helm/gcp: use service account in operator and joinservice

Leonard Cohnen 2025-02-20 19:26:29 +01:00
parent 99a81cd246
commit 0df9431663
13 changed files with 124 additions and 0 deletions


@ -40,6 +40,9 @@ spec:
- --cloud-provider={{ .Values.csp }}
- --key-service-endpoint=key-service.{{ .Release.Namespace }}:{{ .Values.global.keyServicePort }}
- --attestation-variant={{ .Values.attestationVariant }}
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports:
- containerPort: {{ .Values.joinServicePort }}
name: tcp
@ -54,6 +60,10 @@ spec:
securityContext:
privileged: true
volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config
projected:
sources:
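Review bot: The new `env:` entry `GOOGLE_APPLICATION_CREDENTIALS` and the `gcekey` volumeMount/volume are rendered unconditionally, even though this container already switches on the provider via `--cloud-provider={{ .Values.csp }}`; the AWS, Azure, OpenStack and QEMU golden outputs in this commit show the GCP path rendered for them too. With the variable set, Google client libraries typically error on the missing file instead of falling back to the default credential chain, so if the service ever initializes a GCP client on another CSP this becomes a hard failure rather than a no-op. Suggest wrapping the three additions in `{{- if eq .Values.csp "GCP" }} … {{- end }}` and regenerating the golden files; the operator template in the next file section has the same shape. The container spec begins and continues outside these hunks.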


@ -42,6 +42,8 @@ spec:
value: {{ .Values.csp | quote }}
- name: constellation-uid
value: {{ .Values.constellationUID | quote }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: {{ .Values.controllerManager.manager.image | quote }}
livenessProbe:
httpGet:
@ -72,6 +74,9 @@ spec:
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket
readOnly: true
@ -109,6 +114,10 @@ spec:
name: gceconf
optional: true
name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket
hostPath:
path: /run/constellation-upgrade-agent.sock
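Review bot: `optional: true` on the `gcekey` secret volume means a pod on GCP still schedules when the secret is absent, but `GOOGLE_APPLICATION_CREDENTIALS` then points at a path that does not exist and the failure only surfaces at the first GCP API call, far from the cause. If the secret is provisioned out of band (which the optional flag suggests), a comment above the volume such as `# gcekey holds the GCP service-account key under data key key.json; optional so the chart renders when it is not provisioned` would record that contract, since the expected data key name is otherwise pinned only implicitly by the env value `/var/secrets/google/key.json`. The container spec continues outside the hunks.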


@ -50,6 +50,8 @@ spec:
value: GCP
- name: constellation-uid
value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage
livenessProbe:
httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket
readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf
optional: true
name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket
hostPath:
path: /run/constellation-upgrade-agent.sock


@ -40,6 +40,9 @@ spec:
- --cloud-provider=AWS
- --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=aws-nitro-tpm
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: /var/config
name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports:
- containerPort: 9090
name: tcp
@ -54,6 +60,10 @@ spec:
securityContext:
privileged: true
volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config
projected:
sources:


@ -50,6 +50,8 @@ spec:
value: Azure
- name: constellation-uid
value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage
livenessProbe:
httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket
readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf
optional: true
name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket
hostPath:
path: /run/constellation-upgrade-agent.sock


@ -40,6 +40,9 @@ spec:
- --cloud-provider=Azure
- --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=azure-sev-snp
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: /var/config
name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports:
- containerPort: 9090
name: tcp
@ -54,6 +60,10 @@ spec:
securityContext:
privileged: true
volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config
projected:
sources:


@ -50,6 +50,8 @@ spec:
value: GCP
- name: constellation-uid
value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage
livenessProbe:
httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket
readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf
optional: true
name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket
hostPath:
path: /run/constellation-upgrade-agent.sock


@ -40,6 +40,9 @@ spec:
- --cloud-provider=GCP
- --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=gcp-sev-es
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: /var/config
name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports:
- containerPort: 9090
name: tcp
@ -54,6 +60,10 @@ spec:
securityContext:
privileged: true
volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config
projected:
sources:


@ -50,6 +50,8 @@ spec:
value: GCP
- name: constellation-uid
value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage
livenessProbe:
httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket
readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf
optional: true
name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket
hostPath:
path: /run/constellation-upgrade-agent.sock


@ -40,6 +40,9 @@ spec:
- --cloud-provider=OpenStack
- --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=qemu-vtpm
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: /var/config
name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports:
- containerPort: 9090
name: tcp
@ -54,6 +60,10 @@ spec:
securityContext:
privileged: true
volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config
projected:
sources:


@ -50,6 +50,8 @@ spec:
value: QEMU
- name: constellation-uid
value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage
livenessProbe:
httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket
readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf
optional: true
name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket
hostPath:
path: /run/constellation-upgrade-agent.sock


@ -40,6 +40,9 @@ spec:
- --cloud-provider=QEMU
- --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=qemu-vtpm
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: /var/config
name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports:
- containerPort: 9090
name: tcp
@ -54,6 +60,10 @@ spec:
securityContext:
privileged: true
volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config
projected:
sources:


@ -31,6 +31,9 @@ spec:
- /manager
args:
- --leader-elect
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: controller:latest
name: manager
securityContext:
@ -60,6 +63,9 @@ spec:
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket
readOnly: true
@ -91,6 +97,10 @@ spec:
configMap:
name: gceconf
optional: true
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket
hostPath:
path: /run/constellation-upgrade-agent.sock
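Review bot: This manifest is plain kustomize with no templating, so the `GOOGLE_APPLICATION_CREDENTIALS` env var and the `gcekey` mount are baked into what looks like the CSP-agnostic base deployment (`image: controller:latest`, `name: manager`). If this base is also applied on non-GCP clusters, the GCP-only additions belong in a kustomize patch or overlay; at minimum a comment above the new `env:` block, `# GCP only: service-account key from the optional gcekey secret`, would make the provider coupling visible to the next reader. The container spec starts and ends outside the hunks.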