deployment chagnes to run kmra plugin

.gitignore

@@ -31,3 +31,4 @@ enclave-config/privatekey.pem
 *~
 charts/crds
 tcs-issuer*.tgz
+config/manager/kmra/.*

Makefile

@@ -97,12 +97,13 @@ install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
-deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	cd config/manager && $(KUSTOMIZE) edit set image tcs-issuer=${IMG}
+set-image: kustomize
+	cd config/manager && $(KUSTOMIZE) edit set image tcs-issuer=${IMG} && $(KUSTOMIZE) edit set image kmra-plugin=${IMG}
+
+deploy: manifests kustomize set-image ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
-deploy-manifests: manifests kustomize
-	cd config/manager && $(KUSTOMIZE) edit set image tcs-issuer=${IMG}
+deploy-manifests: manifests kustomize set-image
 	mkdir -p deployment && $(KUSTOMIZE) build config/default -o deployment/tcs_issuer.yaml
 	mkdir -p deployment/crds && $(KUSTOMIZE) build -o deployment/crds config/crd
 ## Rename CRDs; remove prefixed type information

config/manager/kmra/.ca.secrets

@@ -0,0 +1,5 @@
+# Set appropriate base64 encoded certficates and private key values
+# to access the KMRA server.
+ca.crt=
+client.crt=
+client.key=

config/manager/kmra/.server.conf

@@ -0,0 +1,3 @@
+# NOTE: update the Key server address beofere
+# deploying using `make deploy`
+KEY_SERVER=localhost:443

config/manager/kmra/inject_kmra_plugin_patch.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller
+  namespace: system
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: init-kmra
+        image: busybox
+        imagePullPolicy: IfNotPresent
+        # The data in the secret are base64 encoded.
+        # km-wrap expects them in PEM encoding.
+        # So, we first decode them in the init container
+        # before starting the actual controller container.
+        command: ['sh', '-c', 'set -x; for f in /tmp/certs/*; do cat $f | base64 -d > /certs/$(basename $f); done ; chown -R 5000:5000 /certs']
+        volumeMounts:
+        - name: ca-secrets
+          mountPath: /certs/
+        - name: pre-ca-secrets
+          mountPath: /tmp/certs
+      containers:
+      - name: kmra-plugin
+        image: kmra-plugin
+        command:
+        - /kmra-plugin
+        args:
+        - --plugin-name=kmra
+        - --plugin-endpoint=/plugins/kmra.sock
+        - --registry-endpoint=/registry/registry.sock
+        name: kmra-plugin
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        envFrom:
+        - configMapRef:
+            name: tcs-kmra-server-config
+        volumeMounts:
+        - name: ca-secrets
+          mountPath: /certs/
+          readOnly: true
+        - name: plugins-dir
+          mountPath: /plugins/
+        - name: registry-dir
+          mountPath: /registry/
+      volumes:
+      - name: pre-ca-secrets
+        secret:
+          secretName: kmra-secrets
+      - name: ca-secrets
+        emptyDir: {}

config/manager/kustomization.yaml

@@ -1,22 +1,34 @@
 resources:
 - tcs_issuer.yaml
 
+patchesStrategicMerge:
+- kmra/inject_kmra_plugin_patch.yaml
+
 generatorOptions:
   disableNameSuffixHash: true
 
 configMapGenerator:
 - files:
   - tcs_issuer_config.yaml
   name: config
+- envs:
+  - kmra/.server.conf
+  name: kmra-server-config
 
 secretGenerator:
 - envs:
   - .env.secret
   name: issuer-pkcs11-conf
+- envs:
+  - kmra/.ca.secrets
+  name: kmra-secrets
 
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
+- name: kmra-plugin
+  newName: intel/trusted-certificate-issuer
+  newTag: latest
 - name: tcs-issuer
   newName: intel/trusted-certificate-issuer
   newTag: latest

config/manager/tcs_issuer.yaml

@@ -30,10 +30,14 @@ spec:
         imagePullPolicy: IfNotPresent
         ## Set appropriate permissions to tokens directory.
         ## The tcs-issuer container runs with UID 5000(tcs-issuer username).
-        command: ["/bin/chown", "-R", "5000:5000", "/home/tcs-issuer/tokens"]
+        command: ["/bin/chown", "-R", "5000:5000", "/home/tcs-issuer/tokens", "/registry", "/plugins"]
         volumeMounts:
         - mountPath: /home/tcs-issuer/tokens
           name: tokens-dir
+        - mountPath: /plugins/
+          name: plugins-dir
+        - mountPath: /registry/
+          name: plugins-dir
       containers:
       - command:
         - /tcs-issuer
@@ -45,7 +49,7 @@ spec:
         - --health-probe-bind-address=:8083
         - --user-pin=$USER_PIN
         - --so-pin=$SO_PIN
-        - --registry-path=/home/tcs-issuer/sockets/registry.sock
+        - --registry-endpoint=/registry/registry.sock
         image: tcs-issuer
         imagePullPolicy: Always
         name: tcs-issuer
@@ -91,14 +95,18 @@ spec:
           # for (un)sealing the tokens. Do not change this path.
           - mountPath: /home/tcs-issuer/tokens
             name: tokens-dir
-          - mountPath: /home/tcs-issuer/sockets
-            name: socket-dir
+          - mountPath: /plugins/
+            name: plugins-dir
+          - mountPath: /registry/
+            name: registry-dir
       serviceAccountName: tcs-issuer-serviceaccount
       terminationGracePeriodSeconds: 10
       volumes:
       - hostPath:
           path: /var/lib/tcs-issuer/tokens
           type: DirectoryOrCreate
         name: tokens-dir
-      - name : socket-dir
+      - name : registry-dir
+        emptyDir: {}
+      - name : plugins-dir
         emptyDir: {}

deployment/tcs_issuer.yaml

@@ -260,6 +260,14 @@ metadata:
   namespace: tcs-issuer
 ---
 apiVersion: v1
+data:
+  KEY_SERVER: localhost:443
+kind: ConfigMap
+metadata:
+  name: tcs-kmra-server-config
+  namespace: tcs-issuer
+---
+apiVersion: v1
 data:
   sopin: V0lwbUJCybc2Oc6M06Vz
   userpin: U3BnbGIyTUl3ZV9lSHUy
@@ -270,6 +278,17 @@ metadata:
 type: Opaque
 ---
 apiVersion: v1
+data:
+  ca.crt: ""
+  client.crt: ""
+  client.key: ""
+kind: Secret
+metadata:
+  name: tcs-kmra-secrets
+  namespace: tcs-issuer
+type: Opaque
+---
+apiVersion: v1
 kind: Service
 metadata:
   labels:
@@ -304,6 +323,32 @@ spec:
         control-plane: tcs-issuer
     spec:
       containers:
+      - args:
+        - --plugin-name=kmra
+        - --plugin-endpoint=/plugins/kmra.sock
+        - --registry-endpoint=/registry/registry.sock
+        command:
+        - /kmra-plugin
+        envFrom:
+        - configMapRef:
+            name: tcs-kmra-server-config
+        image: intel/trusted-certificate-issuer
+        name: kmra-plugin
+        resources:
+          limits:
+            cpu: 100m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        volumeMounts:
+        - mountPath: /certs/
+          name: ca-secrets
+          readOnly: true
+        - mountPath: /plugins/
+          name: plugins-dir
+        - mountPath: /registry/
+          name: registry-dir
       - args:
         - --leader-elect
         - --zap-devel
@@ -312,6 +357,7 @@ spec:
         - --health-probe-bind-address=:8083
         - --user-pin=$USER_PIN
         - --so-pin=$SO_PIN
+        - --registry-endpoint=/registry/registry.sock
         command:
         - /tcs-issuer
         env:
@@ -325,7 +371,7 @@ spec:
             secretKeyRef:
               key: sopin
               name: tcs-issuer-pkcs11-conf
-        image: intel/trusted-certificate-issuer:latest
+        image: intel/trusted-certificate-issuer
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -357,22 +403,53 @@ spec:
         volumeMounts:
         - mountPath: /home/tcs-issuer/tokens
           name: tokens-dir
+        - mountPath: /plugins/
+          name: plugins-dir
+        - mountPath: /registry/
+          name: registry-dir
       initContainers:
+      - command:
+        - sh
+        - -c
+        - set -x; for f in /tmp/certs/*; do cat $f | base64 -d > /certs/$(basename $f); done ; chown -R 5000:5000 /certs
+        image: busybox
+        imagePullPolicy: IfNotPresent
+        name: init-kmra
+        volumeMounts:
+        - mountPath: /certs/
+          name: ca-secrets
+        - mountPath: /tmp/certs
+          name: pre-ca-secrets
       - command:
         - /bin/chown
         - -R
         - 5000:5000
         - /home/tcs-issuer/tokens
+        - /registry
+        - /plugins
         image: busybox
         imagePullPolicy: IfNotPresent
         name: init
         volumeMounts:
         - mountPath: /home/tcs-issuer/tokens
           name: tokens-dir
+        - mountPath: /plugins/
+          name: plugins-dir
+        - mountPath: /registry/
+          name: plugins-dir
       serviceAccountName: tcs-issuer-serviceaccount
       terminationGracePeriodSeconds: 10
       volumes:
+      - name: pre-ca-secrets
+        secret:
+          secretName: tcs-kmra-secrets
+      - emptyDir: {}
+        name: ca-secrets
       - hostPath:
           path: /var/lib/tcs-issuer/tokens
           type: DirectoryOrCreate
         name: tokens-dir
+      - emptyDir: {}
+        name: registry-dir
+      - emptyDir: {}
+        name: plugins-dir