From 0371527ed44bbdf15f7e7914688cb813299d8c24 Mon Sep 17 00:00:00 2001 From: Greg May Date: Wed, 6 Nov 2024 18:59:54 -0800 Subject: [PATCH] feat(MHS-4208): add CSISecretStore templating --- .github/helm-docs.sh | 2 +- charts/tsm-audit-server/Chart.yaml | 2 +- charts/tsm-audit-server/README.md | 4 +- charts/tsm-node/Chart.yaml | 4 +- charts/tsm-node/README.md | 9 +- .../ci/configCSISecretStore-values.yaml | 30 +++++ charts/tsm-node/ci/configFile-values.yaml | 4 +- .../tsm-node/ci/configSecretName-values.yaml | 24 ++++ charts/tsm-node/ci/envvars-values.yaml | 4 +- charts/tsm-node/ci/ingress-multi.yaml | 4 +- charts/tsm-node/ci/ingress.yaml | 4 +- .../tsm-node/ci/securityContext-values.yaml | 4 +- charts/tsm-node/templates/configmap.yaml | 4 +- charts/tsm-node/templates/deployment.yaml | 29 +++-- charts/tsm-node/values.yaml | 17 ++- examples/tsm-node-multiinstance/README.md | 80 ++++++++++++- .../aws-secretproviderclass.yaml | 12 ++ .../azure-secretproviderclass.yaml | 18 +++ examples/tsm-node-multiinstance/config0.toml | 107 ++++++++++++++++++ examples/tsm-node-multiinstance/config1.toml | 105 +++++++++++++++++ examples/tsm-node-multiinstance/config2.toml | 103 +++++++++++++++++ examples/tsm-node-multiinstance/tsm0.yaml | 92 +-------------- examples/tsm-node-multiinstance/tsm1.yaml | 92 +-------------- examples/tsm-node-multiinstance/tsm2.yaml | 92 +-------------- 24 files changed, 546 insertions(+), 300 deletions(-) create mode 100644 charts/tsm-node/ci/configCSISecretStore-values.yaml create mode 100644 charts/tsm-node/ci/configSecretName-values.yaml create mode 100644 examples/tsm-node-multiinstance/aws-secretproviderclass.yaml create mode 100644 examples/tsm-node-multiinstance/azure-secretproviderclass.yaml create mode 100644 examples/tsm-node-multiinstance/config0.toml create mode 100644 examples/tsm-node-multiinstance/config1.toml create mode 100644 examples/tsm-node-multiinstance/config2.toml 
diff --git a/.github/helm-docs.sh b/.github/helm-docs.sh index ddaa7ba..f67efc7 100755 --- a/.github/helm-docs.sh +++ b/.github/helm-docs.sh @@ -5,7 +5,7 @@ export PATH="./.bin:$PATH" set -euxo pipefail -HELM_DOCS_VERSION=1.12.0 +HELM_DOCS_VERSION=1.14.2 # install helm-docs curl --silent --show-error --fail --location --output /tmp/helm-docs.tar.gz https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz diff --git a/charts/tsm-audit-server/Chart.yaml b/charts/tsm-audit-server/Chart.yaml index dfcbdd9..1a80463 100644 --- a/charts/tsm-audit-server/Chart.yaml +++ b/charts/tsm-audit-server/Chart.yaml @@ -5,7 +5,7 @@ maintainers: - name: Blockdaemon email: sre@blockdaemon.com type: application -version: 0.1.0 +version: 0.1.1 appVersion: "v1.1.0" dependencies: - name: mongodb diff --git a/charts/tsm-audit-server/README.md b/charts/tsm-audit-server/README.md index 8f33db2..027bfe3 100644 --- a/charts/tsm-audit-server/README.md +++ b/charts/tsm-audit-server/README.md @@ -1,6 +1,6 @@ # tsm-audit-server -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.1.0](https://img.shields.io/badge/AppVersion-v1.1.0-informational?style=flat-square) +![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.1.0](https://img.shields.io/badge/AppVersion-v1.1.0-informational?style=flat-square) A Helm chart to deploy a Blockdaemon TSM audit server to kubernetes 
@@ -60,4 +60,4 @@ A Helm chart to deploy a Blockdaemon TSM audit server to kubernetes | volumes | list | `[]` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/tsm-node/Chart.yaml b/charts/tsm-node/Chart.yaml index 515c175..87bc1c7 100644 --- a/charts/tsm-node/Chart.yaml +++ b/charts/tsm-node/Chart.yaml @@ -5,5 +5,5 @@ maintainers: - name: Blockdaemon email: sre@blockdaemon.com type: application -version: 0.1.5 -appVersion: "61.0.2" +version: 0.1.6 +appVersion: "62.2.4" diff --git a/charts/tsm-node/README.md b/charts/tsm-node/README.md index 8eaddc9..f708e2f 100644 --- a/charts/tsm-node/README.md +++ b/charts/tsm-node/README.md @@ -1,6 +1,6 @@ # tsm-node -![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 61.0.2](https://img.shields.io/badge/AppVersion-61.0.2-informational?style=flat-square) +![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 62.2.4](https://img.shields.io/badge/AppVersion-62.2.4-informational?style=flat-square) A Helm chart to deploy a Blockdaemon TSM node to kubernetes 
@@ -15,8 +15,6 @@ A Helm chart to deploy a Blockdaemon TSM node to kubernetes | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | | -| config.configFile | string | `""` | the TSM configuration file that will be mounted into the TSM node. MUTUALLY EXCLUSIVE with configSecretName | -| config.configSecretName | string | `""` | The name of the secret containing the TSM configuration file. MUTUALLY EXCLUSIVE with configFile | | env | object | `{}` | Environment variables to be passed to the TSM node deployment | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | | @@ -33,6 +31,9 @@ A Helm chart to deploy a Blockdaemon TSM node to kubernetes | ingress.tls | list | `[]` | | | mpcService | object | `{}` | Optional. Only used for flexibility to expose the mpc port outside of the cluster. | | nameOverride | string | `""` | | +| nodeConfig.configCSISecretStore | object | `{}` | The name of the CSI Secret-Store secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configSecretName | +| nodeConfig.configFile | string | `""` | The TSM configuration that will be mounted into the TSM node via a ConfigMap. Not recommended for production use. MUTUALLY EXCLUSIVE with configSecretName and configCSISecretStore | +| nodeConfig.configSecretName | string | `""` | The name of the kubernetes generic secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configCSISecretStore | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | | podLabels | object | `{}` | | 
@@ -50,4 +51,4 @@ A Helm chart to deploy a Blockdaemon TSM node to kubernetes | volumes | list | `[]` | Additional volumes on the output Deployment definition. | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/charts/tsm-node/ci/configCSISecretStore-values.yaml b/charts/tsm-node/ci/configCSISecretStore-values.yaml new file mode 100644 index 0000000..f72fb9d --- /dev/null +++ b/charts/tsm-node/ci/configCSISecretStore-values.yaml @@ -0,0 +1,30 @@ +replicaCount: 1 +index: 0 + +nodeConfig: + configCSISecretStore: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "tsm0-tsm-node" + +image: + repository: + pullPolicy: IfNotPresent + tag: "62.2.4" +sdkService: + type: NodePort + ports: + - port: 8080 + name: sdk + targetPort: 8080 + - port: 9000 + name: mpc + targetPort: 9000 + +mpcService: + enabled: false + +ingress: + enabled: false diff --git a/charts/tsm-node/ci/configFile-values.yaml b/charts/tsm-node/ci/configFile-values.yaml index 5b4e32e..0fd2433 100644 --- a/charts/tsm-node/ci/configFile-values.yaml +++ b/charts/tsm-node/ci/configFile-values.yaml @@ -1,7 +1,7 @@ replicaCount: 1 index: 0 -config: +nodeConfig: configFile: | [Player] Index = 0 @@ -17,7 +17,7 @@ config: image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" + tag: "62.2.4" sdkService: type: NodePort ports: diff --git a/charts/tsm-node/ci/configSecretName-values.yaml b/charts/tsm-node/ci/configSecretName-values.yaml new file mode 100644 index 0000000..853e0b1 --- /dev/null +++ b/charts/tsm-node/ci/configSecretName-values.yaml 
@@ -0,0 +1,24 @@ +replicaCount: 1 +index: 0 + +nodeConfig: + configSecretName: "tsm0-tsm-node" +image: + repository: + pullPolicy: IfNotPresent + tag: "62.2.4" +sdkService: + type: NodePort + ports: + - port: 8080 + name: sdk + targetPort: 8080 + - port: 9000 + name: mpc + targetPort: 9000 + +mpcService: + enabled: false + +ingress: + enabled: false diff --git a/charts/tsm-node/ci/envvars-values.yaml b/charts/tsm-node/ci/envvars-values.yaml index b9134ff..0af386d 100644 --- a/charts/tsm-node/ci/envvars-values.yaml +++ b/charts/tsm-node/ci/envvars-values.yaml @@ -9,7 +9,7 @@ env: - name: tsm value: node -config: +nodeConfig: configFile: | [Player] Index = 0 @@ -25,7 +25,7 @@ config: image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" + tag: "62.2.4" sdkService: type: NodePort ports: diff --git a/charts/tsm-node/ci/ingress-multi.yaml b/charts/tsm-node/ci/ingress-multi.yaml index d64f3cf..c1cdb61 100644 --- a/charts/tsm-node/ci/ingress-multi.yaml +++ b/charts/tsm-node/ci/ingress-multi.yaml @@ -1,7 +1,7 @@ replicaCount: 1 index: 0 -config: +nodeConfig: configFile: | [Player] Index = 0 @@ -17,7 +17,7 @@ config: image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" + tag: "62.2.4" sdkService: ports: - port: 8080 diff --git a/charts/tsm-node/ci/ingress.yaml b/charts/tsm-node/ci/ingress.yaml index aeb8a76..9ec224e 100644 --- a/charts/tsm-node/ci/ingress.yaml +++ b/charts/tsm-node/ci/ingress.yaml @@ -1,7 +1,7 @@ replicaCount: 1 index: 0 -config: +nodeConfig: configFile: | [Player] Index = 0 @@ -17,7 +17,7 @@ config: image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" + tag: "62.2.4" sdkService: type: NodePort ports: diff --git a/charts/tsm-node/ci/securityContext-values.yaml b/charts/tsm-node/ci/securityContext-values.yaml index 516e0ec..28dc9c6 100644 --- a/charts/tsm-node/ci/securityContext-values.yaml +++ b/charts/tsm-node/ci/securityContext-values.yaml @@ -1,7 +1,7 @@ replicaCount: 1 index: 0 -config: +nodeConfig: configFile: | [Player] Index = 0 
@@ -16,7 +16,7 @@ config: image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" + tag: "62.2.4" sdkService: type: NodePort ports: diff --git a/charts/tsm-node/templates/configmap.yaml b/charts/tsm-node/templates/configmap.yaml index eb3da80..e249e54 100644 --- a/charts/tsm-node/templates/configmap.yaml +++ b/charts/tsm-node/templates/configmap.yaml @@ -1,3 +1,4 @@ +{{- if .Values.nodeConfig.configFile }} apiVersion: v1 kind: ConfigMap metadata: @@ -6,4 +7,5 @@ metadata: {{- include "tsm-node.labels" . | nindent 4 }} data: config.toml: | - {{- .Values.config.configFile | nindent 4 }} \ No newline at end of file + {{- .Values.nodeConfig.configFile | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/tsm-node/templates/deployment.yaml b/charts/tsm-node/templates/deployment.yaml index e8c1b07..63c238f 100644 --- a/charts/tsm-node/templates/deployment.yaml +++ b/charts/tsm-node/templates/deployment.yaml @@ -13,10 +13,20 @@ spec: {{- include "tsm-node.selectorLabels" . | nindent 6 }} template: metadata: + {{- if and (.Values.podAnnotations) (.Values.nodeConfig.configFile) }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- else if .Values.podAnnotations }} + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- else if .Values.nodeConfig.configFile }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "tsm-node.labels" . | nindent 8 }} 
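Review bot: The three `if`/`else if` branches in the new `metadata:` block render the same `annotations:` key with the same two payloads in different combinations, so the `checksum/config` line and the `podAnnotations` block are each written twice and a later change has to be applied in several places. The same output in the same order is produced by one outer guard on `or .Values.podAnnotations .Values.nodeConfig.configFile` with the checksum and the `with .Values.podAnnotations` block each behind its own inner condition. The enclosing `spec.template` definition continues outside the hunk.
```yaml
    metadata:
      {{- if or .Values.podAnnotations .Values.nodeConfig.configFile }}
      annotations:
        {{- if .Values.nodeConfig.configFile }}
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        {{- end }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
      # … unchanged: labels …
```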
@@ -70,24 +80,25 @@ spec: port: sdk resources: {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - name: config-volume mountPath: /config {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} - volumes: - name: config-volume - {{- if and .Values.config.configFile .Values.config.configSecretName }} - {{- fail "config.configFile and config.configSecretName are mutually exclusive" }} - {{- else if .Values.config.configFile }} + {{- if or (and .Values.nodeConfig.configFile .Values.nodeConfig.configSecretName) (and .Values.nodeConfig.configFile .Values.nodeConfig.configCSISecretStore) (and .Values.nodeConfig.configSecretName .Values.nodeConfig.configCSISecretStore) (and .Values.nodeConfig.configFile .Values.nodeConfig.configSecretName .Values.cconfig.onfigCSISecretStore) }} + {{- fail "config.configFile and config.configSecretName and config.configCSISecretStore are mutually exclusive" }} + {{- else if .Values.nodeConfig.configFile }} configMap: name: {{ template "tsm-node.fullname" . }} - {{- else if .Values.config.configSecretName }} + {{- else if .Values.nodeConfig.configSecretName }} secret: - secretName: {{ .Values.config.configSecretName }} + secretName: {{ .Values.nodeConfig.configSecretName }} + {{- else if .Values.nodeConfig.configCSISecretStore.csi }} + csi: + {{- toYaml .Values.nodeConfig.configCSISecretStore.csi | nindent 10 }} {{- end }} {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} diff --git a/charts/tsm-node/values.yaml b/charts/tsm-node/values.yaml index 5aa63cd..333669a 100644 --- a/charts/tsm-node/values.yaml +++ b/charts/tsm-node/values.yaml 
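Review bot: The fourth clause of the new exclusivity test references `.Values.cconfig.onfigCSISecretStore`, a typo for `.Values.nodeConfig.configCSISecretStore`; it is also redundant, because any combination of all three options already satisfies one of the three pairwise clauses, so it can be dropped rather than fixed (depending on the Go version Helm is built with, `and`/`or` short-circuit and the typo may never be evaluated, but it is still wrong). The `fail` message still names the old `config.*` keys although this commit renames them to `nodeConfig.*`; suggest `{{- fail "nodeConfig.configFile, nodeConfig.configSecretName and nodeConfig.configCSISecretStore are mutually exclusive" }}`. When none of the three is set, `config-volume` is rendered with a name and no source, which the API server presumably defaults to an `emptyDir`, so the node would start with an empty `/config`; a final `{{- else }}{{- fail "one of nodeConfig.configFile, nodeConfig.configSecretName or nodeConfig.configCSISecretStore must be set" }}` would surface that at template time. The CSI branch tests `.configCSISecretStore.csi` while the exclusivity test uses the parent object, so a populated `configCSISecretStore` without a `csi` key falls through to that same sourceless volume.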
@@ -8,11 +8,20 @@ index: 0 # -- Environment variables to be passed to the TSM node deployment env: {} -config: - # -- the TSM configuration file that will be mounted into the TSM node. MUTUALLY EXCLUSIVE with configSecretName +nodeConfig: + # -- The name of the kubernetes generic secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configCSISecretStore + configSecretName: "" # Set a unique value relevant TSM node index + + # -- The name of the CSI Secret-Store secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configSecretName + configCSISecretStore: {} + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "tsm0-tsm-node" # Set a unique value relevant TSM node index + + # -- The TSM configuration that will be mounted into the TSM node via a ConfigMap. Not recommended for production use. MUTUALLY EXCLUSIVE with configSecretName and configCSISecretStore configFile: "" - # -- The name of the secret containing the TSM configuration file. MUTUALLY EXCLUSIVE with configFile - configSecretName: "" image: # -- Image to use for deploying the TSM node diff --git a/examples/tsm-node-multiinstance/README.md b/examples/tsm-node-multiinstance/README.md index 6375904..1274dad 100644 --- a/examples/tsm-node-multiinstance/README.md +++ b/examples/tsm-node-multiinstance/README.md 
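Review bot: The trailing comment `# Set a unique value relevant TSM node index` on `configSecretName` and on the commented `secretProviderClass` line is not a sentence; suggest `# Set a unique value for each TSM node index` in both places. The `configCSISecretStore` doc comment could also say that the `csi:` object is rendered verbatim into the pod's volume spec (the deployment template passes it through `toYaml`), so `driver`, `readOnly: true` and `volumeAttributes.secretProviderClass` are required as shown and anything else placed there reaches the API server unchanged.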
@@ -6,22 +6,92 @@ Full documentation of the configuration can be found [here](https://builder-vaul ## Helm Repository -``` +```shell helm repo add builder-vault https://blockdaemon.github.io/builder-vault-helm/ helm repo update ``` ## Prerequisites - - An EKS cluster deployed with the [AWS Loadbalancer Controller](https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html) installed and configured. -The cluster deployed will look like this: +The deployed cluster will look like this: ![TSM Cluster](assets/tsm-cluster.jpeg) +Each Builder Vault TSM node must have it own configuration which it reads on startup from `/config/config.toml`. A sample config file for each node, of a 3 node setup, is provided `config0.toml`, `config1.toml`, `config2.toml`. You have the option to inject these config files from either a `Kubernetes Secret` or `CSI Secret Store`. This is configured through helm values `.values.nodeConfig`. + +In this example, the `tsm0.yaml`, `tsm1.yaml` and `tsm2.yaml` are already set up to use the `Kubernetes Secret` class with, for example `tsm0.yaml` set to `.values.nodeConfig.configSecretName: tsm0-tsm-node`. To configure with this approach, create the Kubernetes Secrets in step 1 below. + + +### Secrets Management options: + +#### 1. Kubernetes Secret Class +Follow the steps below to use the Kubernetes Secret generic class. Note that while each node has a unique sample filename, every TSM node expects the file on the same path `/config/config.toml`. +1. Create the secret object +```shell +$ kubectl create secret generic --from-file=config.toml=config0.toml --namespace tsm0-tsm-node +secret/tsm0-tsm-node created +``` +2. Update the helm values.yaml for each node with its corresponding secret name: +```yaml +nodeConfig.configSecretName: tsm0-tsm-node +``` + +#### 2. CSI Secret Stores class +Follow the steps below to use the CSI Secret Store class. Review the relevant secret manager documentation beforehand. Some common examples are:
+[AWS Secret Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver_SecretProviderClass.html)
+[Azure Key Vault](https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver)
+[GCP Secret Manager](https://cloud.google.com/secret-manager/docs/secret-manager-managed-csi-component) + + +1. Create the secret in the secret management system. +2. Ensure the CSI Secrets Store driver is installed for the Kubernetes cluster and that TSM nodes have the releveant privages to read the secret. +3. Create the Kubernetes SecretProviderClass to point to the secret. Example AWS SecretProviderClass specification: +```yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: tsm0-tsm-node +spec: + provider: aws + parameters: + region: us-east-1 + objects: | + - objectName: "arn:aws:secretsmanager:us-east-1:111122223333:secret:tsm0-tsm-node-ABCDE" + objectType: "secretsmanager" + objectAlias: "config.toml" +``` + +4. Update the helm values.yaml `.values.nodeConfig.configCSISecretStore` for each node with the new CSI Secret Store parameters: +```yaml +nodeConfig: + configCSISecretStore: + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "tsm0-tsm-node" +``` + +### Additional infrastructure considerations +In addition to secrets management the following changes may need to be added: +#### Ingress Class name and annotations. AWS example: +```yaml +ingress: + className: "alb" + annotations: + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/certificate-arn: + alb.ingress.kubernetes.io/healthcheck-path: /ping +``` +#### Confidential Computing nodeSelector. Azure example: +```yaml +nodeSelector: + kubernetes.azure.com/security-type: ConfidentialVM +``` -The values files (tsm<0-2>.yaml) have example configurations for deploying each node in a way that they can communicate with each other and provision ingress to the SDK port. 
+## Deployment -To deploy, you would perform 3 helm deployments: +To deploy the BuilderVault, perform the helm deployment for each TSM node: ``` helm install tsm0 blockdaemon/tsm-node --create-namespace -n tsm -f tsm0.yaml helm install tsm1 blockdaemon/tsm-node --create-namespace -n tsm -f tsm1.yaml diff --git a/examples/tsm-node-multiinstance/aws-secretproviderclass.yaml b/examples/tsm-node-multiinstance/aws-secretproviderclass.yaml new file mode 100644 index 0000000..5354c3e --- /dev/null +++ b/examples/tsm-node-multiinstance/aws-secretproviderclass.yaml @@ -0,0 +1,12 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: tsm0-tsm-node +spec: + provider: aws + parameters: + region: us-east-1 + objects: | + - objectName: "arn:aws:secretsmanager:us-east-1:111122223333:secret:tsm0-tsm-node-ABCDE" + objectType: "secretsmanager" + objectAlias: "config.toml" \ No newline at end of file diff --git a/examples/tsm-node-multiinstance/azure-secretproviderclass.yaml b/examples/tsm-node-multiinstance/azure-secretproviderclass.yaml new file mode 100644 index 0000000..3b0921f --- /dev/null +++ b/examples/tsm-node-multiinstance/azure-secretproviderclass.yaml @@ -0,0 +1,18 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: tsm0-tsm-node +spec: + provider: azure + parameters: + usePodIdentity: "false" + useVMManagedIdentity: "true" # Set to true for using managed identity + userAssignedIdentityID: 15623de8-3b34-4d11-b8bf-33678c2d7810 # Set the clientID of the user-assigned managed identity to use + keyvaultName: buildervault-testnet # Set to the name of your key vault + objects: | + array: + - | + objectName: tsm0-tsm-node + objectType: secret + objectAlias: config.toml + tenantId: 804712c2-1d3e-4eda-be6f-2f4bdbc36300 # The tenant ID of the key vault \ No newline at end of file 
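Review bot: The new `azure-secretproviderclass.yaml` ships a concrete `userAssignedIdentityID`, `tenantId` and `keyvaultName` (`buildervault-testnet`) instead of placeholders, so a copied manifest points at a specific identity and vault that are not the reader's and the example leaks environment detail into a public repository. Replace them with labelled placeholders, e.g. `userAssignedIdentityID: <USER_ASSIGNED_IDENTITY_CLIENT_ID>`, `tenantId: <KEY_VAULT_TENANT_ID>` and `keyvaultName: <KEY_VAULT_NAME>`, which also matches the AWS example's use of the `111122223333` documentation account id. Both new SecretProviderClass files end without a trailing newline.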
diff --git a/examples/tsm-node-multiinstance/config0.toml b/examples/tsm-node-multiinstance/config0.toml new file mode 100644 index 0000000..20c71f1 --- /dev/null +++ b/examples/tsm-node-multiinstance/config0.toml 
@@ -0,0 +1,107 @@ + +[Player] + Index = 0 + PrivateKey = "MHcCAQEEIJZ2T0ESxG34wA77rhn+9KMOrkz296jeDUOenHsLmWO/oAoGCCqGSM49AwEHoUQDQgAE0AyIB0e0A00Z+ovqDQ5mjffEqVabU/eEOwOOrkElnSX1qPkgIn5eLIOC7OWQq6dgZnJLjElg6R4vR5a91aAE8w==" + ExportWhiteList = ["*"] + +[Players.0] + Address = "tcp://tsm0-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0AyIB0e0A00Z+ovqDQ5mjffEqVabU/eEOwOOrkElnSX1qPkgIn5eLIOC7OWQq6dgZnJLjElg6R4vR5a91aAE8w==" + +[Players.1] + Address = "tcp://tsm1-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZsbGXaVTkx8iiXb7iDSBFs24xYdbe5jTRg57aU0F71BMxhlV46cKMsCDXARriCUBwApfCoAf/ByyJ7TpWRm4Rw==" + +[Players.2] + Address = "tcp://tsm2-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJZx6N1ARYmc/6DQBL/47yRL/dMvWi5UQRUiqA05pdjLAb3eXO6yPioocnZNxsQjCerxcMJ2LnvELmK5L6Ovsqw==" + +[Database] + DriverName = "sqlite3" + DataSourceName = "/tsm/sqlite.db" + EncryptorMasterPassword = "password" + +[MPCTCPServer] + Port = 9000 + +[SDKServer] + Port = 8080 + +[MetricsServer] + Port = 9102 + Prometheus = true + +[[Authentication.APIKeys]] + APIKey = "IntV2sEZRwwd2F+UkDLC7zmFhwvpxAwb0eQKwdEnSZU=" # apikey0 + ApplicationID = "demoapp" + +[[Authentication.APIKeys]] + APIKey = "NaseBBHEzG7KqmdqTH/vJZeYeZ7UCtCfsHra6QK9DHo=" # apikey3 + ApplicationID = "app2" + +[MultiInstance] + CleanupInterval = "5m" + CleanupProbability = 75 + +[DKLS19.Features] + GenerateKey = true + GeneratePresignatures = true + Sign = true + SignWithPresignature = true + GenerateRecoveryData = true + PublicKey = true + ChainCode = true + Reshare = true + CopyKey = true + BackupKeyShare = true + RestoreKeyShare = true + ExportKeyShares = true + ImportKeyShares = true + BIP32GenerateSeed = true + BIP32DeriveFromSeed = true + BIP32DeriveFromKey = true + BIP32ConvertKey = true + BIP32ExportSeed = true + BIP32ImportSeed = true + BIP32Info = true + +[SEPD19S.Features] + GenerateKey = true + GeneratePresignatures = true + Sign = true + SignWithPresignature = true + 
GenerateRecoveryData = true + PublicKey = true + ChainCode = true + Reshare = true + CopyKey = true + BackupKeyShare = true + RestoreKeyShare = true + ExportKeyShares = true + ImportKeyShares = true + +[ADN06.Features] + PublicKey = true + SignPKCS1v15 = true + SignPSS = true + Decrypt = true + ExportKeyShares = true + ImportKeyShares = true + +[MRZ15.AESFeatures] + GenerateKey = true + ExportKeyShares = true + ImportKeyShares = true + CTRKeyStream = true + CBCEncrypt = true + CBCDecrypt = true + GCMEncrypt = true + GCMDecrypt = true + CMAC = true + +[MRZ15.HMACFeatures] + GenerateKey = true + ExportKeyShares = true + ImportKeyShares = true + HMACSHA256 = true + HMACSHA512 = true diff --git a/examples/tsm-node-multiinstance/config1.toml b/examples/tsm-node-multiinstance/config1.toml new file mode 100644 index 0000000..e7031b1 --- /dev/null +++ b/examples/tsm-node-multiinstance/config1.toml 
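Review bot: `config0.toml` commits a complete player identity: `PrivateKey` is a full base64 SEC1 EC private key (the `MHcCAQEEI…` prefix), and its embedded public point is byte-for-byte the `…DQgAE0AyIB0e0…` suffix of `Players.0.PublicKey` in all three files, alongside `EncryptorMasterPassword = "password"`; `config1.toml` and `config2.toml` do the same with their `PrivateKey` and `db1password`/`db1masterPassword`, `db2password`/`db2masterPassword` values. A sample that works out of the box invites copying, and any deployment that keeps these values authenticates to its peers with keys anyone can read from this repository and protects its key-share database with a known password. Prefer the placeholder style the replaced `tsm0.yaml` used (`PrivateKey = "BA3E64=="` with the `openssl ecparam -name P-256 -genkey …` / `openssl base64 -A …` comment explaining how to generate one) and keep its comment above `EncryptorMasterPassword` about using a long random string and backing it up. `ExportWhiteList = ["*"]`, which the old example did not set, deserves a comment marking it demo-only in all three files, as `config2.toml` partly does.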
@@ -0,0 +1,105 @@ + +[Player] + Index = 1 + PrivateKey = "MHcCAQEEILWaOgXLxJUxodTrASskOfTN0y8RD/vuwuv/bOM+f2wroAoGCCqGSM49AwEHoUQDQgAEZsbGXaVTkx8iiXb7iDSBFs24xYdbe5jTRg57aU0F71BMxhlV46cKMsCDXARriCUBwApfCoAf/ByyJ7TpWRm4Rw==" + ExportWhiteList = ["*"] + +[Players.0] + Address = "tcp://tsm0-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0AyIB0e0A00Z+ovqDQ5mjffEqVabU/eEOwOOrkElnSX1qPkgIn5eLIOC7OWQq6dgZnJLjElg6R4vR5a91aAE8w==" + +[Players.1] + Address = "tcp://tsm1-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZsbGXaVTkx8iiXb7iDSBFs24xYdbe5jTRg57aU0F71BMxhlV46cKMsCDXARriCUBwApfCoAf/ByyJ7TpWRm4Rw==" + +[Players.2] + Address = "tcp://tsm2-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJZx6N1ARYmc/6DQBL/47yRL/dMvWi5UQRUiqA05pdjLAb3eXO6yPioocnZNxsQjCerxcMJ2LnvELmK5L6Ovsqw==" + +[Database] + DriverName = "mysql" + DataSourceName = "db1user:db1password@tcp(db1:3306)/db1?parseTime=true" + EncryptorMasterPassword = "db1masterPassword" + MaxIdleConns = 500 + MaxOpenConns = 500 + +[MPCTCPServer] + Port = 9000 + +[SDKServer] + Port = 8080 + +[MetricsServer] + Port = 9102 + Prometheus = true + +[[Authentication.APIKeys]] + APIKey = "1PebMT+BBvWvEIrZb/UWIi2/1aCrUvQwjksa0ddA3mA=" # apikey1 + ApplicationID = "demoapp" + +[[Authentication.APIKeys]] + APIKey = "NaseBBHEzG7KqmdqTH/vJZeYeZ7UCtCfsHra6QK9DHo=" # apikey3 + ApplicationID = "app2" + +[DKLS19.Features] + GenerateKey = true + GeneratePresignatures = true + Sign = true + SignWithPresignature = true + GenerateRecoveryData = true + PublicKey = true + ChainCode = true + Reshare = true + CopyKey = true + BackupKeyShare = true + RestoreKeyShare = true + ExportKeyShares = true + ImportKeyShares = true + BIP32GenerateSeed = true + BIP32DeriveFromSeed = true + BIP32DeriveFromKey = true + BIP32ConvertKey = true + BIP32ExportSeed = true + BIP32ImportSeed = true + BIP32Info = true + +[SEPD19S.Features] + GenerateKey = true + GeneratePresignatures = true + Sign = true + 
SignWithPresignature = true + GenerateRecoveryData = true + PublicKey = true + ChainCode = true + Reshare = true + CopyKey = true + BackupKeyShare = true + RestoreKeyShare = true + ExportKeyShares = true + ImportKeyShares = true + +[ADN06.Features] + PublicKey = true + SignPKCS1v15 = true + SignPSS = true + Decrypt = true + ExportKeyShares = true + ImportKeyShares = true + +[MRZ15.AESFeatures] + GenerateKey = true + ExportKeyShares = true + ImportKeyShares = true + CTRKeyStream = true + CBCEncrypt = true + CBCDecrypt = true + GCMEncrypt = true + GCMDecrypt = true + CMAC = true + +[MRZ15.HMACFeatures] + GenerateKey = true + ExportKeyShares = true + ImportKeyShares = true + HMACSHA256 = true + HMACSHA512 = true diff --git a/examples/tsm-node-multiinstance/config2.toml b/examples/tsm-node-multiinstance/config2.toml new file mode 100644 index 0000000..3535238 --- /dev/null +++ b/examples/tsm-node-multiinstance/config2.toml 
@@ -0,0 +1,103 @@ + +[Player] + Index = 2 + PrivateKey = "MHcCAQEEIHGb0I8CEE6db7/buOQiX8SgnbkkAI5aX9mowvCpUjOJoAoGCCqGSM49AwEHoUQDQgAEJZx6N1ARYmc/6DQBL/47yRL/dMvWi5UQRUiqA05pdjLAb3eXO6yPioocnZNxsQjCerxcMJ2LnvELmK5L6Ovsqw==" + + # Allow any key to be exported + ExportWhiteList = ["*"] + +[Players.0] + Address = "tcp://tsm0-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0AyIB0e0A00Z+ovqDQ5mjffEqVabU/eEOwOOrkElnSX1qPkgIn5eLIOC7OWQq6dgZnJLjElg6R4vR5a91aAE8w==" +[Players.1] + Address = "tcp://tsm1-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZsbGXaVTkx8iiXb7iDSBFs24xYdbe5jTRg57aU0F71BMxhlV46cKMsCDXARriCUBwApfCoAf/ByyJ7TpWRm4Rw==" +[Players.2] + Address = "tcp://tsm2-tsm-node:9000" + PublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJZx6N1ARYmc/6DQBL/47yRL/dMvWi5UQRUiqA05pdjLAb3eXO6yPioocnZNxsQjCerxcMJ2LnvELmK5L6Ovsqw==" + +[Database] + DriverName = "postgres" + DataSourceName = "postgres://db2user:db2password@db2:5432/db2?sslmode=disable" + EncryptorMasterPassword = "db2masterPassword" + +[MPCTCPServer] + Port = 9000 + +[SDKServer] + Port = 8080 + +[MetricsServer] + Port = 9102 + Prometheus = true + +[[Authentication.APIKeys]] + APIKey = "FfrI+hyZAiVosAi53wewS0U1SsXKR0AEHZBM088rOeM=" # apikey2 + ApplicationID = "demoapp" + +[[Authentication.APIKeys]] + APIKey = "NaseBBHEzG7KqmdqTH/vJZeYeZ7UCtCfsHra6QK9DHo=" # apikey3 + ApplicationID = "app2" + +[DKLS19.Features] + GenerateKey = true + GeneratePresignatures = true + Sign = true + SignWithPresignature = true + GenerateRecoveryData = true + PublicKey = true + ChainCode = true + Reshare = true + CopyKey = true + BackupKeyShare = true + RestoreKeyShare = true + ExportKeyShares = true + ImportKeyShares = true + BIP32GenerateSeed = true + BIP32DeriveFromSeed = true + BIP32DeriveFromKey = true + BIP32ConvertKey = true + BIP32ExportSeed = true + BIP32ImportSeed = true + BIP32Info = true + +[SEPD19S.Features] + GenerateKey = true + GeneratePresignatures = true + Sign = true + 
SignWithPresignature = true + GenerateRecoveryData = true + PublicKey = true + ChainCode = true + Reshare = true + CopyKey = true + BackupKeyShare = true + RestoreKeyShare = true + ExportKeyShares = true + ImportKeyShares = true + +[ADN06.Features] + PublicKey = true + SignPKCS1v15 = true + SignPSS = true + Decrypt = true + ExportKeyShares = true + ImportKeyShares = true + +[MRZ15.AESFeatures] + GenerateKey = true + ExportKeyShares = true + ImportKeyShares = true + CTRKeyStream = true + CBCEncrypt = true + CBCDecrypt = true + GCMEncrypt = true + GCMDecrypt = true + CMAC = true + +[MRZ15.HMACFeatures] + GenerateKey = true + ExportKeyShares = true + ImportKeyShares = true + HMACSHA256 = true + HMACSHA512 = true diff --git a/examples/tsm-node-multiinstance/tsm0.yaml b/examples/tsm-node-multiinstance/tsm0.yaml index 059bf45..9f18722 100644 --- a/examples/tsm-node-multiinstance/tsm0.yaml +++ b/examples/tsm-node-multiinstance/tsm0.yaml 
@@ -1,95 +1,13 @@ replicaCount: 2 index: 0 -config: - # https://builder-vault-tsm.docs.blockdaemon.com/docs/example-tsm-configuration-file - configFile: | - [MPC] - Threshold = 1 - PlayerCount = 3 - - [Player] - Index = 0 - # This is a base64 encoding of the private key used to authenticate the local player towards the remote players. This - # must correspond to the public keys configured on the remote players for this player index. A private key can be - # generated using the following OpenSSL commands: - # - # openssl ecparam -name P-256 -genkey -param_enc named_curve -outform DER -out private.key - # openssl base64 -A -in private.key; echo - # - # Instead of P-256 one can use P-384 or P-521 depending on the desired security level (128, 192 or 256 bits). - PrivateKey = "BA3E64==" - - [Players.1] - Address = "tsm1-tsm-node:9000" - # This is a base64 encoding of the players public key. A public key can be generated from the private key using the - # following OpenSSL commands: - # - # openssl ec -inform DER -in private.key -pubout -outform DER -out public.key - # openssl base64 -A -in public.key; echo - PublicKey = "BA3E64==" - - [Players.2] - Address = "tsm2-tsm-node:9000" - PublicKey = "BA3E64==" - - [Authentication] - # List of API keys used for authentication in SDKv2 - [[Authentication.APIKeys]] - # Only for SDK V2 - # Base64 encoded hash of the API key. A hash for the API key foobar can be generated with the following command: - # - # echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64 - #APIKey = "" - # Users with the given API key will be mapped to this user in the system. If the user does not exist, it will be - # created automatically. Set this to an existing user ID to migrate from password to API key authentication. - #ApplicationID = "" - - [Database] - DriverName = "postgres" - # This specifies a master encryption key used to protect database records. Note that this key is not directly - # used to encrypt data. 
Use any long random string here and make sure to keep a backup of it somewhere safe. - EncryptorMasterPassword = "ENCRYPTION_KEY" - DataSourceName = "host=.rds.amazonaws.com port=5432 user=tsm0 password=mypass dbname=tsm0 sslmode=require" - - [MPCTCPServer] - Port = 9000 - - [SDKServer] - Port = 8080 - - [SEPD19S] - EnableShareBackup = true - EnableERSExport = true - [DKLS19] - EnableShareBackup = true - EnableERSExport = true - - [MultiInstance] - CleanupInterval = "5m" - CleanupProbability = 75 - - [Audit] - # URL of the audit receiver. Audit logs are sent to this URL - # Can be a file, HTTP location or s3 location: file://, https://, s3:// - #ReceiverURL = "" - - # When using an S3-compatible API as the ReceiverURL in [Audit], specify any - # non-standard S3 related parameters here - [Audit.S3EndpointConfig] - # If not using the default S3 endpoint, specify the custom one here - #EndpointURL = "" - # AWS or S3-compatible API region - #Region = "" - # Authorization keys for the S3-compatible API - #SecretAccessKey = "" - #AccessKeyId = "" - #SessionToken = "" +nodeConfig: # https://builder-vault-tsm.docs.blockdaemon.com/docs/example-tsm-configuration-file + configSecretName: tsm0-tsm-node image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" # override the version of the image + tag: "62.2.4" # override the version of the image sdkService: type: NodePort @@ -131,13 +49,13 @@ affinity: resources: requests: - cpu: 14 + cpu: 6 securityContext: capabilities: drop: - ALL - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false # Set to false for testing with the local sqlite runAsNonRoot: true runAsUser: 2000 allowPrivilegeEscalation: false diff --git a/examples/tsm-node-multiinstance/tsm1.yaml b/examples/tsm-node-multiinstance/tsm1.yaml index f65d86f..703c4f3 100644 --- a/examples/tsm-node-multiinstance/tsm1.yaml +++ b/examples/tsm-node-multiinstance/tsm1.yaml 
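Review bot: Flipping `readOnlyRootFilesystem` to `false` in the securityContext hunk weakens an example that users are likely to copy wholesale, and the trailing comment justifies it with a local sqlite database while the configs this commit adds use `DriverName = "postgres"` (see config2.toml above) and the inline config it removes pointed at an RDS host. If a writable path is genuinely needed for a sqlite test, a dedicated writable volume would keep the root filesystem read-only; I cannot tell from these values whether the chart exposes extra volume mounts, so at minimum I would keep the hardened default and make the relaxation opt-in: `readOnlyRootFilesystem: true  # set to false only when testing with the local sqlite database`. The first hunk moves the player private key, database credentials and `EncryptorMasterPassword` into the Secret named by `configSecretName`, and with the generation instructions that used to sit inline now gone, a one-line comment under `nodeConfig:` pointing at where and how that Secret is created (the README or the SecretProviderClass examples in this commit) would help.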
@@ -1,95 +1,13 @@ replicaCount: 3 index: 1 -config: - # https://builder-vault-tsm.docs.blockdaemon.com/docs/example-tsm-configuration-file - configFile: | - [MPC] - Threshold = 1 - PlayerCount = 3 - - [Player] - Index = 1 - # This is a base64 encoding of the private key used to authenticate the local player towards the remote players. This - # must correspond to the public keys configured on the remote players for this player index. A private key can be - # generated using the following OpenSSL commands: - # - # openssl ecparam -name P-256 -genkey -param_enc named_curve -outform DER -out private.key - # openssl base64 -A -in private.key; echo - # - # Instead of P-256 one can use P-384 or P-521 depending on the desired security level (128, 192 or 256 bits). - PrivateKey = "BA3E64==" - - [Players.0] - Address = "tsm0-tsm-node:9000" - # This is a base64 encoding of the players public key. A public key can be generated from the private key using the - # following OpenSSL commands: - # - # openssl ec -inform DER -in private.key -pubout -outform DER -out public.key - # openssl base64 -A -in public.key; echo - PublicKey = "BA3E64==" - - [Players.2] - Address = "tsm2-tsm-node:9000" - PublicKey = "BA3E64==" - - [Authentication] - # List of API keys used for authentication in SDKv2 - [[Authentication.APIKeys]] - # Only for SDK V2 - # Base64 encoded hash of the API key. A hash for the API key foobar can be generated with the following command: - # - # echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64 - #APIKey = "" - # Users with the given API key will be mapped to this user in the system. If the user does not exist, it will be - # created automatically. Set this to an existing user ID to migrate from password to API key authentication. - #ApplicationID = "" - - [Database] - DriverName = "postgres" - # This specifies a master encryption key used to protect database records. Note that this key is not directly - # used to encrypt data. 
Use any long random string here and make sure to keep a backup of it somewhere safe. - EncryptorMasterPassword = "ENCRYPTION_KEY" - DataSourceName = "host=.rds.amazonaws.com port=5432 user=tsm1 password=mypass dbname=tsm1 sslmode=require" - - [MPCTCPServer] - Port = 9000 - - [SDKServer] - Port = 8080 - - [SEPD19S] - EnableShareBackup = true - EnableERSExport = true - [DKLS19] - EnableShareBackup = true - EnableERSExport = true - - [MultiInstance] - CleanupInterval = "5m" - CleanupProbability = 75 - - [Audit] - # URL of the audit receiver. Audit logs are sent to this URL - # Can be a file, HTTP location or s3 location: file://, https://, s3:// - #ReceiverURL = "" - - # When using an S3-compatible API as the ReceiverURL in [Audit], specify any - # non-standard S3 related parameters here - [Audit.S3EndpointConfig] - # If not using the default S3 endpoint, specify the custom one here - #EndpointURL = "" - # AWS or S3-compatible API region - #Region = "" - # Authorization keys for the S3-compatible API - #SecretAccessKey = "" - #AccessKeyId = "" - #SessionToken = "" +nodeConfig: # https://builder-vault-tsm.docs.blockdaemon.com/docs/example-tsm-configuration-file + configSecretName: tsm1-tsm-node image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" # override the version of the image + tag: "62.2.4" # override the version of the image sdkService: type: NodePort @@ -131,13 +49,13 @@ affinity: resources: requests: - cpu: 14 + cpu: 6 securityContext: capabilities: drop: - ALL - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false # Set to false for testing with the local sqlite runAsNonRoot: true runAsUser: 2000 allowPrivilegeEscalation: false diff --git a/examples/tsm-node-multiinstance/tsm2.yaml b/examples/tsm-node-multiinstance/tsm2.yaml index da7c9c5..21060e2 100644 --- a/examples/tsm-node-multiinstance/tsm2.yaml +++ b/examples/tsm-node-multiinstance/tsm2.yaml 
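Review bot: `readOnlyRootFilesystem: false` in the securityContext hunk is a hardening regression in an example file, and the justification in the comment (local sqlite) does not match the rest of this example, which uses `DriverName = "postgres"` in the new config files and replaced an inline postgres/RDS configuration. Prefer keeping the read-only root and, if sqlite testing is required, documenting a writable volume for its path instead — whether the chart supports that is not visible from this hunk. Concretely: `readOnlyRootFilesystem: true  # set to false only when testing with the local sqlite database`. Since `configSecretName: tsm1-tsm-node` now carries the node's private key and database secrets, a comment naming the expected key in that Secret and referring to the README in this commit would replace the guidance that the removed inline config provided.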
@@ -1,95 +1,13 @@ replicaCount: 1 index: 2 -config: - # https://builder-vault-tsm.docs.blockdaemon.com/docs/example-tsm-configuration-file - configFile: | - [MPC] - Threshold = 1 - PlayerCount = 3 - - [Player] - Index = 2 - # This is a base64 encoding of the private key used to authenticate the local player towards the remote players. This - # must correspond to the public keys configured on the remote players for this player index. A private key can be - # generated using the following OpenSSL commands: - # - # openssl ecparam -name P-256 -genkey -param_enc named_curve -outform DER -out private.key - # openssl base64 -A -in private.key; echo - # - # Instead of P-256 one can use P-384 or P-521 depending on the desired security level (128, 192 or 256 bits). - PrivateKey = "BA3E64==" - - [Players.0] - Address = "tsm1-tsm-node:9000" - # This is a base64 encoding of the players public key. A public key can be generated from the private key using the - # following OpenSSL commands: - # - # openssl ec -inform DER -in private.key -pubout -outform DER -out public.key - # openssl base64 -A -in public.key; echo - PublicKey = "BA3E64==" - - [Players.1] - Address = "tsm2-tsm-node:9000" - PublicKey = "BA3E64==" - - [Authentication] - # List of API keys used for authentication in SDKv2 - [[Authentication.APIKeys]] - # Only for SDK V2 - # Base64 encoded hash of the API key. A hash for the API key foobar can be generated with the following command: - # - # echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64 - #APIKey = "" - # Users with the given API key will be mapped to this user in the system. If the user does not exist, it will be - # created automatically. Set this to an existing user ID to migrate from password to API key authentication. - #ApplicationID = "" - - [Database] - DriverName = "postgres" - # This specifies a master encryption key used to protect database records. Note that this key is not directly - # used to encrypt data. 
Use any long random string here and make sure to keep a backup of it somewhere safe. - EncryptorMasterPassword = "ENCRYPTION_KEY" - DataSourceName = "host=.rds.amazonaws.com port=5432 user=tsm2 password=mypass dbname=tsm2 sslmode=require" - - [MPCTCPServer] - Port = 9000 - - [SDKServer] - Port = 8080 - - [SEPD19S] - EnableShareBackup = true - EnableERSExport = true - [DKLS19] - EnableShareBackup = true - EnableERSExport = true - - [MultiInstance] - CleanupInterval = "5m" - CleanupProbability = 75 - - [Audit] - # URL of the audit receiver. Audit logs are sent to this URL - # Can be a file, HTTP location or s3 location: file://, https://, s3:// - #ReceiverURL = "" - - # When using an S3-compatible API as the ReceiverURL in [Audit], specify any - # non-standard S3 related parameters here - [Audit.S3EndpointConfig] - # If not using the default S3 endpoint, specify the custom one here - #EndpointURL = "" - # AWS or S3-compatible API region - #Region = "" - # Authorization keys for the S3-compatible API - #SecretAccessKey = "" - #AccessKeyId = "" - #SessionToken = "" +nodeConfig: # https://builder-vault-tsm.docs.blockdaemon.com/docs/example-tsm-configuration-file + configSecretName: tsm2-tsm-node image: repository: pullPolicy: IfNotPresent - tag: "61.0.2" # override the version of the image + tag: "62.2.4" # override the version of the image sdkService: type: NodePort @@ -132,13 +50,13 @@ affinity: resources: requests: - cpu: 14 + cpu: 6 securityContext: capabilities: drop: - ALL - readOnlyRootFilesystem: true + readOnlyRootFilesystem: false # Set to false for testing with the local sqlite runAsNonRoot: true runAsUser: 2000 allowPrivilegeEscalation: false
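Review bot: As with the other two instance files, `readOnlyRootFilesystem: false` relaxes the container hardening in an example whose new configuration uses `DriverName = "postgres"` (config2.toml above), so the "local sqlite" justification in the trailing comment does not apply to the example as shipped. I would keep `readOnlyRootFilesystem: true  # set to false only when testing with the local sqlite database` and, if a writable path is really needed, give sqlite a dedicated volume rather than the whole root filesystem — I cannot confirm from this hunk whether the chart offers extra volume mounts. The `configSecretName: tsm2-tsm-node` line replaces an inline config that documented how to generate the player key pair and the API-key hash; a comment pointing at the README or SecretProviderClass examples added in this commit would preserve that guidance for whoever creates the Secret.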