constellation/internal/constants/constants.go
Otto Bittner 405db3286e AB#2386: TrustedLaunch support for azure attestation
* There are now two attestation packages on azure.
The issuer on the server side is created based on successfully
querying the idkeydigest from the TPM. Fallback on error: Trusted Launch.
* The bootstrapper's issuer choice is validated by the CLI's validator,
which is created based on the local config.
* Add "azureCVM" field to new "internal-config" cm.
This field is populated by the bootstrapper.
* Group attestation OIDs by CSP (#42)
* Bootstrapper now uses IssuerWrapper type to pass
the issuer (and some context info) to the initserver.
* Introduce VMType package akin to cloudprovider. Used by
IssuerWrapper.
* Extend unittests.
* Remove CSP specific attestation integration tests

Co-authored-by: <dw@edgeless.systems>
Signed-off-by: Otto Bittner <cobittner@posteo.net>
2022-09-05 12:03:48 +02:00


/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
/*
Package constants contains the constants used by Constellation.
Constants should never be overwritable by command line flags or configuration files.
*/
package constants
import "time"
// Constellation-wide identifiers.
const (
	// ConstellationNameLength is the maximum length of a Constellation's name.
	ConstellationNameLength = 37

	// ConstellationMasterSecretStoreName is the name of the Kubernetes secret holding the Constellation secrets.
	ConstellationMasterSecretStoreName = "constellation-mastersecret"
	// ConstellationMasterSecretKey is the key of the master secret within the master secret store secret.
	ConstellationMasterSecretKey = "mastersecret"
	// ConstellationMasterSecretSalt is the key of the salt within the master secret store secret.
	ConstellationMasterSecretSalt = "salt"
)

// Ports. Several services share the value 9000 (KMSPort, BootstrapperPort, RecoveryPort);
// this looks deliberate (they serve at different phases of the node lifecycle) but is not
// documented here — confirm before relying on it.
const (
	// JoinServicePort is the port for reaching the join service within Kubernetes.
	JoinServicePort = 9090
	// JoinServiceNodePort is the port for reaching the join service from outside Kubernetes.
	JoinServiceNodePort = 30090

	// VerifyServicePortHTTP is the HTTP port of the verification service within Kubernetes.
	VerifyServicePortHTTP = 8080
	// VerifyServicePortGRPC is the gRPC port of the verification service within Kubernetes.
	VerifyServicePortGRPC = 9090
	// VerifyServiceNodePortHTTP is the NodePort exposing the verification service's HTTP endpoint.
	VerifyServiceNodePortHTTP = 30080
	// VerifyServiceNodePortGRPC is the NodePort exposing the verification service's gRPC endpoint.
	VerifyServiceNodePortGRPC = 30081

	// KMSPort is the port the KMS server listens on.
	KMSPort = 9000
	// BootstrapperPort is the port the bootstrapper listens on (same value as KMSPort).
	BootstrapperPort = 9000
	// KubernetesPort is the port of the Kubernetes API server.
	KubernetesPort = 6443
	// RecoveryPort is the port used for cluster recovery (same value as KMSPort).
	RecoveryPort = 9000

	// EnclaveSSHPort is the SSH port used inside the enclave.
	EnclaveSSHPort = 2222
	// SSHPort is the standard SSH port.
	SSHPort = 22
	// NVMEOverTCPPort is the port used for NVMe over TCP.
	NVMEOverTCPPort = 8009
	// DebugdPort is the port the debug daemon listens on.
	DebugdPort = 4000

	// NodePortFrom and NodePortTo span the default Kubernetes NodePort range.
	// https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
	NodePortFrom = 30000
	NodePortTo   = 32767
)

// Filenames used by the CLI and on nodes.
const (
	// StateFilename is the file the CLI writes its cluster state to.
	StateFilename = "constellation-state.json"
	// ClusterIDsFileName is the file holding the cluster's IDs.
	ClusterIDsFileName = "constellation-id.json"
	// ConfigFilename is the CLI's configuration file.
	ConfigFilename = "constellation-conf.yaml"
	// LicenseFilename is the license file read by the CLI.
	LicenseFilename = "constellation.license"
	// DebugdConfigFilename is the configuration file of the debug daemon.
	DebugdConfigFilename = "cdbg-conf.yaml"
	// AdminConfFilename is the kubeconfig the CLI writes for the cluster administrator.
	AdminConfFilename = "constellation-admin.conf"
	// MasterSecretFilename is the file the master secret is stored in locally.
	// It grants access to the cluster's key material and must be handled as a secret.
	MasterSecretFilename = "constellation-mastersecret.json"
	// WGQuickConfigFilename is the WireGuard (wg-quick) configuration file.
	WGQuickConfigFilename = "wg0.conf"
	// CoreOSAdminConfFilename is the absolute path of the kubeadm admin kubeconfig on a node.
	CoreOSAdminConfFilename = "/etc/kubernetes/admin.conf"
	// KubeadmCertificateDir is the absolute path of kubeadm's PKI directory on a node.
	KubeadmCertificateDir = "/etc/kubernetes/pki"
)

// Filenames for Constellation's micro services, relative to ServiceBasePath.
const (
	// ServiceBasePath is the base path for the mounted micro service's files.
	ServiceBasePath = "/var/config"
	// MeasurementsFilename is the filename of CC measurements.
	MeasurementsFilename = "measurements"
	// EnforcedPCRsFilename is the filename for the list of PCRs that are required to pass attestation.
	EnforcedPCRsFilename = "enforcedPCRs"
	// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
	MeasurementSaltFilename = "measurementSalt"
	// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
	MeasurementSecretFilename = "measurementSecret"
	// IdKeyDigestFilename is the name of the file holding the currently enforced idkeydigest.
	IdKeyDigestFilename = "idkeydigest"
	// EnforceIdKeyDigestFilename is the name of the file configuring whether idkeydigest is enforced or not.
	// When enforcement is off, an attestation with a non-matching idkeydigest is not rejected on that basis.
	EnforceIdKeyDigestFilename = "enforceIdKeyDigest"
	// AzureCVM is the name of the file indicating whether the cluster is expected to run on CVMs or not.
	AzureCVM = "azureCVM"
	// K8sVersion is the filename of the mapped "k8s-version" configMap file.
	K8sVersion = "k8s-version"
)

// CLI limits.
const (
	// MinControllerCount is the minimum number of control-plane nodes.
	MinControllerCount = 1
	// MinWorkerCount is the minimum number of worker nodes.
	MinWorkerCount = 1
)

// Kubernetes and Helm.
const (
	// KubernetesJoinTokenTTL bounds the lifetime of a kubeadm join token.
	KubernetesJoinTokenTTL = 15 * time.Minute
	// ConstellationNamespace is the namespace Constellation's own resources live in.
	ConstellationNamespace = "kube-system"
	// JoinConfigMap is the name of the join-service config map.
	JoinConfigMap = "join-config"
	// InternalConfigMap is the name of the internal config map (e.g. populated by the bootstrapper).
	InternalConfigMap = "internal-config"
	// HelmNamespace is the namespace Helm releases are installed into.
	HelmNamespace = "kube-system"
)

// Releases and their trust anchor.
const (
	// S3PublicBucket contains measurements & releases. Artifacts fetched from here are
	// authenticated by their Cosign signature (CosignPublicKey), not by the transport alone.
	S3PublicBucket = "https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/"
	// CosignPublicKey signs all our releases. It is the root of trust for release
	// verification: any change to it changes which signatures are accepted and must be
	// reviewed as a security-sensitive change.
	CosignPublicKey = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
-----END PUBLIC KEY-----`
)
var (
	// VersionInfo is the version of a binary. It is a variable rather than a
	// constant so the build can override it (typically via the linker's -X flag);
	// the default "0.0.0" marks a binary built without version information.
	VersionInfo = "0.0.0"
)