AB#2200 Merge Owner and Cluster ID (#282)

* Merge Owner and Cluster ID into single value * Remove aTLS from KMS, as it is no longer used for cluster external communication * Update verify command to use cluster-id instead of unique-id flag * Remove owner ID from init output Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-01 11:36:10 -04:00 · 2022-07-26 10:58:39 +02:00 · 2022-07-26 10:58:39 +02:00 · db79784045
commit db79784045
parent 48d614c959
57 changed files with 746 additions and 585 deletions
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice.go
@ -23,7 +23,7 @@ type joinServiceDaemonset struct {
 }

 // NewJoinServiceDaemonset returns a daemonset for the join service.
-func NewJoinServiceDaemonset(csp string, measurementsJSON, idJSON string) *joinServiceDaemonset {
+func NewJoinServiceDaemonset(csp, measurementsJSON string, measurementSalt []byte) *joinServiceDaemonset {
 	return &joinServiceDaemonset{
 		ClusterRole: rbac.ClusterRole{
 			TypeMeta: meta.TypeMeta{
@ -246,8 +246,10 @@ func NewJoinServiceDaemonset(csp string, measurementsJSON, idJSON string) *joinS
 				Namespace: "kube-system",
 			},
 			Data: map[string]string{
-				"measurements": measurementsJSON,
-				"id":           idJSON,
+				constants.MeasurementsFilename: measurementsJSON,
+			},
+			BinaryData: map[string][]byte{
+				constants.MeasurementSaltFilename: measurementSalt,
 			},
 		},
 	}
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice_test.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/joinservice_test.go
@ -8,7 +8,7 @@ import (
 )

 func TestNewJoinServiceDaemonset(t *testing.T) {
-	deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", "idJSON")
+	deployment := NewJoinServiceDaemonset("csp", "measurementsJSON", []byte{0x0, 0x1, 0x2})
 	deploymentYAML, err := deployment.Marshal()
 	require.NoError(t, err)

--- a/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/kms.go
@ -15,8 +15,7 @@ import (

 type kmsDeployment struct {
 	ServiceAccount     k8s.ServiceAccount
-	ServiceInternal    k8s.Service
-	ServiceExternal    k8s.Service
+	Service            k8s.Service
 	ClusterRole        rbac.ClusterRole
 	ClusterRoleBinding rbac.ClusterRoleBinding
 	Deployment         apps.Deployment
@ -37,7 +36,7 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
 				Namespace: "kube-system",
 			},
 		},
-		ServiceInternal: k8s.Service{
+		Service: k8s.Service{
 			TypeMeta: meta.TypeMeta{
 				APIVersion: "v1",
 				Kind:       "Service",
@ -61,31 +60,6 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
 				},
 			},
 		},
-		ServiceExternal: k8s.Service{
-			TypeMeta: meta.TypeMeta{
-				APIVersion: "v1",
-				Kind:       "Service",
-			},
-			ObjectMeta: meta.ObjectMeta{
-				Name:      "kms-external",
-				Namespace: "kube-system",
-			},
-			Spec: k8s.ServiceSpec{
-				Type: k8s.ServiceTypeNodePort,
-				Ports: []k8s.ServicePort{
-					{
-						Name:       "atls",
-						Protocol:   k8s.ProtocolTCP,
-						Port:       constants.KMSATLSPort,
-						TargetPort: intstr.FromInt(constants.KMSATLSPort),
-						NodePort:   constants.KMSNodePort,
-					},
-				},
-				Selector: map[string]string{
-					"k8s-app": "kms",
-				},
-			},
-		},
 		ClusterRole: rbac.ClusterRole{
 			TypeMeta: meta.TypeMeta{
 				APIVersion: "rbac.authorization.k8s.io/v1",
@ -229,9 +203,7 @@ func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
 								Name:  "kms",
 								Image: versions.KmsImage,
 								Args: []string{
-									fmt.Sprintf("--atls-port=%d", constants.KMSATLSPort),
 									fmt.Sprintf("--port=%d", constants.KMSPort),
-									fmt.Sprintf("--cloud-provider=%s", csp),
 								},
 								VolumeMounts: []k8s.VolumeMount{
 									{
--- a/bootstrapper/internal/kubernetes/k8sapi/util.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/util.go
@ -19,7 +19,7 @@ import (

 	"github.com/edgelesssys/constellation/bootstrapper/internal/kubelet"
 	"github.com/edgelesssys/constellation/bootstrapper/internal/kubernetes/k8sapi/resources"
-	"github.com/edgelesssys/constellation/bootstrapper/util"
+	"github.com/edgelesssys/constellation/internal/crypto"
 	"github.com/edgelesssys/constellation/internal/file"
 	"github.com/edgelesssys/constellation/internal/logger"
 	"github.com/edgelesssys/constellation/internal/versions"
@ -455,7 +455,7 @@ func (k *KubernetesUtil) createSignedKubeletCert(nodeName string, ips []net.IP)
 		return err
 	}

-	serialNumber, err := util.GenerateCertificateSerialNumber()
+	serialNumber, err := crypto.GenerateCertificateSerialNumber()
 	if err != nil {
 		return err
 	}