Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-09-18 20:14:48 -04:00
Code Issues Projects Releases Packages Wiki Activity

Add helm unittests (#380)

Browse source
This commit is contained in:
Otto Bittner 2022-10-31 19:25:02 +01:00 committed by GitHub
parent 3933a97567
commit 30bdbd9b85
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
68 changed files with 1217 additions and 105 deletions
Download patch file Download diff file Expand all files Collapse all files

14
cli/internal/cmd/init.go
View file

@ -59,7 +59,7 @@ func runInitialize(cmd *cobra.Command, args []string) error {
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
return dialer.New(nil, validator.V(cmd), &net.Dialer{})
}
helmLoader := &helm.ChartLoader{}
spinner := newSpinner(cmd.OutOrStdout())
defer spinner.Stop()
@ -67,12 +67,12 @@ func runInitialize(cmd *cobra.Command, args []string) error {
defer cancel()
cmd.SetContext(ctx)
return initialize(cmd, newDialer, fileHandler, helmLoader, license.NewClient(), spinner)
return initialize(cmd, newDialer, fileHandler, license.NewClient(), spinner)
}
// initialize initializes a Constellation.
func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator) *dialer.Dialer,
fileHandler file.Handler, helmLoader helmLoader, quotaChecker license.QuotaChecker, spinner spinnerInterf,
fileHandler file.Handler, quotaChecker license.QuotaChecker, spinner spinnerInterf,
) error {
flags, err := evalFlagArgs(cmd)
if err != nil {
@ -125,8 +125,8 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
if err != nil {
return fmt.Errorf("parsing or generating master secret from file %s: %w", flags.masterSecretPath, err)
}
helmDeployments, err := helmLoader.Load(provider, flags.conformance, masterSecret.Key, masterSecret.Salt, getEnforcedPCRs(provider, config), getEnforceIDKeyDigest(provider, config), k8sVersion)
helmLoader := helm.New(provider, k8sVersion)
helmDeployments, err := helmLoader.Load(provider, flags.conformance, masterSecret.Key, masterSecret.Salt, getEnforcedPCRs(provider, config), getEnforceIDKeyDigest(provider, config))
if err != nil {
return fmt.Errorf("loading Helm charts: %w", err)
}
@ -368,7 +368,3 @@ func getMarshaledServiceAccountURI(provider cloudprovider.Provider, config *conf
type grpcDialer interface {
Dial(ctx context.Context, target string) (*grpc.ClientConn, error)
}
type helmLoader interface {
Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error)
}

14
cli/internal/cmd/init_test.go
View file

@ -31,7 +31,6 @@ import (
"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
"github.com/edgelesssys/constellation/v2/internal/license"
"github.com/edgelesssys/constellation/v2/internal/oid"
"github.com/edgelesssys/constellation/v2/internal/versions"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -64,7 +63,6 @@ func TestInitialize(t *testing.T) {
idFile *clusterid.File
configMutator func(*config.Config)
serviceAccKey *gcpshared.ServiceAccountKey
helmLoader stubHelmLoader
initServerAPI *stubInitServer
masterSecretShouldExist bool
wantErr bool
@ -163,7 +161,7 @@ func TestInitialize(t *testing.T) {
defer cancel()
cmd.SetContext(ctx)
err := initialize(cmd, newDialer, fileHandler, &tc.helmLoader, &stubLicenseClient{}, nopSpinner{})
err := initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, nopSpinner{})
if tc.wantErr {
assert.Error(err)
@ -405,7 +403,7 @@ func TestAttestation(t *testing.T) {
defer cancel()
cmd.SetContext(ctx)
err := initialize(cmd, newDialer, fileHandler, &stubHelmLoader{}, &stubLicenseClient{}, nopSpinner{})
err := initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, nopSpinner{})
assert.Error(err)
// make sure the error is actually a TLS handshake error
assert.Contains(err.Error(), "transport: authentication handshake failed")
@ -504,11 +502,3 @@ func (c *stubLicenseClient) QuotaCheck(ctx context.Context, checkRequest license
Quota: 25,
}, nil
}
type stubHelmLoader struct {
loadErr error
}
func (d *stubHelmLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error) {
return nil, d.loadErr
}

4
cli/internal/cmd/miniup.go
View file

@ -19,7 +19,6 @@ import (
"strings"
"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
"github.com/edgelesssys/constellation/v2/cli/internal/helm"
"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/config"
@ -236,13 +235,12 @@ func initializeMiniCluster(cmd *cobra.Command, fileHandler file.Handler, spinner
newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
return dialer.New(nil, validator.V(cmd), &net.Dialer{})
}
helmLoader := &helm.ChartLoader{}
cmd.Flags().String("master-secret", "", "")
cmd.Flags().String("endpoint", "", "")
cmd.Flags().Bool("conformance", false, "")
if err := initialize(cmd, newDialer, fileHandler, helmLoader, license.NewClient(), spinner); err != nil {
if err := initialize(cmd, newDialer, fileHandler, license.NewClient(), spinner); err != nil {
return err
}
return nil

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/aws-daemonset.yaml
View file

@ -1,4 +1,4 @@
{{ if eq .Values.csp "AWS" }}
{{- if eq .Values.csp "AWS" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -60,4 +60,4 @@ spec:
hostPath:
path: /etc/pki
updateStrategy: {}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/azure-daemonset.yaml
View file

@ -1,4 +1,4 @@
{{ if eq .Values.csp "Azure" }}
{{- if eq .Values.csp "Azure" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -70,4 +70,4 @@ spec:
secret:
secretName: azureconfig
updateStrategy: {}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/azure-secret.yaml
View file

@ -1,4 +1,4 @@
{{ if eq .Values.csp "Azure" }}
{{- if eq .Values.csp "Azure" -}}
apiVersion: v1
kind: Secret
metadata:
@ -6,4 +6,4 @@ metadata:
namespace: {{ .Release.Namespace }}
data:
azure.json: {{ .Values.Azure.azureConfig | b64enc }}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml
View file

@ -1,4 +1,4 @@
{{ if eq .Values.csp "GCP" }}
{{- if eq .Values.csp "GCP" -}}
apiVersion: v1
kind: ConfigMap
metadata:
@ -6,4 +6,4 @@ metadata:
namespace: {{ .Release.Namespace }}
data:
gce.conf: "[global]\nproject-id = {{.Values.GCP.projectID }}\nuse-metadata-server = true\nnode-tags = constellation-{{ .Values.GCP.uid }}\n"
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-daemonset.yaml
View file

@ -1,4 +1,4 @@
{{ if eq .Values.csp "GCP" }}
{{- if eq .Values.csp "GCP" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -81,4 +81,4 @@ spec:
secret:
secretName: gcekey
updateStrategy: {}
{{ end }}
{{- end -}}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-secret.yaml
View file

@ -1,4 +1,4 @@
{{ if eq .Values.csp "GCP" }}
{{- if eq .Values.csp "GCP" -}}
apiVersion: v1
kind: Secret
metadata:
@ -6,4 +6,4 @@ metadata:
namespace: {{ .Release.Namespace }}
data:
key.json: {{ .Values.GCP.secretData | b64enc }}
{{ end }}
{{- end -}}

2
cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml
View file

@ -10,7 +10,7 @@ data:
{{- if eq .Values.csp "Azure" }}
# ConfigMap.data is of type map[string]string. quote will not quote a quoted string.
enforceIdKeyDigest: {{ .Values.enforceIdKeyDigest | quote }}
idkeydigest: {{ .Values.idkeydigest }}
idkeydigest: {{ .Values.idkeydigest | quote }}
{{- end }}
binaryData:
measurementSalt: {{ .Values.measurementSalt }}

3
cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json
View file

@ -27,8 +27,7 @@
"image": {
"description": "Container image to use for the spawned pods.",
"type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"],
"pattern": "ghcr.io/edgelesssys/constellation/join-service:.+"
"examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"]
},
"measurementSalt": {
"description": "Salt used to generate node measurements",

3
cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.schema.json
View file

@ -4,8 +4,7 @@
"image": {
"description": "Container image to use for the spawned pods.",
"type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"],
"pattern": "ghcr.io/edgelesssys/constellation/kms:*"
"examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
},
"masterSecret": {
"description": "Secret used to derive key material within the cluster",

52
cli/internal/helm/loader.go
View file

@ -34,15 +34,37 @@ import (
//go:embed all:charts/*
var HelmFS embed.FS
type ChartLoader struct{}
type ChartLoader struct {
joinServiceImage string
kmsImage string
ccmImage string
}
func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error) {
func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *ChartLoader {
var ccmImage string
switch csp {
case cloudprovider.AWS:
ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAWS
case cloudprovider.Azure:
ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAzure
case cloudprovider.GCP:
ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageGCP
}
return &ChartLoader{
joinServiceImage: versions.JoinImage,
kmsImage: versions.KmsImage,
ccmImage: ccmImage,
}
}
func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool) ([]byte, error) {
ciliumRelease, err := i.loadCilium(csp, conformanceMode)
if err != nil {
return nil, err
}
conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest, k8sVersion)
conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest)
if err != nil {
return nil, err
}
@ -93,7 +115,7 @@ func (i *ChartLoader) loadCilium(csp cloudprovider.Provider, conformanceMode boo
// loadConstellationServices loads the constellation-services chart from the embed.FS, marshals it into a helm-package .tgz and sets the values that can be set in the CLI.
func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
masterSecret []byte, salt []byte, enforcedPCRs []uint32,
enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion,
enforceIDKeyDigest bool,
) (helm.Release, error) {
chart, err := loadChartsDir(HelmFS, "charts/edgeless/constellation-services")
if err != nil {
@ -119,7 +141,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
"internalCMName": constants.InternalConfigMap,
},
"kms": map[string]any{
"image": versions.KmsImage,
"image": i.kmsImage,
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
"salt": base64.StdEncoding.EncodeToString(salt),
"namespace": constants.ConstellationNamespace,
@ -131,7 +153,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
"join-service": map[string]any{
"csp": csp,
"enforcedPCRs": string(enforcedPCRsJSON),
"image": versions.JoinImage,
"image": i.joinServiceImage,
"namespace": constants.ConstellationNamespace,
},
"ccm": map[string]interface{}{
@ -153,7 +175,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
return helm.Release{}, errors.New("invalid ccm values")
}
ccmVals["Azure"] = map[string]any{
"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAzure,
"image": i.ccmImage,
}
vals["tags"] = map[string]any{
@ -167,7 +189,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
return helm.Release{}, errors.New("invalid ccm values")
}
ccmVals["GCP"] = map[string]any{
"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageGCP,
"image": i.ccmImage,
}
vals["tags"] = map[string]any{
@ -186,7 +208,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
return helm.Release{}, errors.New("invalid ccm values")
}
ccmVals["AWS"] = map[string]any{
"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAWS,
"image": i.ccmImage,
}
vals["tags"] = map[string]any{
@ -200,12 +222,18 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
// marshalChart takes a Chart object, packages it to a temporary file and returns the content of that file.
// We currently need to take this approach of marshaling as dependencies are not marshaled correctly with json.Marshal.
// This stems from the fact that chart.Chart does not export the dependencies property.
// See: https://github.com/helm/helm/issues/11454
func (i *ChartLoader) marshalChart(chart *chart.Chart) ([]byte, error) {
path, err := chartutil.Save(chart, os.TempDir())
// A separate tmpdir path is necessary since during unit testing multiple go routines are accessing the same path, possibly deleting files for other routines.
tmpDirPath, err := os.MkdirTemp("", "*")
defer os.Remove(tmpDirPath)
if err != nil {
return nil, fmt.Errorf("creating tmp dir: %w", err)
}
path, err := chartutil.Save(chart, tmpDirPath)
defer os.Remove(path)
if err != nil {
return nil, fmt.Errorf("packaging chart: %w", err)
return nil, fmt.Errorf("chartutil save: %w", err)
}
chartRaw, err := os.ReadFile(path)
if err != nil {

150
cli/internal/helm/loader_test.go
View file

@ -9,27 +9,167 @@ package helm
import (
"bytes"
"encoding/json"
"fmt"
"io/fs"
"os"
"path"
"testing"
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
"github.com/edgelesssys/constellation/v2/internal/versions"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"helm.sh/helm/v3/pkg/chart/loader"
"helm.sh/helm/v3/pkg/chartutil"
"helm.sh/helm/v3/pkg/engine"
)
// TestLoad checks if the serialized format that Load returns correctly preserves the dependencies of the loaded chart.
func TestLoad(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
chartLoader := ChartLoader{}
release, err := chartLoader.Load(cloudprovider.GCP, true, []byte("secret"), []byte("salt"), nil, false, versions.Default)
assert.NoError(err)
release, err := chartLoader.Load(cloudprovider.GCP, true, []byte("secret"), []byte("salt"), nil, false)
require.NoError(err)
var helmReleases helm.Releases
err = json.Unmarshal(release, &helmReleases)
assert.NoError(err)
require.NoError(err)
reader := bytes.NewReader(helmReleases.ConstellationServices.Chart)
chart, err := loader.LoadArchive(reader)
assert.NoError(err)
require.NoError(err)
assert.NotNil(chart.Dependencies())
}
// TestTemplate checks if the rendered constellation-services chart produces the expected yaml files.
func TestTemplate(t *testing.T) {
testCases := map[string]struct {
csp cloudprovider.Provider
enforceIDKeyDigest bool
valuesModifier func(map[string]any) error
ccmImage string
}{
"GCP": {
csp: cloudprovider.GCP,
enforceIDKeyDigest: false,
valuesModifier: prepareGCPValues,
ccmImage: "ccmImageForGCP",
},
"Azure": {
csp: cloudprovider.Azure,
enforceIDKeyDigest: true,
valuesModifier: prepareAzureValues,
ccmImage: "ccmImageForAzure",
},
"QEMU": {
csp: cloudprovider.QEMU,
enforceIDKeyDigest: false,
valuesModifier: prepareQEMUValues,
},
}
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage}
release, err := chartLoader.Load(tc.csp, true, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []uint32{1, 11}, tc.enforceIDKeyDigest)
require.NoError(err)
var helmReleases helm.Releases
err = json.Unmarshal(release, &helmReleases)
require.NoError(err)
reader := bytes.NewReader(helmReleases.ConstellationServices.Chart)
chart, err := loader.LoadArchive(reader)
require.NoError(err)
options := chartutil.ReleaseOptions{
Name: "testRelease",
Namespace: "testNamespace",
Revision: 1,
IsInstall: true,
IsUpgrade: false,
}
caps := &chartutil.Capabilities{}
err = tc.valuesModifier(helmReleases.ConstellationServices.Values)
require.NoError(err)
valuesToRender, err := chartutil.ToRenderValues(chart, helmReleases.ConstellationServices.Values, options, caps)
require.NoError(err)
result, err := engine.Render(chart, valuesToRender)
require.NoError(err)
for k, v := range result {
currentFile := path.Join("testdata", tc.csp.String(), k)
content, err := os.ReadFile(currentFile)
// If a file does not exist, we expect the render for that path to be empty.
if errors.Is(err, fs.ErrNotExist) {
assert.YAMLEq("", v, fmt.Sprintf("current file: %s", currentFile))
continue
}
assert.NoError(err)
assert.YAMLEq(string(content), v, fmt.Sprintf("current file: %s", currentFile))
}
})
}
}
func prepareGCPValues(values map[string]any) error {
joinVals, ok := values["join-service"].(map[string]any)
if !ok {
return errors.New("missing 'join-service' key")
}
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ccmVals, ok := values["ccm"].(map[string]any)
if !ok {
return errors.New("missing 'ccm' key")
}
ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
ccmVals["GCP"].(map[string]any)["projectID"] = "42424242424242"
ccmVals["GCP"].(map[string]any)["uid"] = "242424242424"
ccmVals["GCP"].(map[string]any)["secretData"] = "baaaaaad"
return nil
}
func prepareAzureValues(values map[string]any) error {
joinVals, ok := values["join-service"].(map[string]any)
if !ok {
return errors.New("missing 'join-service' key")
}
joinVals["idkeydigest"] = "baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad"
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ccmVals, ok := values["ccm"].(map[string]any)
if !ok {
return errors.New("missing 'ccm' key")
}
ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
ccmVals["Azure"].(map[string]any)["azureConfig"] = "baaaaaad"
return nil
}
func prepareQEMUValues(values map[string]any) error {
joinVals, ok := values["join-service"].(map[string]any)
if !ok {
return errors.New("missing 'join-service' key")
}
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ccmVals, ok := values["ccm"].(map[string]any)
if !ok {
return errors.New("missing 'ccm' key")
}
ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
return nil
}

72
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/azure-daemonset.yaml vendored Normal file
View file

@ -0,0 +1,72 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cloud-controller-manager
namespace: testNamespace
labels:
k8s-app: cloud-controller-manager
spec:
selector:
matchLabels:
k8s-app: cloud-controller-manager
template:
metadata:
labels:
k8s-app: cloud-controller-manager
spec:
containers:
- name: cloud-controller-manager
image: ccmImageForAzure
command:
- cloud-controller-manager
- --cloud-provider=azure
- --leader-elect=true
- --cluster-cidr=192.0.2.0/24
- -v=2
- --controllers=*,-cloud-node
- --cloud-config=/etc/azure/azure.json
- --allocate-node-cidrs=false
- --configure-cloud-routes=true
resources: {}
volumeMounts:
- name: etckubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: etcssl
mountPath: /etc/ssl
readOnly: true
- name: etcpki
mountPath: /etc/pki
readOnly: true
- name: azureconfig
mountPath: /etc/azure
readOnly: true
nodeSelector:
node-role.kubernetes.io/control-plane: ""
serviceAccountName: cloud-controller-manager
tolerations:
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/not-ready
volumes:
- name: etckubernetes
hostPath:
path: /etc/kubernetes
- name: etcssl
hostPath:
path: /etc/ssl
- name: etcpki
hostPath:
path: /etc/pki
- name: azureconfig
secret:
secretName: azureconfig
updateStrategy: {}

9
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/azure-secret.yaml vendored Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: azureconfig
namespace: testNamespace
data:
azure.json: YmFhYWFhYWQ=

12
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cloud-controller-manager
namespace: testNamespace

5
cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-controller-manager
namespace: testNamespace

24
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/clusterrole.yaml vendored Normal file
View file

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: join-service
name: join-service
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- update

12
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: join-service
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: join-service
subjects:
- kind: ServiceAccount
name: join-service
namespace: testNamespace

12
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/configmap.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: join-config
namespace: kube-system
data:
enforcedPCRs: "[1,11]"
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
enforceIdKeyDigest: "true"
idkeydigest: "baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad"
binaryData:
measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

69
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml vendored Normal file
View file

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: join-service
namespace: testNamespace
labels:
component: join-service
k8s-app: join-service
kubernetes.io/cluster-service: "true"
spec:
selector:
matchLabels:
k8s-app: join-service
template:
metadata:
labels:
k8s-app: join-service
spec:
priorityClassName: system-cluster-critical
serviceAccountName: join-service
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/control-plane: ""
containers:
- name: join-service
image: joinServiceImage
args:
- --cloud-provider=Azure
- --kms-endpoint=kms.kube-system:9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
ports:
- containerPort: 9090
name: tcp
resources: {}
securityContext:
privileged: true
volumes:
- name: config
projected:
sources:
- configMap:
name: join-config
- configMap:
name: k8s-version
- configMap:
name: internal-config
- name: kubeadm
hostPath:
path: /etc/kubernetes
updateStrategy: {}

17
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/service.yaml vendored Normal file
View file

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: join-service
namespace: testNamespace
spec:
type: NodePort
selector:
k8s-app: join-service
ports:
- name: grpc
protocol: TCP
port: 9090
targetPort: 9090
nodePort: 30090
status:
loadBalancer: {}

5
cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: join-service
namespace: testNamespace

13
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrole.yaml vendored Normal file
View file

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get

12
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
subjects:
- kind: ServiceAccount
name: kms
namespace: testNamespace

63
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/daemonset.yaml vendored Normal file
View file

@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
kubernetes.io/cluster-service: "true"
name: kms
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
template:
metadata:
labels:
k8s-app: kms
spec:
containers:
- name: kms
image: kmsImage
args:
- --port=9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
resources: {}
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: config
projected:
sources:
- configMap:
items:
- key: measurements
path: measurements
name: join-config
- secret:
items:
- key: mastersecret
path: mastersecret
- key: salt
path: salt
name: constellation-mastersecret
updateStrategy: {}

9
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/mastersecret.yaml vendored Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: constellation-mastersecret
namespace: testNamespace
data:
mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

16
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/service.yaml vendored Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
namespace: testNamespace
spec:
ports:
- name: grpc
port: 9000
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
type: ClusterIP
status:
loadBalancer: {}

5
cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
namespace: testNamespace

0
cli/internal/helm/testdata/Azure/constellation-services/templates/.gitkeep vendored Normal file
View file

12
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cloud-controller-manager
namespace: testNamespace

9
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml vendored Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gceconf
namespace: testNamespace
data:
gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\n"

83
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-daemonset.yaml vendored Normal file
View file

@ -0,0 +1,83 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cloud-controller-manager
namespace: testNamespace
labels:
k8s-app: cloud-controller-manager
spec:
selector:
matchLabels:
k8s-app: cloud-controller-manager
template:
metadata:
labels:
k8s-app: cloud-controller-manager
spec:
containers:
- name: cloud-controller-manager
image: ccmImageForGCP
command:
- /cloud-controller-manager
- --cloud-provider=gce
- --leader-elect=true
- --cluster-cidr=192.0.2.0/24
- -v=2
- --use-service-account-credentials
- --controllers=cloud-node,cloud-node-lifecycle,nodeipam,service,route
- --cloud-config=/etc/gce/gce.conf
- --cidr-allocator-type=CloudAllocator
- --allocate-node-cidrs=true
- --configure-cloud-routes=false
env:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: /var/secrets/google/key.json
volumeMounts:
- mountPath: /etc/kubernetes
name: etckubernetes
readOnly: true
- mountPath: /etc/ssl
name: etcssl
readOnly: true
- mountPath: /etc/pki
name: etcpki
readOnly: true
- mountPath: /etc/gce
name: gceconf
readOnly: true
- mountPath: /var/secrets/google
name: gcekey
readOnly: true
resources: {}
serviceAccountName: cloud-controller-manager
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/not-ready
volumes:
- name: etckubernetes
hostPath:
path: /etc/kubernetes
- name: etcssl
hostPath:
path: /etc/ssl
- name: etcpki
hostPath:
path: /etc/pki
- name: gceconf
configMap:
name: gceconf
- name: gcekey
secret:
secretName: gcekey
updateStrategy: {}

9
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-secret.yaml vendored Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: gcekey
namespace: testNamespace
data:
key.json: YmFhYWFhYWQ=

5
cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-controller-manager
namespace: testNamespace

24
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/clusterrole.yaml vendored Normal file
View file

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: join-service
name: join-service
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- update

12
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: join-service
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: join-service
subjects:
- kind: ServiceAccount
name: join-service
namespace: testNamespace

10
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/configmap.yaml vendored Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: join-config
namespace: kube-system
data:
enforcedPCRs: "[1,11]"
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
binaryData:
measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

69
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml vendored Normal file
View file

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: join-service
namespace: testNamespace
labels:
component: join-service
k8s-app: join-service
kubernetes.io/cluster-service: "true"
spec:
selector:
matchLabels:
k8s-app: join-service
template:
metadata:
labels:
k8s-app: join-service
spec:
priorityClassName: system-cluster-critical
serviceAccountName: join-service
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/control-plane: ""
containers:
- name: join-service
image: joinServiceImage
args:
- --cloud-provider=GCP
- --kms-endpoint=kms.kube-system:9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
ports:
- containerPort: 9090
name: tcp
resources: {}
securityContext:
privileged: true
volumes:
- name: config
projected:
sources:
- configMap:
name: join-config
- configMap:
name: k8s-version
- configMap:
name: internal-config
- name: kubeadm
hostPath:
path: /etc/kubernetes
updateStrategy: {}

17
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/service.yaml vendored Normal file
View file

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: join-service
namespace: testNamespace
spec:
type: NodePort
selector:
k8s-app: join-service
ports:
- name: grpc
protocol: TCP
port: 9090
targetPort: 9090
nodePort: 30090
status:
loadBalancer: {}

5
cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: join-service
namespace: testNamespace

13
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrole.yaml vendored Normal file
View file

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get

12
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
subjects:
- kind: ServiceAccount
name: kms
namespace: testNamespace

63
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/daemonset.yaml vendored Normal file
View file

@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
kubernetes.io/cluster-service: "true"
name: kms
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
template:
metadata:
labels:
k8s-app: kms
spec:
containers:
- name: kms
image: kmsImage
args:
- --port=9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
resources: {}
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: config
projected:
sources:
- configMap:
items:
- key: measurements
path: measurements
name: join-config
- secret:
items:
- key: mastersecret
path: mastersecret
- key: salt
path: salt
name: constellation-mastersecret
updateStrategy: {}

9
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/mastersecret.yaml vendored Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: constellation-mastersecret
namespace: testNamespace
data:
mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

16
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/service.yaml vendored Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
namespace: testNamespace
spec:
ports:
- name: grpc
port: 9000
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
type: ClusterIP
status:
loadBalancer: {}

5
cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
namespace: testNamespace

0
cli/internal/helm/testdata/GCP/constellation-services/templates/.gitkeep vendored Normal file
View file

12
cli/internal/helm/testdata/QEMU/constellation-services/charts/ccm/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:cloud-controller-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: cloud-controller-manager
namespace: testNamespace

5
cli/internal/helm/testdata/QEMU/constellation-services/charts/ccm/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cloud-controller-manager
namespace: testNamespace

24
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/clusterrole.yaml vendored Normal file
View file

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: join-service
name: join-service
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- create
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- create
- update

12
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: join-service
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: join-service
subjects:
- kind: ServiceAccount
name: join-service
namespace: testNamespace

10
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/configmap.yaml vendored Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: join-config
namespace: kube-system
data:
enforcedPCRs: "[1,11]"
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
binaryData:
measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

69
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml vendored Normal file
View file

@ -0,0 +1,69 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: join-service
namespace: testNamespace
labels:
component: join-service
k8s-app: join-service
kubernetes.io/cluster-service: "true"
spec:
selector:
matchLabels:
k8s-app: join-service
template:
metadata:
labels:
k8s-app: join-service
spec:
priorityClassName: system-cluster-critical
serviceAccountName: join-service
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/control-plane: ""
containers:
- name: join-service
image: joinServiceImage
args:
- --cloud-provider=QEMU
- --kms-endpoint=kms.kube-system:9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
- mountPath: /etc/kubernetes
name: kubeadm
readOnly: true
ports:
- containerPort: 9090
name: tcp
resources: {}
securityContext:
privileged: true
volumes:
- name: config
projected:
sources:
- configMap:
name: join-config
- configMap:
name: k8s-version
- configMap:
name: internal-config
- name: kubeadm
hostPath:
path: /etc/kubernetes
updateStrategy: {}

17
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/service.yaml vendored Normal file
View file

@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: join-service
namespace: testNamespace
spec:
type: NodePort
selector:
k8s-app: join-service
ports:
- name: grpc
protocol: TCP
port: 9090
targetPort: 9090
nodePort: 30090
status:
loadBalancer: {}

5
cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: join-service
namespace: testNamespace

13
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrole.yaml vendored Normal file
View file

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
k8s-app: kms
name: kms
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get

12
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrolebinding.yaml vendored Normal file
View file

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kms
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kms
subjects:
- kind: ServiceAccount
name: kms
namespace: testNamespace

63
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/daemonset.yaml vendored Normal file
View file

@ -0,0 +1,63 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: kms
k8s-app: kms
kubernetes.io/cluster-service: "true"
name: kms
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: kms
template:
metadata:
labels:
k8s-app: kms
spec:
containers:
- name: kms
image: kmsImage
args:
- --port=9000
volumeMounts:
- mountPath: /var/config
name: config
readOnly: true
resources: {}
nodeSelector:
node-role.kubernetes.io/control-plane: ""
priorityClassName: system-cluster-critical
serviceAccountName: kms
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- name: config
projected:
sources:
- configMap:
items:
- key: measurements
path: measurements
name: join-config
- secret:
items:
- key: mastersecret
path: mastersecret
- key: salt
path: salt
name: constellation-mastersecret
updateStrategy: {}

9
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/mastersecret.yaml vendored Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: constellation-mastersecret
namespace: testNamespace
data:
mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

16
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/service.yaml vendored Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: kms
namespace: testNamespace
spec:
ports:
- name: grpc
port: 9000
protocol: TCP
targetPort: 9000
selector:
k8s-app: kms
type: ClusterIP
status:
loadBalancer: {}

5
cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/serviceaccount.yaml vendored Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kms
namespace: testNamespace

0
cli/internal/helm/testdata/QEMU/constellation-services/templates/.gitkeep vendored Normal file
View file