Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-26 07:16:08 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add helm unittests (#380)

Browse Source
This commit is contained in:
Otto Bittner 2022-10-31 19:25:02 +01:00 committed by GitHub
parent 3933a97567
commit 30bdbd9b85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
68 changed files with 1217 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
.github/workflows/test-helm-lint.yaml vendored
View File

@ -1,41 +0,0 @@
name: Lint Helm Charts
on:
workflow_dispatch:
push:
branches:
- main
- "release/**"
paths:
- "cli/internal/helm/charts/**"
pull_request:
paths:
- "cli/internal/helm/charts/**"
# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
jobs:
helm-lint:
runs-on: ubuntu-latest
env:
CTEST_OUTPUT_ON_FAILURE: True
steps:
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Setup Helm
uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # tag=v3
with:
version: "v3.9.0" # default is latest (stable)
- name: Create and populate build folder
run: mkdir build && cd build && cmake ..
- name: Unit Tests
run: ctest -R helm-lint
working-directory: build

2
.github/workflows/test-unittest.yml vendored
View File

@ -42,6 +42,8 @@ jobs:
- name: Unit Tests
run: ctest -R unit
working-directory: build
env:
TMPDIR: ${{ runner.temp }}
test-darwin:
runs-on: macos-12

6
CMakeLists.txt
View File

@ -63,9 +63,3 @@ add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CM
add_test(NAME integration-csi COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/csi)
add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/disk-mapper/internal)
add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)
add_test(NAME helm-lint COMMAND bash -c "helm lint * --set tags.GCP=true --set kms.image='ghcr.io/edgelesssys/constellation/kms:latest' --set join-service.csp='GCP' \
--set join-service.enforcedPCRs='[]' --set join-service.image='ghcr.io/edgelesssys/constellation/join-service:latest' --set join-service.measurements='[]' \
--set join-service.measurementSalt='deadbeef' --set kms.salt='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' --set kms.masterSecret='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' \
--set ccm.csp='GCP' --set ccm.subnetworkCIDR='192.0.2.0/24' --set ccm.GCP.image='ghcr.io/edgelesssys/cloud-provider-gcp:latest' --set ccm.GCP.projectID='demoproject-581925' \
--set ccm.GCP.uid='foobar' --set ccm.GCP.secretData='jsonstring'"
WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/cli/internal/helm/charts/edgeless/)

14
cli/internal/cmd/init.go
View File

@ -59,7 +59,7 @@ func runInitialize(cmd *cobra.Command, args []string) error {
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
return dialer.New(nil, validator.V(cmd), &net.Dialer{})
}
helmLoader := &helm.ChartLoader{}
spinner := newSpinner(cmd.OutOrStdout())
defer spinner.Stop()
@ -67,12 +67,12 @@ func runInitialize(cmd *cobra.Command, args []string) error {
defer cancel()
cmd.SetContext(ctx)
return initialize(cmd, newDialer, fileHandler, helmLoader, license.NewClient(), spinner)
return initialize(cmd, newDialer, fileHandler, license.NewClient(), spinner)
}
// initialize initializes a Constellation.
func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator) *dialer.Dialer,
fileHandler file.Handler, helmLoader helmLoader, quotaChecker license.QuotaChecker, spinner spinnerInterf,
fileHandler file.Handler, quotaChecker license.QuotaChecker, spinner spinnerInterf,
) error {
flags, err := evalFlagArgs(cmd)
if err != nil {
@ -125,8 +125,8 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
if err != nil {
return fmt.Errorf("parsing or generating master secret from file %s: %w", flags.masterSecretPath, err)
}
helmDeployments, err := helmLoader.Load(provider, flags.conformance, masterSecret.Key, masterSecret.Salt, getEnforcedPCRs(provider, config), getEnforceIDKeyDigest(provider, config), k8sVersion)
helmLoader := helm.New(provider, k8sVersion)
helmDeployments, err := helmLoader.Load(provider, flags.conformance, masterSecret.Key, masterSecret.Salt, getEnforcedPCRs(provider, config), getEnforceIDKeyDigest(provider, config))
if err != nil {
return fmt.Errorf("loading Helm charts: %w", err)
}
@ -368,7 +368,3 @@ func getMarshaledServiceAccountURI(provider cloudprovider.Provider, config *conf
type grpcDialer interface {
Dial(ctx context.Context, target string) (*grpc.ClientConn, error)
}
type helmLoader interface {
Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error)
}

14
cli/internal/cmd/init_test.go
View File

@ -31,7 +31,6 @@ import (
"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
"github.com/edgelesssys/constellation/v2/internal/license"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/versions"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -64,7 +63,6 @@ func TestInitialize(t *testing.T) {
idFile *clusterid.File
configMutator func(*config.Config)
serviceAccKey *gcpshared.ServiceAccountKey
helmLoader stubHelmLoader
initServerAPI *stubInitServer
masterSecretShouldExist bool
wantErr bool
@ -163,7 +161,7 @@ func TestInitialize(t *testing.T) {
defer cancel()
cmd.SetContext(ctx)
err := initialize(cmd, newDialer, fileHandler, &tc.helmLoader, &stubLicenseClient{}, nopSpinner{})
err := initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, nopSpinner{})
if tc.wantErr {
assert.Error(err)
@ -405,7 +403,7 @@ func TestAttestation(t *testing.T) {
defer cancel()
cmd.SetContext(ctx)
err := initialize(cmd, newDialer, fileHandler, &stubHelmLoader{}, &stubLicenseClient{}, nopSpinner{})
err := initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, nopSpinner{})
assert.Error(err)
// make sure the error is actually a TLS handshake error
assert.Contains(err.Error(), "transport: authentication handshake failed")
@ -504,11 +502,3 @@ func (c *stubLicenseClient) QuotaCheck(ctx context.Context, checkRequest license
Quota: 25,
}, nil
}
type stubHelmLoader struct {
loadErr error
}
func (d *stubHelmLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error) {
return nil, d.loadErr
}

4
cli/internal/cmd/miniup.go
View File

@ -19,7 +19,6 @@ import (
"strings"
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/helm"
"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -236,13 +235,12 @@ func initializeMiniCluster(cmd *cobra.Command, fileHandler file.Handler, spinner
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
return dialer.New(nil, validator.V(cmd), &net.Dialer{})
}
helmLoader := &helm.ChartLoader{}
cmd.Flags().String("master-secret", "", "")
cmd.Flags().String("endpoint", "", "")
cmd.Flags().Bool("conformance", false, "")
if err := initialize(cmd, newDialer, fileHandler, helmLoader, license.NewClient(), spinner); err != nil {
if err := initialize(cmd, newDialer, fileHandler, license.NewClient(), spinner); err != nil {
return err
}
return nil

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/aws-daemonset.yaml
View File

@ -1,4 +1,4 @@
{{ if eq .Values.csp "AWS" }}
{{- if eq .Values.csp "AWS" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -60,4 +60,4 @@ spec:
hostPath:
path: /etc/pki
updateStrategy: {}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/azure-daemonset.yaml
View File

@ -1,4 +1,4 @@
{{ if eq .Values.csp "Azure" }}
{{- if eq .Values.csp "Azure" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -70,4 +70,4 @@ spec:
secret:
secretName: azureconfig
updateStrategy: {}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/azure-secret.yaml
View File

@ -1,4 +1,4 @@
{{ if eq .Values.csp "Azure" }}
{{- if eq .Values.csp "Azure" -}}
apiVersion: v1
kind: Secret
metadata:
@ -6,4 +6,4 @@ metadata:
namespace: {{ .Release.Namespace }}
data:
azure.json: {{ .Values.Azure.azureConfig | b64enc }}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
View File

@ -1,4 +1,4 @@
{{ if eq .Values.csp "GCP" }}
{{- if eq .Values.csp "GCP" -}}
apiVersion: v1
kind: ConfigMap
metadata:
@ -6,4 +6,4 @@ metadata:
namespace: {{ .Release.Namespace }}
data:
gce.conf: "[global]\nproject-id = {{.Values.GCP.projectID }}\nuse-metadata-server = true\nnode-tags = constellation-{{ .Values.GCP.uid }}\n"
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-daemonset.yaml
View File

@ -1,4 +1,4 @@
{{ if eq .Values.csp "GCP" }}
{{- if eq .Values.csp "GCP" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -81,4 +81,4 @@ spec:
secret:
secretName: gcekey
updateStrategy: {}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-secret.yaml
View File

@ -1,4 +1,4 @@
{{ if eq .Values.csp "GCP" }}
{{- if eq .Values.csp "GCP" -}}
apiVersion: v1
kind: Secret
metadata:
@ -6,4 +6,4 @@ metadata:
namespace: {{ .Release.Namespace }}
data:
key.json: {{ .Values.GCP.secretData | b64enc }}
{{ end }}
{{- end -}}

2
cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml
View File

@ -10,7 +10,7 @@ data:
{{- if eq .Values.csp "Azure" }}
# ConfigMap.data is of type map[string]string. quote will not quote a quoted string.
enforceIdKeyDigest: {{ .Values.enforceIdKeyDigest | quote }}
idkeydigest: {{ .Values.idkeydigest }}
idkeydigest: {{ .Values.idkeydigest | quote }}
{{- end }}
binaryData:
measurementSalt: {{ .Values.measurementSalt }}

3
cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
View File

@ -27,8 +27,7 @@
"image": {
"description": "Container image to use for the spawned pods.",
"type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"],
"pattern": "ghcr.io/edgelesssys/constellation/join-service:.+"
"examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"]
},
"measurementSalt": {
"description": "Salt used to generate node measurements",

3
cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.schema.json
View File

@ -4,8 +4,7 @@
"image": {
"description": "Container image to use for the spawned pods.",
"type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"],
"pattern": "ghcr.io/edgelesssys/constellation/kms:*"
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
},
"masterSecret": {
"description": "Secret used to derive key material within the cluster",

52
cli/internal/helm/loader.go
View File

@ -34,15 +34,37 @@ import (
//go:embed all:charts/*
var HelmFS embed.FS
type ChartLoader struct{}
type ChartLoader struct {
joinServiceImage string
kmsImage string
ccmImage string
}
func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error) {
func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *ChartLoader {
var ccmImage string
switch csp {
case cloudprovider.AWS:
ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAWS
case cloudprovider.Azure:
ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAzure
case cloudprovider.GCP:
ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageGCP
}
return &ChartLoader{
joinServiceImage: versions.JoinImage,
kmsImage: versions.KmsImage,
ccmImage: ccmImage,
}
}
func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool) ([]byte, error) {
ciliumRelease, err := i.loadCilium(csp, conformanceMode)
if err != nil {
return nil, err
}
conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest, k8sVersion)
conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest)
if err != nil {
return nil, err
}
@ -93,7 +115,7 @@ func (i *ChartLoader) loadCilium(csp cloudprovider.Provider, conformanceMode boo
// loadConstellationServices loads the constellation-services chart from the embed.FS, marshals it into a helm-package .tgz and sets the values that can be set in the CLI.
func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
masterSecret []byte, salt []byte, enforcedPCRs []uint32,
enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion,
enforceIDKeyDigest bool,
) (helm.Release, error) {
chart, err := loadChartsDir(HelmFS, "charts/edgeless/constellation-services")
if err != nil {
@ -119,7 +141,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
"internalCMName": constants.InternalConfigMap,
},
"kms": map[string]any{
"image": versions.KmsImage,
"image": i.kmsImage,
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
"salt": base64.StdEncoding.EncodeToString(salt),
"namespace": constants.ConstellationNamespace,
@ -131,7 +153,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
"join-service": map[string]any{
"csp": csp,
"enforcedPCRs": string(enforcedPCRsJSON),
"image": versions.JoinImage,
"image": i.joinServiceImage,
"namespace": constants.ConstellationNamespace,
},
"ccm": map[string]interface{}{
@ -153,7 +175,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
return helm.Release{}, errors.New("invalid ccm values")
}
ccmVals["Azure"] = map[string]any{
"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAzure,
"image": i.ccmImage,
}
vals["tags"] = map[string]any{
@ -167,7 +189,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
return helm.Release{}, errors.New("invalid ccm values")
}
ccmVals["GCP"] = map[string]any{
"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageGCP,
"image": i.ccmImage,
}
vals["tags"] = map[string]any{
@ -186,7 +208,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
return helm.Release{}, errors.New("invalid ccm values")
}
ccmVals["AWS"] = map[string]any{
"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAWS,
"image": i.ccmImage,
}
vals["tags"] = map[string]any{
@ -200,12 +222,18 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
// marshalChart takes a Chart object, packages it to a temporary file and returns the content of that file.
// We currently need to take this approach of marshaling as dependencies are not marshaled correctly with json.Marshal.
// This stems from the fact that chart.Chart does not export the dependencies property.
// See: https://github.com/helm/helm/issues/11454
func (i *ChartLoader) marshalChart(chart *chart.Chart) ([]byte, error) {
path, err := chartutil.Save(chart, os.TempDir())
// A separate tmpdir path is necessary since during unit testing multiple go routines are accessing the same path, possibly deleting files for other routines.
tmpDirPath, err := os.MkdirTemp("", "*")
defer os.Remove(tmpDirPath)
if err != nil {
return nil, fmt.Errorf("creating tmp dir: %w", err)
}
path, err := chartutil.Save(chart, tmpDirPath)
defer os.Remove(path)
if err != nil {
return nil, fmt.Errorf("packaging chart: %w", err)
return nil, fmt.Errorf("chartutil save: %w", err)
}
chartRaw, err := os.ReadFile(path)
if err != nil {

150
cli/internal/helm/loader_test.go
View File

@ -9,27 +9,167 @@ package helm
import (
"bytes"
"encoding/json"
"fmt"
"io/fs"
"os"
"path"
"testing"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
"github.com/edgelesssys/constellation/v2/internal/versions"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"helm.sh/helm/v3/pkg/chart/loader"
"helm.sh/helm/v3/pkg/chartutil"
"helm.sh/helm/v3/pkg/engine"
)
// TestLoad checks if the serialized format that Load returns correctly preserves the dependencies of the loaded chart.
func TestLoad(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
chartLoader := ChartLoader{}
release, err := chartLoader.Load(cloudprovider.GCP, true, []byte("secret"), []byte("salt"), nil, false, versions.Default)
assert.NoError(err)
release, err := chartLoader.Load(cloudprovider.GCP, true, []byte("secret"), []byte("salt"), nil, false)
require.NoError(err)
var helmReleases helm.Releases
err = json.Unmarshal(release, &helmReleases)
assert.NoError(err)
require.NoError(err)
reader := bytes.NewReader(helmReleases.ConstellationServices.Chart)
chart, err := loader.LoadArchive(reader)
assert.NoError(err)
require.NoError(err)
assert.NotNil(chart.Dependencies())
}
// TestTemplate checks if the rendered constellation-services chart produces the expected yaml files.
func TestTemplate(t *testing.T) {
testCases := map[string]struct {
csp cloudprovider.Provider
enforceIDKeyDigest bool
valuesModifier func(map[string]any) error
ccmImage string
}{
"GCP": {
csp: cloudprovider.GCP,
enforceIDKeyDigest: false,
valuesModifier: prepareGCPValues,
ccmImage: "ccmImageForGCP",
},
"Azure": {
csp: cloudprovider.Azure,
enforceIDKeyDigest: true,
valuesModifier: prepareAzureValues,
ccmImage: "ccmImageForAzure",
},
"QEMU": {
csp: cloudprovider.QEMU,
enforceIDKeyDigest: false,
valuesModifier: prepareQEMUValues,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage}
release, err := chartLoader.Load(tc.csp, true, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []uint32{1, 11}, tc.enforceIDKeyDigest)
require.NoError(err)
var helmReleases helm.Releases
err = json.Unmarshal(release, &helmReleases)
require.NoError(err)
reader := bytes.NewReader(helmReleases.ConstellationServices.Chart)
chart, err := loader.LoadArchive(reader)
require.NoError(err)
options := chartutil.ReleaseOptions{
Name: "testRelease",
Namespace: "testNamespace",
Revision: 1,
IsInstall: true,
IsUpgrade: false,
}
caps := &chartutil.Capabilities{}
err = tc.valuesModifier(helmReleases.ConstellationServices.Values)
require.NoError(err)
valuesToRender, err := chartutil.ToRenderValues(chart, helmReleases.ConstellationServices.Values, options, caps)
require.NoError(err)
result, err := engine.Render(chart, valuesToRender)
require.NoError(err)
for k, v := range result {
currentFile := path.Join("testdata", tc.csp.String(), k)
content, err := os.ReadFile(currentFile)
// If a file does not exist, we expect the render for that path to be empty.
if errors.Is(err, fs.ErrNotExist) {
assert.YAMLEq("", v, fmt.Sprintf("current file: %s", currentFile))
continue
}
assert.NoError(err)
assert.YAMLEq(string(content), v, fmt.Sprintf("current file: %s", currentFile))
}
})
}
}
func prepareGCPValues(values map[string]any) error {
joinVals, ok := values["join-service"].(map[string]any)
if !ok {
return errors.New("missing 'join-service' key")
}
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ccmVals, ok := values["ccm"].(map[string]any)
if !ok {
return errors.New("missing 'ccm' key")
}
ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
ccmVals["GCP"].(map[string]any)["projectID"] = "42424242424242"
ccmVals["GCP"].(map[string]any)["uid"] = "242424242424"
ccmVals["GCP"].(map[string]any)["secretData"] = "baaaaaad"
return nil
}
func prepareAzureValues(values map[string]any) error {
joinVals, ok := values["join-service"].(map[string]any)
if !ok {
return errors.New("missing 'join-service' key")
}
joinVals["idkeydigest"] = "baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad"
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ccmVals, ok := values["ccm"].(map[string]any)
if !ok {
return errors.New("missing 'ccm' key")
}
ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
ccmVals["Azure"].(map[string]any)["azureConfig"] = "baaaaaad"
return nil
}
func prepareQEMUValues(values map[string]any) error {
joinVals, ok := values["join-service"].(map[string]any)
if !ok {
return errors.New("missing 'join-service' key")
}
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ccmVals, ok := values["ccm"].(map[string]any)
if !ok {
return errors.New("missing 'ccm' key")
}
ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
return nil
}

72
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/azure-daemonset.yaml vendored Normal file
View File

@ -0,0 +1,72 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cloud-controller-manager
namespace: testNamespace
labels:
k8s-app: cloud-controller-manager
spec:
selector:
matchLabels:
k8s-app: cloud-controller-manager
template:
metadata:
labels:
k8s-app: cloud-controller-manager
spec:
containers:
- name: cloud-controller-manager
image: ccmImageForAzure
command:
- cloud-controller-manager
- --cloud-provider=azure
- --leader-elect=true
- --cluster-cidr=192.0.2.0/24
- -v=2
- --controllers=*,-cloud-node
- --cloud-config=/etc/azure/azure.json
- --allocate-node-cidrs=false
- --configure-cloud-routes=true
resources: {}
volumeMounts:
- name: etckubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: etcssl
mountPath: /etc/ssl
readOnly: true
- name: etcpki
mountPath: /etc/pki
readOnly: true
- name: azureconfig
mountPath: /etc/azure
readOnly: true
nodeSelector:
node-role.kubernetes.io/control-plane: ""
serviceAccountName: cloud-controller-manager
tolerations:
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/not-ready
volumes:
- name: etckubernetes
hostPath:
path: /etc/kubernetes
- name: etcssl
hostPath:
path: /etc/ssl
- name: etcpki
hostPath:
path: /etc/pki
- name: azureconfig
secret:
secretName: azureconfig
updateStrategy: {}

9
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/azure-secret.yaml vendored Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: azureconfig
namespace: testNamespace
data:
azure.json: YmFhYWFhYWQ=

12
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cloud-controller-manager
namespace: testNamespace

5
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-controller-manager
namespace: testNamespace

24
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/clusterrole.yaml vendored Normal file
View File

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: join-service
name: join-service
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- update

12
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: join-service
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: join-service
subjects:
- kind: ServiceAccount
name: join-service
namespace: testNamespace

12
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/configmap.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: join-config
namespace: kube-system
data:
enforcedPCRs: "[1,11]"
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
enforceIdKeyDigest: "true"
idkeydigest: "baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad"
binaryData:
measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

69
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: join-service
namespace: testNamespace
labels:
component: join-service
k8s-app: join-service
kubernetes.io/cluster-service: "true"
spec:
selector:
matchLabels:
k8s-app: join-service
template:
metadata:
labels:
k8s-app: join-service
spec:
priorityClassName: system-cluster-critical
serviceAccountName: join-service
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/control-plane: ""
containers:
- name: join-service
image: joinServiceImage
args:
- --cloud-provider=Azure
- --kms-endpoint=kms.kube-system:9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
ports:
- containerPort: 9090
name: tcp
resources: {}
securityContext:
privileged: true
volumes:
- name: config
projected:
sources:
- configMap:
name: join-config
- configMap:
name: k8s-version
- configMap:
name: internal-config
- name: kubeadm
hostPath:
path: /etc/kubernetes
updateStrategy: {}

17
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/service.yaml vendored Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: join-service
namespace: testNamespace
spec:
type: NodePort
selector:
k8s-app: join-service
ports:
- name: grpc
protocol: TCP
port: 9090
targetPort: 9090
nodePort: 30090
status:
loadBalancer: {}

5
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: join-service
namespace: testNamespace

13
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrole.yaml vendored Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get

12
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
subjects:
- kind: ServiceAccount
name: kms
namespace: testNamespace

63
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
kubernetes.io/cluster-service: "true"
name: kms
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
template:
metadata:
labels:
k8s-app: kms
spec:
containers:
- name: kms
image: kmsImage
args:
- --port=9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
resources: {}
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: config
projected:
sources:
- configMap:
items:
- key: measurements
path: measurements
name: join-config
- secret:
items:
- key: mastersecret
path: mastersecret
- key: salt
path: salt
name: constellation-mastersecret
updateStrategy: {}

9
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/mastersecret.yaml vendored Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: constellation-mastersecret
namespace: testNamespace
data:
mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

16
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/service.yaml vendored Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
namespace: testNamespace
spec:
ports:
- name: grpc
port: 9000
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
type: ClusterIP
status:
loadBalancer: {}

5
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
namespace: testNamespace

0
cli/internal/helm/testdata/Azure/constellation-services/templates/.gitkeep vendored Normal file
View File

12
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cloud-controller-manager
namespace: testNamespace

9
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml vendored Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gceconf
namespace: testNamespace
data:
gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\n"

83
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-daemonset.yaml vendored Normal file
View File

@ -0,0 +1,83 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cloud-controller-manager
namespace: testNamespace
labels:
k8s-app: cloud-controller-manager
spec:
selector:
matchLabels:
k8s-app: cloud-controller-manager
template:
metadata:
labels:
k8s-app: cloud-controller-manager
spec:
containers:
- name: cloud-controller-manager
image: ccmImageForGCP
command:
- /cloud-controller-manager
- --cloud-provider=gce
- --leader-elect=true
- --cluster-cidr=192.0.2.0/24
- -v=2
- --use-service-account-credentials
- --controllers=cloud-node,cloud-node-lifecycle,nodeipam,service,route
- --cloud-config=/etc/gce/gce.conf
- --cidr-allocator-type=CloudAllocator
- --allocate-node-cidrs=true
- --configure-cloud-routes=false
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: /etc/kubernetes
name: etckubernetes
readOnly: true
- mountPath: /etc/ssl
name: etcssl
readOnly: true
- mountPath: /etc/pki
name: etcpki
readOnly: true
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
resources: {}
serviceAccountName: cloud-controller-manager
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/not-ready
volumes:
- name: etckubernetes
hostPath:
path: /etc/kubernetes
- name: etcssl
hostPath:
path: /etc/ssl
- name: etcpki
hostPath:
path: /etc/pki
- name: gceconf
configMap:
name: gceconf
- name: gcekey
secret:
secretName: gcekey
updateStrategy: {}

9
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-secret.yaml vendored Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: gcekey
namespace: testNamespace
data:
key.json: YmFhYWFhYWQ=

5
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-controller-manager
namespace: testNamespace

24
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/clusterrole.yaml vendored Normal file
View File

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: join-service
name: join-service
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- update

12
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: join-service
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: join-service
subjects:
- kind: ServiceAccount
name: join-service
namespace: testNamespace

10
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/configmap.yaml vendored Normal file
View File

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: join-config
namespace: kube-system
data:
enforcedPCRs: "[1,11]"
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
binaryData:
measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

69
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: join-service
namespace: testNamespace
labels:
component: join-service
k8s-app: join-service
kubernetes.io/cluster-service: "true"
spec:
selector:
matchLabels:
k8s-app: join-service
template:
metadata:
labels:
k8s-app: join-service
spec:
priorityClassName: system-cluster-critical
serviceAccountName: join-service
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/control-plane: ""
containers:
- name: join-service
image: joinServiceImage
args:
- --cloud-provider=GCP
- --kms-endpoint=kms.kube-system:9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
ports:
- containerPort: 9090
name: tcp
resources: {}
securityContext:
privileged: true
volumes:
- name: config
projected:
sources:
- configMap:
name: join-config
- configMap:
name: k8s-version
- configMap:
name: internal-config
- name: kubeadm
hostPath:
path: /etc/kubernetes
updateStrategy: {}

17
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/service.yaml vendored Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: join-service
namespace: testNamespace
spec:
type: NodePort
selector:
k8s-app: join-service
ports:
- name: grpc
protocol: TCP
port: 9090
targetPort: 9090
nodePort: 30090
status:
loadBalancer: {}

5
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: join-service
namespace: testNamespace

13
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrole.yaml vendored Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get

12
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
subjects:
- kind: ServiceAccount
name: kms
namespace: testNamespace

63
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
kubernetes.io/cluster-service: "true"
name: kms
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
template:
metadata:
labels:
k8s-app: kms
spec:
containers:
- name: kms
image: kmsImage
args:
- --port=9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
resources: {}
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: config
projected:
sources:
- configMap:
items:
- key: measurements
path: measurements
name: join-config
- secret:
items:
- key: mastersecret
path: mastersecret
- key: salt
path: salt
name: constellation-mastersecret
updateStrategy: {}

9
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/mastersecret.yaml vendored Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: constellation-mastersecret
namespace: testNamespace
data:
mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

16
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/service.yaml vendored Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
namespace: testNamespace
spec:
ports:
- name: grpc
port: 9000
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
type: ClusterIP
status:
loadBalancer: {}

5
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
namespace: testNamespace

0
cli/internal/helm/testdata/GCP/constellation-services/templates/.gitkeep vendored Normal file
View File

12
cli/internal/helm/testdata/QEMU/constellation-services/charts/ccm/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cloud-controller-manager
namespace: testNamespace

5
cli/internal/helm/testdata/QEMU/constellation-services/charts/ccm/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-controller-manager
namespace: testNamespace

24
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/clusterrole.yaml vendored Normal file
View File

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: join-service
name: join-service
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- update

12
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: join-service
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: join-service
subjects:
- kind: ServiceAccount
name: join-service
namespace: testNamespace

10
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/configmap.yaml vendored Normal file
View File

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: join-config
namespace: kube-system
data:
enforcedPCRs: "[1,11]"
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
binaryData:
measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

69
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: join-service
namespace: testNamespace
labels:
component: join-service
k8s-app: join-service
kubernetes.io/cluster-service: "true"
spec:
selector:
matchLabels:
k8s-app: join-service
template:
metadata:
labels:
k8s-app: join-service
spec:
priorityClassName: system-cluster-critical
serviceAccountName: join-service
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/control-plane: ""
containers:
- name: join-service
image: joinServiceImage
args:
- --cloud-provider=QEMU
- --kms-endpoint=kms.kube-system:9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
ports:
- containerPort: 9090
name: tcp
resources: {}
securityContext:
privileged: true
volumes:
- name: config
projected:
sources:
- configMap:
name: join-config
- configMap:
name: k8s-version
- configMap:
name: internal-config
- name: kubeadm
hostPath:
path: /etc/kubernetes
updateStrategy: {}

17
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/service.yaml vendored Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: join-service
namespace: testNamespace
spec:
type: NodePort
selector:
k8s-app: join-service
ports:
- name: grpc
protocol: TCP
port: 9090
targetPort: 9090
nodePort: 30090
status:
loadBalancer: {}

5
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: join-service
namespace: testNamespace

13
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrole.yaml vendored Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get

12
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrolebinding.yaml vendored Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
subjects:
- kind: ServiceAccount
name: kms
namespace: testNamespace

63
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
kubernetes.io/cluster-service: "true"
name: kms
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
template:
metadata:
labels:
k8s-app: kms
spec:
containers:
- name: kms
image: kmsImage
args:
- --port=9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
resources: {}
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: config
projected:
sources:
- configMap:
items:
- key: measurements
path: measurements
name: join-config
- secret:
items:
- key: mastersecret
path: mastersecret
- key: salt
path: salt
name: constellation-mastersecret
updateStrategy: {}

9
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/mastersecret.yaml vendored Normal file
View File

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: constellation-mastersecret
namespace: testNamespace
data:
mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

16
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/service.yaml vendored Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
namespace: testNamespace
spec:
ports:
- name: grpc
port: 9000
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
type: ClusterIP
status:
loadBalancer: {}

5
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/serviceaccount.yaml vendored Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
namespace: testNamespace

0
cli/internal/helm/testdata/QEMU/constellation-services/templates/.gitkeep vendored Normal file
View File

7
hack/go.sum
View File

@ -129,11 +129,13 @@ github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7
github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo=
github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
@ -141,7 +143,9 @@ github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0
github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60=
github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
@ -539,6 +543,7 @@ github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWe
github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@ -820,6 +825,7 @@ github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJ
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo=
github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@ -1223,6 +1229,7 @@ github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew=
github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=