24af06b02f
* deps: update Go dependencies
* bazel: force Gazelle generation for xDS

xDS has an upstream set of build files that makes Gazelle consider their project a whole new Bazel project, which makes Gazelle not generate any build files, even though the upstream ones aren't valid. See https://github.com/cncf/xds/issues/104.

* go: update cel.dev/expr for Bazel fixes

cel.dev/expr had some upstream Bazel fixes in v0.16.2 without which Gazelle doesn't work.

* chore: generate
* e2e: remove references to kubeProxyVersion

kubeProxyVersion is deprecated as of KEP-4004. It was never being set to an accurate value before, and we only used it in the e2e test, so removing the additional check should not hurt here. See https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/4004-deprecate-kube-proxy-version

* constellation-node-operator: use typed rate-limiter

The untyped rate-limiter was deprecated in favor of a generic one that can just be instantiated to `any` to achieve the previous behaviour.

* Advertise ALPN settings in NextProtos required by gRPC

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

* atls: add nextProtos

nextProtos (for ALPN) is now required by gRPC, so add it.

* go: add cri-client replace
* deps: tidy all modules

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Daniel Weiße <dw@edgeless.systems>
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>

Directory contents:
cmd
internal/server
keyserviceproto
README.md
KeyService
The KeyService is one of Constellation's Kubernetes components, responsible for distributing keys and secrets to other services. This includes the JoinService, which contacts the KeyService to derive state disk keys and measurement secrets for newly joining and rejoining nodes, and Constellation's CSI drivers, which contact the KeyService for disk encryption keys.
The service is not exposed outside the cluster, and should be kept for internal usage only.
gRPC API
Keys can be requested through a simple gRPC API based on an ID and key length.
Backends
The KeyService supports multiple backends to store keys and manage crypto operations. The default option holds a master secret in memory. Keys are derived on demand from this secret, and not stored anywhere. Other backends make use of external Key Management Systems (KMS) for key derivation and securing a master secret. When using an external KMS backend, encrypted keys are stored in cloud buckets.
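The derive-on-demand behaviour of the default backend, shown as an added example that is not Constellation's own code: a hypothetical memBackend holds only a master secret and answers a request for an ID and key length by running HKDF-SHA256 (RFC 5869, implemented here over the standard library's HMAC) with the ID as context, so the same request always yields the same key while nothing derived is ever stored. The HKDF choice, the GetDEK name and the master secret are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// memBackend is a hypothetical in-memory backend: it keeps only the
// master secret and derives every key on request, storing none of them.
type memBackend struct {
	masterSecret []byte
}

// hkdfExpand implements HKDF-Expand (RFC 5869) over HMAC-SHA256.
func hkdfExpand(prk, info []byte, length int) ([]byte, error) {
	if length <= 0 || length > 255*sha256.Size {
		return nil, errors.New("invalid key length")
	}
	var out, block []byte
	for i := byte(1); len(out) < length; i++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(block) // T(i-1), empty for the first block
		mac.Write(info)
		mac.Write([]byte{i})
		block = mac.Sum(nil)
		out = append(out, block...)
	}
	return out[:length], nil
}

// GetDEK derives a data encryption key of the requested length for keyID.
// Different IDs give unrelated keys; the same ID always gives the same key.
func (b *memBackend) GetDEK(keyID string, length int) ([]byte, error) {
	if keyID == "" {
		return nil, errors.New("empty key ID")
	}
	// HKDF-Extract with an all-zero salt turns the master secret into a PRK.
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(b.masterSecret)
	prk := ext.Sum(nil)
	return hkdfExpand(prk, []byte("dek:"+keyID), length)
}

func main() {
	// Constructed demo secret; a real deployment would never hard-code one.
	b := &memBackend{masterSecret: []byte("constructed-demo-master-secret")}
	k1, _ := b.GetDEK("state-disk-node-1", 32)
	k2, _ := b.GetDEK("state-disk-node-1", 32)
	fmt.Printf("same ID, same key: %v\n", hmac.Equal(k1, k2))
}
```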