kms: rename kms to keyservice

In light of extending our eKMS support, it will be helpful
to have a tighter use of the word "KMS".
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
This commit is contained in:
Otto Bittner 2023-01-11 10:08:57 +01:00
parent 67f8336b9d
commit 90b88e1cf9
101 changed files with 313 additions and 319 deletions


@ -56,7 +56,7 @@ kubectl -n kube-system wait --for=condition=Available=True --timeout=180s deploy
# Wait for daemon sets
kubectl -n kube-system rollout status --timeout 180s daemonset cilium
kubectl -n kube-system rollout status --timeout 180s daemonset join-service
kubectl -n kube-system rollout status --timeout 180s daemonset kms
kubectl -n kube-system rollout status --timeout 180s daemonset keyservice
kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent
kubectl -n kube-system rollout status --timeout 180s daemonset verification-service
echo "::endgroup::"


@ -1,4 +1,4 @@
name: Build and upload KMS image
name: Build and upload KeyService image
on:
workflow_dispatch:
@ -7,12 +7,12 @@ on:
- main
- "release/**"
paths:
- "kms/**"
- "keyservice/**"
- "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops
jobs:
build-kms-server:
build-keyservice:
runs-on: ubuntu-22.04
permissions:
contents: read
@ -29,13 +29,13 @@ jobs:
with:
go-version: "1.19.5"
- name: Build and upload KMS server container image
- name: Build and upload KeyService container image
id: build-and-upload
uses: ./.github/actions/build_micro_service
with:
name: kmsserver
name: keyservice
projectVersion: "0.0.0"
dockerfile: kms/Dockerfile
dockerfile: keyservice/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}


@ -8,7 +8,7 @@ on:
type: choice
options:
- "join-service"
- "kmsserver"
- "keyservice"
- "verification-service"
- "qemu-metadata-api"
- "filebeat-debugd"
@ -80,8 +80,8 @@ jobs:
case "${{ inputs.microService }}" in
"join-service" )
echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;;
"kmsserver" )
echo "microServiceDockerfile=kms/Dockerfile" >> "$GITHUB_ENV" ;;
"keyservice" )
echo "microServiceDockerfile=keyservice/Dockerfile" >> "$GITHUB_ENV" ;;
"verification-service" )
echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;;
"qemu-metadata-api" )


@ -36,7 +36,7 @@
/internal/versions @katexochen
/internal/versionsapi @katexochen
/joinservice @daniel-weisse
/kms @daniel-weisse
/keyservice @daniel-weisse
/operators @malt3
/upgrade-agent @3u13r
/verify @daniel-weisse


@ -33,7 +33,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/license"
"github.com/edgelesssys/constellation/v2/internal/retry"
"github.com/edgelesssys/constellation/v2/internal/versions"
kms "github.com/edgelesssys/constellation/v2/kms/setup"
keyservice "github.com/edgelesssys/constellation/v2/keyservice/setup"
"github.com/spf13/afero"
"github.com/spf13/cobra"
"google.golang.org/grpc"
@ -143,8 +143,8 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator *cloud
req := &initproto.InitRequest{
MasterSecret: masterSecret.Key,
Salt: masterSecret.Salt,
KmsUri: kms.ClusterKMSURI,
StorageUri: kms.NoStoreURI,
KmsUri: keyservice.ClusterKMSURI,
StorageUri: keyservice.NoStoreURI,
KeyEncryptionKeyId: "",
UseExistingKek: false,
CloudServiceAccountUri: serviceAccURI,


@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste
type: application
version: 2.4.0
dependencies:
- name: kms
- name: keyservice
version: 2.4.0
tags:
- Azure


@ -121,7 +121,7 @@ spec:
- "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
- "--support-zone={{ .Values.node.supportZone }}"
- "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}"
- "--kms-addr=kms.{{ .Values.node.kmsNamespace | default .Release.Namespace }}:{{ .Values.node.kmsPort }}"
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
ports:
- containerPort: {{ .Values.node.livenessProbe.healthPort }}
name: healthz
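Review bot: The new `--kms-addr` line takes the service host from `.Values.global.keyserviceName`, but in the lines shown nothing sets that value except the subchart defaults (`keyserviceName: "keyservice"` in the azuredisk and gcp values files), while the keyservice chart's Service is hard-coded to `name: keyservice` and the join-service Deployment hard-codes `keyservice.{{ .Release.Namespace }}`; the loader's `global` map sets `keyservicePort` and `keyserviceNamespace` but not `keyserviceName`. Overriding `global.keyserviceName` would therefore repoint the CSI drivers at a Service that does not exist. Either drop the knob and write `keyservice` here as the join-service template does, or add `"keyserviceName": "keyservice"` to the loader's `global` map and make the join-service template and the keyservice Service read the same value. The gcp-compute-persistent-disk-csi-driver daemonset hunk below has the same dependency.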


@ -123,8 +123,10 @@ node:
logLevel: 5
livenessProbe:
healthPort: 29603
kmsPort: "9000"
kmsNamespace: "kube-system"
global:
keyserviceName: "keyservice"
keyservicePort: 9000
keyserviceNamespace: "kube-system"
snapshot:
enabled: false


@ -41,7 +41,7 @@ spec:
- "--v=5"
- "--endpoint=unix:/csi/csi.sock"
- "--run-controller-service=false"
- "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}"
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
securityContext:
privileged: true
volumeMounts:


@ -29,8 +29,9 @@ csiController:
replicas: 1
runOnControlPlane: true
csiNode:
kmsPort: "9000"
kmsNamespace: "kube-system"
global:
keyserviceName: "keyservice"
keyservicePort: 9000
keyserviceNamespace: "kube-system"
createStorageClass: true


@ -38,7 +38,7 @@ spec:
image: {{ .Values.image | quote }}
args:
- --cloud-provider={{ .Values.csp }}
- --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }}
- --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }}
volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config


@ -0,0 +1,5 @@
apiVersion: v2
name: keyservice
description: A Helm chart to deploy the Constellation KeyService
type: application
version: 2.4.0


@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
k8s-app: keyservice
name: keyservice
rules:
- apiGroups:
- ""


@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
name: keyservice
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
name: keyservice
subjects:
- kind: ServiceAccount
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}


@ -2,25 +2,25 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
component: keyservice
k8s-app: keyservice
kubernetes.io/cluster-service: "true"
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
k8s-app: kms
k8s-app: keyservice
template:
metadata:
labels:
k8s-app: kms
k8s-app: keyservice
spec:
containers:
- name: kms
- name: keyservice
image: {{ .Values.image | quote }}
args:
- --port={{ .Values.global.kmsPort }}
- --port={{ .Values.global.keyservicePort }}
volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config
@ -29,7 +29,7 @@ spec:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
serviceAccountName: keyservice
tolerations:
- key: CriticalAddonsOnly
operator: Exists


@ -1,16 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: grpc
port: {{ .Values.global.kmsPort }}
port: {{ .Values.global.keyservicePort }}
protocol: TCP
targetPort: {{ .Values.global.kmsPort }}
targetPort: {{ .Values.global.keyservicePort }}
selector:
k8s-app: kms
k8s-app: keyservice
type: ClusterIP
status:
loadBalancer: {}


@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}


@ -4,7 +4,7 @@
"image": {
"description": "Container image to use for the spawned pods.",
"type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
"examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"]
},
"masterSecret": {
"description": "Secret used to derive key material within the cluster",


@ -1,6 +1,6 @@
global:
# Port on which the KMS service will listen. Global since join-service also uses the value.
kmsPort: 9000
# Port on which the KeyService will listen. Global since join-service also uses the value.
keyservicePort: 9000
# Path to which secrets/CMs are mounted.
serviceBasePath: /var/config
# Name of the ConfigMap that holds measurements and other info.


@ -52,7 +52,7 @@ const (
// ChartLoader loads embedded helm charts.
type ChartLoader struct {
joinServiceImage string
kmsImage string
keyserviceImage string
ccmImage string
cnmImage string
autoscalerImage string
@ -78,7 +78,7 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion)
return &ChartLoader{
joinServiceImage: versions.JoinImage,
kmsImage: versions.KmsImage,
keyserviceImage: versions.KeyServiceImage,
ccmImage: ccmImage,
cnmImage: cnmImage,
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
@ -359,13 +359,14 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
csp := config.GetProvider()
values := map[string]any{
"global": map[string]any{
"kmsPort": constants.KMSPort,
"serviceBasePath": constants.ServiceBasePath,
"joinConfigCMName": constants.JoinConfigMap,
"internalCMName": constants.InternalConfigMap,
"keyservicePort": constants.KeyservicePort,
"keyserviceNamespace": "", // empty namespace means we use the release namespace
"serviceBasePath": constants.ServiceBasePath,
"joinConfigCMName": constants.JoinConfigMap,
"internalCMName": constants.InternalConfigMap,
},
"kms": map[string]any{
"image": i.kmsImage,
"keyservice": map[string]any{
"image": i.keyserviceImage,
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
"salt": base64.StdEncoding.EncodeToString(salt),
"saltKeyName": constants.ConstellationSaltKey,
@ -420,13 +421,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
"deployCSIDriver": config.DeployCSIDriver(),
}
values["azuredisk-csi-driver"] = map[string]any{
"node": map[string]any{
"kmsPort": constants.KMSPort,
"kmsNamespace": "", // empty namespace means we use the release namespace
},
}
values["tags"] = map[string]any{
"Azure": true,
}
@ -444,13 +438,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
"deployCSIDriver": config.DeployCSIDriver(),
}
values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
"csiNode": map[string]any{
"kmsPort": constants.KMSPort,
"kmsNamespace": "", // empty namespace means we use the release namespace
},
}
values["tags"] = map[string]any{
"GCP": true,
}


@ -90,7 +90,7 @@ func TestConstellationServices(t *testing.T) {
chartLoader := ChartLoader{
joinServiceImage: "joinServiceImage",
kmsImage: "kmsImage",
keyserviceImage: "keyserviceImage",
ccmImage: tc.ccmImage,
cnmImage: tc.cnmImage,
autoscalerImage: "autoscalerImage",
@ -159,7 +159,7 @@ func TestOperators(t *testing.T) {
chartLoader := ChartLoader{
joinServiceImage: "joinServiceImage",
kmsImage: "kmsImage",
keyserviceImage: "keyserviceImage",
ccmImage: "ccmImage",
cnmImage: "cnmImage",
autoscalerImage: "autoscalerImage",
@ -301,40 +301,38 @@ func prepareGCPValues(values map[string]any) error {
testTag := "v0.0.0"
pullPolicy := "IfNotPresent"
csiVals, ok := values["gcp-compute-persistent-disk-csi-driver"].(map[string]any)
if !ok {
return errors.New("missing 'gcp-compute-persistent-disk-csi-driver' key")
}
csiVals["image"] = map[string]any{
"csiProvisioner": map[string]any{
"repo": "csi-provisioner",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiAttacher": map[string]any{
"repo": "csi-attacher",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiResizer": map[string]any{
"repo": "csi-resizer",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiSnapshotter": map[string]any{
"repo": "csi-snapshotter",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiNodeRegistrar": map[string]any{
"repo": "csi-registrar",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"gcepdDriver": map[string]any{
"repo": "csi-driver",
"tag": testTag,
"pullPolicy": pullPolicy,
values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
"image": map[string]any{
"csiProvisioner": map[string]any{
"repo": "csi-provisioner",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiAttacher": map[string]any{
"repo": "csi-attacher",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiResizer": map[string]any{
"repo": "csi-resizer",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiSnapshotter": map[string]any{
"repo": "csi-snapshotter",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"csiNodeRegistrar": map[string]any{
"repo": "csi-registrar",
"tag": testTag,
"pullPolicy": pullPolicy,
},
"gcepdDriver": map[string]any{
"repo": "csi-driver",
"tag": testTag,
"pullPolicy": pullPolicy,
},
},
}


@ -107,7 +107,7 @@ spec:
- "--allow-empty-cloud-config=true"
- "--support-zone=true"
- "--get-node-info-from-labels=false"
- "--kms-addr=kms.testNamespace:9000"
- "--kms-addr=keyservice.testNamespace:9000"
ports:
- containerPort: 29603
name: healthz


@ -38,7 +38,7 @@ spec:
image: joinServiceImage
args:
- --cloud-provider=Azure
- --kms-endpoint=kms.testNamespace:9000
- --keyservice-endpoint=keyservice.testNamespace:9000
volumeMounts:
- mountPath: /var/config
name: config


@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
k8s-app: keyservice
name: keyservice
rules:
- apiGroups:
- ""


@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
name: keyservice
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
name: keyservice
subjects:
- kind: ServiceAccount
name: kms
name: keyservice
namespace: testNamespace


@ -2,23 +2,23 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
component: keyservice
k8s-app: keyservice
kubernetes.io/cluster-service: "true"
name: kms
name: keyservice
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
k8s-app: keyservice
template:
metadata:
labels:
k8s-app: kms
k8s-app: keyservice
spec:
containers:
- name: kms
image: kmsImage
- name: keyservice
image: keyserviceImage
args:
- --port=9000
volumeMounts:
@ -29,7 +29,7 @@ spec:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
serviceAccountName: keyservice
tolerations:
- key: CriticalAddonsOnly
operator: Exists


@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: kms
name: keyservice
namespace: testNamespace
spec:
ports:
@ -10,7 +10,7 @@ spec:
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
k8s-app: keyservice
type: ClusterIP
status:
loadBalancer: {}


@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
name: keyservice
namespace: testNamespace


@ -41,7 +41,7 @@ spec:
- "--v=5"
- "--endpoint=unix:/csi/csi.sock"
- "--run-controller-service=false"
- "--kms-addr=kms.testNamespace:9000"
- "--kms-addr=keyservice.testNamespace:9000"
securityContext:
privileged: true
volumeMounts:


@ -38,7 +38,7 @@ spec:
image: joinServiceImage
args:
- --cloud-provider=GCP
- --kms-endpoint=kms.testNamespace:9000
- --keyservice-endpoint=keyservice.testNamespace:9000
volumeMounts:
- mountPath: /var/config
name: config


@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
k8s-app: keyservice
name: keyservice
rules:
- apiGroups:
- ""


@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
name: keyservice
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
name: keyservice
subjects:
- kind: ServiceAccount
name: kms
name: keyservice
namespace: testNamespace


@ -2,23 +2,23 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
component: keyservice
k8s-app: keyservice
kubernetes.io/cluster-service: "true"
name: kms
name: keyservice
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
k8s-app: keyservice
template:
metadata:
labels:
k8s-app: kms
k8s-app: keyservice
spec:
containers:
- name: kms
image: kmsImage
- name: keyservice
image: keyserviceImage
args:
- --port=9000
volumeMounts:
@ -29,7 +29,7 @@ spec:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
serviceAccountName: keyservice
tolerations:
- key: CriticalAddonsOnly
operator: Exists


@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: kms
name: keyservice
namespace: testNamespace
spec:
ports:
@ -10,7 +10,7 @@ spec:
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
k8s-app: keyservice
type: ClusterIP
status:
loadBalancer: {}


@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
name: keyservice
namespace: testNamespace


@ -38,7 +38,7 @@ spec:
image: joinServiceImage
args:
- --cloud-provider=QEMU
- --kms-endpoint=kms.testNamespace:9000
- --keyservice-endpoint=keyservice.testNamespace:9000
volumeMounts:
- mountPath: /var/config
name: config


@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
k8s-app: keyservice
name: keyservice
rules:
- apiGroups:
- ""


@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
name: keyservice
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
name: keyservice
subjects:
- kind: ServiceAccount
name: kms
name: keyservice
namespace: testNamespace


@ -2,23 +2,23 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
component: keyservice
k8s-app: keyservice
kubernetes.io/cluster-service: "true"
name: kms
name: keyservice
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
k8s-app: keyservice
template:
metadata:
labels:
k8s-app: kms
k8s-app: keyservice
spec:
containers:
- name: kms
image: kmsImage
- name: keyservice
image: keyserviceImage
args:
- --port=9000
volumeMounts:
@ -29,7 +29,7 @@ spec:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
serviceAccountName: keyservice
tolerations:
- key: CriticalAddonsOnly
operator: Exists


@ -1,7 +1,7 @@
apiVersion: v1
kind: Service
metadata:
name: kms
name: keyservice
namespace: testNamespace
spec:
ports:
@ -10,7 +10,7 @@ spec:
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
k8s-app: keyservice
type: ClusterIP
status:
loadBalancer: {}


@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
name: keyservice
namespace: testNamespace


@ -48,8 +48,8 @@ download_chart() {
## GCP CSI Driver
# TODO: clone from main branch once we rebase on upstream
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.0" "charts" "gcp-compute-persistent-disk-csi-driver"
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.1" "charts" "gcp-compute-persistent-disk-csi-driver"
## Azure CSI Driver
# TODO: clone from main branch once we rebase on upstream
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.0" "charts/edgeless" "azuredisk-csi-driver"
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.1" "charts/edgeless" "azuredisk-csi-driver"


@ -10,7 +10,7 @@ import (
"context"
"fmt"
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
)
@ -39,7 +39,7 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int
res, err := k.kms.GetDataKey(
ctx,
&kmsproto.GetDataKeyRequest{
&keyserviceproto.GetDataKeyRequest{
DataKeyId: dekID,
Length: uint32(dekSize),
},
@ -53,11 +53,11 @@ func (k *ConstellationKMS) GetDEK(ctx context.Context, dekID string, dekSize int
}
type kmsClient interface {
GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error)
GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error)
}
type constellationKMSClient struct{}
func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req)
func (c *constellationKMSClient) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req)
}
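Review bot: `ConstellationKMS`, the `kmsClient` interface and the `k.kms` field keep the word KMS for what is, per the commit message, the keyservice client; only the proto package was renamed in this hunk. If the names stay on purpose because `ConstellationKMS` is part of the csi package's exported API, a doc comment saying so would prevent the next reader from assuming it talks to an external KMS, e.g. `// ConstellationKMS fetches data encryption keys from Constellation's KeyService, not from an external KMS.`; otherwise a follow-up rename would finish what this commit starts. The joinservice `internal/kms` package further down has the same split, its `Client` doc comment now says keyservice while the package is still `kms`. `GetDEK` begins outside the hunk.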


@ -11,7 +11,7 @@ import (
"errors"
"testing"
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/stretchr/testify/assert"
"go.uber.org/goleak"
"google.golang.org/grpc"
@ -27,8 +27,8 @@ type stubKMSClient struct {
dataKey []byte
}
func (c *stubKMSClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
func (c *stubKMSClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
}
func TestConstellationKMS(t *testing.T) {


@ -5,7 +5,7 @@ Core components:
* [cli](/cli): The CLI is used to manage a Constellation cluster
* [bootstrapper](/bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
* [image](/image): Build files for the Constellation disk image
* [kms](/kms): Constellation's key management client and server
* [keyservice](/keyservice): Constellation's key management client and server
* [csi](/csi): Package used by CSI plugins to create and mount encrypted block devices
* [disk-mapper](/disk-mapper): Contains the disk-mapper that maps the encrypted node data disk during boot


@ -7,7 +7,7 @@ These features are provided by several components:
* The [Bootstrapper](components.md#bootstrapper) initializes a Constellation node and bootstraps the cluster
* The [JoinService](components.md#joinservice) joins new nodes to an existing cluster
* The [VerificationService](components.md#verificationservice) provides remote attestation functionality
* The [Key Management Service (KMS)](components.md#kms) manages Constellation-internal keys
* The [KeyService](components.md#keyservice) manages Constellation-internal keys
The relations between components are shown in the following diagram:
@ -22,7 +22,7 @@ flowchart LR
end
subgraph Kubernetes
D[JoinService]
E[KMS]
E[KeyService]
F[VerificationService]
end
A -- deploys -->
@ -45,7 +45,7 @@ Otherwise, it waits for an initialization request to create a new Kubernetes clu
The *JoinService* runs as [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) on each control-plane node.
New nodes (at cluster start, or later through autoscaling) send a request to the service over [attested TLS (aTLS)](attestation.md#attested-tls-atls).
The *JoinService* verifies the new node's certificate and attestation statement.
If attestation is successful, the new node is supplied with an encryption key from the [*KMS*](components.md#kms) for its state disk, and a Kubernetes bootstrap token.
If attestation is successful, the new node is supplied with an encryption key from the [*KeyService*](components.md#keyservice) for its state disk, and a Kubernetes bootstrap token.
```mermaid
@ -55,8 +55,8 @@ sequenceDiagram
New node->>JoinService: aTLS handshake (server side verification)
JoinService-->>New node: #
New node->>+JoinService: IssueJoinTicket(DiskUUID, NodeName, IsControlPlane)
JoinService->>+KMS: GetDataKey(DiskUUID)
KMS-->>-JoinService: DiskEncryptionKey
JoinService->>+KeyService: GetDataKey(DiskUUID)
KeyService-->>-JoinService: DiskEncryptionKey
JoinService-->>-New node: DiskEncryptionKey, KubernetesJoinToken, ...
```
@ -66,8 +66,8 @@ The *VerificationService* runs as DaemonSet on each node.
It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
## KMS
## KeyService
The *KMS* runs as DaemonSet on each control-plane node.
The *KeyService* runs as DaemonSet on each control-plane node.
It implements the key management for the [storage encryption keys](keys.md#storage-encryption) in Constellation. These keys are used for the [state disk](images.md#state-disk) of each node and the [transparently encrypted storage](encrypted-storage.md) for Kubernetes.
Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KMS* holds the key encryption key (KEK) directly or calls an external service for key derivation respectively.
Depending on wether the [constellation-managed](keys.md#constellation-managed-key-management) or [user-managed](keys.md#user-managed-key-management) mode is used, the *KeyService* holds the key encryption key (KEK) directly or calls an external key management service (KMS) for key derivation respectively.


@ -28,7 +28,7 @@ All cryptographic operations happen inside the trusted environment of the confid
Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KMS*](components.md#kms).
By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KeyService*](components.md#keyservice).
The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
This is the recommended mode of operation, and also requires the least amount of setup by the cluster administrator.


@ -44,8 +44,8 @@ const (
VerifyServiceNodePortHTTP = 30080
// VerifyServiceNodePortGRPC GRPC node port for verification service.
VerifyServiceNodePortGRPC = 30081
// KMSPort is the port the KMS server listens on.
KMSPort = 9000
// KeyservicePort is the port the KMS server listens on.
KeyservicePort = 9000
// BootstrapperPort port of bootstrapper.
BootstrapperPort = 9000
// KubernetesPort port for Kubernetes API.
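Review bot: The doc comment on `KeyservicePort` still says `the KMS server listens on`, which is exactly the wording the commit sets out to retire; change it to `// KeyservicePort is the port the KeyService listens on.`. The constant is also spelled `Keyservice` while the image constant in versions.go in this same commit is `KeyServiceImage`; choosing one casing for the Go identifiers (`KeyServicePort` to match `KeyServiceImage`) would keep `internal/constants` and `internal/versions` consistent.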


@ -57,9 +57,9 @@ const (
// KonnectivityServerImage server image for konnectivity service.
KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.35@sha256:d863f7fd0da4392b9753dc6c9195a658e80d70e0be8c9adb410d77cf20b75c76" // renovate:container
// JoinImage image of Constellation join service.
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:5fb9592e2777bfd54b460c09761a1d7fbcd47bad73efafc429b5fa88a0bf98fe" // renovate:container
// KmsImage image of Constellation KMS server.
KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:962ab2575028c3bd3b0ab97a572f4af96075ac031776b17bb2188aa2c40e12f3" // renovate:container
JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container
// KeyServiceImage image of Constellation KeyService server.
KeyServiceImage = "ghcr.io/edgelesssys/constellation/keyservice:v2.5.0-pre.0.20230111102352-5c9a15acf65c" // renovate:container
// VerificationImage image of Constellation verification service.
VerificationImage = "ghcr.io/edgelesssys/constellation/verification-service:v2.4.0-pre.0.20230109111654-2700d5182b7d@sha256:43fd9d3494538d94f584dbcfa6d4fd82cadefe3e4fdaa33e9ffb19d8f6b98b94" // renovate:container
// GcpGuestImage image for GCP guest agent.
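Review bot: The new `JoinImage` and `KeyServiceImage` references are tag-only, whereas the lines they replace and the neighbouring `VerificationImage` pin the image with an `@sha256:` digest. A tag can be re-pushed, so without the digest the reference is no longer immutable and the workflow's cosign signature is the only thing tying the tag to a specific build; the `// renovate:container` marker suggests renovate may re-add the digest on its next run, but that is an inference. If the digest was left out only because the freshly built `keyservice` image had not been published yet, `KeyServiceImage = "ghcr.io/edgelesssys/constellation/keyservice:v2.5.0-pre.0.20230111102352-5c9a15acf65c@sha256:<digest>"` with the real digest filled in would restore the pin. The `JoinImage` bump is unrelated to the rename and is worth a sentence in the commit message.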


@ -34,7 +34,7 @@ sequenceDiagram
### [internal/kms](./internal/kms/)
Implements interaction with Constellation's key management service.
Implements interaction with Constellation's keyservice.
This is needed for fetching data encryption keys for joining nodes.
### [internal/kubeadm](./internal/kubeadm/)


@ -40,7 +40,7 @@ const vpcIPTimeout = 30 * time.Second
func main() {
provider := flag.String("cloud-provider", "", "cloud service provider this binary is running on")
kmsEndpoint := flag.String("kms-endpoint", "", "endpoint of Constellations key management service")
keyserviceEndpoint := flag.String("keyservice-endpoint", "", "endpoint of Constellations key management service")
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
flag.Parse()
@ -78,7 +78,7 @@ func main() {
if err != nil {
log.With(zap.Error(err)).Fatalf("Failed to create kubeadm")
}
kms := kms.New(log.Named("kms"), *kmsEndpoint)
keyserviceClient := kms.New(log.Named("keyserviceClient"), *keyserviceEndpoint)
measurementSalt, err := handler.Read(filepath.Join(constants.ServiceBasePath, constants.MeasurementSaltFilename))
if err != nil {
@ -89,7 +89,7 @@ func main() {
measurementSalt,
kubernetesca.New(log.Named("certificateAuthority"), handler),
kubeadm,
kms,
keyserviceClient,
log.Named("server"),
)
if err != nil {
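Review bot: The help text for the renamed `keyservice-endpoint` flag still reads `endpoint of Constellations key management service`, i.e. it describes the flag with the term this commit reserves for the backend; `keyserviceEndpoint := flag.String("keyservice-endpoint", "", "endpoint of Constellation's KeyService")` would match the new name. Renaming a command-line flag is a compatibility break for any deployment that does not come from the updated Helm chart; the join-service Deployment template is updated in this commit, but a line in the commit message would make the break visible to anyone running older manifests. The constructor is still `kms.New` from the `internal/kms` package, so the variable and logger name `keyserviceClient` now sit next to a package still called kms; renaming the package, or saying why it stays, would avoid the mixed vocabulary. `main` continues outside the hunk.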


@ -11,13 +11,13 @@ import (
"fmt"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"go.uber.org/zap"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
)
// Client interacts with Constellation's key management service.
// Client interacts with Constellation's keyservice.
type Client struct {
log *logger.Logger
endpoint string
@ -48,7 +48,7 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt
log.Infof("Requesting data key")
res, err := c.grpc.GetDataKey(
ctx,
&kmsproto.GetDataKeyRequest{
&keyserviceproto.GetDataKeyRequest{
DataKeyId: keyID,
Length: uint32(length),
},
@ -63,11 +63,11 @@ func (c Client) GetDataKey(ctx context.Context, keyID string, length int) ([]byt
}
type grpcClient interface {
GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error)
GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error)
}
type client struct{}
func (c client) GetDataKey(ctx context.Context, req *kmsproto.GetDataKeyRequest, conn *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
return kmsproto.NewAPIClient(conn).GetDataKey(ctx, req)
func (c client) GetDataKey(ctx context.Context, req *keyserviceproto.GetDataKeyRequest, conn *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return keyserviceproto.NewAPIClient(conn).GetDataKey(ctx, req)
}


@ -12,7 +12,7 @@ import (
"testing"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/stretchr/testify/assert"
"go.uber.org/goleak"
"google.golang.org/grpc"
@ -24,8 +24,8 @@ type stubClient struct {
dataKey []byte
}
func (c *stubClient) GetDataKey(context.Context, *kmsproto.GetDataKeyRequest, *grpc.ClientConn) (*kmsproto.GetDataKeyResponse, error) {
return &kmsproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
func (c *stubClient) GetDataKey(context.Context, *keyserviceproto.GetDataKeyRequest, *grpc.ClientConn) (*keyserviceproto.GetDataKeyResponse, error) {
return &keyserviceproto.GetDataKeyResponse{DataKey: c.dataKey}, c.getDataKeyErr
}
func TestMain(m *testing.M) {


@ -22,10 +22,10 @@ RUN rm -rf ./hack/
# Build
RUN mkdir -p /constellation/build
WORKDIR /constellation/kms/cmd
WORKDIR /constellation/keyservice/cmd
ARG PROJECT_VERSION=0.0.0
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/kmsserver -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}"
RUN --mount=type=cache,target=/root/.cache/go-build CGO_ENABLED=0 go build -o /constellation/build/keyservice -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}"
FROM gcr.io/distroless/static:nonroot@sha256:1fa522fe6cfe020d50341f1ca561c099487bd44f8eb98d25d1920b07e05e40be as release
COPY --from=build /constellation/build/kmsserver /kmsserver
ENTRYPOINT ["/kmsserver"]
COPY --from=build /constellation/build/keyservice /keyservice
ENTRYPOINT ["/keyservice"]


@ -19,14 +19,14 @@ import (
"github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/file"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/internal/server"
"github.com/edgelesssys/constellation/v2/kms/setup"
"github.com/edgelesssys/constellation/v2/keyservice/internal/server"
"github.com/edgelesssys/constellation/v2/keyservice/setup"
"github.com/spf13/afero"
"go.uber.org/zap"
)
func main() {
port := flag.String("port", strconv.Itoa(constants.KMSPort), "Port gRPC server listens on")
port := flag.String("port", strconv.Itoa(constants.KeyservicePort), "Port gRPC server listens on")
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationSaltKey), "Path to the Constellation salt")
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
@ -66,7 +66,7 @@ func main() {
log.With(zap.Error(err)).Fatalf("Failed to create KMS KEK from MasterKey")
}
if err := server.New(log.Named("kms"), conKMS).Run(*port); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to run KMS server")
if err := server.New(log.Named("keyservice"), conKMS).Run(*port); err != nil {
log.With(zap.Error(err)).Fatalf("Failed to run keyservice server")
}
}


@ -6,10 +6,10 @@ It's intendet for the Constellation CSI Plugins and the CLI.
## KMS
The Cloud KMS is where we store our key encryption key (KEK).
It should be initiated by the CLI and provided with a key release policy.
The CSP Plugin can request to encrypt data encryption keys (DEK) with the DEK to safely store them on persistent memory.
The KMS should be initiated by the CLI and provided with a key release policy.
The CSP Plugin can request to encrypt data encryption keys (DEK) with the KEK to safely store the DEKs in persistent storage.
The [kms](../kms/) package interacts with the Cloud KMS APIs.
Currently planned are KMS are:
Support is planed for:
* AWS KMS
* GCP CKM


@ -15,8 +15,8 @@ import (
"github.com/edgelesssys/constellation/v2/internal/crypto"
"github.com/edgelesssys/constellation/v2/internal/grpc/grpclog"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/edgelesssys/constellation/v2/keyservice/kms"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
"google.golang.org/grpc"
@ -30,7 +30,7 @@ import (
type Server struct {
log *logger.Logger
conKMS kms.CloudKMS
kmsproto.UnimplementedAPIServer
keyserviceproto.UnimplementedAPIServer
}
// New creates a new Server.
@ -50,7 +50,7 @@ func (s *Server) Run(port string) error {
}
server := grpc.NewServer(s.log.Named("gRPC").GetServerUnaryInterceptor())
kmsproto.RegisterAPIServer(server, s)
keyserviceproto.RegisterAPIServer(server, s)
s.log.Named("gRPC").WithIncreasedLevel(zapcore.WarnLevel).ReplaceGRPCLogger()
// start the server
@ -59,7 +59,7 @@ func (s *Server) Run(port string) error {
}
// GetDataKey returns a data key.
func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) {
func (s *Server) GetDataKey(ctx context.Context, in *keyserviceproto.GetDataKeyRequest) (*keyserviceproto.GetDataKeyResponse, error) {
log := s.log.With("peerAddress", grpclog.PeerAddrFromContext(ctx))
// Error on 0 key length
@ -79,5 +79,5 @@ func (s *Server) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest)
log.With(zap.Error(err)).Errorf("Failed to get data key")
return nil, status.Errorf(codes.Internal, "%v", err)
}
return &kmsproto.GetDataKeyResponse{DataKey: key}, nil
return &keyserviceproto.GetDataKeyResponse{DataKey: key}, nil
}


@ -12,7 +12,7 @@ import (
"testing"
"github.com/edgelesssys/constellation/v2/internal/logger"
"github.com/edgelesssys/constellation/v2/kms/kmsproto"
"github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"go.uber.org/goleak"
@ -31,23 +31,23 @@ func TestGetDataKey(t *testing.T) {
kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}}
api := New(log, kms)
res, err := api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
res, err := api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
require.NoError(err)
assert.Equal(kms.derivedKey, res.DataKey)
// Test no data key id
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{Length: 32})
res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{Length: 32})
require.Error(err)
assert.Nil(res)
// Test no / zero key length
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1"})
res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1"})
require.Error(err)
assert.Nil(res)
// Test derive key error
api = New(log, &stubKMS{deriveKeyErr: errors.New("error")})
res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
res, err = api.GetDataKey(context.Background(), &keyserviceproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
assert.Error(err)
assert.Nil(res)
}


@ -16,7 +16,7 @@ import (
awsconfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
)
type awsS3ClientAPI interface {


@ -16,7 +16,7 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/bloberror"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
)
type azureBlobAPI interface {


@ -19,9 +19,9 @@ import (
"github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
kmsconfig "github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
awsInterface "github.com/edgelesssys/constellation/v2/kms/kms/aws"
kmsconfig "github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
awsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms/aws"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)


@ -13,9 +13,9 @@ import (
"testing"
"time"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms/azure"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/keyservice/kms/azure"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)


@ -14,9 +14,9 @@ import (
"time"
"cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms/gcp"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/keyservice/kms/gcp"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)


@ -2,9 +2,9 @@
// versions:
// protoc-gen-go v1.28.1
// protoc v3.21.8
// source: kms.proto
// source: keyservice.proto
package kmsproto
package keyserviceproto
import (
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
@ -32,7 +32,7 @@ type GetDataKeyRequest struct {
func (x *GetDataKeyRequest) Reset() {
*x = GetDataKeyRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_kms_proto_msgTypes[0]
mi := &file_keyservice_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -45,7 +45,7 @@ func (x *GetDataKeyRequest) String() string {
func (*GetDataKeyRequest) ProtoMessage() {}
func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
mi := &file_kms_proto_msgTypes[0]
mi := &file_keyservice_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -58,7 +58,7 @@ func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message {
// Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead.
func (*GetDataKeyRequest) Descriptor() ([]byte, []int) {
return file_kms_proto_rawDescGZIP(), []int{0}
return file_keyservice_proto_rawDescGZIP(), []int{0}
}
func (x *GetDataKeyRequest) GetDataKeyId() string {
@ -86,7 +86,7 @@ type GetDataKeyResponse struct {
func (x *GetDataKeyResponse) Reset() {
*x = GetDataKeyResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_kms_proto_msgTypes[1]
mi := &file_keyservice_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -99,7 +99,7 @@ func (x *GetDataKeyResponse) String() string {
func (*GetDataKeyResponse) ProtoMessage() {}
func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
mi := &file_kms_proto_msgTypes[1]
mi := &file_keyservice_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -112,7 +112,7 @@ func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message {
// Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead.
func (*GetDataKeyResponse) Descriptor() ([]byte, []int) {
return file_kms_proto_rawDescGZIP(), []int{1}
return file_keyservice_proto_rawDescGZIP(), []int{1}
}
func (x *GetDataKeyResponse) GetDataKey() []byte {
@ -122,47 +122,48 @@ func (x *GetDataKeyResponse) GetDataKey() []byte {
return nil
}
var File_kms_proto protoreflect.FileDescriptor
var File_keyservice_proto protoreflect.FileDescriptor
var file_kms_proto_rawDesc = []byte{
0x0a, 0x09, 0x6b, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73,
0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65,
0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65,
0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61,
0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18,
0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a,
0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18,
0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44,
0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61,
0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74,
0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d,
0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
0x6f, 0x6e, 0x73, 0x65, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63,
0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f,
0x6b, 0x6d, 0x73, 0x2f, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x33,
var file_keyservice_proto_rawDesc = []byte{
0x0a, 0x10, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x12, 0x03, 0x6b, 0x6d, 0x73, 0x22, 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61,
0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b,
0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06,
0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65,
0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b,
0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61,
0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61,
0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x44, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x3d, 0x0a, 0x0a,
0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x12, 0x16, 0x2e, 0x6b, 0x6d, 0x73,
0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65,
0x73, 0x74, 0x1a, 0x17, 0x2e, 0x6b, 0x6d, 0x73, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61,
0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x44, 0x5a, 0x42, 0x67,
0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65,
0x73, 0x73, 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74,
0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
0x65, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
file_kms_proto_rawDescOnce sync.Once
file_kms_proto_rawDescData = file_kms_proto_rawDesc
file_keyservice_proto_rawDescOnce sync.Once
file_keyservice_proto_rawDescData = file_keyservice_proto_rawDesc
)
func file_kms_proto_rawDescGZIP() []byte {
file_kms_proto_rawDescOnce.Do(func() {
file_kms_proto_rawDescData = protoimpl.X.CompressGZIP(file_kms_proto_rawDescData)
func file_keyservice_proto_rawDescGZIP() []byte {
file_keyservice_proto_rawDescOnce.Do(func() {
file_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_proto_rawDescData)
})
return file_kms_proto_rawDescData
return file_keyservice_proto_rawDescData
}
var file_kms_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_kms_proto_goTypes = []interface{}{
var file_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_keyservice_proto_goTypes = []interface{}{
(*GetDataKeyRequest)(nil), // 0: kms.GetDataKeyRequest
(*GetDataKeyResponse)(nil), // 1: kms.GetDataKeyResponse
}
var file_kms_proto_depIdxs = []int32{
var file_keyservice_proto_depIdxs = []int32{
0, // 0: kms.API.GetDataKey:input_type -> kms.GetDataKeyRequest
1, // 1: kms.API.GetDataKey:output_type -> kms.GetDataKeyResponse
1, // [1:2] is the sub-list for method output_type
@ -172,13 +173,13 @@ var file_kms_proto_depIdxs = []int32{
0, // [0:0] is the sub-list for field type_name
}
func init() { file_kms_proto_init() }
func file_kms_proto_init() {
if File_kms_proto != nil {
func init() { file_keyservice_proto_init() }
func file_keyservice_proto_init() {
if File_keyservice_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_kms_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
file_keyservice_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*GetDataKeyRequest); i {
case 0:
return &v.state
@ -190,7 +191,7 @@ func file_kms_proto_init() {
return nil
}
}
file_kms_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
file_keyservice_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*GetDataKeyResponse); i {
case 0:
return &v.state
@ -207,18 +208,18 @@ func file_kms_proto_init() {
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_kms_proto_rawDesc,
RawDescriptor: file_keyservice_proto_rawDesc,
NumEnums: 0,
NumMessages: 2,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_kms_proto_goTypes,
DependencyIndexes: file_kms_proto_depIdxs,
MessageInfos: file_kms_proto_msgTypes,
GoTypes: file_keyservice_proto_goTypes,
DependencyIndexes: file_keyservice_proto_depIdxs,
MessageInfos: file_keyservice_proto_msgTypes,
}.Build()
File_kms_proto = out.File
file_kms_proto_rawDesc = nil
file_kms_proto_goTypes = nil
file_kms_proto_depIdxs = nil
File_keyservice_proto = out.File
file_keyservice_proto_rawDesc = nil
file_keyservice_proto_goTypes = nil
file_keyservice_proto_depIdxs = nil
}


@ -2,7 +2,7 @@ syntax = "proto3";
package kms;
option go_package = "github.com/edgelesssys/constellation/v2/kms/kmsproto";
option go_package = "github.com/edgelesssys/constellation/v2/keyservice/keyserviceproto";
service API {
rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse);
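Review bot: The proto `package kms;` directly above the changed `go_package` option is left untouched, so the Go package becomes keyserviceproto while the descriptor still names the service `kms.API` (the regenerated rawDesc and the `// 0: kms.GetDataKeyRequest` comments in the generated file confirm this). I assume that is deliberate, because the proto package is part of the gRPC method path and renaming it would change the wire API between older and newer components, but nothing in the file records that intent, and a later cleanup pass could finish the rename and silently break that compatibility. A comment above the package line would make it explicit, e.g. `// The proto package stays "kms": it forms the gRPC method path (/kms.API/GetDataKey), and renaming it changes the wire API.`. The service definition continues past the hunk.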


@ -2,9 +2,9 @@
// versions:
// - protoc-gen-go-grpc v1.2.0
// - protoc v3.21.8
// source: kms.proto
// source: keyservice.proto
package kmsproto
package keyserviceproto
import (
context "context"
@ -101,5 +101,5 @@ var API_ServiceDesc = grpc.ServiceDesc{
},
},
Streams: []grpc.StreamDesc{},
Metadata: "kms.proto",
Metadata: "keyservice.proto",
}


@ -17,10 +17,10 @@ import (
awsconfig "github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/kms/types"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
)
const (


@ -22,9 +22,9 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/kms"
"github.com/aws/aws-sdk-go-v2/service/kms/types"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/stretchr/testify/assert"
"go.uber.org/goleak"
)


@ -17,10 +17,10 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
)
const (


@ -14,8 +14,8 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/stretchr/testify/assert"
"go.uber.org/goleak"
)


@ -15,10 +15,10 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
)
type hsmClientAPI interface {


@ -13,8 +13,8 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)


@ -19,10 +19,10 @@ import (
kms "cloud.google.com/go/kms/apiv1"
"cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/config"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util"
"github.com/edgelesssys/constellation/v2/keyservice/internal/config"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
"github.com/googleapis/gax-go/v2"
"google.golang.org/api/option"
"google.golang.org/grpc/codes"


@ -12,9 +12,9 @@ import (
"testing"
"cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/util"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
kmsInterface "github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/keyservice/kms/util"
"github.com/googleapis/gax-go/v2"
"github.com/stretchr/testify/assert"
"go.uber.org/goleak"


@ -14,12 +14,12 @@ import (
"strconv"
"cloud.google.com/go/kms/apiv1/kmspb"
"github.com/edgelesssys/constellation/v2/kms/internal/storage"
"github.com/edgelesssys/constellation/v2/kms/kms"
"github.com/edgelesssys/constellation/v2/kms/kms/aws"
"github.com/edgelesssys/constellation/v2/kms/kms/azure"
"github.com/edgelesssys/constellation/v2/kms/kms/cluster"
"github.com/edgelesssys/constellation/v2/kms/kms/gcp"
"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
"github.com/edgelesssys/constellation/v2/keyservice/kms"
"github.com/edgelesssys/constellation/v2/keyservice/kms/aws"
"github.com/edgelesssys/constellation/v2/keyservice/kms/azure"
"github.com/edgelesssys/constellation/v2/keyservice/kms/cluster"
"github.com/edgelesssys/constellation/v2/keyservice/kms/gcp"
)
// Well known endpoints for KMS services.


@ -35,8 +35,8 @@ COPY debugd/service/*.proto /service
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
## key management
WORKDIR /kms
COPY kms/kmsproto/*.proto /kms
WORKDIR /keyservice
COPY keyservice/keyserviceproto/*.proto /keyservice
RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto
## join service
@ -62,7 +62,7 @@ RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_o
FROM scratch as export
COPY --from=build /disk-mapper/*.go disk-mapper/recoverproto/
COPY --from=build /service/*.go debugd/service/
COPY --from=build /kms/*.go kms/kmsproto/
COPY --from=build /keyservice/*.go keyservice/keyserviceproto/
COPY --from=build /joinservice/*.go joinservice/joinproto/
COPY --from=build /verify/*.go verify/verifyproto/
COPY --from=build /init/*.go bootstrapper/initproto/


@ -47,7 +47,7 @@ The measurement secret, together with a measurement salt (not secret) is used to
* For eKMS backends the two URIs can be used directly to request new DEKs.
* For the cKMS backend the KMS URI can include an optional parameter that holds the masterSecret: `kms://cluster-kms?masterSecret=<masterSecret>`.
The above approach allows us to integrate with the existing setup code in `kms/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms).
The above approach allows us to integrate with the existing setup code in `keyservice/setup/setup.go` with only minimal changes (parse masterSecret in case of cluster-kms).
This code is used to setup CloudKMS objects.
The `setup.go` code will have to be refactored to live in `internal` so that the disk-mapper pkg can directly communicate with the respective external KMS.


@ -24,7 +24,7 @@ We use SHA-256 as the hash function.
Constellation's master secret is used as *IKM* for HKDF.
The master secret is either provided by the admin, or a randomly generated 32 byte value.
It is supplied to the cluster during `constellation init` and in the following used by [Constellation's KMS](../kms/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/).
It is supplied to the cluster during `constellation init` and in the following used by [Constellation's keyservice](../keyservice/) and managed by Kubernetes as a [secret](https://kubernetes.io/docs/concepts/configuration/secret/).
## Salt
