Add helm unittests (#380)

.github/workflows/test-helm-lint.yaml

@@ -1,41 +0,0 @@
-name: Lint Helm Charts
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-      - "release/**"
-    paths:
-      - "cli/internal/helm/charts/**"
-  pull_request:
-    paths:
-      - "cli/internal/helm/charts/**"
-
-# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-
-jobs:
-  helm-lint:
-    runs-on: ubuntu-latest
-    env:
-      CTEST_OUTPUT_ON_FAILURE: True
-    steps:
-      - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Setup Helm
-        uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # tag=v3
-        with:
-          version: "v3.9.0" # default is latest (stable)
-
-      - name: Create and populate build folder
-        run: mkdir build && cd build && cmake ..
-
-      - name: Unit Tests
-        run: ctest -R helm-lint
-        working-directory: build

.github/workflows/test-unittest.yml

@@ -42,6 +42,8 @@ jobs:
       - name: Unit Tests
         run: ctest -R unit
         working-directory: build
+        env:
+          TMPDIR: ${{ runner.temp }}
 
   test-darwin:
     runs-on: macos-12

CMakeLists.txt

@@ -63,9 +63,3 @@ add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CM
 add_test(NAME integration-csi COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/csi)
 add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/disk-mapper/internal)
 add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)
-add_test(NAME helm-lint COMMAND bash -c "helm lint * --set tags.GCP=true --set kms.image='ghcr.io/edgelesssys/constellation/kms:latest' --set join-service.csp='GCP' \
-  --set join-service.enforcedPCRs='[]' --set join-service.image='ghcr.io/edgelesssys/constellation/join-service:latest' --set join-service.measurements='[]' \
-  --set join-service.measurementSalt='deadbeef' --set kms.salt='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' --set kms.masterSecret='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' \
-  --set ccm.csp='GCP' --set ccm.subnetworkCIDR='192.0.2.0/24' --set ccm.GCP.image='ghcr.io/edgelesssys/cloud-provider-gcp:latest' --set ccm.GCP.projectID='demoproject-581925' \
-  --set ccm.GCP.uid='foobar' --set ccm.GCP.secretData='jsonstring'"
-  WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/cli/internal/helm/charts/edgeless/)

cli/internal/cmd/init.go

@@ -59,7 +59,7 @@ func runInitialize(cmd *cobra.Command, args []string) error {
 	newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
 		return dialer.New(nil, validator.V(cmd), &net.Dialer{})
 	}
-	helmLoader := &helm.ChartLoader{}
+
 	spinner := newSpinner(cmd.OutOrStdout())
 	defer spinner.Stop()
 
@@ -67,12 +67,12 @@ func runInitialize(cmd *cobra.Command, args []string) error {
 	defer cancel()
 	cmd.SetContext(ctx)
 
-	return initialize(cmd, newDialer, fileHandler, helmLoader, license.NewClient(), spinner)
+	return initialize(cmd, newDialer, fileHandler, license.NewClient(), spinner)
 }
 
 // initialize initializes a Constellation.
 func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator) *dialer.Dialer,
-	fileHandler file.Handler, helmLoader helmLoader, quotaChecker license.QuotaChecker, spinner spinnerInterf,
+	fileHandler file.Handler, quotaChecker license.QuotaChecker, spinner spinnerInterf,
 ) error {
 	flags, err := evalFlagArgs(cmd)
 	if err != nil {
@@ -125,8 +125,8 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
 	if err != nil {
 		return fmt.Errorf("parsing or generating master secret from file %s: %w", flags.masterSecretPath, err)
 	}
-
+	helmLoader := helm.New(provider, k8sVersion)
-	helmDeployments, err := helmLoader.Load(provider, flags.conformance, masterSecret.Key, masterSecret.Salt, getEnforcedPCRs(provider, config), getEnforceIDKeyDigest(provider, config), k8sVersion)
+	helmDeployments, err := helmLoader.Load(provider, flags.conformance, masterSecret.Key, masterSecret.Salt, getEnforcedPCRs(provider, config), getEnforceIDKeyDigest(provider, config))
 	if err != nil {
 		return fmt.Errorf("loading Helm charts: %w", err)
 	}
@@ -368,7 +368,3 @@ func getMarshaledServiceAccountURI(provider cloudprovider.Provider, config *conf
 type grpcDialer interface {
 	Dial(ctx context.Context, target string) (*grpc.ClientConn, error)
 }
-
-type helmLoader interface {
-	Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error)
-}

cli/internal/cmd/init_test.go

@@ -31,7 +31,6 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/grpc/testdialer"
 	"github.com/edgelesssys/constellation/v2/internal/license"
 	"github.com/edgelesssys/constellation/v2/internal/oid"
-	"github.com/edgelesssys/constellation/v2/internal/versions"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -64,7 +63,6 @@ func TestInitialize(t *testing.T) {
 		idFile                  *clusterid.File
 		configMutator           func(*config.Config)
 		serviceAccKey           *gcpshared.ServiceAccountKey
-		helmLoader              stubHelmLoader
 		initServerAPI           *stubInitServer
 		masterSecretShouldExist bool
 		wantErr                 bool
@@ -163,7 +161,7 @@ func TestInitialize(t *testing.T) {
 			defer cancel()
 			cmd.SetContext(ctx)
 
-			err := initialize(cmd, newDialer, fileHandler, &tc.helmLoader, &stubLicenseClient{}, nopSpinner{})
+			err := initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, nopSpinner{})
 
 			if tc.wantErr {
 				assert.Error(err)
@@ -405,7 +403,7 @@ func TestAttestation(t *testing.T) {
 	defer cancel()
 	cmd.SetContext(ctx)
 
-	err := initialize(cmd, newDialer, fileHandler, &stubHelmLoader{}, &stubLicenseClient{}, nopSpinner{})
+	err := initialize(cmd, newDialer, fileHandler, &stubLicenseClient{}, nopSpinner{})
 	assert.Error(err)
 	// make sure the error is actually a TLS handshake error
 	assert.Contains(err.Error(), "transport: authentication handshake failed")
@@ -504,11 +502,3 @@ func (c *stubLicenseClient) QuotaCheck(ctx context.Context, checkRequest license
 		Quota: 25,
 	}, nil
 }
-
-type stubHelmLoader struct {
-	loadErr error
-}
-
-func (d *stubHelmLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error) {
-	return nil, d.loadErr
-}

cli/internal/cmd/miniup.go

@@ -19,7 +19,6 @@ import (
 	"strings"
 
 	"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd"
-	"github.com/edgelesssys/constellation/v2/cli/internal/helm"
 	"github.com/edgelesssys/constellation/v2/cli/internal/libvirt"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
@@ -236,13 +235,12 @@ func initializeMiniCluster(cmd *cobra.Command, fileHandler file.Handler, spinner
 	newDialer := func(validator *cloudcmd.Validator) *dialer.Dialer {
 		return dialer.New(nil, validator.V(cmd), &net.Dialer{})
 	}
-	helmLoader := &helm.ChartLoader{}
 
 	cmd.Flags().String("master-secret", "", "")
 	cmd.Flags().String("endpoint", "", "")
 	cmd.Flags().Bool("conformance", false, "")
 
-	if err := initialize(cmd, newDialer, fileHandler, helmLoader, license.NewClient(), spinner); err != nil {
+	if err := initialize(cmd, newDialer, fileHandler, license.NewClient(), spinner); err != nil {
 		return err
 	}
 	return nil

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/aws-daemonset.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.csp "AWS" }}
+{{- if eq .Values.csp "AWS" -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -60,4 +60,4 @@ spec:
         hostPath:
           path: /etc/pki
   updateStrategy: {}
-{{ end }}
+{{- end -}}

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/azure-daemonset.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.csp "Azure" }}
+{{- if eq .Values.csp "Azure" -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -70,4 +70,4 @@ spec:
         secret:
           secretName: azureconfig
   updateStrategy: {}
-{{ end }}
+{{- end -}}

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/azure-secret.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.csp "Azure" }}
+{{- if eq .Values.csp "Azure" -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,4 +6,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 data:
   azure.json: {{ .Values.Azure.azureConfig | b64enc }}
-{{ end }}
+{{- end -}}

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-cm.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.csp "GCP" }}
+{{- if eq .Values.csp "GCP" -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -6,4 +6,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 data:
   gce.conf: "[global]\nproject-id = {{.Values.GCP.projectID }}\nuse-metadata-server = true\nnode-tags = constellation-{{ .Values.GCP.uid }}\n"
-{{ end }}
+{{- end -}}

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-daemonset.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.csp "GCP" }}
+{{- if eq .Values.csp "GCP" -}}
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -81,4 +81,4 @@ spec:
           secret:
             secretName: gcekey
   updateStrategy: {}
-{{ end }}
+{{- end -}}

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-secret.yaml

@@ -1,4 +1,4 @@
-{{ if eq .Values.csp "GCP" }}
+{{- if eq .Values.csp "GCP" -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,4 +6,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 data:
   key.json: {{ .Values.GCP.secretData | b64enc }}
-{{ end }}
+{{- end -}}

cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/templates/configmap.yaml

@@ -10,7 +10,7 @@ data:
   {{- if eq .Values.csp "Azure" }}
   # ConfigMap.data is of type map[string]string. quote will not quote a quoted string.
   enforceIdKeyDigest: {{ .Values.enforceIdKeyDigest | quote }}
-  idkeydigest: {{ .Values.idkeydigest }}
+  idkeydigest: {{ .Values.idkeydigest | quote }}
   {{- end }}
 binaryData:
   measurementSalt: {{ .Values.measurementSalt }}

cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/values.schema.json

@@ -27,8 +27,7 @@
         "image": {
             "description": "Container image to use for the spawned pods.",
             "type": "string",
-            "examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"],
+            "examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"]
-            "pattern": "ghcr.io/edgelesssys/constellation/join-service:.+"
         },
         "measurementSalt": {
             "description": "Salt used to generate node measurements",

cli/internal/helm/charts/edgeless/constellation-services/charts/kms/values.schema.json

@@ -4,8 +4,7 @@
         "image": {
             "description": "Container image to use for the spawned pods.",
             "type": "string",
-            "examples": ["ghcr.io/edgelesssys/constellation/kms:latest"],
+            "examples": ["ghcr.io/edgelesssys/constellation/kms:latest"]
-            "pattern": "ghcr.io/edgelesssys/constellation/kms:*"
         },
         "masterSecret": {
             "description": "Secret used to derive key material within the cluster",

cli/internal/helm/loader.go

@@ -34,15 +34,37 @@ import (
 //go:embed all:charts/*
 var HelmFS embed.FS
 
-type ChartLoader struct{}
+type ChartLoader struct {
+	joinServiceImage string
+	kmsImage         string
+	ccmImage         string
+}
 
-func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion) ([]byte, error) {
+func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *ChartLoader {
+	var ccmImage string
+	switch csp {
+	case cloudprovider.AWS:
+		ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAWS
+	case cloudprovider.Azure:
+		ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAzure
+	case cloudprovider.GCP:
+		ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageGCP
+	}
+
+	return &ChartLoader{
+		joinServiceImage: versions.JoinImage,
+		kmsImage:         versions.KmsImage,
+		ccmImage:         ccmImage,
+	}
+}
+
+func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool) ([]byte, error) {
 	ciliumRelease, err := i.loadCilium(csp, conformanceMode)
 	if err != nil {
 		return nil, err
 	}
 
-	conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest, k8sVersion)
+	conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest)
 	if err != nil {
 		return nil, err
 	}
@@ -93,7 +115,7 @@ func (i *ChartLoader) loadCilium(csp cloudprovider.Provider, conformanceMode boo
 // loadConstellationServices loads the constellation-services chart from the embed.FS, marshals it into a helm-package .tgz and sets the values that can be set in the CLI.
 func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 	masterSecret []byte, salt []byte, enforcedPCRs []uint32,
-	enforceIDKeyDigest bool, k8sVersion versions.ValidK8sVersion,
+	enforceIDKeyDigest bool,
 ) (helm.Release, error) {
 	chart, err := loadChartsDir(HelmFS, "charts/edgeless/constellation-services")
 	if err != nil {
@@ -119,7 +141,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 			"internalCMName":   constants.InternalConfigMap,
 		},
 		"kms": map[string]any{
-			"image":                versions.KmsImage,
+			"image":                i.kmsImage,
 			"masterSecret":         base64.StdEncoding.EncodeToString(masterSecret),
 			"salt":                 base64.StdEncoding.EncodeToString(salt),
 			"namespace":            constants.ConstellationNamespace,
@@ -131,7 +153,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 		"join-service": map[string]any{
 			"csp":          csp,
 			"enforcedPCRs": string(enforcedPCRsJSON),
-			"image":        versions.JoinImage,
+			"image":        i.joinServiceImage,
 			"namespace":    constants.ConstellationNamespace,
 		},
 		"ccm": map[string]interface{}{
@@ -153,7 +175,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 				return helm.Release{}, errors.New("invalid ccm values")
 			}
 			ccmVals["Azure"] = map[string]any{
-				"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAzure,
+				"image": i.ccmImage,
 			}
 
 			vals["tags"] = map[string]any{
@@ -167,7 +189,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 				return helm.Release{}, errors.New("invalid ccm values")
 			}
 			ccmVals["GCP"] = map[string]any{
-				"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageGCP,
+				"image": i.ccmImage,
 			}
 
 			vals["tags"] = map[string]any{
@@ -186,7 +208,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 			return helm.Release{}, errors.New("invalid ccm values")
 		}
 		ccmVals["AWS"] = map[string]any{
-			"image": versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAWS,
+			"image": i.ccmImage,
 		}
 
 		vals["tags"] = map[string]any{
@@ -200,12 +222,18 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 // marshalChart takes a Chart object, packages it to a temporary file and returns the content of that file.
 // We currently need to take this approach of marshaling as dependencies are not marshaled correctly with json.Marshal.
 // This stems from the fact that chart.Chart does not export the dependencies property.
-// See: https://github.com/helm/helm/issues/11454
 func (i *ChartLoader) marshalChart(chart *chart.Chart) ([]byte, error) {
-	path, err := chartutil.Save(chart, os.TempDir())
+	// A separate tmpdir path is necessary since during unit testing multiple go routines are accessing the same path, possibly deleting files for other routines.
+	tmpDirPath, err := os.MkdirTemp("", "*")
+	defer os.Remove(tmpDirPath)
+	if err != nil {
+		return nil, fmt.Errorf("creating tmp dir: %w", err)
+	}
+
+	path, err := chartutil.Save(chart, tmpDirPath)
 	defer os.Remove(path)
 	if err != nil {
-		return nil, fmt.Errorf("packaging chart: %w", err)
+		return nil, fmt.Errorf("chartutil save: %w", err)
 	}
 	chartRaw, err := os.ReadFile(path)
 	if err != nil {

cli/internal/helm/loader_test.go

@@ -9,27 +9,167 @@ package helm
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"io/fs"
+	"os"
+	"path"
 	"testing"
 
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
-	"github.com/edgelesssys/constellation/v2/internal/versions"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/engine"
 )
 
+// TestLoad checks if the serialized format that Load returns correctly preserves the dependencies of the loaded chart.
 func TestLoad(t *testing.T) {
 	assert := assert.New(t)
+	require := require.New(t)
 
 	chartLoader := ChartLoader{}
-	release, err := chartLoader.Load(cloudprovider.GCP, true, []byte("secret"), []byte("salt"), nil, false, versions.Default)
+	release, err := chartLoader.Load(cloudprovider.GCP, true, []byte("secret"), []byte("salt"), nil, false)
-	assert.NoError(err)
+	require.NoError(err)
 
 	var helmReleases helm.Releases
 	err = json.Unmarshal(release, &helmReleases)
-	assert.NoError(err)
+	require.NoError(err)
 	reader := bytes.NewReader(helmReleases.ConstellationServices.Chart)
 	chart, err := loader.LoadArchive(reader)
-	assert.NoError(err)
+	require.NoError(err)
 	assert.NotNil(chart.Dependencies())
 }
+
+// TestTemplate checks if the rendered constellation-services chart produces the expected yaml files.
+func TestTemplate(t *testing.T) {
+	testCases := map[string]struct {
+		csp                cloudprovider.Provider
+		enforceIDKeyDigest bool
+		valuesModifier     func(map[string]any) error
+		ccmImage           string
+	}{
+		"GCP": {
+			csp:                cloudprovider.GCP,
+			enforceIDKeyDigest: false,
+			valuesModifier:     prepareGCPValues,
+			ccmImage:           "ccmImageForGCP",
+		},
+		"Azure": {
+			csp:                cloudprovider.Azure,
+			enforceIDKeyDigest: true,
+			valuesModifier:     prepareAzureValues,
+			ccmImage:           "ccmImageForAzure",
+		},
+		"QEMU": {
+			csp:                cloudprovider.QEMU,
+			enforceIDKeyDigest: false,
+			valuesModifier:     prepareQEMUValues,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+
+			chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage}
+			release, err := chartLoader.Load(tc.csp, true, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []uint32{1, 11}, tc.enforceIDKeyDigest)
+			require.NoError(err)
+
+			var helmReleases helm.Releases
+			err = json.Unmarshal(release, &helmReleases)
+			require.NoError(err)
+			reader := bytes.NewReader(helmReleases.ConstellationServices.Chart)
+			chart, err := loader.LoadArchive(reader)
+			require.NoError(err)
+
+			options := chartutil.ReleaseOptions{
+				Name:      "testRelease",
+				Namespace: "testNamespace",
+				Revision:  1,
+				IsInstall: true,
+				IsUpgrade: false,
+			}
+			caps := &chartutil.Capabilities{}
+
+			err = tc.valuesModifier(helmReleases.ConstellationServices.Values)
+			require.NoError(err)
+
+			valuesToRender, err := chartutil.ToRenderValues(chart, helmReleases.ConstellationServices.Values, options, caps)
+			require.NoError(err)
+			result, err := engine.Render(chart, valuesToRender)
+			require.NoError(err)
+			for k, v := range result {
+				currentFile := path.Join("testdata", tc.csp.String(), k)
+				content, err := os.ReadFile(currentFile)
+
+				// If a file does not exist, we expect the render for that path to be empty.
+				if errors.Is(err, fs.ErrNotExist) {
+					assert.YAMLEq("", v, fmt.Sprintf("current file: %s", currentFile))
+					continue
+				}
+				assert.NoError(err)
+				assert.YAMLEq(string(content), v, fmt.Sprintf("current file: %s", currentFile))
+			}
+		})
+	}
+}
+
+func prepareGCPValues(values map[string]any) error {
+	joinVals, ok := values["join-service"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'join-service' key")
+	}
+	joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
+	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+
+	ccmVals, ok := values["ccm"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'ccm' key")
+	}
+	ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
+	ccmVals["GCP"].(map[string]any)["projectID"] = "42424242424242"
+	ccmVals["GCP"].(map[string]any)["uid"] = "242424242424"
+	ccmVals["GCP"].(map[string]any)["secretData"] = "baaaaaad"
+
+	return nil
+}
+
+func prepareAzureValues(values map[string]any) error {
+	joinVals, ok := values["join-service"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'join-service' key")
+	}
+	joinVals["idkeydigest"] = "baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad"
+	joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
+	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+
+	ccmVals, ok := values["ccm"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'ccm' key")
+	}
+	ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
+	ccmVals["Azure"].(map[string]any)["azureConfig"] = "baaaaaad"
+
+	return nil
+}
+
+func prepareQEMUValues(values map[string]any) error {
+	joinVals, ok := values["join-service"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'join-service' key")
+	}
+	joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
+	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+
+	ccmVals, ok := values["ccm"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'ccm' key")
+	}
+	ccmVals["subnetworkCIDR"] = "192.0.2.0/24"
+
+	return nil
+}

cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/azure-daemonset.yaml

@@ -0,0 +1,72 @@
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cloud-controller-manager
+  namespace: testNamespace
+  labels:
+    k8s-app: cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cloud-controller-manager
+  template:
+    metadata:
+      labels:
+        k8s-app: cloud-controller-manager
+    spec:
+      containers:
+      - name: cloud-controller-manager
+        image: ccmImageForAzure
+        command:
+        - cloud-controller-manager
+        - --cloud-provider=azure
+        - --leader-elect=true
+        - --cluster-cidr=192.0.2.0/24
+        - -v=2
+        - --controllers=*,-cloud-node
+        - --cloud-config=/etc/azure/azure.json
+        - --allocate-node-cidrs=false
+        - --configure-cloud-routes=true
+        resources: {}
+        volumeMounts:
+        - name: etckubernetes
+          mountPath: /etc/kubernetes
+          readOnly: true
+        - name: etcssl
+          mountPath: /etc/ssl
+          readOnly: true
+        - name: etcpki
+          mountPath: /etc/pki
+          readOnly: true
+        - name: azureconfig
+          mountPath: /etc/azure
+          readOnly: true
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      serviceAccountName: cloud-controller-manager
+      tolerations:
+      - effect: NoSchedule
+        key: node.cloudprovider.kubernetes.io/uninitialized
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoSchedule
+        key: node.kubernetes.io/not-ready
+      volumes:
+      - name: etckubernetes
+        hostPath:
+          path: /etc/kubernetes
+      - name: etcssl
+        hostPath:
+          path: /etc/ssl
+      - name: etcpki
+        hostPath:
+          path: /etc/pki
+      - name: azureconfig
+        secret:
+          secretName: azureconfig
+  updateStrategy: {}

cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/azure-secret.yaml

@@ -0,0 +1,9 @@
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: azureconfig
+  namespace: testNamespace
+data:
+  azure.json: YmFhYWFhYWQ=
+

cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: cloud-controller-manager
+    namespace: testNamespace

cli/internal/helm/testdata/Azure/constellation-services/charts/ccm/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: testNamespace

cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/clusterrole.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: join-service
+  name: join-service
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - update

cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: join-service
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: join-service
+subjects:
+- kind: ServiceAccount
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: join-config
+  namespace: kube-system
+data:
+  enforcedPCRs: "[1,11]"
+  measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
+  enforceIdKeyDigest: "true"
+  idkeydigest: "baaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaadbaaaaaad"
+binaryData:
+  measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/daemonset.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: join-service
+  namespace: testNamespace
+  labels:
+    component: join-service
+    k8s-app: join-service
+    kubernetes.io/cluster-service: "true"
+spec:
+  selector:
+    matchLabels:
+      k8s-app: join-service
+  template:
+    metadata:
+      labels:
+        k8s-app: join-service
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: join-service
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Equal
+          value: "true"
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      containers:
+        - name: join-service
+          image: joinServiceImage
+          args:
+            - --cloud-provider=Azure
+            - --kms-endpoint=kms.kube-system:9000
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+            - mountPath: /etc/kubernetes
+              name: kubeadm
+              readOnly: true
+          ports:
+            - containerPort: 9090
+              name: tcp
+          resources: {}
+          securityContext:
+            privileged: true
+      volumes:
+        - name: config
+          projected:
+            sources:
+              - configMap:
+                  name: join-config
+              - configMap:
+                  name: k8s-version
+              - configMap:
+                  name: internal-config
+        - name: kubeadm
+          hostPath:
+            path: /etc/kubernetes
+  updateStrategy: {}

cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: join-service
+  namespace: testNamespace
+spec:
+  type: NodePort
+  selector:
+    k8s-app: join-service
+  ports:
+  - name: grpc
+    protocol: TCP
+    port: 9090
+    targetPort: 9090
+    nodePort: 30090
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/Azure/constellation-services/charts/join-service/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: kms
+  name: kms
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get

cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kms
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kms
+subjects:
+- kind: ServiceAccount
+  name: kms
+  namespace: testNamespace

cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/daemonset.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: kms
+    k8s-app: kms
+    kubernetes.io/cluster-service: "true"
+  name: kms
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kms
+  template:
+    metadata:
+      labels:
+        k8s-app: kms
+    spec:
+      containers:
+        - name: kms
+          image: kmsImage
+          args:
+            - --port=9000
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+          resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      priorityClassName: system-cluster-critical
+      serviceAccountName: kms
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: config
+        projected:
+          sources:
+          - configMap:
+              items:
+              - key: measurements
+                path: measurements
+              name: join-config
+          - secret:
+              items:
+              - key: mastersecret
+                path: mastersecret
+              - key: salt
+                path: salt
+              name: constellation-mastersecret
+  updateStrategy: {}

cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/mastersecret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: constellation-mastersecret
+  namespace: testNamespace
+data:
+  mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
+  salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kms
+  namespace: testNamespace
+spec:
+  ports:
+  - name: grpc
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
+  selector:
+    k8s-app: kms
+  type: ClusterIP
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/Azure/constellation-services/charts/kms/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kms
+  namespace: testNamespace

cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: cloud-controller-manager
+    namespace: testNamespace

cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-cm.yaml

@@ -0,0 +1,9 @@
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gceconf
+  namespace: testNamespace
+data:
+  gce.conf: "[global]\nproject-id = 42424242424242\nuse-metadata-server = true\nnode-tags = constellation-242424242424\n"
+

cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-daemonset.yaml

@@ -0,0 +1,83 @@
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cloud-controller-manager
+  namespace: testNamespace
+  labels:
+    k8s-app: cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cloud-controller-manager
+  template:
+    metadata:
+      labels:
+        k8s-app: cloud-controller-manager
+    spec:
+      containers:
+        - name: cloud-controller-manager
+          image: ccmImageForGCP
+          command:
+          - /cloud-controller-manager
+          - --cloud-provider=gce
+          - --leader-elect=true
+          - --cluster-cidr=192.0.2.0/24
+          - -v=2
+          - --use-service-account-credentials
+          - --controllers=cloud-node,cloud-node-lifecycle,nodeipam,service,route
+          - --cloud-config=/etc/gce/gce.conf
+          - --cidr-allocator-type=CloudAllocator
+          - --allocate-node-cidrs=true
+          - --configure-cloud-routes=false
+          env:
+            - name: GOOGLE_APPLICATION_CREDENTIALS
+              value: /var/secrets/google/key.json
+          volumeMounts:
+            - mountPath: /etc/kubernetes
+              name: etckubernetes
+              readOnly: true
+            - mountPath: /etc/ssl
+              name: etcssl
+              readOnly: true
+            - mountPath: /etc/pki
+              name: etcpki
+              readOnly: true
+            - mountPath: /etc/gce
+              name: gceconf
+              readOnly: true
+            - mountPath: /var/secrets/google
+              name: gcekey
+              readOnly: true
+          resources: {}
+      serviceAccountName: cloud-controller-manager
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+        - effect: NoSchedule
+          key: node.cloudprovider.kubernetes.io/uninitialized
+          value: "true"
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoSchedule
+          key: node.kubernetes.io/not-ready
+      volumes:
+        - name: etckubernetes
+          hostPath:
+            path: /etc/kubernetes
+        - name: etcssl
+          hostPath:
+            path: /etc/ssl
+        - name: etcpki
+          hostPath:
+            path: /etc/pki
+        - name: gceconf
+          configMap:
+            name: gceconf
+        - name: gcekey
+          secret:
+            secretName: gcekey
+  updateStrategy: {}

cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-secret.yaml

@@ -0,0 +1,9 @@
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gcekey
+  namespace: testNamespace
+data:
+  key.json: YmFhYWFhYWQ=
+

cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: testNamespace

cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/clusterrole.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: join-service
+  name: join-service
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - update

cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: join-service
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: join-service
+subjects:
+- kind: ServiceAccount
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: join-config
+  namespace: kube-system
+data:
+  enforcedPCRs: "[1,11]"
+  measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
+binaryData:
+  measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/daemonset.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: join-service
+  namespace: testNamespace
+  labels:
+    component: join-service
+    k8s-app: join-service
+    kubernetes.io/cluster-service: "true"
+spec:
+  selector:
+    matchLabels:
+      k8s-app: join-service
+  template:
+    metadata:
+      labels:
+        k8s-app: join-service
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: join-service
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Equal
+          value: "true"
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      containers:
+        - name: join-service
+          image: joinServiceImage
+          args:
+            - --cloud-provider=GCP
+            - --kms-endpoint=kms.kube-system:9000
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+            - mountPath: /etc/kubernetes
+              name: kubeadm
+              readOnly: true
+          ports:
+            - containerPort: 9090
+              name: tcp
+          resources: {}
+          securityContext:
+            privileged: true
+      volumes:
+        - name: config
+          projected:
+            sources:
+              - configMap:
+                  name: join-config
+              - configMap:
+                  name: k8s-version
+              - configMap:
+                  name: internal-config
+        - name: kubeadm
+          hostPath:
+            path: /etc/kubernetes
+  updateStrategy: {}

cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: join-service
+  namespace: testNamespace
+spec:
+  type: NodePort
+  selector:
+    k8s-app: join-service
+  ports:
+  - name: grpc
+    protocol: TCP
+    port: 9090
+    targetPort: 9090
+    nodePort: 30090
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/GCP/constellation-services/charts/join-service/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: kms
+  name: kms
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get

cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kms
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kms
+subjects:
+- kind: ServiceAccount
+  name: kms
+  namespace: testNamespace

cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/daemonset.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: kms
+    k8s-app: kms
+    kubernetes.io/cluster-service: "true"
+  name: kms
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kms
+  template:
+    metadata:
+      labels:
+        k8s-app: kms
+    spec:
+      containers:
+        - name: kms
+          image: kmsImage
+          args:
+            - --port=9000
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+          resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      priorityClassName: system-cluster-critical
+      serviceAccountName: kms
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: config
+        projected:
+          sources:
+          - configMap:
+              items:
+              - key: measurements
+                path: measurements
+              name: join-config
+          - secret:
+              items:
+              - key: mastersecret
+                path: mastersecret
+              - key: salt
+                path: salt
+              name: constellation-mastersecret
+  updateStrategy: {}

cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/mastersecret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: constellation-mastersecret
+  namespace: testNamespace
+data:
+  mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
+  salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kms
+  namespace: testNamespace
+spec:
+  ports:
+  - name: grpc
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
+  selector:
+    k8s-app: kms
+  type: ClusterIP
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/GCP/constellation-services/charts/kms/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kms
+  namespace: testNamespace

cli/internal/helm/testdata/QEMU/constellation-services/charts/ccm/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: cloud-controller-manager
+    namespace: testNamespace

cli/internal/helm/testdata/QEMU/constellation-services/charts/ccm/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: testNamespace

cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/clusterrole.yaml

@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: join-service
+  name: join-service
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - update

cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: join-service
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: join-service
+subjects:
+- kind: ServiceAccount
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: join-config
+  namespace: kube-system
+data:
+  enforcedPCRs: "[1,11]"
+  measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
+binaryData:
+  measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/daemonset.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: join-service
+  namespace: testNamespace
+  labels:
+    component: join-service
+    k8s-app: join-service
+    kubernetes.io/cluster-service: "true"
+spec:
+  selector:
+    matchLabels:
+      k8s-app: join-service
+  template:
+    metadata:
+      labels:
+        k8s-app: join-service
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: join-service
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Equal
+          value: "true"
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      containers:
+        - name: join-service
+          image: joinServiceImage
+          args:
+            - --cloud-provider=QEMU
+            - --kms-endpoint=kms.kube-system:9000
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+            - mountPath: /etc/kubernetes
+              name: kubeadm
+              readOnly: true
+          ports:
+            - containerPort: 9090
+              name: tcp
+          resources: {}
+          securityContext:
+            privileged: true
+      volumes:
+        - name: config
+          projected:
+            sources:
+              - configMap:
+                  name: join-config
+              - configMap:
+                  name: k8s-version
+              - configMap:
+                  name: internal-config
+        - name: kubeadm
+          hostPath:
+            path: /etc/kubernetes
+  updateStrategy: {}

cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: join-service
+  namespace: testNamespace
+spec:
+  type: NodePort
+  selector:
+    k8s-app: join-service
+  ports:
+  - name: grpc
+    protocol: TCP
+    port: 9090
+    targetPort: 9090
+    nodePort: 30090
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/QEMU/constellation-services/charts/join-service/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: kms
+  name: kms
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get

cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kms
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kms
+subjects:
+- kind: ServiceAccount
+  name: kms
+  namespace: testNamespace

cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/daemonset.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: kms
+    k8s-app: kms
+    kubernetes.io/cluster-service: "true"
+  name: kms
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kms
+  template:
+    metadata:
+      labels:
+        k8s-app: kms
+    spec:
+      containers:
+        - name: kms
+          image: kmsImage
+          args:
+            - --port=9000
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+          resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      priorityClassName: system-cluster-critical
+      serviceAccountName: kms
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: config
+        projected:
+          sources:
+          - configMap:
+              items:
+              - key: measurements
+                path: measurements
+              name: join-config
+          - secret:
+              items:
+              - key: mastersecret
+                path: mastersecret
+              - key: salt
+                path: salt
+              name: constellation-mastersecret
+  updateStrategy: {}

cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/mastersecret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: constellation-mastersecret
+  namespace: testNamespace
+data:
+  mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
+  salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kms
+  namespace: testNamespace
+spec:
+  ports:
+  - name: grpc
+    port: 9000
+    protocol: TCP
+    targetPort: 9000
+  selector:
+    k8s-app: kms
+  type: ClusterIP
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/QEMU/constellation-services/charts/kms/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kms
+  namespace: testNamespace

hack/go.sum

@@ -129,11 +129,13 @@ github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1 h1:BWe8a+f/t+7
 github.com/AzureAD/microsoft-authentication-library-for-go v0.5.1/go.mod h1:Vt9sXTKwMyGcOxSmLDMnGPgqsUg7m8pe215qMLrDXw4=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
@@ -141,7 +143,9 @@ github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0
 github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
+github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
+github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
@@ -539,6 +543,7 @@ github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWe
 github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
 github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -820,6 +825,7 @@ github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJ
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo=
 github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63UyNX5k4=
+github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -1223,6 +1229,7 @@ github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
 github.com/shirou/gopsutil/v3 v3.21.10/go.mod h1:t75NhzCZ/dYyPQjyQmrAYP6c8+LCdFANeBMdLPCNnew=
+github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=