diff --git a/.gitignore b/.gitignore index 8b4473a..e11b84d 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,4 @@ enclave-config/privatekey.pem *~ charts/crds tcs-issuer*.tgz +config/manager/kmra/.* diff --git a/Makefile b/Makefile index 09e0f2e..d9f65d9 100644 --- a/Makefile +++ b/Makefile @@ -97,12 +97,13 @@ install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/crd | kubectl delete -f - -deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. - cd config/manager && $(KUSTOMIZE) edit set image tcs-issuer=${IMG} +set-image: kustomize + cd config/manager && $(KUSTOMIZE) edit set image tcs-issuer=${IMG} && $(KUSTOMIZE) edit set image kmra-plugin=${IMG} + +deploy: manifests kustomize set-image ## Deploy controller to the K8s cluster specified in ~/.kube/config. $(KUSTOMIZE) build config/default | kubectl apply -f - -deploy-manifests: manifests kustomize - cd config/manager && $(KUSTOMIZE) edit set image tcs-issuer=${IMG} +deploy-manifests: manifests kustomize set-image mkdir -p deployment && $(KUSTOMIZE) build config/default -o deployment/tcs_issuer.yaml mkdir -p deployment/crds && $(KUSTOMIZE) build -o deployment/crds config/crd ## Rename CRDs; remove prefixed type information diff --git a/config/manager/kmra/.ca.secrets b/config/manager/kmra/.ca.secrets new file mode 100644 index 0000000..b9b6bb1 --- /dev/null +++ b/config/manager/kmra/.ca.secrets @@ -0,0 +1,5 @@ +# Set appropriate base64 encoded certficates and private key values +# to access the KMRA server. +ca.crt= +client.crt= +client.key= diff --git a/config/manager/kmra/.server.conf b/config/manager/kmra/.server.conf new file mode 100644 index 0000000..07bc161 --- /dev/null +++ b/config/manager/kmra/.server.conf 
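Review bot: The new pattern `config/manager/kmra/.*` covers `.ca.secrets` and `.server.conf`, yet this same commit adds both files to the index, and an ignore pattern has no effect on paths that are already tracked, so local edits that put real `client.key` material into `.ca.secrets` will still show up in `git status` and be swept in by `git add -A`. Either track only template copies under a non-ignored name (for example `.ca.secrets.example`) and let the ignored file be created locally, or state in the file that the tracked copy must keep its empty values.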
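Review bot: The new `set-image` target has no `## …` help comment, unlike `deploy` and `uninstall` next to it, and it is not visibly declared `.PHONY` (the `.PHONY` list is outside this hunk, so it may be there); suggest `set-image: kustomize ## Point the tcs-issuer and kmra-plugin images in config/manager at $(IMG)`. Note that the recipe rewrites the tracked `config/manager/kustomization.yaml` in place, and `deploy-manifests` now runs it before rendering; the committed `deployment/tcs_issuer.yaml` in this diff shows `image: intel/trusted-certificate-issuer` without the `:latest` that `kustomization.yaml` declares, which looks like output generated under a different `IMG` value, so regenerating it from the committed kustomization would keep the two consistent. If `IMG` can be empty, a guard such as `$(if $(strip $(IMG)),,$(error IMG is empty))` would stop `edit set image tcs-issuer=` from writing an empty image name.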
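Review bot: The header comment has a typo, `certficates`, and it does not say that each value must be on a single line, which the env-file format requires and which is why the init container later runs `base64 -d`; suggest `# Base64-encoded, single-line PEM certificates and client private key used to authenticate to the KMRA key server (e.g. base64 -w0 client.key).` Since the `secretGenerator` takes these values literally and Kubernetes base64-encodes them again in the Secret, the comment should make clear that the value is the base64 form of the PEM file, not the PEM text itself.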
@@ -0,0 +1,3 @@ +# NOTE: update the Key server address beofere +# deploying using `make deploy` +KEY_SERVER=localhost:443 diff --git a/config/manager/kmra/inject_kmra_plugin_patch.yaml b/config/manager/kmra/inject_kmra_plugin_patch.yaml new file mode 100644 index 0000000..78f81e8 --- /dev/null +++ b/config/manager/kmra/inject_kmra_plugin_patch.yaml @@ -0,0 +1,56 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller + namespace: system +spec: + template: + spec: + initContainers: + - name: init-kmra + image: busybox + imagePullPolicy: IfNotPresent + # The data in the secret are base64 encoded. + # km-wrap expects them in PEM encoding. + # So, we first decode them in the init container + # before starting the actual controller container. + command: ['sh', '-c', 'set -x; for f in /tmp/certs/*; do cat $f | base64 -d > /certs/$(basename $f); done ; chown -R 5000:5000 /certs'] + volumeMounts: + - name: ca-secrets + mountPath: /certs/ + - name: pre-ca-secrets + mountPath: /tmp/certs + containers: + - name: kmra-plugin + image: kmra-plugin + command: + - /kmra-plugin + args: + - --plugin-name=kmra + - --plugin-endpoint=/plugins/kmra.sock + - --registry-endpoint=/registry/registry.sock + name: kmra-plugin + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + envFrom: + - configMapRef: + name: tcs-kmra-server-config + volumeMounts: + - name: ca-secrets + mountPath: /certs/ + readOnly: true + - name: plugins-dir + mountPath: /plugins/ + - name: registry-dir + mountPath: /registry/ + volumes: + - name: pre-ca-secrets + secret: + secretName: kmra-secrets + - name: ca-secrets + emptyDir: {} diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index 77a2a0e..5af3440 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
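Review bot: The comment has a typo, `beofere`, and the default `KEY_SERVER=localhost:443` resolves to the plugin pod's own network namespace, so it will never reach an external key server unless edited. Suggest `# NOTE: set KEY_SERVER to the KMRA key server address (host:port) before deploying with `make deploy`; the default localhost:443 is a placeholder and points at the pod itself.`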
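Review bot: The `kmra-plugin` container mapping has `name: kmra-plugin` twice (once before `image:`, once after `args:`), which is a duplicate YAML key; drop the second one, since strict YAML parsers reject duplicate keys and lenient ones silently keep the last. In the `init-kmra` command, `set -x` only traces, so a malformed base64 value makes `base64 -d` fail inside the `cat | base64` pipeline while the init container still exits 0 and the pod starts with an empty or partial file; `set -ex` plus a redirect instead of the pipeline would surface it. The decoded `client.key` is also written with the shell's default umask (0644) onto a disk-backed emptyDir, so, assuming the plugin runs as UID 5000 as the `chown` implies, `umask 077` before the loop and `emptyDir: {medium: Memory}` for `ca-secrets` would keep the private key mode 0600 and off the node disk: `command: ['sh', '-c', 'set -ex; umask 077; for f in /tmp/certs/*; do base64 -d < "$f" > "/certs/$(basename "$f")"; done; chown -R 5000:5000 /certs']`.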
@@ -1,6 +1,9 @@ resources: - tcs_issuer.yaml +patchesStrategicMerge: +- kmra/inject_kmra_plugin_patch.yaml + generatorOptions: disableNameSuffixHash: true @@ -8,15 +11,24 @@ configMapGenerator: - files: - tcs_issuer_config.yaml name: config +- envs: + - kmra/.server.conf + name: kmra-server-config secretGenerator: - envs: - .env.secret name: issuer-pkcs11-conf +- envs: + - kmra/.ca.secrets + name: kmra-secrets apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: +- name: kmra-plugin + newName: intel/trusted-certificate-issuer + newTag: latest - name: tcs-issuer newName: intel/trusted-certificate-issuer newTag: latest diff --git a/config/manager/tcs_issuer.yaml b/config/manager/tcs_issuer.yaml index 9070385..363b8ca 100644 --- a/config/manager/tcs_issuer.yaml +++ b/config/manager/tcs_issuer.yaml @@ -30,10 +30,14 @@ spec: imagePullPolicy: IfNotPresent ## Set appropriate permissions to tokens directory. ## The tcs-issuer container runs with UID 5000(tcs-issuer username). - command: ["/bin/chown", "-R", "5000:5000", "/home/tcs-issuer/tokens"] + command: ["/bin/chown", "-R", "5000:5000", "/home/tcs-issuer/tokens", "/registry", "/plugins"] volumeMounts: - mountPath: /home/tcs-issuer/tokens name: tokens-dir + - mountPath: /plugins/ + name: plugins-dir + - mountPath: /registry/ + name: plugins-dir containers: - command: - /tcs-issuer @@ -45,7 +49,7 @@ spec: - --health-probe-bind-address=:8083 - --user-pin=$USER_PIN - --so-pin=$SO_PIN - - --registry-path=/home/tcs-issuer/sockets/registry.sock + - --registry-endpoint=/registry/registry.sock image: tcs-issuer imagePullPolicy: Always name: tcs-issuer 
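Review bot: `patchesStrategicMerge` is the legacy patch field; kustomize v5 reports it as deprecated in favour of `patches`, so whether a warning appears at build time depends on the version the `kustomize` target installs, which is not visible in this diff. The equivalent form is `patches:` followed by `- path: kmra/inject_kmra_plugin_patch.yaml`.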
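Review bot: In the `init` container's new volumeMounts, `/registry/` is backed by `plugins-dir` rather than `registry-dir`, so the extended `chown -R 5000:5000 … /registry /plugins` touches the plugins volume twice and never the `registry-dir` emptyDir that the main container mounts at `/registry/` in the next hunk of this file; the rendered `deployment/tcs_issuer.yaml` initContainers hunk carries the same mismatch. Change the second mount to `name: registry-dir` and regenerate the deployment manifest.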
@@ -91,8 +95,10 @@ spec: # for (un)sealing the tokens. Do not change this path. - mountPath: /home/tcs-issuer/tokens name: tokens-dir - - mountPath: /home/tcs-issuer/sockets - name: socket-dir + - mountPath: /plugins/ + name: plugins-dir + - mountPath: /registry/ + name: registry-dir serviceAccountName: tcs-issuer-serviceaccount terminationGracePeriodSeconds: 10 volumes: @@ -100,5 +106,7 @@ spec: path: /var/lib/tcs-issuer/tokens type: DirectoryOrCreate name: tokens-dir - - name : socket-dir + - name : registry-dir + emptyDir: {} + - name : plugins-dir emptyDir: {} \ No newline at end of file diff --git a/deployment/tcs_issuer.yaml b/deployment/tcs_issuer.yaml index ecdeee8..5f3ef17 100644 --- a/deployment/tcs_issuer.yaml +++ b/deployment/tcs_issuer.yaml @@ -260,6 +260,14 @@ metadata: namespace: tcs-issuer --- apiVersion: v1 +data: + KEY_SERVER: localhost:443 +kind: ConfigMap +metadata: + name: tcs-kmra-server-config + namespace: tcs-issuer +--- +apiVersion: v1 data: sopin: V0lwbUJCybc2Oc6M06Vz userpin: U3BnbGIyTUl3ZV9lSHUy @@ -270,6 +278,17 @@ metadata: type: Opaque --- apiVersion: v1 +data: + ca.crt: "" + client.crt: "" + client.key: "" +kind: Secret +metadata: + name: tcs-kmra-secrets + namespace: tcs-issuer +type: Opaque +--- +apiVersion: v1 kind: Service metadata: labels: @@ -304,6 +323,32 @@ spec: control-plane: tcs-issuer spec: containers: + - args: + - --plugin-name=kmra + - --plugin-endpoint=/plugins/kmra.sock + - --registry-endpoint=/registry/registry.sock + command: + - /kmra-plugin + envFrom: + - configMapRef: + name: tcs-kmra-server-config + image: intel/trusted-certificate-issuer + name: kmra-plugin + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /certs/ + name: ca-secrets + readOnly: true + - mountPath: /plugins/ + name: plugins-dir + - mountPath: /registry/ + name: registry-dir - args: - --leader-elect - --zap-devel 
@@ -312,6 +357,7 @@ spec: - --health-probe-bind-address=:8083 - --user-pin=$USER_PIN - --so-pin=$SO_PIN + - --registry-endpoint=/registry/registry.sock command: - /tcs-issuer env: @@ -325,7 +371,7 @@ spec: secretKeyRef: key: sopin name: tcs-issuer-pkcs11-conf - image: intel/trusted-certificate-issuer:latest + image: intel/trusted-certificate-issuer imagePullPolicy: Always livenessProbe: httpGet: @@ -357,22 +403,53 @@ spec: volumeMounts: - mountPath: /home/tcs-issuer/tokens name: tokens-dir + - mountPath: /plugins/ + name: plugins-dir + - mountPath: /registry/ + name: registry-dir initContainers: + - command: + - sh + - -c + - set -x; for f in /tmp/certs/*; do cat $f | base64 -d > /certs/$(basename $f); done ; chown -R 5000:5000 /certs + image: busybox + imagePullPolicy: IfNotPresent + name: init-kmra + volumeMounts: + - mountPath: /certs/ + name: ca-secrets + - mountPath: /tmp/certs + name: pre-ca-secrets - command: - /bin/chown - -R - 5000:5000 - /home/tcs-issuer/tokens + - /registry + - /plugins image: busybox imagePullPolicy: IfNotPresent name: init volumeMounts: - mountPath: /home/tcs-issuer/tokens name: tokens-dir + - mountPath: /plugins/ + name: plugins-dir + - mountPath: /registry/ + name: plugins-dir serviceAccountName: tcs-issuer-serviceaccount terminationGracePeriodSeconds: 10 volumes: + - name: pre-ca-secrets + secret: + secretName: tcs-kmra-secrets + - emptyDir: {} + name: ca-secrets - hostPath: path: /var/lib/tcs-issuer/tokens type: DirectoryOrCreate name: tokens-dir + - emptyDir: {} + name: registry-dir + - emptyDir: {} + name: plugins-dir