Add aTLS endpoint to KMS (#236)
* Move file watcher and validator to internal * Add aTLS endpoint to KMS for Kubernetes external requests * Update Go version in Dockerfiles * Move most KMS packages to internal Signed-off-by: Daniel Weiße <dw@edgeless.systems>
parent
042f668d20
commit
f9a581f329
66 changed files with 550 additions and 355 deletions
|
@ -138,7 +138,7 @@ func NewActivationDaemonset(csp, measurementsJSON, idJSON string) *activationDae
|
|||
Image: activationImage,
|
||||
Ports: []k8s.ContainerPort{
|
||||
{
|
||||
ContainerPort: 9090,
|
||||
ContainerPort: constants.ActivationServicePort,
|
||||
Name: "tcp",
|
||||
},
|
||||
},
|
||||
|
@ -148,13 +148,12 @@ func NewActivationDaemonset(csp, measurementsJSON, idJSON string) *activationDae
|
|||
Args: []string{
|
||||
fmt.Sprintf("--cloud-provider=%s", csp),
|
||||
fmt.Sprintf("--kms-endpoint=kms.kube-system:%d", constants.KMSPort),
|
||||
"--v=5",
|
||||
},
|
||||
VolumeMounts: []k8s.VolumeMount{
|
||||
{
|
||||
Name: "config",
|
||||
ReadOnly: true,
|
||||
MountPath: constants.ActivationBasePath,
|
||||
MountPath: constants.ServiceBasePath,
|
||||
},
|
||||
{
|
||||
Name: "kubeadm",
|
||||
|
|
|
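Review bot: The KMS address handed to the activation daemonset is built from a hard-coded DNS name plus a constant port, `fmt.Sprintf("--kms-endpoint=kms.kube-system:%d", constants.KMSPort)`, while the KMS side of this commit renames its service field to ServiceInternal and adds a second, external service; the actual Service name it targets is outside this hunk, so if that service was renamed too, the daemonset would silently point at a non-existent host. It would be safer to derive the host from a shared constant next to KMSPort (for example a `constants.KMSEndpoint`-style value, name to be chosen) so that both manifests cannot drift apart. The enclosing NewActivationDaemonset body starts and ends outside the hunk.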
@ -14,7 +14,8 @@ import (
|
|||
|
||||
type kmsDeployment struct {
|
||||
ServiceAccount k8s.ServiceAccount
|
||||
Service k8s.Service
|
||||
ServiceInternal k8s.Service
|
||||
ServiceExternal k8s.Service
|
||||
ClusterRole rbac.ClusterRole
|
||||
ClusterRoleBinding rbac.ClusterRoleBinding
|
||||
Deployment apps.Deployment
|
||||
|
@ -23,7 +24,7 @@ type kmsDeployment struct {
|
|||
}
|
||||
|
||||
// NewKMSDeployment creates a new *kmsDeployment to use as the key management system inside Constellation.
|
||||
func NewKMSDeployment(masterSecret []byte) *kmsDeployment {
|
||||
func NewKMSDeployment(csp string, masterSecret []byte) *kmsDeployment {
|
||||
return &kmsDeployment{
|
||||
ServiceAccount: k8s.ServiceAccount{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
|
@ -35,7 +36,7 @@ func NewKMSDeployment(masterSecret []byte) *kmsDeployment {
|
|||
Namespace: "kube-system",
|
||||
},
|
||||
},
|
||||
Service: k8s.Service{
|
||||
ServiceInternal: k8s.Service{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
APIVersion: "v1",
|
||||
Kind: "Service",
|
||||
|
@ -59,6 +60,31 @@ func NewKMSDeployment(masterSecret []byte) *kmsDeployment {
|
|||
},
|
||||
},
|
||||
},
|
||||
ServiceExternal: k8s.Service{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
APIVersion: "v1",
|
||||
Kind: "Service",
|
||||
},
|
||||
ObjectMeta: meta.ObjectMeta{
|
||||
Name: "kms-external",
|
||||
Namespace: "kube-system",
|
||||
},
|
||||
Spec: k8s.ServiceSpec{
|
||||
Type: k8s.ServiceTypeNodePort,
|
||||
Ports: []k8s.ServicePort{
|
||||
{
|
||||
Name: "atls",
|
||||
Protocol: k8s.ProtocolTCP,
|
||||
Port: constants.KMSATLSPort,
|
||||
TargetPort: intstr.FromInt(constants.KMSATLSPort),
|
||||
NodePort: constants.KMSNodePort,
|
||||
},
|
||||
},
|
||||
Selector: map[string]string{
|
||||
"k8s-app": "kms",
|
||||
},
|
||||
},
|
||||
},
|
||||
ClusterRole: rbac.ClusterRole{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
APIVersion: "rbac.authorization.k8s.io/v1",
|
||||
|
@ -161,14 +187,35 @@ func NewKMSDeployment(masterSecret []byte) *kmsDeployment {
|
|||
},
|
||||
Volumes: []k8s.Volume{
|
||||
{
|
||||
Name: "mastersecret",
|
||||
Name: "config",
|
||||
VolumeSource: k8s.VolumeSource{
|
||||
Secret: &k8s.SecretVolumeSource{
|
||||
SecretName: constants.ConstellationMasterSecretStoreName,
|
||||
Items: []k8s.KeyToPath{
|
||||
Projected: &k8s.ProjectedVolumeSource{
|
||||
Sources: []k8s.VolumeProjection{
|
||||
{
|
||||
Key: constants.ConstellationMasterSecretKey,
|
||||
Path: "constellation-mastersecret.base64",
|
||||
ConfigMap: &k8s.ConfigMapProjection{
|
||||
LocalObjectReference: k8s.LocalObjectReference{
|
||||
Name: "activation-config",
|
||||
},
|
||||
Items: []k8s.KeyToPath{
|
||||
{
|
||||
Key: constants.MeasurementsFilename,
|
||||
Path: constants.MeasurementsFilename,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
Secret: &k8s.SecretProjection{
|
||||
LocalObjectReference: k8s.LocalObjectReference{
|
||||
Name: constants.ConstellationMasterSecretStoreName,
|
||||
},
|
||||
Items: []k8s.KeyToPath{
|
||||
{
|
||||
Key: constants.ConstellationMasterSecretKey,
|
||||
Path: constants.MasterSecretFilename,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -181,14 +228,15 @@ func NewKMSDeployment(masterSecret []byte) *kmsDeployment {
|
|||
Name: "kms",
|
||||
Image: kmsImage,
|
||||
Args: []string{
|
||||
fmt.Sprintf("--atls-port=%d", constants.KMSATLSPort),
|
||||
fmt.Sprintf("--port=%d", constants.KMSPort),
|
||||
"--v=5",
|
||||
fmt.Sprintf("--cloud-provider=%s", csp),
|
||||
},
|
||||
VolumeMounts: []k8s.VolumeMount{
|
||||
{
|
||||
Name: "mastersecret",
|
||||
Name: "config",
|
||||
ReadOnly: true,
|
||||
MountPath: "/constellation/",
|
||||
MountPath: constants.ServiceBasePath,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
|
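Review bot: The new ServiceExternal in the `@ -59,6 +60,31 @@` hunk is a NodePort service (`Type: k8s.ServiceTypeNodePort`, `NodePort: constants.KMSNodePort`), which publishes the KMS aTLS port on every node's address to anything that can reach the node network, and nothing in the manifest says what gates that traffic. The only control left is the attested TLS handshake itself, and the hunk does not show which validator the `--atls-port` listener is wired to, so that should be confirmed in the KMS main; a comment on the field would make the trust boundary explicit, e.g. `// ServiceExternal exposes the aTLS port via NodePort; callers are authenticated by remote attestation in the aTLS handshake, not by network position.` In the `@ -23,7 +24,7 @@` hunk the signature gains a csp parameter but the doc comment still reads `// NewKMSDeployment creates a new *kmsDeployment to use as the key management system inside Constellation.` without describing it; a short addition such as `// csp selects the cloud provider passed to the KMS via --cloud-provider.` keeps the comment accurate. Both hunks belong to NewKMSDeployment, whose body continues outside the hunks.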
@ -12,7 +12,7 @@ func TestKMSMarshalUnmarshal(t *testing.T) {
|
|||
assert := assert.New(t)
|
||||
|
||||
testMS := []byte{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8}
|
||||
kmsDepl := NewKMSDeployment(testMS)
|
||||
kmsDepl := NewKMSDeployment("test", testMS)
|
||||
data, err := kmsDepl.Marshal()
|
||||
require.NoError(err)
|
||||
|
||||
|
|