cli: install helm charts in cli instead of bootstrapper (#2136)

* init * fixup! init * gcp working? * fixup! fixup! init * azure cfg for microService installation * fixup! azure cfg for microService installation * fixup! azure cfg for microService installation * cleanup bootstrapper code * cleanup helminstall code * fixup! cleanup helminstall code * Update internal/deploy/helm/install.go Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com> * daniel feedback * TODO add provider (also to CreateCluster) so we can ensure that provider specific output * fixup! daniel feedback * use debugLog in helm installer * placeholderHelmInstaller * rename to stub --------- Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-08-01 19:46:07 -04:00 · 2023-07-31 10:53:05 +02:00 · 2023-07-31 10:53:05 +02:00 · 26305e8f80
commit 26305e8f80
parent ef60d00a60
38 changed files with 775 additions and 970 deletions
--- a/cli/internal/helm/BUILD.bazel
+++ b/cli/internal/helm/BUILD.bazel
@ -7,8 +7,10 @@ go_library(
        "backup.go",
        "client.go",
        "helm.go",
+        "helminstaller.go",
        "loader.go",
        "serviceversion.go",
+        "setup.go",
        "values.go",
    ],
    embedsrcs = [
@ -417,12 +419,17 @@ go_library(
    deps = [
        "//cli/internal/clusterid",
        "//cli/internal/helm/imageversion",
+        "//cli/internal/terraform",
+        "//internal/cloud/azureshared",
        "//internal/cloud/cloudprovider",
+        "//internal/cloud/gcpshared",
+        "//internal/cloud/openstack",
        "//internal/compatibility",
        "//internal/config",
        "//internal/constants",
        "//internal/deploy/helm",
        "//internal/file",
+        "//internal/kms/uri",
        "//internal/semver",
        "//internal/versions",
        "@com_github_pkg_errors//:errors",
--- a/cli/internal/helm/helminstaller.go
+++ b/cli/internal/helm/helminstaller.go
@ -0,0 +1,100 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package helm
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/edgelesssys/constellation/v2/cli/internal/clusterid"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/openstack"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+	helminstaller "github.com/edgelesssys/constellation/v2/internal/deploy/helm"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
+)
+
+// SuiteInstaller installs all Helm charts required for a constellation cluster.
+type SuiteInstaller interface {
+	Install(ctx context.Context, provider cloudprovider.Provider, masterSecret uri.MasterSecret,
+		idFile clusterid.File,
+		serviceAccURI string, releases *helminstaller.Releases,
+	) error
+}
+
+type helmInstallationClient struct {
+	log       debugLog
+	installer helmInstaller
+}
+
+// NewInstallationClient creates a new Helm installation client to install all Helm charts required for a constellation cluster.
+func NewInstallationClient(log debugLog) (SuiteInstaller, error) {
+	installer, err := helminstaller.NewInstaller(constants.AdminConfFilename, log)
+	if err != nil {
+		return nil, fmt.Errorf("creating Helm installer: %w", err)
+	}
+	return &helmInstallationClient{log: log, installer: installer}, nil
+}
+
+func (h helmInstallationClient) Install(ctx context.Context, provider cloudprovider.Provider, masterSecret uri.MasterSecret,
+	idFile clusterid.File,
+	serviceAccURI string, releases *helminstaller.Releases,
+) error {
+	serviceVals, err := setupMicroserviceVals(ctx, provider, masterSecret.Salt, idFile.UID, serviceAccURI)
+	if err != nil {
+		return fmt.Errorf("setting up microservice values: %w", err)
+	}
+	if err := h.installer.InstallChartWithValues(ctx, releases.ConstellationServices, serviceVals); err != nil {
+		return fmt.Errorf("installing microservices: %w", err)
+	}
+
+	h.log.Debugf("Installing cert-manager")
+	if err := h.installer.InstallChart(ctx, releases.CertManager); err != nil {
+		return fmt.Errorf("installing cert-manager: %w", err)
+	}
+
+	if releases.CSI != nil {
+		var csiVals map[string]any
+		if provider == cloudprovider.OpenStack {
+			creds, err := openstack.AccountKeyFromURI(serviceAccURI)
+			if err != nil {
+				return err
+			}
+			cinderIni := creds.CloudINI().CinderCSIConfiguration()
+			csiVals = map[string]any{
+				"cinder-config": map[string]any{
+					"secretData": cinderIni,
+				},
+			}
+		}
+
+		h.log.Debugf("Installing CSI deployments")
+		if err := h.installer.InstallChartWithValues(ctx, *releases.CSI, csiVals); err != nil {
+			return fmt.Errorf("installing CSI snapshot CRDs: %w", err)
+		}
+	}
+
+	if releases.AWSLoadBalancerController != nil {
+		h.log.Debugf("Installing AWS Load Balancer Controller")
+		if err := h.installer.InstallChart(ctx, *releases.AWSLoadBalancerController); err != nil {
+			return fmt.Errorf("installing AWS Load Balancer Controller: %w", err)
+		}
+	}
+
+	h.log.Debugf("Installing constellation operators")
+	operatorVals := setupOperatorVals(ctx, idFile.UID)
+	if err := h.installer.InstallChartWithValues(ctx, releases.ConstellationOperators, operatorVals); err != nil {
+		return fmt.Errorf("installing constellation operators: %w", err)
+	}
+
+	// TODO(elchead): AB#3301 do cilium after version upgrade
+	return nil
+}
+
+type helmInstaller interface {
+	InstallChart(context.Context, helminstaller.Release) error
+	InstallChartWithValues(ctx context.Context, release helminstaller.Release, extraValues map[string]any) error
+}
--- a/cli/internal/helm/loader.go
+++ b/cli/internal/helm/loader.go
@ -110,6 +110,19 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion,

 // Load the embedded helm charts.
 func (i *ChartLoader) Load(config *config.Config, conformanceMode bool, helmWaitMode helm.WaitMode, masterSecret, salt []byte) ([]byte, error) {
+	releases, err := i.LoadReleases(config, conformanceMode, helmWaitMode, masterSecret, salt)
+	if err != nil {
+		return nil, fmt.Errorf("loading releases: %w", err)
+	}
+	rel, err := json.Marshal(releases)
+	if err != nil {
+		return nil, err
+	}
+	return rel, nil
+}
+
+// LoadReleases loads the embedded helm charts and returns them as a HelmReleases object.
+func (i *ChartLoader) LoadReleases(config *config.Config, conformanceMode bool, helmWaitMode helm.WaitMode, masterSecret, salt []byte) (*helm.Releases, error) {
 	ciliumRelease, err := i.loadRelease(ciliumInfo, helmWaitMode)
 	if err != nil {
 		return nil, fmt.Errorf("loading cilium: %w", err)
@ -150,12 +163,7 @@ func (i *ChartLoader) Load(config *config.Config, conformanceMode bool, helmWait
 		}
 		releases.CSI = &csi
 	}
-
-	rel, err := json.Marshal(releases)
-	if err != nil {
-		return nil, err
-	}
-	return rel, nil
+	return &releases, nil
 }

 // loadRelease loads the embedded chart and values depending on the given info argument.
--- a/cli/internal/helm/setup.go
+++ b/cli/internal/helm/setup.go
@ -0,0 +1,134 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package helm
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+
+	"github.com/edgelesssys/constellation/v2/cli/internal/terraform"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/azureshared"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+)
+
+// setupMicroserviceVals returns the values for the microservice chart.
+func setupMicroserviceVals(ctx context.Context, provider cloudprovider.Provider, measurementSalt []byte, uid, serviceAccURI string) (map[string]any, error) {
+	tfClient, err := terraform.New(ctx, constants.TerraformWorkingDir)
+	if err != nil {
+		return nil, fmt.Errorf("creating Terraform client: %w", err)
+	}
+	output, err := tfClient.ShowCluster(ctx, provider)
+	if err != nil {
+		return nil, fmt.Errorf("getting Terraform output: %w", err)
+	}
+	extraVals := map[string]any{
+		"join-service": map[string]any{
+			"measurementSalt": base64.StdEncoding.EncodeToString(measurementSalt),
+		},
+		"verification-service": map[string]any{
+			"loadBalancerIP": output.IP,
+		},
+		"konnectivity": map[string]any{
+			"loadBalancerIP": output.IP,
+		},
+	}
+	switch provider {
+	case cloudprovider.GCP:
+		serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(serviceAccURI)
+		if err != nil {
+			return nil, fmt.Errorf("getting service account key: %w", err)
+		}
+		rawKey, err := json.Marshal(serviceAccountKey)
+		if err != nil {
+			return nil, fmt.Errorf("marshaling service account key: %w", err)
+		}
+		if output.GCP == nil {
+			return nil, fmt.Errorf("no GCP output from Terraform")
+		}
+		extraVals["ccm"] = map[string]any{
+			"GCP": map[string]any{
+				"projectID":         output.GCP.ProjectID,
+				"uid":               uid,
+				"secretData":        string(rawKey),
+				"subnetworkPodCIDR": output.GCP.IPCidrPod,
+			},
+		}
+	case cloudprovider.Azure:
+		if output.Azure == nil {
+			return nil, fmt.Errorf("no Azure output from Terraform")
+		}
+		ccmConfig, err := getCCMConfig(*output.Azure, serviceAccURI)
+		if err != nil {
+			return nil, fmt.Errorf("getting Azure CCM config: %w", err)
+		}
+		extraVals["ccm"] = map[string]any{
+			"Azure": map[string]any{
+				"azureConfig": string(ccmConfig),
+			},
+		}
+	}
+
+	return extraVals, nil
+}
+
+// setupOperatorVals returns the values for the constellation-operator chart.
+func setupOperatorVals(_ context.Context, uid string) map[string]any {
+	return map[string]any{
+		"constellation-operator": map[string]any{
+			"constellationUID": uid,
+		},
+	}
+}
+
+type cloudConfig struct {
+	Cloud                       string `json:"cloud,omitempty"`
+	TenantID                    string `json:"tenantId,omitempty"`
+	SubscriptionID              string `json:"subscriptionId,omitempty"`
+	ResourceGroup               string `json:"resourceGroup,omitempty"`
+	Location                    string `json:"location,omitempty"`
+	SubnetName                  string `json:"subnetName,omitempty"`
+	SecurityGroupName           string `json:"securityGroupName,omitempty"`
+	SecurityGroupResourceGroup  string `json:"securityGroupResourceGroup,omitempty"`
+	LoadBalancerName            string `json:"loadBalancerName,omitempty"`
+	LoadBalancerSku             string `json:"loadBalancerSku,omitempty"`
+	VNetName                    string `json:"vnetName,omitempty"`
+	VNetResourceGroup           string `json:"vnetResourceGroup,omitempty"`
+	CloudProviderBackoff        bool   `json:"cloudProviderBackoff,omitempty"`
+	UseInstanceMetadata         bool   `json:"useInstanceMetadata,omitempty"`
+	VMType                      string `json:"vmType,omitempty"`
+	UseManagedIdentityExtension bool   `json:"useManagedIdentityExtension,omitempty"`
+	UserAssignedIdentityID      string `json:"userAssignedIdentityID,omitempty"`
+}
+
+// GetCCMConfig returns the configuration needed for the Kubernetes Cloud Controller Manager on Azure.
+func getCCMConfig(tfOutput terraform.AzureApplyOutput, serviceAccURI string) ([]byte, error) {
+	creds, err := azureshared.ApplicationCredentialsFromURI(serviceAccURI)
+	if err != nil {
+		return nil, fmt.Errorf("getting service account key: %w", err)
+	}
+	useManagedIdentityExtension := creds.PreferredAuthMethod == azureshared.AuthMethodUserAssignedIdentity
+	config := cloudConfig{
+		Cloud:                       "AzurePublicCloud",
+		TenantID:                    creds.TenantID,
+		SubscriptionID:              tfOutput.SubscriptionID,
+		ResourceGroup:               tfOutput.ResourceGroup,
+		LoadBalancerSku:             "standard",
+		SecurityGroupName:           tfOutput.NetworkSecurityGroupName,
+		LoadBalancerName:            tfOutput.LoadBalancerName,
+		UseInstanceMetadata:         true,
+		VMType:                      "vmss",
+		Location:                    creds.Location,
+		UseManagedIdentityExtension: useManagedIdentityExtension,
+		UserAssignedIdentityID:      tfOutput.UserAssignedIdentity,
+	}
+
+	return json.Marshal(config)
+}