kms: rename kms to keyservice
In light of extending our eKMS support, it will be helpful
to use the word "KMS" more precisely.
KMS should refer to the actual component that manages keys.
The keyservice, also called KMS in the constellation code,
does not manage keys itself. It talks to a KMS backend,
which in turn does the actual key management.
derpsteb committed Jan 16, 2023
1 parent 67f8336 commit 90b88e1
Showing 101 changed files with 314 additions and 320 deletions.
2 changes: 1 addition & 1 deletion .github/actions/e2e_mini/run-e2e.sh
Expand Up @@ -56,7 +56,7 @@ kubectl -n kube-system wait --for=condition=Available=True --timeout=180s deploy
# Wait for daemon sets
kubectl -n kube-system rollout status --timeout 180s daemonset cilium
kubectl -n kube-system rollout status --timeout 180s daemonset join-service
kubectl -n kube-system rollout status --timeout 180s daemonset kms
kubectl -n kube-system rollout status --timeout 180s daemonset keyservice
kubectl -n kube-system rollout status --timeout 180s daemonset konnectivity-agent
kubectl -n kube-system rollout status --timeout 180s daemonset verification-service
echo "::endgroup::"
@@ -1,4 +1,4 @@
name: Build and upload KMS image
name: Build and upload KeyService image

on:
workflow_dispatch:
Expand All @@ -7,12 +7,12 @@ on:
- main
- "release/**"
paths:
- "kms/**"
- "keyservice/**"
- "internal/**"
- "!internal/versions/versions.go" # Don't build on version bumps to avoid infinite loops

jobs:
build-kms-server:
build-keyservice:
runs-on: ubuntu-22.04
permissions:
contents: read
Expand All @@ -29,13 +29,13 @@ jobs:
with:
go-version: "1.19.5"

- name: Build and upload KMS server container image
- name: Build and upload KeyService container image
id: build-and-upload
uses: ./.github/actions/build_micro_service
with:
name: kmsserver
name: keyservice
projectVersion: "0.0.0"
dockerfile: kms/Dockerfile
dockerfile: keyservice/Dockerfile
githubToken: ${{ secrets.GITHUB_TOKEN }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
6 changes: 3 additions & 3 deletions .github/workflows/build-micro-service-manual.yml
Expand Up @@ -8,7 +8,7 @@ on:
type: choice
options:
- "join-service"
- "kmsserver"
- "keyservice"
- "verification-service"
- "qemu-metadata-api"
- "filebeat-debugd"
Expand Down Expand Up @@ -80,8 +80,8 @@ jobs:
case "${{ inputs.microService }}" in
"join-service" )
echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;;
"kmsserver" )
echo "microServiceDockerfile=kms/Dockerfile" >> "$GITHUB_ENV" ;;
"keyservice" )
echo "microServiceDockerfile=keyservice/Dockerfile" >> "$GITHUB_ENV" ;;
"verification-service" )
echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;;
"qemu-metadata-api" )
2 changes: 1 addition & 1 deletion CODEOWNERS
Expand Up @@ -36,7 +36,7 @@
/internal/versions @katexochen
/internal/versionsapi @katexochen
/joinservice @daniel-weisse
/kms @daniel-weisse
/keyservice @daniel-weisse
/operators @malt3
/upgrade-agent @3u13r
/verify @daniel-weisse
6 changes: 3 additions & 3 deletions cli/internal/cmd/init.go
Expand Up @@ -33,7 +33,7 @@ import (
"github.com/edgelesssys/constellation/v2/internal/license"
"github.com/edgelesssys/constellation/v2/internal/retry"
"github.com/edgelesssys/constellation/v2/internal/versions"
kms "github.com/edgelesssys/constellation/v2/kms/setup"
keyservice "github.com/edgelesssys/constellation/v2/keyservice/setup"
"github.com/spf13/afero"
"github.com/spf13/cobra"
"google.golang.org/grpc"
Expand Down Expand Up @@ -143,8 +143,8 @@ func (i *initCmd) initialize(cmd *cobra.Command, newDialer func(validator *cloud
req := &initproto.InitRequest{
MasterSecret: masterSecret.Key,
Salt: masterSecret.Salt,
KmsUri: kms.ClusterKMSURI,
StorageUri: kms.NoStoreURI,
KmsUri: keyservice.ClusterKMSURI,
StorageUri: keyservice.NoStoreURI,
KeyEncryptionKeyId: "",
UseExistingKek: false,
CloudServiceAccountUri: serviceAccURI,
Expand Up @@ -4,7 +4,7 @@ description: A chart to deploy all microservices that are part of a valid conste
type: application
version: 2.4.0
dependencies:
- name: kms
- name: keyservice
version: 2.4.0
tags:
- Azure
Expand Up @@ -121,7 +121,7 @@ spec:
- "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
- "--support-zone={{ .Values.node.supportZone }}"
- "--get-node-info-from-labels={{ .Values.linux.getNodeInfoFromLabels }}"
- "--kms-addr=kms.{{ .Values.node.kmsNamespace | default .Release.Namespace }}:{{ .Values.node.kmsPort }}"
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
ports:
- containerPort: {{ .Values.node.livenessProbe.healthPort }}
name: healthz
Expand Up @@ -123,8 +123,10 @@ node:
logLevel: 5
livenessProbe:
healthPort: 29603
kmsPort: "9000"
kmsNamespace: "kube-system"
global:
keyserviceName: "keyservice"
keyservicePort: 9000
keyserviceNamespace: "kube-system"

snapshot:
enabled: false
Expand Up @@ -41,7 +41,7 @@ spec:
- "--v=5"
- "--endpoint=unix:/csi/csi.sock"
- "--run-controller-service=false"
- "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}"
- "--kms-addr={{ .Values.global.keyserviceName }}.{{ .Values.global.keyserviceNamespace | default .Release.Namespace }}:{{ .Values.global.keyservicePort }}"
securityContext:
privileged: true
volumeMounts:
Expand Up @@ -29,8 +29,9 @@ csiController:
replicas: 1
runOnControlPlane: true

csiNode:
kmsPort: "9000"
kmsNamespace: "kube-system"
global:
keyserviceName: "keyservice"
keyservicePort: 9000
keyserviceNamespace: "kube-system"

createStorageClass: true
Expand Up @@ -38,7 +38,7 @@ spec:
image: {{ .Values.image | quote }}
args:
- --cloud-provider={{ .Values.csp }}
- --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }}
- --keyservice-endpoint=keyservice.{{ .Release.Namespace }}:{{ .Values.global.keyservicePort }}
volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config
@@ -0,0 +1,5 @@
apiVersion: v2
name: keyservice
description: A Helm chart to deploy the Constellation KeyService
type: application
version: 2.4.0
Expand Up @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
k8s-app: keyservice
name: keyservice
rules:
- apiGroups:
- ""
@@ -1,12 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
name: keyservice
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
name: keyservice
subjects:
- kind: ServiceAccount
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}
Expand Up @@ -2,25 +2,25 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
component: keyservice
k8s-app: keyservice
kubernetes.io/cluster-service: "true"
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
k8s-app: kms
k8s-app: keyservice
template:
metadata:
labels:
k8s-app: kms
k8s-app: keyservice
spec:
containers:
- name: kms
- name: keyservice
image: {{ .Values.image | quote }}
args:
- --port={{ .Values.global.kmsPort }}
- --port={{ .Values.global.keyservicePort }}
volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config
Expand All @@ -29,7 +29,7 @@ spec:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
serviceAccountName: keyservice
tolerations:
- key: CriticalAddonsOnly
operator: Exists
@@ -1,16 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: grpc
port: {{ .Values.global.kmsPort }}
port: {{ .Values.global.keyservicePort }}
protocol: TCP
targetPort: {{ .Values.global.kmsPort }}
targetPort: {{ .Values.global.keyservicePort }}
selector:
k8s-app: kms
k8s-app: keyservice
type: ClusterIP
status:
loadBalancer: {}
@@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
name: keyservice
namespace: {{ .Release.Namespace }}
Expand Up @@ -4,7 +4,7 @@
"image": {
"description": "Container image to use for the spawned pods.",
"type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
"examples": ["ghcr.io/edgelesssys/constellation/keyservice:latest"]
},
"masterSecret": {
"description": "Secret used to derive key material within the cluster",
@@ -1,6 +1,6 @@
global:
# Port on which the KMS service will listen. Global since join-service also uses the value.
kmsPort: 9000
# Port on which the KeyService will listen. Global since join-service also uses the value.
keyservicePort: 9000
# Path to which secrets/CMs are mounted.
serviceBasePath: /var/config
# Name of the ConfigMap that holds measurements and other info.
31 changes: 9 additions & 22 deletions cli/internal/helm/loader.go
Expand Up @@ -52,7 +52,7 @@ const (
// ChartLoader loads embedded helm charts.
type ChartLoader struct {
joinServiceImage string
kmsImage string
keyserviceImage string
ccmImage string
cnmImage string
autoscalerImage string
Expand All @@ -78,7 +78,7 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion)

return &ChartLoader{
joinServiceImage: versions.JoinImage,
kmsImage: versions.KmsImage,
keyserviceImage: versions.KeyServiceImage,
ccmImage: ccmImage,
cnmImage: cnmImage,
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
Expand Down Expand Up @@ -359,13 +359,14 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
csp := config.GetProvider()
values := map[string]any{
"global": map[string]any{
"kmsPort": constants.KMSPort,
"serviceBasePath": constants.ServiceBasePath,
"joinConfigCMName": constants.JoinConfigMap,
"internalCMName": constants.InternalConfigMap,
"keyservicePort": constants.KeyservicePort,
"keyserviceNamespace": "", // empty namespace means we use the release namespace
"serviceBasePath": constants.ServiceBasePath,
"joinConfigCMName": constants.JoinConfigMap,
"internalCMName": constants.InternalConfigMap,
},
"kms": map[string]any{
"image": i.kmsImage,
"keyservice": map[string]any{
"image": i.keyserviceImage,
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
"salt": base64.StdEncoding.EncodeToString(salt),
"saltKeyName": constants.ConstellationSaltKey,
Expand Down Expand Up @@ -420,13 +421,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
"deployCSIDriver": config.DeployCSIDriver(),
}

values["azuredisk-csi-driver"] = map[string]any{
"node": map[string]any{
"kmsPort": constants.KMSPort,
"kmsNamespace": "", // empty namespace means we use the release namespace
},
}

values["tags"] = map[string]any{
"Azure": true,
}
Expand All @@ -444,13 +438,6 @@ func (i *ChartLoader) loadConstellationServicesValues(config *config.Config, mas
"deployCSIDriver": config.DeployCSIDriver(),
}

values["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
"csiNode": map[string]any{
"kmsPort": constants.KMSPort,
"kmsNamespace": "", // empty namespace means we use the release namespace
},
}

values["tags"] = map[string]any{
"GCP": true,
}
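Review bot: `versions.KeyServiceImage` in the NewLoader hunk and `constants.KeyservicePort` in the loadConstellationServicesValues hunk spell the new name with different capitalisation, and since both identifiers are introduced by this rename the inconsistency will spread as more call sites adopt them; settling on one form (`KeyServiceImage`/`KeyServicePort`, matching the "KeyService" wording used in the workflow names) now is cheaper than later. The new `global` map also sets `keyservicePort` and `keyserviceNamespace` but not `keyserviceName`, so the CSI subcharts appear to fall back to the `keyserviceName: "keyservice"` default in their own values.yaml while the join-service template hardcodes `keyservice.` in `--keyservice-endpoint`; if the Service name in the keyservice chart ever changes, those three places drift apart silently and the CSI and join-service pods lose their key service. Adding `"keyserviceName": "keyservice",` next to `"keyservicePort"` in the global map (ideally sourced from a shared constant) and reading `.Values.global.keyserviceName` in the join-service template would give a single source of truth. Both enclosing functions begin and end outside the visible hunks.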
