From 0df94316638c50570973dd26a64e94323f302df5 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Thu, 20 Feb 2025 19:26:29 +0100
Subject: [PATCH] helm/gcp: use service account in operator and joinservice
---
 .../charts/join-service/templates/daemonset.yaml | 10 ++++++++++
 .../constellation-operator/templates/deployment.yaml | 9 +++++++++
 .../constellation-operator/templates/deployment.yaml | 9 +++++++++
 .../charts/join-service/templates/daemonset.yaml | 10 ++++++++++
 .../constellation-operator/templates/deployment.yaml | 9 +++++++++
 .../charts/join-service/templates/daemonset.yaml | 10 ++++++++++
 .../constellation-operator/templates/deployment.yaml | 9 +++++++++
 .../charts/join-service/templates/daemonset.yaml | 10 ++++++++++
 .../constellation-operator/templates/deployment.yaml | 9 +++++++++
 .../charts/join-service/templates/daemonset.yaml | 10 ++++++++++
 .../constellation-operator/templates/deployment.yaml | 9 +++++++++
 .../charts/join-service/templates/daemonset.yaml | 10 ++++++++++
 .../config/manager/manager.yaml | 10 ++++++++++
 13 files changed, 124 insertions(+)
diff --git a/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
index fe6460d4a..5eed603c5 100644
--- a/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
@@ -40,6 +40,9 @@ spec:
 - --cloud-provider={{ .Values.csp }}
 - --key-service-endpoint=key-service.{{ .Release.Namespace }}:{{ .Values.global.keyServicePort }}
 - --attestation-variant={{ .Values.attestationVariant }}
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 volumeMounts:
 - mountPath: {{ .Values.global.serviceBasePath | quote }}
 name: config
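Review bot: `GOOGLE_APPLICATION_CREDENTIALS` is set for every cloud provider here, not only GCP: the new `env:` block sits outside any `{{- if eq .Values.csp "GCP" }}` guard, and the regenerated AWS, Azure, OpenStack and QEMU testdata later in this patch shows the variable rendered on those platforms too, pointing at a file that never exists there. That is presumably harmless as long as only the GCP code path constructs a Google client, but it leaks a GCP-specific credential contract into every CSP's pod spec and makes the `optional: true` volume in the later hunk read as if the key were optional on GCP as well. I'd wrap the three added lines in `{{- if eq .Values.csp "GCP" }}` … `{{- end }}` (and do the same for the matching mount and volume), so the rendered manifest for the other providers is unchanged. The container spec continues outside the hunk.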
@@ -47,6 +50,9 @@ spec:
 - mountPath: /etc/kubernetes
 name: kubeadm
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 ports:
 - containerPort: {{ .Values.joinServicePort }}
 name: tcp
@@ -54,6 +60,10 @@ spec:
 securityContext:
 privileged: true
 volumes:
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: config
 projected:
 sources:
diff --git a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
index 9083df141..5afe29d9b 100644
--- a/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
+++ b/internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
@@ -42,6 +42,8 @@ spec:
 value: {{ .Values.csp | quote }}
 - name: constellation-uid
 value: {{ .Values.constellationUID | quote }}
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 image: {{ .Values.controllerManager.manager.image | quote }}
 livenessProbe:
 httpGet:
@@ -72,6 +74,9 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -109,6 +114,10 @@ spec:
 name: gceconf
 optional: true
 name: gceconf
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
diff --git a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml
index 01d9e6f57..3950967c1 100644
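Review bot: `optional: true` on the new `gcekey` volume does not make the credential optional on GCP, because the first hunk pins `GOOGLE_APPLICATION_CREDENTIALS` to `/var/secrets/google/key.json`; as far as I know the Google auth libraries treat an explicitly set path that cannot be opened as a hard error rather than falling back to the VM's metadata-server identity, so a missing or misnamed Secret surfaces as an auth failure in a Running pod instead of a scheduling error. The Secret name and the expected data key are only implied by the mount path, so I'd document the contract above the volume: `# GCP only: Secret "gcekey" must carry a data key named key.json (a GCP service-account key read via GOOGLE_APPLICATION_CREDENTIALS); optional so non-GCP clusters still schedule.` Given this DaemonSet runs `privileged: true` and the file is presumably a long-lived service-account key, I'd also add `defaultMode: 0400` under `secret:` so the key is not world-readable inside the container; cheap even if the process runs as root today.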
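Review bot: The commit message does not say why the operator should authenticate with a static key file instead of the identity the GCE metadata server already gives the node, and a JSON service-account key is a long-lived credential that anyone able to read Secrets in `{{ .Release.Namespace }}` can copy and use from outside the cluster. If the motivation is to give the operator a narrower role than the VM service account, that rationale and the minimum IAM roles the key needs belong in a comment above the new env entry, e.g. `# GCP: dedicated service-account key from Secret gcekey so the operator does not inherit the node VM's IAM role; rotate by replacing the Secret.` (adjust to the actual reason). I'd also confirm the chart's RBAC keeps `gcekey` readable only by the operator and join-service ServiceAccounts; this patch does not touch RBAC. The `env` list continues outside the hunk.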
--- a/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml
+++ b/internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
 value: GCP
 - name: constellation-uid
 value: "42424242424242"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 image: constellationOperatorImage
 livenessProbe:
 httpGet:
@@ -86,6 +88,9 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -123,6 +128,10 @@ spec:
 name: gceconf
 optional: true
 name: gceconf
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
diff --git a/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml
index 2156f82a6..7c65a887f 100644
--- a/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml
@@ -40,6 +40,9 @@ spec:
 - --cloud-provider=AWS
 - --key-service-endpoint=key-service.testNamespace:9000
 - --attestation-variant=aws-nitro-tpm
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 volumeMounts:
 - mountPath: /var/config
 name: config
@@ -47,6 +50,9 @@ spec:
 - mountPath: /etc/kubernetes
 name: kubeadm
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 ports:
 - containerPort: 9090
 name: tcp
@@ -54,6 +60,10 @@ spec:
 securityContext:
 privileged: true
 volumes:
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: config
 projected:
 sources:
diff --git a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml
index d50c5492f..da3bfa7fd 100644
--- a/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml
+++ b/internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
 value: Azure
 - name: constellation-uid
 value: "42424242424242"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 image: constellationOperatorImage
 livenessProbe:
 httpGet:
@@ -86,6 +88,9 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -123,6 +128,10 @@ spec:
 name: gceconf
 optional: true
 name: gceconf
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
diff --git a/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml
index 05f397876..361089daa 100644
--- a/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml
@@ -40,6 +40,9 @@ spec:
 - --cloud-provider=Azure
 - --key-service-endpoint=key-service.testNamespace:9000
 - --attestation-variant=azure-sev-snp
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 volumeMounts:
 - mountPath: /var/config
 name: config
@@ -47,6 +50,9 @@ spec:
 - mountPath: /etc/kubernetes
 name: kubeadm
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 ports:
 - containerPort: 9090
 name: tcp
@@ -54,6 +60,10 @@ spec:
 securityContext:
 privileged: true
 volumes:
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: config
 projected:
 sources:
diff --git a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml
index 01d9e6f57..3950967c1 100644
--- a/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml
+++ b/internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
 value: GCP
 - name: constellation-uid
 value: "42424242424242"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 image: constellationOperatorImage
 livenessProbe:
 httpGet:
@@ -86,6 +88,9 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -123,6 +128,10 @@ spec:
 name: gceconf
 optional: true
 name: gceconf
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
diff --git a/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml
index 0ddfa9201..d50416871 100644
--- a/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml
@@ -40,6 +40,9 @@ spec:
 - --cloud-provider=GCP
 - --key-service-endpoint=key-service.testNamespace:9000
 - --attestation-variant=gcp-sev-es
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 volumeMounts:
 - mountPath: /var/config
 name: config
@@ -47,6 +50,9 @@ spec:
 - mountPath: /etc/kubernetes
 name: kubeadm
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 ports:
 - containerPort: 9090
 name: tcp
@@ -54,6 +60,10 @@ spec:
 securityContext:
 privileged: true
 volumes:
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: config
 projected:
 sources:
diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml
index 01d9e6f57..3950967c1 100644
--- a/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml
+++ b/internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
 value: GCP
 - name: constellation-uid
 value: "42424242424242"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 image: constellationOperatorImage
 livenessProbe:
 httpGet:
@@ -86,6 +88,9 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -123,6 +128,10 @@ spec:
 name: gceconf
 optional: true
 name: gceconf
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
diff --git a/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml
index 0ed907f4d..96258cbe2 100644
--- a/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml
@@ -40,6 +40,9 @@ spec:
 - --cloud-provider=OpenStack
 - --key-service-endpoint=key-service.testNamespace:9000
 - --attestation-variant=qemu-vtpm
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 volumeMounts:
 - mountPath: /var/config
 name: config
@@ -47,6 +50,9 @@ spec:
 - mountPath: /etc/kubernetes
 name: kubeadm
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 ports:
 - containerPort: 9090
 name: tcp
@@ -54,6 +60,10 @@ spec:
 securityContext:
 privileged: true
 volumes:
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: config
 projected:
 sources:
diff --git a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml
index 99e4a790d..edad32c8d 100644
--- a/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml
+++ b/internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml
@@ -50,6 +50,8 @@ spec:
 value: QEMU
 - name: constellation-uid
 value: "42424242424242"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 image: constellationOperatorImage
 livenessProbe:
 httpGet:
@@ -86,6 +88,9 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -123,6 +128,10 @@ spec:
 name: gceconf
 optional: true
 name: gceconf
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
diff --git a/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml b/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml
index 71ad80428..b1db9147f 100644
--- a/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml
+++ b/internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml
@@ -40,6 +40,9 @@ spec:
 - --cloud-provider=QEMU
 - --key-service-endpoint=key-service.testNamespace:9000
 - --attestation-variant=qemu-vtpm
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 volumeMounts:
 - mountPath: /var/config
 name: config
@@ -47,6 +50,9 @@ spec:
 - mountPath: /etc/kubernetes
 name: kubeadm
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 ports:
 - containerPort: 9090
 name: tcp
@@ -54,6 +60,10 @@ spec:
 securityContext:
 privileged: true
 volumes:
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: config
 projected:
 sources:
diff --git a/operators/constellation-node-operator/config/manager/manager.yaml b/operators/constellation-node-operator/config/manager/manager.yaml
index 32b39e301..314209305 100644
--- a/operators/constellation-node-operator/config/manager/manager.yaml
+++ b/operators/constellation-node-operator/config/manager/manager.yaml
@@ -31,6 +31,9 @@ spec:
 - /manager
 args:
 - --leader-elect
+ env:
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/secrets/google/key.json
 image: controller:latest
 name: manager
 securityContext:
@@ -60,6 +63,9 @@ spec:
 - mountPath: /etc/gce
 name: gceconf
 readOnly: true
+ - mountPath: /var/secrets/google
+ name: gcekey
+ readOnly: true
 - mountPath: /etc/constellation-upgrade-agent.sock
 name: upgrade-agent-socket
 readOnly: true
@@ -91,6 +97,10 @@ spec:
 configMap:
 name: gceconf
 optional: true
+ - name: gcekey
+ secret:
+ secretName: gcekey
+ optional: true
 - name: upgrade-agent-socket
 hostPath:
 path: /run/constellation-upgrade-agent.sock
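Review bot: Nothing under `config/` in this patch creates the `gcekey` Secret that the kustomize base now mounts, and no RBAC, generator or README change accompanies it, so someone deploying the operator from this base on GCP presumably gets a manager that starts (the volume is `optional: true`) and then fails on its first Google API call because `GOOGLE_APPLICATION_CREDENTIALS` points at a file that was never projected. I'd state the provisioning contract in a comment above the volume: `# Provided out of band (Helm chart / bootstrap), not by this kustomization: Secret gcekey with data key key.json holding a GCP service-account key; only meaningful on GCP.` The container's `securityContext` block sits outside the hunk; if it runs the manager as non-root, check that the default 0644 root-owned Secret file mode (or any tighter `defaultMode`) stays readable by that UID.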