gRPC").GetServerUnaryInterceptor())
|
||||
kmsproto.RegisterAPIServer(server, s)
|
||||
keyserviceproto.RegisterAPIServer(server, s)
|
||||
s.log.Named("gRPC").WithIncreasedLevel(zapcore.WarnLevel).ReplaceGRPCLogger()
|
||||
|
||||
// start the server
|
||||
@ -59,7 +59,7 @@ func (s *Server) Run(port string) error {
|
||||
}
|
||||
|
||||
// GetDataKey returns a data key.
|
||||
func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) {
|
||||
func (s *Server) GetDataKey(ctx context.Context, in *keyserviceproto.GetDataKeyRequest) (*keyserviceproto.GetDataKeyResponse, error) {
|
||||
log := s.log.With("peerAddress", grpclog.PeerAddrFromContext(ctx))
|
||||
|
||||
// Error on 0 key length
|
||||
@ -79,5 +79,5 @@ func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest)
|
||||
log.With(zap.Error(err)).Errorf("Failed to get data key")
|
||||
return nil, status.Errorf(codes.Internal, "%v", err)
|
||||
}
|
||||
return &kmsproto.GetDataKeyResponse{DataKey: key}, nil
|
||||
return &keyserviceproto.GetDataKeyResponse{DataKey: key}, nil
|
||||
}
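Review bot: `GetDataKey` in the fourth hunk hands out data keys to any caller that reaches the port, and the server built two hunks earlier is `grpc.NewServer` with only a logging interceptor, i.e. no transport credentials or peer authentication are visible in this file; the one-line doc comment `// GetDataKey returns a data key.` should state that contract so it stands as a conscious decision: `// GetDataKey derives a data key of in.Length bytes for in.DataKeyId from the KEK held by the backing KMS. The endpoint performs no caller authentication of its own (presumably in-cluster network isolation is relied upon -- confirm); it rejects an empty ID and a zero length.` The empty-ID and zero-length rejections are what the test hunk below exercises, and the length check is the comment just past the hunk boundary. `Run` and `GetDataKey` both extend beyond their hunks, so the rest of each body is outside this view.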
|
@ -12,7 +12,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/goleak"
|
||||
@ -31,23 +31,23 @@ func TestGetDataKey(t *testing.T) {
|
||||
kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}}
|
||||
api := New(log, kms)
|
||||
|
||||
res, err := api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
|
||||
res, err := api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
|
||||
require.NoError(err)
|
||||
assert.Equal(kms.derivedKey, res.DataKey)
|
||||
|
||||
// Test no data key id
|
||||
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{Length: 32})
|
||||
res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{Length: 32})
|
||||
require.Error(err)
|
||||
assert.Nil(res)
|
||||
|
||||
// Test no / zero key length
|
||||
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1"})
|
||||
res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"})
|
||||
require.Error(err)
|
||||
assert.Nil(res)
|
||||
|
||||
// Test derive key error
|
||||
api = New(log, &stubKMS{deriveKeyErr: errors.New("error")})
|
||||
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
|
||||
res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
|
||||
assert.Error(err)
|
||||
assert.Nil(res)
|
||||
}
|
@ -16,7 +16,7 @@ import (
|
||||
awsconfig "github.com/aws/aws-sdk-go-v2/config"
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3"
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3/types"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
)
|
||||
|
||||
type awsS3ClientAPI interface {
|
@ -16,7 +16,7 @@ import (
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
)
|
||||
|
||||
type azureBlobAPI interface {
|
@ -19,9 +19,9 @@ import (
|
||||
"github.com/aws/aws-sdk-go-v2/service/kms"
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3"
|
||||
"github.com/aws/aws-sdk-go-v2/service/s3/types"
|
||||
kmsconfig "github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
awsInterface "github.com/edgelesssys/constellation/v2/kms/kms/aws"
|
||||
kmsconfig "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
awsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms/aws"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
@ -13,9 +13,9 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/azure"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/azure"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
@ -14,9 +14,9 @@ import (
|
||||
"time"
|
||||
|
||||
"cloud.google.com/go/kms/apiv1/kmspb"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/gcp"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/gcp"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
@ -2,9 +2,9 @@
|
||||
// versions:
|
||||
// protoc-gen-go v1.28.1
|
||||
// protoc v3.21.8
|
||||
// source: kms.proto
|
||||
// source: keyservice.proto
|
||||
|
||||
package kmsproto
|
||||
package keyserviceproto
|
||||
|
||||
import (
|
||||
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
|
||||
@ -32,7 +32,7 @@ type GetDataKeyRequest struct {
|
||||
func (x *GetDataKeyRequest) Reset() {
|
||||
*x = GetDataKeyRequest{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_kms_proto_msgTypes[0]
|
||||
mi := &file_keyservice_proto_msgTypes[0]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
@ -45,7 +45,7 @@ func (x *GetDataKeyRequest) String() string {
|
||||
func (*GetDataKeyRequest) ProtoMessage() {}
|
||||
|
||||
func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_kms_proto_msgTypes[0]
|
||||
mi := &file_keyservice_proto_msgTypes[0]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
@ -58,7 +58,7 @@ func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
|
||||
|
||||
// Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead.
|
||||
func (*GetDataKeyRequest) Descriptor() ([]byte, []int) {
|
||||
return file_kms_proto_rawDescGZIP(), []int{0}
|
||||
return file_keyservice_proto_rawDescGZIP(), []int{0}
|
||||
}
|
||||
|
||||
func (x *GetDataKeyRequest) GetDataKeyId() string {
|
||||
@ -86,7 +86,7 @@ type GetDataKeyResponse struct {
|
||||
func (x *GetDataKeyResponse) Reset() {
|
||||
*x = GetDataKeyResponse{}
|
||||
if protoimpl.UnsafeEnabled {
|
||||
mi := &file_kms_proto_msgTypes[1]
|
||||
mi := &file_keyservice_proto_msgTypes[1]
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
ms.StoreMessageInfo(mi)
|
||||
}
|
||||
@ -99,7 +99,7 @@ func (x *GetDataKeyResponse) String() string {
|
||||
func (*GetDataKeyResponse) ProtoMessage() {}
|
||||
|
||||
func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
|
||||
mi := &file_kms_proto_msgTypes[1]
|
||||
mi := &file_keyservice_proto_msgTypes[1]
|
||||
if protoimpl.UnsafeEnabled && x != nil {
|
||||
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||
if ms.LoadMessageInfo() == nil {
|
||||
@ -112,7 +112,7 @@ func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
|
||||
|
||||
// Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead.
|
||||
func (*GetDataKeyResponse) Descriptor() ([]byte, []int) {
|
||||
return file_kms_proto_rawDescGZIP(), []int{1}
|
||||
return file_keyservice_proto_rawDescGZIP(), []int{1}
|
||||
}
|
||||
|
||||
func (x *GetDataKeyResponse) GetDataKey() []byte {
|
||||
@ -122,47 +122,48 @@ func (x *GetDataKeyResponse) GetDataKey() []byte {
|
||||
return nil
|
||||
}
|
||||
|
||||
var File_kms_proto protoreflect.FileDescriptor
|
||||
var File_keyservice_proto protoreflect.FileDescriptor
|
||||
|
||||
var file_kms_proto_rawDesc = []byte{
|
||||
0x0a, 0x09, 0x6b, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73,
|
||||
0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65,
|
||||
0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65,
|
||||
0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61,
|
||||
0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18,
|
||||
0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a,
|
||||
0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
|
||||
0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18,
|
||||
0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44,
|
||||
0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61,
|
||||
0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74,
|
||||
0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d,
|
||||
0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
|
||||
0x6f, 0x6e, 0x73, 0x65, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
|
||||
0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63,
|
||||
0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f,
|
||||
0x6b, 0x6d, 0x73, 0x2f, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72,
|
||||
0x6f, 0x74, 0x6f, 0x33,
|
||||
var file_keyservice_proto_rawDesc = []byte{
|
||||
0x0a, 0x10, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f,
|
||||
0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61,
|
||||
0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b,
|
||||
0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
|
||||
0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06,
|
||||
0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65,
|
||||
0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b,
|
||||
0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61,
|
||||
0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61,
|
||||
0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a,
|
||||
0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73,
|
||||
0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
|
||||
0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61,
|
||||
0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a, 0x42, 0x67,
|
||||
0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65,
|
||||
0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74,
|
||||
0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
|
||||
0x65, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74,
|
||||
0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
}
|
||||
|
||||
var (
|
||||
file_kms_proto_rawDescOnce sync.Once
|
||||
file_kms_proto_rawDescData = file_kms_proto_rawDesc
|
||||
file_keyservice_proto_rawDescOnce sync.Once
|
||||
file_keyservice_proto_rawDescData = file_keyservice_proto_rawDesc
|
||||
)
|
||||
|
||||
func file_kms_proto_rawDescGZIP() []byte {
|
||||
file_kms_proto_rawDescOnce.Do(func() {
|
||||
file_kms_proto_rawDescData = protoimpl.X.CompressGZIP(file_kms_proto_rawDescData)
|
||||
func file_keyservice_proto_rawDescGZIP() []byte {
|
||||
file_keyservice_proto_rawDescOnce.Do(func() {
|
||||
file_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_proto_rawDescData)
|
||||
})
|
||||
return file_kms_proto_rawDescData
|
||||
return file_keyservice_proto_rawDescData
|
||||
}
|
||||
|
||||
var file_kms_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
|
||||
var file_kms_proto_goTypes = []interface{}{
|
||||
var file_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
|
||||
var file_keyservice_proto_goTypes = []interface{}{
|
||||
(*GetDataKeyRequest)(nil), // 0: kms.GetDataKeyRequest
|
||||
(*GetDataKeyResponse)(nil), // 1: kms.GetDataKeyResponse
|
||||
}
|
||||
var file_kms_proto_depIdxs = []int32{
|
||||
var file_keyservice_proto_depIdxs = []int32{
|
||||
0, // 0: kms.API.GetDataKey:input_type -> kms.GetDataKeyRequest
|
||||
1, // 1: kms.API.GetDataKey:output_type -> kms.GetDataKeyResponse
|
||||
1, // [1:2] is the sub-list for method output_type
|
||||
@ -172,13 +173,13 @@ var file_kms_proto_depIdxs = []int32{
|
||||
0, // [0:0] is the sub-list for field type_name
|
||||
}
|
||||
|
||||
func init() { file_kms_proto_init() }
|
||||
func file_kms_proto_init() {
|
||||
if File_kms_proto != nil {
|
||||
func init() { file_keyservice_proto_init() }
|
||||
func file_keyservice_proto_init() {
|
||||
if File_keyservice_proto != nil {
|
||||
return
|
||||
}
|
||||
if !protoimpl.UnsafeEnabled {
|
||||
file_kms_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
|
||||
file_keyservice_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*GetDataKeyRequest); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
@ -190,7 +191,7 @@ func file_kms_proto_init() {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
file_kms_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
|
||||
file_keyservice_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
|
||||
switch v := v.(*GetDataKeyResponse); i {
|
||||
case 0:
|
||||
return &v.state
|
||||
@ -207,18 +208,18 @@ func file_kms_proto_init() {
|
||||
out := protoimpl.TypeBuilder{
|
||||
File: protoimpl.DescBuilder{
|
||||
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
||||
RawDescriptor: file_kms_proto_rawDesc,
|
||||
RawDescriptor: file_keyservice_proto_rawDesc,
|
||||
NumEnums: 0,
|
||||
NumMessages: 2,
|
||||
NumExtensions: 0,
|
||||
NumServices: 1,
|
||||
},
|
||||
GoTypes: file_kms_proto_goTypes,
|
||||
DependencyIndexes: file_kms_proto_depIdxs,
|
||||
MessageInfos: file_kms_proto_msgTypes,
|
||||
GoTypes: file_keyservice_proto_goTypes,
|
||||
DependencyIndexes: file_keyservice_proto_depIdxs,
|
||||
MessageInfos: file_keyservice_proto_msgTypes,
|
||||
}.Build()
|
||||
File_kms_proto = out.File
|
||||
file_kms_proto_rawDesc = nil
|
||||
file_kms_proto_goTypes = nil
|
||||
file_kms_proto_depIdxs = nil
|
||||
File_keyservice_proto = out.File
|
||||
file_keyservice_proto_rawDesc = nil
|
||||
file_keyservice_proto_goTypes = nil
|
||||
file_keyservice_proto_depIdxs = nil
|
||||
}
|
@ -2,7 +2,7 @@ syntax = "proto3";
|
||||
|
||||
package kms;
|
||||
|
||||
option go_package = "github.com/edgelesssys/constellation/v2/kms/kmsproto";
|
||||
option go_package = "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto";
|
||||
|
||||
service API {
|
||||
rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse);
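Review bot: The hunk changes `go_package` but keeps `package kms;`, and that is the right call for compatibility: the proto package is part of the gRPC method path, visible as `kms.API.GetDataKey` in the generated descriptor above, so renaming it would make new clients and old servers (or the reverse) fail during a rolling upgrade. Since the commit's stated aim is to purge "kms" from the keyservice naming, a later cleanup is likely to rename this line too; a comment prevents that: `package kms; // stays "kms" on purpose: it is part of the wire method path (/kms.API/GetDataKey); renaming it breaks upgrades`.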
|
@ -2,9 +2,9 @@
|
||||
// versions:
|
||||
// - protoc-gen-go-grpc v1.2.0
|
||||
// - protoc v3.21.8
|
||||
// source: kms.proto
|
||||
// source: keyservice.proto
|
||||
|
||||
package kmsproto
|
||||
package keyserviceproto
|
||||
|
||||
import (
|
||||
context "context"
|
||||
@ -101,5 +101,5 @@ var API_ServiceDesc = grpc.ServiceDesc{
|
||||
},
|
||||
},
|
||||
Streams: []grpc.StreamDesc{},
|
||||
Metadata: "kms.proto",
|
||||
Metadata: "keyservice.proto",
|
||||
}
|
@ -17,10 +17,10 @@ import (
|
||||
awsconfig "github.com/aws/aws-sdk-go-v2/config"
|
||||
"github.com/aws/aws-sdk-go-v2/service/kms"
|
||||
"github.com/aws/aws-sdk-go-v2/service/kms/types"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/util"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
|
||||
)
|
||||
|
||||
const (
|
@ -22,9 +22,9 @@ import (
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/service/kms"
|
||||
"github.com/aws/aws-sdk-go-v2/service/kms/types"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/goleak"
|
||||
)
|
@ -17,10 +17,10 @@ import (
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/util"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
|
||||
)
|
||||
|
||||
const (
|
@ -14,8 +14,8 @@ import (
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/goleak"
|
||||
)
|
@ -15,10 +15,10 @@ import (
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/util"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
|
||||
)
|
||||
|
||||
type hsmClientAPI interface {
|
@ -13,8 +13,8 @@ import (
|
||||
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
|
||||
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
@ -19,10 +19,10 @@ import (
|
||||
|
||||
kms "cloud.google.com/go/kms/apiv1"
|
||||
"cloud.google.com/go/kms/apiv1/kmspb"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/util"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
|
||||
"github.com/googleapis/gax-go/v2"
|
||||
"google.golang.org/api/option"
|
||||
"google.golang.org/grpc/codes"
|
@ -12,9 +12,9 @@ import (
|
||||
"testing"
|
||||
|
||||
"cloud.google.com/go/kms/apiv1/kmspb"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/util"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
|
||||
"github.com/googleapis/gax-go/v2"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/goleak"
|
@ -14,12 +14,12 @@ import (
|
||||
"strconv"
|
||||
|
||||
"cloud.google.com/go/kms/apiv1/kmspb"
|
||||
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/aws"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/azure"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/cluster"
|
||||
"github.com/edgelesssys/constellation/v2/kms/kms/gcp"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/aws"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/azure"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/cluster"
|
||||
"github.com/edgelesssys/constellation/v2/keyservice/kms/gcp"
|
||||
)
|
||||
|
||||
// Well known endpoints for KMS services.
|
@ -35,8 +35,8 @@ COPY debugd/service/*.proto /service
|
||||
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
|
||||
|
||||
## key management
|
||||
WORKDIR /kms
|
||||
COPY kms/kmsproto/*.proto /kms
|
||||
WORKDIR /keyservice
|
||||
COPY keyservice/keyserviceproto/*.proto /keyservice
|
||||
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
|
||||
|
||||
## join service
|
||||
@ -62,7 +62,7 @@ RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_o
|
||||
FROM scratch as export
|
||||
COPY --from=build /disk-mapper/*.go disk-mapper/recoverproto/
|
||||
COPY --from=build /service/*.go debugd/service/
|
||||
COPY --from=build /kms/*.go kms/kmsproto/
|
||||
COPY --from=build /keyservice/*.go keyservice/keyserviceproto/
|
||||
COPY --from=build /joinservice/*.go joinservice/joinproto/
|
||||
COPY --from=build /verify/*.go verify/verifyproto/
|
||||
COPY --from=build /init/*.go bootstrapper/initproto/
|
||||
|
@ -47,7 +47,7 @@ The measurement secret, together with a measurement salt (not secret) is used to
|
||||
* For eKMS backends the two URIs can be used directly to request new DEKs.
|
||||
* For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=<masterSecret>`.
|
||||
|
||||
The above approach allows us to integrate with the existing setup code in `kms/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms).
|
||||
The above approach allows us to integrate with the existing setup code in `keyservice/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms).
|
||||
This code is used to setup CloudKMS objects.
|
||||
The `setup.go` code will have to be refactored to live in `internal` so that the disk-mapper pkg can directly communicate with the respective external KMS.
|
||||
|
||||
|
@ -24,7 +24,7 @@ We use SHA-256 as the hash function.
|
||||
|
||||
Constellation's master secret is used as *IKM* for HKDF.
|
||||
The master secret is either provided by the admin, or a randomly generated 32 byte value.
|
||||
It is supplied to the cluster during `constellation init` and in the following used by [Constellation's KMS](../kms/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/).
|
||||
It is supplied to the cluster during `constellation init` and in the following used by [Constellation's keyservice](../keyservice/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/).
|
||||
|
||||
## Salt
|
||||
|
||||
|