image: add upgrade-agent (#827)

.github/actions/build_upgrade_agent/action.yml

@@ -0,0 +1,22 @@
+name: Build upgrade-agent
+description: Build the Constellation upgrade-agent binary
+
+inputs:
+  outputPath:
+    description: "Output path of the binary"
+    default: "./upgrade-agent"
+    required: true
+
+# Linux runner only (Docker required)
+runs:
+  using: "composite"
+  steps:
+    - name: Build the upgrade-agent
+      shell: bash
+      run: |
+        echo "::group::Build the upgrade-agent"
+        mkdir -p build && cd build
+        cmake ..
+        make upgrade-agent
+        mv -n upgrade-agent "${{ inputs.outputPath }}"
+        echo "::endgroup::"

.github/workflows/build-os-image.yml

@@ -31,6 +31,7 @@ jobs:
     outputs:
       bootstrapper-sha256: ${{ steps.collect-hashes.outputs.bootstrapper-sha256 }}
       disk-mapper-sha256: ${{ steps.collect-hashes.outputs.disk-mapper-sha256 }}
+      upgrade-agent-sha256: ${{ steps.collect-hashes.outputs.upgrade-agent-sha256 }}
     steps:
       - name: Checkout
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
@@ -54,6 +55,11 @@ jobs:
         with:
           outputPath: ${{ github.workspace }}/build/disk-mapper
 
+      - name: Build upgrade-agent
+        uses: ./.github/actions/build_upgrade_agent
+        with:
+          outputPath: ${{ github.workspace }}/build/upgrade-agent
+
       - name: Upload dependencies
         uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1
         with:
@@ -61,6 +67,7 @@ jobs:
           path: |
             ${{ github.workspace }}/build/bootstrapper
             ${{ github.workspace }}/build/disk-mapper
+            ${{ github.workspace }}/build/upgrade-agent
 
       - name: Collect hashes
         id: collect-hashes
@@ -68,6 +75,7 @@ jobs:
           {
             echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)"
             echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)"
+            echo "upgrade-agent-sha256=$(sha256sum upgrade-agent | head -c 64)"
           } >> "$GITHUB_OUTPUT"
         working-directory: ${{ github.workspace }}/build
 
@@ -209,10 +217,11 @@ jobs:
           name: dependencies
           path: ${{ github.workspace }}/build
 
-      - name: Mark bootstrapper and disk-mapper as executable
+      - name: Mark bootstrapper, disk-mapper, and upgrade-agent as executable
         run: |
           chmod +x ${{ github.workspace }}/build/bootstrapper
           chmod +x ${{ github.workspace }}/build/disk-mapper
+          chmod +x ${{ github.workspace }}/build/upgrade-agent
 
       - name: Setup mkosi
         uses: ./.github/actions/setup_mkosi
@@ -240,6 +249,7 @@ jobs:
         env:
           BOOTSTRAPPER_BINARY: ${{ github.workspace }}/build/bootstrapper
           DISK_MAPPER_BINARY: ${{ github.workspace }}/build/disk-mapper
+          UPGRADE_AGENT_BINARY: ${{ github.workspace }}/build/upgrade-agent
           IMAGE_VERSION: ${{ needs.build-settings.outputs.imageVersion }}
           CSP: ${{ matrix.csp }}
 
@@ -613,6 +623,7 @@ jobs:
           cat > SHA256SUMS <<EOF
           ${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
           ${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
+          ${{ needs.build-dependencies.outputs.upgrade-agent-sha256 }} upgrade-agent
           ${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
           ${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog
           ${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-daemonset.yaml

@@ -43,6 +43,9 @@ spec:
             - mountPath: /etc/gce
               name: gceconf
               readOnly: true
+            - mountPath: /etc/constellation-upgrade-agent.sock
+              name: upgrade-agent-socket
+              readOnly: true
             - mountPath: /var/secrets/google
               name: gcekey
               readOnly: true
@@ -77,6 +80,10 @@ spec:
         - name: gceconf
           configMap:
             name: gceconf
+        - name: upgrade-agent-socket
+          hostPath:
+            path: /run/constellation-upgrade-agent.sock
+            type: Socket
         - name: gcekey
           secret:
             secretName: gcekey

cli/internal/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml

@@ -89,6 +89,9 @@ spec:
         - mountPath: /etc/gce
           name: gceconf
           readOnly: true
+        - mountPath: /etc/constellation-upgrade-agent.sock
+          name: upgrade-agent-socket
+          readOnly: true
       nodeSelector:
         node-role.kubernetes.io/control-plane: ""
       securityContext:
@@ -123,3 +126,7 @@ spec:
           name: gceconf
           optional: true
         name: gceconf
+      - name: upgrade-agent-socket
+        hostPath:
+          path: /run/constellation-upgrade-agent.sock
+          type: Socket

cli/internal/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -107,6 +107,9 @@ spec:
         - mountPath: /etc/gce
           name: gceconf
           readOnly: true
+        - mountPath: /etc/constellation-upgrade-agent.sock
+          name: upgrade-agent-socket
+          readOnly: true
       nodeSelector:
         node-role.kubernetes.io/control-plane: ""
       securityContext:
@@ -141,3 +144,7 @@ spec:
           name: gceconf
           optional: true
         name: gceconf
+      - name: upgrade-agent-socket
+        hostPath:
+          path: /run/constellation-upgrade-agent.sock
+          type: Socket

cli/internal/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -107,6 +107,9 @@ spec:
         - mountPath: /etc/gce
           name: gceconf
           readOnly: true
+        - mountPath: /etc/constellation-upgrade-agent.sock
+          name: upgrade-agent-socket
+          readOnly: true
       nodeSelector:
         node-role.kubernetes.io/control-plane: ""
       securityContext:
@@ -141,3 +144,7 @@ spec:
           name: gceconf
           optional: true
         name: gceconf
+      - name: upgrade-agent-socket
+        hostPath:
+          path: /run/constellation-upgrade-agent.sock
+          type: Socket

cli/internal/helm/testdata/GCP/constellation-services/charts/ccm/templates/gcp-daemonset.yaml

@@ -42,6 +42,9 @@ spec:
             - mountPath: /etc/gce
               name: gceconf
               readOnly: true
+            - mountPath: /etc/constellation-upgrade-agent.sock
+              name: upgrade-agent-socket
+              readOnly: true
             - mountPath: /var/secrets/google
               name: gcekey
               readOnly: true
@@ -76,6 +79,10 @@ spec:
         - name: gceconf
           configMap:
             name: gceconf
+        - name: upgrade-agent-socket
+          hostPath:
+            path: /run/constellation-upgrade-agent.sock
+            type: Socket
         - name: gcekey
           secret:
             secretName: gcekey

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -107,6 +107,9 @@ spec:
         - mountPath: /etc/gce
           name: gceconf
           readOnly: true
+        - mountPath: /etc/constellation-upgrade-agent.sock
+          name: upgrade-agent-socket
+          readOnly: true
       nodeSelector:
         node-role.kubernetes.io/control-plane: ""
       securityContext:
@@ -141,3 +144,7 @@ spec:
           name: gceconf
           optional: true
         name: gceconf
+      - name: upgrade-agent-socket
+        hostPath:
+          path: /run/constellation-upgrade-agent.sock
+          type: Socket

image/Makefile

@@ -3,6 +3,7 @@ SRC_PATH                          = $(CURDIR)
 BASE_PATH                        ?= $(SRC_PATH)
 BOOTSTRAPPER_BINARY              ?= $(BASE_PATH)/../build/bootstrapper
 DISK_MAPPER_BINARY               ?= $(BASE_PATH)/../build/disk-mapper
+UPGRADE_AGENT_BINARY             ?= $(BASE_PATH)/../build/upgrade-agent
 PKI                              ?= $(BASE_PATH)/pki
 MKOSI_EXTRA                      ?= $(BASE_PATH)/mkosi.extra
 IMAGE_VERSION                    ?= v0.0.0
@@ -36,6 +37,7 @@ inject-bins: $(PREBUILT_RPMS)
 	mkdir -p $(MKOSI_EXTRA)/usr/bin
 	mkdir -p $(MKOSI_EXTRA)/usr/sbin
 	cp $(BOOTSTRAPPER_BINARY) $(MKOSI_EXTRA)/usr/bin/bootstrapper
+	cp $(UPGRADE_AGENT_BINARY) $(MKOSI_EXTRA)/usr/bin/upgrade-agent
 	cp $(DISK_MAPPER_BINARY) $(MKOSI_EXTRA)/usr/sbin/disk-mapper
 
 inject-certs: $(certs)

image/mkosi.skeleton/usr/lib/systemd/system-preset/30-constellation.preset

@@ -1,4 +1,5 @@
 enable configure-constel-csp.service
+enable constellation-upgrade-agent.service
 enable constellation-bootstrapper.service
 enable containerd.service
 enable kubelet.service

image/mkosi.skeleton/usr/lib/systemd/system/constellation-upgrade-agent.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Constellation Upgrade Agent
+
+[Service]
+Type=simple
+RemainAfterExit=yes
+Restart=on-failure
+ExecStart=/usr/bin/upgrade-agent
+
+[Install]
+WantedBy=multi-user.target

operators/constellation-node-operator/config/manager/manager.yaml

@@ -60,6 +60,9 @@ spec:
             - mountPath: /etc/gce
               name: gceconf
               readOnly: true
+            - mountPath: /etc/constellation-upgrade-agent.sock
+              name: upgrade-agent-socket
+              readOnly: true
           resources:
             limits:
               cpu: 500m
@@ -88,6 +91,10 @@ spec:
           configMap:
             name: gceconf
             optional: true
+        - name: upgrade-agent-socket
+          hostPath:
+            path: /run/constellation-upgrade-agent.sock
+            type: Socket
       nodeSelector:
         node-role.kubernetes.io/control-plane: ""
       tolerations: