Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-23 00:10:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

helm/gcp: use service account in operator and joinservice

Browse Source
This commit is contained in:
Leonard Cohnen 2025-02-20 19:26:29 +01:00
parent 99a81cd246
commit 0df9431663
13 changed files with 124 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
internal/constellation/helm/charts/edgeless/constellation-services/charts/join-service/templates/daemonset.yaml
View File

@ -40,6 +40,9 @@ spec:
- --cloud-provider={{ .Values.csp }} - --cloud-provider={{ .Values.csp }}
- --key-service-endpoint=key-service.{{ .Release.Namespace }}:{{ .Values.global.keyServicePort }} - --key-service-endpoint=key-service.{{ .Release.Namespace }}:{{ .Values.global.keyServicePort }}
- --attestation-variant={{ .Values.attestationVariant }} - --attestation-variant={{ .Values.attestationVariant }}
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts: volumeMounts:
- mountPath: {{ .Values.global.serviceBasePath | quote }} - mountPath: {{ .Values.global.serviceBasePath | quote }}
name: config name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes - mountPath: /etc/kubernetes
name: kubeadm name: kubeadm
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports: ports:
- containerPort: {{ .Values.joinServicePort }} - containerPort: {{ .Values.joinServicePort }}
name: tcp name: tcp
@ -54,6 +60,10 @@ spec:
securityContext: securityContext:
privileged: true privileged: true
volumes: volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config - name: config
projected: projected:
sources: sources:

9
internal/constellation/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml
View File

@ -42,6 +42,8 @@ spec:
value: {{ .Values.csp | quote }} value: {{ .Values.csp | quote }}
- name: constellation-uid - name: constellation-uid
value: {{ .Values.constellationUID | quote }} value: {{ .Values.constellationUID | quote }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: {{ .Values.controllerManager.manager.image | quote }} image: {{ .Values.controllerManager.manager.image | quote }}
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -72,6 +74,9 @@ spec:
- mountPath: /etc/gce - mountPath: /etc/gce
name: gceconf name: gceconf
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock - mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket name: upgrade-agent-socket
readOnly: true readOnly: true
@ -109,6 +114,10 @@ spec:
name: gceconf name: gceconf
optional: true optional: true
name: gceconf name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket - name: upgrade-agent-socket
hostPath: hostPath:
path: /run/constellation-upgrade-agent.sock path: /run/constellation-upgrade-agent.sock

9
internal/constellation/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml vendored
View File

@ -50,6 +50,8 @@ spec:
value: GCP value: GCP
- name: constellation-uid - name: constellation-uid
value: "42424242424242" value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage image: constellationOperatorImage
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce - mountPath: /etc/gce
name: gceconf name: gceconf
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock - mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket name: upgrade-agent-socket
readOnly: true readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf name: gceconf
optional: true optional: true
name: gceconf name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket - name: upgrade-agent-socket
hostPath: hostPath:
path: /run/constellation-upgrade-agent.sock path: /run/constellation-upgrade-agent.sock

10
internal/constellation/helm/testdata/AWS/constellation-services/charts/join-service/templates/daemonset.yaml vendored
View File

@ -40,6 +40,9 @@ spec:
- --cloud-provider=AWS - --cloud-provider=AWS
- --key-service-endpoint=key-service.testNamespace:9000 - --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=aws-nitro-tpm - --attestation-variant=aws-nitro-tpm
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes - mountPath: /etc/kubernetes
name: kubeadm name: kubeadm
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports: ports:
- containerPort: 9090 - containerPort: 9090
name: tcp name: tcp
@ -54,6 +60,10 @@ spec:
securityContext: securityContext:
privileged: true privileged: true
volumes: volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config - name: config
projected: projected:
sources: sources:

9
internal/constellation/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml vendored
View File

@ -50,6 +50,8 @@ spec:
value: Azure value: Azure
- name: constellation-uid - name: constellation-uid
value: "42424242424242" value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage image: constellationOperatorImage
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce - mountPath: /etc/gce
name: gceconf name: gceconf
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock - mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket name: upgrade-agent-socket
readOnly: true readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf name: gceconf
optional: true optional: true
name: gceconf name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket - name: upgrade-agent-socket
hostPath: hostPath:
path: /run/constellation-upgrade-agent.sock path: /run/constellation-upgrade-agent.sock

10
internal/constellation/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml vendored
View File

@ -40,6 +40,9 @@ spec:
- --cloud-provider=Azure - --cloud-provider=Azure
- --key-service-endpoint=key-service.testNamespace:9000 - --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=azure-sev-snp - --attestation-variant=azure-sev-snp
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes - mountPath: /etc/kubernetes
name: kubeadm name: kubeadm
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports: ports:
- containerPort: 9090 - containerPort: 9090
name: tcp name: tcp
@ -54,6 +60,10 @@ spec:
securityContext: securityContext:
privileged: true privileged: true
volumes: volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config - name: config
projected: projected:
sources: sources:

9
internal/constellation/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml vendored
View File

@ -50,6 +50,8 @@ spec:
value: GCP value: GCP
- name: constellation-uid - name: constellation-uid
value: "42424242424242" value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage image: constellationOperatorImage
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce - mountPath: /etc/gce
name: gceconf name: gceconf
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock - mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket name: upgrade-agent-socket
readOnly: true readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf name: gceconf
optional: true optional: true
name: gceconf name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket - name: upgrade-agent-socket
hostPath: hostPath:
path: /run/constellation-upgrade-agent.sock path: /run/constellation-upgrade-agent.sock

10
internal/constellation/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml vendored
View File

@ -40,6 +40,9 @@ spec:
- --cloud-provider=GCP - --cloud-provider=GCP
- --key-service-endpoint=key-service.testNamespace:9000 - --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=gcp-sev-es - --attestation-variant=gcp-sev-es
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes - mountPath: /etc/kubernetes
name: kubeadm name: kubeadm
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports: ports:
- containerPort: 9090 - containerPort: 9090
name: tcp name: tcp
@ -54,6 +60,10 @@ spec:
securityContext: securityContext:
privileged: true privileged: true
volumes: volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config - name: config
projected: projected:
sources: sources:

9
internal/constellation/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml vendored
View File

@ -50,6 +50,8 @@ spec:
value: GCP value: GCP
- name: constellation-uid - name: constellation-uid
value: "42424242424242" value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage image: constellationOperatorImage
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce - mountPath: /etc/gce
name: gceconf name: gceconf
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock - mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket name: upgrade-agent-socket
readOnly: true readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf name: gceconf
optional: true optional: true
name: gceconf name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket - name: upgrade-agent-socket
hostPath: hostPath:
path: /run/constellation-upgrade-agent.sock path: /run/constellation-upgrade-agent.sock

10
internal/constellation/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml vendored
View File

@ -40,6 +40,9 @@ spec:
- --cloud-provider=OpenStack - --cloud-provider=OpenStack
- --key-service-endpoint=key-service.testNamespace:9000 - --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=qemu-vtpm - --attestation-variant=qemu-vtpm
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes - mountPath: /etc/kubernetes
name: kubeadm name: kubeadm
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports: ports:
- containerPort: 9090 - containerPort: 9090
name: tcp name: tcp
@ -54,6 +60,10 @@ spec:
securityContext: securityContext:
privileged: true privileged: true
volumes: volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config - name: config
projected: projected:
sources: sources:

9
internal/constellation/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml vendored
View File

@ -50,6 +50,8 @@ spec:
value: QEMU value: QEMU
- name: constellation-uid - name: constellation-uid
value: "42424242424242" value: "42424242424242"
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: constellationOperatorImage image: constellationOperatorImage
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -86,6 +88,9 @@ spec:
- mountPath: /etc/gce - mountPath: /etc/gce
name: gceconf name: gceconf
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock - mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket name: upgrade-agent-socket
readOnly: true readOnly: true
@ -123,6 +128,10 @@ spec:
name: gceconf name: gceconf
optional: true optional: true
name: gceconf name: gceconf
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket - name: upgrade-agent-socket
hostPath: hostPath:
path: /run/constellation-upgrade-agent.sock path: /run/constellation-upgrade-agent.sock

10
internal/constellation/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml vendored
View File

@ -40,6 +40,9 @@ spec:
- --cloud-provider=QEMU - --cloud-provider=QEMU
- --key-service-endpoint=key-service.testNamespace:9000 - --key-service-endpoint=key-service.testNamespace:9000
- --attestation-variant=qemu-vtpm - --attestation-variant=qemu-vtpm
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts: volumeMounts:
- mountPath: /var/config - mountPath: /var/config
name: config name: config
@ -47,6 +50,9 @@ spec:
- mountPath: /etc/kubernetes - mountPath: /etc/kubernetes
name: kubeadm name: kubeadm
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
ports: ports:
- containerPort: 9090 - containerPort: 9090
name: tcp name: tcp
@ -54,6 +60,10 @@ spec:
securityContext: securityContext:
privileged: true privileged: true
volumes: volumes:
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: config - name: config
projected: projected:
sources: sources:

10
operators/constellation-node-operator/config/manager/manager.yaml
View File

@ -31,6 +31,9 @@ spec:
- /manager - /manager
args: args:
- --leader-elect - --leader-elect
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
image: controller:latest image: controller:latest
name: manager name: manager
securityContext: securityContext:
@ -60,6 +63,9 @@ spec:
- mountPath: /etc/gce - mountPath: /etc/gce
name: gceconf name: gceconf
readOnly: true readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
- mountPath: /etc/constellation-upgrade-agent.sock - mountPath: /etc/constellation-upgrade-agent.sock
name: upgrade-agent-socket name: upgrade-agent-socket
readOnly: true readOnly: true
@ -91,6 +97,10 @@ spec:
configMap: configMap:
name: gceconf name: gceconf
optional: true optional: true
- name: gcekey
secret:
secretName: gcekey
optional: true
- name: upgrade-agent-socket - name: upgrade-agent-socket
hostPath: hostPath:
path: /run/constellation-upgrade-agent.sock path: /run/constellation-upgrade-agent.sock