From 62168bbf9833e9da06a415f284257c4045e8b402 Mon Sep 17 00:00:00 2001
From: Otto Bittner
Date: Tue, 18 Oct 2022 13:12:24 +0200
Subject: [PATCH] AB#2490: Add KMS helm chart

* Also run helm-lint in CI now
---
 .github/workflows/test-helm-lint.yaml | 40 ++++++++++++
 CMakeLists.txt | 1 +
 .../helm/charts/edgeless/kms/.helmignore | 23 +++++++
 .../helm/charts/edgeless/kms/Chart.yaml | 6 ++
 .../edgeless/kms/templates/clusterrole.yaml | 13 ++++
 .../kms/templates/clusterrolebinding.yaml | 12 ++++
 .../edgeless/kms/templates/daemonset.yaml | 63 +++++++++++++++++++
 .../edgeless/kms/templates/mastersecret.yaml | 9 +++
 .../edgeless/kms/templates/service.yaml | 16 +++++
 .../kms/templates/serviceaccount.yaml | 5 ++
 .../helm/charts/edgeless/kms/values.yaml | 22 +++++++
 11 files changed, 210 insertions(+)
 create mode 100644 .github/workflows/test-helm-lint.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/.helmignore
 create mode 100644 cli/internal/helm/charts/edgeless/kms/Chart.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/templates/clusterrole.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/templates/clusterrolebinding.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/templates/daemonset.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/templates/mastersecret.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/templates/service.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/templates/serviceaccount.yaml
 create mode 100644 cli/internal/helm/charts/edgeless/kms/values.yaml
diff --git a/.github/workflows/test-helm-lint.yaml b/.github/workflows/test-helm-lint.yaml
new file mode 100644
index 000000000..71325788a
--- /dev/null
+++ b/.github/workflows/test-helm-lint.yaml
@@ -0,0 +1,40 @@
+name: Lint Helm Charts
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "cli/internal/helm/charts/**"
+  pull_request:
+    paths:
+      - "cli/internal/helm/charts/**"
+
+# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  helm-lint:
+    runs-on: ubuntu-latest
+    env:
+      CTEST_OUTPUT_ON_FAILURE: True
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v3
+        with:
+          version: 'v3.9.0' # default is latest (stable)
+
+      - name: Create and populate build folder
+        run: mkdir build && cd build && cmake ..
+
+      - name: Unit Tests
+        run: ctest -R helm-lint
+        working-directory: build
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 53c35b812..8818fc7f4 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -63,3 +63,4 @@ add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CM
 add_test(NAME integration-csi COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/csi)
 add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/disk-mapper/internal)
 add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)
+add_test(NAME helm-lint COMMAND bash -c "helm lint --strict *" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/cli/internal/helm/charts/edgeless/)
diff --git a/cli/internal/helm/charts/edgeless/kms/.helmignore b/cli/internal/helm/charts/edgeless/kms/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/.helmignore
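Review bot: `uses: azure/setup-helm@v3` is pinned only to a mutable major tag, while the checkout step in the same job is pinned to a full commit SHA (`actions/checkout@93ea575c…`); if that tag is moved, arbitrary code runs in this job with the default `GITHUB_TOKEN`, since the workflow declares no `permissions:` block. Pin setup-helm to a commit SHA the same way and add a top-level `permissions: { contents: read }` so the token is read-only for a lint-only job. Minor: `CTEST_OUTPUT_ON_FAILURE: True` is a YAML 1.1 boolean that GitHub coerces to a string; writing `CTEST_OUTPUT_ON_FAILURE: "1"` makes the intent explicit and survives other YAML tooling.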
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/cli/internal/helm/charts/edgeless/kms/Chart.yaml b/cli/internal/helm/charts/edgeless/kms/Chart.yaml
new file mode 100644
index 000000000..cb172100d
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: kms
+description: A Helm chart to deploy the Constellation Key Management Service
+type: application
+version: 0.1.0
+appVersion: "2.1.0"
diff --git a/cli/internal/helm/charts/edgeless/kms/templates/clusterrole.yaml b/cli/internal/helm/charts/edgeless/kms/templates/clusterrole.yaml
new file mode 100644
index 000000000..d44b4b1c9
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/templates/clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: kms
+  name: kms
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
diff --git a/cli/internal/helm/charts/edgeless/kms/templates/clusterrolebinding.yaml b/cli/internal/helm/charts/edgeless/kms/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..c9e8dbcfc
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kms
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kms
+subjects:
+- kind: ServiceAccount
+  name: kms
+  namespace: {{ .Values.namespace }}
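Review bot: The ClusterRole grants `get` on `secrets` in every namespace to the kms service account, which means a compromised kms pod can read every Secret in the cluster, yet the DaemonSet added later in this patch delivers the master secret and salt through a projected volume rather than the API, so it is not clear from this change that any Secret read permission is needed at all. If the binary does need API access to its own secret, scope it down: `kind: Role` with `namespace: {{ .Values.namespace }}` under `metadata`, and `resourceNames: [{{ .Values.masterSecretName | quote }}]` in the rule, bound by a RoleBinding instead of the ClusterRoleBinding below. The cluster-scoped `name: kms` is also not release-qualified and will collide if the chart is ever installed twice; `{{ .Release.Name }}-kms` (applied consistently to the binding and `serviceAccountName`) avoids that.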
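Review bot: `namespace: {{ .Values.namespace }}` in the subject is rendered unquoted, so a value that looks like a number or boolean, or an empty override, is parsed by YAML as the wrong type instead of a string and the binding silently points at no ServiceAccount. Render it as `namespace: {{ .Values.namespace | quote }}`; the same applies to every other template in this chart that interpolates `.Values.namespace` or the secret/configmap names unquoted.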
diff --git a/cli/internal/helm/charts/edgeless/kms/templates/daemonset.yaml b/cli/internal/helm/charts/edgeless/kms/templates/daemonset.yaml
new file mode 100644
index 000000000..5d91fcab7
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/templates/daemonset.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: kms
+    k8s-app: kms
+    kubernetes.io/cluster-service: "true"
+  name: kms
+  namespace: {{ .Values.namespace }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kms
+  template:
+    metadata:
+      labels:
+        k8s-app: kms
+    spec:
+      containers:
+      - args:
+        - --port={{ .Values.kmsPort }}
+        image: {{ .Values.kmsImage }}
+        name: kms
+        resources: {}
+        volumeMounts:
+        - mountPath: {{ .Values.serviceBasePath }}
+          name: config
+          readOnly: true
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      priorityClassName: system-cluster-critical
+      serviceAccountName: kms
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - name: config
+        projected:
+          sources:
+          - configMap:
+              items:
+              - key: {{ .Values.measurementsFilename }}
+                path: {{ .Values.measurementsFilename }}
+              name: {{ .Values.joinConfigCMName }}
+          - secret:
+              items:
+              - key: {{ .Values.masterSecretKeyName }}
+                path: {{ .Values.masterSecretKeyName }}
+              - key: {{ .Values.saltKeyName }}
+                path: {{ .Values.saltKeyName }}
+              name: {{ .Values.masterSecretName }}
+  updateStrategy: {}
diff --git a/cli/internal/helm/charts/edgeless/kms/templates/mastersecret.yaml b/cli/internal/helm/charts/edgeless/kms/templates/mastersecret.yaml
new file mode 100644
index 000000000..01dd22065
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/templates/mastersecret.yaml
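Review bot: The kms container has the cluster master secret and salt mounted from `{{ .Values.masterSecretName }}` but declares no `securityContext` and `resources: {}`, so it runs with privilege escalation allowed, a writable root filesystem and the full default capability set, and an unbounded footprint on control-plane nodes despite `priorityClassName: system-cluster-critical`. Add a restrictive container-level securityContext as below; `runAsNonRoot` and `readOnlyRootFilesystem` presume the image ships a non-root user and writes nothing outside the mounted paths — verify that against the image before merging. `resources.requests`/`limits` should be set from measured values rather than left empty, and since `image: {{ .Values.kmsImage }}` defaults to a placeholder, the CLI-supplied value should be a digest-pinned reference so the pod that holds the master secret runs exactly the audited image.
```yaml
        image: {{ .Values.kmsImage }}
        name: kms
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
        # … unchanged: resources, volumeMounts …
```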
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ .Values.masterSecretName }}
+  namespace: {{ .Values.namespace }}
+data:
+  mastersecret: {{ .Values.masterSecret }}
+  salt: {{ .Values.salt }}
diff --git a/cli/internal/helm/charts/edgeless/kms/templates/service.yaml b/cli/internal/helm/charts/edgeless/kms/templates/service.yaml
new file mode 100644
index 000000000..88712c588
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kms
+  namespace: {{ .Values.namespace }}
+spec:
+  ports:
+  - name: grpc
+    port: {{ .Values.kmsPort }}
+    protocol: TCP
+    targetPort: {{ .Values.kmsPort }}
+  selector:
+    k8s-app: kms
+  type: ClusterIP
+status:
+  loadBalancer: {}
diff --git a/cli/internal/helm/charts/edgeless/kms/templates/serviceaccount.yaml b/cli/internal/helm/charts/edgeless/kms/templates/serviceaccount.yaml
new file mode 100644
index 000000000..60379a375
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kms
+  namespace: {{ .Values.namespace }}
diff --git a/cli/internal/helm/charts/edgeless/kms/values.yaml b/cli/internal/helm/charts/edgeless/kms/values.yaml
new file mode 100644
index 000000000..e51f70372
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/kms/values.yaml
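Review bot: `mastersecret: {{ .Values.masterSecret }}` and `salt: {{ .Values.salt }}` sit under `data:`, which the API server requires to be base64, yet both are rendered unquoted from values that default to `""`, so with defaults they render as `mastersecret:` (YAML null) and with a real value nothing enforces the encoding or the string type. Render them as `mastersecret: {{ .Values.masterSecret | quote }}` (or `stringData:` with `| b64enc` only if the CLI passes raw bytes — that depends on the caller, which is not in this patch), and note that `required "masterSecret must be set"` would be the right guard but will make the new `helm lint --strict` job fail on the empty defaults unless lint is given a values file. Be aware that Helm 3 also keeps the supplied values in its release Secret in the release namespace, so the master secret ends up persisted in the cluster twice; whether that is acceptable for this key should be stated in the chart docs. Also, the hard-coded keys `mastersecret`/`salt` here must match `masterSecretKeyName`/`saltKeyName` that the DaemonSet reads, but nothing ties them together — use `{{ .Values.masterSecretKeyName }}:` and `{{ .Values.saltKeyName }}:` as the keys.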
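Review bot: The `status:` / `loadBalancer: {}` stanza at the end of the Service is server-populated output (it looks like residue from a `kubectl get -o yaml` export) and should not be in a template; drop those two lines. The `targetPort: {{ .Values.kmsPort }}` line duplicates `port` and can be omitted, since targetPort defaults to the port value.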
@@ -0,0 +1,22 @@
+# Namespace to which KMS will be deployed.
+namespace: "kube-system"
+# Port on which the service will listen.
+kmsPort: 9000
+# Name of the ConfigMap that holds measurements and other info.
+joinConfigCMName: join-config
+# Path to which secrets/CMs are mounted.
+serviceBasePath: /var/config
+# Container image.
+kmsImage: setFullImagePathHere
+# Salt for key derivation.
+salt: ""
+# Name of the key within the respective secret that holds the salt.
+saltKeyName: salt
+# MasterSecret for the cluster.
+masterSecret: ""
+# Name of the secret that contains the master secret.
+masterSecretName: constellation-mastersecret
+# Name of the key within the respective secret that holds the master secret.
+masterSecretKeyName: mastersecret
+# Name of the ConfigMap that holds the measurements.
+measurementsFilename: measurements
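Review bot: The comment on `measurementsFilename` says "Name of the ConfigMap that holds the measurements", but the DaemonSet uses this value as the key and file path inside the ConfigMap named by `joinConfigCMName`, so the comment documents the wrong thing; change it to `# Key in the join ConfigMap (and file name under serviceBasePath) that holds the measurements.`. The `salt` and `masterSecret` comments should also state the expected encoding, since the template places them under `data:` — e.g. `# MasterSecret for the cluster, base64-encoded (rendered into Secret.data).` — and that these are sensitive values the caller is expected to supply rather than commit. `kmsImage: setFullImagePathHere` is a placeholder that makes a default install fail only at image pull time; an empty default with a `required` check in the template (or a comment naming the CLI as the only supported caller) fails earlier and more clearly.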