Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
Apache License 2.0
QuoteAttestation: Remove support for multiple signers in the API #20
Currently, the `QuoteAttestation` CRD API supports multiple CA provisioning via `spec.signerNames` and `status.secrets`. The original idea behind this was to minimize the QA objects and thus reduce quote verification requests for multiple CAs. But, in fact, this is not needed (and thus not used in the code) for the below reasons, and also complicates the handling of QA objects:

- the quote attestation is initiated (and linked to) by a single issuer (TCSIssuer/TCSClusterIssuer). So, it makes more sense to keep the 1:1 relation between issuer to QA.
- complicates the status handling in case of failures, for ex., in case of failure of key wrapping for one of the signers, but
- no clear ownership of the QA object by any issuer.
So, I would propose to make the QuoteAttestation CRD support providing of a single CA. The changes include:
```go
type QuoteAttestationSpec struct {
	SignerName string
	SecretName string // name of the secret, to keep the wrapped key and certificate
	...
}

type QuoteAttestationStatus struct {
	Conditions []QuoteAttestationCondition `json:"conditions,omitempty"`
}
```
1. Move the `QuoteAttestation` object creation from `sgx.go` to `issuer_controller.go`.
2. Remove the `QuoteAttestation` reconciler code. Instead, the issuer reconciler fetches its QA object and checks if the attestation is ready.
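To make the proposed 1:1 issuer-to-QA flow concrete, here is an added sketch (not the project's code) of what the issuer reconciler's check would look like: it fetches the single QA object, verifies ownership, and reads the `Ready` condition. The types, the assumption that the QA object is named after its issuer, the in-memory store standing in for the API server, and the sample objects are all constructed for this illustration.

```go
package main

import "fmt"

// Hypothetical single-signer types per this issue's proposal (not the project's CRD code).
type QuoteAttestationSpec struct {
	SignerName string
	SecretName string // secret holding the wrapped CA key and certificate
}
type QuoteAttestationCondition struct{ Type, Status string } // e.g. Type "Ready", Status "True"/"False"
type QuoteAttestationStatus struct{ Conditions []QuoteAttestationCondition }
type QuoteAttestation struct {
	Name      string
	OwnerName string // issuer that created it (stands in for a Kubernetes ownerReference)
	Spec      QuoteAttestationSpec
	Status    QuoteAttestationStatus
}

// checkOwnedQA mirrors what the issuer reconciler would do under the proposal: fetch the one
// QA object named after the issuer (1:1 naming assumed), refuse one it does not own, report readiness.
func checkOwnedQA(store map[string]QuoteAttestation, issuer string) (bool, error) {
	qa, ok := store[issuer]
	if !ok {
		return false, fmt.Errorf("quoteattestation %q not found", issuer)
	}
	if qa.OwnerName != issuer {
		return false, fmt.Errorf("quoteattestation %q owned by %q, not %q", qa.Name, qa.OwnerName, issuer)
	}
	for _, c := range qa.Status.Conditions {
		if c.Type == "Ready" {
			return c.Status == "True", nil
		}
	}
	return false, nil // no Ready condition yet: key wrapping still pending
}

// sampleStore is a constructed stand-in for objects read from the API server.
func sampleStore() map[string]QuoteAttestation {
	ready := QuoteAttestationStatus{Conditions: []QuoteAttestationCondition{{Type: "Ready", Status: "True"}}}
	return map[string]QuoteAttestation{
		"issuer-a": {Name: "issuer-a", OwnerName: "issuer-a", Spec: QuoteAttestationSpec{SignerName: "issuer-a", SecretName: "issuer-a-ca"}, Status: ready},
		"issuer-b": {Name: "issuer-b", OwnerName: "issuer-a"}, // created by another issuer, no conditions yet
	}
}

func main() {
	ready, err := checkOwnedQA(sampleStore(), "issuer-a")
	fmt.Println("issuer-a ready:", ready, "err:", err)
}
```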