keyservice: use dash in container name (#1016)
Co-authored-by: Otto Bittner <cobittner@posteo.net>
parent
effe797d81
commit
a8cbfd848f
2
.github/actions/e2e_mini/run-e2e.sh
2
.github/actions/e2e_mini/run-e2e.sh
@ -56,7 +56,7 @@ kubectl -n kube-system wait --for=condition=Available=True --timeout=180s deploy
|
||||
# Wait for daemon sets
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset cilium
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset join-service
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset keyservice
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset key-service
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent
|
||||
kubectl -n kube-system rollout status --timeout 180s daemonset verification-service
|
||||
echo "::endgroup::"
|
||||
|
@ -34,7 +34,7 @@ jobs:
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service_ko
|
||||
with:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
koConfig: .ko.yaml
|
||||
koTarget: ./keyservice/cmd
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
2
.github/workflows/build-keyservice-image.yml
2
.github/workflows/build-keyservice-image.yml
@ -33,7 +33,7 @@ jobs:
|
||||
id: build-and-upload
|
||||
uses: ./.github/actions/build_micro_service
|
||||
with:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
projectVersion: "0.0.0"
|
||||
dockerfile: keyservice/Dockerfile
|
||||
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
@ -8,7 +8,7 @@ on:
|
||||
type: choice
|
||||
options:
|
||||
- "join-service"
|
||||
- "keyservice"
|
||||
- "key-service"
|
||||
- "verification-service"
|
||||
- "qemu-metadata-api"
|
||||
- "filebeat-debugd"
|
||||
@ -80,7 +80,7 @@ jobs:
|
||||
case "${{ inputs.microService }}" in
|
||||
"join-service" )
|
||||
echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;;
|
||||
"keyservice" )
|
||||
"key-service" )
|
||||
echo "microServiceDockerfile=keyservice/Dockerfile" >> "$GITHUB_ENV" ;;
|
||||
"verification-service" )
|
||||
echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;;
|
||||
|
6
.github/workflows/release.yml
6
.github/workflows/release.yml
@ -131,7 +131,7 @@ jobs:
|
||||
strategy:
|
||||
matrix:
|
||||
service:
|
||||
[join-service, keyservice, verification-service, qemu-metadata-api]
|
||||
[join-service, key-service, verification-service, qemu-metadata-api]
|
||||
with:
|
||||
microService: ${{ matrix.service }}
|
||||
imageTag: ${{ inputs.version }}
|
||||
@ -178,7 +178,7 @@ jobs:
|
||||
- name: Update Helm Charts
|
||||
run: |
|
||||
yq eval -i ".version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
|
||||
for service in keyservice join-service ccm cnm autoscaler verification-service konnectivity gcp-guest-agent; do
|
||||
for service in key-service join-service ccm cnm autoscaler verification-service konnectivity gcp-guest-agent; do
|
||||
yq eval -i "(.dependencies[] | select(.name == \"${service}\")).version = \"${WITHOUT_V}\"" cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
|
||||
yq eval -i ".version = \"${WITHOUT_V}\"" "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
|
||||
git add "cli/internal/helm/charts/edgeless/constellation-services/charts/${service}/Chart.yaml"
|
||||
@ -194,7 +194,7 @@ jobs:
|
||||
|
||||
- name: Update micro service versions
|
||||
run: |
|
||||
for service in node-operator join-service keyservice verification-service qemu-metadata-api; do
|
||||
for service in node-operator join-service key-service verification-service qemu-metadata-api; do
|
||||
name=ghcr.io/edgelesssys/constellation/${service}
|
||||
digest=$(crane digest "${name}:${VERSION}")
|
||||
sed -i "s#\"${name}:v[0-9]\+\.[0-9]\+\.[0-9]\+[^@]*@sha256:[0-9a-f]\+\"#\"${name}:${VERSION}@${digest}\"#" internal/versions/versions.go
|
||||
|
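Review bot: The `sed -i` at the end of the "Update micro service versions" step now matches on `ghcr.io/edgelesssys/constellation/key-service:v…@sha256:…`, and `sed` exits 0 when the pattern matches nothing, so if `internal/versions/versions.go` still spells the image as `keyservice` the release job passes with a stale digest. That file is not part of this diff; a one-line guard after the sed, `grep -q "${name}:${VERSION}@${digest}" internal/versions/versions.go`, would turn a silent miss into a failed step. The same assumption applies to the Helm loop in the previous hunk: `charts/${service}/Chart.yaml` now has to exist under `charts/key-service`, and this page shows the chart's `name:` change but not the directory rename, so confirm the path before tagging a release.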
@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste
|
||||
type: application
|
||||
version: 2.4.0
|
||||
dependencies:
|
||||
- name: keyservice
|
||||
- name: key-service
|
||||
version: 2.4.0
|
||||
tags:
|
||||
- Azure
|
||||
|
@ -2,4 +2,4 @@ apiVersion: v2
|
||||
appVersion: "v1.1.0"
|
||||
description: Azure disk Container Storage Interface (CSI) Storage Plugin with on-node encryption support
|
||||
name: azuredisk-csi-driver
|
||||
version: v1.1.0
|
||||
version: v1.1.2
|
||||
|
@ -121,7 +121,7 @@ spec:
|
||||
- "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
|
||||
- "--support-zone={{ .Values.node.supportZone }}"
|
||||
- "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}"
|
||||
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
|
||||
- "--kms-addr={{ .Values.global.keyServiceName }}.{{ .Values.global.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.global.keyServicePort }}"
|
||||
ports:
|
||||
- containerPort: {{ .Values.node.livenessProbe.healthPort }}
|
||||
name: healthz
|
||||
|
@ -124,9 +124,9 @@ node:
|
||||
livenessProbe:
|
||||
healthPort: 29603
|
||||
global:
|
||||
keyserviceName: "keyservice"
|
||||
keyservicePort: 9000
|
||||
keyserviceNamespace: "kube-system"
|
||||
keyServiceName: "key-service"
|
||||
keyServicePort: 9000
|
||||
keyServiceNamespace: "kube-system"
|
||||
|
||||
snapshot:
|
||||
enabled: false
|
||||
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v2
|
||||
version: 1.0.1
|
||||
appVersion: "v1.0.1"
|
||||
version: 1.1.0
|
||||
appVersion: "v1.1.2"
|
||||
description: GCP Compute Persistent Disk Container Storage Interface (CSI) Storage Plugin with on-node encryption support
|
||||
name: gcp-compute-persistent-disk-csi-driver
|
||||
|
@ -41,7 +41,7 @@ spec:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
|
||||
- "--kms-addr={{ .Values.global.keyServiceName }}.{{ .Values.global.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.global.keyServicePort }}"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
|
@ -30,8 +30,8 @@ csiController:
|
||||
runOnControlPlane: true
|
||||
|
||||
global:
|
||||
keyserviceName: "keyservice"
|
||||
keyservicePort: 9000
|
||||
keyserviceNamespace: "kube-system"
|
||||
keyServiceName: "key-service"
|
||||
keyServicePort: 9000
|
||||
keyServiceNamespace: "kube-system"
|
||||
|
||||
createStorageClass: true
|
||||
|
@ -38,7 +38,7 @@ spec:
|
||||
image: {{ .Values.image | quote }}
|
||||
args:
|
||||
- --cloud-provider={{ .Values.csp }}
|
||||
- --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }}
|
||||
- --key-service-endpoint=key-service.{{ .Release.Namespace }}:{{ .Values.global.keyServicePort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath | quote }}
|
||||
name: config
|
||||
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v2
|
||||
name: keyservice
|
||||
name: key-service
|
||||
description: A Helm chart to deploy the Constellation KeyService
|
||||
type: application
|
||||
version: 2.4.0
|
@ -0,0 +1,13 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
name: key-service
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: keyservice
|
||||
name: key-service
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
||||
- kind: ServiceAccount
|
||||
name: key-service
|
||||
namespace: {{ .Release.Namespace }}
|
@ -0,0 +1,62 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: key-service
|
||||
k8s-app: key-service
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: key-service
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: key-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
spec:
|
||||
containers:
|
||||
- name: key-service
|
||||
image: {{ .Values.image | quote }}
|
||||
args:
|
||||
- --port={{ .Values.global.keyServicePort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath | quote }}
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: key-service
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: {{ .Values.measurementsFilename | quote }}
|
||||
path: {{ .Values.measurementsFilename | quote }}
|
||||
name: {{ .Values.global.joinConfigCMName | quote }}
|
||||
- secret:
|
||||
items:
|
||||
- key: {{ .Values.masterSecretKeyName | quote }}
|
||||
path: {{ .Values.masterSecretKeyName | quote }}
|
||||
- key: {{ .Values.saltKeyName | quote }}
|
||||
path: {{ .Values.saltKeyName | quote }}
|
||||
name: {{ .Values.masterSecretName | quote }}
|
||||
updateStrategy: {}
|
@ -0,0 +1,16 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: key-service
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- name: grpc
|
||||
port: {{ .Values.global.keyServicePort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.global.keyServicePort }}
|
||||
selector:
|
||||
k8s-app: key-service
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
namespace: {{ .Release.Namespace }}
|
@ -4,7 +4,7 @@
|
||||
"image": {
|
||||
"description": "Container image to use for the spawned pods.",
|
||||
"type": "string",
|
||||
"examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"]
|
||||
"examples": ["ghcr.io/edgelesssys/constellation/key-service:latest"]
|
||||
},
|
||||
"masterSecret": {
|
||||
"description": "Secret used to derive key material within the cluster",
|
@ -1,13 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,62 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: keyservice
|
||||
image: {{ .Values.image | quote }}
|
||||
args:
|
||||
- --port={{ .Values.global.keyservicePort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath | quote }}
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: {{ .Values.measurementsFilename | quote }}
|
||||
path: {{ .Values.measurementsFilename | quote }}
|
||||
name: {{ .Values.global.joinConfigCMName | quote }}
|
||||
- secret:
|
||||
items:
|
||||
- key: {{ .Values.masterSecretKeyName | quote }}
|
||||
path: {{ .Values.masterSecretKeyName | quote }}
|
||||
- key: {{ .Values.saltKeyName | quote }}
|
||||
path: {{ .Values.saltKeyName | quote }}
|
||||
name: {{ .Values.masterSecretName | quote }}
|
||||
updateStrategy: {}
|
@ -1,16 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: keyservice
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- name: grpc
|
||||
port: {{ .Values.global.keyservicePort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.global.keyservicePort }}
|
||||
selector:
|
||||
k8s-app: keyservice
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +0,0 @@
|
||||
apiVersion: v2
|
||||
name: kms
|
||||
description: A Helm chart to deploy the Constellation Key Management Service
|
||||
type: application
|
||||
version: 2.4.0
|
@ -1,6 +1,6 @@
|
||||
global:
|
||||
# Port on which the KeyService will listen. Global since join-service also uses the value.
|
||||
keyservicePort: 9000
|
||||
keyServicePort: 9000
|
||||
# Path to which secrets/CMs are mounted.
|
||||
serviceBasePath: /var/config
|
||||
# Name of the ConfigMap that holds measurements and other info.
|
||||
|
@ -52,7 +52,7 @@ const (
|
||||
// ChartLoader loads embedded helm charts.
|
||||
type ChartLoader struct {
|
||||
joinServiceImage string
|
||||
keyserviceImage string
|
||||
keyServiceImage string
|
||||
ccmImage string
|
||||
cnmImage string
|
||||
autoscalerImage string
|
||||
@ -78,7 +78,7 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion)
|
||||
|
||||
return &ChartLoader{
|
||||
joinServiceImage: versions.JoinImage,
|
||||
keyserviceImage: versions.KeyServiceImage,
|
||||
keyServiceImage: versions.KeyServiceImage,
|
||||
ccmImage: ccmImage,
|
||||
cnmImage: cnmImage,
|
||||
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
|
||||
@ -359,14 +359,14 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
|
||||
csp := config.GetProvider()
|
||||
values := map[string]any{
|
||||
"global": map[string]any{
|
||||
"keyservicePort": constants.KeyservicePort,
|
||||
"keyserviceNamespace": "", // empty namespace means we use the release namespace
|
||||
"keyServicePort": constants.KeyServicePort,
|
||||
"keyServiceNamespace": "", // empty namespace means we use the release namespace
|
||||
"serviceBasePath": constants.ServiceBasePath,
|
||||
"joinConfigCMName": constants.JoinConfigMap,
|
||||
"internalCMName": constants.InternalConfigMap,
|
||||
},
|
||||
"keyservice": map[string]any{
|
||||
"image": i.keyserviceImage,
|
||||
"key-service": map[string]any{
|
||||
"image": i.keyServiceImage,
|
||||
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
|
||||
"salt": base64.StdEncoding.EncodeToString(salt),
|
||||
"saltKeyName": constants.ConstellationSaltKey,
|
||||
|
@ -90,7 +90,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
|
||||
chartLoader := ChartLoader{
|
||||
joinServiceImage: "joinServiceImage",
|
||||
keyserviceImage: "keyserviceImage",
|
||||
keyServiceImage: "keyServiceImage",
|
||||
ccmImage: tc.ccmImage,
|
||||
cnmImage: tc.cnmImage,
|
||||
autoscalerImage: "autoscalerImage",
|
||||
@ -159,7 +159,7 @@ func TestOperators(t *testing.T) {
|
||||
|
||||
chartLoader := ChartLoader{
|
||||
joinServiceImage: "joinServiceImage",
|
||||
keyserviceImage: "keyserviceImage",
|
||||
keyServiceImage: "keyServiceImage",
|
||||
ccmImage: "ccmImage",
|
||||
cnmImage: "cnmImage",
|
||||
autoscalerImage: "autoscalerImage",
|
||||
@ -338,7 +338,7 @@ func prepareGCPValues(values map[string]any) error {
|
||||
|
||||
verificationVals, ok := values["verification-service"].(map[string]any)
|
||||
if !ok {
|
||||
return errors.New("missing 'verification-service' key")
|
||||
return fmt.Errorf("missing 'verification-service' key %v", values)
|
||||
}
|
||||
verificationVals["loadBalancerIP"] = "127.0.0.1"
|
||||
|
||||
|
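Review bot: The new error message at the `verification-service` lookup formats the whole `values` map with `%v`; presumably this is the map built by loadConstellationServicesValues, which this same commit populates with `masterSecret` and `salt` under the `key-service` key, so a failing test would print base64 key material into CI logs. The fixtures here are test data, but the helper is generic and printing the keys carries the same diagnostic value, e.g. `return fmt.Errorf("missing 'verification-service' key in %v", slices.Sorted(maps.Keys(values)))` (Go 1.23 stdlib; a small key-collecting loop does the same on older toolchains). `fmt` has to be imported in this file and `errors` may now be unused; the import block is outside the hunk, and prepareGCPValues itself begins and ends outside the hunk.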
@ -8,7 +8,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@ -21,7 +21,7 @@ spec:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
app: csi-azuredisk-controller
|
||||
spec:
|
||||
serviceAccountName: csi-azuredisk-controller-sa
|
||||
@ -88,8 +88,8 @@ spec:
|
||||
- name: ADDRESS
|
||||
value: /csi/csi.sock
|
||||
volumeMounts:
|
||||
- mountPath: /csi
|
||||
name: socket-dir
|
||||
- mountPath: /csi
|
||||
name: socket-dir
|
||||
resources:
|
||||
limits:
|
||||
memory: 500Mi
|
||||
@ -122,8 +122,8 @@ spec:
|
||||
- "-v=2"
|
||||
- "-leader-election"
|
||||
- "--leader-election-namespace=testNamespace"
|
||||
- '-handle-volume-inuse-error=false'
|
||||
- '-feature-gates=RecoverVolumeExpansionFailure=true'
|
||||
- "-handle-volume-inuse-error=false"
|
||||
- "-feature-gates=RecoverVolumeExpansionFailure=true"
|
||||
- "-timeout=240s"
|
||||
env:
|
||||
- name: ADDRESS
|
||||
|
@ -8,7 +8,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
spec:
|
||||
updateStrategy:
|
||||
rollingUpdate:
|
||||
@ -24,7 +24,7 @@ spec:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
app: csi-azuredisk-node
|
||||
spec:
|
||||
serviceAccountName: csi-azuredisk-node-sa
|
||||
@ -35,11 +35,11 @@ spec:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: type
|
||||
operator: NotIn
|
||||
values:
|
||||
- virtual-kubelet
|
||||
- matchExpressions:
|
||||
- key: type
|
||||
operator: NotIn
|
||||
values:
|
||||
- virtual-kubelet
|
||||
priorityClassName: system-node-critical
|
||||
tolerations:
|
||||
- operator: Exists
|
||||
@ -107,7 +107,7 @@ spec:
|
||||
- "--allow-empty-cloud-config=true"
|
||||
- "--support-zone=true"
|
||||
- "--get-node-info-from-labels=false"
|
||||
- "--kms-addr=keyservice.testNamespace:9000"
|
||||
- "--kms-addr=key-service.testNamespace:9000"
|
||||
ports:
|
||||
- containerPort: 29603
|
||||
name: healthz
|
||||
|
@ -7,7 +7,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
@ -48,7 +48,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-azuredisk-controller-sa
|
||||
@ -69,7 +69,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
@ -100,7 +100,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-azuredisk-controller-sa
|
||||
@ -121,7 +121,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
@ -152,7 +152,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-azuredisk-controller-sa
|
||||
@ -172,7 +172,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
@ -202,7 +202,7 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-azuredisk-controller-sa
|
||||
|
@ -8,4 +8,4 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
|
@ -8,4 +8,4 @@ metadata:
|
||||
app.kubernetes.io/managed-by: "Helm"
|
||||
app.kubernetes.io/name: "azuredisk-csi-driver"
|
||||
app.kubernetes.io/version: "v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.0"
|
||||
helm.sh/chart: "azuredisk-csi-driver-v1.1.2"
|
||||
|
@ -38,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=Azure
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
- --key-service-endpoint=key-service.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -0,0 +1,13 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
name: key-service
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: keyservice
|
||||
name: key-service
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
- kind: ServiceAccount
|
||||
name: key-service
|
||||
namespace: testNamespace
|
@ -0,0 +1,62 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: key-service
|
||||
k8s-app: key-service
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: key-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: key-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
spec:
|
||||
containers:
|
||||
- name: key-service
|
||||
image: keyServiceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: key-service
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: measurements
|
||||
path: measurements
|
||||
name: join-config
|
||||
- secret:
|
||||
items:
|
||||
- key: mastersecret
|
||||
path: mastersecret
|
||||
- key: salt
|
||||
path: salt
|
||||
name: constellation-mastersecret
|
||||
updateStrategy: {}
|
@ -1,16 +1,16 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
- name: grpc
|
||||
port: 9000
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
- name: grpc
|
||||
port: 9000
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: keyservice
|
||||
k8s-app: key-service
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
namespace: testNamespace
|
@ -1,13 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,62 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: measurements
|
||||
path: measurements
|
||||
name: join-config
|
||||
- secret:
|
||||
items:
|
||||
- key: mastersecret
|
||||
path: mastersecret
|
||||
- key: salt
|
||||
path: salt
|
||||
name: constellation-mastersecret
|
||||
updateStrategy: {}
|
@ -41,7 +41,7 @@ spec:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr=keyservice.testNamespace:9000"
|
||||
- "--kms-addr=key-service.testNamespace:9000"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
@ -109,4 +109,4 @@ spec:
|
||||
# See "special case". This will tolerate everything. Node component should
|
||||
# be scheduled on all nodes.
|
||||
tolerations:
|
||||
- operator: Exists
|
||||
- operator: Exists
|
||||
|
@ -38,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=GCP
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
- --key-service-endpoint=key-service.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -0,0 +1,13 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
name: key-service
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: keyservice
|
||||
name: key-service
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
- kind: ServiceAccount
|
||||
name: key-service
|
||||
namespace: testNamespace
|
@ -0,0 +1,62 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: key-service
|
||||
k8s-app: key-service
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: key-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: key-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
spec:
|
||||
containers:
|
||||
- name: key-service
|
||||
image: keyServiceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: key-service
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: measurements
|
||||
path: measurements
|
||||
name: join-config
|
||||
- secret:
|
||||
items:
|
||||
- key: mastersecret
|
||||
path: mastersecret
|
||||
- key: salt
|
||||
path: salt
|
||||
name: constellation-mastersecret
|
||||
updateStrategy: {}
|
@ -1,16 +1,16 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
- name: grpc
|
||||
port: 9000
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
- name: grpc
|
||||
port: 9000
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: keyservice
|
||||
k8s-app: key-service
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
namespace: testNamespace
|
@ -1,13 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,62 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: measurements
|
||||
path: measurements
|
||||
name: join-config
|
||||
- secret:
|
||||
items:
|
||||
- key: mastersecret
|
||||
path: mastersecret
|
||||
- key: salt
|
||||
path: salt
|
||||
name: constellation-mastersecret
|
||||
updateStrategy: {}
|
@ -38,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=QEMU
|
||||
- --keyservice-endpoint=keyservice.testNamespace:9000
|
||||
- --key-service-endpoint=key-service.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -0,0 +1,13 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
name: key-service
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,12 +1,12 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: keyservice
|
||||
name: key-service
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
- kind: ServiceAccount
|
||||
name: key-service
|
||||
namespace: testNamespace
|
@ -0,0 +1,62 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: key-service
|
||||
k8s-app: key-service
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: key-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: key-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: key-service
|
||||
spec:
|
||||
containers:
|
||||
- name: key-service
|
||||
image: keyServiceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: key-service
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: measurements
|
||||
path: measurements
|
||||
name: join-config
|
||||
- secret:
|
||||
items:
|
||||
- key: mastersecret
|
||||
path: mastersecret
|
||||
- key: salt
|
||||
path: salt
|
||||
name: constellation-mastersecret
|
||||
updateStrategy: {}
|
@ -1,16 +1,16 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
- name: grpc
|
||||
port: 9000
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
- name: grpc
|
||||
port: 9000
|
||||
protocol: TCP
|
||||
targetPort: 9000
|
||||
selector:
|
||||
k8s-app: keyservice
|
||||
k8s-app: key-service
|
||||
type: ClusterIP
|
||||
status:
|
||||
loadBalancer: {}
|
@ -1,5 +1,5 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: keyservice
|
||||
name: key-service
|
||||
namespace: testNamespace
|
@ -1,13 +0,0 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
name: keyservice
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
@ -1,62 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: keyservice
|
||||
k8s-app: keyservice
|
||||
kubernetes.io/cluster-service: "true"
|
||||
name: keyservice
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: keyservice
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: keyservice
|
||||
spec:
|
||||
containers:
|
||||
- name: keyservice
|
||||
image: keyserviceImage
|
||||
args:
|
||||
- --port=9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
readOnly: true
|
||||
resources: {}
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
serviceAccountName: keyservice
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
items:
|
||||
- key: measurements
|
||||
path: measurements
|
||||
name: join-config
|
||||
- secret:
|
||||
items:
|
||||
- key: mastersecret
|
||||
path: mastersecret
|
||||
- key: salt
|
||||
path: salt
|
||||
name: constellation-mastersecret
|
||||
updateStrategy: {}
|
@ -48,8 +48,8 @@ download_chart() {
|
||||
|
||||
## GCP CSI Driver
|
||||
# TODO: clone from main branch once we rebase on upstream
|
||||
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.1" "charts" "gcp-compute-persistent-disk-csi-driver"
|
||||
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "v1.1.2" "charts" "gcp-compute-persistent-disk-csi-driver"
|
||||
|
||||
## Azure CSI Driver
|
||||
# TODO: clone from main branch once we rebase on upstream
|
||||
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.1" "charts/edgeless" "azuredisk-csi-driver"
|
||||
download_chart "https://github.com/edgelesssys/constellation-azuredisk-csi-driver" "v1.1.2" "charts/edgeless" "azuredisk-csi-driver"
|
||||
|
@ -46,8 +46,8 @@ const (
|
||||
VerifyServiceNodePortHTTP = 30080
|
||||
// VerifyServiceNodePortGRPC GRPC node port for verification service.
|
||||
VerifyServiceNodePortGRPC = 30081
|
||||
// KeyservicePort is the port the KMS server listens on.
|
||||
KeyservicePort = 9000
|
||||
// KeyServicePort is the port the KMS server listens on.
|
||||
KeyServicePort = 9000
|
||||
// BootstrapperPort port of bootstrapper.
|
||||
BootstrapperPort = 9000
|
||||
// KubernetesPort port for Kubernetes API.
|
||||
|
@ -40,7 +40,7 @@ const vpcIPTimeout = 30 * time.Second
|
||||
|
||||
func main() {
|
||||
provider := flag.String("cloud-provider", "", "cloud service provider this binary is running on")
|
||||
keyserviceEndpoint := flag.String("keyservice-endpoint", "", "endpoint of Constellations key management service")
|
||||
keyServiceEndpoint := flag.String("key-service-endpoint", "", "endpoint of Constellations key management service")
|
||||
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
|
||||
flag.Parse()
|
||||
|
||||
@ -78,7 +78,7 @@ func main() {
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to create kubeadm")
|
||||
}
|
||||
keyserviceClient := kms.New(log.Named("keyserviceClient"), *keyserviceEndpoint)
|
||||
keyServiceClient := kms.New(log.Named("keyServiceClient"), *keyServiceEndpoint)
|
||||
|
||||
measurementSalt, err := handler.Read(filepath.Join(constants.ServiceBasePath, constants.MeasurementSaltFilename))
|
||||
if err != nil {
|
||||
@ -89,7 +89,7 @@ func main() {
|
||||
measurementSalt,
|
||||
kubernetesca.New(log.Named("certificateAuthority"), handler),
|
||||
kubeadm,
|
||||
keyserviceClient,
|
||||
keyServiceClient,
|
||||
log.Named("server"),
|
||||
)
|
||||
if err != nil {
|
||||
|
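Review bot: The old `--keyservice-endpoint` flag is dropped outright rather than kept as a deprecated alias, so any caller still passing the old name is rejected by `flag.Parse()` (the default `flag.CommandLine` exits on an unknown flag) and the join-service fails to start. The test manifest updated in this commit uses the new name, but the deployment templates that pass this flag in real clusters are not in view here and should be confirmed in the same change. If a transition period is wanted, the old name can be bound to the same variable right after the new definition: `flag.StringVar(keyServiceEndpoint, "keyservice-endpoint", "", "deprecated: use --key-service-endpoint")`. The enclosing main continues outside the hunk.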
@ -25,7 +25,7 @@ import (
|
||||
)
|
||||
|
||||
func main() {
|
||||
port := flag.String("port", strconv.Itoa(constants.KeyservicePort), "Port gRPC server listens on")
|
||||
port := flag.String("port", strconv.Itoa(constants.KeyServicePort), "Port gRPC server listens on")
|
||||
masterSecretPath := flag.String("master-secret", filepath.Join(constants.ServiceBasePath, constants.ConstellationMasterSecretKey), "Path to the Constellation master secret")
|
||||
saltPath := flag.String("salt", filepath.Join(constants.ServiceBasePath, constants.ConstellationSaltKey), "Path to the Constellation salt")
|
||||
verbosity := flag.Int("v", 0, logger.CmdLineVerbosityDescription)
|
||||
@ -62,7 +62,7 @@ func main() {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to setup KMS")
|
||||
}
|
||||
|
||||
if err := server.New(log.Named("keyservice"), conKMS).Run(*port); err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to run keyservice server")
|
||||
if err := server.New(log.Named("keyService"), conKMS).Run(*port); err != nil {
|
||||
log.With(zap.Error(err)).Fatalf("Failed to run key-service server")
|
||||
}
|
||||
}
|
||||
|