AB#2635: Deploy Konnectivity via Helm

cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml

@@ -42,6 +42,13 @@ dependencies:
       - GCP
       - AWS
       - QEMU
+  - name: konnectivity
+    version: 2.3.0-pre
+    tags:
+      - Azure
+      - GCP
+      - AWS
+      - QEMU
   - name: gcp-guest-agent
     version: 2.3.0-pre
     tags:

cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: konnectivity
+description: A chart to deploy konnectivity for Constellation
+type: application
+version: 2.3.0-pre

cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+  name: system:konnectivity-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: system:konnectivity-server

cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/daemonset.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: konnectivity-agent
+  name: konnectivity-agent
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: konnectivity-agent
+  template:
+    metadata:
+      labels:
+        k8s-app: konnectivity-agent
+    spec:
+      containers:
+      - args:
+        - --logtostderr=true
+        - --proxy-server-host={{ .Values.loadBalancerIP }}
+        - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        - --proxy-server-port=8132
+        - --admin-server-port=8133
+        - --health-server-port={{ .Values.healthServerPort }}
+        - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
+        - --agent-identifiers=host=$(HOST_IP)
+        - --sync-forever=true
+        - --keepalive-time=60m
+        - --sync-interval=5s
+        - --sync-interval-cap=30s
+        - --probe-interval=5s
+        - --v=3
+        command:
+        - /proxy-agent
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.hostIP
+        image: {{ .Values.image }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: {{ .Values.healthServerPort }}
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+        name: konnectivity-agent
+        resources: {}
+        volumeMounts:
+        - mountPath: /var/run/secrets/tokens
+          name: konnectivity-agent-token
+          readOnly: true
+      priorityClassName: system-cluster-critical
+      serviceAccountName: konnectivity-agent
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+      volumes:
+      - name: konnectivity-agent-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: system:konnectivity-server
+              path: konnectivity-agent-token
+  updateStrategy: {}

cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+  name: konnectivity-agent
+  namespace: {{ .Release.Namespace }}

cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.schema.json

@@ -0,0 +1,21 @@
+{
+    "$schema": "https://json-schema.org/draft-07/schema#",
+    "properties": {
+        "image": {
+            "description": "Container image to use for the spawned pods.",
+            "type": "string",
+            "examples": ["us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.33@sha256:48f2a4ec3e10553a81b8dd1c6fa5fe4bcc9617f78e71c1ca89c6921335e2d7da"]
+        },
+        "loadBalancerIP": {
+            "description": "IP of the loadbalancer serving the control plane.",
+            "type": "string",
+            "examples": ["10.4.0.1"]
+        }
+    },
+    "required": [
+        "image",
+        "loadBalancerIP"
+    ],
+    "title": "Values",
+    "type": "object"
+}

cli/internal/helm/charts/edgeless/constellation-services/charts/konnectivity/values.yaml

@@ -0,0 +1 @@
+healthServerPort: 8134