Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-12-11 06:02:41 -05:00
Code Issues Projects Releases Packages Wiki Activity

Generate random salt for key derivation on init (#309)

Browse source 
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-07-29 09:52:47 +02:00 committed by GitHub
parent e0ce2e8a51
commit 9a3bd38912
25 changed files with 342 additions and 317 deletions
Download patch file Download diff file Expand all files Collapse all files

21
bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
View file

@ -23,8 +23,18 @@ type kmsDeployment struct {
ImagePullSecret k8s.Secret
}
// KMSConfig is the configuration needed to set up Constellation's key management service.
type KMSConfig struct {
MasterSecret []byte
Salt []byte
KMSURI string
StorageURI string
KeyEncryptionKeyID string
UseExistingKEK bool
}
// NewKMSDeployment creates a new *kmsDeployment to use as the key management system inside Constellation.
func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
func NewKMSDeployment(csp string, config KMSConfig) *kmsDeployment {
return &kmsDeployment{
ServiceAccount: k8s.ServiceAccount{
TypeMeta: meta.TypeMeta{
@ -187,7 +197,11 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
Items: []k8s.KeyToPath{
{
Key: constants.ConstellationMasterSecretKey,
Path: constants.MasterSecretFilename,
Path: constants.ConstellationMasterSecretKey,
},
{
Key: constants.ConstellationMasterSecretSalt,
Path: constants.ConstellationMasterSecretSalt,
},
},
},
@ -228,7 +242,8 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
Namespace: "kube-system",
},
Data: map[string][]byte{
constants.ConstellationMasterSecretKey: masterSecret,
constants.ConstellationMasterSecretKey: config.MasterSecret,
constants.ConstellationMasterSecretSalt: config.Salt,
},
Type: "Opaque",
},

3
bootstrapper/internal/kubernetes/k8sapi/resources/kms_test.go
View file

@ -11,8 +11,7 @@ func TestKMSMarshalUnmarshal(t *testing.T) {
require := require.New(t)
assert := assert.New(t)
testMS := []byte{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8}
kmsDepl := NewKMSDeployment("test", testMS)
kmsDepl := NewKMSDeployment("test", KMSConfig{MasterSecret: []byte{0x0, 0x1, 0x2}, Salt: []byte{0x3, 0x4, 0x5}})
data, err := kmsDepl.Marshal()
require.NoError(err)

12
bootstrapper/internal/kubernetes/kubernetes.go
View file

@ -68,18 +68,10 @@ func New(cloudProvider string, clusterUtil clusterUtil, configProvider configura
}
}
type KMSConfig struct {
MasterSecret []byte
KMSURI string
StorageURI string
KeyEncryptionKeyID string
UseExistingKEK bool
}
// InitCluster initializes a new Kubernetes cluster and applies pod network provider.
func (k *KubeWrapper) InitCluster(
ctx context.Context, autoscalingNodeGroups []string, cloudServiceAccountURI, versionString string,
measurementSalt []byte, kmsConfig KMSConfig, sshUsers map[string]string, log *logger.Logger,
measurementSalt []byte, kmsConfig resources.KMSConfig, sshUsers map[string]string, log *logger.Logger,
) ([]byte, error) {
k8sVersion, err := versions.NewValidK8sVersion(versionString)
if err != nil {
@ -187,7 +179,7 @@ func (k *KubeWrapper) InitCluster(
return nil, fmt.Errorf("setting up pod network: %w", err)
}
kms := resources.NewKMSDeployment(k.cloudProvider, kmsConfig.MasterSecret)
kms := resources.NewKMSDeployment(k.cloudProvider, kmsConfig)
if err = k.clusterUtil.SetupKMS(k.client, kms); err != nil {
return nil, fmt.Errorf("setting up kms: %w", err)
}

2
bootstrapper/internal/kubernetes/kubernetes_test.go
View file

@ -296,7 +296,7 @@ func TestInitCluster(t *testing.T) {
kubeconfigReader: tc.kubeconfigReader,
getIPAddr: func() (string, error) { return privateIP, nil },
}
_, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, KMSConfig{MasterSecret: masterSecret}, nil, logger.NewTest(t))
_, err := kube.InitCluster(context.Background(), autoscalingNodeGroups, serviceAccountURI, string(tc.k8sVersion), nil, resources.KMSConfig{MasterSecret: masterSecret}, nil, logger.NewTest(t))
if tc.wantErr {
assert.Error(err)