mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-22 21:31:14 -05:00
cfcc0898b2
This is the first step in our migration off of konnectivity. Before node-to-node encryption we used konnectivity to route some KubeAPI to kubelet traffic over the pod network which then would be encrypted. Since we enabled node-to-node encryption this has no security upsides anymore. Note that we still deploy the konnectivity agents via helm and still have the load balancer for konnectivity. In the following releases we will remove both.
281 lines
12 KiB
Go
281 lines
12 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
/*
|
|
Package constants contains the constants used by Constellation.
|
|
Constants should never be overwritable by command line flags or configuration files.
|
|
*/
|
|
package constants
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/semver"
|
|
)
|
|
|
|
const (
|
|
//
|
|
// Constellation.
|
|
//
|
|
|
|
// ConstellationNameLength is the maximum length of a Constellation's name.
|
|
ConstellationNameLength = 37
|
|
// AWSConstellationNameLength is the maximum length of a Constellation's name on AWS.
|
|
AWSConstellationNameLength = 10
|
|
// ConstellationMasterSecretStoreName is the name for the Constellation secrets in Kubernetes.
|
|
ConstellationMasterSecretStoreName = "constellation-mastersecret"
|
|
// ConstellationMasterSecretKey is the name of the key for the master secret in the master secret kubernetes secret.
|
|
ConstellationMasterSecretKey = "mastersecret"
|
|
// ConstellationSaltKey is the name of the key for the salt in the master secret kubernetes secret.
|
|
ConstellationSaltKey = "salt"
|
|
// ConstellationVerifyServiceUserData is the user data that the verification service includes in the attestation.
|
|
ConstellationVerifyServiceUserData = "VerifyService"
|
|
// AttestationVariant is the name of the environment variable that contains the attestation variant.
|
|
AttestationVariant = "CONSTEL_ATTESTATION_VARIANT"
|
|
// DefaultControlPlaneGroupName is the name of the default control plane node group.
|
|
DefaultControlPlaneGroupName = "control_plane_default"
|
|
// DefaultWorkerGroupName is the name of the default worker node group.
|
|
DefaultWorkerGroupName = "worker_default"
|
|
|
|
//
|
|
// Ports.
|
|
//
|
|
|
|
// JoinServicePort is the port for reaching the join service within Kubernetes.
|
|
JoinServicePort = 9090
|
|
// JoinServiceNodePort is the port for reaching the join service outside of Kubernetes.
|
|
JoinServiceNodePort = 30090
|
|
// VerifyServicePortHTTP HTTP port for verification service.
|
|
VerifyServicePortHTTP = 8080
|
|
// VerifyServicePortGRPC GRPC port for verification service.
|
|
VerifyServicePortGRPC = 9090
|
|
// VerifyServiceNodePortHTTP HTTP node port for verification service.
|
|
VerifyServiceNodePortHTTP = 30080
|
|
// VerifyServiceNodePortGRPC GRPC node port for verification service.
|
|
VerifyServiceNodePortGRPC = 30081
|
|
// KeyServicePort is the port the KMS server listens on.
|
|
KeyServicePort = 9000
|
|
// BootstrapperPort port of bootstrapper.
|
|
BootstrapperPort = 9000
|
|
// KubernetesPort port for Kubernetes API.
|
|
KubernetesPort = 6443
|
|
// RecoveryPort port for Constellation recovery server.
|
|
RecoveryPort = 9999
|
|
// DebugdPort port for debugd process.
|
|
DebugdPort = 4000
|
|
|
|
//
|
|
// Filenames.
|
|
//
|
|
|
|
// StateFilename filename that contains the entire state of the Constellation cluster.
|
|
StateFilename = "constellation-state.yaml"
|
|
// ConfigFilename filename of Constellation config file.
|
|
ConfigFilename = "constellation-conf.yaml"
|
|
// LicenseFilename filename of Constellation license file.
|
|
LicenseFilename = "constellation.license"
|
|
// AdminConfFilename filename of KubeConfig for admin access to Constellation.
|
|
AdminConfFilename = "constellation-admin.conf"
|
|
// MasterSecretFilename filename of Constellation mastersecret.
|
|
MasterSecretFilename = "constellation-mastersecret.json"
|
|
// TerraformWorkingDir is the directory name for the TerraformClient workspace.
|
|
TerraformWorkingDir = "constellation-terraform"
|
|
// TerraformIAMWorkingDir is the directory name for the Terraform IAM Client workspace.
|
|
TerraformIAMWorkingDir = "constellation-iam-terraform"
|
|
// GCPServiceAccountKeyFilename is the file name for the GCP service account key file.
|
|
GCPServiceAccountKeyFilename = "gcpServiceAccountKey.json"
|
|
// ErrorLog file which contains server errors during init.
|
|
ErrorLog = "constellation-cluster.log"
|
|
// ControlPlaneAdminConfFilename filepath to control plane kubernetes admin config.
|
|
ControlPlaneAdminConfFilename = "/etc/kubernetes/admin.conf"
|
|
// KubectlPath path to kubectl binary.
|
|
KubectlPath = "/run/state/bin/kubectl"
|
|
// UpgradeAgentSocketPath is the path to the UDS that is used for the gRPC connection to the upgrade agent.
|
|
UpgradeAgentSocketPath = "/run/constellation-upgrade-agent.sock"
|
|
// UpgradeAgentMountPath is the path inside the operator container where the UDS is mounted.
|
|
UpgradeAgentMountPath = "/etc/constellation-upgrade-agent.sock"
|
|
// CniPluginsDir path directory for CNI plugins.
|
|
CniPluginsDir = "/opt/cni/bin"
|
|
// BinDir install path for CNI config.
|
|
BinDir = "/run/state/bin"
|
|
// KubeadmPath install path for kubeadm.
|
|
KubeadmPath = "/run/state/bin/kubeadm"
|
|
// KubeletPath install path for kubelet.
|
|
KubeletPath = "/run/state/bin/kubelet"
|
|
|
|
//
|
|
// Filenames for Constellation's micro services.
|
|
//
|
|
|
|
// ServiceBasePath is the base path for the mounted micro service's files.
|
|
ServiceBasePath = "/var/config"
|
|
// AttestationConfigFilename is the filename of the config used for CC validation.
|
|
AttestationConfigFilename = "attestationConfig"
|
|
// MeasurementSaltFilename is the filename of the salt used in creation of the clusterID.
|
|
MeasurementSaltFilename = "measurementSalt"
|
|
// MeasurementSecretFilename is the filename of the secret used in creation of the clusterID.
|
|
MeasurementSecretFilename = "measurementSecret"
|
|
|
|
// K8sVersionFieldName is the name of the of the key holding the wanted Kubernetes version.
|
|
K8sVersionFieldName = "cluster-version"
|
|
// ComponentsListKey is the name of the key holding the list of components in the components configMap.
|
|
ComponentsListKey = "components"
|
|
// SevSnpCertCacheConfigMapName is the name of the configMap holding the SEV-SNP certificate cache in the join service.
|
|
SevSnpCertCacheConfigMapName = "sev-snp-cert-cache"
|
|
// CertCacheAskKey is the name of the key holding the ASK certificate in the SEV-SNP certificate cache.
|
|
CertCacheAskKey = "ask"
|
|
// CertCacheArkKey is the name of the key holding the ARK certificate in the SEV-SNP certificate cache.
|
|
CertCacheArkKey = "ark"
|
|
// NodeVersionResourceName resource name used for NodeVersion in constellation-operator and CLI.
|
|
NodeVersionResourceName = "constellation-version"
|
|
// NodeKubernetesComponentsAnnotationKey is the name of the annotation holding the reference to the ConfigMap listing all K8s components.
|
|
NodeKubernetesComponentsAnnotationKey = "constellation.edgeless.systems/kubernetes-components"
|
|
// JoiningNodesConfigMapName is the name of the configMap holding the joining nodes with the components hashes the node-operator should annotate the nodes with.
|
|
JoiningNodesConfigMapName = "joining-nodes"
|
|
|
|
//
|
|
// CLI.
|
|
//
|
|
|
|
// MinControllerCount is the minimum number of control nodes.
|
|
MinControllerCount = 1
|
|
// MinWorkerCount is the minimum number of worker nodes.
|
|
MinWorkerCount = 1
|
|
// EnvVarPrefix is expected prefix for environment variables used to overwrite config parameters.
|
|
EnvVarPrefix = "CONSTELL_"
|
|
// EnvVarAzureClientSecretValue is environment variable to overwrite
|
|
// provider.azure.clientSecretValue .
|
|
EnvVarAzureClientSecretValue = EnvVarPrefix + "AZURE_CLIENT_SECRET_VALUE"
|
|
// EnvVarOpenStackPassword is environment variable to overwrite
|
|
// provider.openstack.password .
|
|
EnvVarOpenStackPassword = EnvVarPrefix + "OS_PASSWORD"
|
|
// EnvVarNoSpinner is environment variable used to disable the loading indicator (spinner)
|
|
// displayed in Constellation CLI. Any non-empty value, e.g., CONSTELL_NO_SPINNER=1,
|
|
// can be used to disable the spinner.
|
|
EnvVarNoSpinner = EnvVarPrefix + "NO_SPINNER"
|
|
// MiniConstellationUID is a sentinel value for the UID of a mini constellation.
|
|
MiniConstellationUID = "mini"
|
|
// TerraformLogFile is the file name of the Terraform log file.
|
|
TerraformLogFile = "terraform.log"
|
|
// TerraformUpgradeWorkingDir is the directory name for the Terraform workspace being used in an upgrade.
|
|
TerraformUpgradeWorkingDir = "terraform"
|
|
// TerraformIAMUpgradeWorkingDir is the directory name for the Terraform IAM workspace being used in an upgrade.
|
|
TerraformIAMUpgradeWorkingDir = "terraform-iam"
|
|
// TerraformUpgradeBackupDir is the directory name being used to backup the pre-upgrade state in an upgrade.
|
|
TerraformUpgradeBackupDir = "terraform-backup"
|
|
// TerraformIAMUpgradeBackupDir is the directory name being used to backup the pre-upgrade state of iam in an upgrade.
|
|
TerraformIAMUpgradeBackupDir = "terraform-iam-backup"
|
|
// TerraformEmbeddedDir is the name of the base directory embedded in the CLI binary containing the Terraform files.
|
|
TerraformEmbeddedDir = "infrastructure"
|
|
// UpgradeDir is the name of the directory being used for cluster upgrades.
|
|
UpgradeDir = "constellation-upgrade"
|
|
// ControlPlaneDefault is the name of the default control plane worker group.
|
|
ControlPlaneDefault = "control_plane_default"
|
|
// WorkerDefault is the name of the default worker group.
|
|
WorkerDefault = "worker_default"
|
|
|
|
//
|
|
// Kubernetes.
|
|
//
|
|
|
|
// KubernetesJoinTokenTTL time to live for Kubernetes join token.
|
|
KubernetesJoinTokenTTL = 15 * time.Minute
|
|
// ConstellationNamespace namespace to deploy Constellation components into.
|
|
ConstellationNamespace = "kube-system"
|
|
// JoinConfigMap k8s config map with node join config.
|
|
JoinConfigMap = "join-config"
|
|
// InternalConfigMap k8s config map with internal Constellation config.
|
|
InternalConfigMap = "internal-config"
|
|
// KubeadmConfigMap k8s config map with kubeadm config
|
|
// (holds ClusterConfiguration).
|
|
KubeadmConfigMap = "kubeadm-config"
|
|
// ClusterConfigurationKey key in kubeadm config map with ClusterConfiguration.
|
|
ClusterConfigurationKey = "ClusterConfiguration"
|
|
|
|
//
|
|
// Helm.
|
|
//
|
|
|
|
// HelmNamespace namespace for helm charts.
|
|
HelmNamespace = "kube-system"
|
|
|
|
//
|
|
// Releases.
|
|
//
|
|
|
|
// CDNRepositoryURL is the base URL of the Constellation CDN artifact repository.
|
|
CDNRepositoryURL = "https://cdn.confidential.cloud"
|
|
// CDNAPIBase is the (un-versioned) prefix of the Constellation API.
|
|
CDNAPIBase = "constellation"
|
|
// CDNAPIPrefix is the prefix of the Constellation API (V1).
|
|
CDNAPIPrefix = CDNAPIBase + "/v1"
|
|
// CDNAPIPrefixV2 is the prefix of the Constellation API (v2).
|
|
CDNAPIPrefixV2 = CDNAPIBase + "/v2"
|
|
// CDNAttestationConfigPrefixV1 is the prefix of the Constellation AttestationConfig API (v1).
|
|
CDNAttestationConfigPrefixV1 = CDNAPIPrefix + "/attestation"
|
|
// CDNMeasurementsFile is name of file containing image measurements.
|
|
CDNMeasurementsFile = "measurements.json"
|
|
// CDNMeasurementsSignature is name of file containing signature for CDNMeasurementsFile.
|
|
CDNMeasurementsSignature = "measurements.json.sig"
|
|
// CDNDefaultDistributionID is the default CloudFront distribution ID to use.
|
|
CDNDefaultDistributionID = "E1H77EZTHC3NE4"
|
|
|
|
//
|
|
// PKI.
|
|
//
|
|
|
|
// CosignPublicKeyReleases signs all our releases.
|
|
CosignPublicKeyReleases = `-----BEGIN PUBLIC KEY-----
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
|
|
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
|
|
-----END PUBLIC KEY-----
|
|
`
|
|
// CosignPublicKeyDev signs all our development builds.
|
|
CosignPublicKeyDev = `-----BEGIN PUBLIC KEY-----
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELcPl4Ik+qZuH4K049wksoXK/Os3Z
|
|
b92PDCpM7FZAINQF88s1TZS/HmRXYk62UJ4eqPduvUnJmXhNikhLbMi6fw==
|
|
-----END PUBLIC KEY-----
|
|
`
|
|
)
|
|
|
|
// BinaryVersion returns the version of this Binary.
|
|
func BinaryVersion() semver.Semver {
|
|
version, err := semver.New(versionInfo)
|
|
if err != nil {
|
|
// This is not user input, unrecoverable, should never happen.
|
|
panic(fmt.Sprintf("parsing embedded version information: %s", err))
|
|
}
|
|
|
|
return version
|
|
}
|
|
|
|
// Timestamp returns the commit timestamp of a binary.
|
|
func Timestamp() string {
|
|
return timestamp
|
|
}
|
|
|
|
// Commit returns the commit hash of a binary.
|
|
func Commit() string {
|
|
return commit
|
|
}
|
|
|
|
// State returns the git state of the working directory.
|
|
func State() string {
|
|
return state
|
|
}
|
|
|
|
var (
|
|
// versionInfo is the version of a binary. Left as a separate variable to allow override during build.
|
|
versionInfo = "0.0.0"
|
|
// timestamp is the commit timestamp of a binary. Left as a separate variable to allow override during build.
|
|
timestamp = "1970-01-01T00:00:00Z"
|
|
// commit is the commit hash of a binary. Left as a separate variable to allow override during build.
|
|
commit = "0000000000000000000000000000000000000000"
|
|
// state is the git state of the working directory. Left as a separate variable to allow override during build.
|
|
state = "unknown"
|
|
)
|