constellation/bootstrapper/internal/kubernetes/k8sapi/resources/verification.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package resources

import (
	"fmt"
	"net"
	"strings"

	"github.com/edgelesssys/constellation/v2/internal/constants"
	"github.com/edgelesssys/constellation/v2/internal/kubernetes"
	"github.com/edgelesssys/constellation/v2/internal/versions"
	"google.golang.org/protobuf/proto"
	apps "k8s.io/api/apps/v1"
	k8s "k8s.io/api/core/v1"
	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/util/intstr"
)

// VerificationDaemonset groups all k8s resources for the verification service deployment.
type VerificationDaemonset struct {
	DaemonSet    apps.DaemonSet
	Service      k8s.Service
	LoadBalancer k8s.Service
}

// NewVerificationDaemonSet creates a new VerificationDaemonset.
func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset {
	var err error
	if strings.Contains(loadBalancerIP, ":") {
		loadBalancerIP, _, err = net.SplitHostPort(loadBalancerIP)
		if err != nil {
			panic(err)
		}
	}
	return &VerificationDaemonset{
		DaemonSet: apps.DaemonSet{
			TypeMeta: meta.TypeMeta{
				APIVersion: "apps/v1",
				Kind:       "DaemonSet",
			},
			ObjectMeta: meta.ObjectMeta{
				Name:      "verification-service",
				Namespace: "kube-system",
				Labels: map[string]string{
					"k8s-app":   "verification-service",
					"component": "verification-service",
				},
			},
			Spec: apps.DaemonSetSpec{
				Selector: &meta.LabelSelector{
					MatchLabels: map[string]string{
						"k8s-app": "verification-service",
					},
				},
				Template: k8s.PodTemplateSpec{
					ObjectMeta: meta.ObjectMeta{
						Labels: map[string]string{
							"k8s-app": "verification-service",
						},
					},
					Spec: k8s.PodSpec{
						Tolerations: []k8s.Toleration{
							{
								Key:      "node-role.kubernetes.io/master",
								Operator: k8s.TolerationOpEqual,
								Value:    "true",
								Effect:   k8s.TaintEffectNoSchedule,
							},
							{
								Key:      "node-role.kubernetes.io/control-plane",
								Operator: k8s.TolerationOpExists,
								Effect:   k8s.TaintEffectNoSchedule,
							},
							{
								Operator: k8s.TolerationOpExists,
								Effect:   k8s.TaintEffectNoExecute,
							},
							{
								Operator: k8s.TolerationOpExists,
								Effect:   k8s.TaintEffectNoSchedule,
							},
						},
						Containers: []k8s.Container{
							{
								Name:  "verification-service",
								Image: versions.VerificationImage,
								Ports: []k8s.ContainerPort{
									{
										Name:          "http",
										ContainerPort: constants.VerifyServicePortHTTP,
									},
									{
										Name:          "grpc",
										ContainerPort: constants.VerifyServicePortGRPC,
									},
								},
								SecurityContext: &k8s.SecurityContext{
									Privileged: func(b bool) *bool { return &b }(true),
								},
								Args: []string{
									fmt.Sprintf("--cloud-provider=%s", csp),
								},
								VolumeMounts: []k8s.VolumeMount{
									{
										Name:      "event-log",
										ReadOnly:  true,
										MountPath: "/sys/kernel/security/",
									},
								},
							},
						},
						Volumes: []k8s.Volume{
							{
								Name: "event-log",
								VolumeSource: k8s.VolumeSource{
									HostPath: &k8s.HostPathVolumeSource{
										Path: "/sys/kernel/security/",
									},
								},
							},
						},
					},
				},
			},
		},
		Service: k8s.Service{
			TypeMeta: meta.TypeMeta{
				APIVersion: "v1",
				Kind:       "Service",
			},
			ObjectMeta: meta.ObjectMeta{
				Name:      "verification-service",
				Namespace: "kube-system",
			},
			Spec: k8s.ServiceSpec{
				Type: k8s.ServiceTypeNodePort,
				Ports: []k8s.ServicePort{
					{
						Name:       "http",
						Protocol:   k8s.ProtocolTCP,
						Port:       constants.VerifyServicePortHTTP,
						TargetPort: intstr.FromInt(constants.VerifyServicePortHTTP),
						NodePort:   constants.VerifyServiceNodePortHTTP,
					},
					{
						Name:       "grpc",
						Protocol:   k8s.ProtocolTCP,
						Port:       constants.VerifyServicePortGRPC,
						TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),
						NodePort:   constants.VerifyServiceNodePortGRPC,
					},
				},
				Selector: map[string]string{
					"k8s-app": "verification-service",
				},
			},
		},
		LoadBalancer: k8s.Service{
			TypeMeta: meta.TypeMeta{
				APIVersion: "v1",
				Kind:       "Service",
			},
			ObjectMeta: meta.ObjectMeta{
				Name:      "verify",
				Namespace: "kube-system",
			},
			Spec: k8s.ServiceSpec{
				AllocateLoadBalancerNodePorts: proto.Bool(false),
				Type:                          k8s.ServiceTypeLoadBalancer,
				LoadBalancerClass:             proto.String("constellation"),
				ExternalIPs:                   []string{loadBalancerIP},
				Ports: []k8s.ServicePort{
					{
						Name:       "grpc",
						Protocol:   k8s.ProtocolTCP,
						Port:       constants.VerifyServiceNodePortGRPC,
						TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),
					},
				},
				Selector: map[string]string{
					"k8s-app": "verification-service",
				},
			},
		},
	}
}

// Marshal to Kubernetes YAML.
func (v *VerificationDaemonset) Marshal() ([]byte, error) {
	return kubernetes.MarshalK8SResources(v)
}
add license headers sed -i '1i/\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w . 2022-09-05 03:06:08 -04:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`package resources`

			`import (`
			`"fmt"`
add verify load balancer 2022-09-01 09:01:23 -04:00			`"net"`
			`"strings"`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00
Upgrade go module to v2 2022-09-21 07:47:57 -04:00			`"github.com/edgelesssys/constellation/v2/internal/constants"`
			`"github.com/edgelesssys/constellation/v2/internal/kubernetes"`
			`"github.com/edgelesssys/constellation/v2/internal/versions"`
add verify load balancer 2022-09-01 09:01:23 -04:00			`"google.golang.org/protobuf/proto"`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`apps "k8s.io/api/apps/v1"`
			`k8s "k8s.io/api/core/v1"`
			`meta "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/util/intstr"`
			`)`

Document exported funcs,types,interfaces and enable check. (#475) * Include EXC0014 and fix issues. * Include EXC0012 and fix issues. Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: Otto Bittner <cobittner@posteo.net> 2022-11-09 09:57:54 -05:00			`// VerificationDaemonset groups all k8s resources for the verification service deployment.`
Feat/revive (#212) * enable revive as linter * fix var-naming revive issues * fix blank-imports revive issues * fix receiver-naming revive issues * fix exported revive issues * fix indent-error-flow revive issues * fix unexported-return revive issues * fix indent-error-flow revive issues Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-10-05 09:02:46 -04:00			`type VerificationDaemonset struct {`
add verify load balancer 2022-09-01 09:01:23 -04:00			`DaemonSet apps.DaemonSet`
			`Service k8s.Service`
			`LoadBalancer k8s.Service`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`}`

Document exported funcs,types,interfaces and enable check. (#475) * Include EXC0014 and fix issues. * Include EXC0012 and fix issues. Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: Otto Bittner <cobittner@posteo.net> 2022-11-09 09:57:54 -05:00			`// NewVerificationDaemonSet creates a new VerificationDaemonset.`
Feat/revive (#212) * enable revive as linter * fix var-naming revive issues * fix blank-imports revive issues * fix receiver-naming revive issues * fix exported revive issues * fix indent-error-flow revive issues * fix unexported-return revive issues * fix indent-error-flow revive issues Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-10-05 09:02:46 -04:00			`func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset {`
add verify load balancer 2022-09-01 09:01:23 -04:00			`var err error`
			`if strings.Contains(loadBalancerIP, ":") {`
			`loadBalancerIP, _, err = net.SplitHostPort(loadBalancerIP)`
			`if err != nil {`
			`panic(err)`
			`}`
			`}`
Feat/revive (#212) * enable revive as linter * fix var-naming revive issues * fix blank-imports revive issues * fix receiver-naming revive issues * fix exported revive issues * fix indent-error-flow revive issues * fix unexported-return revive issues * fix indent-error-flow revive issues Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-10-05 09:02:46 -04:00			`return &VerificationDaemonset{`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`DaemonSet: apps.DaemonSet{`
			`TypeMeta: meta.TypeMeta{`
			`APIVersion: "apps/v1",`
			`Kind: "DaemonSet",`
			`},`
			`ObjectMeta: meta.ObjectMeta{`
			`Name: "verification-service",`
			`Namespace: "kube-system",`
			`Labels: map[string]string{`
			`"k8s-app": "verification-service",`
			`"component": "verification-service",`
			`},`
			`},`
			`Spec: apps.DaemonSetSpec{`
			`Selector: &meta.LabelSelector{`
			`MatchLabels: map[string]string{`
			`"k8s-app": "verification-service",`
			`},`
			`},`
			`Template: k8s.PodTemplateSpec{`
			`ObjectMeta: meta.ObjectMeta{`
			`Labels: map[string]string{`
			`"k8s-app": "verification-service",`
			`},`
			`},`
			`Spec: k8s.PodSpec{`
			`Tolerations: []k8s.Toleration{`
			`{`
			`Key: "node-role.kubernetes.io/master",`
			`Operator: k8s.TolerationOpEqual,`
			`Value: "true",`
			`Effect: k8s.TaintEffectNoSchedule,`
			`},`
			`{`
			`Key: "node-role.kubernetes.io/control-plane",`
			`Operator: k8s.TolerationOpExists,`
			`Effect: k8s.TaintEffectNoSchedule,`
			`},`
			`{`
			`Operator: k8s.TolerationOpExists,`
			`Effect: k8s.TaintEffectNoExecute,`
			`},`
			`{`
			`Operator: k8s.TolerationOpExists,`
			`Effect: k8s.TaintEffectNoSchedule,`
			`},`
			`},`
			`Containers: []k8s.Container{`
			`{`
			`Name: "verification-service",`
AB#2074: Choosable K8S Version (#277) AB#2074: Add configurable k8s version Configurable version flow: * cli config holds/validates k8sVersion * InitCluster receive a k8sVersion arg * InitCluster creates CM "k8s-version" * kubeadm's InitConfiguration receives k8sVersion * joinservice spec mounts/reads k8s-version CM * joinservice supplies k8sVersion via JoinTicketResponse Other changes: * Remove unused test code (FakeK8SClient) * move VersionConfig map to /internal/versions * installk8sComponents is now a function instead of a method 2022-07-18 06:28:02 -04:00			`Image: versions.VerificationImage,`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`Ports: []k8s.ContainerPort{`
			`{`
			`Name: "http",`
			`ContainerPort: constants.VerifyServicePortHTTP,`
			`},`
			`{`
			`Name: "grpc",`
			`ContainerPort: constants.VerifyServicePortGRPC,`
			`},`
			`},`
			`SecurityContext: &k8s.SecurityContext{`
			`Privileged: func(b bool) *bool { return &b }(true),`
			`},`
			`Args: []string{`
			`fmt.Sprintf("--cloud-provider=%s", csp),`
			`},`
			`VolumeMounts: []k8s.VolumeMount{`
			`{`
			`Name: "event-log",`
			`ReadOnly: true,`
			`MountPath: "/sys/kernel/security/",`
			`},`
			`},`
			`},`
			`},`
			`Volumes: []k8s.Volume{`
			`{`
			`Name: "event-log",`
			`VolumeSource: k8s.VolumeSource{`
			`HostPath: &k8s.HostPathVolumeSource{`
			`Path: "/sys/kernel/security/",`
			`},`
			`},`
			`},`
			`},`
			`},`
			`},`
			`},`
			`},`
			`Service: k8s.Service{`
			`TypeMeta: meta.TypeMeta{`
			`APIVersion: "v1",`
			`Kind: "Service",`
			`},`
			`ObjectMeta: meta.ObjectMeta{`
Fix service naming (#252) Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-07-05 09:31:06 -04:00			`Name: "verification-service",`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`Namespace: "kube-system",`
			`},`
			`Spec: k8s.ServiceSpec{`
			`Type: k8s.ServiceTypeNodePort,`
			`Ports: []k8s.ServicePort{`
			`{`
			`Name: "http",`
			`Protocol: k8s.ProtocolTCP,`
			`Port: constants.VerifyServicePortHTTP,`
			`TargetPort: intstr.FromInt(constants.VerifyServicePortHTTP),`
			`NodePort: constants.VerifyServiceNodePortHTTP,`
			`},`
			`{`
			`Name: "grpc",`
			`Protocol: k8s.ProtocolTCP,`
			`Port: constants.VerifyServicePortGRPC,`
			`TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),`
			`NodePort: constants.VerifyServiceNodePortGRPC,`
			`},`
			`},`
			`Selector: map[string]string{`
			`"k8s-app": "verification-service",`
			`},`
			`},`
			`},`
add verify load balancer 2022-09-01 09:01:23 -04:00			`LoadBalancer: k8s.Service{`
			`TypeMeta: meta.TypeMeta{`
			`APIVersion: "v1",`
			`Kind: "Service",`
			`},`
			`ObjectMeta: meta.ObjectMeta{`
			`Name: "verify",`
			`Namespace: "kube-system",`
			`},`
			`Spec: k8s.ServiceSpec{`
			`AllocateLoadBalancerNodePorts: proto.Bool(false),`
			`Type: k8s.ServiceTypeLoadBalancer,`
			`LoadBalancerClass: proto.String("constellation"),`
			`ExternalIPs: []string{loadBalancerIP},`
			`Ports: []k8s.ServicePort{`
			`{`
			`Name: "grpc",`
			`Protocol: k8s.ProtocolTCP,`
			`Port: constants.VerifyServiceNodePortGRPC,`
			`TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),`
			`},`
			`},`
			`Selector: map[string]string{`
			`"k8s-app": "verification-service",`
			`},`
			`},`
			`},`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`}`
			`}`

Document exported funcs,types,interfaces and enable check. (#475) * Include EXC0014 and fix issues. * Include EXC0012 and fix issues. Signed-off-by: Fabian Kammel <fk@edgeless.systems> Co-authored-by: Otto Bittner <cobittner@posteo.net> 2022-11-09 09:57:54 -05:00			`// Marshal to Kubernetes YAML.`
Feat/revive (#212) * enable revive as linter * fix var-naming revive issues * fix blank-imports revive issues * fix receiver-naming revive issues * fix exported revive issues * fix indent-error-flow revive issues * fix unexported-return revive issues * fix indent-error-flow revive issues Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-10-05 09:02:46 -04:00			`func (v *VerificationDaemonset) Marshal() ([]byte, error) {`
Move cloud metadata packages and kubernetes resources marshaling to internal Decouples cloud provider metadata packages from kubernetes related code Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-08-29 08:30:20 -04:00			`return kubernetes.MarshalK8SResources(v)`
AB#2190 Verification service (#232) * Add verification service * Update verify command to use new Constellation verification service * Deploy verification service on cluster init * Update pcr-reader to use verification service * Add verification service build workflow Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-06-28 11:03:28 -04:00			`}`