* There are now two attestation packages on Azure. The issuer on the server side is created based on successfully querying the idkeydigest from the TPM. Fallback on error: Trusted Launch. * The bootstrapper's issuer choice is validated by the CLI's validator, which is created based on the local config. * Add "azureCVM" field to the new "internal-config" ConfigMap. This field is populated by the bootstrapper. * Group attestation OIDs by CSP (#42) * The bootstrapper now uses the IssuerWrapper type to pass the issuer (and some context info) to the initserver. * Introduce a VMType package akin to cloudprovider. Used by IssuerWrapper. * Extend unit tests. * Remove CSP-specific attestation integration tests Co-authored-by: <dw@edgeless.systems> Signed-off-by: Otto Bittner <cobittner@posteo.net>
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
/*
Package constants contains the constants used by Constellation.
Constants should never be overwritable by command line flags or configuration files.
*/
package constants
import "time"
//
// Constellation.
//
const (
	// ConstellationNameLength is the maximum length of a Constellation's name.
	ConstellationNameLength = 37

	// ConstellationMasterSecretStoreName is the name of the Kubernetes secret
	// that stores the Constellation secrets.
	ConstellationMasterSecretStoreName = "constellation-mastersecret"
	// ConstellationMasterSecretKey is the key under which the master secret is
	// stored inside that Kubernetes secret.
	ConstellationMasterSecretKey = "mastersecret"
	// ConstellationMasterSecretSalt is the key under which the salt is stored
	// inside that Kubernetes secret.
	ConstellationMasterSecretSalt = "salt"
)

//
// Ports.
//
const (
	// JoinServicePort is the port for reaching the join service within Kubernetes.
	JoinServicePort = 9090
	// JoinServiceNodePort is the port for reaching the join service outside of Kubernetes.
	JoinServiceNodePort = 30090

	// VerifyServicePortHTTP and VerifyServicePortGRPC are the in-cluster ports of
	// the verification service; the NodePort variants expose the same endpoints
	// outside of Kubernetes.
	VerifyServicePortHTTP     = 8080
	VerifyServicePortGRPC     = 9090
	VerifyServiceNodePortHTTP = 30080
	VerifyServiceNodePortGRPC = 30081

	// KMSPort is the port the KMS server listens on.
	//
	// NOTE(review): KMSPort, BootstrapperPort and RecoveryPort all use 9000. That
	// is only safe while no two of these servers listen on the same address at the
	// same time — confirm before co-locating any of them.
	KMSPort = 9000
	// BootstrapperPort is the port the bootstrapper listens on.
	BootstrapperPort = 9000
	// KubernetesPort is the port of the Kubernetes API server.
	KubernetesPort = 6443
	// RecoveryPort is the port the recovery server listens on.
	RecoveryPort = 9000

	// EnclaveSSHPort and SSHPort are SSH ports; which component uses which is
	// not visible from this package.
	EnclaveSSHPort = 2222
	SSHPort        = 22
	// NVMEOverTCPPort is the port used for NVMe over TCP.
	NVMEOverTCPPort = 8009
	// DebugdPort is the port of the debug daemon.
	DebugdPort = 4000

	// NodePortFrom and NodePortTo span the default Kubernetes NodePort range, see
	// https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
	NodePortFrom = 30000
	NodePortTo   = 32767
)

//
// Filenames.
//
const (
	// StateFilename is the name of the Constellation state file.
	StateFilename = "constellation-state.json"
	// ClusterIDsFileName is the name of the file holding the cluster IDs.
	ClusterIDsFileName = "constellation-id.json"
	// ConfigFilename is the name of the Constellation configuration file.
	ConfigFilename = "constellation-conf.yaml"
	// LicenseFilename is the name of the license file.
	LicenseFilename = "constellation.license"
	// DebugdConfigFilename is the name of the debugd (cdbg) configuration file.
	DebugdConfigFilename = "cdbg-conf.yaml"
	// AdminConfFilename is the name of the Kubernetes admin configuration written
	// for the user. Presumably holds cluster-admin credentials — callers writing
	// it should use restrictive file permissions.
	AdminConfFilename = "constellation-admin.conf"
	// MasterSecretFilename is the name of the file holding the master secret.
	// Same caveat as AdminConfFilename: this is key material, not configuration.
	MasterSecretFilename = "constellation-mastersecret.json"
	// WGQuickConfigFilename is the name of the wg-quick (WireGuard) configuration file.
	WGQuickConfigFilename = "wg0.conf"
	// CoreOSAdminConfFilename is the on-node path of the kubeadm admin kubeconfig.
	CoreOSAdminConfFilename = "/etc/kubernetes/admin.conf"
	// KubeadmCertificateDir is the on-node directory holding the kubeadm PKI.
	KubeadmCertificateDir = "/etc/kubernetes/pki"
)

//
// Filenames for Constellation's micro services.
//
const (
	// ServiceBasePath is the base path under which the micro services' files are mounted.
	ServiceBasePath = "/var/config"
	// MeasurementsFilename is the filename of the CC measurements.
	MeasurementsFilename = "measurements"
	// EnforcedPCRsFilename is the filename of the list of PCRs that are required
	// to pass attestation.
	EnforcedPCRsFilename = "enforcedPCRs"
	// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
	MeasurementSaltFilename = "measurementSalt"
	// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
	MeasurementSecretFilename = "measurementSecret"
	// IdKeyDigestFilename is the name of the file holding the currently enforced idkeydigest.
	IdKeyDigestFilename = "idkeydigest"
	// EnforceIdKeyDigestFilename is the name of the file configuring whether the
	// idkeydigest is enforced or not.
	//
	// NOTE(review): when enforcement is off, the digest in IdKeyDigestFilename is
	// no longer a hard attestation requirement; the consumer should make that
	// state very visible to operators.
	EnforceIdKeyDigestFilename = "enforceIdKeyDigest"
	// AzureCVM is the name of the file indicating whether the cluster is expected
	// to run on Confidential VMs or not.
	AzureCVM = "azureCVM"
	// K8sVersion is the filename of the mapped "k8s-version" configMap file.
	K8sVersion = "k8s-version"
)

//
// CLI.
//
const (
	// MinControllerCount is the minimum number of control-plane nodes.
	MinControllerCount = 1
	// MinWorkerCount is the minimum number of worker nodes.
	MinWorkerCount = 1
)

//
// Kubernetes.
//
const (
	// KubernetesJoinTokenTTL is the lifetime of a kubeadm join token; keeping it
	// short limits the window in which a leaked token can be used.
	KubernetesJoinTokenTTL = 15 * time.Minute
	// ConstellationNamespace is the namespace Constellation's components live in.
	ConstellationNamespace = "kube-system"
	// JoinConfigMap is the name of the join configuration ConfigMap.
	JoinConfigMap = "join-config"
	// InternalConfigMap is the name of the internal configuration ConfigMap.
	InternalConfigMap = "internal-config"
)

//
// Helm.
//
const (
	// HelmNamespace is the namespace Helm releases are installed into.
	HelmNamespace = "kube-system"
)

//
// Releases.
//
const (
	// S3PublicBucket contains measurements & releases. Releases are signed with
	// CosignPublicKey; content fetched from here should be checked against its
	// signature rather than trusted on the TLS connection alone.
	S3PublicBucket = "https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/"

	// CosignPublicKey signs all our releases. It is the trust anchor for release
	// verification and is compiled in rather than fetched, so changing it means
	// shipping a new binary.
	CosignPublicKey = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
-----END PUBLIC KEY-----`
)
var (
	// VersionInfo is the version of a binary. It is deliberately a package-level
	// variable initialized from a constant string (not a const) so that the build
	// can override it; the default below only appears in builds that do not.
	VersionInfo = "0.0.0"
)